feat(setup): add port negotiation + managed .env updates (#297)

## Summary
Implement issue #236 by rewriting `manage.sh` setup step 3 into a full
ports negotiation flow with `.env` lifecycle management and preflight
validation.

## What Changed
- Reworked setup step 3 to **Ports & Networking**.
- Added layered port detection (`ss -> lsof -> netstat -> nc`), conflict
reporting, and next-available suggestions.
- Added interactive confirmation/override prompts for HTTP/HTTPS/MQTT
ports.
- Added rerun behavior: when `.env` already has ports, prompt to keep or
re-negotiate.
- Added `.env` managed-key merge/update logic for:
  - `PROD_HTTP_PORT`
  - `PROD_HTTPS_PORT`
  - `PROD_MQTT_PORT`
  - `PROD_DATA_DIR`
- Added `.env` creation from `.env.example` when missing.
- Added atomic `.env` write flow (temp file + move).
- Added preflight port validation before setup step 5 start, and in
`./manage.sh start` (when prod container is not already running).
- Updated `.env.example` comments to clarify managed keys.
- Addressed PR #297 review fixes:
- unified staging container name usage via
`STAGING_CONTAINER="corescope-staging-go"`
  - safe `.env` parsing (removed unsafe `eval`)
- DNS resolution fallback chain: `dig -> host -> nslookup -> getent
hosts`
  - explicit warning when no DNS resolver tool is available
- ensured negotiated `selected_http` is persisted via
`write_env_managed_values` to `PROD_HTTP_PORT`

## How It Works
1. Step 3 loads existing `.env` values (if present) and displays current
managed values.
2. If current ports are set, prompts to keep or re-negotiate.
3. On re-negotiate, checks default ports `80`, `443`, `1883` with
layered detection and suggests alternatives on conflicts.
4. Prompts admin to confirm or override each port.
5. Runs existing Domain/HTTPS/Caddyfile flow unchanged in behavior, but
wired to negotiated HTTP port for HTTP-only mode.
6. Persists managed values to `.env` while preserving all other
keys/comments.
7. Shows final resolved HTTP/HTTPS/MQTT mapping and asks explicit
confirmation before build/start.
8. Before starting containers, validates selected ports are still free
and fails with remediation if not.

## Validation performed
| Scenario | Command / Check | Result |
|---|---|---|
| Required frontend helper tests | `node test-packet-filter.js && node
test-aging.js && node test-frontend-helpers.js` | ✅ Passed (all
assertions green) |
| Script syntax | `bash -n manage.sh` | ✅ Passed |
| Staging container consistency | Verified `logs`/`promote` and
status/restart/stop paths use `STAGING_CONTAINER`
(`corescope-staging-go`) | ✅ Confirmed |
| DNS fallback behavior | Reviewed new `resolve_domain_ipv4` chain (`dig
-> host -> nslookup -> getent`) and no-tool warning path | ✅ Confirmed |
| Port→.env round-trip | Verified step 3 writes `selected_http` via
`write_env_managed_values` to `PROD_HTTP_PORT` | ✅ Confirmed |
| Unsafe `.env` loading removed | Confirmed `eval "$(sed ...)"` replaced
with safe line-by-line key/value export parser | ✅ Confirmed |

Fixes #236

---------

Co-authored-by: Kpa-clawbot <259247574+Kpa-clawbot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

.env.example

@@ -2,6 +2,8 @@
 # Copy to .env and customize. All values have sensible defaults.
 #
 # This file is read by BOTH docker compose AND manage.sh — one source of truth.
+# manage.sh setup negotiates and updates only these production managed keys:
+#   PROD_DATA_DIR, PROD_HTTP_PORT, PROD_HTTPS_PORT, PROD_MQTT_PORT
 # Each environment keeps config + data together in one directory:
 #   ~/meshcore-data/config.json, meshcore.db, Caddyfile, theme.json
 #   ~/meshcore-staging-data/config.json, meshcore.db, Caddyfile