transform: add edge transform resource API

[acoshift]

Edge Transform — api (PR 1, merge first)

Adds the transform.* resource: declarative, CEL-scoped request/response transforms at the parapet proxy. Design: SPEC-cel-transform.md (the chosen middle path between forward-auth hacks and a WASM runtime — no user code).

• TransformPhase enum (request|response); TransformRule (required *TransformPhase, CEL filter, ordered ops, mode, priority); TransformOp (set-header, remove-header, rewrite-path, rewrite-query, redirect, set-status, cors).
• Transform interface (get/list/set/delete) + client.
• Structural validation: phase×op legality matrix, RFC 7230 header-name tokens, protected-header denylist (hop-by-hop, framing, Host, X-Forwarded-*, X-Real-IP, X-Auth-*, wafclaim), redirect $uri/open-redirect guard. mode is "" (enforce) or shadow only — matches the parapet wire contract.
• role.go: transform.{get,list,set,delete}; reads are non-public-bindable (can carry credentials) but delegatable. LocationFeatures.Transform. DeployerCommandTransform{Set,Delete}.

Merge first — the Go consumers (apiserver, deployer, mcp, deploys) re-pin github.com/deploys-app/api to this commit. go build/vet, gofmt, go generate clean.

Part of the Edge Transform feature — consumer PRs (re-pin to the merged commit of this PR)

• apiserver deploys-app/apiserver#218 · deployer transform: materialize transform zones to parapet ConfigMaps deployer#30 · mcp deploys-app/mcp#39 · deploys CLI transform: add transform CLI commands deploys#50
• console transform: edge transform management UI console#310 · docs transform: document the edge transform resource docs#53 · runtime feat(transform): in-cluster CEL transform runtime moonrhythm/parapet-ingress-controller#175

Merge order: this (api) → deployer → apiserver; parapet-ingress-controller before apiserver is deployed; console/mcp/deploys/docs any time after api.