feat: set env vars on deploy via --env

[pat-s]

Closes #77

Summary

Adds ricochet deploy --env so users can set environment variables / secrets on a content item's initial deployment. Variables are RSA-encrypted client-side against the server's public key and attached to the deploy upload; the server decrypts and re-encrypts them with AES-256 at rest.

• --env KEY=VALUE sets a variable directly; --env KEY (no value) resolves it from .env, then .Renviron, then the calling environment, erroring if unresolved. Repeatable (-e).
• Only explicitly named keys are ever sent — whole .env/.Renviron files are never auto-loaded (avoids unintentionally publishing arbitrary definitions).

How it works

• New src/env_vars.rs — resolves --env entries + parses .env/.Renviron (KEY=VALUE, comments, quotes, export prefix).
• New src/crypto.rs — fetches/parses the server's PKCS#1 PEM public key and RSA-OAEP/SHA-256 encrypts each variable name and value (base64-standard), matching the server's decryption exactly.
• RicochetClient::get_public_key() hits GET /api/v0/public-key, called only when --env is provided.
• deploy() attaches the encrypted vars as the multipart env_vars field.

Notes

• Env vars can only be set on a content item's first deployment (server constraint). Re-deploying an existing item with --env surfaces the server's clear error; change variables later via the web UI.
• New deps: rsa (OAEP/SHA-256, with getrandom+sha2 features) and base64.
• Unit tests cover resolution/parsing and an encrypt→decrypt round-trip; integration tests (mockito) cover the env-vars field being sent, omitted without --env, and the first-deploy error path.