Support lock files for reproducible builds

[yzx9]

PixiBuilder and UvBuilder now accept a lock file (uv.lock / pixi.lock) via new lockContent/lockFile/lockUrl methods that mirror the existing content/file/url declaration API and are defined once on the Builder interface. When a lock is supplied it is copied into the environment directory and the install runs in strict lock mode so the environment matches the committed lock (uv: --frozen; pixi: --frozen).

appose.json records a lockHash (SHA-256) of the lock content, so a change to the lock forces a rebuild through the normal isUpToDate() check. When no lock is supplied the lockHash key is omitted entirely, keeping appose.json byte-identical to before (no spurious rebuilds of existing environments) and never passing the strict flag.

DynamicBuilder forwards the lock to the detected pixi/uv delegate; MambaBuilder and SimpleBuilder override lockContent to throw UnsupportedOperationException. Note that pixi --frozen uses the lock as-is (the lock is authoritative) while uv --frozen fails fast on a stale lock; both make builds reproducible, and the tests assert the actual semantics of each tool.

closes apposed/appose#33

[ctrueden]

@yzx9 Awesome! Thank you very much for this, and for all the work you've been doing on Appose. And apologies for the sluggishness of my responses and reviews. I'm not trying to ignore anything, just too busy as always. But Appose is a pretty high priority to me, so I will try to work on this soon.

[yzx9]

@ctrueden Thank you! No worries at all. I completely understand that open-source maintainers have a lot on their plate.

Thanks again for all your work on Appose. Please take your time with the review, and let me know if there’s anything I can improve or clarify.