v0.41.0: first-boot base-infra bring-up + self-heal (+ Section-G mount fix)

New internal/infra package renders traefik/cloudflared/filebrowser from config
(pinned images, single source of truth; web filebrowser path delegates here).
stacks.EnsureBaseStack deploys the traefik-public network + the three stacks,
single-flight + idempotent + non-fatal; wired to first boot and every health
tick. monitor.EffectiveProtected drops cloudflared when no tunnel token.
Section-G fix lives in felhom-agent build-golden.sh (same-path stacks bind).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

controller/internal/infra/templates/cloudflared-compose.yml.tmpl

@@ -0,0 +1,22 @@
+# Cloudflare Tunnel — external access connector — managed by felhom-controller (base-infra bring-up).
+# Routes are configured in the Cloudflare dashboard (Zero Trust > Networks > Tunnels > Public Hostname);
+# the tunnel connects Cloudflare's edge to Traefik, which handles TLS + routing internally.
+services:
+  cloudflared:
+    image: {{.Image}}
+    container_name: cloudflared
+    restart: unless-stopped
+    command: tunnel run
+    environment:
+      - TUNNEL_TOKEN={{.CFTunnelToken}}
+    dns:
+      - 1.1.1.1
+      - 8.8.8.8
+    security_opt:
+      - no-new-privileges:true
+    networks:
+      - traefik-public
+
+networks:
+  traefik-public:
+    external: true