v0.41.0: first-boot base-infra bring-up + self-heal (+ Section-G mount fix)

New internal/infra package renders traefik/cloudflared/filebrowser from config
(pinned images, single source of truth; web filebrowser path delegates here).
stacks.EnsureBaseStack deploys the traefik-public network + the three stacks,
single-flight + idempotent + non-fatal; wired to first boot and every health
tick. monitor.EffectiveProtected drops cloudflared when no tunnel token.
Section-G fix lives in felhom-agent build-golden.sh (same-path stacks bind).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

controller/internal/infra/templates/traefik.yml.tmpl

@@ -0,0 +1,54 @@
+# Traefik Static Configuration
+# Generated by felhom-controller (base-infra bring-up). Do not edit — regenerated on bring-up.
+
+api:
+  dashboard: true
+  insecure: false
+
+entryPoints:
+  web:
+    address: ":80"
+    http:
+      redirections:
+        entryPoint:
+          to: websecure
+          scheme: https
+  websecure:
+    address: ":443"
+{{- if .ACMEEmail}}
+    http:
+      tls:
+        certResolver: letsencrypt
+{{- end}}
+
+providers:
+  docker:
+    endpoint: "unix:///var/run/docker.sock"
+    exposedByDefault: false
+    network: traefik-public
+  file:
+    directory: /etc/traefik/dynamic
+    watch: true
+
+log:
+  level: INFO
+
+accessLog: {}
+{{- if .ACMEEmail}}
+
+certificatesResolvers:
+  letsencrypt:
+    acme:
+      email: {{.ACMEEmail}}
+      storage: /etc/traefik/acme.json
+{{- if .CFAPIToken}}
+      dnsChallenge:
+        provider: cloudflare
+        resolvers:
+          - "1.1.1.1:53"
+          - "8.8.8.8:53"
+{{- else}}
+      httpChallenge:
+        entryPoint: web
+{{- end}}
+{{- end}}