build(source-os): add mesh NixOS realization module

[mdheller]

Summary

Implement the first code-bearing follow-up after the merged mesh Linux estate kit.

This PR adds:

• modules/nixos/mesh/default.nix as a real NixOS realization module for the merged mesh templates
• profile wiring for linux-dev, linux-candidate, and linux-stable
• tests/mesh-module-contract.nix as a flake-level contract check
• a small flake update so the mesh module surface is part of the repo's checks and dev-shell guidance

What this does

The new module does not pretend the runtime daemons are fully packaged yet.
Instead it makes the merged Linux-facing templates Nix-realizable by:

• generating a mesh manifest and scaffold under /etc/sourceos/mesh/
• rendering networkd / NetworkManager templates with the configured interface, fwmarks, and route tables
• optionally projecting those templates into active /etc manager locations when sourceos.mesh.activateTemplates = true
• wiring explicit mesh roles into the existing dev / candidate / stable profiles

Why this shape

This is the honest next step after PR #13.
It moves the repo from static templates toward executable Linux realization without overclaiming packaged runtime readiness.

Follow-up still needed

Tracked in #15:

• NixOS host-role wiring beyond profile defaults
• package ownership for meshd, meshd-linkd, and meshd-exitd
• SELinux / AppArmor confinement
• support-matrix freeze
• CI that evaluates or builds the NixOS module path directly

[mdheller]

Follow-up to #15.

This PR implements the first code-bearing realization step after the merged mesh estate kit:

• adds modules/nixos/mesh/default.nix
• wires mesh roles into the dev/candidate/stable profiles
• adds a flake contract check for the mesh module surface

Still intentionally deferred:

• packaged runtime daemons
• SELinux/AppArmor confinement
• support-matrix freeze
• deeper CI that evaluates the module path directly