feat(provider): add Gemini CLI provider

[aurokin]

Author Note: The intent of this PR is to add Gemini CLI support to Clawpatch. I know antigravity was just announced i'll start on that next >.> . I analyzed Gemini CLI source, probed the CLI behavior directly, reviewed the implementation as it was built, and dogfooded this build while reviewing the final PR with Clawpatch using both Codex and Gemini.

---

Summary

Adds Gemini CLI as a Clawpatch provider for map, review, revalidate, and fix workflows.

Changes

• Add gemini provider command construction and JSON envelope parsing.
• Run Gemini review/map/revalidate in --approval-mode=plan.
• Run Gemini fix in --approval-mode=auto_edit.
• Require explicit CLAWPATCH_GEMINI_TRUST_WORKSPACE=true for trusted workspace execution.
• Isolate Gemini subprocesses in a temporary HOME/XDG environment while seeding only minimal auth files.
• Gate Gemini CLI versions against GHSA-wpqr-6v78-jr5g patched ranges.
• Add an explicit warning for CLAWPATCH_GEMINI_ALLOW_UNPATCHED=1.
• Harden provider JSON fallback extraction and parallelize review prompt file loading.
• Document Gemini provider setup, security behavior, model selection, and timeout controls.

Validation

• pnpm format:check
• pnpm typecheck
• pnpm lint
• pnpm test
• pnpm build
• CLAWPATCH_GEMINI_TRUST_WORKSPACE=true node dist/cli.js doctor --provider gemini --json
• Rebuilt Clawpatch and reviewed the branch with Gemini 3.1 Flash Lite and Codex providers.