feat: add K8s API server, orchestrator abstraction, and CI pipeline

- Add apps/api/ — Hono REST API server for managing pentest scans via K8s Jobs
  - POST/GET /api/scans, GET /api/scans/:id, cancel, report endpoints
  - Bearer token auth, Temporal client integration, K8s Job builder
  - Dockerfile, Kustomize manifests (Deployment, Service, RBAC)
- Add CLI orchestrator abstraction (docker.ts → Orchestrator interface)
  - DockerOrchestrator and K8sOrchestrator implementations
  - Backend detection via SHANNON_BACKEND env var or --backend flag
- Add CI workflow: type-check + lint on PR, build+push both images on main
- Switch all workflows to self-hosted runners (runners-farhoodliquor)
- Add shannon-api image build to release and release-beta workflows
- Add root infra/kustomization.yaml as Flux entry point
- Export PipelineProgress from @shannon/worker/pipeline

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-19 13:08:51 -04:00
parent 54c92e8142
commit 1bbdd7acba
36 changed files with 2635 additions and 414 deletions
+18 -1
@@ -10,7 +10,7 @@ import { resolveConfig } from './config/resolver.js';
import { getMode } from './mode.js';
/** Environment variables forwarded to worker containers. */
const FORWARD_VARS = [
export const FORWARD_VARS = [
'ANTHROPIC_API_KEY',
'ANTHROPIC_BASE_URL',
'ANTHROPIC_AUTH_TOKEN',
@@ -61,6 +61,23 @@ export function buildEnvFlags(): string[] {
return flags;
}
/**
* Build a key-value record of env vars to forward to workers.
* Used by the K8s backend to create Secrets instead of Docker `-e` flags.
*/
export function buildEnvRecord(): Record<string, string> {
const env: Record<string, string> = { TEMPORAL_ADDRESS: 'shannon-temporal:7233' };
for (const key of FORWARD_VARS) {
const value = process.env[key];
if (value) {
env[key] = value;
}
}
return env;
}
interface CredentialValidation {
valid: boolean;
error?: string;
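Review bot: `buildEnvRecord` returns raw credential values (the forwarded names include `ANTHROPIC_API_KEY` and `ANTHROPIC_AUTH_TOKEN`), but its doc comment does not say so; I would add a line such as `Values are secrets: hand them only to the Secret builder, never to logs or to a literal env entry in the Job spec.` In the first hunk `FORWARD_VARS` becomes an export while, as far as the visible lines show, it is still a mutable array, so any importing module could append names and widen what is copied out of `process.env`. The end of the array literal is outside the hunk; if it does not already close with `as const`, annotating it as `readonly string[]` would pin the allowlist. The hard-coded `TEMPORAL_ADDRESS: 'shannon-temporal:7233'` can only be overridden if that name is in `FORWARD_VARS`, which is not visible here, so that is worth confirming or documenting.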