feat(marketplace): add sourceBase for nested package sources (#1519)

[leocamello]

Description

Adds an optional marketplace.sourceBase field so marketplace authors on
self-managed hosts (canonical case: GitLab nested subgroups) can declare a git
base once and write each package source relative to it. The per-entry source
shorthand tops out at host.tld/owner/repo (3 segments); enterprise GitLab
nesting is routinely deeper (.../group/sub-group/team/project/<pkg>), which the
shorthand cannot express.

marketplace:
  sourceBase: https://gitlab.example.com/group/sub-group/team/projects
  packages:
    - name: my-package
      source: my-package                  # -> .../projects/my-package
      version: "^1.0.0"
    - name: from-github
      source: github.com/acme/helper      # host-prefixed: overrides the base
      ref: v1.0.0

Semantics ("relative to base, always"): a host-less source composes onto the
base; a source carrying its own host (host.tld/owner/repo or full URL) or a
local ./ source overrides the base; with no sourceBase declared, behaviour is
byte-for-byte unchanged and a host-less single-segment source stays rejected
(fail-closed — no silent routing to the default host).

Implementation: composition happens at parse time (yml_schema.py) — a
relative entry is rewritten to the equivalent host-prefixed form, so the
resolver, builder, and output mappers treat it identically to a #1288
host-prefixed entry with no changes to those modules. sourceBase is validated
with #1288's posture (https-only, FQDN host, no userinfo/port/query/fragment/
.git) plus validate_path_segments. apm marketplace plugin add accepts
relative sources when a base is declared.

Also fixes apm marketplace check: it was building a single default-host
resolver with no token and ignoring entry.host, so it failed (git ls-remote
exit 128) for any non-default host — every sourceBase entry, and the
pre-existing #1288 host-prefixed form. It now uses the same per-host resolver +
per-host token pattern as apm pack (extracted into a shared
marketplace/auth_helpers.resolve_token_for_host) and short-circuits local
packages, so check and pack agree.

Validated end-to-end against a real self-managed GitLab (4-segment nested group):
apm marketplace check exits 0, and apm pack emits a source: url entry with
the composed URL and a real resolved sha.

The consumer-side install gap for non-default-host marketplaces
(apm install <pkg>@<marketplace> strips the host) is independent, reproduces on
stock 0.18.0, and is tracked in #1010 — out of scope here.

Fixes #1519

Type of change

• Bug fix
• New feature
• Documentation
• Maintenance / refactor

Testing

• Tested locally
• All existing tests pass
• Added tests for new functionality (if applicable)

tests/unit/marketplace/test_source_base.py (validation, composition for 1 and N
segments, override precedence, base-less rejection, composed marketplace.json
URL) and tests/unit/commands/test_marketplace_check.py (per-host resolution:
composed→GitLab+token, host-prefixed override→github, local→zero ls-remote).
uv run pytest tests/unit tests/test_console.py is green except one pre-existing,
environment-dependent test_auth_scoping failure unrelated to this change.
ruff check / ruff format --check clean.

Spec conformance (OpenAPM v0.1)

• N/A -- this PR does not change OpenAPM-observable behaviour.

(src/apm_cli/marketplace/ is not a Mode-B critical path and
CONFORMANCE.{json,md} regenerate with no diff.)