Replace the 500-line bash fhevm-cli with a structured Bun/TypeScript
implementation. The new CLI resolves version bundles from GitHub
releases or GitOps branches, generates compose overrides and env files
under .fhevm/, and boots the stack through a 13-step pipeline with
resume support.

Key modules:
- versions.ts: resolve targets (latest-main, latest-release, gitops)
- artifacts.ts: compose/env generation, local build isolation
- runtime.ts:  boot pipeline, test runner, pause/unpause
- compat.ts:   legacy CLI flag injection for older image versions
- cli.test.ts: unit tests for version resolution, compat, layout

Local builds use :fhevm-local image tags to avoid overwriting registry
images. Services sharing an image tag are deduplicated before buildx.

The merge with main incorrectly took the old bash script instead of
the thin Bun wrapper entrypoint.

…rsions conservatively

Three fixes for network target compatibility (devnet/testnet/mainnet):

- Auto-detect MinIO key prefix during KMS signer discovery by probing
  both PUB/PUB (KMS <= v0.12) and PUB (KMS >= v0.13), then propagate
  the detected prefix through state for all MinIO URL construction.

- Fix Docker volume mount conflicts where named volumes shadowed bind
  mounts to the same container path, preventing GatewayAddresses.sol
  from being accessible on the host.

- Treat unparseable SHA versions conservatively in compat layer — apply
  legacy flags rather than skip them, since we cannot determine the
  actual version from a SHA tag.

Test-suite SDK < v0.11.0 (e.g. mainnet's 29ed8a7 with SDK 0.3.0-6)
appends /v1/ internally to RELAYER_URL. SDK >= v0.11.0 (0.4.0) expects
the URL to already include /v2. Set the base URL bare in the template
and append /v2 only for modern test-suite versions.

Overriding a component on devnet/testnet/mainnet can cause DB schema or
contract interface mismatches if local code diverges from the pinned
versions. Add a non-blocking warning so devs are aware.

Destructive compat rewrites (relayer readiness config, RELAYER_URL path)
must treat unparseable SHAs as modern, not old. Applying destructive
rewrites to modern services removes config fields they require, causing
crashes in workspace CI where images use SHA tags.

Introduces versionLtStrict (SHA→modern) alongside existing versionLt
(SHA→old) and uses it for the two destructive callers.

## Purpose
Reduce reviewer cognitive load by eliminating duplication and dead code
across three files (-34 lines, 3 concepts removed, 0 added).

## Structural changes
- Merge versionLt/versionLtStrict into one function with unknownIsOld param
- Extract defaultEndpoints(deps) to replace 4 copies of the endpoints literal
- Delete unused companionPreset export from presets.ts

## Preserved contract
- All 107 unit tests pass unchanged (no public signatures changed)
- Additive compat rules still treat SHAs as old (unknownIsOld=true default)
- Destructive compat rules still treat SHAs as modern (unknownIsOld=false)

## Suggested review order
1. compat.ts — versionLt parameterization
2. runtime.ts — defaultEndpoints helper + 4 call sites
3. presets.ts — dead export removal

## Risk areas
- None: pure simplification, no behavioral change

requiresMultichainAclAddress used conservative SHA handling (SHA=old),
which demanded MULTICHAIN_ACL_ADDRESS from gateway discovery even when
the gateway contracts are modern and don't deploy it. Switch to
unknownIsOld=false since requiring a non-existent address crashes the
validate step (destructive). Also fix typo: unparseable → unparsable.

Workspace builds use SHA version tags (e.g. fd3ef74) which are unparsable
by the semver comparator. Previously, unparsable versions were treated as
"old" for additive compat rules, injecting legacy CLI flags like
--coprocessor-api-key and --delegation-fallback-polling. Modern binaries
built from HEAD reject these removed flags, crashing the service.

Remove the unknownIsOld parameter from versionLt — all unparsable versions
are now treated as modern. This is correct because SHA versions only appear
in workspace builds which always use latest HEAD binaries.

- Delete copyFile (zero callers) and toError (unnecessary instanceof
  check in catch blocks where caught value is always Error)
- Delete baseCompose (zero callers)
- Simplify explainGitHubCliError: fewer substring checks, same 3
  error categories (ENOENT, auth, rate limit) with same messages
- Inline repoPackageName (1-caller wrapper around decodeURIComponent)
- Simplify dockerInspect: early return on non-zero exit instead of
  parsing empty stdout with silent fallback
- Simplify ensureCommand: use allowFailure instead of try/catch

Registry SHAs (--target sha) need compat flags because the image could
be genuinely old, but workspace SHAs (local override) are always HEAD
and reject legacy flags. Pass !hasOverride as unknownIsOld per group.

Reverts override-aware approach — the orchestrate CI uses registry mode
with SHA-tagged images from main tip (no workspace overrides), so the
override signal cannot distinguish fresh SHAs from old ones.  Presets
already map SHA targets to MODERN_COMPANIONS; compat now agrees.

Detect relayer v1/v2 API mismatch at validate time (fail fast instead
of runtime 500s) and catch containers that crash shortly after boot
by inspecting exit codes after a delay.

…le source of truth

Move scattered version compatibility knowledge (relayer pins, ACL cutover SHA,
legacy shims, incompatibility rules) into one declarative COMPAT_MATRIX in
compat.ts. Add `compat-defaults` CLI subcommand so CI workflows read pins and
anchors from the CLI instead of hardcoding them.