fix: comprehensive bakery package manager audit and repair

Critical fixes:
- gen-index.sh: emit services, config, optional_system_deps from bakery.toml;
  parse product list from registry TOML instead of hardcoded array; fail loudly
  when bakery.toml is missing (was silently producing empty metadata in prod)
- install.rs: download service units and example configs from dl server at
  install time (were never fetched); check systemctl exit codes (were swallowed);
  save state before file cleanup in remove_package (was inconsistent on error)
- doctor.rs: rewrite dep detection to use `pacman -Q` as primary (no more
  dependency on `which` or pkg-config name mismatches); add optional_system_deps
  support returning (missing, warnings) — warnings print but never block install
- get.sh: fix GitHub fallback URL (was 404 for both latest and versioned
  releases); add SHA-256 checksum verification using published .sha256 file

High priority fixes:
- bakery doctor <unknown-pkg>: exit non-zero (was silently passing)
- bakery update: add --all flag (documented in README but missing from CLI);
  add doctor gate before update (was bypassing dep check)
- bread_deps: now resolved recursively with cycle detection (was ignored)
- manifest.rs: add artifact_urls() helper and optional_system_deps field
- state.rs: atomic save via tmp+rename; cmd_info shows optional_system_deps

Tests: 17 new unit tests across doctor, download, install, state modules;
scripts/test-gen-index.sh fixture test for full pipeline

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

README.md

@@ -49,13 +49,18 @@ bakery remove <pkg>            # remove a package (data files are never deleted)
 
 ## System dependencies by product
 
-| Package | Arch packages |
-|---------|--------------|
-| `bread` | `libudev` `dbus` |
-| `breadbar` | `gtk4` `gtk4-layer-shell` `dbus` `iw` |
-| `breadbox` | `gtk4` `gtk4-layer-shell` `librsvg` |
-| `breadcrumbs` | `networkmanager` |
-| `breadpad` | `gtk4` `gtk4-layer-shell` `dbus` |
+`bakery doctor` checks these automatically before any install. Required deps block installation; optional deps generate a warning but never block.
+
+| Package | Required | Optional |
+|---------|----------|---------|
+| `bakery` | _(statically linked, none)_ | — |
+| `bread` | `systemd-libs` `openssl` `zlib` | `bluez` `hyprland` |
+| `breadbar` | `gtk4` `gtk4-layer-shell` `iw` `libpulse` | `hyprland` |
+| `breadbox` | `gtk4` `gtk4-layer-shell` `librsvg` | `hyprland` |
+| `breadcrumbs` | `networkmanager` | `tailscale` `sudo` `xdg-utils` |
+| `breadpad` | `gtk4` `gtk4-layer-shell` | `rocm-hip-runtime` `ollama` `hyprland` |
+
+Install all required deps with `sudo pacman -S <packages>`. Use `pacman -Q <pkg>` to check whether any are already present.
 
 ## Theming
 
@@ -90,6 +95,22 @@ and mirrors the binary to GitHub Releases as a fallback.
 `bakery` always tries `dl.breadway.dev` first and transparently falls back
 to the GitHub Release URL recorded in the manifest.
 
+### Release artifact contract
+
+Each product's `release.yml` **must** upload the following files alongside
+the binary to `dl.breadway.dev/<name>/<version>/`:
+
+| File | Purpose |
+|------|---------|
+| `bakery.toml` | Metadata (deps, services, config) read by `gen-index.sh` |
+| `<binary>-x86_64.sha256` | Checksum verified by `bakery install` and `get.sh` |
+| `*.service` | systemd unit files installed by `bakery install` |
+| `*.example.toml` / `config.example.toml` | Example configs copied on first install |
+
+`gen-index.sh` **fails loudly** if `bakery.toml` is missing — this is by
+design to catch omissions in the release workflow before they silently
+produce empty metadata in production.
+
 ## License
 
 MIT