Make all KPAR sources have kpar_digest and src sources have checksum

[andrius-puksta-sensmetry]

Breaking changes

• Removed project-level checksum from lockfile project entries.
• Moved integrity metadata into individual lockfile sources:
  • *_src sources now all carry checksum
  • kpar_path / *_kpar sources now all carry kpar_size and kpar_digest
• Config source overrides now use a separate OverrideSource model, since config records user-provided source locations while lockfiles record resolved sources with integrity metadata.
• Bumped lockfile version, older lockfiles are incompatible.

Added

• Added ProjectChecksum, distinguishing canonical source-project checksums from KPAR archive checksums. It is tied rather closely to env.toml structure, so other ReadEnvironment implementers currrently stub out the methods.
• Added environment checksum verification APIs so sync can check whether an installed project matches the checksum kind and value required by a lockfile source.
• Added src_cksum / kpar_cksum metadata in local environment project entries to remember what kind of source the project was installed from. This means that currently we have no way to verify correctness of projects with kpar_cksum, as the actual KPAR is not saved
• README.md and licenses are now installed in the env when installing projects

Changed

• sync now decides whether a project is already installed by checking each lockfile source checksum against the environment, rather than comparing a single project-level checksum.
• sync installs projects using the checksum kind associated with the selected source.
• KPAR sources now verify the archive digest and size before use when expected metadata is available.
• Provided-project handling in sync now matches by project version instead of project checksum.

Fixed

• crash that happens when env.toml is written and later another project is being installed

Closes #325.
Closes #326.