Ledger-based resolution + .versions retirement (gale-recipes #65 cutover)

[kelp]

gale-recipes #65 landed the registry side of the one-ledger/one-writer design: every .binaries.toml now carries an append-only [[history]] ledger (<version>-<revision> -> per-platform {sha256, manifest_digest}), backfilled across the catalog, with immutable revisioned GHCR tags and a daily coherence audit. The republish campaign is healing the mismatched recipes through it now.

0.17.0 shipped verify-by-digest (#111). The remaining client-side work, none of it yet tracked:

1. Ledger reader — resolve a recipe's installable versions from [[history]] in .binaries.toml, not the .versions commit-pin file.
2. Digest-based fetch — pull the artifact by manifest_digest from the ledger entry (verify-by-digest already exists; this extends it to resolution/fetch), keeping the sha256 second-factor.
3. .versions retirement — once 1+2 ship, gale no longer needs .versions; a gale-recipes cutover PR can delete the files and the bridge invariants (merge-commits-only, two-commit append). Until a released gale reads the ledger, those invariants must hold.

Shipping 1+2 in one release lets the gale-recipes cutover follow after an announced grace window. Closes the loop on #62 / #111.

[kelp]

Items 1+2 (client-side ledger resolution + digest-based fetch) shipped in #122 (merged as 78570c9).

Item 3 (the .versions retirement / gale-recipes cutover) is now tracked in kelp/gale-recipes#94. It needs the registry side first (per-entry commit/ref in the ledger so historical installs leave the commit-pin path), then the gale-side removal of parseVersionIndex/fetchLatestPinned/the mispin+skew fallbacks.