v0.4.1 - Immich drift gate (multi-vendor)

Mirrors the Famly drift design against the operator's Immich
server. Tag-push only, manifest + baseline committed, anonymize
for cardinality, struct-allowlist when Immich endpoints get bound
to typed structs (currently full-shape; see drift_schemas.go).

New: discovery/probe/manifest-immich.toml, discovery/baselines/
main-immich/, drift-gate-immich CI job (allow_failure: true so
forkers without IMMICH_BASE_URL/IMMICH_API_KEY are not blocked).

Drift command made vendor-agnostic: env-expanded base_url, per-
vendor token resolution keyed off m.AuthEnv, validation moved
into Probe and runDrift's vendor branches.

Operator next steps:
  1. Set IMMICH_BASE_URL + IMMICH_API_KEY as masked + protected
     CI variables on dunn.dev/bairn.
  2. Locally seed the baseline:
     bairn drift --anonymize \
       --manifest discovery/probe/manifest-immich.toml \
       --out-dir discovery/baselines/main-immich
  3. Commit + push the seeded shapes; the next tag pipeline gates
     on them.