fix: add apply diagnostics for silent no-op failures

[Wenxin-Jiang]

Summary

• Track unmatched manifest entries: After the apply loop, compares targeted manifest PURLs against actually-matched PURLs. Any unmatched entry produces a warning with the specific PURL. Correctly handles PyPI qualified variants and respects --ecosystems filtering.
• Fail when nothing matches: Changes exit code from 0 to 1 when the manifest has patches in scope but no matching packages are found on disk. Also fails when packages are discovered but none match any targeted manifest entry.
• Post-apply summary: Prints Summary: X/Y targeted patches applied, Z already patched, W not found on disk so the user always sees the gap.
• JSON output: Adds unmatchedPatches (count) and unmatchedPurls (list) to --json output.

Addresses findings CRITICAL-1 (zero packages → exit 0), CRITICAL-2 (version mismatch → silent skip), and CRITICAL-3 (no unmatched-manifest diagnostic) from the reliability audit.

Test plan

• cargo check -p socket-patch-cli compiles
• cargo test -p socket-patch-cli passes
• cargo test -p socket-patch-core passes (255 tests)
• Manual: run apply in a dir with manifest but no node_modules/ — should exit 1 with warning
• Manual: run apply after npm update changes a version — should warn about unmatched PURL
• Manual: run apply --ecosystems npm with pypi patches in manifest — pypi patches should NOT appear as unmatched
• Manual: run apply --json — verify unmatchedPatches and unmatchedPurls fields

🤖 Generated with Claude Code

[Wenxin-Jiang]

@claude review once