Commit Brewfile.lock.json to pin and verify installed package versions #168

@ooloth

Current state

Brewfile.lock.json is explicitly gitignored. Brew packages are installed via brew bundle without the --lock flag, so no version snapshot is committed to the repository. There is no record of which package versions were reviewed, and version drift between machines or reinstalls is undetectable until something breaks.

Ideal state

  • Brewfile.lock.json is generated by brew bundle --lock and committed to the repository
  • .gitignore no longer excludes Brewfile.lock.json
  • The update workflow runs brew bundle --lock so the lockfile stays current on each update
  • Version drift between environments is detectable via git diff

Starting points

  • .gitignore — the Brewfile.lock.json exclusion entry to remove
  • features/update/zsh/ — the update script(s) that call brew bundle, to add the --lock flag

QA plan

  1. Open .gitignore — expect no Brewfile.lock.json entry
  2. Check the repo root — expect Brewfile.lock.json to be present and tracked by git (git ls-files Brewfile.lock.json returns the path)
  3. Run the update workflow or brew bundle --lock --file=<path> manually — expect a lockfile to be generated listing pinned versions for every installed formula

Done when

Brewfile.lock.json is committed to the repository and the update workflow generates it with --lock.
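
QA steps 1 and 2 and the "detectable via git diff" check from the ideal state, as an added shell example that is not part of the original issue. It uses only git; the function name `check_lockfile` is hypothetical.

```shell
#!/bin/sh
# Added example (not from the issue). Usage: check_lockfile REPO_DIR [LOCKFILE]
# Prints one line per failed check; returns 0 only if every check passes.
check_lockfile() {
    repo=$1
    lock=${2:-Brewfile.lock.json}
    rc=0

    # QA step 1. check-ignore is stricter than reading .gitignore by eye:
    # it also catches glob patterns, nested .gitignore files and
    # .git/info/exclude. --no-index reports a matching rule even when the
    # file was force-added and is already tracked.
    if git -C "$repo" check-ignore -q --no-index -- "$lock"; then
        echo "FAIL: $lock is still matched by an ignore rule"
        rc=1
    fi

    # QA step 2. The lockfile must be tracked at the repo root.
    if ! git -C "$repo" ls-files --error-unmatch -- "$lock" >/dev/null 2>&1; then
        echo "FAIL: $lock is not tracked by git"
        rc=1
    # Drift check. A tracked lockfile whose working copy differs from the
    # index means installed versions changed without being reviewed.
    elif ! git -C "$repo" diff --quiet -- "$lock"; then
        echo "FAIL: $lock differs from the tracked copy; review with git diff"
        rc=1
    fi

    return "$rc"
}
```

Run it as `check_lockfile .` from the repository root after the update workflow; a non-zero status means the lockfile is ignored, untracked or changed since it was last staged.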
