
fix(flake): switch to useFetchCargoVendor for crates.io UA compatibility #22

Merged
ericbmerritt merged 1 commit into main from fix/flake-fetchcargovendor
May 28, 2026

Conversation

@ericbmerritt

Owner

Summary

CI broke because crates.io added a User-Agent blocklist in late April 2026 and tightened it further in late May. nixpkgs has two crate-fetching paths; only one was patched upstream.

Root cause

| Path | Status |
| --- | --- |
| fetchCargoVendor (Python-based) | Patched in NixOS/nixpkgs#512735 (merged 2026-04-26): sends User-Agent: nixpkgs fetchCargoVendor/2 (https://github.com/NixOS/nixpkgs) and fetches from static.crates.io |
| importCargoLock (used by cargoLock.lockFile = ...) | Not patched. Has its own inline fetchCrate calling fetchurl which still hits the API endpoint without a UA → HTTP 403 |

Our flake used cargoLock.lockFile = self + "/Cargo.lock" — the broken path. Every nix build failed with:

trying https://crates.io/api/v1/crates/boxcar/0.2.14/download
curl: (22) The requested URL returned error: 403

Fix

Switch the build path:

- cargoLock.lockFile = self + "/Cargo.lock";
+ useFetchCargoVendor = true;
+ cargoHash = "sha256-diO7j+Dtzh8PhKMxzTk7pQ+VM7rCeGk29ba1upPyRJg=";
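
Review bot: the cargoHash on the last added line is a hand-pinned value with no comment on how it was produced or when it has to change. The removed cargoLock.lockFile line followed Cargo.lock directly, so after this change a dependency bump also means regenerating this hash. Add a short comment above cargoHash saying that it must be refreshed whenever Cargo.lock changes, so the next lockfile update does not land with a stale value.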

Cargo.lock stays in the repo as the source of truth; fetchCargoVendor reads it via the vendor step.

Verified locally

  • nix build .#default — succeeds
  • nix develop --command validate-wrap just validate — passes (the exact command CI runs)

Follow-up

This unblocks every PR in the repo. PR #20 (spec) and PR #21 (ladder) need to rebase onto this once merged; they'll then pass CI cleanly. Worth filing an upstream nixpkgs issue against importCargoLock since no fix is in flight there yet — separate from this PR.

crates.io added a User-Agent blocklist in late April 2026 that rejects
requests without an identifying UA. nixpkgs has two crate-fetching
paths:

- fetchCargoVendor — patched in NixOS/nixpkgs#512735 (merged 2026-04-26)
  to send 'User-Agent: nixpkgs fetchCargoVendor/2' and fetch from
  static.crates.io
- importCargoLock — used by cargoLock.lockFile = ...; has its own
  inline fetchCrate calling fetchurl; NOT yet patched upstream;
  receives 403 on every crate download

Switching to useFetchCargoVendor + cargoHash routes through the
patched path. Cargo.lock stays as the source of truth; only the
flake.nix attribute changes.
@ericbmerritt ericbmerritt force-pushed the fix/flake-fetchcargovendor branch from 86edd29 to 5be838f Compare May 28, 2026 17:14
@ericbmerritt ericbmerritt merged commit 02f21bf into main May 28, 2026
4 checks passed
@ericbmerritt ericbmerritt deleted the fix/flake-fetchcargovendor branch May 28, 2026 17:50
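
Added example, not part of this pull request or the project's code: a Python sketch that classifies which of the two crate-fetching paths from the root-cause table a Nix expression selects, for auditing other flakes for the unpatched one. The label strings, function names and sample inputs are this example's own assumptions; only the attribute names and the hash come from the PR.

```python
import re

# Matches a double-quoted string, a '#' line comment, or a /* */ block comment.
# Nix ''multi-line'' strings are not handled (a limitation of this sketch).
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|#[^\n]*|/\*.*?\*/', re.S)
# cargoLock.lockFile = ...   or   cargoLock = { lockFile = ...; }
_LOCKFILE = re.compile(r"\bcargoLock\s*(?:\.\s*lockFile\s*=|=\s*\{[^}]*\blockFile\s*=)")
_VENDOR = re.compile(r"\buseFetchCargoVendor\s*=\s*true\s*;")
_HASH = re.compile(r'\bcargoHash\s*=\s*"sha256-[A-Za-z0-9+/=]+"\s*;')


def strip_comments(src):
    """Drop comments but keep string literals, so a commented-out attribute is ignored."""
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", src)


def classify(src):
    """Return a label (names are this example's own) for the crate-fetching path."""
    code = strip_comments(src)
    if _LOCKFILE.search(code):
        return "importCargoLock"  # the unpatched path in the PR's table
    if _VENDOR.search(code):
        # The vendor path needs a pinned cargoHash next to it.
        return "fetchCargoVendor" if _HASH.search(code) else "fetchCargoVendor-no-hash"
    return "unknown"


# Constructed samples; BEFORE and AFTER reuse the attribute lines from the PR's diff.
BEFORE = 'cargoLock.lockFile = self + "/Cargo.lock";\n'
AFTER = ('useFetchCargoVendor = true;\n'
         'cargoHash = "sha256-diO7j+Dtzh8PhKMxzTk7pQ+VM7rCeGk29ba1upPyRJg=";\n')
ATTRSET = 'cargoLock = {\n  lockFile = ./Cargo.lock;  # pinned\n};\n'
COMMENTED = '# cargoLock.lockFile = self + "/Cargo.lock";\n' + AFTER
NO_HASH = 'useFetchCargoVendor = true;\n'

if __name__ == "__main__":
    for name, text in [("before", BEFORE), ("after", AFTER), ("attrset", ATTRSET),
                       ("commented", COMMENTED), ("no-hash", NO_HASH)]:
        print(f"{name:10s} {classify(text)}")
```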