Add a new 'pin' subcommand to rewrite base.image to an explicit URL. Extend build and rebuild with --locked, --offline, and --require-pinned-image, and wire flags into the core engine build options.
