Vendor selected Harbor runtime fixes

Port selected changes from Harbor into Pier, using Harbor as the source of
truth where the surrounding Pier architecture allowed direct copying.

Harbor reference range:
- e70d5f06..c4c68e35
- pulled in Harbor on 2026-05-26, reflog entry:
  c4c68e35 HEAD@{2026-05-26 20:05:37 +0000}: pull --tags origin main: Fast-forward

Specific Harbor commits referenced:
- 352389a0 fix(opencode): Allow any model provider to be specified with -m (#1590)
- 8d40b8aa Allow configuring Daytona connection_pool_maxsize via env kwargs (#1445)
- 13ab67a5 Fix Daytona auth and rich verifier rewards (#1620)
- 229e6191 Fix retry exclude CLI override (#1622)
- dd2b317d Fix task.toml writing.
- a53282fc Add separate verifier environments (#1655)
- 080a1cb3 Simplify trial flow (#1672) [reviewed; not vendored as a refactor]
- 971f7406 fix: fail opencode runs on error events (#1658)
- 5dd31c40 Fix EnvironmentConfig deprecation warnings on default construction.
- 8dfc57e6 [codex] Add resource enforcement policies (#1697)

Line-for-line / near-direct ports:
- src/pier/environments/resource_policies.py matches Harbor after namespace rename.
- src/pier/models/task/verifier_mode.py matches Harbor after namespace rename.
- OpenCode provider rejection removal and JSON error-event failure handling follow
  Harbor's hunks.
- retry_exclude default/override behavior follows Harbor's hunk.
- Task TOML blank-line join and legacy memory/storage before-validation follow
  Harbor's hunks.

Intentional Pier deviations:
- Did not vendor Harbor's trial-flow split into single_step.py, multi_step.py,
  and artifact_handler.py. Pier already has trial/execution.py plus ATIF/context
  plumbing; separate verifier support was implemented in the existing Trial flow.
- Resource enforcement was adapted around Pier's existing Docker/Modal/Daytona
  provider behavior, filtered egress, agent preinstall, and mounted log handling.
- Daytona client config remains backward-compatible with older installed Daytona
  SDKs instead of requiring Harbor's dependency bump to daytona>=0.165.0.
- Docker keeps Pier's compose templates and dynamic log mounts rather than
  deleting the base compose file exactly as Harbor did.
- OpenCode file keeps Pier-specific installed-agent packaging, network allowlist,
  and ATIF v1.7/context metric handling.
- Task schema keeps Pier's existing defaults/fields where Harbor has unrelated
  schema changes not requested for this vendor pass.

Verification:
- uv run ruff check src/pier tests/test_harbor_ports.py
- uv run --with pytest python -m pytest tests