clan-cli: improve runtime dependency management

Many dependencies of clan-cli are currently dynamically loaded via nix-shell on each execution.
This is nice, as it reduces the initial closure size of clan, but the overhead introduced by nix-shell piles up quickly, as some commands shell out many times during their lifetime. For example, when adding a secret, git is called 10+ times.

This reduces the time of a test which adds a secret from around 50 seconds to 15 seconds.

- add run_cmd() as an alternative to nix_shell()
- introduce the concept of static dependencies which do not need to go through nix-shell
- static dependencies are defined at build time and included into the wrapper for clan-cli
- add package: clan-cli-full which statically ships all required dependencies

TODO: deprecate nix_shell() in favor of run_cmd()
This commit is contained in:
DavHau
2024-07-11 15:34:41 +07:00
parent 6d33c195d9
commit 430adc875a
7 changed files with 132 additions and 56 deletions

@@ -40,13 +40,22 @@
{
devShells.clan-cli = pkgs.callPackage ./shell.nix {
inherit (self'.packages) clan-cli;
inherit (self'.packages) clan-cli clan-cli-full;
inherit self';
};
packages = {
clan-cli = pkgs.python3.pkgs.callPackage ./default.nix {
inherit (inputs) nixpkgs;
clan-core-path = clanCoreWithVendoredDeps;
includedRuntimeDeps = [
"age"
"git"
];
};
clan-cli-full = pkgs.python3.pkgs.callPackage ./default.nix {
inherit (inputs) nixpkgs;
clan-core-path = clanCoreWithVendoredDeps;
includedRuntimeDeps = lib.importJSON ./clan_cli/nix/allowed-programs.json;
};
clan-cli-docs = pkgs.stdenv.mkDerivation {
name = "clan-cli-docs";
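Review bot: In the clan-cli definition, includedRuntimeDeps is a hand-written list of strings ("age", "git"), while clan-cli-full reads its list from ./clan_cli/nix/allowed-programs.json, and nothing in this hunk keeps the short list a subset of that allow-list. A typo or a name that is later dropped from the JSON would only surface wherever default.nix resolves the names. Consider checking membership against the imported JSON at evaluation time (for example with lib.assertMsg), so that the statically wrapped programs and the allow-list cannot drift apart. The two callPackage calls also repeat inherit (inputs) nixpkgs and clan-core-path; defining clan-cli-full as clan-cli.override { includedRuntimeDeps = ...; } would leave a single place to change. Finally, lib.importJSON needs lib in scope in this module, which the visible lines do not show.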