fix: allow HTTPS in PKL resource allowlist for package resolution

The security fix in 56ad2b1 removed https: from both allowedModules and
allowedResources. However, package: URI resolution internally downloads
archives via HTTPS, so removing it from allowedResources broke all configs
using published PKL packages (package://github.com/...).

Restore https: in allowedResources only — module imports still block
https: to prevent executing remote code.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: alexey1312

Sources/ExFigConfig/PKL/PKLEvaluator.swift

@@ -23,9 +23,11 @@ public enum PKLEvaluator {
         "pkl:", "repl:", "file:", "modulepath:", "package:", "projectpackage:",
     ]
 
-    /// Allowed resource schemes (no http/https to prevent network reads).
+    /// Allowed resource schemes.
+    /// Includes https: because package: resolution requires downloading archives via HTTPS.
+    /// Module imports (allowedModules) still block https: to prevent executing remote code.
     private static let allowedResources = [
-        "file:", "env:", "prop:", "modulepath:", "package:", "projectpackage:",
+        "file:", "env:", "prop:", "modulepath:", "package:", "projectpackage:", "https:",
     ]
 
     /// Evaluates a PKL configuration file and returns the typed ExFig module.