Add uv (Astral Python package manager) support

- Add uv package manager implementation following pip pattern
- Configure MITM proxy with CA bundle for PyPI packages
- Add shell integration (bash/zsh/fish/PowerShell)
- Conditional on --include-python flag
- Add 33 comprehensive E2E tests covering:
  - uv pip install/sync/compile commands
  - uv add for project dependencies
  - uv tool install for global tools
  - uv run --with for ephemeral dependencies
  - uv sync for project syncing
  - Malware blocking verification for all methods
- Update documentation and package.json
- Install uv in Docker test environment

packages/safe-chain/src/packagemanager/uv/runUvCommand.js

@@ -0,0 +1,76 @@
+import { ui } from "../../environment/userInteraction.js";
+import { safeSpawn } from "../../utils/safeSpawn.js";
+import { mergeSafeChainProxyEnvironmentVariables } from "../../registryProxy/registryProxy.js";
+import { getCombinedCaBundlePath } from "../../registryProxy/certBundle.js";
+
+/**
+ * Sets CA bundle environment variables used by Python libraries and uv.
+ * These are applied to ensure all Python network libraries respect the combined CA bundle.
+ * 
+ * @param {NodeJS.ProcessEnv} env - Environment object to modify
+ * @param {string} combinedCaPath - Path to the combined CA bundle
+ */
+function setUvCaBundleEnvironmentVariables(env, combinedCaPath) {
+  // UV_NATIVE_TLS: Use system-provided TLS certificates (default is true)
+  // But we also need to provide our CA bundle for MITM'd connections
+  
+  // SSL_CERT_FILE: Used by Python SSL libraries and underlying HTTP clients
+  if (env.SSL_CERT_FILE) {
+    ui.writeWarning("Safe-chain: User defined SSL_CERT_FILE found in environment. It will be overwritten.");
+  }
+  env.SSL_CERT_FILE = combinedCaPath;
+
+  // REQUESTS_CA_BUNDLE: Used by the requests library (which uv may use internally)
+  if (env.REQUESTS_CA_BUNDLE) {
+    ui.writeWarning("Safe-chain: User defined REQUESTS_CA_BUNDLE found in environment. It will be overwritten.");
+  }
+  env.REQUESTS_CA_BUNDLE = combinedCaPath;
+
+  // PIP_CERT: Some underlying pip operations may respect this
+  if (env.PIP_CERT) {
+    ui.writeWarning("Safe-chain: User defined PIP_CERT found in environment. It will be overwritten.");
+  }
+  env.PIP_CERT = combinedCaPath;
+}
+
+/**
+ * Runs a uv command with safe-chain's certificate bundle and proxy configuration.
+ * 
+ * uv respects standard environment variables for proxy and TLS configuration:
+ * - HTTP_PROXY / HTTPS_PROXY: Proxy settings
+ * - SSL_CERT_FILE / REQUESTS_CA_BUNDLE: CA bundle for TLS verification
+ * 
+ * @param {string} command - The uv command to execute (typically 'uv')
+ * @param {string[]} args - Command line arguments to pass to uv
+ * @returns {Promise<{status: number}>} Exit status of the uv command
+ */
+export async function runUv(command, args) {
+  try {
+    const env = mergeSafeChainProxyEnvironmentVariables(process.env);
+
+    // Provide uv with a complete CA bundle (Safe Chain CA + Mozilla + Node built-in roots)
+    // so that network requests validate correctly under both MITM'd and tunneled HTTPS.
+    const combinedCaPath = getCombinedCaBundlePath();
+
+    // Set CA bundle environment variables for uv and underlying Python libraries
+    setUvCaBundleEnvironmentVariables(env, combinedCaPath);
+
+    // Note: uv uses HTTPS_PROXY and HTTP_PROXY environment variables for proxy configuration
+    // These are already set by mergeSafeChainProxyEnvironmentVariables
+
+    const result = await safeSpawn(command, args, {
+      stdio: "inherit",
+      env,
+    });
+
+    return { status: result.status };
+  } catch (/** @type any */ error) {
+    if (error.status) {
+      return { status: error.status };
+    } else {
+      ui.writeError(`Error executing command: ${error.message}`);
+      ui.writeError(`Is '${command}' installed and available on your system?`);
+      return { status: 1 };
+    }
+  }
+}