docs(modules): update server/client boundary docs and client manifest generation

- update MODULES.md to document dual-entry pattern (main vs ./client) and explain why client entry must not import server-only code
- filter client manifest to only include modules exposing a `./client` subpath export
- add `moduleHasClientEntry` helper in discover.server.js to check package.json exports
- update cli.js to use `moduleHasClientEntry` when rendering the client manifest
- update init.js and modules/index.js to align with new client entry convention

src/features/init.js

@@ -14,7 +14,7 @@
 
 import { createTables as authCreate, dropTables as authDrop } from './auth/db.js';
 import { done, fail, info, step } from '@zen/core/shared/logger';
-import { discoverModules, validateModuleEnvVars } from '../core/modules/discover.server.js';
+import { loadModulesForCli, validateModuleEnvVars } from '../core/modules/discover.server.js';
 import { getRegisteredModules } from '../core/modules/registry.js';
 import { registerPermissions } from '../core/users/permissions-registry.js';
 
@@ -23,7 +23,7 @@ const CORE_FEATURES = [
 ];
 
 async function loadModules() {
-  await discoverModules();
+  await loadModulesForCli();
   const modules = getRegisteredModules();
   validateModuleEnvVars(modules);