[codex] Add Docker execution environments

[aandresalvarez]

Summary

• Adds durable workspace/task/run execution-environment state for Docker-backed runs.
• Discovers Dockerfiles, Compose files, devcontainer configs, and loaded workspace images.
• Adds Docker image inventory/build services and wires the Container right-rail panel with a single environment dropdown plus build action.
• Routes selected Docker image environments through the runtime launch planner with workspace/task mounts, path mapping, audit fields, and fail-closed policy checks.
• Blocks unsafe container options including privileged mode, host networking, and Docker socket mounts, including Docker Desktop socket aliases.

Root Cause

ASTRA could recognize repositories but had no durable, testable owner for container execution state. Docker-related markers were discovered as inert facts, and the UI exposed Host/image switching as multiple row actions instead of one clear environment setting. Runtime launch planning also needed an explicit container boundary so tasks could be pinned to the environment they actually used.

Validation

• swift test --filter ExecutionEnvironmentTests
• swift test --filter ArchitectureFitnessTests
• git diff --check
• ./script/build_and_run.sh --verify