chore(security): patch CVEs in api/agents/ui + add dependabot config

[JoshuaAFerguson]

Summary

• Patches 24 of 27 open Dependabot alerts (critical/high/medium)
• Adds .github/dependabot.yml so weekly scans cover the v2 layout (agents/docker-agent, agents/k8s-agent, api, tests, ui, github-actions)
• Closes obsolete PRs chore(deps): bump golang.org/x/crypto from 0.18.0 to 0.45.0 in /docker-controller in the go_modules group across 1 directory #197/chore(deps): bump golang.org/x/net from 0.20.0 to 0.38.0 in /docker-controller in the go_modules group across 1 directory #198/chore(deps): bump github.com/docker/docker from 24.0.7+incompatible to 25.0.13+incompatible in /docker-controller in the go_modules group across 1 directory #199 (against the old /docker-controller path) — those bumps are reapplied here against agents/docker-agent
• Subsumes chore(deps): bump the npm_and_yarn group across 1 directory with 2 updates #245 (axios + @remix-run/router) — both are bumped via npm audit fix in this PR

Bumps

Go

Module	Package	Old → New	Severity
agents/docker-agent	docker	24.0.7 → 25.0.13	critical, low, medium
agents/docker-agent	golang.org/x/net	0.19.0 → 0.38.0	3× medium
agents/k8s-agent	moby/spdystream	0.5.0 → 0.5.1	high
api	go-jose/v4	4.1.3 → 4.1.4	high
api	golang-jwt/v5	5.2.0 → 5.2.2	high
api	goxmldsig	1.4.0 → 1.6.0	high

npm (lockfile-only): axios 1.13.2→1.15.2, @remix-run/router 1.23.1→1.23.2, vite 6.4.1→6.4.2, rollup→4.60.2, minimatch→9.0.9, follow-redirects→1.16.0, picomatch→2.3.2, postcss→8.5.10, flatted→3.4.2.

Verified

• go build ./... passes in all 3 modules
• npm run build passes (vite production build)
• npm audit reports 0 vulnerabilities after fix
• TypeScript error count unchanged from main (609 pre-existing — separate cleanup)

Remaining (deferred)

3 docker/docker GHSA advisories with no upstream patched version (require docker v25 → v29 major upgrade). Tracked separately.

Test plan

• CI passes
• Smoke: API + docker-agent + k8s-agent containers build
• UI builds and runs

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 529b8e478f

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Align docker-agent Go version with build toolchain

Setting go 1.25.0 here raises the module minimum above the docker-agent builder image (agents/docker-agent/Dockerfile uses golang:1.21-alpine), so go mod download/go build in that image will fail with a toolchain-version error before the binary is produced. This makes the documented container build path for docker-agent unusable unless the Dockerfile (and other pinned Go 1.21 environments) are upgraded in the same change.

Useful? React with 👍 / 👎.