Migrate docker SDK to moby - CVE fix

[carole-lavillonniere]

Motivation

Trivy reported 2 vulnerabilities (GHSA-x744-4wpc-v9h2, GHSA-pxq6-2prw-chj9) in github.com/docker/docker v28.5.2+incompatible, both fixed upstream in Docker Engine v29.3.1. Direct version bump is not possible: v29 only exists under docker-vX.Y.Z git tags (Go proxy ignores the prefix) and upstream renamed the Go module to github.com/moby/moby/v2. The SDK has been extracted into separate client and api modules — switching to those picks up the fix. govulncheck confirms reachability of both CVEs in the lstk binary today, so silencing in Trivy without code change was not a defensible option.

Changes

• Replace github.com/docker/docker with github.com/moby/moby/{client,api,api/pkg/stdcopy}; drop github.com/docker/go-connections (port types now in moby/api/types/network)
• Adapt every Client method to the new (opts T) (Result, error) shape: Ping, Info, ImagePull, ContainerCreate/Start/Stop/Remove/Inspect/Logs/List, ImageTag, ImageRemove
• ContainerExecCreate/ContainerExecStart → ExecCreate/ExecStart
• filters.NewArgs(filters.Arg(...)) → make(client.Filters).Add(...)
• nat.Port{Set,Map,Binding} → network.{MustParsePort,PortSet,PortMap,PortBinding} (HostIP now netip.Addr)
• Same migration applied to integration tests' separate module

Tests

• make build, make test (393 tests), make lint all pass
• govulncheck -mode=binary bin/lstk: both DRG-838 CVEs no longer detected
• Manual smoke test (lstk start, lstk logs, lstk stop)

Todo

• Track when moby/moby/client ships a stable v1 — currently on v0.4.1 (beta-line, but same code as Docker Engine v29.4.x in production)

Closes DRG-838

[anisaoshafi]

🚀