Port Docker option completeness to current upstream

[shaninja]

Context

Our fork's master is still based on an old fork lineage, while current upstream lavie/runlike/master is at 91e74d3. This PR is therefore intentionally opened inside our fork against the review base branch upstream-master-91e74d3, which points at current upstream. That keeps the diff focused on the ported completeness work instead of mixing in the 167 upstream commits that our fork had not previously synced.

This is a review PR for our repo so we can inspect the upstream-based port before deciding how to shape the eventual PR to lavie/runlike.

What Changed

• Ported the phase 11 Docker option completeness work onto current upstream instead of continuing from the stale fork base.
• Preserved upstream's current package metadata, release workflows, Dockerfile, and GitHub Actions structure where possible.
• Added the generated Docker option manifest, current target metadata, option dictionary, probe results, probe work ledger, and generated support matrix.
• Added the normalized inspect model, dictionary-backed renderer, and unsupported-option warning engine.
• Added Docker round-trip probe tooling and per-option probe fixtures.
• Updated the Makefile with targets for probe execution, generated artifact checks, manifest source validation, support artifact refresh, and Docker target verification.
• Updated GitHub Actions CI to use ubuntu-22.04, install the pinned Docker target, set DOCKER_API_VERSION=1.44, and run the generated-file, manifest-source, and option-probe gates.
• Updated CI actions to actions/checkout@v6 and actions/setup-python@v6, which use Node 24.
• Removed DockerHub login from the build/test workflow. Publishing still belongs to the release/publish workflows; build/test CI should not require DOCKERHUB_TOKEN on every branch push.
• Removed the legacy inspect_fixtures.sh failure hook from build/test CI because the old live fixture suite is skipped and the probe suite is now the active Docker coverage.
• Replaced the README's manual supported/unsupported option tables with links to the generated support matrix artifacts.
• Included spec/option-dictionary/*.json in the Python package so installed wheels/sdists have the renderer metadata available.

Important Review Notes

• This PR targets upstream-master-91e74d3, not our stale master, so the diff should represent the actual upstream port.
• The old live fixture inspection tests are retained as skipped legacy coverage. The active coverage now comes from focused unit tests plus Docker round-trip probes. That is a deliberate testing strategy change and should be called out clearly when we prepare the upstream PR.
• CI now depends on the pinned Docker 25.0.5 / API 1.44 target. The installer and verification step are part of the branch so GitHub Actions should not accidentally test against a runner-provided Docker version.

CI Failure Fixed

The first push run failed after all tests and probes had passed because the inherited build/test workflow tried to log into DockerHub on every push. Our fork/review branch does not provide DOCKERHUB_TOKEN, so docker/login-action failed with Password required. The follow-up commit removes DockerHub login from build/test CI and leaves publishing responsibility in the release/publish workflows.

The same failed run also invoked inspect_fixtures.sh, which then failed with missing legacy fixture containers and masked the real failure. That hook has been removed from build/test CI because probe-based Docker checks are now the active coverage.

Verification

Initial port verification, run locally in the upstream-based worktree with /home/shani/.docker25-env sourced for Docker checks:

source /home/shani/.docker25-env && make test
# 131 passed, 37 skipped, 1 warning

source /home/shani/.docker25-env && make check-generated
# Generated files are current.

source /home/shani/.docker25-env && make check-manifest-source
# Docker target validation passed.
# Docker option manifest source validation passed.

source /home/shani/.docker25-env && make test-probes-options
# Fresh probe result summary: 76 passed, 0 failed, 76 total

poetry check
# All set!

poetry build
# Built runlike-1.6.3 sdist and wheel

git diff --cached --check
# clean before commit

Follow-up CI fix verification:

poetry run pytest test_probe_ci.py -q
# 10 passed

source /home/shani/.docker25-env && make test
# 134 passed, 37 skipped, 1 warning

source /home/shani/.docker25-env && make check-generated
# Generated files are current.

git diff --check
# clean

GitHub Actions after the CI fix commit b8de13f:

• push run: https://github.com/shaninja/runlike/actions/runs/25916149176 - success
• pull_request run: https://github.com/shaninja/runlike/actions/runs/25916150672 - success

Also checked the staged diff before the initial port commit for accidental .env/.db files, obvious secret patterns, and debugger statements; none were found.