fix(security): refresh CI and gateway image dependencies

[johntmyers]

Summary

Refreshes the CI image toolchain and gateway runtime image to address reported container scan findings. The CI image moves to patched Go-built tool releases, Python 3.14.5, and omits the vulnerable Linux k3d binary from Linux installs. The gateway runtime rebases to pinned distroless Debian 13 with glibc 2.41-12+deb13u3 while preserving the existing UID/GID 1000 runtime identity for upgrade compatibility.

Related Issue

Security scan report provided out of band.

Changes

• Bumped Docker CLI/buildx/GitHub CLI and mise-managed CI tools.
• Updated gateway base to gcr.io/distroless/cc-debian13:nonroot@sha256:e1fd250ce83d94603e9887ec991156a6c26905a6b0001039b7a43699018c0733 while keeping gateway and Helm defaults at UID/GID 1000.
• Updated rustls-webpki to 0.103.13.
• Ignored local .codex/ state so pre-commit license checks do not scan machine-local agent files.
• Clarified Linux k3d/kind guidance now that k3d is no longer installed through mise on Linux.

Testing

• mise run pre-commit
• mise run helm:lint
• mise run helm:test
• Verified the new gateway base reports Debian glibc 2.41-12+deb13u3.
• Verified Linux mise install --locked --dry-run excludes k3d from CI installs.
• Built a lightweight dummy gateway image from the updated Dockerfile and confirmed the entrypoint and 1000:1000 runtime user configuration.

Checklist

• Follows Conventional Commits
• Commits are signed off (DCO)

[github-actions]

🌿 Preview your docs: https://nvidia-preview-pr-1432.docs.buildwithfern.com/openshell

[github-actions]

Label test:e2e applied for 1b8f8e2. Open the existing run and click Re-run all jobs to execute with the label set. The E2E Gate check on this PR will flip green automatically once the run finishes.