Runtime REC namespace reconciliation
REC now tracks live Docker state continuously: a Docker /events listener plus a periodic rescan (REC_RESCAN_INTERVAL, default 60s) reconcile the monitored namespace set, so coverage self-heals on container restart, redeploy, and removal without an Observer restart. Host fallback runs only when no namespace is monitored. Legacy REC_NS_CONTAINER mode is unchanged.
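The reconciliation described above, sketched as an added example; this is not REC's own code. The Reconciler class, its method names, the resolve_ns callback and the integer namespace identifiers are assumptions made for illustration, and the event lines are constructed in the shape of the Docker /events stream.

```python
import json

# Constructed sample lines in the shape of the Docker /events stream.
SAMPLE_EVENTS = [
    '{"Type":"container","Action":"start","Actor":{"ID":"web"}}',
    '{"Type":"network","Action":"connect","Actor":{"ID":"net0"}}',
    '{"Type":"container","Action":"die","Actor":{"ID":"web"}}',
]

class Reconciler:
    """Hypothetical model: container ID -> namespace identity being monitored."""
    def __init__(self):
        self.monitored = {}
        self.log = []  # (action, container_id, namespace_id) in order taken

    @property
    def host_fallback(self):
        # Host fallback runs only when no namespace is monitored.
        return not self.monitored

    def _attach(self, cid, ns):
        if self.monitored.get(cid) == ns:
            return  # already covered, nothing to do
        self._detach(cid)  # restart/redeploy: same container, new namespace
        self.monitored[cid] = ns
        self.log.append(("attach", cid, ns))

    def _detach(self, cid):
        if cid in self.monitored:
            self.log.append(("detach", cid, self.monitored.pop(cid)))

    def on_event(self, line, resolve_ns):
        """Apply one JSON line from the event stream."""
        ev = json.loads(line)
        if ev.get("Type") != "container":
            return
        cid, action = ev["Actor"]["ID"], ev.get("Action")
        if action == "start":
            ns = resolve_ns(cid)  # None if the container is already gone
            if ns is not None:
                self._attach(cid, ns)
        elif action in ("die", "destroy"):
            self._detach(cid)

    def rescan(self, live):
        """Full pass over {container_id: namespace_id} of running containers."""
        for cid in sorted(set(self.monitored) - set(live)):
            self._detach(cid)  # removal whose event was missed
        for cid, ns in sorted(live.items()):
            self._attach(cid, ns)  # start or restart whose event was missed
```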