chore: bump direct go dependencies

[dgageot]

This PR updates two direct dependencies to incorporate bug fixes and improvements.

The bumps are straightforward upgrades with no code changes required. Both dependencies pass linting and tests on the current version of the codebase.

A third dependency, google.golang.org/adk, was evaluated but not bumped. Version v1.3.0 deprecates the server/adka2a package in favor of server/adka2a/v2, which would require a separate migration and is being deferred to a follow-up effort.

Module	From	To	Status
github.com/docker/portcullis	v0.0.0-20260526131538-fc97bf12bbdb	v0.0.0-20260526171634-3105c185ace7	bumped
github.com/pb33f/libopenapi	v0.36.6	v0.37.1	bumped
google.golang.org/adk	v1.2.0	v1.3.0	skipped — lint failure (adka2a deprecated, requires migration to adka2a/v2)

[docker-agent]

Assessment: 🟢 APPROVE

Reviewed dependency bumps for github.com/docker/portcullis and github.com/pb33f/libopenapi. No bugs or regressions found in the changed code.

Summary of findings: All observations are low-severity informational notes (below the reporting threshold):

• Both bumped modules retain identical /go.mod hashes from their prior versions — this is expected when upstream go.mod files are unchanged between commits, but can be confirmed by running go mod tidy and checking for a clean diff.
• No new transitive dependency hashes appear in go.sum, consistent with no new transitive dependencies being introduced.
• The intentional skip of google.golang.org/adk (deferred migration from server/adka2a → server/adka2a/v2) is correctly implemented in the diff.