/run-security-scan
alexcos20 left a comment
AI automated code review (Gemini 3).
Overall risk: medium
Summary:
This pull request introduces a configurable option enableNetwork for Docker compute environments, allowing algorithm containers to optionally have network access. By default, network access remains disabled (false), maintaining the current secure posture. The PR also adds scanImageDBUpdateInterval for configuring how often vulnerability database updates occur for image scanning using Trivy. Documentation, type definitions, and schema validation are updated accordingly, ensuring consistency and clear defaults.
Comments:
• [INFO][other] The initialization of this.enableNetwork using clusterConfig.connection.enableNetwork ?? false correctly implements a secure-by-default approach. This ensures that network access for algorithm containers is disabled unless explicitly configured otherwise, which is crucial for security.
• [INFO][security] This conditional logic correctly applies NetworkMode: 'none' when this.enableNetwork is false, preserving the current secure network isolation. When enableNetwork is true, the containers will be allowed network access. Operators enabling this feature must thoroughly understand and accept the associated security implications, as it significantly changes the execution environment of algorithms.
• [INFO][other] Adding enableNetwork to the configuration schema with a default(false) is excellent practice, reinforcing the secure-by-default principle directly in the validation layer. The addition of scanImageDBUpdateInterval with a sensible default also enhances the existing security scanning capabilities.
Summary
• Add enableNetwork option to Docker C2D environments to allow enabling/disabling networking for algorithm containers (default: disabled).
• Extend Docker compute environment config schema/types/docs to include enableNetwork and scanning-related defaults.
• Tech debt: Add scanImage related options to z schema
Motivation
Some compute workloads require outbound network access during algorithm execution, while the default posture should remain “no network” for security. This change keeps the secure default and allows opting in per compute environment.
Changes
• enableNetwork added to DOCKER_COMPUTE_ENVIRONMENTS entries (default false).
• When enableNetwork is false, containers are created with HostConfig.NetworkMode = 'none'. When true, the container uses Docker defaults (networking enabled).
• Update docs/env.md with the new field and improve wording for image scanning options.