feat(base): add toolchain installs to base image for volume-mount architecture

[Tjemmmic]

Summary

Moves all toolchain installs from the now-deleted Dockerfile.layer into the shared base image (base-system.Dockerfile). This supports the new volume-mount architecture where the sidecar and shared code are bind-mounted at runtime instead of baked into 82+ layered images.

• Add 6 versioned CLI tools to base image: OpenCode, Bun, sccache, Newt, mise, GitHub CLI
• Add unzip, ripgrep system packages; pin node-pty@1.0.0
• Add git credential helper for GITHUB_TOKEN-based auth
• Create /sidecar and /shared mount points with module resolution symlinks
• Consolidate all environment variables (XDG dirs, cache paths, tool configs)
• Create agent home directory structure with 777 permissions (for CapDrop: ALL)
• Add EXPOSE 8080 and agent.sidecar labels
• Remove unused appuser (UID 1001)
• Make CI infra matrices dynamic (auto-discovered from Dockerfile FROM lines)
• Add daily scheduled rebuild to pick up upstream base image updates
• Fix tangle Dockerfile npm package name (@webb-tools/tangle-substrate-types)

GITHUB_TOKEN concern is unwarranted. The content of the github block is actually creating a script that is fully isolated within the created container and uses the user's config value