fix: Implement dependency digest tracking for nightly builds

- Updated Docker Compose files to use digest-pinned images for CI contexts.
- Enhanced Dockerfile to pin Go tool installations and verify external downloads with SHA256 checksums.
- Added Renovate configuration for tracking Go tool versions and digest updates.
- Introduced a new design document outlining the architecture and data flow for dependency tracking.
- Created tasks and requirements documentation to ensure compliance with the new digest pinning policy.
- Updated security documentation to reflect the new digest pinning policy and exceptions.

.docker/compose/docker-compose.dev.yml

@@ -2,7 +2,9 @@
 
 services:
   app:
-    image: ghcr.io/wikid82/charon:dev
+    # Override for local testing:
+    # CHARON_DEV_IMAGE=ghcr.io/wikid82/charon:dev
+    image: ${CHARON_DEV_IMAGE:-ghcr.io/wikid82/charon:dev@sha256:8ed38f884c217ee09da02d5b7ba990fa22ccdd4fb0d2e01a4da1b5963301104f}
     # Development: expose Caddy admin API externally for debugging
     ports:
       - "80:80"

.docker/compose/docker-compose.playwright-ci.yml

@@ -27,7 +27,11 @@ services:
   # Charon Application - Core E2E Testing Service
   # =============================================================================
   charon-app:
-    image: ${CHARON_E2E_IMAGE:-charon:e2e-test}
+    # CI default (digest-pinned via workflow output):
+    # CHARON_E2E_IMAGE_DIGEST=ghcr.io/wikid82/charon:nightly@sha256:<digest>
+    # Local override (tag-based):
+    # CHARON_E2E_IMAGE=charon:e2e-test
+    image: ${CHARON_E2E_IMAGE_DIGEST:-${CHARON_E2E_IMAGE:-charon:e2e-test}}
     container_name: charon-playwright
     restart: "no"
     # CI generates CHARON_ENCRYPTION_KEY dynamically in GitHub Actions workflow
@@ -96,7 +100,7 @@ services:
   # CrowdSec - Security Testing Service (Optional Profile)
   # =============================================================================
   crowdsec:
-    image: crowdsecurity/crowdsec:latest
+    image: crowdsecurity/crowdsec:latest@sha256:63b595fef92de1778573b375897a45dd226637ee9a3d3db9f57ac7355c369493
     container_name: charon-playwright-crowdsec
     profiles:
       - security-tests
@@ -122,7 +126,7 @@ services:
   # MailHog - Email Testing Service (Optional Profile)
   # =============================================================================
   mailhog:
-    image: mailhog/mailhog:latest
+    image: mailhog/mailhog:latest@sha256:8d76a3d4ffa32a3661311944007a415332c4bb855657f4f6c57996405c009bea
     container_name: charon-playwright-mailhog
     profiles:
       - notification-tests

.docker/compose/docker-compose.remote.yml

@@ -4,7 +4,7 @@ services:
   # Run this service on your REMOTE servers (not the one running Charon)
   # to allow Charon to discover containers running there (legacy: CPMP).
   docker-socket-proxy:
-    image: alpine/socat
+    image: alpine/socat:latest@sha256:bd8d6a251eb7d1b8c08f7117e3e583e14ec86f43f25d2bf31a6e16ff5dc15f58
     container_name: docker-socket-proxy
     restart: unless-stopped
     ports:

.docker/compose/docker-compose.yml

@@ -1,6 +1,8 @@
 services:
   charon:
-    image: ghcr.io/wikid82/charon:latest
+    # Override for local testing:
+    # CHARON_IMAGE=ghcr.io/wikid82/charon:latest
+    image: ${CHARON_IMAGE:-ghcr.io/wikid82/charon:latest@sha256:371a3fdabc7f52da65a4ac888531a413b6a56294f65041a42fdc0c407e8454c4}
     container_name: charon
     restart: unless-stopped
     ports: