fix: Implement dependency digest tracking for nightly builds
- Updated Docker Compose files to use digest-pinned images for CI contexts.
- Enhanced Dockerfile to pin Go tool installations and verify external downloads with SHA256 checksums.
- Added Renovate configuration for tracking Go tool versions and digest updates.
- Introduced a new design document outlining the architecture and data flow for dependency tracking.
- Created tasks and requirements documentation to ensure compliance with the new digest pinning policy.
- Updated security documentation to reflect the new digest pinning policy and exceptions.
@@ -2,7 +2,9 @@
services:
app:
image: ghcr.io/wikid82/charon:dev
# Override for local testing:
# CHARON_DEV_IMAGE=ghcr.io/wikid82/charon:dev
image: ${CHARON_DEV_IMAGE:-ghcr.io/wikid82/charon:dev@sha256:8ed38f884c217ee09da02d5b7ba990fa22ccdd4fb0d2e01a4da1b5963301104f}
# Development: expose Caddy admin API externally for debugging
ports:
- "80:80"
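Review bot: the `${CHARON_DEV_IMAGE:-...}` default on the new `image:` line applies the digest pin only when the variable is unset or empty, so an exported `CHARON_DEV_IMAGE` or an `.env` entry silently replaces the pinned reference, and the example given in the comment above it is the mutable `ghcr.io/wikid82/charon:dev` tag. Since the commit message says these Compose files are pinned for CI contexts, either have the CI job fail when `CHARON_DEV_IMAGE` is set without an `@sha256:` suffix, or extend the comment to state that the override is for local testing only and bypasses the pin. It is also worth noting in the comment that with both `:dev` and `@sha256:` in the reference the pull resolves by digest and the tag is informational, so the `dev` label can drift from what the digest points to until the digest is refreshed.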