chore: migrate Docker base images from Alpine to Debian Trixie

Migrated all Docker stages from Alpine 3.23 to Debian Trixie (13) to
address critical CVE in Alpine's gosu package and improve security
update frequency.

Key changes:

Updated CADDY_IMAGE to debian:trixie-slim
Added gosu-builder stage to compile gosu 1.17 from source with Go 1.25.6
Migrated all builder stages to golang:1.25-trixie
Updated package manager from apk to apt-get
Updated user/group creation to use groupadd/useradd
Changed nologin path from /sbin/nologin to /usr/sbin/nologin
Security impact:

Resolved gosu Critical CVE (built from source eliminates vulnerable Go stdlib)
Reduced overall CVE count from 6 (bookworm) to 2 (trixie)
Remaining 2 CVEs are glibc-related with no upstream fix available
All Go binaries verified vulnerability-free by Trivy and govulncheck
Verification:

E2E tests: 243 passed (5 pre-existing failures unrelated to migration)
Backend coverage: 87.2%
Frontend coverage: 85.89%
Pre-commit hooks: 13/13 passed
TypeScript: 0 errors
Refs: CVE-2026-0861 (glibc, no upstream fix - accepted risk)

docs/security-incident-response.md

@@ -152,7 +152,7 @@ cp -r ./charon-data /tmp/incident-backup-$(date +%Y%m%d%H%M%S)
 ls -la ./charon-data/backups/
 
 # Verify backup can be read
-docker run --rm -v ./charon-data/backups:/backups alpine ls -la /backups
+docker run --rm -v ./charon-data/backups:/backups debian:bookworm-slim ls -la /backups
 ```
 
 **Step 2: Restore from Clean State**