feat(providers): add Docker Agent provider

[ericcurtin]

Summary

• Add docker-agent as a built-in agent provider for OpenShell
• Enables docker agent to be sandboxed and policy-enforced within OpenShell
• Covers Docker Hub OCI registry endpoints (for pulling agent images), the Docker Model Runner internal endpoint (for local inference), and an optional Hub access token for private repositories

Related Issue

N/A — new provider addition from the Docker ecosystem.

Changes

• providers/docker-agent.yaml — declarative profile: agent category, Docker Hub + model-runner endpoints, optional DOCKER_ACCESS_TOKEN credential
• crates/openshell-providers/src/providers/docker_agent.rs — DockerAgentProvider plugin backed by ProviderDiscoverySpec for DOCKER_ACCESS_TOKEN
• crates/openshell-providers/src/providers/mod.rs — expose docker_agent module
• crates/openshell-providers/src/profiles.rs — embed YAML at compile time
• crates/openshell-providers/src/lib.rs — register plugin in ProviderRegistry; add docker-agent and docker_agent aliases to normalize_provider_type

Testing

• All 25 existing openshell-providers unit tests pass
• One new unit test in docker_agent.rs verifying DOCKER_ACCESS_TOKEN discovery
• cargo clippy -p openshell-providers — clean

Checklist

• Follows Conventional Commits format
• SPDX license headers present on all new files
• No credentials or secrets introduced
• Unit tests added for new provider plugin
• Profile YAML validates (covered by default_profiles_are_sorted_by_id test)

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.