Comparing changes

base repository: shieldproject/shield
base: develop
head repository: shieldproject/shield
compare: trv3-456-version-bumps
  • 12 commits
  • 3,584 files changed
  • 1 contributor

Commits on Apr 24, 2026

  1. Update Go toolchain to 1.25

    Raise go.mod to go 1.25.5 and drop the toolchain
    directive.  Matches blacksmith and the rest of the
    long-running studio services.
    
    Go 1.25's default go test vet tightens the printf
    check, flagging 15 call sites with non-constant
    format strings.  Fixed in place to keep the suite
    green under the new toolchain.
    itsouvalas committed Apr 24, 2026
    c631f3a
  2. Update Dockerfile to golang 1.25-bookworm

    Build image was pinned to golang:1.21-bookworm,
    four minors behind go.mod.  Move to 1.25-bookworm
    so image and go directive match.
    itsouvalas committed Apr 24, 2026
    0360f24
  3. Update webdav/demo images to nginx bookworm

    Both images were on bullseye-derived bases.  Debian
    bullseye goes EOL 2026-06; bookworm is current and
    supported through 2028.
    
    Pin the nginx minor (1.27) but let the patch tag
    float, so security fixes land without a re-bump.
    
    Noted: webdav Dockerfile still carries a deprecated
    MAINTAINER line.  Left alone -- cleanup is not in
    scope for a version bump.
    itsouvalas committed Apr 24, 2026
    f02914b
  4. Update mysql driver to v1.9.3

    Previous pin (v1.5.0, 2020) predates MySQL 8's
    caching_sha2_password default auth and carries
    five years of missed security + compat fixes.
    
    Driver is registered via blank import in
    plugin/mysql/plugin.go; no API surface changes in
    our caller.  filippo.io/edwards25519 appears as
    an indirect dep because v1.9 added optional
    support for MariaDB's ed25519 auth plugin -- not
    something SHIELD enables, but carried along.
    itsouvalas committed Apr 24, 2026
    8208571
  5. Update go-sqlite3 to v1.14.42

    Previous pin (v1.14.15, 2022) is pre-Go 1.22
    compat and carries an older bundled SQLite
    amalgamation.  v1.14.42 is the current v1.14
    patch, ships a newer SQLite, and keeps binary
    layout and the CGo build surface unchanged.
    
    SHIELD's internal store uses this driver via
    database/sql; no API surface changes in callers.
    itsouvalas committed Apr 24, 2026
    4c8eabb
  6. Update consul api to v1.29.6

    Clears drift on the consul client library --
    previous pin (v1.18.0) is from early 2023.
    
    Used only by plugin/consul/plugin.go via thin
    surface: api.NewClient, api.KVPair, api.KV().
    No caller changes required.
    
    Transitive churn: armon/go-metrics, mapstructure,
    and go-immutable-radix bump patch/minor; btree
    and go-msgpack drop out as indirect deps; x/exp
    appears as new indirect.
    itsouvalas committed Apr 24, 2026
    d05328d
  7. Upgrade google go-github to v76

    Previous pin was an 11-year-old pseudo-version
    (2015) carrying a documented latent bug: the
    Organizations.ListUserTeams call behaves
    incorrectly against modern GitHub per a comment
    in-code, because that endpoint moved to Teams
    in go-github v17.
    
    v76 is the current major.  API surface used is
    three calls:
    
      Users.Get              (ctx, username)
      Organizations.List     (ctx, username, opts)
      Teams.ListUserTeams    (ctx, opts)
    
    All three now take context as the first arg, and
    the teams call moved from the Organizations
    service to Teams.
    
    The Client wrapper's exported surface (NewClient,
    Lookup) is unchanged, so core/auth_provider_github
    does not need to move.
    
    Stale comment referring to the v3/v47 drift is
    removed -- the underlying bug it described is now
    fixed.
    itsouvalas committed Apr 24, 2026
    3816eef
  8. Update routine deps and x/* security baseline

    Bundle of routine refreshes; no API changes in any
    caller.  Per plan matrix:
    
      golang.org/x/crypto         v0.36.0 -> v0.50.0
      golang.org/x/net            v0.38.0 -> v0.53.0
      golang.org/x/oauth2         v0.30.0 -> v0.36.0
      fsouza/go-dockerclient      v1.12.1 -> v1.12.4
      prometheus/client_golang    v1.19.1 -> v1.23.2
    
    x/net is carried as indirect but bumped explicitly
    alongside x/crypto to keep the security baseline
    coherent.
    
    Transitive churn of note: docker/docker 27 -> 28,
    klauspost/compress 1.16 -> 1.18, x/sys / x/term /
    x/text advance to current, protobuf 1.33 -> 1.36,
    prometheus/common 0.48 -> 0.66, prometheus/procfs
    0.12 -> 0.16.  moby/go-archive added as a new
    indirect pulled in by go-dockerclient v1.12.4.
    itsouvalas committed Apr 24, 2026
    e15339d
  9. Update jQuery to 3.7.1 (XSS CVEs)

    Previous vendored copy was 3.2.1 from 2017, which
    predates jQuery's 3.5 series -- the one that fixed
    the HTML-parsing XSS family (CVE-2020-11022 and
    CVE-2020-11023) triggered via .html() and similar
    calls on attacker-controlled input.
    
    3.7.1 is the current 3.x release.  Minified file
    dropped in from https://code.jquery.com/ verified
    against the upstream SRI hash:
    
      sha256 fc9a93dd241f6b045cbff0481cf4e1901becd0e12fb45166a8f17f95823f0b1a
    
    Loaded as <script src="https://github.com/js/jquery.js"> from
    index.html; no caller changes needed -- 3.7 keeps
    the 3.x API surface.
    itsouvalas committed Apr 24, 2026
    0ca2bfd
  10. Update showdown markdown lib to 2.1.0

    Previous vendored copy was 1.9.0 from 2018.  2.x
    landed in 2022 and is the maintained line; 1.x has
    not received patches since.
    
    Used in web/htdocs/js/lib.js as:
    
      new showdown.Converter({
        omitExtraWLInCodeBlocks, simplifiedAutoLink,
        literalMidWordUnderscores, strikethrough,
        tables, simpleLineBreaks, openLinksInNewWindow
      })
    
    All seven options survive the 1.x -> 2.x jump
    unchanged, and makeHtml() is API-stable across
    the bump, so no caller changes needed.
    
    Minified 2.1.0 pulled from cdn.jsdelivr.net; sha
    cross-checked against unpkg to catch mirror drift:
    
      sha256 88eb6fbbe0c270ddf3384aee0c9620d070e090a26e07c67421ae36c903b5d649
    itsouvalas committed Apr 24, 2026
    61f65b8
  11. Update Font Awesome to 6.7.2 free

    Previous vendored copy was 5.3.1 (2018).  6.x is
    the current major line; 6.7.2 is the latest free
    release.
    
    Runtime usage is narrow: two brand icons only
    (fab fa-apple, fab fa-linux) for the CLI download
    buttons in index.html.  Both icons exist unchanged
    in FA6 Free; old class names (fab, fas, far) still
    map to the new font-families via the css, so no
    markup changes needed.
    
    Bundle pulled from use.fontawesome.com, sha
    cross-checked against github.com/FortAwesome:
    
      sha256 ecdaaa6d347cd7da82c66054770995e97f3d066a57e8d58ac9c517f0f77561fb
    
    Layout mirrors the prior vendoring (css, js,
    metadata, sprites, svgs, webfonts) -- upstream's
    less and scss source dirs are omitted to match
    the existing tree.
    
    Diff is large (~2500 paths touched: added, removed,
    byte-different webfonts) but content-neutral for
    the two icons actually rendered.
    itsouvalas committed Apr 24, 2026
    93c1bad
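The three front-end commits above (jQuery, showdown, Font Awesome) each record a SHA-256 that the vendored file was checked against, with one hash cross-checked between two mirrors. The script below is an added example of how that check can be scripted and re-run, and of how the same hex digest converts into the base64 `sha256-…` token that a `<script integrity="…">` attribute expects. It is not code from the shieldproject/shield repository; the file content and the digest it is compared against are constructed for the example (the digest is that of the bytes `abc`), not the hashes quoted in the commit messages, and it assumes `sha256sum` or `shasum` and `base64` are on the PATH.

```shell
#!/bin/sh
# Added example, not part of shieldproject/shield.  Verifies a vendored
# asset against a published SHA-256 and derives the Subresource Integrity
# token for the same digest.

# Hex SHA-256 of a file, using whichever coreutils/perl tool is present.
sha256_hex() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Return 0 if the file's digest equals the expected hex, 1 otherwise.
# Whitespace and case are normalised first, so a hash that was wrapped
# across two lines (as in a commit message) still compares cleanly.
verify_sha256() {
  expected=$(printf '%s' "$2" | tr -d ' \n\t' | tr 'A-F' 'a-f')
  actual=$(sha256_hex "$1")
  [ "$actual" = "$expected" ]
}

# Convert a hex digest to base64 with only POSIX sh and printf: each byte
# becomes an octal escape, the escapes are emitted as raw bytes, and the
# raw digest is base64-encoded.
hex_to_base64() {
  hex=$1
  fmt=''
  while [ -n "$hex" ]; do
    byte=$(printf '%.2s' "$hex")
    hex=${hex#??}
    fmt="$fmt\\$(printf '%03o' "$((0x$byte))")"
  done
  printf "$fmt" | base64 | tr -d '\n'
}

# The value to place in <script src=... integrity="sha256-...">.
sri_token() {
  printf 'sha256-%s' "$(hex_to_base64 "$(sha256_hex "$1")")"
}

# Stand-alone demo on a constructed file whose SHA-256 is well known.
tmp=$(mktemp)
printf 'abc' > "$tmp"   # constructed sample content
EXPECTED=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
if verify_sha256 "$tmp" "$EXPECTED"; then
  echo "digest OK; integrity attribute: $(sri_token "$tmp")"
else
  echo "digest MISMATCH for $tmp, refusing to vendor" >&2
fi
rm -f "$tmp"
```

Cross-checking against a second mirror, as the showdown and Font Awesome commits do, is the same call with the hex published by the other source; a browser-side `integrity` attribute then makes the check permanent rather than a one-off at vendoring time.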

Commits on Apr 27, 2026

  1. Update filippo.io/edwards25519 to v1.2.0

    Closes a Snyk advisory (CVSS 6.3) for improper
    initialization in MultiScalarMult.  Indirect dep,
    pulled in by go-sql-driver/mysql v1.9 for MariaDB
    ed25519 auth.  Not exercised by SHIELD's own code
    path, but bumped to clear the alert.
    itsouvalas committed Apr 27, 2026
    36616d2