fix(security): patch Docker Scout CVEs and remove unused openssh-client (#41)

## Summary

- Upgrade `golang.org/x/net` v0.54.0 → v0.55.0 — patches 6 CVEs including critical CVE-2026-41589 (CVSS 9.6)
- Remove `openssh-client` from Docker image — unused (uptop uses pure Go SSH), eliminates 4 CVEs
- Add `apk upgrade` to Dockerfile for remaining Alpine package CVEs

## CVEs Resolved

| CVE | Severity | Package | Fix |
|-----|----------|---------|-----|
| CVE-2026-41589 | 9.6 Critical | golang.org/x/net | upgraded to v0.55.0 |
| CVE-2025-60876 | 6.5 Medium | golang.org/x/net | upgraded to v0.55.0 |
| CVE-2026-42502 | 6.1 Medium | golang.org/x/net | upgraded to v0.55.0 |
| CVE-2026-42506 | 6.1 Medium | golang.org/x/net | upgraded to v0.55.0 |
| CVE-2026-25681 | 6.1 Medium | golang.org/x/net | upgraded to v0.55.0 |
| CVE-2026-35414 | 6.1 Medium | golang.org/x/net | upgraded to v0.55.0 |
| CVE-2026-25680 | 7.5 High | alpine/openssh | removed openssh-client |
| CVE-2026-35386 | 3.6 Low | alpine/openssh | removed openssh-client |
| CVE-2026-35387 | 3.1 Low | alpine/openssh | removed openssh-client |
| CVE-2026-35388 | 2.5 Low | alpine/openssh | removed openssh-client |
| CVE-2026-27136 | 6.5 Medium | alpine/busybox | apk upgrade |

## Not Addressed (not exploitable)

CVE-2026-35385 (charmbracelet/wish v1.4.7, CVSS 9.6) — path traversal in wish's SCP middleware. uptop does not use the SCP middleware, only wish core + bubbletea middleware. Vulnerable code path is never loaded. Migration to wish v2 tracked in #42.

## Test Plan

- [x] `go build ./...` passes
- [x] `go test ./...` passes
- [ ] Rebuild Docker image, re-scan with Docker Scout

Reviewed-on: #41

go.mod

@@ -53,7 +53,7 @@ require (
 	golang.org/x/crypto v0.52.0 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
 	golang.org/x/mod v0.35.0 // indirect
-	golang.org/x/net v0.54.0 // indirect
+	golang.org/x/net v0.55.0 // indirect
 	golang.org/x/sync v0.20.0 // indirect
 	golang.org/x/sys v0.45.0 // indirect
 	golang.org/x/text v0.37.0 // indirect