fix: upgrade packages in agent container to mitigate CVE-2023-44487 (#760)

Add an apt-get upgrade step after the main package installation in the
agent Dockerfile. This ensures all base image packages (including
Node.js) receive the latest security patches, addressing the HTTP/2
Rapid Reset Attack vulnerability (CVE-2023-44487) and other known CVEs.

While this CVE primarily affects HTTP/2 server implementations and the
agent container acts as a client, upgrading packages is the most robust
defense-in-depth approach.

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: Mossaka

containers/agent/Dockerfile

@@ -33,6 +33,10 @@ RUN set -eux; \
     fi && \
     rm -rf /var/lib/apt/lists/*
 
+# Upgrade all packages to pick up security patches
+# Addresses CVE-2023-44487 (HTTP/2 Rapid Reset) and other known vulnerabilities
+RUN apt-get update && apt-get upgrade -y && rm -rf /var/lib/apt/lists/*
+
 # Create non-root user with UID/GID matching host user
 # This allows the user command to run with appropriate permissions
 # and prevents file ownership issues with mounted volumes