
Rebuild ws-daemon runtime tools for CVE fixes #21498

Merged
geropl merged 1 commit into main from ona/phase-3-ws-daemon-critical-cve-remediation on Jun 22, 2026

Conversation

@geropl geropl commented Jun 22, 2026


Summary

Implements Phase 3 of the CLC-2255 critical CVE remediation plan for components/ws-daemon:docker:

  • Rebuilds runc from the existing v1.2.9 source line with golang.org/x/net@v0.55.0 and the current Go toolchain.
  • Rebuilds Git LFS v3.7.1 from source with golang.org/x/crypto@v0.52.0 and golang.org/x/net@v0.55.0.
  • Removes the Ubuntu git-lfs package install so /usr/bin/git-lfs comes from the rebuilt binary.
  • Keeps the Ubuntu apt dist-upgrade path intact.
  • Adds comments explaining why these are local rebuilds rather than upstream/distro artifacts, and when we should switch back.

Issues

Fixes CLC-2255

Validation

  • git diff --check
  • leeway build components/ws-daemon:docker --dont-test -Dversion=dev -DimageRepoBase=localhost:5000/gitpod
  • leeway sbom scan components/ws-daemon:docker --output-dir /tmp/ws-daemon-phase3-scan -Dversion=dev -DimageRepoBase=localhost:5000/gitpod
    • components/ws-daemon:docker: critical=0 high=45 ignored=0
  • leeway sbom scan components/ws-daemon:docker --with-dependencies --output-dir /tmp/ws-daemon-phase3-with-deps-scan -Dversion=dev -DimageRepoBase=localhost:5000/gitpod
    • components/ws-daemon:docker: critical=0 high=45 ignored=0
    • components/ws-daemon:app: critical=0 high=27 ignored=0
    • components/ws-daemon:content-initializer: critical=0 high=26 ignored=0
    • components/ws-daemon/nsinsider:app: critical=0 high=8 ignored=0
    • all remaining scanned deps: critical=0
  • Image smoke checks:
    • /usr/bin/git-lfs version reports git-lfs/3.7.1 (GitHub; linux amd64; go 1.25.11; git gitpod-rebuild)
    • /usr/bin/runc --version reports runc version 1.2.9, spec: 1.2.0, go: go1.25.11
    • git --version reports git version 2.54.0
    • /app/content-initializer --help and /app/nsinsider --help start successfully

Co-authored-by: Codex <noreply@openai.com>
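An added example, not part of this PR or the Gitpod code base: a small POSIX shell gate that turns the validation steps listed in the description into checks a CI job can fail on. It parses scan summary lines and refuses any component with a non-zero critical count, and it matches the reported tool version strings. The summary-line format `<component>: critical=N high=N ignored=N` is assumed from how the description reports results, not taken from leeway's documented output; the `docker run --entrypoint` invocation and the image reference are also assumptions. The binary paths and expected version strings are the ones the description lists, and the sample scan lines at the end are constructed, including one deliberately failing component to show the gate tripping.

```shell
#!/bin/sh
# Added example (not from the PR): post-build gate for a CVE remediation image.
# 1) check_version: does a tool's version output contain the expected token?
# 2) gate_critical: read scan summary lines from stdin, fail on critical > 0.
# 3) smoke_image: run the version checks against a built image (needs docker).

# check_version OUTPUT EXPECTED
#   OUTPUT:   text printed by e.g. `git-lfs version`
#   EXPECTED: substring that must appear, e.g. "git-lfs/3.7.1"
# Returns 0 when EXPECTED is found in OUTPUT, 1 otherwise.
check_version() {
  case "$1" in
    *"$2"*) return 0 ;;
    *)      return 1 ;;
  esac
}

# gate_critical < summary-lines
# Assumed line shape (from the PR description, not a documented format):
#   components/ws-daemon:docker: critical=0 high=45 ignored=0
# Lines without "critical=" are ignored. Prints one "FAIL <component>" line per
# offending component and returns 1 if any component has critical > 0 or an
# unparseable count; returns 0 when every parsed line reports critical=0.
gate_critical() {
  fails=0
  while IFS= read -r line; do
    case "$line" in
      *"critical="*) ;;
      *) continue ;;
    esac
    comp=${line%%: critical=*}     # text before ": critical="
    rest=${line#*critical=}        # "0 high=45 ignored=0"
    crit=${rest%% *}               # first token after "critical="
    case "$crit" in
      ''|*[!0-9]*)
        echo "FAIL $comp: unparseable critical count in: $line" >&2
        fails=$((fails + 1))
        continue ;;
    esac
    if [ "$crit" -gt 0 ]; then
      echo "FAIL $comp critical=$crit"
      fails=$((fails + 1))
    fi
  done
  [ "$fails" -eq 0 ]
}

# smoke_image IMAGE
#   Runs the three version checks from the PR description inside IMAGE.
#   The docker invocation is an assumption; adapt --entrypoint/paths as needed.
smoke_image() {
  img=$1
  check_version "$(docker run --rm --entrypoint /usr/bin/git-lfs "$img" version)" \
    "git-lfs/3.7.1" || { echo "FAIL git-lfs version"; return 1; }
  check_version "$(docker run --rm --entrypoint /usr/bin/runc "$img" --version)" \
    "runc version 1.2.9" || { echo "FAIL runc version"; return 1; }
  check_version "$(docker run --rm --entrypoint git "$img" --version)" \
    "git version 2.54.0" || { echo "FAIL git version"; return 1; }
  echo "OK smoke checks passed for $img"
}

# Constructed sample scan summary (not real scanner output). The first two
# lines copy the shape reported in the PR; the third is a made-up failing
# component so the gate has something to reject.
SAMPLE_SCAN='components/ws-daemon:docker: critical=0 high=45 ignored=0
components/ws-daemon:app: critical=0 high=27 ignored=0
components/example:constructed-old: critical=2 high=9 ignored=0'

# Usage when run directly:
#   sh gate.sh                       -> runs the gate over SAMPLE_SCAN (fails on purpose)
#   sh gate.sh IMAGE_REF             -> additionally runs smoke_image against IMAGE_REF
if [ "${0##*/}" = "gate.sh" ]; then
  printf '%s\n' "$SAMPLE_SCAN" | gate_critical
  echo "gate over constructed sample exited with $?"
  [ -n "$1" ] && smoke_image "$1"
fi
```

In a real pipeline the `leeway sbom scan` output (or its JSON report) would be fed to `gate_critical` instead of the constructed sample, and `smoke_image` would receive the image built by `leeway build components/ws-daemon:docker`; the version tokens are what the description says the rebuilt image reports, so bump them whenever the pinned runc, Git LFS or git versions change.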
@geropl geropl requested a review from a team as a code owner June 22, 2026 13:34
@geropl geropl enabled auto-merge (squash) June 22, 2026 14:33
@geropl geropl merged commit d3d7ab0 into main Jun 22, 2026
15 checks passed
@geropl geropl deleted the ona/phase-3-ws-daemon-critical-cve-remediation branch June 22, 2026 14:35
@geropl geropl deployed to branch-build June 22, 2026 14:59 — with GitHub Actions Active