🛡 fix(security): resolve critical CVEs via multi-stage build and OS upgrade

This commit addresses high-severity vulnerabilities detected by Docker Scout in both the Lyrebird binary and the Alpine base image.

Changes:
- Lyrebird: Implemented a multi-stage build using golang:1.24-alpine. This compiles Lyrebird from source to resolve "baked-in" Go runtime and dependency vulnerabilities (stdlib, crypto, pion) found in the upstream Alpine package.
- Base OS: Added apk upgrade --no-cache to force the installation of the latest system libraries, patching active CVEs in musl and openssl.

Resolves: CVE-2025-9230 (openssl), CVE-2025-26519 (musl), and multiple Go runtime CVEs.

Dockerfile

@@ -41,8 +41,9 @@ LABEL maintainer="rE-Bo0t.bx1 <r3bo0tbx1@brokenbotnet.com>" \
 
 SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
 
-# Note: 'lyrebird' removed from apk add, we copy it from builder instead
+# Note: 'lyrebird' removed from apk add, copying it from builder instead
 RUN set -eux \
+ && apk upgrade --no-cache
  && apk add --no-cache \
     tor \
     tini \

Dockerfile.edge

@@ -46,8 +46,9 @@ LABEL maintainer="rE-Bo0t.bx1 <r3bo0tbx1@brokenbotnet.com>" \
 
 SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
 
-# NOTE: 'lyrebird' removed from apk add list (we copy it from builder)
+# NOTE: 'lyrebird' removed from apk add list (copying it from builder instead)
 RUN set -eux \
+ && apk upgrade --no-cache
  && apk add --no-cache \
     tor \
     tini \