feat(docker): apply/prune/down + socle action_requests (tâche 2 SJ-6)

- migration 0005 : tables docker_image_events + action_requests
- templates apply-compose (up -d --remove-orphans), prune-images (safe/agressif),
  down-compose (sans volumes/rmi)
- dockerApply: parsers TDD (apply recreated/running/exited, prune images+bytes,
  down removed, parseHumanBytes) + orchestration applyStack/pruneImages/downStack
  réservée aux stacks enabled, insère docker_image_events
- actionRequests: create/approve/reject/list — actions destructives validées
  explicitement (Hermes propose, opérateur approuve, run en arrière-plan) ;
  hors API directe (POST /:id/actions reste passif uniquement)
- routes /machines/:id/action-requests + /action-requests/:id[/approve|/reject]
- execute: RunActionOpts.aggressive, branches apply/prune/down, helper
  archiveExecution mutualisant le boilerplate d'archivage

tsc 0 erreur · 91 tests · build OK · boot OK (migrations 0000→0005).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

templates/docker/apply-compose.sh.tpl

@@ -0,0 +1,13 @@
+#!/bin/sh
+export LC_ALL=C
+cd "<%stackDir%>" || { echo "===SU:DOCKER_ERR==="; echo "compose_not_found"; echo "===SU:EXIT=2==="; exit 2; }
+echo "===SU:DOCKER_APPLY==="
+docker compose up -d --remove-orphans 2>&1
+CODE=$?
+echo "===SU:DOCKER_PS_AFTER==="
+docker compose ps --format json 2>&1
+echo "===SU:DOCKER_INSPECT_AFTER==="
+docker compose config --images 2>/dev/null | while IFS= read -r img; do
+  docker image inspect "$img" --format 'IMG\t{{.Id}}\t{{join .RepoDigests ","}}' 2>/dev/null || echo "IMG_MISSING\t$img"
+done
+echo "===SU:EXIT=${CODE}==="

templates/docker/down-compose.sh.tpl

@@ -0,0 +1,8 @@
+#!/bin/sh
+export LC_ALL=C
+cd "<%stackDir%>" || { echo "===SU:DOCKER_ERR==="; echo "compose_not_found"; echo "===SU:EXIT=2==="; exit 2; }
+echo "===SU:DOCKER_DOWN==="
+# --volumes et --rmi INTERDITS au MVP : down simple uniquement (préserve les volumes).
+docker compose down 2>&1
+CODE=$?
+echo "===SU:EXIT=${CODE}==="

templates/docker/prune-images.sh.tpl

@@ -0,0 +1,13 @@
+#!/bin/sh
+export LC_ALL=C
+echo "===SU:DOCKER_PRUNE==="
+<%#aggressive%>
+# Mode agressif : supprime TOUTES les images non référencées (>168h). Validation UI distincte.
+docker image prune -a -f --filter "until=168h" 2>&1
+<%/aggressive%>
+<%^aggressive%>
+# Mode sûr par défaut : images dangling uniquement.
+docker image prune -f 2>&1
+<%/aggressive%>
+CODE=$?
+echo "===SU:EXIT=${CODE}==="