refactor: consolidate runtime-provider-docker and runtime-provider-kata into runtime-provider-container #415

@jafreck

Summary

Merge packages/runtime-provider-docker and packages/runtime-provider-kata into a single packages/runtime-provider-container package. The two packages are nearly identical — both shell out to a Docker-compatible CLI (docker or nerdctl) with the same subcommands (run, exec, stop, rm). The only meaningful difference is the --runtime flag (runc vs io.containerd.kata.v2).

Motivation

  • Code duplication: DockerKataAdapter, NerdctlKataAdapter, DockerProvider, and DockerSession all build the same CLI args and handle the same lifecycle. The kata adapters are copy-paste of the docker provider with one extra flag.
  • Conceptual overlap: Kata Containers is not a different container engine — it's an OCI runtime that plugs into Docker/containerd. The isolation level (namespace vs VM) is a runtime property, not a provider distinction.
  • Simpler config: Users shouldn't need to choose between provider: "docker" and provider: "kata" when the only real knob is which OCI runtime to use.

Proposed Design

Single provider with configurable runtime and CLI

export interface ContainerProviderOptions {
  image: string;
  /** CLI binary: 'docker' | 'nerdctl' (default: 'docker') */
  cli?: 'docker' | 'nerdctl';
  /** OCI runtime: 'runc' (default), 'io.containerd.kata.v2', etc. */
  runtime?: string;
  worktreePath?: string;
  runner?: ContainerRunner;
  hostEnv?: Record<string, string | undefined>;
}

Config schema

{
  "isolation": {
    "provider": "container",
    "containerOptions": {
      "cli": "docker",           // or "nerdctl"
      "runtime": "io.containerd.kata.v2",  // optional, defaults to runc
      "image": "alpine:3"
    }
  }
}

Migration path

  • Keep provider: "docker" and provider: "kata" as aliases in the provider-loader for backwards compatibility, mapping to container with the appropriate defaults.
  • Deprecate the old provider names with a warning.

Work Items

  1. Create packages/runtime-provider-container/ with merged source
  2. Unify DockerSession + KataSession hardening (destroyed guard, exec options, timeout) into one ContainerSession
  3. Merge policy translation — Kata's translatePolicy adds --runtime and capability checks; Docker's skips --runtime
  4. Single healthCheck() implementation
  5. Update provider-loader.ts to register container provider with aliases
  6. Update config schema — add containerOptions, deprecate dockerOptions / kata
  7. Migrate all existing tests
  8. Remove packages/runtime-provider-docker/ and packages/runtime-provider-kata/
  9. Update docs

Constraints

  • Backwards-compatible config: existing provider: "docker" and provider: "kata" must continue to work (with deprecation warning)
  • No behavior changes — all existing unit tests should pass after migration
  • E2E test gating unchanged (CADRE_E2E_DOCKER, CADRE_E2E_KATA)
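
Added example, not part of the original issue or the project's code: a TypeScript sketch of the alias mapping from the migration path combined with the single `--runtime` knob from the proposed design. The names `resolveIsolation`, `buildRunArgs` and `LEGACY_RUNTIME`, the shape of the returned object, and the runtime-name check are assumptions made for illustration.

```typescript
// Added illustration, not project code. resolveIsolation, buildRunArgs and
// LEGACY_RUNTIME are hypothetical names.
type Cli = 'docker' | 'nerdctl';
interface ContainerOptions { image: string; cli?: Cli; runtime?: string }
interface IsolationConfig { provider: string; containerOptions: ContainerOptions }
interface Resolved { cli: Cli; image: string; runtime: string | undefined; warnings: string[] }

// Legacy provider name -> OCI runtime it implied (undefined = engine default, runc).
const LEGACY_RUNTIME = new Map<string, string | undefined>([
  ['docker', undefined],
  ['kata', 'io.containerd.kata.v2'],
]);

// The runtime name becomes a CLI argument: restrict the character set and
// forbid a leading '-' so it cannot be parsed as another flag (assumed check).
const RUNTIME_NAME = /^[A-Za-z0-9][A-Za-z0-9._-]*$/;

function resolveIsolation(cfg: IsolationConfig): Resolved {
  const warnings: string[] = [];
  const { image, cli = 'docker' } = cfg.containerOptions;
  let runtime = cfg.containerOptions.runtime;
  if (LEGACY_RUNTIME.has(cfg.provider)) {
    // Old names keep working but are reported as deprecated.
    warnings.push(`provider "${cfg.provider}" is deprecated; use "container"`);
    runtime = runtime ?? LEGACY_RUNTIME.get(cfg.provider);
  } else if (cfg.provider !== 'container') {
    throw new Error(`unknown provider: ${cfg.provider}`);
  }
  // Config arrives as JSON, so re-check values the type system cannot enforce.
  if (cli !== 'docker' && cli !== 'nerdctl') {
    throw new Error(`unsupported cli: ${String(cli)}`);
  }
  if (runtime !== undefined && !RUNTIME_NAME.test(runtime)) {
    throw new Error(`invalid OCI runtime name: ${runtime}`);
  }
  return { cli, image, runtime, warnings };
}

// Emit --runtime only when one is set, so the legacy "docker" path still
// passes no --runtime flag and the "kata" path always does.
function buildRunArgs(r: Resolved): string[] {
  return [r.cli, 'run', ...(r.runtime ? ['--runtime', r.runtime] : []), r.image];
}
```

Because the isolation level now rides on a free-form string, the resolved runtime is worth logging at session start so a config that silently falls back to `runc` is visible.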
