Fix Docker build: manual NodeSource setup + retry loops on all apt-get updates

The previous fix wasn't enough: the NodeSource setup_22.x script runs its
own internal `apt-get update` without retries. When that hit the Ubuntu
mirror-sync issue (stale Packages.gz with mismatched hash), the script
silently bailed without configuring the NodeSource repo. The next
`apt-get install -y nodejs` then installed Ubuntu's default nodejs 18,
which ships without npm, breaking the `npm install -g pnpm` step.

Changes:
- Replace the `curl ... | bash -` NodeSource setup with manual GPG key +
  repo file configuration, giving us direct control over apt-get update
  retries.
- Add the same 5-attempt retry loop (with 10s sleep and lists cleanup)
  to the Python 3 and Docker CLI steps, since both also do an
  apt-get update and would hit the same failure mode.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

container/Dockerfile

@@ -58,13 +58,32 @@ RUN curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg \
     && rm -rf /var/lib/apt/lists/*
 
 # ── Node.js LTS (22.x) + pnpm ───────────────────────────────────────────────
-RUN curl -fsSL https://deb.nodesource.com/setup_22.x | bash - \
+# Configure NodeSource repo manually (not via their setup_22.x script, which
+# runs an internal apt-get update without retries and silently falls through
+# to Ubuntu's default nodejs 18 — missing npm — on mirror-sync failures).
+RUN curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key \
+    | gpg --dearmor -o /usr/share/keyrings/nodesource.gpg \
+    && chmod a+r /usr/share/keyrings/nodesource.gpg \
+    && echo "deb [signed-by=/usr/share/keyrings/nodesource.gpg] https://deb.nodesource.com/node_22.x nodistro main" \
+    > /etc/apt/sources.list.d/nodesource.list \
+    && for i in 1 2 3 4 5; do \
+        apt-get -o Acquire::Retries=3 update && break; \
+        echo "apt-get update failed (attempt $i), retrying in 10s..."; \
+        rm -rf /var/lib/apt/lists/*; \
+        sleep 10; \
+    done \
     && apt-get install -y nodejs \
     && rm -rf /var/lib/apt/lists/* \
     && npm install -g pnpm
 
 # ── Python 3 + pip + uv + ruff ──────────────────────────────────────────────
-RUN apt-get -o Acquire::Retries=3 update && apt-get install -y --no-install-recommends \
+RUN for i in 1 2 3 4 5; do \
+        apt-get -o Acquire::Retries=3 update && break; \
+        echo "apt-get update failed (attempt $i), retrying in 10s..."; \
+        rm -rf /var/lib/apt/lists/*; \
+        sleep 10; \
+    done \
+    && apt-get install -y --no-install-recommends \
     python3 \
     python3-pip \
     python3-venv \
@@ -77,7 +96,13 @@ RUN install -m 0755 -d /etc/apt/keyrings \
     && chmod a+r /etc/apt/keyrings/docker.gpg \
     && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(. /etc/os-release && echo "$VERSION_CODENAME") stable" \
     > /etc/apt/sources.list.d/docker.list \
-    && apt-get -o Acquire::Retries=3 update && apt-get install -y docker-ce-cli \
+    && for i in 1 2 3 4 5; do \
+        apt-get -o Acquire::Retries=3 update && break; \
+        echo "apt-get update failed (attempt $i), retrying in 10s..."; \
+        rm -rf /var/lib/apt/lists/*; \
+        sleep 10; \
+    done \
+    && apt-get install -y docker-ce-cli \
     && rm -rf /var/lib/apt/lists/*
 
 # ── AWS CLI v2 ───────────────────────────────────────────────────────────────