Add Docker container discovery

[Spadav]

Summary

Add optional Docker container discovery behind --docker.

tsp previously only discovered host listeners from lsof/netstat, so containers without a visible host process could be
missed or shown as generic Docker proxy listeners. This change adds Docker as a second discovery source by reading the local
Docker API over /var/run/docker.sock.

Docker discovery:

• calls GET /containers/json
• uses published host ports when available
• falls back to the container IP + private port for exposed ports without host bindings
• names routes from the container name
• deduplicates by port with host lsof listeners taking priority

The feature is wired through:

• start --docker
• list --docker
• status --docker
• doctor --docker
• configure --docker
• embedded/controller options

Safety / Risk

This is opt-in and read-only. It only sends Docker API GET requests and does not create, modify, stop, or remove containers.

The main operational caveat is that the user running tsp must have permission to access /var/run/docker.sock. Docker socket
access is privileged in general, so users should only enable this on machines where they already trust the local user/session.

Testing

• go test ./...
• go vet ./...
• Smoke-tested tsp list --docker --all --ports 3000-9000 against local running Docker containers

[vercel]

@Spadav is attempting to deploy a commit to the Mohamed Meabed's projects Team on Vercel.

A member of the Team first needs to authorize it.