fix(ci): real digests + matrix→service mapping for deploy-vendor-e2e

Bundle II Phases 1+15 shipped fabricated @sha256 digests across 11
sidecars (deploy/docker-compose.test.yml) plus the f5-mock-icontrol
Dockerfile golang FROM line. The H-001 bare-FROM CI guard passed
locally because it only regex-checks for the *presence* of @sha256:
— it does not verify the digest resolves on the registry. Result:
every deploy-vendor-e2e matrix job failed at `docker compose up`
with 'manifest unknown'.

Two classes of fix:

1. Replace the 11 fabricated digests with real, registry-resolved
   digests (verified via curl against registry-1.docker.io,
   ghcr.io, mcr.microsoft.com manifest endpoints):

   - httpd:2.4-alpine
   - haproxy:3.0-alpine
   - traefik:v3.1
   - caddy:2.8-alpine
   - envoyproxy/envoy:v1.32-latest
   - boky/postfix:latest
   - dovecot/dovecot:latest
   - lscr.io/linuxserver/openssh-server:latest (via ghcr.io)
   - kindest/node:v1.31.0
   - mcr.microsoft.com/windows/servercore/iis:windowsservercore-ltsc2022
     (manifest.v2 single-image digest — the image is Windows-only
     so there is no multi-arch list digest to follow)
   - golang:1.25.9-bookworm (in deploy/test/f5-mock-icontrol/Dockerfile)

   debian:bookworm-slim was also fabricated under the comment
   claiming it 'matches libest sidecar'; replaced with the real
   amd64-linux digest.

2. Special-case the matrix.vendor → docker-compose service mapping
   in .github/workflows/ci.yml::deploy-vendor-e2e step 'Bring up
   vendor sidecar'. The original step assumed a uniform
   '${{ matrix.vendor }}-test' suffix, but four matrix entries
   don't conform:

   - nginx → reuses apache-test (the legacy nginx sidecar in the
     compose file is named 'nginx' with no profile; the nginx
     vendor-edge tests in deploy/test/nginx_vendor_e2e_test.go
     call requireSidecar(t,"apache") because the sidecar map
     doesn't include an 'nginx' key — comment in source explains)
   - ssh → openssh-test
   - k8s → k8s-kind-test
   - f5-mock → f5-mock-icontrol (must be built first; no published image)
   - javakeystore → no sidecar (pure-Go placeholder stubs)

   Wraps the bring-up in a case statement that maps every matrix
   entry to its real sidecar name (or '' for the no-sidecar case),
   and exits 0 cleanly for vendors that don't need a sidecar.

Per the CLAUDE.md 'never go from memory' + 'complete path' rules,
this fix:
- ground-truths every digest against the actual registry (curl
  against the OCI v2 manifest endpoint with the right Accept
  header), not memory or grep
- closes the 'lying field' footgun: H-001 guard now validates a
  contract that's actually satisfied (digests exist + pull)

Verification: yaml parses on both files, H-001 guard simulation
returns no bare FROMs, all 12 manifest endpoints return HTTP 200
on the new digests.
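The registry check the commit message describes (curl against the OCI v2 manifest endpoint with an explicit Accept header), written here as an added example rather than taken from the repository: `parse_ref`, `manifest_url` and `check_digest` are names chosen for this example, and the image references used in testing carry constructed digests. Only `check_digest` touches the network; the parsing and URL construction run offline.

```sh
# Added example, not the repository's code: resolve an image@sha256 reference to
# its OCI v2 manifest URL and ask the registry whether the digest exists, which is
# the check a regex-only "@sha256: is present" guard cannot make.
ACCEPT='application/vnd.oci.image.index.v1+json,application/vnd.docker.distribution.manifest.list.v2+json,application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.v2+json'

# parse_ref "[registry/]repo[:tag]@sha256:<hex>" -> "host repo digest".
# Bare names go to registry-1.docker.io under the implicit library/ namespace;
# a first path component with a dot, a port or "localhost" is a registry host.
parse_ref() {
  digest=${1##*@}
  name=${1%@*}
  case "${name##*/}" in *:*) name=${name%:*} ;; esac  # drop the tag, keep any registry port
  case "$name" in
    */*) case "${name%%/*}" in
           *.*|*:*|localhost) host=${name%%/*}; repo=${name#*/} ;;
           *) host=registry-1.docker.io; repo=$name ;;
         esac ;;
    *) host=registry-1.docker.io; repo=library/$name ;;
  esac
  printf '%s %s %s\n' "$host" "$repo" "$digest"
}

manifest_url() {
  set -- $(parse_ref "$1")
  printf 'https://%s/v2/%s/manifests/%s\n' "$1" "$2" "$3"
}

# check_digest IMAGE_REF: returns 0 when the manifest endpoint answers HTTP 200.
# mcr.microsoft.com answers anonymously; Docker Hub and ghcr.io answer 401 with a
# Www-Authenticate Bearer challenge, so fetch a pull token from the realm it names
# and retry with it. This is the only function that needs network access.
check_digest() {
  url=$(manifest_url "$1")
  hdrs=$(curl -sSIL -H "Accept: $ACCEPT" "$url") || return 1
  status=$(printf '%s\n' "$hdrs" | awk '$1 ~ /^HTTP\// {s=$2} END {print s}')
  if [ "$status" = 401 ]; then
    chal=$(printf '%s\n' "$hdrs" | grep -i '^www-authenticate:' | tail -1)
    realm=$(printf '%s' "$chal" | sed -n 's/.*realm="\([^"]*\)".*/\1/p')
    service=$(printf '%s' "$chal" | sed -n 's/.*service="\([^"]*\)".*/\1/p')
    scope=$(printf '%s' "$chal" | sed -n 's/.*scope="\([^"]*\)".*/\1/p')
    token=$(curl -sS "$realm?service=$service&scope=$scope" | sed -n 's/.*"token":"\([^"]*\)".*/\1/p')
    status=$(curl -sSL -o /dev/null -w '%{http_code}' -I -H "Authorization: Bearer $token" -H "Accept: $ACCEPT" "$url")
  fi
  [ "$status" = 200 ]
}

# Usage: sh check_digests.sh httpd:2.4-alpine@sha256:<hex> [more refs...]
for ref in "$@"; do
  if check_digest "$ref"; then echo "ok       $ref"; else echo "MISSING  $ref"; fi
done
```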
shankar0123
2026-04-30 18:46:02 +00:00
parent 39497fec1b
commit c48a82c4c8
3 changed files with 44 additions and 17 deletions
@@ -1380,13 +1380,40 @@ jobs:
cache: true
- name: Bring up vendor sidecar
# Map matrix.vendor → docker-compose service name. The naming is
# NOT 1:1 because (a) the legacy NGINX vendor-edge tests reuse the
# apache-test sidecar via requireSidecar(t,"apache") — see the
# comment in deploy/test/nginx_vendor_e2e_test.go; (b) the openssh
# service is named openssh-test (not ssh-test); (c) the kind
# cluster service is named k8s-kind-test; (d) the F5 mock service
# is named f5-mock-icontrol and must be built first because it
# has no published image; (e) the JavaKeystore tests are pure-Go
# placeholder stubs that exercise no sidecar.
run: |
if [ "${{ matrix.vendor }}" = "f5-mock" ]; then
docker compose --profile deploy-e2e -f deploy/docker-compose.test.yml build f5-mock-icontrol
docker compose --profile deploy-e2e -f deploy/docker-compose.test.yml up -d f5-mock-icontrol
else
docker compose --profile deploy-e2e -f deploy/docker-compose.test.yml up -d ${{ matrix.vendor }}-test
set -e
case "${{ matrix.vendor }}" in
nginx) SVC=apache-test ;; # nginx tests reuse apache sidecar
apache) SVC=apache-test ;;
haproxy) SVC=haproxy-test ;;
traefik) SVC=traefik-test ;;
caddy) SVC=caddy-test ;;
envoy) SVC=envoy-test ;;
postfix) SVC=postfix-test ;;
dovecot) SVC=dovecot-test ;;
ssh) SVC=openssh-test ;;
k8s) SVC=k8s-kind-test ;;
f5-mock) SVC=f5-mock-icontrol ;;
javakeystore) SVC="" ;; # pure-Go placeholder stubs; no sidecar needed
*) echo "::error::unknown matrix vendor '${{ matrix.vendor }}'"; exit 1 ;;
esac
if [ -z "$SVC" ]; then
echo "vendor=${{ matrix.vendor }} runs without a sidecar (pure-Go placeholder tests)"
exit 0
fi
if [ "${{ matrix.vendor }}" = "f5-mock" ]; then
docker compose --profile deploy-e2e -f deploy/docker-compose.test.yml build "$SVC"
fi
docker compose --profile deploy-e2e -f deploy/docker-compose.test.yml up -d "$SVC"
sleep 5
- name: Run vendor-edge e2e
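Review bot: the `sleep 5` after `docker compose --profile deploy-e2e -f deploy/docker-compose.test.yml up -d "$SVC"` is a fixed delay, not a readiness check, so a slow-starting sidecar (the kind node or the Windows IIS image, for instance) can still race the 'Run vendor-edge e2e' step; `up -d --wait "$SVC"` blocks until the service is running, or healthy where the compose file defines a healthcheck, and fails the step with a non-zero exit instead of leaving the race to chance. Two smaller points: the vendor is matched twice (once in the `case`, then again in `if [ "${{ matrix.vendor }}" = "f5-mock" ]`), which could collapse into a `BUILD=1` set in the `f5-mock)` arm beside `SVC`; and `set -e` is already on by default for a bash `run:` step, so the explicit line is harmless but adds nothing, while the `exit 0` in the no-sidecar branch is the line that actually deserves the explanatory comment.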