Fix gosec lint failures: G115, G706, G703

[Copilot]

make verify was failing due to 5 gosec violations across three files. Fixes suppress legitimate false positives (trusted env vars, fd-to-int casts) and refactors log calls to use structured fields instead of interpolated messages.

Changes

• G115 (profiles.go): Suppress integer overflow warning on int(os.Stdout.Fd()) — fd values are always safe to cast to int
• G706 (profiles.go, docker/run.go, podman/run.go): Replace slog.Debug(fmt.Sprintf("exec: %s", bin), ...) with structured slog.Debug("exec", "binary", bin, ...) to avoid tainted data in the log message; suppress remaining instance where xauthority env var appears as a log field
• G703 (profiles.go): Suppress path traversal warning on os.Open(xauthority) — path is sourced from the user's own $XAUTHORITY env var

// Before
slog.Debug(fmt.Sprintf("exec: %s", runnerBinary), "args", args)

// After
slog.Debug("exec", "binary", runnerBinary, "args", args) //nolint:gosec // G706: binary path is from trusted config

Also includes regenerated proto files (host.pb.go, host_grpc.pb.go) that were stale relative to the .proto source, causing verify-dirty to fail.

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.