fix(shellwrap): capture login-shell PATH so docker credential helpers resolve (#382)

When mcpproxy runs as a macOS App Bundle or LaunchAgent, os.Getenv("PATH")
is often `/usr/bin:/bin`. shellwrap.ResolveDockerPath already works around
that for the docker binary itself by caching an absolute path from the
user's login shell, but `docker pull` still fails for registries that
need credential helpers (e.g. docker-credential-desktop), because the
docker CLI re-execs the helper via its own PATH lookup — and the helper
lives in /usr/local/bin or /opt/homebrew/bin, which are absent from the
ambient launchd PATH.

This adds a new LoginShellPATH() helper that captures the login shell's
PATH once per process via `sh -l -c 'printf %s "$PATH"'` and caches it.
MinimalEnv() now merges that login-shell PATH with the ambient PATH
(login-shell first, deduped) so subprocesses spawned by the scanner can
locate credential helpers and other developer tools. Ambient behavior is
fully preserved on Windows and in the success-path fallback when the
login shell cannot be executed.

Fixes #381

Co-authored-by: Claude Code <noreply@anthropic.com>