fix(#367): migrate Node.js 20 → 24 LTS

Node.js 24 (Krypton) entered Active LTS on 2026-02-09. Update all
Dockerfiles, CI pipelines, and engine constraint from node:20-alpine
to node:24-alpine. Corrected .trivyignore: tar CVEs come from Next.js
16.1.6 bundled tar@7.5.2 (not npm). Orchestrator and API images are
clean; web image needs Next.js upstream fix.

Fixes #367

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.trivyignore

@@ -1,12 +1,13 @@
 # Trivy CVE Suppressions — Upstream Dependencies
-# Reviewed: 2026-02-12 | Milestone: M11-CIPipeline
+# Reviewed: 2026-02-13 | Milestone: M11-CIPipeline
 #
-# MITIGATED in this sprint:
+# MITIGATED:
 #   - Go stdlib CVEs (6): gosu rebuilt from source with Go 1.26
 #   - npm bundled CVEs (5): npm removed from production Node.js images
+#   - Node.js 20 → 24 LTS migration (#367): base images updated
 #
-# REMAINING: OpenBao only (5 CVEs — 4 false positives + 1 upstream Go stdlib)
-# Re-evaluate when upgrading openbao image beyond 2.5.0.
+# REMAINING: OpenBao (5 CVEs) + Next.js bundled tar (3 CVEs)
+# Re-evaluate when upgrading openbao image beyond 2.5.0 or Next.js beyond 16.1.6.
 
 # === OpenBao false positives ===
 # Trivy reads Go module pseudo-version (v0.0.0-20260204...) from bin/bao
@@ -16,19 +17,15 @@ CVE-2024-9180   # HIGH: privilege escalation (fixed in 2.0.3)
 CVE-2025-59043  # HIGH: DoS via malicious JSON (fixed in 2.4.1)
 CVE-2025-64761  # HIGH: identity group root escalation (fixed in 2.4.4)
 
-# === npm bundled tar CVEs (not upgradeable — not our dependency) ===
-# Why suppressed instead of fixed:
-#   - tar@7.5.2 is bundled INSIDE npm, which ships with the node:20-alpine base image
-#   - It is NOT in pnpm-lock.yaml — not a direct or transitive app dependency
-#   - We already remove npm from all production images:
-#       `RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx`
-#   - Locally-built images have zero tar packages (verified via Trivy scan 2026-02-12)
-#   - CVEs may reappear in CI due to Docker layer caching of the base image
-# To fully eliminate: switch to a distroless/slim base image without npm, or
-# wait for Node.js 20 to bundle a patched npm release.
-CVE-2026-23745  # HIGH: tar arbitrary file overwrite via unsanitized linkpaths
-CVE-2026-23950  # HIGH: tar arbitrary file overwrite via Unicode path collision
-CVE-2026-24842  # HIGH: tar arbitrary file creation via hardlink path traversal
+# === Next.js bundled tar CVEs (upstream — waiting on Next.js release) ===
+# Next.js 16.1.6 bundles tar@7.5.2 in next/dist/compiled/tar/ (pre-compiled).
+# This is NOT a pnpm dependency — it's embedded in the Next.js package itself.
+# Affects web image only (orchestrator and API are clean).
+# npm was also removed from all production images, eliminating the npm-bundled copy.
+# To resolve: upgrade Next.js when a release bundles tar >= 7.5.7.
+CVE-2026-23745  # HIGH: tar arbitrary file overwrite via unsanitized linkpaths (fixed in 7.5.3)
+CVE-2026-23950  # HIGH: tar arbitrary file overwrite via Unicode path collision (fixed in 7.5.4)
+CVE-2026-24842  # HIGH: tar arbitrary file creation via hardlink path traversal (needs tar >= 7.5.7)
 
 # === OpenBao Go stdlib (waiting on upstream rebuild) ===
 # OpenBao 2.5.0 compiled with Go 1.25.6, fix needs Go >= 1.25.7.