Add safe Docker runtime cleanup #2

Open
NiveditJain wants to merge 10 commits into LarsenCundric:main from NiveditJain:feature/docker-purge

@NiveditJain

Summary

  • add Docker runtime cleanup for exited containers and dangling images
  • support runtime filters via --category containers/images, --containers-only, and --images-only
  • apply --older-than to Docker artifacts when creation time is available
  • keep unknown-age Docker artifacts when using age filters for safety
  • fix scanning root-level project bloat such as node_modules or .venv

Safety

  • running containers are never targeted; Docker scanning filters to status=exited
  • tagged images are never targeted; image cleanup filters to dangling images only
  • Docker commands use execFile with argv instead of shell command strings

Checks

  • node --check src/index.js
  • node --check src/docker.js
  • npm start -- --dry-run --category containers --depth 0
  • npm start -- --dry-run --containers-only --depth 0
  • npm start -- --dry-run --images-only --depth 0
  • mocked Docker age-filter test verified only old artifacts are removable
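
An added example (not code from this PR) of the safety rules listed in the description: Docker is invoked through `execFile` with an argv array restricted to `status=exited`, and with an age filter an artifact is removable only when its creation time parses and is old enough. The function names, the `CreatedAt` format, the timeout value and the sample output are assumptions constructed for illustration.

```javascript
// Added example; function names are illustrative, not dev-purge's own.
// Assumed CreatedAt shape: "2026-04-01 09:15:00 +0000 UTC". Returns epoch ms or null.
function parseDockerTime(value) {
  const m = /^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) ([+-]\d{2})(\d{2})/.exec(value || '');
  if (!m) return null;
  const ms = Date.parse(`${m[1]}T${m[2]}${m[3]}:${m[4]}`);
  return Number.isNaN(ms) ? null : ms;
}

// One JSON object per line; malformed lines are recorded, not dropped silently.
function parseJsonLines(stdout, warnings) {
  const items = [];
  for (const line of stdout.split('\n')) {
    if (!line.trim()) continue;
    try { items.push(JSON.parse(line)); }
    catch { warnings.push(`unparseable docker output: ${line.slice(0, 60)}`); }
  }
  return items;
}

// Age policy: removable only when provably older than the cutoff.
function selectRemovable(items, olderThanMs, now, warnings) {
  return items.filter((item) => {
    if (olderThanMs == null) return true;      // no age filter requested
    const created = parseDockerTime(item.CreatedAt);
    if (created === null) {
      warnings.push(`kept ${item.ID}: creation time unknown`);
      return false;
    }
    return now - created >= olderThanMs;
  });
}

// argv array, no shell: nothing in the arguments is parsed as shell syntax.
async function listExitedContainers() {
  const { execFile } = await import('node:child_process');
  const { promisify } = await import('node:util');
  const argv = ['ps', '-a', '--filter', 'status=exited', '--format', '{{json .}}'];
  const { stdout } = await promisify(execFile)('docker', argv, { timeout: 15000 });
  return stdout;
}

// Constructed sample output, not captured from a real host.
const SAMPLE = [
  '{"ID":"aaa111","CreatedAt":"2026-01-01 00:00:00 +0000 UTC"}',
  '{"ID":"bbb222","CreatedAt":"2026-05-04 00:00:00 +0000 UTC"}',
  '{"ID":"ccc333","CreatedAt":"n/a"}',
  '{not json',
].join('\n');
```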

NiveditJain and others added 10 commits May 5, 2026 11:33
Adds a repeatable --ignore CLI option and support for ~/.config/dev-purge/config.json with an ignore array. Patterns are glob-like (supports ~ and **). Scanner respects ignore patterns when discovering projects and bloat dirs.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Scan exited containers and dangling images alongside filesystem bloat
- Add --category containers|images, --containers-only, --images-only
- Remove standalone docker subcommand; use promisify(exec) in docker.js
- Align lockfile package name/bin with dev-purge; pin dependency versions
- Document new categories and flags in README
- Add failproofai policies config

Co-authored-by: Cursor <cursoragent@cursor.com>
@LarsenCundric
Owner

Useful feature, but this PR overlaps significantly with #3 (ignore-pattern handling) — the two are diverging. Worth resolving before merge.

Critical

[P0] Overlap with #3, with diverged glob implementation. Both PRs add --ignore + config loading + globToRegExp. The version here (src/scanner.js:188) is the weaker one:

  • doesn't handle **/ as a path-segment-consuming wildcard (no slash awareness)
  • doesn't support bare directory names like node_modules
  • doesn't support scan-root-relative paths
  • doesn't anchor properly
  • escape regex includes \\ but misses * → results may be wrong on certain inputs

Recommend: rebase on top of #3 after that merges and drop the duplicated --ignore logic from this PR. Otherwise whichever merges second will silently regress the other.

Should fix

[P1] printResults no longer called when only runtime cleanup runs (src/index.js:187)
When --containers-only or --category containers is used, the filesystem table doesn't print (good), but results.length === 0 early-return is gone. If filesystem also has nothing AND no runtime candidates, the code still falls through — minor UX, but the message ordering is now subtle. Worth a quick walkthrough.

[P1] Docker --older-than policy: keep when timestamp unparseable (src/docker.js:30)
The intent in isKeptByAge is "safer to keep" when no timestamp. Correct, but this contradicts the conservative path for runtime cleanup: a malformed Docker date keeps an old container indefinitely. Worth a console.warn so users know why a container they expected to remove was kept.

[P2] --containers-only + --images-only together is undefined
Currently containersOnly ? true : imagesOnly ? false : .... If both flags are passed, images get silently disabled. Either explicitly error, or document precedence in --help.

[P2] parseJsonLines swallows JSON errors silently
If Docker changes its output format, the entire runtime feature appears as "0 containers found." Add a one-line dim warning when a line fails to parse so debugging isn't impossible.

Nice catches

  • execFile with argv (not shell string) on every Docker call — proper hygiene
  • Per-item delete with separate failure tracking — lets users see partial successes
  • keep flag preserves audit trail (what was found vs what's slated for delete)
  • Filtering to status=exited + dangling=true — correct safe scope
  • 15s timeout on Docker calls — won't hang cron jobs

Minor

  • package-lock.json rename from devclean → dev-purge got bundled in. Fine, but worth calling out in the PR description since it affects npm install resolution.
  • README mentions "If Docker is not installed... continue" but the unavailable reason in printRuntimeSummary says "unavailable in this environment" — slight mismatch with what the README promises. The actual error from Docker (err.message) is also dropped. Consider showing it dimmed so users can debug.
  • --json doesn't include runtime artifacts. Called out in README. Reasonable for v1, but worth a follow-up issue.

Verdict

Block on the #3 overlap. Either:

  1. Merge Fix ignore pattern handling #3 first, rebase this PR to drop the duplicated ignore logic, OR
  2. Pull the ignore logic out of this PR and into Fix ignore pattern handling #3, leaving this purely Docker-focused

The Docker portion is solid and ready. Don't ship two diverging glob implementations.
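
The glob properties named under [P0] above (slash-aware `**/`, bare directory names, scan-root-relative paths, anchoring, full metacharacter escaping), as an added example that is not code from this PR or from #3. The function names are hypothetical, and it assumes paths are given relative to the scan root.

```javascript
// Added example; names are illustrative and not taken from dev-purge or PR #3.
const REGEX_META = /[.+^${}()|[\]\\]/g; // regex-special characters other than * and ?

function globToRegExp(pattern) {
  let p = pattern.replace(/\/+$/, '');        // "dist/" and "dist" mean the same
  const bare = !p.includes('/');              // bare name such as "node_modules"
  if (p.startsWith('./')) p = p.slice(2);     // "./x" is relative to the scan root
  let re = '';
  for (let i = 0; i < p.length; i++) {
    if (p.startsWith('**/', i)) {             // zero or more whole path segments
      re += '(?:[^/]+/)*';
      i += 2;
    } else if (p.startsWith('**', i)) {       // trailing "**": anything below
      re += '.*';
      i += 1;
    } else if (p[i] === '*') {
      re += '[^/]*';                          // never crosses a slash
    } else if (p[i] === '?') {
      re += '[^/]';
    } else {
      re += p[i].replace(REGEX_META, '\\$&'); // literal character, escaped
    }
  }
  // Bare names match at any depth; everything else is anchored at the scan root.
  const prefix = bare ? '(?:.*/)?' : '';
  // A matched directory also covers every path beneath it.
  return new RegExp(`^${prefix}${re}(?:/.*)?$`);
}

function isIgnored(relPath, patterns) {
  const norm = relPath.split('\\').join('/').replace(/^\.\//, '');
  return patterns.some((glob) => globToRegExp(glob).test(norm));
}
```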
