fix(buildlog): bump coder/coder to v2.33.2 to send agent token via header

[deansheather]

Problem

When envbox starts in a Coder workspace pod, the buildlog client logs this on a tight retry loop:

{"level":"ERROR","msg":"connect err","caller":"buildlog/coder.go:119",
 "func":"github.com/coder/envbox/buildlog.newAgentClientV2",
 "fields":{"error":"GET https://<server>/api/v2/workspaceagents/me/rpc?version=2.2: unexpected status code 401: Cookie \"coder_session_token\" must be provided.: Try logging in using 'coder login'."}}

The workspace still comes up (the call site at cli/docker.go:199 deliberately doesn't fail startup on buildlog errors), but no envbox build logs are pushed and the error spam confuses users debugging real workspace problems.

Root cause

Envbox was pinned to github.com/coder/coder/v2 v2.24.4. In that version, agentsdk.connectRPCVersion authenticates the WebSocket upgrade via a cookie jar:

jar, _ := cookiejar.New(nil)
jar.SetCookies(rpcURL, []*http.Cookie{{Name: codersdk.SessionTokenCookie, Value: c.SDK.SessionToken()}})
httpClient := &http.Client{Jar: jar, Transport: c.SDK.HTTPClient.Transport}
conn, res, err := websocket.Dial(ctx, rpcURL.String(), &websocket.DialOptions{HTTPClient: httpClient})

The coder/websocket package does not honor http.Client.Jar during the upgrade — cookies from the jar are silently dropped, so the upgrade request reaches the server with no auth and the agent-token middleware returns 401.

Mainline coder/coder already fixed this — connectRPCVersion now passes the token via HTTPHeader: http.Header{codersdk.SessionTokenHeader: ...} in the websocket.DialOptions, which coder/websocket does honor. Verified in v2.33.2 at codersdk/agentsdk/agentsdk.go:349-350.

Changes

1. Bump github.com/coder/coder/v2 from v2.24.4 → v2.33.2. This is past the SessionTokenProvider refactor (1354d84) and the functional-args refactor (5c2b9a5), both of which are required so agentsdk uses HTTPHeader for the upgrade.

2. buildlog/coder.go: adopt the new agentsdk.New(serverURL, SessionTokenSetup, ...) signature:

   // before
   client := agentsdk.New(accessURL)
   client.SetSessionToken(token)
   // after
   client := agentsdk.New(accessURL, agentsdk.WithFixedToken(token))

3. Migrate cdr.dev/slog → cdr.dev/slog/v3 across the repo (12 files). Required because the new agentsdk.NewLogSender takes a cdr.dev/slog/v3.Logger, and buildlog/coder.go passes its logger straight through.

4. Mirror coder/coder's replace directives for tailscale.com, github.com/tailscale/wireguard-go, and gvisor.dev so the v2.33.2 build resolves cleanly.

5. Pin github.com/docker/cli to v27.4.1 via replace. docker/cli v29 (pulled in transitively by coder) imports the new github.com/moby/moby/client v0.3.0 module. The legacy github.com/moby/moby +incompatible module that ory/dockertest still drags in also exposes the same client package, and Go cannot disambiguate when the parent module is +incompatible (no go.mod). v27.4.1 is the version dockertest v3.12.0 itself requires and its cli/compose/loader doesn't import moby/moby/client, so the conflict goes away. Rationale is documented inline in go.mod.

Acceptance criteria

• go.mod github.com/coder/coder/v2 bumped to a version where agentsdk.connectRPCVersion uses HTTPHeader for the session token (v2.33.2).
• buildlog/coder.go updated for the new agentsdk.New signature.
• go mod tidy clean.
• go build ./... passes.
• go vet ./... — no new warnings (the two pre-existing cli/docker.go cancel/leak warnings are unchanged from main).
• go test ./... — all unit tests pass.
• Live workspace verification not yet done in this PR — needs a workspace pod with CODER_AGENT_TOKEN and CODER_AGENT_URL set against a real Coder deployment. The buildlog client should NOT log connect err … coder_session_token must be provided on the retry loop; it should connect successfully (or, on a real network error, surface a more accurate error). Marking this as a draft so a maintainer can sanity-check the dep bump scope before we run that.
• Integration suite (CODER_TEST_INTEGRATION=1 make test-integration) — not run locally because per AGENTS.md it requires a VM/physical machine and Docker socket access not available in my sandbox. Will rely on CI.

Out of scope

• Changing the buildlog retry semantics or the --no-startup-log flag.
• Removing the cookie-jar code from older agentsdk versions (that's a coder/coder repo concern, already fixed upstream).