Convert to Apple Container

This skill switches NanoClaw's container runtime from Docker to Apple Container (macOS-only). It uses the skills engine for deterministic code changes, then walks through verification.

What this changes:

• Container runtime binary: docker → container
• Mount syntax: -v path:path:ro → --mount type=bind,source=...,target=...,readonly
• Startup check: docker info → container system status (with auto-start)
• Orphan detection: docker ps --filter → container ls --format json
• Build script default: docker → container
• Dockerfile entrypoint: .env shadowing via mount --bind inside the container (Apple Container only supports directory mounts, not file mounts like Docker's /dev/null overlay)
• Container runner: main-group containers start as root for mount --bind, then drop privileges via setpriv

What stays the same:

• Mount security/allowlist validation
• All exported interfaces and IPC protocol
• Non-main container behavior (still uses --user flag)
• All other functionality