chore(deps): bump direct Go dependencies

[dgageot]

This PR updates direct Go dependencies to their latest patch and minor versions. Each dependency was validated independently with task lint and task test before being committed.

The updates improve compatibility with upstream packages and incorporate bug fixes and incremental improvements from the dependency maintainers.

Dependency	From	To	Notes
github.com/anthropics/anthropic-sdk-go	v1.44.1	v1.45.0
github.com/aws/aws-sdk-go-v2/service/bedrockruntime	v1.51.0	v1.52.0
github.com/docker/portcullis	20260511153206-f65240c74787	20260522094836-b66c4ab750fd
github.com/modelcontextprotocol/go-sdk	v1.6.0	v1.6.1
github.com/openai/openai-go/v3	v3.36.0	v3.37.0
github.com/pb33f/libopenapi	v0.36.5	v0.36.6
golang.org/x/image	v0.40.0	v0.41.0
golang.org/x/sys	v0.44.0	v0.45.0
google.golang.org/genai	v1.57.0	v1.58.0

Note: google.golang.org/adk (v1.2.0 → v1.3.0) was intentionally skipped. The upgrade deprecates server/adka2a in favor of server/adka2a/v2, which requires a non-trivial code migration handled separately.

[docker-agent]

Assessment: 🟢 APPROVE

Routine dependency bump touching only go.mod and go.sum. All nine bumped dependencies follow the expected semver minor/patch pattern, with both source (h1) and go.mod hashes updated consistently in go.sum. No breaking API changes are evident.

Observations (low severity, no action required):

• docker/portcullis uses a pseudo-version (timestamp-based) — the new commit b66c4ab750fd replaces f65240c74787. This is expected for internal Docker modules; the commit has been independently validated per the PR description.
• anthropic-sdk-go and bedrockruntime show unchanged go.mod hashes alongside new source hashes — this is normal when a module's own dependencies did not change between versions.
• google.golang.org/adk remains pinned at v1.2.0 while genai advances to v1.58.0. These are separate modules; Go MVS handles the co-existence, but the version skew is worth monitoring if ADK internals depend on specific genai behaviour.

The intentional skip of google.golang.org/adk v1.3.0 (pending server/adka2a/v2 migration) is clearly documented in the PR description.

[aheritier]

Review: chore(deps): bump direct Go dependencies

Clean, surgical maintenance PR — only go.mod and go.sum are touched.

CI: All required checks pass (build-and-test, lint, license-check, build-image). ✅

Dependency changes (9 bumps):

Dependency	From	To
anthropics/anthropic-sdk-go	v1.44.1	v1.45.0
aws/.../bedrockruntime	v1.51.0	v1.52.0
docker/portcullis	20260511-f65240c	20260522-b66c4ab
modelcontextprotocol/go-sdk	v1.6.0	v1.6.1
openai/openai-go/v3	v3.36.0	v3.37.0
pb33f/libopenapi	v0.36.5	v0.36.6
golang.org/x/image	v0.40.0	v0.41.0
golang.org/x/sys	v0.44.0	v0.45.0
google.golang.org/genai	v1.57.0	v1.58.0

All bumps are minor or patch — no breaking changes per Go semver.

go.sum integrity: Exactly 36 changed lines (9 deps × 2 hash lines × 2 diff sides). No stray or missing entries; no transitive dependency cascades.

google.golang.org/adk intentionally held at v1.2.0: Correct call. v1.3.0 deprecates server/adka2a in favour of server/adka2a/v2, which is a non-trivial migration (pkg/a2a/server.go and pkg/a2a/executor_wrapper.go both import the old path directly). Rushing the upgrade without the migration would break the A2A server feature.

Non-blocking note: google.golang.org/genai is now at v1.58.0 while adk stays at v1.2.0. The combination is validated by CI, but the skew will grow until the adka2a/v2 migration lands. Worth tracking as a follow-up.

Process: Per the PR description, each dependency was validated independently with task lint + task test before committing — good practice for a batch bump.