build: cache docker layers, configurable engine, bump owasp/pnpm

- CI workflow uses BuildKit inline cache + --cache-from previous :latest;
  NVD_REFRESH build-arg busts the OWASP layer on schedule/dispatch so
  weekly rebuilds still refresh NVD while push builds reuse cached layers.
- build-and-push.ps1 reads CONTAINER_ENGINE from .env (docker default,
  podman supported); add .env.example.
- Bump OWASP Dependency-Check 12.2.1 -> 12.2.2 and pnpm 11.0.6 -> 11.1.1.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

ci/java-builder/Dockerfile

@@ -66,11 +66,14 @@ RUN curl -fsSL "https://dlcdn.apache.org/maven/maven-3/${MAVEN_VERSION}/binaries
 #
 # Rebuild this image weekly to keep the NVD database fresh.
 # ─────────────────────────────────────────────────────────────────────
-ARG OWASP_DC_VERSION=12.2.1
+ARG OWASP_DC_VERSION=12.2.2
 ARG NVD_API_KEY=""
+# Bump to invalidate the cached NVD layer (e.g. weekly date stamp from CI).
+ARG NVD_REFRESH=""
 ENV OWASP_DATA_DIR=/opt/owasp/dependency-check-data
 
-RUN if [ -n "${NVD_API_KEY}" ]; then \
+RUN echo "NVD_REFRESH=${NVD_REFRESH}" \
+    && if [ -n "${NVD_API_KEY}" ]; then \
         echo "NVD API key: set (length=$(printf %s "${NVD_API_KEY}" | wc -c))"; \
     else \
         echo "WARNING: NVD_API_KEY is empty — NVD will rate-limit at 5 req / 30s"; \
@@ -113,7 +116,7 @@ RUN curl -fsSL "https://github.com/bufbuild/buf/releases/download/v${BUF_VERSION
 # Last because it's the most volatile pin and corepack prepare is the
 # cheapest layer; bumping pnpm shouldn't force any other layer to rebuild.
 # ─────────────────────────────────────────────────────────────────────
-ARG PNPM_VERSION=11.0.6
+ARG PNPM_VERSION=11.1.1
 
 RUN corepack enable \
     && corepack prepare "pnpm@${PNPM_VERSION}" --activate