Remove --enable-dind flag and Docker-in-Docker support #1727

@Mossaka

Description

Context

Docker-in-Docker support was removed in AWF v0.9.1 (PR #205). The docker-stub.sh blocks all Docker commands by default with an error message pointing to that PR.

However, the --enable-dind CLI flag still exists (src/cli.ts:1334) and enableDind is handled in docker-manager.ts:945 — it mounts the Docker socket when enabled. This creates a confusing dual state where DinD is "removed" but can be silently re-enabled.

Problem

  • The flag is undocumented and likely unused
  • When enabled, it creates a significant security surface (see issue #130, "[Security] Child containers don't inherit NAT rules - proxy bypass possible") that would require a complex Docker wrapper to secure
  • The existing docker-stub.sh says DinD was removed, but the flag contradicts this
  • Maintaining security for DinD (shared network namespaces, Docker wrapper, subcommand parsing) adds significant complexity for a feature nobody uses

Proposal

  1. Remove the --enable-dind CLI flag from src/cli.ts
  2. Remove enableDind handling from src/docker-manager.ts (socket mounting, env vars)
  3. Remove enableDind from src/types.ts
  4. Clean up related tests in src/docker-manager.test.ts
  5. Keep docker-stub.sh as-is (blocks Docker commands with helpful error)
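One way to make the "removed" state enforceable rather than just documented is a fail-closed guard over the bind mounts a launcher is about to hand to `docker run`, so that nothing like the leftover `enableDind` path can mount the host Docker socket unnoticed. This is an added example, not AWF's own code; the `BindMount` shape, the function names and the mount specs are constructed for illustration.

```typescript
// Added example (not AWF's own code): reject container launches that would
// bind-mount the host Docker socket, which hands the sandbox control of the
// host daemon. Names and sample specs below are constructed for illustration.

interface BindMount {
  hostPath: string;
  containerPath: string;
  readOnly: boolean;
}

// Host-side paths that expose the Docker daemon to whatever runs inside.
const DOCKER_SOCKET_PATHS = ["/var/run/docker.sock", "/run/docker.sock"];

// Parse a docker "-v host:container[:opts]" spec into its parts.
function parseBindMount(spec: string): BindMount {
  const parts = spec.split(":");
  if (parts.length < 2 || parts.length > 3) {
    throw new Error(`malformed bind mount: ${spec}`);
  }
  const [hostPath, containerPath, opts = ""] = parts;
  return { hostPath, containerPath, readOnly: opts.split(",").includes("ro") };
}

// Collapse duplicate slashes and drop a trailing slash so that spellings such as
// "/var/run//docker.sock/" still match the deny list.
function normalizePath(p: string): string {
  return p.replace(/\/+/g, "/").replace(/\/$/, "");
}

// Return every mount that would expose the Docker daemon; empty means safe.
function findDockerSocketMounts(specs: string[]): BindMount[] {
  return specs
    .map(parseBindMount)
    .filter((m) => DOCKER_SOCKET_PATHS.includes(normalizePath(m.hostPath)));
}

// Fail closed: a launcher calls this right before starting the container.
function assertNoDockerSocket(specs: string[]): void {
  const bad = findDockerSocketMounts(specs);
  if (bad.length > 0) {
    const paths = bad.map((m) => m.hostPath).join(", ");
    throw new Error(`refusing to start: Docker socket would be mounted (${paths})`);
  }
}
```

Even with the flag gone, keeping a check like this in the launch path turns a future reintroduction of socket mounting into a failing test instead of a silent regression.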
