support BuildKit local output delete mode #3883

Merged: tonistiigi merged 3 commits into docker:master from crazy-max:local-output-delete on Jun 10, 2026
@crazy-max crazy-max commented Jun 3, 2026

needs moby/buildkit#6561

This PR adds Buildx client-side support for the BuildKit local exporter mode=delete behavior introduced by moby/buildkit#6561. Buildx now passes the local exporter mode through for both build --output and Bake outputs, and it gates deletion of stale local output files behind the Buildx-local --allow=buildx.local.delete entitlement where the destination is potentially dangerous.

The build command now accepts --output=type=local,dest=...,mode=delete and keeps the exporter attribute intact when creating BuildKit export entries. Buildx parses --allow=buildx.local.delete separately from BuildKit entitlements, so the Buildx-local allow is used for client-side validation and is not forwarded to BuildKit as an AllowedEntitlement.

The build command allows mode=delete without an extra allow when the local output destination resolves to a subdirectory of the current working directory. It requires --allow=buildx.local.delete when the destination resolves to the current working directory, outside the current working directory, or through a symlink that escapes the current working directory. This keeps ordinary out or dist usage ergonomic while still making destructive destinations explicit.

Bake now recognizes the same buildx.local.delete entitlement for local outputs that use mode=delete. The Bake entitlement prompt and raw JSON error path both report the Buildx-local allow name, and Bake output definitions and --set output overrides are covered by the same entitlement flow.

Testing on buildx repo with mode=delete for binaries target:

$ docker buildx --builder builder bake binaries-cross --set *.platform=linux/amd64,linux/arm64 --print
#1 [internal] load local bake definitions
#1 reading docker-bake.hcl 4.94kB / 4.94kB done
#1 DONE 0.0s
{
  "group": {
    "default": {
      "targets": [
        "binaries-cross"
      ]
    }
  },
  "target": {
    "binaries-cross": {
      "context": ".",
      "dockerfile": "Dockerfile",
      "args": {
        "BUILDKIT_CONTEXT_KEEP_GIT_DIR": "1"
      },
      "target": "binaries",
      "platforms": [
        "linux/amd64,linux/arm64"
      ],
      "output": [
        {
          "dest": "./bin/build",
          "mode": "delete",
          "type": "local"
        }
      ]
    }
  }
}
$ tree -anh ./bin/build
[4.0K]  ./bin/build
├── [   0]  baz.txt
├── [ 62M]  buildx
├── [4.0K]  linux_amd64
│   └── [ 61M]  buildx
└── [4.0K]  linux_arm64
    └── [ 57M]  buildx

3 directories, 4 files
$ docker buildx --builder builder bake binaries-cross --set *.platform=linux/amd64,linux/arm64
#0 building with "builder" instance using docker-container driver

#1 [internal] load local bake definitions
#1 reading docker-bake.hcl 4.94kB / 4.94kB done
#1 DONE 0.0s
Your build is requesting privileges for following possibly insecure capabilities:

 - Deleting stale files from local output destinations

In order to not see this message in the future pass "--allow=local-output-delete" to grant requested privileges.

Your full command with requested privileges:

docker buildx --builder builder bake --allow=local-output-delete binaries-cross --set *.platform=linux/amd64,linux/arm64

Do you want to grant requested privileges and continue? [y/N] y
#0 building with "builder" instance using docker-container driver

#1 [internal] load build definition from Dockerfile
#1 transferring dockerfile: 6.43kB 0.1s done
#1 DONE 0.1s

...
$ tree -anh ./bin/build
[4.0K]  ./bin/build
├── [4.0K]  linux_amd64
│   └── [ 62M]  buildx
└── [4.0K]  linux_arm64
    └── [ 58M]  buildx

3 directories, 2 file
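
The destination rule from the PR description above (a strict subdirectory of the working directory needs no allow; the working directory itself, anything outside it, or a symlink that escapes it does), as an added example that is not Buildx's own code. The names resolveExisting and NeedsDeleteAllow are hypothetical, and cwd is assumed to be an absolute path.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// resolveExisting (hypothetical) resolves symlinks in the longest existing prefix of p, then re-appends the missing tail.
func resolveExisting(p string) (string, error) {
	rest := ""
	for {
		resolved, err := filepath.EvalSymlinks(p)
		if err == nil {
			return filepath.Join(resolved, rest), nil
		}
		if _, lerr := os.Lstat(p); lerr == nil || !os.IsNotExist(err) || filepath.Dir(p) == p {
			return "", err // fail closed: dangling symlink, unexpected error, or reached the root
		}
		rest, p = filepath.Join(filepath.Base(p), rest), filepath.Dir(p)
	}
}

// NeedsDeleteAllow (hypothetical) is true unless dest resolves strictly below cwd.
func NeedsDeleteAllow(cwd, dest string) (bool, error) {
	if !filepath.IsAbs(dest) {
		dest = filepath.Join(cwd, dest)
	}
	realCwd, err := resolveExisting(cwd)
	realDest, err2 := resolveExisting(dest)
	if err != nil || err2 != nil {
		return true, fmt.Errorf("cannot resolve paths: %v; %v", err, err2)
	}
	rel, err := filepath.Rel(realCwd, realDest)
	if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return true, err
	}
	return false, nil
}

func main() {
	cwd, _ := os.Getwd()
	for _, d := range []string{"out", ".", "../elsewhere"} { // constructed destinations
		need, err := NeedsDeleteAllow(cwd, d)
		fmt.Printf("%-13s needs allow: %v (err: %v)\n", d, need, err)
	}
}
```

Resolving the longest existing prefix matters because a local output directory such as ./bin/build often does not exist before the first build, while one of its parents may already be a symlink.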

crazy-max and others added 3 commits June 10, 2026 16:41
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
@crazy-max crazy-max force-pushed the local-output-delete branch from 9c204bb to b6e1b73 Compare June 10, 2026 14:41
@crazy-max crazy-max marked this pull request as ready for review June 10, 2026 14:50
Comment thread bake/entitlements.go

func volumeNameLen(s string) int {
return len(filepath.VolumeName(s))
return osutil.EvaluateToExistingPath(in)
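
Review bot: the return osutil.EvaluateToExistingPath(in) line at the end of this hunk reads as a local helper reduced to a single call into osutil. If that call is the helper's entire body, drop the helper and call osutil.EvaluateToExistingPath directly at the call sites, so bake/entitlements.go does not keep an indirection with no logic of its own.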


evaluateToExistingPath is not needed anymore

@tonistiigi tonistiigi merged commit dd388bf into docker:master Jun 10, 2026
198 of 200 checks passed
@crazy-max crazy-max deleted the local-output-delete branch June 10, 2026 21:54