[MEDIUM] Empty Desktop version cached for full 5-minute TTL when Desktop is unavailable at first call

GetVersion always returns (info.CurrentVersion, nil) — even when the HTTP call to Desktop's /update endpoint fails (Desktop not running, socket not present, timeout, etc.). In that case info.CurrentVersion is the zero value "", and since go-memoize only caches results where error == nil, the empty string gets cached for the full 5-minute TTL.

This contradicts the PR description's claim that the lookup "recovers automatically if Desktop starts after docker-agent": if GetVersion is first called before Desktop is ready, the X-Docker-Desktop-Version header will be silently omitted for up to 5 minutes even after Desktop becomes available — rather than recovering on the next request.

Fix: return a non-nil error when the lookup fails so go-memoize does not cache the failure:

if err := ClientBackend.Get(ctx, "/update", &info); err != nil {
    return "", err   // not cached; next caller retries
}
return info.CurrentVersion, nil

This way a transient failure (Desktop not yet up) never poisons the cache.

Non-blocking: the _ = ClientBackend.Get(...) ignores the error and lets the memoizer cache the empty string for the full 5 minutes. That's intentional for the steady-state "Desktop not running" case (good — we don't want to hammer the socket), but it also means a transient failure (e.g. backend.sock momentarily unavailable while Desktop restarts, or a 2 s timeout under load) gets pinned for 5 minutes before we try again.

If we wanted to differentiate, returning a non-nil error from the closure on Get failures would let go-memoize re-attempt sooner (its TTL applies per cache entry, but errors aren't cached the same way — worth double-checking the library semantics). Not a blocker for this PR — the header is best-effort by design — but worth a comment in the code so the next reader knows the swallow is deliberate.

Question: what drove the 5 min TTL (and the 10 min cleanup interval)? The PR description mentions "recovers automatically … upgraded mid-session" which argues for some refresh, but 5 minutes is a fairly arbitrary middle ground — Desktop upgrades are rare (once a week), the lookup is cheap-ish (one local socket call with a 2 s ceiling), and the value almost never changes within a session.

A short rationale comment near the NewMemoizer call (e.g. "5 min keeps the steady-state cost ≤ 1 socket call per 5 min per process while still picking up Desktop upgrades within a few minutes") would save the next reader the same question. Happy to leave the value as-is.

Non-blocking (privacy/scope): SetIdentity is wired into every api / fetch / openapi outbound request, which means X-Docker-Desktop-Version is broadcast to every host the operator points a built-in tool at — not just Docker-owned backends. The PR description acknowledges this and defers an opt-out, which I think is fine, but two thoughts for the next iteration:

1. Consider scoping the Desktop header to known Docker hosts (Hub, Hub gateway, *.docker.com, *.docker.io) by default. The agent-version header is harmless to broadcast; the Desktop-version one is the genuinely new signal and the one most likely to surprise a security-minded operator.
2. If we keep it global, the README / docs should mention the new header explicitly so operators auditing outbound traffic aren't surprised. I don't see a docs update in this PR — happy to merge without one if a follow-up is tracked.

Neither blocks this PR.

Non-blocking: two behaviours that the PR description calls out as load-bearing don't have a unit test here:

1. Desktop unreachable → X-Docker-Desktop-Version omitted, not set to empty string. Today this is implicit (because no Desktop socket is around in CI) — the existing tests in api/fetch/openapi assert presence of the agent-version header but don't assert absence of the Desktop one. A test that injects a stub returning "" and asserts req.Header.Get(HeaderDesktopVersion) == "" and that the key is not present in req.Header would pin the contract.
2. Operator-supplied override wins. The setHeaders callers apply caller headers after SetIdentity, which is the documented precedence — but there's no test pinning that a User-Agent or X-Docker-Agent-Version in the operator config overrides the defaults. pkg/tools/builtin/fetch/fetch_test.go has a TestFetch_Headers_OverrideDefaults for User-Agent; an analogous one for X-Docker-Agent-Version (and ideally one in api/openapi) would catch a future refactor that flips the order.

Both are quick to add and would lock in the invariants the PR description leans on.