feat(network-go): add fuzzy container name resolution for firewall connections

Implement FindContainerName method on DockerAPI that attempts exact match
first, then falls back to prefix-based matching (e.g., extracting prefix
before dash like "service-" in "service-abc") to replicate the old shell
script's `grep $D"-"` behavior. Update firewall orchestrator to use this
resolution before connecting containers to networks, improving robustness
when container names vary from configured selectors.

network-go/mock/mock.go

@@ -41,6 +41,10 @@ type MockDockerClient struct {
 	AddRouteGateway               string
 	AddRouteErr                   error
 
+	FindContainerNameCalled       bool
+	FindContainerNameResult       string
+	FindContainerNameErr          error
+
 	InspectContainerErr           error
 	RemoveNetworkErr              error
 	DisconnectContainerErr        error
@@ -94,6 +98,14 @@ func (m *MockDockerClient) AddRouteInContainer(ctx context.Context, containerNam
 	return m.AddRouteErr
 }
 
+func (m *MockDockerClient) FindContainerName(ctx context.Context, name, selector string) (string, error) {
+	m.FindContainerNameCalled = true
+	if m.FindContainerNameResult != "" {
+		return m.FindContainerNameResult, m.FindContainerNameErr
+	}
+	return name, m.FindContainerNameErr
+}
+
 // MockIPTablesManager implements iptables.IPTablesAPI for testing
 type MockIPTablesManager struct {
 	BinaryResult                                string