fix(deploy): SEC-014 — loopback-bind Postgres host port in compose files

Acquisition-audit SEC-014 closure (Sprint 2 ACQ, 2026-05-16).

Both deploy/docker-compose.yml and deploy/docker-compose.test.yml
published Postgres on `5432:5432` — the short Docker port-mapping
form, which binds to 0.0.0.0 by default. On any host with a
public-facing NIC, that quietly exposed the Postgres TCP listener to
the internet. The certctl-server-to-postgres traffic itself goes over
the `certctl-network` Docker bridge, not the host port; the host
port mapping is a convenience for operator psql access and for the
integration-test runner that lives on the host.

Switch both mappings to `127.0.0.1:5432:5432` (loopback-only).
Operator psql via `localhost` keeps working; the integration-test
runner keeps working; cross-host exposure goes away.

Audit trail: docs/operator/security.md (Postgres transport encryption
subsection, SEC-014 paragraph).
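The exposure the message describes comes from Docker's short port-mapping grammar, `[host_ip:][host_port:]container_port[/proto]`, where an absent `host_ip` means all interfaces. The audit below is an added example, not code from this commit or the certctl project: it parses that grammar (including bracketed IPv6 literals and the `127.0.0.1::5432` ephemeral-port form) and walks a compose file's `ports:` lists, flagging every mapping whose host side is not loopback, so the pre-fix `5432:5432` and the bare `9090` both show up while `127.0.0.1:5432:5432` does not. The compose text inside is constructed for the example; it only understands the short list syntax, not the long `target:`/`published:`/`host_ip:` form.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Docker short port syntax:
#   [host_ip:][host_port[-host_port]:]container_port[-container_port][/proto]
# host_ip is a dotted IPv4 quad or a bracketed IPv6 literal such as [::1];
# host_port may be empty (e.g. "127.0.0.1::5432" = ephemeral port on loopback).
_PORT_RE = re.compile(
    r"^(?:(?P<ip>\[[0-9a-fA-F:]+\]|\d{1,3}(?:\.\d{1,3}){3}):)?"
    r"(?:(?P<host>\d+(?:-\d+)?)?:)?"
    r"(?P<cont>\d+(?:-\d+)?)"
    r"(?:/(?P<proto>tcp|udp|sctp))?$"
)

LOOPBACK = {"127.0.0.1", "[::1]"}


@dataclass(frozen=True)
class PortMapping:
    spec: str
    host_ip: Optional[str]    # None: Docker default, i.e. every interface (0.0.0.0 / ::)
    host_port: Optional[str]  # None: Docker picks an ephemeral host port
    container_port: str
    proto: str

    @property
    def loopback_only(self) -> bool:
        """True only when the host listener is explicitly pinned to loopback."""
        return self.host_ip in LOOPBACK


def parse_port(spec: str) -> PortMapping:
    """Parse one short-syntax port mapping; raises ValueError on unknown shapes."""
    spec = spec.strip()
    m = _PORT_RE.match(spec)
    if m is None:
        raise ValueError(f"unrecognised port mapping: {spec!r}")
    return PortMapping(spec, m["ip"], m["host"], m["cont"], m["proto"] or "tcp")


# Minimal line scanner for the compose layout used here (services two-space
# indented, `ports:` lists of quoted or bare strings, optional trailing comments).
_SERVICE_RE = re.compile(r"^  (\S+):\s*$")
_PORTS_KEY_RE = re.compile(r"^\s+ports:\s*$")
_LIST_ITEM_RE = re.compile(r"""^\s+-\s*["']?([^"'#\s]+)["']?\s*(?:#.*)?$""")


def audit_compose(text: str) -> list[tuple[str, PortMapping]]:
    """Return (service, mapping) for every published port not bound to loopback."""
    findings: list[tuple[str, PortMapping]] = []
    service: Optional[str] = None
    in_ports = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        svc = _SERVICE_RE.match(line)
        if svc:
            service, in_ports = svc.group(1), False
            continue
        if _PORTS_KEY_RE.match(line):
            in_ports = True
            continue
        if in_ports:
            item = _LIST_ITEM_RE.match(line)
            if item is None:          # a sibling key ends the ports list
                in_ports = False
                continue
            mapping = parse_port(item.group(1))
            if not mapping.loopback_only:
                findings.append((service or "?", mapping))
    return findings


# Constructed sample, not a real certctl compose file.
SAMPLE_COMPOSE = """\
services:
  postgres:
    image: postgres:16
    ports:
      - "5432:5432"             # short form, binds every interface (pre-fix)
    networks:
      - certctl-network
  postgres-fixed:
    image: postgres:16
    ports:
      - "127.0.0.1:5432:5432"   # loopback-only (post-fix)
      - "[::1]:5433:5432"
  web:
    image: certctl-server
    ports:
      - "8443:8443/tcp"
      - "9090"                  # container port only: ephemeral host port on 0.0.0.0
networks:
  certctl-network: {}
"""

if __name__ == "__main__":
    for svc, m in audit_compose(SAMPLE_COMPOSE):
        print(f"{svc}: {m.spec} -> host bind {m.host_ip or 'ALL INTERFACES'}")
```

Run it against `deploy/docker-compose.yml` and `deploy/docker-compose.test.yml` in CI and fail the build on any finding that is not an intended public listener; a mapping to a specific non-loopback address such as `10.0.0.5:5432:5432` is also reported, since it still reaches the network on that NIC.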
shankar0123
2026-05-16 17:12:42 +00:00
parent 2e9262cfb7
commit 7e2481b225
2 changed files with 15 additions and 2 deletions
+4 -1
@@ -116,8 +116,11 @@ services:
networks:
certctl-test:
ipv4_address: 10.30.50.2
# Acquisition-audit SEC-014 closure (Sprint 2, 2026-05-16).
# Loopback-only host-port bind — the integration-test runner on
# the host needs reachability, no other interface does.
ports:
- "5432:5432"
- "127.0.0.1:5432:5432"
healthcheck:
test: ["CMD-SHELL", "pg_isready -U certctl -d certctl"]
interval: 5s
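Review bot: only the `certctl-test` service (static `ipv4_address: 10.30.50.2`) is shown moving from `- "5432:5432"` to `- "127.0.0.1:5432:5432"`, yet the message names both deploy/docker-compose.yml and deploy/docker-compose.test.yml and the header counts 2 changed files; the production-file hunk is absent from this page, so that mapping cannot be confirmed here. Two follow-ups for the commit or docs/operator/security.md: `127.0.0.1` is an IPv4-only bind, so the claim that `psql` via `localhost` keeps working rests on libpq trying `127.0.0.1` after `::1` when `localhost` resolves to both; documenting `-h 127.0.0.1`, or adding a `"[::1]:5432:5432"` entry, removes that dependency. And the closure is only verifiable with a post-deploy check that belongs next to the SEC-014 paragraph: after `docker compose up`, `docker port <postgres-container> 5432` should print `127.0.0.1:5432` and `ss -ltn` should show no `0.0.0.0:5432` or `[::]:5432` listener, which is what the comment's "no other interface does" asserts.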