fix(deploy): SEC-014 — loopback-bind Postgres host port in compose files

Acquisition-audit SEC-014 closure (Sprint 2 ACQ, 2026-05-16).

Both deploy/docker-compose.yml and deploy/docker-compose.test.yml
published Postgres on `5432:5432` — the short Docker port-mapping
form, which binds to 0.0.0.0 by default. On any host with a
public-facing NIC, that quietly exposed the Postgres TCP listener to
the internet. The certctl-server-to-postgres traffic itself goes over
the `certctl-network` Docker bridge, not the host port; the host
port mapping is a convenience for operator psql access and for the
integration-test runner that lives on the host.

Switch both mappings to `127.0.0.1:5432:5432` (loopback-only).
Operator psql via `localhost` keeps working; the integration-test
runner keeps working; cross-host exposure goes away.

Audit trail: docs/operator/security.md (Postgres transport encryption
subsection, SEC-014 paragraph).

deploy/docker-compose.yml

@@ -145,8 +145,18 @@ services:
       # default for screenshot/demo use; production deploys never
       # depend on that fallback.
       POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
+    # Acquisition-audit SEC-014 closure (Sprint 2, 2026-05-16). Bind
+    # the published port to 127.0.0.1 ONLY — the certctl-server
+    # connection comes in via the `certctl-network` Docker network
+    # (the host-port mapping is operator convenience for psql / DB
+    # inspection only). Pre-fix, the "5432:5432" form bound on
+    # 0.0.0.0, exposing the Postgres TCP listener on every interface
+    # of any host that happened to be on a public IP. The loopback
+    # bind keeps host-side psql access working while preventing the
+    # cross-network exposure landmine for compose deploys that aren't
+    # behind a firewall.
     ports:
-      - "5432:5432"
+      - "127.0.0.1:5432:5432"
     volumes:
       - postgres_data:/var/lib/postgresql/data
     networks: