mirror of
https://github.com/r3bo0tbx1/tor-guard-relay.git
synced 2026-04-06 00:32:04 +02:00
feat(security,build): enforce localhost-only binding and harden Dockerfile (v1.0.2)
BREAKING CHANGE: Internal services now bind exclusively to 127.0.0.1 by default.

This release introduces strict network boundary enforcement and build-level hardening to improve both runtime security and CI/CD compliance.

Port Security Model:
- Public: 9001 (ORPort), 9030 (DirPort)
- Internal: 9035+ (metrics, health, dashboard) - localhost-only

Security Enhancements:
- Enforces localhost binding for all internal services
- Prevents unauthorized external access to internal endpoints
- Adds reverse proxy, SSH tunnel, and VPN access guidance
- Integrates automated port security validation in diagnostic tools
- Includes comprehensive migration instructions for existing deployments

Build Improvements:
- Dockerfile hardened with strict shell mode (set -euo pipefail)
- Fixed lint warnings: DL3018, DL3059, SC2010, DL4006
- Ensures reproducible builds and cleaner CI validation
- No functional runtime changes beyond improved reliability

File Updates:
- CHANGELOG.md: Version entries updated to v1.0.2
- README.md: Deployment examples and version references aligned
- SECURITY.md: Expanded with port access policy and network architecture
- relay-status.sh: Added port binding validation (v1.0.2)
- integration-check.sh: Added version and port validation phases (v1.0.2)
- Dockerfile: Hardened, lint-compliant, and security aligned

Migration Required:
If external access to metrics or health endpoints is required, configure a reverse proxy with authentication, SSH tunneling, or VPN routing. See SECURITY.md for implementation details.

Version: 1.0.2
@@ -46,7 +46,7 @@ RUN apk add --no-cache \
|
||||
jq=1.8.0-r0 \
|
||||
grep=3.12-r0 \
|
||||
coreutils=9.7-r1 \
|
||||
bind-tools=bind-tools \
|
||||
bind-tools=9.20.15-r0 \
|
||||
netcat-openbsd=1.229.1-r0 \
|
||||
&& rm -rf /var/cache/apk/*
|
||||
|
||||
|
||||
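Review bot: The exact pin `bind-tools=9.20.15-r0` (like the neighbouring `jq`, `grep`, `coreutils` and `netcat-openbsd` pins) will make `apk add` fail as soon as the Alpine branch replaces that revision, because a stable Alpine repository serves only the current build of each package. For bind that replacement is usually a security update, so the build breaks exactly when a fix is available. Pin the base image by digest as well (the `FROM` line is not visible in this hunk) so the tag and the package index move together, and add a scheduled job or bot that bumps these versions, otherwise the "reproducible builds" claim in the commit message only holds until the next repository update. Separately, `rm -rf /var/cache/apk/*` on the last line is redundant with the `apk add --no-cache` shown in the hunk header and can be dropped.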