feat(security,build): enforce localhost-only binding and harden Dockerfile (v1.0.2)

BREAKING CHANGE: Internal services now bind exclusively to 127.0.0.1 by default.

This release introduces strict network boundary enforcement and build-level hardening
to improve both runtime security and CI/CD compliance.

Port Security Model:
- Public: 9001 (ORPort), 9030 (DirPort)
- Internal: 9035+ (metrics, health, dashboard) - localhost-only

Security Enhancements:
- Enforces localhost binding for all internal services
- Prevents unauthorized external access to internal endpoints
- Adds reverse proxy, SSH tunnel, and VPN access guidance
- Integrates automated port security validation in diagnostic tools
- Includes comprehensive migration instructions for existing deployments

Build Improvements:
- Dockerfile hardened with strict shell mode (set -euo pipefail)
- Fixed lint warnings: DL3018, DL3059, SC2010, DL4006
- Ensures reproducible builds and cleaner CI validation
- No functional runtime changes beyond improved reliability

File Updates:
- CHANGELOG.md: Version entries updated to v1.0.2
- README.md: Deployment examples and version references aligned
- SECURITY.md: Expanded with port access policy and network architecture
- relay-status.sh: Added port binding validation (v1.0.2)
- integration-check.sh: Added version and port validation phases (v1.0.2)
- Dockerfile: Hardened, lint-compliant, and security aligned

Migration Required:
If external access to metrics or health endpoints is required,
configure a reverse proxy with authentication, SSH tunneling, or VPN routing.
See SECURITY.md for implementation details.

Version: 1.0.2
rE-Bo0t.bx1
2025-11-05 20:14:13 +08:00
parent f33dcf76c6
commit abd94c9e34
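
Added example (not part of this commit and not the project's relay-status.sh): one way to audit listening sockets against the port model stated in the commit message, reading lines in `ss -H -tln` format. The function names, the 9099 upper bound for "9035+" and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag internal ports that listen on a non-loopback address.
INTERNAL_MIN=9035   # from the commit message: internal ports start at 9035
INTERNAL_MAX=9099   # assumption: upper bound chosen for the "9035+" range

# Reads `ss -H -tln` style lines on stdin (field 4 = local address:port).
# Prints "VIOLATION <addr> <port>" per offending socket; exit status 1 if any.
audit_bindings() {
    awk -v lo="$INTERNAL_MIN" -v hi="$INTERNAL_MAX" '
        $1 == "LISTEN" {
            local_addr = $4
            # The port is whatever follows the last colon (covers [::1]:9036).
            n = split(local_addr, parts, ":")
            port = parts[n] + 0
            addr = substr(local_addr, 1, length(local_addr) - length(parts[n]) - 1)
            sub(/%.*$/, "", addr)        # drop an interface scope such as %lo
            gsub(/^\[|\]$/, "", addr)    # strip IPv6 brackets
            if (port < lo || port > hi) next              # public or unrelated
            if (addr ~ /^127\./ || addr == "::1") next    # loopback is allowed
            print "VIOLATION", addr, port
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample input: two public ports, two correctly bound internal
# ports, and two internal ports exposed on wildcard addresses.
sample_listeners() {
    cat <<'EOF'
LISTEN 0 4096 0.0.0.0:9001 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:9030 0.0.0.0:*
LISTEN 0 128 127.0.0.1:9035 0.0.0.0:*
LISTEN 0 128 [::1]:9036 [::]:*
LISTEN 0 128 0.0.0.0:9037 0.0.0.0:*
LISTEN 0 128 [::]:9038 [::]:*
EOF
}

# On a live host the input would come from: ss -H -tln | audit_bindings
sample_listeners | audit_bindings || echo "internal port exposed beyond localhost"
```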

@@ -4,7 +4,7 @@
# Base: Alpine 3.22.2 | Multi-arch: amd64, arm64
# ============================================================================
FROM alpine:3.22.2
FROM alpine:3.22.2 AS builder
# Build arguments
ARG BUILD_DATE
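
Review bot: The changed `FROM` line still pins the base image by tag only (`alpine:3.22.2`), which does not give the reproducible builds the commit message claims, because a tag can be re-pointed upstream. Pin it by digest as well, for example `FROM alpine:3.22.2@sha256:<digest> AS builder`, using the multi-arch index digest so that both the amd64 and arm64 builds named in the header comment resolve. Separately, confirm that a later stage actually consumes `builder` through `COPY --from=builder`; nothing in the visible lines does, and a stage name that is never referenced reads as a multi-stage build that is not there.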