[codex] harden Docker sensing-server auth defaults

[essentiaMarco]

Summary

This PR hardens the Docker sensing-server defaults so the container no longer starts a network-bound unauthenticated sensing surface by accident.

Changes:

• Adds an entrypoint guard that refuses to start sensing-server on 0.0.0.0, ::, or [::] unless RUVIEW_API_TOKEN is non-empty.
• Preserves the existing trusted-LAN behavior behind an explicit RUVIEW_ALLOW_UNAUTH_LAN=1 opt-in.
• Keeps loopback binds allowed without a token.
• Updates Dockerfile/Compose comments to document the new secure default.
• Updates entrypoint regression tests and Docker publish smoke tests for the new behavior.

This addresses the Docker secure-default portion of #864. It intentionally does not redesign /ws/sensing auth in this PR; that needs a separate browser-compatible WebSocket auth decision.

Why

#443/#547 added opt-in bearer auth while preserving LAN-mode defaults. The remaining Docker-specific risk is that the image entrypoint starts sensing-server on 0.0.0.0 and Compose publishes ports while RUVIEW_API_TOKEN is empty by default. That makes sensing/pose REST data and the sensing WebSocket reachable to any client that can reach the Docker host.

Failing closed for Docker keeps the maintainer-approved LAN mode available, but makes it an intentional deployment choice instead of an accidental default.

Validation

bash tests/test_docker_entrypoint.sh
# 24 passed, 0 failed

sh -n docker/docker-entrypoint.sh
bash -n tests/test_docker_entrypoint.sh
git diff --check
docker compose -f docker/docker-compose.yml config
docker build -f docker/Dockerfile.rust -t ruview-secure-defaults-poc:local .

Runtime checks on the built image:

default start without token/opt-in -> exit 64 with RUVIEW_API_TOKEN guidance
token mode -> /health 200, /api/v1/info no bearer 401, wrong bearer 401, correct bearer 200
RUVIEW_ALLOW_UNAUTH_LAN=1 -> /api/v1/info no bearer 200

docker compose config reports the existing Compose version deprecation warning; no new config error was introduced.