
Infra config asserts: prod port exposure, nginx security headers/HSTS, weak .env.example secrets + startup refusal #502

Description

@aaronsb

ADR-401 item 6 · Audit: docs/security/security-consistency-audit-2026-06-09.md (F5)

Verified findings:

  • docker/docker-compose.yml:38,92-93 publishes Postgres 5432 and Garage 3900/3903 to the host (dev); the Garage admin API has no auth. Prod compose publishes nothing — correct, but the invariant is unguarded.
  • docker/nginx.prod.conf:30 — HSTS commented out. Neither nginx.prod.conf nor web/nginx.conf sets X-Frame-Options, X-Content-Type-Options, or CSP.
  • .env.example:84,100,205 has POSTGRES_PASSWORD=password plus two CHANGE_THIS_TO_A_RANDOM_SECRET_KEY placeholders. Nothing refuses to boot on placeholder secrets.

Acceptance criteria

  • Uncomment HSTS; add X-Frame-Options, X-Content-Type-Options, and a CSP to prod nginx (dev nginx: headers minus HSTS)
  • CI assert script fails if: prod compose publishes 5432/3900/3903; HSTS/security headers absent or commented in nginx.prod.conf; .env.example contains a real-looking secret value
  • API startup refuses to run outside DEVELOPMENT_MODE when POSTGRES_PASSWORD == "password" or any secret matches CHANGE_THIS
  • Dev/prod port-exposure delta documented (one paragraph in the operator way or ops docs)
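One way to implement the CI assert script and the startup gate from the criteria above, as an added example and not the project's own operator code. It assumes a flat directory holding docker-compose.yml, nginx.prod.conf and .env.example (the real repo keeps them under docker/ and web/), a key-name heuristic for what counts as a secret in .env.example, and constructed fixture files that mirror the findings so the checks can be exercised offline:

```shell
#!/usr/bin/env bash
# Added example (not the project's own CI script): assertions for the invariants listed
# in this issue. File names, header list and the fixture contents are assumptions.
set -u

# Fail if a compose file publishes any of the given host ports. Matches the short form
# ("5432:5432", "127.0.0.1:5432:5432") and the long form ("published: 5432"); commented
# lines and plain "expose:" entries do not count because they do not reach the host.
assert_no_published_ports() {
  local compose="$1"; shift
  local port rc=0
  for port in "$@"; do
    if grep -Eq -- "^[[:space:]]*-[[:space:]]*[\"']?([0-9.]+:)?${port}:[0-9]+" "$compose" ||
       grep -Eq -- "^[[:space:]]*published:[[:space:]]*[\"']?${port}([^0-9]|$)" "$compose"; then
      echo "FAIL: $compose publishes host port $port" >&2; rc=1
    fi
  done
  return $rc
}

# Fail unless the nginx config has an *uncommented* add_header for every named header.
assert_nginx_headers() {
  local conf="$1"; shift
  local hdr rc=0
  for hdr in "$@"; do
    if ! grep -Eiq -- "^[[:space:]]*add_header[[:space:]]+${hdr}[[:space:]]" "$conf"; then
      echo "FAIL: $conf has no active add_header for $hdr" >&2; rc=1
    fi
  done
  return $rc
}

# Fail if .env.example assigns a concrete value to a secret-looking key. Only an empty
# value or the CHANGE_THIS placeholder convention is accepted, so "password" fails too.
assert_env_example_placeholders() {
  local env="$1" line key val rc=0
  while IFS= read -r line; do
    case "$line" in ''|'#'*) continue ;; esac
    key=${line%%=*}; val=${line#*=}
    case "$key" in *PASSWORD*|*SECRET*|*TOKEN*|*API_KEY*) ;; *) continue ;; esac
    case "$val" in ''|CHANGE_THIS*|'"CHANGE_THIS'*|"'CHANGE_THIS"*) continue ;; esac
    echo "FAIL: $env gives $key a concrete value" >&2; rc=1
  done < "$env"
  return $rc
}

# Startup gate for the API entrypoint: outside DEVELOPMENT_MODE, refuse when any named
# secret is unset, the literal "password", or still a CHANGE_THIS placeholder.
startup_secrets_ok() {
  [ "${DEVELOPMENT_MODE:-}" = "1" ] && return 0
  local name val rc=0
  for name in "$@"; do
    eval "val=\${$name:-}"   # indirect lookup; the names come from this script, not from input
    case "$val" in
      ''|password|CHANGE_THIS*)
        echo "REFUSE: $name is unset or a placeholder; set it or start with DEVELOPMENT_MODE=1" >&2
        rc=1 ;;
    esac
  done
  return $rc
}

# Run every assertion against one directory (assumed flat layout for the example).
run_checks() {
  local root="$1" rc=0
  assert_no_published_ports "$root/docker-compose.yml" 5432 3900 3903 || rc=1
  assert_nginx_headers "$root/nginx.prod.conf" Strict-Transport-Security X-Frame-Options \
    X-Content-Type-Options Content-Security-Policy || rc=1
  assert_env_example_placeholders "$root/.env.example" || rc=1
  return $rc
}

# Constructed fixtures (not the project's real files): "bad" mirrors the findings in this
# issue, "good" is what the acceptance criteria require.
write_fixtures() {
  local d="$1"; mkdir -p "$d/bad" "$d/good"
  printf 'services:\n  db:\n    ports:\n      - "5432:5432"\n  garage:\n    ports:\n      - 3900:3900\n      - 127.0.0.1:3903:3903\n' > "$d/bad/docker-compose.yml"
  printf 'services:\n  db:\n    expose:\n      - "5432"\n  garage:\n    # - "3900:3900"\n' > "$d/good/docker-compose.yml"
  printf 'server {\n  # add_header Strict-Transport-Security "max-age=63072000" always;\n  add_header X-Frame-Options DENY;\n}\n' > "$d/bad/nginx.prod.conf"
  printf 'server {\n  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;\n  add_header X-Frame-Options DENY always;\n  add_header X-Content-Type-Options nosniff always;\n  add_header Content-Security-Policy "default-src '\''self'\''; frame-ancestors '\''none'\''" always;\n}\n' > "$d/good/nginx.prod.conf"
  printf 'POSTGRES_PASSWORD=password\nSECRET_KEY=CHANGE_THIS_TO_A_RANDOM_SECRET_KEY\n' > "$d/bad/.env.example"
  printf 'POSTGRES_PASSWORD=\nSECRET_KEY=CHANGE_THIS_TO_A_RANDOM_SECRET_KEY\nAPP_PORT=8080\n' > "$d/good/.env.example"
}

# Usage: ./ci-assert.sh check <dir>   (exits non-zero on any failed invariant)
#        ./ci-assert.sh demo          (writes the fixtures to a temp dir and checks both)
case "${1:-}" in
  check) run_checks "${2:-.}"; exit $? ;;
  demo)  t=$(mktemp -d); write_fixtures "$t"
         run_checks "$t/bad" && exit 1   # the bad set must fail
         run_checks "$t/good"; exit $? ;;
esac
```

Two caveats the grep cannot see: nginx `add_header` directives in a `location` block replace, rather than extend, the ones inherited from `server`, so a directive present at server level proves nothing about a location that sets its own headers; and without the `always` parameter the headers are omitted from 4xx/5xx responses. The .env.example rule also only inspects keys named like secrets, so a connection string such as a DATABASE_URL with an embedded password needs a separate rule.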

Metadata

Labels

  • enforcement-baseline: Deterministic security enforcement cluster (consistency audit 2026-06-09, ADR-401)
  • operator: Operator scripts, init flow, config (operator.sh, operator/lib/*)
  • security: Security-related changes
