Isolate backend and db from host: two Docker networks

- backend-net (internal: true): db ↔ backend ↔ frontend reverse proxy
- frontend-net: frontend only; single host port binding (80 prod / 5173 dev)
- Remove ports: from db (5432) and backend (8000) — unreachable from host
- Security auditor: hard rule to never add host ports to db or backend

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
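The commit message above makes "db and backend never get host ports" a hard rule for the security auditor; a rule like that is only as good as the check that enforces it. The script below is an added example, not code from this repository: a small compose-file guard that fails when `db` or `backend` carry a `ports:` key or when `backend-net` is not declared `internal: true`. It reads the file with a minimal indentation-based reader (no PyYAML dependency), which is enough for the block layout shown here but is not a general YAML parser; the `BEFORE`/`AFTER` compose snippets are constructed samples of the flat layout and the two-network layout, not the project's actual files.

```python
"""Guard for the compose hard rule: only the frontend may publish host ports;
`db` and `backend` must never carry `ports:`, and `backend-net` must be
`internal: true`. Added example, not the project's own code."""

from __future__ import annotations

import re

FORBIDDEN_SERVICES = {"db", "backend"}

# Constructed sample: the flat single-network layout before the change.
BEFORE = """\
services:
  db:
    image: postgres:16
    ports:
      - "5432:5432"
  backend:
    image: example/backend
    ports:
      - "8000:8000"
  frontend:
    image: example/frontend
    ports:
      - "80:80"
"""

# Constructed sample: the two-network layout this commit describes.
AFTER = """\
services:
  db:
    image: postgres:16
    networks: [backend-net]
  backend:
    image: example/backend
    networks: [backend-net]
  frontend:
    image: example/frontend
    ports:
      - "80:80"
    networks: [backend-net, frontend-net]
networks:
  backend-net:
    internal: true
  frontend-net: {}
"""


def _top_level_block(text: str, key: str) -> dict[str, list[str]]:
    """Return {child_name: [body lines]} for the 2-space children of a
    top-level key (e.g. each service under `services:`). Handles only the
    block layout used above: keys at column 0, children at column 2."""
    blocks: dict[str, list[str]] = {}
    in_section = False
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        if indent == 0:
            top = re.match(r"([^\s:]+):\s*$", line)
            in_section = bool(top) and top.group(1) == key
            current = None
            continue
        if not in_section:
            continue
        if indent == 2:
            m = re.match(r"\s*([^\s:]+):", line)
            if m:
                current = m.group(1)
                blocks[current] = []  # inline maps like `name: {}` have no body
            continue
        if current is not None:
            blocks[current].append(line)
    return blocks


def host_port_violations(compose_text: str) -> list[str]:
    """Forbidden services that publish host ports via a `ports:` key."""
    services = _top_level_block(compose_text, "services")
    return [
        name
        for name in sorted(FORBIDDEN_SERVICES & set(services))
        if any(re.match(r"\s{4}ports:", l) for l in services[name])
    ]


def backend_net_is_internal(compose_text: str, net: str = "backend-net") -> bool:
    """True iff the named network is declared with `internal: true`."""
    body = _top_level_block(compose_text, "networks").get(net, [])
    return any(re.match(r"\s{4}internal:\s*true\b", l) for l in body)


def audit(compose_text: str) -> list[str]:
    """Findings as readable strings; an empty list means the rule holds."""
    findings = [f"{s}: publishes host ports (remove `ports:`)" for s in host_port_violations(compose_text)]
    if not backend_net_is_internal(compose_text):
        findings.append("backend-net: missing `internal: true` (containers would get a gateway)")
    return findings


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(text) or "OK")
```

Run it against every compose file in the repository (base and `docker-compose.dev.yml` alike) as a pre-commit or CI step; a non-empty `audit()` result is the signal to fail the build, which turns the auditor's hard rule into something the pipeline checks rather than a note a reviewer has to remember.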
curo1305
2026-04-14 00:06:38 +02:00
parent 03fcc6e117
commit d423bea134
5 changed files with 53 additions and 15 deletions
@@ -0,0 +1,20 @@
# 2026-04-14 — Docker network isolation: backend and db ports removed from host
**Timestamp:** 2026-04-14T00:00:00
## Summary
Replaced flat single-network Docker setup with two explicit networks. Only the frontend exposes a host port. The database and backend are unreachable from outside the Docker network.
## Network architecture
- `backend-net` (`internal: true`) — db, backend, and frontend reverse proxy; no gateway, no host routing
- `frontend-net` — frontend only; binds port 80 (prod) or 5173 (dev) to the host
## Files Modified
- `docker-compose.yml` — removed `ports:` from `db` and `backend`; added `networks:` to all services; defined `backend-net` (internal) and `frontend-net`
- `docker-compose.dev.yml` — no network changes needed (inherits from base); kept `5173:5173` on frontend
- `.claude/agents/security-auditor.md` — added hard rule: only frontend exposes host ports; db and backend must never have `ports:` in any compose file
- `TODO.md` — marked Docker port hardening as done
- `README.md` — updated Containers table with network column; updated Installation section; removed stale SECRET_KEY env var; noted backend API docs are not directly accessible from host
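Review bot: the "Network architecture" section of this changelog should say that `internal: true` on `backend-net` removes outbound connectivity for every container attached only to it, not just inbound access from the host; with `db` and `backend` on that network alone, neither can reach anything outside the compose project (package mirrors, external APIs, mail relays), so either confirm the backend needs no egress or document how egress is provided. Separately, the `docker-compose.dev.yml` entry keeps `5173:5173` on the frontend, which publishes on all host interfaces by default; for a dev-only port, `127.0.0.1:5173:5173` would keep the isolation intent on a shared network, and the hard rule in `security-auditor.md` could require a loopback bind for dev ports as well.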