Add Komodo bootstrap dry-run scaffold (F-09 rest)

Mirror of the Immich restore-test pattern for the Komodo bootstrap
anchor. Brings up a throwaway komodo-mongo + komodo-core +
komodo-periphery under project restoretest-komodo, isolated from
production:

- same image digests as production (mongo:7.0.32, komodo-core:2,
  komodo-periphery:2) to prove compose-level bootstrap compatibility
- restore-lab paths under /mnt/user/backups/restore-lab/komodo
- 127.0.0.1:19120 only, no LAN bind, no Traefik, no Authelia
- test periphery runs WITHOUT docker.sock mount and WITHOUT
  /mnt/user/services mount; cannot manage productive containers
- KOMODO_* secrets are throwaway placeholders hardcoded in the test
  compose; productive secrets never enter this path

Smoke test: compose config valid, mongo healthy, mongo auth-ping
with test creds, komodo-core HTTP 200/302/303/401, periphery
container running. Report under restore-reports/komodo-bootstrap-*.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

ops/restore-tests/komodo-bootstrap-compose.test.yml

@@ -0,0 +1,77 @@
+services:
+  # Wegwerf-Mongo fuer Komodo-Bootstrap-Trockenlauf.
+  # Schreibt in den Restore-Lab-Pfad, NICHT in das produktive
+  # /mnt/user/appdata/komodo/mongo-Volume.
+  restoretest-komodo-mongo:
+    image: mongo:7.0.32@sha256:32979a1189dfdc44da3f5ed40d910495f5ad8f6f7f77556646f890a30b2d3f56
+    container_name: restoretest-komodo-mongo
+    restart: "no"
+    command: --quiet
+    environment:
+      MONGO_INITDB_ROOT_USERNAME: komodo
+      MONGO_INITDB_ROOT_PASSWORD: restoretest-komodo-mongo-pwd
+    volumes:
+      - /mnt/user/backups/restore-lab/komodo/mongo:/data/db
+    healthcheck:
+      test: ["CMD", "mongosh", "--quiet", "--eval", "db.adminCommand('ping').ok"]
+      interval: 10s
+      timeout: 5s
+      retries: 10
+      start_period: 30s
+    security_opt:
+      - no-new-privileges:true
+
+  restoretest-komodo-core:
+    # Selbes Image wie Produktion, damit Compose-Diff Bootstrap-Kompatibilitaet
+    # nachweist.
+    image: ghcr.io/moghtech/komodo-core:2@sha256:8a7dbba232e4e49797bb412be5f78207c89fcf22cc2727b38631ae30f7518a4c
+    container_name: restoretest-komodo-core
+    init: true
+    restart: "no"
+    depends_on:
+      restoretest-komodo-mongo:
+        condition: service_healthy
+    volumes:
+      - /mnt/user/backups/restore-lab/komodo/core:/repo-cache
+      - /mnt/user/backups/restore-lab/komodo/keys:/config/keys
+    environment:
+      TZ: Europe/Berlin
+      KOMODO_HOST: http://127.0.0.1:19120
+      KOMODO_TITLE: Restore-Test
+      # Wegwerf-Secrets, ausschliesslich fuer den lokalen Trockenlauf.
+      # Niemals produktive Komodo-Secrets in dieses Compose schreiben.
+      KOMODO_SECRET_KEY: restoretest-secret-key-placeholder-32
+      KOMODO_WEBHOOK_SECRET: restoretest-webhook-secret
+      KOMODO_PASSKEY: restoretest-periphery-passkey
+      KOMODO_DATABASE_ADDRESS: restoretest-komodo-mongo:27017
+      KOMODO_DATABASE_USERNAME: komodo
+      KOMODO_DATABASE_PASSWORD: restoretest-komodo-mongo-pwd
+      KOMODO_LOG_LEVEL: info
+      KOMODO_LOCAL_AUTH: "true"
+      KOMODO_JWT_SECRET: restoretest-jwt-secret-placeholder
+      KOMODO_DISABLE_WEBSOCKETS: "true"
+    ports:
+      - "127.0.0.1:19120:9120"
+    security_opt:
+      - no-new-privileges:true
+
+  restoretest-komodo-periphery:
+    image: ghcr.io/moghtech/komodo-periphery:2@sha256:8ac9f2ef9c1461b95c862d445da00253005e7094d1e30f5b7b04b8d60ca7a3d6
+    container_name: restoretest-komodo-periphery
+    init: true
+    restart: "no"
+    depends_on:
+      restoretest-komodo-core:
+        condition: service_started
+    volumes:
+      - /mnt/user/backups/restore-lab/komodo/keys:/config/keys
+      # bewusst KEIN docker.sock-Mount: dieser Test-Periphery darf nicht
+      # versehentlich produktive Container managen.
+      - /mnt/user/backups/restore-lab/komodo/periphery:/etc/komodo
+    environment:
+      PERIPHERY_ROOT_DIRECTORY: /tmp/restoretest-periphery
+      PERIPHERY_PASSKEYS: restoretest-periphery-passkey
+      PERIPHERY_SSL_ENABLED: "false"
+      TZ: Europe/Berlin
+    security_opt:
+      - no-new-privileges:true