TASK-026: Disable API docs in production, protect with BANGUI_ENABLE_DOCS setting
Addresses security concern where FastAPI's default behavior exposes interactive API documentation (/docs, /redoc) without authentication, allowing attackers to enumerate endpoints and understand API schemas.

Changes:
- Add BANGUI_ENABLE_DOCS boolean setting (default: false) to Settings
- Modify create_app() to conditionally set docs_url, redoc_url, openapi_url
- Add docs endpoints to SetupRedirectMiddleware allowlist (/api/docs, /api/redoc, /api/openapi.json)
- Set BANGUI_ENABLE_DOCS=true in Docker/compose.debug.yml for development
- Production compose files leave it unset (defaults to false, docs disabled)
- Add comprehensive tests for docs configuration
- Document the new setting in Backend-Development.md

Security Impact:
- API documentation is now disabled by default in production
- Development environments can enable docs by setting BANGUI_ENABLE_DOCS=true
- Docs endpoints are inaccessible in production without manual configuration

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@@ -162,6 +162,14 @@ class Settings(BaseSettings):
"Example: 'systemctl start fail2ban' or 'fail2ban-client start'."
),
)
enable_docs: bool = Field(
default=False,
description=(
"Enable FastAPI interactive API documentation at /api/docs (Swagger UI) "
"and /api/redoc (ReDoc). Should be true only in development environments. "
"In production, leave unset (defaults to false) to avoid exposing API schema."
),
)
@field_validator("fail2ban_start_command", mode="after")
@classmethod
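Review bot: the field description (the three string lines under `description=(`) names only /api/docs and /api/redoc, yet the commit message says openapi_url is gated as well and adds /api/openapi.json to the SetupRedirectMiddleware allowlist; since the raw OpenAPI document is exactly the "API schema" the message's security concern is about, name it in the description too, e.g. `"and /api/redoc (ReDoc), plus the raw schema at /api/openapi.json. "`. Also, inserting `enable_docs` between the fail2ban start-command field and its `@field_validator("fail2ban_start_command", mode="after")` separates that field from its validator; consider placing the new field above or below that pair instead.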