fix(security): bind Caddy admin to local socket (GHSA-8jvv-gwqg-6vjc) (#41847)
## Summary
Security fix for
[GHSA-8jvv-gwqg-6vjc](https://github.com/appsmithorg/appsmith/security/advisories/GHSA-8jvv-gwqg-6vjc).
Caddy's admin endpoint now binds to a Unix socket instead of TCP;
Prometheus metrics keep their previous port for scrape-config
compatibility.
## What changed
`deploy/docker/fs/opt/appsmith/caddy-reconfigure.mjs` — admin moved to a
Unix socket, dedicated `:2019 { metrics }` block for Prometheus, no Helm
changes.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
## Summary by CodeRabbit
* **Chores**
  * Admin interface now binds to a local Unix socket instead of a network port, reducing external exposure.
  * Port 2019 is reserved exclusively for Prometheus metrics collection to isolate monitoring traffic.
  * HTTP protocol handling and trusted-proxy/rate-limiting settings in the admin configuration have been tightened for improved security and reliability.
Cypress test results:
> [!WARNING]
> Tests have not run on the HEAD c49fba77dcc51ba1ca98b2fb7f9adf81aa13b225 yet
> Tue, 26 May 2026 18:54:36 UTC
---------
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Wyatt Walter committed
b36830eef8536e99652da7f33b71d147c3e5bb6c
Parent: 7029273
Committed by GitHub <noreply@github.com>
on 5/26/2026, 7:54:22 PM
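The configuration shape this commit describes, written out as a Caddyfile for illustration. This is an added editor's example, not the project's own configuration: Appsmith generates its Caddyfile at runtime from `caddy-reconfigure.mjs`, and the exact text it emits is not shown on this page. The socket path `/run/caddy/admin.sock` and the "before" admin address are assumptions; the page only states that the admin endpoint moved from TCP to a Unix socket and that `:2019` now carries a dedicated `metrics` block.

```caddyfile
# BEFORE (assumed for illustration): the admin API listens on a TCP port.
# Caddy's admin API accepts POST /load to replace the entire running config,
# so any client that can reach this port can reconfigure the proxy. The same
# listener also answers GET /metrics, which is what Prometheus scraped.
#
# {
#     admin :2019
# }

# AFTER: the admin API answers only on a Unix socket. Who may reconfigure
# Caddy is now decided by filesystem permissions on the socket (and on its
# parent directory), not by network reachability inside the container.
{
    admin unix//run/caddy/admin.sock
}

# Dedicated metrics listener so existing scrape configs targeting
# host:2019/metrics keep working. Only the metrics handler is wired here;
# the admin API is not reachable on this port.
:2019 {
    metrics
}
```

Two checks confirm the split: `curl --unix-socket /run/caddy/admin.sock http://localhost/config/` returns the running JSON config, while `curl -s http://127.0.0.1:2019/config/` returns Prometheus text (the bare `metrics` directive matches every path) rather than configuration, showing the admin API is no longer on the TCP port. One operational caveat: the process that drives reconfiguration (in Appsmith's case the script above) must run as a user with write access to the socket, and `caddy reload` needs the same address, either taken from the `admin` option in the config it is given or passed explicitly with `--address unix//run/caddy/admin.sock`.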