Add infra/openzaak/docker-compose.yml — a lean adaptation of the upstream
open-zaak dev stack: PostGIS db, redis, a one-shot init that runs database
migrations, the OpenZaak API, and a celery worker. (Dropped nginx, beat,
flower, OTEL for leanness.) Images fully qualified (docker.io/...) for
rootless Podman.
Verified locally: stack comes up; migrations run; GET /admin/ -> 302,
GET /zaken/api/v1/ -> 200, and an unauthenticated GET /zaken/api/v1/zaken
-> 403 PermissionDenied (a proper ZGW fout) — i.e. auth is enforced.
Note: the S-01 acceptance says "401", but OpenZaak's ZGW APIs return 403
for missing/invalid JWT. Auth-enforced intent is met; the issue text
should be corrected to 403. Remaining S-01 work: BIG catalogus + zaaktype
seed + JWT client (then list zaaktypen), and Open Notificaties — so this
refs (not closes) #10.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>