Add OpenSearch storage configuration support to the interactive setup wizard

[LantaoJin]

Description

Add OpenSearch storage configuration support to the interactive setup wizard

Related Issues

#2791

Changes Made

See #2791

Checklist

• Changes tested locally
• Code reviewed
• Documentation updated (if necessary)
• Unit tests added (if applicable)

Additional Notes

[Add any additional notes or context for the reviewer(s).]

[danielaskdd]

Fix multiple OpenSearch setup wizard defects:

• Add deployment marker # LIGHTRAG_SETUP_OPENSEARCH_DEPLOYMENT=docker to env.example, and use it persists the OpenSearch Docker between setup aligned with the other managed storage backends.
• Fix host env injection normalization malfunction in compose file. Loopback host entries such as localhost:9200 are rewritten to host.docker.internal:9200 when LightRAG itself runs in Compose, while Opensearch is not.
• OpenSearch-specific validation was added for OPENSEARCH_HOSTS, OPENSEARCH_USER, and OPENSEARCH_PASSWORD. The new logic rejects URL-style hosts, empty comma-separated entries, missing auth, and weak passwords, with clearer Docker-specific guidance.
• Interactive collection for OpenSearch is stricter and more predictable. Host input is validated at prompt time, password strength is enforced during secret entry, SSL and certificate verification are handled explicitly, and Docker mode keeps OPENSEARCH_VERIFY_CERTS=false while wiring the managed service to opensearch:9200..
• .env validation and security auditing are now scoped to the storage backends actually selected by LIGHTRAG_*_STORAGE. That prevents stale, unused backend settings from causing false validation failures or false security warnings, while still enforcing OpenSearch checks whenever OpenSearch is active.
• The bundled OpenSearch Compose template no longer publishes port 9200 to the host by default, reducing accidental exposure and reinforcing internal service-to-service access.