fix(federation): add restart policies + M2-04 OID assertion criterion

Address review feedback on PR #490:
- Add `restart: unless-stopped` to postgres-federated, valkey-federated,
  step-ca services so they auto-recover after host reboot / docker restart.
- Update FED-M2-04 acceptance: must wire federation.tpl template into
  mosaic-fed provisioner config AND include unit/integration test asserting
  issued certs contain BOTH custom OIDs (grantId + subjectUserId). Carry-
  forward guard from M2-02 review against silent OID stripping.

docker-compose.federated.yml

@@ -27,6 +27,7 @@ services:
   postgres-federated:
     image: pgvector/pgvector:pg17
     profiles: [federated]
+    restart: unless-stopped
     ports:
       - '${PG_FEDERATED_HOST_PORT:-5433}:5432'
     environment:
@@ -45,6 +46,7 @@ services:
   valkey-federated:
     image: valkey/valkey:8-alpine
     profiles: [federated]
+    restart: unless-stopped
     ports:
       - '${VALKEY_FEDERATED_HOST_PORT:-6380}:6379'
     volumes:
@@ -79,6 +81,7 @@ services:
   step-ca:
     image: smallstep/step-ca:0.27.4
     profiles: [federated]
+    restart: unless-stopped
     ports:
       - '${STEP_CA_HOST_PORT:-9000}:9000'
     volumes: