docs(pgserver): Phase 7 — bootstrap example + CI gate documentation

Wraps the v1.0 PG-wire deliverable with the two pieces operators
actually look for: a runnable example PRG and an updated CI gate
list in CLAUDE.md.

* examples/pgserver_demo.prg — full bootstrap PRG demonstrating
  every HB_FUNC composed in the order a production deployment
  needs:
    PG_TLS_SELF_SIGNED → PG_ADD_ROLE × N → PG_ALLOW_IP × N →
    PG_SERVER_START( ":5432", "md5" )
  Comments cover the SHARED-DBF integration point and the SPAWN
  idiom for non-blocking server startup. Builds cleanly under
  the examples_build sweep (now 66/72; was 65/71).

* CLAUDE.md — the "어떤 파일이든 수정한 후" mandatory test list
  goes from 3 gates → 6:
    1. go test ./...
    2. FiveSql2 SQL:1999 43/43
    3. Harbour compat 56/56
    4. std.ch 17/17 (added)
    5. FRB 7/7 (added)
    6. pgserver integration 6/6 (added — psql required)
  Aligns the rule-of-thumb with reality. The five suites already
  ran on every audit-era commit; pgserver/run.sh is new in
  Phases 3-6 and now joins them.

This completes the v1.0 PostgreSQL-wire frontend. End-to-end
checklist:

  Phase 1: per-session state isolation         [93cf5c8]
  Phase 2: SimpleQuery wire MVP                [d98f5e1 7083297]
  Phase 3: DML + transactions                  [a556764]
  Phase 4: Extended Protocol (Parse/Bind/Exec) [8472928]
  Phase 5: password + MD5 auth                 [90eafcf]
  Phase 6: TLS + IP allowlist                  [3b2dd36]
  Phase 7: example + docs                      [this commit]

Open follow-ups (Phase 7.x):
  - hbrdd workarea per-thread isolation (audit Top-Risk #2):
    ≥3 concurrent connections doing in-flight INSERT/SELECT in
    their own transactions can race at the workarea layer. Fix
    is a separate workstream against hbrtl/database.go +
    hbrdd/dbf/. Documented limitation in tests/pgserver/run.sh.
  - SCRAM-SHA-256 auth (Phase 5.1).
  - pg_catalog shim for BI-tool introspection (Phase 1.1+ of the
    original audit plan).
  - Binary parameter format for NUMERIC/TIMESTAMP (Phase 4.1).

All gates green:
  go test ./...               ✓
  FiveSql2 SQL:1999 43/43     ✓
  Harbour compat 56/56        ✓
  std.ch 17/17                ✓
  FRB 7/7                     ✓
  examples 66/72              ✓ (+1 from new pgserver_demo)
  pgserver integration 6/6    ✓

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

examples/pgserver_demo.prg

@@ -0,0 +1,53 @@
+/*
+ * examples/pgserver_demo.prg — PostgreSQL-wire server example.
+ *
+ * Run this PRG to expose your Five workareas to any psql / pgx /
+ * JDBC / DBeaver / Tableau client over TCP. The server speaks
+ * PostgreSQL protocol v3 so existing PG drivers connect with no
+ * client-side changes.
+ *
+ *   ./five build examples/pgserver_demo.prg _FiveSql2/src/*.prg \
+ *      -o /tmp/pgserver
+ *   /tmp/pgserver
+ *
+ * Then from another terminal:
+ *   psql 'postgres://alice@127.0.0.1:5432/alice?sslmode=require' \
+ *        -c "SELECT 1 AS one, 'hello' AS greet"
+ *
+ * Stop with Ctrl-C.
+ */
+
+PROCEDURE Main()
+
+   /* TLS — auto-generate a self-signed cert for the demo.
+    * Production deployments load a CA-signed pair via
+    * PG_TLS_LOAD( "cert.pem", "key.pem" ). */
+   PG_TLS_SELF_SIGNED( "/tmp/pg_cert.pem", "/tmp/pg_key.pem", "localhost" )
+
+   /* Users — minimum one role to log in. Plaintext kept in
+    * memory; production should source these from a secured
+    * config file or vault. */
+   PG_ADD_ROLE( "alice", "swordfish" )
+   PG_ADD_ROLE( "bob",   "hunter2"   )
+
+   /* Source-IP allowlist (pg_hba.conf equivalent). Skip
+    * entirely to accept any source. */
+   PG_ALLOW_IP( "127.0.0.1/32" )
+   PG_ALLOW_IP( "::1/128" )
+
+   /* Open the tables you want to expose. The server runs queries
+    * against whatever workareas are open in the PRG process.
+    * Uncomment as needed:
+    *   USE customers SHARED NEW
+    *   USE orders    SHARED NEW
+    */
+
+   /* Start — blocks. SPAWN this if you want to keep doing work
+    * in the main thread:
+    *   SPAWN {|| PG_SERVER_START( ":5432", "md5" ) }
+    */
+   ? "FiveSql2 PG-wire server starting on :5432"
+   ? "Connect with: psql 'postgres://alice@127.0.0.1:5432/alice?sslmode=require'"
+   PG_SERVER_START( ":5432", "md5" )
+
+   RETURN