feat(components): GCP cookbook — compute-engine + registry-backed network

[Lexxick]

Summary

Adds the GCP compute cookbook to infra-components and replaces the network foundation with a
thin wrapper over verified Cloud Foundation Toolkit modules. Completes the AWS→GCP pivot for the
network + compute layers; the cookbook stays lean for infra-environments-dev to consume (env
passes project_id + CIDR and never sees the upstream modules' full input surface).

Changes

• network (replaces AWS vpc) — thin wrapper over terraform-google-modules/network/google
  (~> 18.0) + terraform-google-modules/cloud-router/google (~> 9.0). Custom-mode VPC + one
  regional subnet (Private Google Access), optional Cloud NAT (enable_cloud_nat), and an
  allow-IAP-SSH rule scoped via target_tags to an exported ssh_tag (multi-VM ready). Adds the
  google-beta provider. Same output contract as before, so downstream is unaffected.
• compute-engine — GCP VM (google_compute_instance), no external IP, OS Login + IAP access,
  bootstrap-agnostic startup_script, opts into the firewall via network_tags = [network.ssh_tag].
• Removed AWS app-alb, postgres-instance, and the dummy pipeline stub.
• CI validate matrix → [network, compute-engine, github]; docs (root README, CHANGELOG, component
  READMEs) updated to match.

Type

• feat (also: refactor, ci, chore)

How to Verify

1. terraform -chdir=network/terraform init -backend=false && terraform -chdir=network/terraform validate
2. Same for compute-engine/terraform.
3. CI (fmt -> init -> validate -> tflint) green for all three components.