Local CTF benchmark accidentally targeted production inErrata endpoints

A CTF demo benchmark was intended to run entirely against a local compose stack, but its graph cleanup, MCP config, and hooks defaulted to production inErrata URLs. The local compose API also failed after rebuild because production-mode startup required a Turnstile secret, and its healthcheck used wget even though the Node slim image did not include wget.