Make release compose topology immutable and verifiable

README.md

@@ -69,7 +69,7 @@ cp .env.example .env
 2. Build and run services:
 
 ```bash
-docker compose up --build
+docker compose -f docker-compose.yml -f docker-compose.dev.yml --profile dev up --build
 ```
 
 This starts the development-oriented topology (source bind mounts enabled).
@@ -96,13 +96,22 @@ docker compose exec web python manage.py createsuperuser
 
 ## Development vs Release Compose
 
-Development startup (mutable source, HTMX/Tailwind workflow):
+Base compose (`docker-compose.yml`) is release-oriented and immutable for runtime services.
+Development mutability is enabled via `docker-compose.dev.yml`.
+
+Development startup (mutable source bind mounts for `web`/`celery_*`):
 
 ```bash
-docker compose up --build
+docker compose -f docker-compose.yml -f docker-compose.dev.yml up --build
 ```
 
-Release-style startup (immutable runtime containers, no source bind mount in web/celery runtime):
+Development startup with Tailwind watch:
+
+```bash
+docker compose -f docker-compose.yml -f docker-compose.dev.yml --profile dev up --build
+```
+
+Release-style startup (immutable runtime services):
 
 ```bash
 docker compose -f docker-compose.yml -f docker-compose.release.yml up -d --build
@@ -116,11 +125,33 @@ docker compose -f docker-compose.yml -f docker-compose.release.yml down
 
 Notes:
 
-- In release-style mode, `web`, `celery_worker`, and `celery_beat` run from the built image filesystem.
-- `tailwind` is marked as `dev` profile in release override and is not started unless `--profile dev` is used.
+- In release-style mode, `web`, `celery_worker`, and `celery_beat` run from built image filesystem with no repository source bind mount.
+- In development mode (with `docker-compose.dev.yml`), `web`, `celery_worker`, and `celery_beat` are mutable and bind-mount `.:/app`.
+- `tailwind` is a dev-profile service and is not required for release runtime.
 - `nginx`, `postgres`, and `redis` service naming remains unchanged.
 - Release-style `web`, `celery_worker`, and `celery_beat` explicitly run as container user `10001:10001`.
 
+## Release Topology Verification
+
+Inspect merged release config:
+
+```bash
+docker compose -f docker-compose.yml -f docker-compose.release.yml config
+```
+
+What to verify:
+
+- `services.web.volumes` does not include a bind mount from repository path to `/app`
+- `services.celery_worker.volumes` does not include a bind mount from repository path to `/app`
+- `services.celery_beat.volumes` does not include a bind mount from repository path to `/app`
+- persistent named volumes still exist for `postgres_data`, `static_data`, `media_data`, `runtime_data`, and `redis_data`
+
+Automated local/CI-friendly check:
+
+```bash
+./scripts/verify_release_topology.sh
+```
+
 ## Setup and Run Notes
 
 - `web` service starts through `entrypoint.sh` and waits for PostgreSQL readiness.
@@ -150,7 +181,7 @@ Notes:
 - `media_data`: user/provider media artifacts
 - `runtime_data`: app runtime files (e.g., celery beat schedule)
 - `redis_data`: Redis persistence (`/data` for RDB/AOF files)
-- `node_modules_data`: Node modules cache for Tailwind builds in containers
+- `node_modules_data`: Node modules cache for Tailwind builds in development override
 
 This keeps persistent state outside container lifecycles.
 
@@ -207,7 +238,7 @@ sudo chown -R "$(id -u):$(id -g)" static
 Run Tailwind in watch mode during development:
 
 ```bash
-docker compose up tailwind
+docker compose -f docker-compose.yml -f docker-compose.dev.yml --profile dev up tailwind
 ```
 
 Source CSS lives in `static/src/tailwind.css` and compiles to `static/css/main.css`.