
PRD-16: Docker Compose Production Hardening #12

@PancheI

Description


Create a production docker-compose overlay with Vault production mode, resource limits, network isolation, read-only filesystems, and capability dropping.

Acceptance Criteria

  • docker-compose.production.yml exists with all hardening applied
  • Vault runs in production mode (not dev mode) when using production overrides
  • Secrets not swapped to disk (mlock enabled)
  • Vault UI disabled in production
  • Vault audit logging enabled
  • Resource limits defined for every service
  • All services have restart: always (except vault-init)
  • Health checks defined for every service
  • Log rotation configured (no unbounded disk usage)
  • All services run as non-root (except Vault which requires root for mlock)
  • cap_drop: ALL + no-new-privileges:true on every service
  • Network isolation: backend network is internal: true
  • App cannot reach Vault or Redis directly
  • Read-only filesystem on all containers
  • Dangerous Redis commands disabled
  • Full signing flow works with all hardening enabled

Tasks

  • Create docker-compose.production.yml overlay file
  • Update docker/vault/config.hcl for production (TLS, mlock, audit)
  • Add tw-backend and tw-frontend networks
  • Add resource limits, health checks, log rotation to all services
  • Enable read_only + tmpfs, cap_drop: ALL, no-new-privileges
  • Disable dangerous Redis commands
  • Test: all services healthy, network isolation, read-only FS, resource limits, full signing flow
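The overlay below is an added example that applies the acceptance criteria above in one file; it is not the project's own docker-compose.production.yml. The network names (tw-frontend, tw-backend), the config.hcl path and the vault-init exception come from the issue; the service names app, signer, vault-init and redis, the health endpoints and ports, the uids, the init script and TLS paths, and the chosen resource figures are assumptions.

```yaml
# docker-compose.production.yml (added example overlay, not the project's file)
# Usage: docker compose -f docker-compose.yml -f docker-compose.production.yml up -d

x-hardening: &hardening          # merged into every service below
  restart: always
  read_only: true                # root FS immutable; writable paths are explicit tmpfs or volumes
  cap_drop: [ALL]
  security_opt:
    - no-new-privileges:true     # setuid/file-capability binaries cannot regain dropped privileges
  logging:
    driver: json-file
    options: { max-size: "10m", max-file: "3" }   # at most ~30 MB of logs per container
  deploy:
    resources:
      limits: { cpus: "0.50", memory: 256M }

x-probe: &probe { interval: 30s, timeout: 5s, retries: 3 }

networks:
  tw-frontend: {}
  tw-backend:
    internal: true               # no route out; only members of this network can reach Vault and Redis

services:
  app:                           # assumed name: the user-facing service
    <<: *hardening
    user: "1000:1000"
    tmpfs: [/tmp]
    networks: [tw-frontend]      # tw-backend deliberately absent: no path to Vault or Redis
    healthcheck: { <<: *probe, test: ["CMD", "wget", "-qO-", "http://127.0.0.1:8080/healthz"] }  # assumed endpoint

  signer:                        # assumed name: the only service on both networks; brokers signing requests
    <<: *hardening
    user: "1000:1000"
    tmpfs: [/tmp]
    networks: [tw-frontend, tw-backend]
    healthcheck: { <<: *probe, test: ["CMD", "wget", "-qO-", "http://127.0.0.1:8081/healthz"] }  # assumed endpoint

  vault:
    <<: *hardening
    entrypoint: ["vault"]        # skip the image entrypoint: it would setcap on a read-only FS and drop to a non-root user
    command: ["server", "-config=/vault/config/config.hcl"]   # no -dev flag: persistent storage, sealed on start
    cap_add: [IPC_LOCK]          # the one capability mlock needs; all others stay dropped
    volumes:
      - ./docker/vault/config.hcl:/vault/config/config.hcl:ro
      - ./docker/vault/tls:/vault/tls:ro                     # assumed location of the listener cert/key
      - vault-data:/vault/data
      - vault-logs:/vault/logs   # destination for the file audit device
    tmpfs: [/tmp]
    networks: [tw-backend]
    deploy:
      resources:
        limits: { cpus: "1.0", memory: 512M }
    # `vault status` exits 0 only when initialised and unsealed (2 while sealed), so the
    # container reports unhealthy until vault-init has run.
    healthcheck: { <<: *probe, test: ["CMD", "vault", "status", "-address=https://127.0.0.1:8200", "-tls-skip-verify"] }

  vault-init:                    # one-shot: operator init, unseal, enable the file audit device
    <<: *hardening
    restart: "no"                # the one permitted exception to restart: always
    user: "1000:1000"            # talks to Vault over the network only, so no root and no IPC_LOCK
    entrypoint: ["sh", "/vault/init.sh"]                     # assumed script; it touches /tmp/done when finished
    volumes:
      - ./docker/vault/init.sh:/vault/init.sh:ro
      - ./docker/vault/tls/ca.crt:/vault/tls/ca.crt:ro       # assumed path
    tmpfs: [/tmp]
    environment:
      VAULT_ADDR: https://vault:8200
      VAULT_CACERT: /vault/tls/ca.crt
    networks: [tw-backend]
    depends_on:
      vault: { condition: service_started }                  # not service_healthy: Vault is unhealthy until unsealed
    healthcheck: { <<: *probe, test: ["CMD", "test", "-f", "/tmp/done"] }

  redis:
    <<: *hardening
    user: "999:999"              # uid of the redis user in the official image
    # rename-command to "" removes the command outright (still honoured by Redis 7, though ACLs are the newer route)
    command: >
      redis-server --appendonly yes
      --rename-command FLUSHALL "" --rename-command FLUSHDB ""
      --rename-command CONFIG ""  --rename-command DEBUG ""
      --rename-command SHUTDOWN "" --rename-command KEYS ""
    volumes:
      - redis-data:/data
    tmpfs: [/tmp]
    networks: [tw-backend]
    healthcheck: { <<: *probe, test: ["CMD", "redis-cli", "ping"] }

volumes:
  vault-data: {}
  vault-logs: {}
  redis-data: {}
```

The "app cannot reach Vault or Redis" criterion falls out of network membership rather than firewall rules: Compose's embedded DNS only resolves a service name for containers that share a network with it, so `docker compose exec app getent hosts vault` should fail, while the same command in the signer container resolves. Two details are easy to miss when testing the full signing flow: Vault's healthcheck stays red until vault-init has unsealed it, which is why vault-init waits on `service_started` rather than `service_healthy`, and `read_only: true` breaks the Vault image's entrypoint (it runs setcap on the binary), which the explicit `entrypoint: ["vault"]` sidesteps at the cost of leaving the process as root, as the issue already allows for mlock.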

Metadata



Labels

  • P0: Production blocker priority
  • phase-1: Production blockers
  • prd: Product requirement document
  • security: Security hardening
