rebase: apply audit bug fixes on latest main

Rebased fix/1.0-audit-bugs onto current main (post-merge of PRs #119, #127).

Changes:
- Custom domain types: docker.ImageID, docker.ContainerID, webhook.UnparsedURL
- Type-safe function signatures throughout docker/deploy/webhook packages
- Remove docker-compose.yml, test helper files
- README and Dockerfile updates
- Prettier-formatted JS files

README.md

@@ -176,8 +176,39 @@ docker run -d \
   upaas
 ```
 
-**Important**: When running µPaaS inside a container, set `UPAAS_HOST_DATA_DIR` to the host path
-that maps to `UPAAS_DATA_DIR`. This is required for Docker bind mounts during builds to work correctly.
+### Docker Compose
+
+```yaml
+services:
+  upaas:
+    build: .
+    restart: unless-stopped
+    ports:
+      - "8080:8080"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ${HOST_DATA_DIR}:/var/lib/upaas
+    environment:
+      - UPAAS_HOST_DATA_DIR=${HOST_DATA_DIR}
+      # Optional: uncomment to enable debug logging
+      # - DEBUG=true
+      # Optional: Sentry error reporting
+      # - SENTRY_DSN=https://...
+      # Optional: Prometheus metrics auth
+      # - METRICS_USERNAME=prometheus
+      # - METRICS_PASSWORD=secret
+```
+
+**Important**: Set `HOST_DATA_DIR` to an **absolute path** on the Docker host before running
+`docker compose up`. Relative paths will not work because docker-compose may not run on the same
+machine as µPaaS. This value is used both for the bind mount and passed to µPaaS as
+`UPAAS_HOST_DATA_DIR` so it can create correct bind mounts during builds.
+
+Example:
+```bash
+export HOST_DATA_DIR=/srv/upaas-data
+docker compose up -d
+```
 
 Session secrets are automatically generated on first startup and persisted to `$UPAAS_DATA_DIR/session.key`.