docs(devops): update all documentation for DockerSpec compliance

- Replace all docker-compose.yml/docker-compose.monitoring.yml references with
  compose.yaml/compose.monitoring.yaml (modern Compose Spec naming)
- Replace all `docker-compose` CLI commands with `docker compose` (plugin syntax)
- Update Dockerfile stage descriptions: node:18-alpine → node:20.11-bookworm-slim,
  built-in node user → explicit nodeapp:1001 non-root user
- Update image version references: postgres:14-alpine → postgres:14.12-alpine3.19,
  redis:7-alpine → redis:7.2-alpine3.19
- Externalize postgres credentials: hardcoded values → POSTGRES_USER/PASSWORD/DB env vars
- Externalize Grafana admin password: hardcoded 'agentidp' → GF_ADMIN_PASSWORD env var
- Add Docker Compose Variables section to environment-variables.md (POSTGRES_*, GF_ADMIN_PASSWORD)
- Update local-development.md Step 3: cp .env.example .env, document POSTGRES_* purpose
- Update quick-start.md: cp .env.example .env, use awk/sed for JWT key injection
- Update 07-dev-setup.md: remove 'no .env.example' claim, reference cp .env.example
- Update docker-compose.yml key file description in 04-codebase-structure.md
- Update monitoring overlay launch commands across all docs (compose.yaml + compose.monitoring.yaml)
- Update volume names to kebab-case: postgres_data → postgres-data, redis_data → redis-data
- Fix compliance encryption-runbook: docker-compose restart agentidp → docker compose restart app

All docs now consistent with compose.yaml in repo root.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

docs/devops/local-development.md

@@ -17,7 +17,7 @@ Verify versions:
 
 ```bash
 docker --version
-docker-compose --version
+docker compose version
 node --version
 npm --version
 ```
@@ -57,18 +57,29 @@ Keep these files in the project root. They are used only locally and should not
 
 ## Step 3 — Configure environment
 
-Create a `.env` file in the project root:
+Copy the template and fill in your values:
 
 ```bash
-cat > .env << 'ENVEOF'
+cp .env.example .env
+```
+
+The template already includes all required variables. At minimum, verify these are set correctly for local development:
+
+```
+POSTGRES_USER=sentryagent
+POSTGRES_PASSWORD=sentryagent
+POSTGRES_DB=sentryagent_idp
 DATABASE_URL=postgresql://sentryagent:sentryagent@localhost:5432/sentryagent_idp
 REDIS_URL=redis://localhost:6379
 PORT=3000
 NODE_ENV=development
 CORS_ORIGIN=*
-ENVEOF
 ```
 
+> **Note:** `POSTGRES_USER`, `POSTGRES_PASSWORD`, and `POSTGRES_DB` are used by `compose.yaml`
+> to configure the PostgreSQL container and construct `DATABASE_URL`. They are not read by
+> the application directly — only `DATABASE_URL` is.
+
 Append the JWT keys to `.env`:
 
 ```bash
@@ -86,10 +97,10 @@ grep -E "^(DATABASE_URL|REDIS_URL|JWT_PRIVATE_KEY|JWT_PUBLIC_KEY)" .env
 
 ## Step 4 — Start infrastructure services
 
-The `docker-compose.yml` defines three services: `postgres`, `redis`, and `app`. For local development, start only the infrastructure services — the application runs directly via Node.js.
+The `compose.yaml` defines three services: `postgres`, `redis`, and `app`. For local development, start only the infrastructure services — the application runs directly via Node.js.
 
 ```bash
-docker-compose up -d postgres redis
+docker compose up -d postgres redis
 ```
 
 Expected output:
@@ -100,7 +111,7 @@ Expected output:
  ✔ Container sentryagent-idp-redis-1     Healthy
 ```
 
-Both services must show `Healthy` before proceeding. If they show `Starting`, wait a few seconds and run `docker-compose ps` to recheck.
+Both services must show `Healthy` before proceeding. If they show `Starting`, wait a few seconds and run `docker compose ps` to recheck.
 
 ### Service ports
 
@@ -112,18 +123,18 @@ Both services must show `Healthy` before proceeding. If they show `Starting`, wa
 Verify manually:
 
 ```bash
-docker-compose exec postgres pg_isready -U sentryagent -d sentryagent_idp
-docker-compose exec redis redis-cli ping
+docker compose exec postgres pg_isready -U sentryagent -d sentryagent_idp
+docker compose exec redis redis-cli ping
 ```
 
 ### Docker volumes
 
-Data is persisted in named Docker volumes:
+Data is persisted in named Docker volumes (kebab-case per Compose Spec standard):
 
 | Volume | Service | Contents |
 |--------|---------|---------|
-| `sentryagent-idp_postgres_data` | PostgreSQL | All database data |
-| `sentryagent-idp_redis_data` | Redis | Redis persistence (if enabled) |
+| `sentryagent-idp_postgres-data` | PostgreSQL | All database data |
+| `sentryagent-idp_redis-data` | Redis | Redis persistence (if enabled) |
 
 ---
 
@@ -222,15 +233,13 @@ CORS_ORIGIN=http://localhost:3001
 > deployments — see the [field trial guide](field-trial.md). For day-to-day development, start
 > only the infrastructure services and run the application directly.
 
-When the Dockerfile is available, the entire stack (infrastructure + application) can be started with:
+The entire stack (infrastructure + application) can be started with:
 
 ```bash
-docker-compose up -d
+docker compose up --build -d
 ```
 
-The `app` service depends on `postgres` and `redis` with health check conditions, so it will not start until both services are healthy.
-
-Environment variables for the container are loaded from `.env` via the `env_file` directive in `docker-compose.yml`.
+The `app` service depends on `postgres` and `redis` with health check conditions, so it will not start until both services are healthy. Environment variables are loaded from `.env` via the `env_file` directive in `compose.yaml` (`required: false` — the file is optional if env vars are injected directly).
 
 ---
 
@@ -239,19 +248,19 @@ Environment variables for the container are loaded from `.env` via the `env_file
 Stop infrastructure only (preserves volumes):
 
 ```bash
-docker-compose stop postgres redis
+docker compose stop postgres redis
 ```
 
 Stop and remove containers (preserves volumes):
 
 ```bash
-docker-compose down
+docker compose down
 ```
 
 Stop and remove containers AND volumes (destroys all data):
 
 ```bash
-docker-compose down -v
+docker compose down -v
 ```
 
 > Use `-v` only when you want a clean slate. This deletes all PostgreSQL data and Redis data permanently.