security(ocr): apply container hardening baseline to docker-compose.prod.yml

Mirror the CIS Docker §4.1/§4.6 hardening from docker-compose.yml to the
production/staging compose file, which is standalone (not an overlay).

- Fix cache volume mount path: ocr-cache:/root/.cache → /app/cache (matches
  the non-root user's HF_HOME/XDG_CACHE_HOME, avoids PermissionError)
- Add HF_HOME, XDG_CACHE_HOME, TORCH_HOME env vars so HuggingFace, ketos,
  and PyTorch all write to the declared writable volumes, not HOME
- Add read_only: true, tmpfs (/tmp:512m), cap_drop: [ALL],
  no-new-privileges:true — matching the dev baseline

Also extend DEPLOYMENT.md §8 upgrade notes to cover all three environments
(dev/production/staging), each with its correct project-namespaced volume name.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

docker-compose.prod.yml

@@ -142,8 +142,11 @@ services:
     memswap_limit: ${OCR_MEM_LIMIT:-12g}
     volumes:
       - ocr-models:/app/models
-      - ocr-cache:/root/.cache
+      - ocr-cache:/app/cache  # HuggingFace / ketos cache — prevents re-downloads on recreate (HF_HOME)
     environment:
+      HF_HOME: /app/cache
+      XDG_CACHE_HOME: /app/cache
+      TORCH_HOME: /app/models/torch
       KRAKEN_MODEL_PATH: /app/models/german_kurrent.mlmodel
       TRAINING_TOKEN: ${OCR_TRAINING_TOKEN}
       OCR_CONFIDENCE_THRESHOLD: "0.3"
@@ -161,6 +164,13 @@ services:
       timeout: 5s
       retries: 12
       start_period: 120s
+    read_only: true
+    tmpfs:
+      - /tmp:size=512m   # training endpoints write ZIPs to /tmp; 512 MB covers typical batches (20–50 images)
+    cap_drop:
+      - ALL
+    security_opt:
+      - no-new-privileges:true
 
   backend:
     image: familienarchiv/backend:${TAG:-nightly}