## Summary
- Prefer a writable named Docker volume for the container home data path.
- Document the non-root UID/GID ownership requirement for host bind mounts.
- Update README and Docker docs examples to avoid permission-denied first runs.
## Test plan
- git diff --check
- GitHub CI green: version drift, lint, ubuntu, macOS, Windows, npm wrapper smoke, GitGuardian
* fix(docker): remove misleading ENV, add explicit UID/GID, add .dockerignore
- Removed `ENV DEEPSEEK_API_KEY=""` and `ENV DEEPSEEK_NO_COLOR=""`:
API keys should never be baked into image layers, even as empty strings.
Added comments documenting runtime secret passing patterns.
- Added explicit UID/GID (1000:1000) for the `deepseek` user:
Makes filesystem ownership unambiguous when mounting volumes and
avoids the default auto-assigned UID shifting between hosts.
- Added `.dockerignore`:
Prevents accidental inclusion of .env files, local runtime state,
documentation, dev configs, and build artifacts into the build
context, keeping the image smaller and avoiding secret leaks.
* fix(docker): keep nested build inputs in context
---------
Co-authored-by: Hunter Bown <hmbown@gmail.com>
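Added example, not code from this PR or the project: a small POSIX shell pre-flight script that checks for the two first-run problems the commits above address, credential-like `ENV` lines baked into a Dockerfile and a host bind mount whose owner does not match the container's non-root user. It takes the 1000:1000 UID/GID from the PR; the home path `/home/deepseek` and the volume name `deepseek-home` are assumptions chosen here, not values from the PR, and can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not part of the PR or the project. Assumed: the image's
# non-root user is 1000:1000 (stated in the PR); HOME_PATH and VOLUME_NAME
# below are placeholders, not paths or names taken from the project.

CONTAINER_USER="${CONTAINER_USER:-1000:1000}"
HOME_PATH="${HOME_PATH:-/home/deepseek}"     # assumption, not from the PR
VOLUME_NAME="${VOLUME_NAME:-deepseek-home}"  # assumption, not from the PR

# 1. Secrets must not be baked into image layers, not even as empty
#    strings: ENV values persist in the image config and in every image
#    derived from it. Fail on any ENV whose key looks like a credential.
lint_dockerfile_env() {
    _df="$1"
    _hits=$(grep -niE \
        '^[[:space:]]*ENV[[:space:]]+[A-Za-z0-9_]*(API_KEY|SECRET|TOKEN|PASSWORD)[A-Za-z0-9_]*(=|[[:space:]])' \
        "$_df") || true
    if [ -n "$_hits" ]; then
        printf 'credential-like ENV in %s (pass it at runtime with -e or --env-file instead):\n%s\n' \
            "$_df" "$_hits" >&2
        return 1
    fi
    return 0
}

# Numeric uid:gid owning a path; GNU stat uses -c, BSD/macOS stat uses -f.
dir_owner() {
    stat -c '%u:%g' "$1" 2>/dev/null || stat -f '%u:%g' "$1"
}

# 2. A host bind mount is written by the container's non-root user, so the
#    host directory must already be owned by that uid:gid or the first run
#    fails with "permission denied". Return 0 only when ownership matches.
bind_mount_ok() {
    _dir="$1"; _want="${2:-$CONTAINER_USER}"
    [ -d "$_dir" ] || { printf 'not a directory: %s\n' "$_dir" >&2; return 1; }
    _have=$(dir_owner "$_dir") || return 1
    if [ "$_have" != "$_want" ]; then
        printf '%s is owned by %s but the container runs as %s; fix with: chown -R %s %s\n' \
            "$_dir" "$_have" "$_want" "$_want" "$_dir" >&2
        return 1
    fi
    return 0
}

# Mount argument for `docker run`. With no host directory given, emit a
# named volume: Docker initialises an empty named volume from the image's
# own directory at HOME_PATH, owner included, so no host-side chown is
# needed. A bind mount is emitted only after its ownership check passes.
data_mount_arg() {
    if [ -z "${1:-}" ]; then
        printf '%s\n' "-v $VOLUME_NAME:$HOME_PATH"
    else
        bind_mount_ok "$1" || return 1
        printf '%s\n' "-v $1:$HOME_PATH"
    fi
}

# usage: sh preflight.sh check ./Dockerfile [./host-data-dir]
case "${1:-}" in
    check)
        lint_dockerfile_env "$2" && data_mount_arg "${3:-}"
        ;;
esac
```

Run it as `sh preflight.sh check ./Dockerfile` to get the named-volume flag, or add a host directory as the third argument to have the bind mount's ownership verified before the flag is printed; a non-zero exit means the first `docker run` would have failed.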