feat: security audit fixes

docker-compose.yml

@@ -5,17 +5,16 @@ services:
       dockerfile: Dockerfile
     container_name: cryptowallet-api
     restart: unless-stopped
-    # Bind to loopback only — TLS termination + WAF на reverse proxy (Caddy/Nginx).
-    # Если нужно direct exposure для dev — поменяй на "3001:3001" локально.
+    # Bind to loopback only — TLS termination + WAF на reverse proxy (Caddy / Nginx).
+    # Для direct exposure в dev → поменяй на "3001:3001".
     ports:
       - "127.0.0.1:3001:3001"
     env_file:
       - .env
     environment:
       API_PORT: "3001"
-    volumes:
-      - ./logs:/app/logs
-    # Container hardening — post-RCE blast radius minimization
+    # Container hardening — post-RCE blast radius minimization.
+    # Audit-логи теперь идут в stdout (не файл), поэтому read_only OK без logs mount.
     read_only: true
     tmpfs:
       - /tmp