
fix(docker): make read-only tmpfs writable #2034

Open

nightcityblade wants to merge 1 commit into unclecode:main from nightcityblade:fix/issue-2027


Conversation

@nightcityblade

Contributor

Summary

Fixes #2027

Updates the secure-by-default Docker Compose tmpfs mounts so the non-root appuser can write required runtime state while keeping the baked Playwright browser cache visible.

List of files changed and why

  • docker-compose.yml - add appuser-owned tmpfs options for Redis/artifacts/runtime state, mount missing ~/.crawl4ai, avoid shadowing ~/.cache/ms-playwright, and add a writable gunicorn control-socket directory.
  • deploy/docker/tests/test_security_container_posture.py - add static posture checks for the read-only-rootfs tmpfs layout.

How Has This Been Tested?

  • python3 -m pytest deploy/docker/tests/test_security_container_posture.py -q -k 'not SandboxOptOut' (16 passed, 2 deselected; the deselected tests import the Docker server and need local OpenSSL installed)
  • python3 YAML check that validates the required tmpfs entries and confirms ~/.cache is not mounted wholesale
  • git diff --check

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation (N/A: deployment config/test change only)
  • I have added/updated unit tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
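The PR description above mentions a static posture check for the read-only-rootfs tmpfs layout: every runtime-state directory must be a tmpfs the non-root appuser can write to, and no tmpfs may be mounted over ~/.cache as a whole, because that would hide the Playwright browser cache baked into the image. The following is an added, illustrative version of such a check written for this page; it is not the project's deploy/docker/tests/test_security_container_posture.py. It works on a Compose document already parsed into a dict (what yaml.safe_load returns), so it needs no third-party library. The service definitions, the uid/gid 1000, the /home/appuser paths and the required directory list are constructed assumptions.

```python
"""Static posture check for a read-only-rootfs Compose service (added example).

Illustrative code for this page, not the project's own test module. It
inspects a Compose service already parsed into a dict and reports findings
a reviewer would want fixed before merging a secure-by-default layout.
"""
from typing import Dict, List, Tuple

APP_UID = 1000            # assumed uid/gid of the non-root appuser
APP_GID = 1000
HOME = "/home/appuser"    # assumed home directory of appuser
# Constructed list of directories the app must be able to write at runtime.
REQUIRED_TMPFS = ["/tmp", f"{HOME}/.crawl4ai"]
# A tmpfs mounted at or above this path would hide the cache baked into the image.
BAKED_CACHE = f"{HOME}/.cache/ms-playwright"


def parse_tmpfs_entry(entry: str) -> Tuple[str, Dict[str, str]]:
    """Split 'path:opt1,key=val,...' into (path, {opt: value}); bare flags map to ''."""
    path, _, raw_opts = entry.partition(":")
    opts: Dict[str, str] = {}
    for opt in filter(None, raw_opts.split(",")):
        key, _, value = opt.partition("=")
        opts[key] = value
    return path, opts


def shadows_baked_cache(path: str) -> bool:
    """True if a tmpfs at `path` would cover BAKED_CACHE (same path or an ancestor)."""
    return path == BAKED_CACHE or BAKED_CACHE.startswith(path.rstrip("/") + "/")


def posture_findings(service: dict) -> List[str]:
    """Return a list of posture problems; an empty list means the service passes."""
    findings: List[str] = []
    if service.get("read_only") is not True:
        findings.append("read_only is not enabled")

    mounts: Dict[str, Dict[str, str]] = {}
    for entry in service.get("tmpfs", []) or []:
        path, opts = parse_tmpfs_entry(entry)
        mounts[path] = opts
        if shadows_baked_cache(path):
            findings.append(f"tmpfs at {path} shadows baked cache {BAKED_CACHE}")

    for path in REQUIRED_TMPFS:
        opts = mounts.get(path)
        if opts is None:
            findings.append(f"missing tmpfs for {path}")
        elif opts.get("uid") != str(APP_UID) or opts.get("gid") != str(APP_GID):
            findings.append(f"tmpfs {path} not owned by appuser {APP_UID}:{APP_GID}")
    return findings


# Constructed service definitions: a weak layout and its corrected form.
WEAK_SERVICE = {
    "read_only": True,
    # Root-owned /tmp (unwritable by appuser) and a wholesale ~/.cache mount.
    "tmpfs": ["/tmp", f"{HOME}/.cache"],
}
FIXED_SERVICE = {
    "read_only": True,
    "tmpfs": [
        "/tmp:rw,nosuid,nodev,size=64m,uid=1000,gid=1000,mode=0700",
        f"{HOME}/.crawl4ai:rw,nosuid,nodev,size=16m,uid=1000,gid=1000,mode=0700",
    ],
}

if __name__ == "__main__":
    for name, svc in (("weak", WEAK_SERVICE), ("fixed", FIXED_SERVICE)):
        print(name, posture_findings(svc) or "OK")
```

The uid/gid/mode options are Linux tmpfs mount options passed through by Docker; confirm that your Compose version honors them in the short `path:options` syntax by starting the container and checking the ownership of each directory with `stat`, since a check that only reads the YAML cannot see what the runtime actually mounted.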
