• Ship compose.override.yaml as a tracked sample
  (compose.override.yaml.sample) rather than a live config file,
  so local edits no longer collide with upstream updates. Existing
  users should copy the sample to compose.override.yaml on
  upgrade if they don't already have one.
• Refuse app:restore against a live database, to prevent
  silently corrupting an in-use deployment.
• Bootstrap configuration on app:restore so it works against a
  fresh container, and skip the unnecessary database migration
  step during restore.
• Stop services around app:restore and flush memcached
  afterwards, so restored state is consistent.
• Run certbot setup as a one-shot supervisord program, making
  Let's Encrypt provisioning more reliable on container start.
• Use exec form for the Dockerfile HEALTHCHECK so the curl
  process is not orphaned when the check times out.
• Use canonical /usr/bin/env in the certbot renewal hook shebang.
• Drop the redundant app:certs and app:version commands.
• New documentation:
  • Reference pages for the /data volume layout, the
    entrypoint's app: commands, versioning and tags, and the
    ports exposed by the image.
  • How-to guide for Compose-based backups, mirroring the Helm
    persistence guide.
  • Documents the DEBUG environment variable, PostgreSQL
    password rotation, remapping published ports with !override,
    and corrected extension requirements for external PostgreSQL.
  • Restructured the everyday upgrade flow around the git tag and
    split the legacy 11.x upgrade path into its own page.