docs(dual-mode): INV-9 doctrine + honest framing + DooD migration (PR 3/3)

[jraicr]

Closes #149 — Phase 1 dual-mode network/socket containment, PR 3/3 (stacked on dev; PR1 #151 + PR2 #152 already merged). Doctrine + docs.

What this adds

The constitution and user docs now describe the dual-mode model honestly, and the now-false statements that PR1's default-flip left behind are corrected.

• CLAUDE.md INV-9 — new invariant: network/socket posture is a per-session choice (dood = threat model A, opt-in, unchanged; contained = threat model B, factory default, for external-ingestion work). States plainly that Phase 1 does NOT filter egress. INV-7 left byte-unchanged.
• CLAUDE.md §4 — boundary note: feat(compose): dual-mode network/socket containment — contained-by-default, opt-in DooD #149 reopens the threat-model boundary by documented real demand (the maintainer's external-ingestion workflow); INV-9 records the outcome.
• CLAUDE.md §3 — the stale "an ergonomic drydock dood/drydock default CLI lands in a later slice" parenthetical is replaced with the real commands (they shipped in PR2).
• README — honest dual-mode framing throughout (tagline, the "Bind-mounts the Docker socket" bullet, the threat-model callout, the comparison table, the Architecture prose), a "switching to dood mode" migration path, and dood/contain/default command-table rows. The old "everything works as on host: docker compose… docker exec… curl localhost" claim — false in contained mode — is corrected.
• docs/security.md — the socket-framing lines now qualify "in dood mode" vs "contained (default) the socket is absent".
• docs/troubleshooting.md — a new section for the most common contained-mode symptom (docker/compose/curl localhost/make shell-api stopped working) with the restore path.
• docs/architecture.md — the DooD section, the engram HTTP-bridge note, and the mount diagram now qualify socket/host-net as dood-mode-only.
• docs/ROADMAP.md — the stale "isolated internal bridge network" Phase 1 description is corrected to bridge + egress-open (no internal: true).
• CHANGELOG.md — [Unreleased] flags the BREAKING default flip, lists what stops working in contained mode, and gives the restore path.

Honest framing (non-negotiable)

Every place the contained posture's security is described pairs it with "Phase 1 does not filter egress / still reaches the internet". No "isolated net", no "sandbox", no claim that contained mode blocks egress. Forbidden-phrase grep ("still threat model A", "containment isn't sandboxing", "not a security feature") is clean across all docs.

Out of scope (tracked separately)

• SessionStart hook framing (templates/hooks/drydock-session-start.sh) still emits the socket framing unconditionally — it should become mode-aware, but that is agent-awareness work, a separate follow-up (not part of feat(compose): dual-mode network/socket containment — contained-by-default, opt-in DooD #149).
• Pre-release smoke-test (spec R5.2): before the dev → main release, confirm a contained container reaches api.anthropic.com over the bridge NAT on bare Linux. Render tests prove YAML correctness only.

Tests & gates

• scripts/test.sh: 1099/1099 passing (no code changed; pure regression sanity).
• shellcheck, shfmt -d, scripts/lint-commits.sh: clean (4 conventional commits).
• INV-7 body byte-identical (git diff shows zero changes inside the INV-7 block).