Fix dev compose: API PYTHONPATH and web volume permissions

API: bake ENV PYTHONPATH=/app/src into the development Dockerfile stage
so it's available to uvicorn's WatchFiles reloader subprocess — relying
on compose env vars isn't reliable across process forks.

Web: replace ./web:/app bind mount (caused EACCES in Podman rootless due
to UID mismatch) with ./web/src:/app/src — this preserves the container's
package.json and node_modules while still giving Vite live access to
source files for HMR.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

docker-compose.dev.yml

@@ -36,7 +36,6 @@ services:
       SECRET_KEY: ${SECRET_KEY:-replace_me_with_32_byte_hex_default}
       INTERNAL_SECRET: ${INTERNAL_SECRET:-replace_me_with_32_byte_hex_default}
       DOMAIN: ${DOMAIN:-localhost}
-      PYTHONPATH: /app/src
     ports:
       - "8000:8000"
     networks:
@@ -50,8 +49,7 @@ services:
       context: ./web
       target: development
     volumes:
-      - ./web:/app
-      - /app/node_modules
+      - ./web/src:/app/src
     environment:
       API_URL: http://api:8000
     ports: