docs: audit and fix all project mount references across docs

Replace full project mounts with scoped .taskorchestrator/ mounts in all docs.
No file outside .taskorchestrator/ should ever be exposed to the container.

Files changed:
- current/docs/quick-start.md: remove mount from Options A/B; fix :main→:latest;
  fix AGENT_CONFIG_DIR env var table entry; add Docker callout in note schemas section
- current/docs/workflow-guide.md: fix dev example to use scoped mount
- CLAUDE.md: fix all three dev docker run examples to use scoped mount;
  relabel "project mount" → "config mount"
- .claude/commands/deploy_to_docker.md: replace hardcoded D:/Projects/... paths
  with $(pwd)/.taskorchestrator; relabel options to "Config Mount"
- clockwork/docs/quick-start.md: fix full project mount in both examples (archived)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: jpicklyk

.claude/commands/deploy_to_docker.md

@@ -114,11 +114,11 @@ AskUserQuestion(
 
 Use `<DATA_VOLUME>` as the data volume name: `mcp-task-data-current` for v3 (default) or `mcp-task-data` for v2 (`--clockwork`).
 
-**"With Project Mount"**
+**"With Config Mount"**
 ```bash
 docker run --rm -i \
   -v <DATA_VOLUME>:/app/data \
-  -v D:/Projects/task-orchestrator:/project:ro \
+  -v "$(pwd)"/.taskorchestrator:/project/.taskorchestrator:ro \
   -e AGENT_CONFIG_DIR=/project \
   <image-tag>
 ```
@@ -127,7 +127,7 @@ docker run --rm -i \
 ```bash
 docker run --rm -i \
   -v <DATA_VOLUME>:/app/data \
-  -v D:/Projects/task-orchestrator:/project:ro \
+  -v "$(pwd)"/.taskorchestrator:/project/.taskorchestrator:ro \
   -e AGENT_CONFIG_DIR=/project \
   -e LOG_LEVEL=DEBUG \
   -e DATABASE_SHOW_SQL=true \
@@ -157,8 +157,8 @@ AskUserQuestion(
     multiSelect: false,
     options: [
       {
-        label: "With Project Mount (Recommended)",
-        description: "Database volume + project mount + port 3001"
+        label: "With Config Mount (Recommended)",
+        description: "Database volume + .taskorchestrator config mount + port 3001"
       },
       {
         label: "With Debug Logging",
@@ -178,12 +178,12 @@ docker stop mcp-task-orchestrator-http 2>/dev/null || true
 docker rm mcp-task-orchestrator-http 2>/dev/null || true
 ```
 
-**"With Project Mount"**
+**"With Config Mount (Recommended)"**
 ```bash
 docker run -d \
   --name mcp-task-orchestrator-http \
   -v <DATA_VOLUME>:/app/data \
-  -v D:/Projects/task-orchestrator:/project:ro \
+  -v "$(pwd)"/.taskorchestrator:/project/.taskorchestrator:ro \
   -e AGENT_CONFIG_DIR=/project \
   -e MCP_TRANSPORT=http \
   -e MCP_HTTP_HOST=0.0.0.0 \
@@ -197,7 +197,7 @@ docker run -d \
 docker run -d \
   --name mcp-task-orchestrator-http \
   -v <DATA_VOLUME>:/app/data \
-  -v D:/Projects/task-orchestrator:/project:ro \
+  -v "$(pwd)"/.taskorchestrator:/project/.taskorchestrator:ro \
   -e AGENT_CONFIG_DIR=/project \
   -e MCP_TRANSPORT=http \
   -e MCP_HTTP_HOST=0.0.0.0 \

CLAUDE.md

@@ -43,25 +43,25 @@ scripts\docker-build.bat                           # Windows CMD
 # Run Docker container (basic - database only)
 docker run --rm -i -v mcp-task-data:/app/data task-orchestrator:dev
 
-# Run with project mount (recommended - enables config reading)
+# Run with config mount (enables custom note schemas)
 docker run --rm -i \
   -v mcp-task-data:/app/data \
-  -v "$(pwd)":/project:ro \
+  -v "$(pwd)"/.taskorchestrator:/project/.taskorchestrator:ro \
   -e AGENT_CONFIG_DIR=/project \
   task-orchestrator:dev
 
 # Debug with logs
 docker run --rm -i \
   -v mcp-task-data:/app/data \
-  -v "$(pwd)":/project:ro \
+  -v "$(pwd)"/.taskorchestrator:/project/.taskorchestrator:ro \
   -e AGENT_CONFIG_DIR=/project \
   -e LOG_LEVEL=DEBUG \
   task-orchestrator:dev
 
 # Run in HTTP transport mode (exposes port 3001, endpoint: http://localhost:3001/mcp)
 docker run --rm \
   -v mcp-task-data-current:/app/data \
-  -v "$(pwd)":/project:ro \
+  -v "$(pwd)"/.taskorchestrator:/project/.taskorchestrator:ro \
   -e AGENT_CONFIG_DIR=/project \
   -e MCP_TRANSPORT=http \
   -p 3001:3001 \

clockwork/docs/quick-start.md

@@ -61,7 +61,7 @@ Choose your AI platform and configure accordingly:
 Use the universal MCP configuration command from your project directory (works on macOS, Linux, Windows):
 
 ```bash
-claude mcp add-json task-orchestrator '{"type":"stdio","command":"docker","args":["run","--rm","-i","-v","mcp-task-data:/app/data","-v",".:/project","-e","AGENT_CONFIG_DIR=/project","ghcr.io/jpicklyk/task-orchestrator:latest"]}'
+claude mcp add-json task-orchestrator '{"type":"stdio","command":"docker","args":["run","--rm","-i","-v","mcp-task-data:/app/data","-v","./.taskorchestrator:/project/.taskorchestrator","-e","AGENT_CONFIG_DIR=/project","ghcr.io/jpicklyk/task-orchestrator:latest"]}'
 ```
 
 This single command works across all platforms. Claude Code will automatically configure and connect to the MCP server.
@@ -103,7 +103,7 @@ All these platforms use similar JSON configuration. Find your configuration file
         "--volume",
         "mcp-task-data:/app/data",
         "--volume",
-        "/absolute/path/to/your/project:/project",
+        "/absolute/path/to/your/project/.taskorchestrator:/project/.taskorchestrator",
         "--env",
         "AGENT_CONFIG_DIR=/project",
         "ghcr.io/jpicklyk/task-orchestrator:latest"

current/docs/quick-start.md

@@ -14,10 +14,10 @@ MCP Task Orchestrator gives AI agents persistent, structured task tracking that
 ## Step 1: Pull the Docker image
 
 ```bash
-docker pull ghcr.io/jpicklyk/task-orchestrator:main
+docker pull ghcr.io/jpicklyk/task-orchestrator:latest
 ```
 
-The image is built from the `current` module (`runtime-current` target) and published to GitHub Container Registry. The `main` tag tracks the latest build from the main branch.
+The image is built from the `current` module (`runtime-current` target) and published to GitHub Container Registry. The `latest` tag always points to the most recent release from the main branch.
 
 ---
 
@@ -33,9 +33,7 @@ claude mcp add-json mcp-task-orchestrator '{
   "args": [
     "run", "--rm", "-i",
     "-v", "mcp-task-data:/app/data",
-    "-v", "${workspaceFolder}:/project:ro",
-    "-e", "AGENT_CONFIG_DIR=/project",
-    "ghcr.io/jpicklyk/task-orchestrator:main"
+    "ghcr.io/jpicklyk/task-orchestrator:latest"
   ]
 }'
 ```
@@ -54,9 +52,7 @@ Add this to `.claude/settings.json` in your project root (checked into source co
       "args": [
         "run", "--rm", "-i",
         "-v", "mcp-task-data:/app/data",
-        "-v", "${workspaceFolder}:/project:ro",
-        "-e", "AGENT_CONFIG_DIR=/project",
-        "ghcr.io/jpicklyk/task-orchestrator:main"
+        "ghcr.io/jpicklyk/task-orchestrator:latest"
       ]
     }
   }
@@ -178,6 +174,13 @@ After adding or editing this file, reconnect the MCP server:
 
 Items tagged `task-implementation` will now require a `requirements` note before `advance_item(trigger="start")` advances them to work, and a `done-criteria` note before `advance_item(trigger="complete")` closes them.
 
+> **Docker:** To read this config file, mount only the `.taskorchestrator/` folder into the container. Add this to your project-level `.mcp.json` (not the global CLI registration):
+> ```json
+> "-v", "${workspaceFolder}/.taskorchestrator:/project/.taskorchestrator:ro",
+> "-e", "AGENT_CONFIG_DIR=/project"
+> ```
+> Only the `.taskorchestrator/` folder is exposed — the server has no access to the rest of your project.
+
 ---
 
 ## Key concepts
@@ -198,7 +201,7 @@ Items tagged `task-implementation` will now require a `requirements` note before
 |----------|---------|-------------|
 | `DATABASE_PATH` | `data/current-tasks.db` | SQLite file path inside the container |
 | `USE_FLYWAY` | `true` | Apply database migrations on startup |
-| `AGENT_CONFIG_DIR` | `/project` | Directory containing `.taskorchestrator/config.yaml` |
+| `AGENT_CONFIG_DIR` | _(unset)_ | Parent directory of `.taskorchestrator/`; set when mounting a config folder into the container |
 | `LOG_LEVEL` | `INFO` | Verbosity: `DEBUG`, `INFO`, `WARN`, `ERROR` |
 
 ---

current/docs/workflow-guide.md

@@ -554,7 +554,7 @@ note_schemas:
 - Docker override: set `AGENT_CONFIG_DIR` environment variable to the directory containing `.taskorchestrator/`.
 
 ```bash
-docker run -e AGENT_CONFIG_DIR=/project -v "$(pwd)":/project:ro task-orchestrator:dev
+docker run -e AGENT_CONFIG_DIR=/project -v "$(pwd)"/.taskorchestrator:/project/.taskorchestrator:ro task-orchestrator:dev
 ```
 
 ---