chore: require config.toml for deployment, update docs (#139)

- docker-compose.yml now defaults to ./config.toml instead of
  conf/app.docker.toml, enforcing explicit configuration for
  production deployments (dev environment still uses conf/ directly)
- Update DEPLOYMENT.md and docs with clear instructions to copy
  config template before starting
- Update config-toml.md: add registry/cni fields, remove obsolete
  [brave] section (search providers are now managed via web UI),
  fix default values
- Add China mainland mirror documentation

DEPLOYMENT.md

@@ -6,46 +6,50 @@
 curl -fsSL https://memoh.sh | sudo sh
 ```
 
-Or manually:
+The script prompts for configuration, generates `config.toml`, and starts all services.
+
+## Manual Install
 
 ```bash
 git clone https://github.com/memohai/Memoh.git
 cd Memoh
+cp conf/app.docker.toml config.toml
+nano config.toml   # Change passwords and JWT secret
 sudo docker compose up -d
 ```
 
 > On macOS or if your user is in the `docker` group, `sudo` is not required.
 
+> **Important**: You must create `config.toml` before starting. `docker-compose.yml` mounts `./config.toml` into the containers — running without it will fail.
+
 Access:
 - Web UI: http://localhost:8082
 - API: http://localhost:8080
 - Agent: http://localhost:8081
 
-Default credentials: `admin` / `admin123`
+Default credentials: `admin` / `admin123` (change in `config.toml`)
 
 ## Prerequisites
 
 - Docker (with Docker Compose v2)
 - Git
 
-That's it. No containerd, nerdctl, or buildkit required on the host.
+## Configuration
 
-## Custom Configuration
-
-By default, Docker Compose uses `conf/app.docker.toml` (no file in project root is mounted; only this config file is mounted into the containers).
-
-To use your own config, create and edit it in the project root, then point `MEMOH_CONFIG` at it (path is on the host; run `docker compose` from the project root):
-
-```bash
-cp conf/app.docker.toml config.toml
-nano config.toml
-sudo MEMOH_CONFIG=./config.toml docker compose up -d
-```
+`config.toml` is generated from `conf/app.docker.toml` and should live in the project root. It is mounted into all containers at startup and is **not** tracked by git.
 
 Recommended changes for production:
-- `admin.password` - Admin password
-- `auth.jwt_secret` - JWT secret (generate with `openssl rand -base64 32`)
-- `postgres.password` - Database password
+- `admin.password` — Admin password
+- `auth.jwt_secret` — JWT secret (generate with `openssl rand -base64 32`)
+- `postgres.password` — Database password (also set `POSTGRES_PASSWORD` env var)
+
+### China Mainland Mirror
+
+Uncomment `registry = "memoh.cn"` in `config.toml` under `[mcp]`, then use:
+
+```bash
+sudo docker compose -f docker-compose.yml -f docker/docker-compose.cn.yml up -d
+```
 
 ## Common Commands
 
@@ -56,13 +60,13 @@ docker compose up -d          # Start
 docker compose down           # Stop
 docker compose logs -f        # View logs
 docker compose ps             # Status
-docker compose up -d --build  # Rebuild and restart
+docker compose pull && docker compose up -d  # Update images
 ```
 
 ## Production
 
-1. Configure HTTPS (create `docker-compose.override.yml` with SSL certs)
-2. Change all default passwords
+1. Change all default passwords and secrets
+2. Configure HTTPS (reverse proxy or `docker-compose.override.yml` with SSL)
 3. Configure firewall
 4. Set resource limits
 5. Regular backups
@@ -71,13 +75,12 @@ docker compose up -d --build  # Rebuild and restart
 
 ```bash
 docker compose logs server    # View service logs
-docker compose logs containerd # View containerd logs
 docker compose config         # Check configuration
 docker compose build --no-cache && docker compose up -d  # Full rebuild
 ```
 
 ## Security Warnings
 
-- Main service has privileged container access - only run in trusted environments
+- Main service has privileged container access — only run in trusted environments
 - Must change all default passwords and secrets
 - Use HTTPS in production