refactor: replace deprecated docker-compose with docker compose across repository

.planning/phases/03-lab-02-network-vpc/03-01-PLAN.md

@@ -187,7 +187,7 @@ Phase 2 patterns to follow:
     1. Verify docker-compose.yml exists
     2. Verify no port bindings use 0.0.0.0 (violates INF-02)
     3. Verify private services use 127.0.0.1 binding (localhost only)
-    4. Verify docker-compose config is valid YAML
+    4. Verify docker compose config is valid YAML
     5. Verify no published ports for private-only services
 
     Requirements:
@@ -201,7 +201,7 @@ Phase 2 patterns to follow:
     - Check file exists: `[ -f labs/lab-02-network/docker-compose.yml ]`
     - Find port mappings: `grep -E "^\s*-\s*[0-9]+:" docker-compose.yml` or `grep -A 20 "ports:"`
     - Check for violations: `grep -E '0\.0\.0\.0:[0-9]+' docker-compose.yml` (should NOT find)
-    - Validate YAML: `docker-compose -f docker-compose.yml config` (if file exists)
+    - Validate YAML: `docker compose -f docker-compose.yml config` (if file exists)
 
     Expected: 5 tests total (file exists, no 0.0.0.0 bindings, 127.0.0.1 bindings used, YAML valid, private services no ports)
   </action>

.planning/phases/03-lab-02-network-vpc/03-02-PLAN.md

@@ -193,9 +193,9 @@ From 03-RESEARCH.md, use consistent naming:
     4. **Step 2: Define Networks in Compose**: Custom networks with subnets (10.0.1.0/24, 10.0.2.0/24)
     5. **Step 3: Define Services**: Web server in public network, database in private network
     6. **Step 4: Port Publishing**: INF-02 compliance (127.0.0.1 binding only)
-    7. **Verification Step 1**: `docker-compose config`
-    8. **Step 5: Start Services**: `docker-compose up -d`
-    9. **Verification Step 2**: `docker-compose ps`, `docker network inspect`
+    7. **Verification Step 1**: `docker compose config`
+    8. **Step 5: Start Services**: `docker compose up -d`
+    9. **Verification Step 2**: `docker compose ps`, `docker network inspect`
     10. **Step 6: Verify Service Placement**: Which network each service is in
     11. **Troubleshooting**: Port conflicts, network not found
     12. **Summary**: Multi-tier architecture deployed
@@ -336,7 +336,7 @@ From 03-RESEARCH.md, use consistent naming:
     **Guide 4: cleanup-networks.md**
     - Goal: Remove networks and fix common cleanup issues
     - Steps: Remove networks, remove containers, fix "network has active endpoints"
-    - Commands: docker network rm, docker-compose down -v
+    - Commands: docker network rm, docker compose down -v
     - Troubleshooting: Networks that won't delete, orphaned networks
     - ~60 lines
 

.planning/phases/03-lab-02-network-vpc/03-03-PLAN.md

@@ -21,7 +21,7 @@ must_haves:
     - "Private networks use --internal flag and no published ports"
     - "Public services bind to 127.0.0.1 only (INF-02 compliant)"
     - "Infrastructure verification tests pass (GREEN phase)"
-    - "All services start successfully with docker-compose up"
+    - "All services start successfully with docker compose up"
   artifacts:
     - path: "labs/lab-02-network/docker-compose.yml"
       provides: "VPC network definition with subnets"
@@ -47,7 +47,7 @@ must_haves:
 <objective>
 Create Docker infrastructure (docker-compose.yml and Dockerfile) implementing VPC simulation with isolated bridge networks. Following TDD methodology, this is the GREEN phase - tests already exist from Plan 03-01, and infrastructure should make those tests pass. Infrastructure must enforce INF-02 compliance (private networks don't expose ports on 0.0.0.0).
 
-Purpose: Implement network infrastructure that simulates AWS VPC with public and private subnets. Students learn by running docker-compose and observing isolated networks in action.
+Purpose: Implement network infrastructure that simulates AWS VPC with public and private subnets. Students learn by running docker compose and observing isolated networks in action.
 
 Output: Working docker-compose.yml with VPC networks, test container image, and infrastructure verification script that validates all requirements.
 </objective>
@@ -262,7 +262,7 @@ From REQUIREMENTS.md:
     Expected: ~100 lines with complete VPC simulation
   </action>
   <verify>
-    <automated>cd labs/lab-02-network && docker-compose config && docker-compose up -d && docker-compose ps</automated>
+    <automated>cd labs/lab-02-network && docker compose config && docker compose up -d && docker compose ps</automated>
   </verify>
   <done>docker-compose.yml defines VPC networks with correct subnets. Services deployed in appropriate tiers. INF-02 compliant (127.0.0.1 bindings only).</done>
 </task>
@@ -374,7 +374,7 @@ From REQUIREMENTS.md:
     Expected: ~45 lines with non-root user and networking tools
   </action>
   <verify>
-    <automated>cd labs/lab-02-network && docker-compose build api && docker images | grep lab02-api</automated>
+    <automated>cd labs/lab-02-network && docker compose build api && docker images | grep lab02-api</automated>
   </verify>
   <done>Dockerfile builds successfully. Creates non-root container with networking tools. Healthcheck tests connectivity to private network.</done>
 </task>
@@ -391,7 +391,7 @@ From REQUIREMENTS.md:
     3. Verify subnet configurations (10.0.1.0/24, 10.0.2.0/24)
     4. Verify INF-02 compliance (no 0.0.0.0 bindings)
     5. Verify private network has internal: true flag
-    6. Verify docker-compose build succeeds
+    6. Verify docker compose build succeeds
     7. Verify services start successfully
     8. Verify network isolation (web cannot ping db)
     9. Verify same-network communication (api can reach db)
@@ -399,7 +399,7 @@ From REQUIREMENTS.md:
 
     Requirements:
     - Follow Phase 2 test patterns (color output, helper functions)
-    - Use docker-compose config to validate YAML
+    - Use docker compose config to validate YAML
     - Use docker network inspect to verify network config
     - Use docker exec for connectivity tests
     - Use grep for INF-02 validation
@@ -442,7 +442,7 @@ From REQUIREMENTS.md:
 
     # Test 1: docker-compose.yml is valid
     echo -e "[1/10] Testing docker-compose.yml syntax..."
-    if docker-compose config > /dev/null 2>&1; then
+    if docker compose config > /dev/null 2>&1; then
         echo -e "${GREEN}PASS${NC}: docker-compose.yml is valid"
         inc_pass
     else
@@ -452,8 +452,8 @@ From REQUIREMENTS.md:
 
     # Test 2: Networks defined
     echo -e "[2/10] Testing network definitions..."
-    if docker-compose config | grep -q "vpc-public:" && \
-       docker-compose config | grep -q "vpc-private:"; then
+    if docker compose config | grep -q "vpc-public:" && \
+       docker compose config | grep -q "vpc-private:"; then
         echo -e "${GREEN}PASS${NC}: vpc-public and vpc-private networks defined"
         inc_pass
     else
@@ -463,8 +463,8 @@ From REQUIREMENTS.md:
 
     # Test 3: Subnet configurations
     echo -e "[3/10] Testing subnet configurations..."
-    if docker-compose config | grep -q "10.0.1.0/24" && \
-       docker-compose config | grep -q "10.0.2.0/24"; then
+    if docker compose config | grep -q "10.0.1.0/24" && \
+       docker compose config | grep -q "10.0.2.0/24"; then
         echo -e "${GREEN}PASS${NC}: Subnets 10.0.1.0/24 and 10.0.2.0/24 configured"
         inc_pass
     else
@@ -474,7 +474,7 @@ From REQUIREMENTS.md:
 
     # Test 4: INF-02 compliance
     echo -e "[4/10] Testing INF-02 compliance (no 0.0.0.0 bindings)..."
-    if docker-compose config | grep -qE '0\.0\.0\.0:[0-9]+'; then
+    if docker compose config | grep -qE '0\.0\.0\.0:[0-9]+'; then
         echo -e "${RED}FAIL${NC}: Found 0.0.0.0 port bindings (INF-02 violation)"
         inc_fail
     else
@@ -484,7 +484,7 @@ From REQUIREMENTS.md:
 
     # Test 5: Private network internal flag
     echo -e "[5/10] Testing private network isolation..."
-    if docker-compose config | grep -A 3 "vpc-private:" | grep -q "internal: true"; then
+    if docker compose config | grep -A 3 "vpc-private:" | grep -q "internal: true"; then
         echo -e "${GREEN}PASS${NC}: vpc-private has internal: true flag"
         inc_pass
     else
@@ -493,8 +493,8 @@ From REQUIREMENTS.md:
     fi
 
     # Test 6: Build succeeds
-    echo -e "[6/10] Testing docker-compose build..."
-    if docker-compose build -q api > /dev/null 2>&1; then
+    echo -e "[6/10] Testing docker compose build..."
+    if docker compose build -q api > /dev/null 2>&1; then
         echo -e "${GREEN}PASS${NC}: Docker image builds successfully"
         inc_pass
     else
@@ -504,10 +504,10 @@ From REQUIREMENTS.md:
 
     # Test 7-10: Runtime tests (if services running)
     # Check if services are running
-    if docker-compose ps | grep -q "Up"; then
+    if docker compose ps | grep -q "Up"; then
         # Test 7: Services running
         echo -e "[7/10] Testing service status..."
-        running_count=$(docker-compose ps | grep -c "Up" || true)
+        running_count=$(docker compose ps | grep -c "Up" || true)
         if [ "$running_count" -ge 2 ]; then
             echo -e "${GREEN}PASS${NC}: Services are running ($running_count services)"
             inc_pass
@@ -590,19 +590,19 @@ After all tasks complete, verify:
    - tests/04-verify-infrastructure.sh exists
 
 2. **Compose Configuration**:
-   - `docker-compose config` succeeds (valid YAML)
+   - `docker compose config` succeeds (valid YAML)
    - Two networks defined: vpc-public, vpc-private
    - Correct subnets: 10.0.1.0/24, 10.0.2.0/24
    - Three services: web, api, db
 
 3. **INF-02 Compliance**:
-   - No 0.0.0.0 bindings in docker-compose config
+   - No 0.0.0.0 bindings in docker compose config
    - Public services use 127.0.0.1:PORT:PORT format
    - Private services have no published ports
    - vpc-private has internal: true flag
 
 4. **Services Start Successfully**:
-   - `docker-compose up -d` succeeds
+   - `docker compose up -d` succeeds
    - All containers show "Up" status
    - Containers have correct network attachments
 
@@ -619,19 +619,19 @@ After all tasks complete, verify:
 
 ```bash
 # Verify compose configuration
-cd labs/lab-02-network && docker-compose config
+cd labs/lab-02-network && docker compose config
 
 # Check for INF-02 violations (should return nothing)
-cd labs/lab-02-network && docker-compose config | grep "0.0.0.0"
+cd labs/lab-02-network && docker compose config | grep "0.0.0.0"
 
 # Build services
-cd labs/lab-02-network && docker-compose build
+cd labs/lab-02-network && docker compose build
 
 # Start services
-cd labs/lab-02-network && docker-compose up -d
+cd labs/lab-02-network && docker compose up -d
 
 # Check service status
-cd labs/lab-02-network && docker-compose ps
+cd labs/lab-02-network && docker compose ps
 
 # Verify networks created
 docker network ls | grep lab02
@@ -643,7 +643,7 @@ bash labs/lab-02-network/tests/04-verify-infrastructure.sh
 bash labs/lab-02-network/tests/run-all-tests.sh
 
 # Cleanup
-cd labs/lab-02-network && docker-compose down -v
+cd labs/lab-02-network && docker compose down -v
 ```
 
 ## Success Criteria
@@ -652,7 +652,7 @@ cd labs/lab-02-network && docker-compose down -v
 - [ ] Two networks defined: vpc-public (10.0.1.0/24), vpc-private (10.0.2.0/24)
 - [ ] vpc-private has internal: true flag
 - [ ] No 0.0.0.0 port bindings (INF-02 compliant)
-- [ ] Services start successfully with docker-compose up
+- [ ] Services start successfully with docker compose up
 - [ ] Network isolation verified (public cannot reach private)
 - [ ] Infrastructure verification script passes all tests
 - [ ] All tests from Plan 03-01 now pass (GREEN phase complete)

.planning/phases/03-lab-02-network-vpc/03-RESEARCH.md

@@ -246,7 +246,7 @@ networks:
 ### Pitfall 5: Network Cleanup Between Tests
 **What goes wrong:** Previous test networks interfere with new tests
 **Why it happens:** Networks not removed between test runs, container references stale
-**How to avoid:** Always run `docker-compose down -v` to remove networks, include cleanup in tests
+**How to avoid:** Always run `docker compose down -v` to remove networks, include cleanup in tests
 **Warning signs:** "Network already exists" errors, IP conflicts in subnet allocation
 
 ## Code Examples
@@ -373,8 +373,8 @@ else
     echo "WARNING: No port bindings found or all public"
 fi
 
-# Verify with docker-compose config
-docker-compose -f "$compose_file" config 2>/dev/null || true
+# Verify with docker compose config
+docker compose -f "$compose_file" config 2>/dev/null || true
 
 echo "INF-02 verification complete"
 ```

.planning/phases/03-lab-02-network-vpc/03-VALIDATION.md

@@ -41,7 +41,7 @@ created: 2026-03-25
 | 03-01-01 | 01 | 1 | LAB-02, TEST-01 | unit | `bash labs/lab-02-network/tests/test-network-isolation.sh` | ❌ W0 | ⬜ pending |
 | 03-01-02 | 01 | 1 | INF-02 | integration | `bash labs/lab-02-network/tests/test-private-network-no-expose.sh` | ❌ W0 | ⬜ pending |
 | 03-02-01 | 02 | 1 | DOCT-01, DOCT-02 | documentation | File existence check | ❌ W0 | ⬜ pending |
-| 03-03-01 | 03 | 2 | LAB-02, INF-02 | infrastructure | `docker-compose config` + container ping test | ❌ W0 | ⬜ pending |
+| 03-03-01 | 03 | 2 | LAB-02, INF-02 | infrastructure | `docker compose config` + container ping test | ❌ W0 | ⬜ pending |
 
 *Status: ⬜ pending · ✅ green · ❌ red · ⚠️ flaky*
 
@@ -91,5 +91,5 @@ created: 2026-03-25
 
 ### INF-02 Compliance Verification
 - Private networks must NOT expose ports on 0.0.0.0
-- Test verifies `docker-compose config` output for `127.0.0.1:PORT:PORT` pattern
+- Test verifies `docker compose config` output for `127.0.0.1:PORT:PORT` pattern
 - Manual verification: `netstat -tlnp | grep docker` shows no 0.0.0.0 bindings for private services