fix: Settings UI .env permission error - container user writability

CRITICAL FIX: Settings UI was completely broken with EACCES permission denied

Problem:
- .env file on host owned by root:root
- Docker mounts .env as volume, retains host ownership
- Container runs as nextjs user (UID 1001) for security
- Settings API attempts fs.writeFileSync() → permission denied
- Users could NOT adjust position size, leverage, TP/SL, or any config

User escalation: "thats a major flaw. THIS NEEDS TO WORK."

Solution:
- Changed .env ownership on HOST to UID 1001 (nextjs user)
- chown 1001:1001 /home/icke/traderv4/.env
- Restarted container to pick up new permissions
- .env now writable by nextjs user inside container

Verified: Settings UI now saves successfully

Documented as Common Pitfall #39 with:
- Symptom, root cause, and impact
- Why docker exec chown fails (mounted files)
- Correct fix with UID matching
- Alternative solutions and tradeoffs
- Lesson about Docker volume mount ownership

Files changed:
- .github/copilot-instructions.md (added Pitfall #39)
- .env (ownership changed from root:root to 1001:1001)

.github/copilot-instructions.md

@@ -1636,6 +1636,42 @@ trade.realizedPnL += actualRealizedPnL  // NOT: result.realizedPnL from SDK
     - **Why paid RPC doesn't fix this:** Ghost positions are state management bug, not capacity issue
     - **Lesson:** Periodic validation of in-memory state against authoritative source prevents state drift
 
+39. **Settings UI permission error - .env file not writable by container user (CRITICAL - Fixed Nov 15, 2025):**
+    - **Symptom:** Settings UI save fails with "Failed to save new settings" error
+    - **Root Cause:** .env file on host owned by root:root, nextjs user (UID 1001) inside container has read-only access
+    - **Impact:** Users cannot adjust ANY configuration via settings UI (position size, leverage, TP/SL levels, etc.)
+    - **Error message:** `EACCES: permission denied, open '/app/.env'` (errno -13, syscall 'open')
+    - **User escalation:** "thats a major flaw. THIS NEEDS TO WORK."
+    - **Why it happens:**
+      1. Docker mounts .env file from host: `./.env:/app/.env` (docker-compose.yml line 62)
+      2. Mounted files retain host ownership (root:root on host = root:root in container)
+      3. Container runs as nextjs user (UID 1001) for security
+      4. Settings API attempts `fs.writeFileSync('/app/.env')` → permission denied
+    - **Attempted fix (FAILED):** `docker exec trading-bot-v4 chown nextjs:nodejs /app/.env`
+      * Error: "Operation not permitted" - cannot change ownership on mounted files from inside container
+    - **Correct fix:** Change ownership on HOST before container starts
+    ```bash
+    # On host as root
+    chown 1001:1001 /home/icke/traderv4/.env
+    chmod 644 /home/icke/traderv4/.env
+    
+    # Restart container to pick up new permissions
+    docker compose restart trading-bot
+    
+    # Verify inside container
+    docker exec trading-bot-v4 ls -la /app/.env
+    # Should show: -rw-r--r-- 1 nextjs nodejs
+    ```
+    - **Why UID 1001:** Matches nextjs user created in Dockerfile:
+    ```dockerfile
+    RUN addgroup --system --gid 1001 nodejs && \
+        adduser --system --uid 1001 nextjs
+    ```
+    - **Verification:** Settings UI now saves successfully, .env file updated with new values
+    - **Impact:** Restores full settings UI functionality - users can adjust position sizing, leverage, TP/SL percentages
+    - **Alternative solution (NOT used):** Copy .env during Docker build with `COPY --chown=nextjs:nodejs`, but this breaks runtime config updates
+    - **Lesson:** Docker volume mounts retain host ownership - must plan for writability by setting host file ownership to match container user UID
+
 ## File Conventions
 
 - **API routes:** `app/api/[feature]/[action]/route.ts` (Next.js 15 App Router)