Docker Compose services that reference a locally-built image (via image: tag) but lack both a build: directive and pull_policy: never will fail with 'pull access denied' when the image name uses a private/nonexistent registry prefix. Services with build: but no pull_policy: never produce warnings but fall back to building. The fix is adding pull_policy: never to every service that consumes a locally-built image.
Add pull_policy: never to every service definition that references a locally-built image via the image: key. This is especially critical for services without a build: directive — they have no fallback and will hard-fail. Services with build: will produce warnings but still work. The consistent pattern: the service that builds the image AND every service that reuses it should all have pull_policy: never.