Harden auth and security controls with session auth and docs

.env.example

@@ -0,0 +1,53 @@
+# LedgerDock environment template
+# Copy to .env and adjust all secret values before first run.
+
+# Development defaults (HTTP local stack)
+APP_ENV=development
+HOST_BIND_IP=127.0.0.1
+
+POSTGRES_USER=dcm
+POSTGRES_PASSWORD=ChangeMe-Postgres-Secret
+POSTGRES_DB=dcm
+DATABASE_URL=postgresql+psycopg://dcm:ChangeMe-Postgres-Secret@db:5432/dcm
+
+REDIS_PASSWORD=ChangeMe-Redis-Secret
+REDIS_URL=redis://:ChangeMe-Redis-Secret@redis:6379/0
+REDIS_SECURITY_MODE=compat
+REDIS_TLS_MODE=allow_insecure
+
+AUTH_BOOTSTRAP_ADMIN_USERNAME=admin
+AUTH_BOOTSTRAP_ADMIN_PASSWORD=ChangeMe-Admin-Password
+AUTH_BOOTSTRAP_USER_USERNAME=user
+AUTH_BOOTSTRAP_USER_PASSWORD=ChangeMe-User-Password
+
+APP_SETTINGS_ENCRYPTION_KEY=ChangeMe-Settings-Encryption-Key
+TYPESENSE_API_KEY=ChangeMe-Typesense-Key
+
+PROCESSING_LOG_STORE_MODEL_IO_TEXT=false
+PROCESSING_LOG_STORE_PAYLOAD_TEXT=false
+CONTENT_EXPORT_MAX_DOCUMENTS=250
+CONTENT_EXPORT_MAX_TOTAL_BYTES=52428800
+CONTENT_EXPORT_RATE_LIMIT_PER_MINUTE=6
+
+PROVIDER_BASE_URL_ALLOW_HTTP=true
+PROVIDER_BASE_URL_ALLOW_PRIVATE_NETWORK=true
+PROVIDER_BASE_URL_ALLOWLIST=[]
+
+PUBLIC_BASE_URL=http://localhost:8000
+CORS_ORIGINS=["http://localhost:5173","http://localhost:3000"]
+CORS_ALLOW_CREDENTIALS=false
+VITE_API_BASE=
+
+# Production baseline overrides (set explicitly for live deployments):
+# APP_ENV=production
+# HOST_BIND_IP=127.0.0.1
+# REDIS_URL=rediss://:<strong-password>@redis.example.internal:6379/0
+# REDIS_SECURITY_MODE=strict
+# REDIS_TLS_MODE=required
+# PROVIDER_BASE_URL_ALLOW_HTTP=false
+# PROVIDER_BASE_URL_ALLOW_PRIVATE_NETWORK=false
+# PROVIDER_BASE_URL_ALLOWLIST=["api.openai.com"]
+# PUBLIC_BASE_URL=https://api.example.com
+# CORS_ORIGINS=["https://app.example.com"]
+# CORS_ALLOW_CREDENTIALS=false
+# VITE_API_BASE=https://api.example.com/api/v1