diff --git a/.env.example b/.env.example
index e48b9f5..8b32033 100644
--- a/.env.example
+++ b/.env.example
@@ -4,3 +4,29 @@
 
 ANTHROPIC_API_KEY=
 OPENAI_API_KEY=
+
+# ── PostgreSQL ───────────────────────────────────────────────────────────────
+# App user — SELECT/INSERT/UPDATE/DELETE only, used by FastAPI + Celery
+DATABASE_URL=postgresql+psycopg://docuvault_app:changeme_app@postgres:5432/docuvault
+# Migration user — DDL privileges, used ONLY by Alembic, never by the app at runtime
+DATABASE_MIGRATE_URL=postgresql+psycopg://docuvault_migrate:changeme_migrate@postgres:5432/docuvault
+# Superuser password for the postgres init container — used only by initdb.d scripts
+POSTGRES_PASSWORD=changeme_super
+
+# ── MinIO ────────────────────────────────────────────────────────────────────
+MINIO_ROOT_USER=minioadmin
+MINIO_ROOT_PASSWORD=changeme_minio_root
+MINIO_ENDPOINT=minio:9000
+# App-level access key — minimal permissions on docuvault bucket only
+MINIO_ACCESS_KEY=docuvault_app
+MINIO_SECRET_KEY=changeme_minio_app
+MINIO_BUCKET=docuvault
+
+# ── Redis ─────────────────────────────────────────────────────────────────────
+REDIS_PASSWORD=changeme_redis
+# Must match REDIS_PASSWORD; the leading : is the no-username form for requirepass
+REDIS_URL=redis://:changeme_redis@redis:6379/0
+
+# ── Security (Phase 2) ───────────────────────────────────────────────────────
+# Not read by the app in Phase 1 — documented here for Phase 2 JWT + HKDF use
+SECRET_KEY=CHANGEME-replace-with-64-char-random-hex