feat(01-01): extend .env.example with all Phase 1 service variables

- Add PostgreSQL section: DATABASE_URL, DATABASE_MIGRATE_URL, POSTGRES_PASSWORD
- Add MinIO section: MINIO_ROOT_USER, MINIO_ROOT_PASSWORD, MINIO_ENDPOINT, MINIO_ACCESS_KEY, MINIO_SECRET_KEY, MINIO_BUCKET
- Add Redis section: REDIS_PASSWORD, REDIS_URL
- Add Security section: SECRET_KEY (Phase 2 placeholder, documented now)
- All passwords use changeme_* style placeholders matching the init SQL script
- Grouped by service with comment headers per D-11

.env.example

@@ -4,3 +4,29 @@
 
 ANTHROPIC_API_KEY=
 OPENAI_API_KEY=
+
+# ── PostgreSQL ───────────────────────────────────────────────────────────────
+# App user — SELECT/INSERT/UPDATE/DELETE only, used by FastAPI + Celery
+DATABASE_URL=postgresql+psycopg://docuvault_app:changeme_app@postgres:5432/docuvault
+# Migration user — DDL privileges, used ONLY by Alembic, never by the app at runtime
+DATABASE_MIGRATE_URL=postgresql+psycopg://docuvault_migrate:changeme_migrate@postgres:5432/docuvault
+# Superuser password for the postgres init container — used only by initdb.d scripts
+POSTGRES_PASSWORD=changeme_super
+
+# ── MinIO ────────────────────────────────────────────────────────────────────
+MINIO_ROOT_USER=minioadmin
+MINIO_ROOT_PASSWORD=changeme_minio_root
+MINIO_ENDPOINT=minio:9000
+# App-level access key — minimal permissions on docuvault bucket only
+MINIO_ACCESS_KEY=docuvault_app
+MINIO_SECRET_KEY=changeme_minio_app
+MINIO_BUCKET=docuvault
+
+# ── Redis ─────────────────────────────────────────────────────────────────────
+REDIS_PASSWORD=changeme_redis
+# Must match REDIS_PASSWORD; the leading : is the no-username form for requirepass
+REDIS_URL=redis://:changeme_redis@redis:6379/0
+
+# ── Security (Phase 2) ───────────────────────────────────────────────────────
+# Not read by the app in Phase 1 — documented here for Phase 2 JWT + HKDF use
+SECRET_KEY=CHANGEME-replace-with-64-char-random-hex