fix(security): remove hardcoded default credentials from config files

- .env.example: replace weak default INITIAL_ADMIN_PASSWORD and
  AUTH_SECRET with instructive placeholders requiring manual generation
- docker-compose.yml: parameterize POSTGRES_USER, POSTGRES_PASSWORD,
  POSTGRES_DB and DATABASE_URL via environment variables with local fallbacks

docker-compose.yml

@@ -3,9 +3,9 @@ services:
     image: postgres:16-alpine
     restart: unless-stopped
     environment:
-      POSTGRES_USER: ecommerce
-      POSTGRES_PASSWORD: ecommerce_password
-      POSTGRES_DB: ecommerce
+      POSTGRES_USER: ${POSTGRES_USER:-ecommerce}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-ecommerce_password}
+      POSTGRES_DB: ${POSTGRES_DB:-ecommerce}
     volumes:
       - ./data/db:/var/lib/postgresql/data
     healthcheck:
@@ -24,7 +24,7 @@ services:
         condition: service_healthy
     env_file: .env
     environment:
-      DATABASE_URL: postgresql://ecommerce:ecommerce_password@db:5432/ecommerce
+      DATABASE_URL: postgresql://${POSTGRES_USER:-ecommerce}:${POSTGRES_PASSWORD:-ecommerce_password}@db:5432/${POSTGRES_DB:-ecommerce}
     expose:
       - "3000"
     volumes: