fix(security): remove hardcoded default credentials from config files

- .env.example: replace weak default INITIAL_ADMIN_PASSWORD and
  AUTH_SECRET with instructive placeholders requiring manual generation
- docker-compose.yml: parameterize POSTGRES_USER, POSTGRES_PASSWORD,
  POSTGRES_DB and DATABASE_URL via environment variables with local fallbacks

.env.example

@@ -1,8 +1,8 @@
 APP_URL=http://localhost
 DATABASE_URL=postgresql://ecommerce:ecommerce_password@db:5432/ecommerce
-AUTH_SECRET=dev-secret-change-in-production-32chars
+AUTH_SECRET=<generate-with-openssl-rand-hex-32>
 INITIAL_ADMIN_EMAIL=admin@example.com
-INITIAL_ADMIN_PASSWORD=Admin1234!test
+INITIAL_ADMIN_PASSWORD=<change-this-use-openssl-rand-base64-32>
 STRIPE_SECRET_KEY=sk_test_placeholder
 STRIPE_WEBHOOK_SECRET=whsec_placeholder
 SMTP_HOST=mailpit
@@ -10,3 +10,4 @@ SMTP_PORT=1025
 SMTP_USER=
 SMTP_PASSWORD=
 SMTP_FROM=noreply@localhost
+POSTGRES_PASSWORD=ecommerce_password

docker-compose.yml

@@ -3,9 +3,9 @@ services:
     image: postgres:16-alpine
     restart: unless-stopped
     environment:
-      POSTGRES_USER: ecommerce
+      POSTGRES_USER: ${POSTGRES_USER:-ecommerce}
-      POSTGRES_PASSWORD: ecommerce_password
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-ecommerce_password}
-      POSTGRES_DB: ecommerce
+      POSTGRES_DB: ${POSTGRES_DB:-ecommerce}
     volumes:
       - ./data/db:/var/lib/postgresql/data
     healthcheck:
@@ -24,7 +24,7 @@ services:
         condition: service_healthy
     env_file: .env
     environment:
-      DATABASE_URL: postgresql://ecommerce:ecommerce_password@db:5432/ecommerce
+      DATABASE_URL: postgresql://${POSTGRES_USER:-ecommerce}:${POSTGRES_PASSWORD:-ecommerce_password}@db:5432/${POSTGRES_DB:-ecommerce}
     expose:
       - "3000"
     volumes: