fix(local-dev): docker-compose + .env.example cover the new required env vars (closes #334)

[cristim]

Summary

A fresh docker-compose up -d on this branch crashes on startup because
the compose file is missing several env vars the app now requires.
This PR adds them with local-dev defaults and documents the same
contract in .env.example so anyone running outside compose has a
one-stop reference.

Failure chain this fixes

Without this PR, a fresh docker-compose up -d hits these one by one:

1. scheduled-task auth init: SCHEDULED_TASK_AUTH_MODE is unset —
   internal/server/scheduledauth/config.go requires explicit choice.
2. ADMIN_PASSWORD_SECRET environment variable is required but not set; refusing to start without a Secrets Manager ARN.
3. (After fix(email): short-circuit to no-op sender when EMAIL_ENABLED=false (closes #332) #333 lands) SECRET_PROVIDER=aws + empty AWS creds was
   working by luck; switching to env is the correct local-dev path.
4. Frontend admin-setup modal asks for an API key (sourced from
   API_KEY_SECRET_ARN → fails when empty).

Changes

docker-compose.yml (app service environment block):

• SECRET_PROVIDER: env (was aws) — pairs with EMAIL_ENABLED=false
  so the no-op email sender from fix(email): short-circuit to no-op sender when EMAIL_ENABLED=false (closes #332) #333 kicks in.
• SCHEDULED_TASK_AUTH_MODE: disabled.
• ADMIN_PASSWORD_SECRET / API_KEY_SECRET_ARN as VAR-NAME
  indirections pointing at concrete dev values
  (ADMIN_PASSWORD_DEV / ADMIN_API_KEY_DEV).
• ADMIN_EMAIL: admin@cudly.local.
• CREDENTIAL_ENCRYPTION_ALLOW_DEV_KEY: "1".

.env.example:

• Updated SECRET_PROVIDER block to remove the now-stale "env will
  fail" warning and explain the new contract.
• Added SCHEDULED_TASK_AUTH_MODE section.
• Added EMAIL_ENABLED section with cross-reference to fix(email): short-circuit to no-op sender when EMAIL_ENABLED=false (closes #332) #333.
• Added the VAR-NAME-indirection pattern for *_SECRET / *_SECRET_ARN
  with concrete dev values co-located so future readers can trace the
  chain in one file. Kept the AWS-ARN production examples as
  commented-out alternatives.

Dependency

Depends on #333 (no-op email sender). Without that, the email
factory crashes on SECRET_PROVIDER=env. Sequencing intentional —
this PR is a no-op until #333 merges.

Closes #334.

Test plan

• docker compose up -d postgres app frontend brings the stack to
  healthy on a fresh checkout.
• curl http://localhost:8080/api/health → HTTP 200.
• Frontend at http://localhost:3001 serves index.html.
• Admin-setup modal accepts the documented dev defaults
  (API key cudly-local-dev-api-key-not-for-prod,
  email admin@cudly.local,
  password LocalDev!Pass123).
• No regressions for prod deploys (the new vars are unset there;
  the cloud secret resolver handles them).

Summary by CodeRabbit

• Chores
  • Switched local dev to environment-based secret resolution instead of cloud provider integration.
  • Replaced production credential examples with local-dev placeholder credentials and inline dev keys for easier local setup.
  • Defaulted scheduled task auth to disabled and disabled email sending in local development mode.

[cristim]

@coderabbitai review

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 396ab4c1-5620-483b-92e9-24bc0095b859

📥 Commits

Reviewing files that changed from the base of the PR and between 8fec8cd and b7a5f6d.

📒 Files selected for processing (1)

• .env.example

---

📝 Walkthrough

Walkthrough

Configuration templates and docker-compose service environment updated for local development: SECRET_PROVIDER switched to env, SCHEDULED_TASK_AUTH_MODE=disabled and EMAIL_ENABLED=false added, and admin/API credential vars rewritten to use env-mode indirection with local-dev placeholders.

Changes

Local Development Environment Configuration

Layer / File(s)	Summary
Secret Provider Mode & Documentation .env.example	SECRET_PROVIDER changed from aws to env with docs explaining env-mode indirection where secret-ref vars name another env var containing the real secret.
Scheduled Task Auth Requirement .env.example	Added SCHEDULED_TASK_AUTH_MODE required setting; example sets disabled for local development and documents startup refusal when unset.
Email Factory No-Op Behavior .env.example	Added EMAIL_ENABLED=false and comments describing the email factory’s no-op sender behavior when disabled and its pairing with SECRET_PROVIDER=env.
Admin Credentials Env-Mode Lookup .env.example	Replaced production ARN placeholders with env-mode chain: ADMIN_PASSWORD_SECRET=ADMIN_PASSWORD_DEV, ADMIN_PASSWORD_DEV placeholder, API_KEY_SECRET_ARN=ADMIN_API_KEY_DEV, ADMIN_API_KEY_DEV placeholder, and ADMIN_EMAIL updated to a local placeholder.
Docker Compose Service Environment docker-compose.yml	app service env block updated to SECRET_PROVIDER: env, sets ADMIN_PASSWORD_SECRET→ADMIN_PASSWORD_DEV (with dev password), API_KEY_SECRET_ARN→ADMIN_API_KEY_DEV (with dev API key), ADMIN_EMAIL, CREDENTIAL_ENCRYPTION_ALLOW_DEV_KEY: "1", SCHEDULED_TASK_AUTH_MODE: disabled, EMAIL_ENABLED: "false"; removed previous AWS-only block.

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly Related PRs

• LeanerCloud/CUDly#203: Implements bearer mode for scheduled-task authentication with SCHEDULED_TASK_SECRET_NAME env var, related to SCHEDULED_TASK_AUTH_MODE handling.

Suggested Labels

effort/s

Poem

🐰 I swapped the clouds for local air,
Env secrets snug, no ARNs to spare.
Disabled tasks and emails muted,
Dev keys in place, configs computed.
Docker hums — the local stack’s prepared. ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and accurately summarizes the main change: adding required environment variables to docker-compose.yml and .env.example for local development, with a specific reference to the closed issue.
Linked Issues check	✅ Passed	All coding requirements from issue #334 are met: docker-compose.yml sets all required env vars (SECRET_PROVIDER, SCHEDULED_TASK_AUTH_MODE, ADMIN_PASSWORD_SECRET/DEV, API_KEY_SECRET_ARN/DEV, ADMIN_EMAIL, CREDENTIAL_ENCRYPTION_ALLOW_DEV_KEY) with documented local-dev defaults, and .env.example documents every new variable with comments.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to issue #334 requirements: modifications to docker-compose.yml and .env.example only, with no unrelated changes to other files or functionality.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/compose-dev-secrets

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.env.example:
- Around line 61-71: Update the ADMIN_EMAIL default in the .env.example to match
the local-dev value used in docker-compose (change ADMIN_EMAIL from
admin@example.com to admin@cudly.local) so the template and docker-compose
defaults are consistent; modify the ADMIN_EMAIL entry in the file (look for the
ADMIN_EMAIL variable near ADMIN_PASSWORD_SECRET / ADMIN_PASSWORD_DEV) to the new
address.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: bab7b6ac-0481-4b9d-aac7-0f67650fca4e

📥 Commits

Reviewing files that changed from the base of the PR and between c95a6ac and 8fec8cd.

📒 Files selected for processing (2)

• .env.example
• docker-compose.yml

[cristim]

Addressed CR's actionable in commit b7a5f6d: .env.example ADMIN_EMAIL now admin@cudly.local to match docker-compose. @coderabbitai review

[coderabbitai]

@cristim Thanks for addressing that — aligning ADMIN_EMAIL in .env.example to admin@cudly.local keeps the two files consistent. Triggering a fresh review now.

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[cristim]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.