fix: Remove hardcoded secrets from docker-compose

Docker was using a hardcoded JWT secret which isn't great even for dev.
Now pulls from .env file with a clear error if JWT_SECRET isn't set.

Also rewrote the Quick Start section - was confusing about whether
Docker runs just the API or the full stack. Now shows both options.

Author: jonmartin721

.env.example

@@ -1,6 +1,8 @@
 # .env.example
 # Copy this file to .env and fill in your values
 # DO NOT commit your actual .env file to version control
+#
+# These variables are used by both docker-compose and local development.
 
 # -----------------------------------------------------------------------------
 # Database Configuration

.gitignore

@@ -13,6 +13,11 @@ TestResults/
 # TUI Log Files
 *.log
 
+# Environment files (contains secrets)
+.env
+.env.local
+.env.*.local
+
 # Node
 node_modules/
 npm-debug.log*

README.md

@@ -61,19 +61,30 @@ curl -X POST http://localhost:5257/api/documents/generate \
 
 (Requires Docker OR .NET 8 SDK + Node.js 18+)
 
-**With Docker** (runs API only):
+**With Docker**:
 ```bash
 git clone https://github.com/jonmartin721/docforge-api.git
 cd docforge-api
-docker-compose up -d
 
-# Then start the frontend separately
-cd DocumentGenerator.Client
-npm install
-npm run dev
+# 1. Configure environment
+cp .env.example .env
+# Edit .env and set JWT_SECRET (minimum 32 characters)
+
+# 2. Build frontend and start everything
+docker-compose --profile build up docforge-frontend-builder  # Build frontend once
+docker-compose up -d                                          # Start API + nginx
 ```
 
-Then open:
+Then open http://localhost (nginx serves both frontend and API).
+
+**For development** (hot reload on frontend):
+```bash
+cp .env.example .env  # Set JWT_SECRET
+docker-compose up -d docforge-api  # API only
+
+# Frontend with hot reload (separate terminal)
+cd DocumentGenerator.Client && npm install && npm run dev
+```
 - **Frontend**: http://localhost:5173
 - **API**: http://localhost:5000/swagger
 
@@ -112,7 +123,7 @@ chmod +x docforge.sh && ./docforge.sh
 - **Works offline** - No external API calls, runs entirely on your infrastructure
 - **Handles the hard parts** - Chrome rendering, proper fonts, page breaks that don't suck
 - **Multi-user ready** - JWT auth built in, not bolted on later
-- **Docker support** - API runs in container, frontend runs locally (Vite)
+- **Docker support** - Full stack runs in containers, or API-only for development with hot reload
 
 ## Architecture
 

docker-compose.yml

@@ -11,12 +11,12 @@ services:
     ports:
       - "5000:8080"
     environment:
-      - ASPNETCORE_ENVIRONMENT=Development
-      - ConnectionStrings__DefaultConnection=Data Source=/app/data/documentgenerator.db
-      - JwtSettings__Secret=THIS_IS_A_SUPER_SECRET_KEY_FOR_JWT_TOKEN_GENERATION_AT_LEAST_32_CHARS
-      - JwtSettings__Issuer=DocForge
-      - JwtSettings__Audience=DocForgeUsers
-      - JwtSettings__ExpirationMinutes=60
+      - ASPNETCORE_ENVIRONMENT=${ASPNETCORE_ENVIRONMENT:-Development}
+      - ConnectionStrings__DefaultConnection=${DATABASE_CONNECTION_STRING:-Data Source=/app/data/documentgenerator.db}
+      - JwtSettings__Secret=${JWT_SECRET:?JWT_SECRET is required - copy .env.example to .env}
+      - JwtSettings__Issuer=${JWT_ISSUER:-DocForge}
+      - JwtSettings__Audience=${JWT_AUDIENCE:-DocForge}
+      - JwtSettings__ExpirationMinutes=${JWT_EXPIRATION_MINUTES:-60}
     volumes:
       - ./data:/app/data
       - ./GeneratedDocuments:/app/GeneratedDocuments