#729 Vault/secrets handling for docker-compose dev environment
Description
## Problem
Production uses Vault sidecar injection in K8s:
- vault.hashicorp.com/agent-inject annotations
- Secrets written to /vault/secrets/db
- ConfigMap mounted at /etc/highway/config.ini
Docker-compose cannot use Vault sidecar. Need alternative approach.
## Solution Options
### Option A: Vault dev mode container
- Run Vault in dev mode as docker-compose service
- Pre-seed with dev secrets
- Workers/API connect to local Vault
### Option B: Environment variable override (RECOMMENDED)
- Create docker/dev.env with all secrets as env vars
- Modify engine/config.py to support env var fallback
- Example:
```env
POSTGRES_PASSWORD=devpassword
JWT_SECRET_KEY=devsecret
VAULT_TOKEN_DEFAULT=devtoken
```
### Option C: .secrets file
- Mount a local .secrets file instead of Vault injection
- Same format as /vault/secrets/db
## Implementation
1. Modify engine/config.py to check ENV vars before Vault
2. Create docker/dev.env.example (git tracked, no real secrets)
3. Create docker/dev.env (git ignored, real dev secrets)
4. Update docker-compose.dev.yml to load env_file
## Key overrides needed
- POSTGRES_PASSWORD
- JWT_SECRET_KEY
- VAULT_TOKEN_* (admin, demo, default, platform, test)
- DEEPSEEK_API_KEY (optional for dev)
- SMTP credentials (optional)
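Sketch of the env-var-before-Vault lookup from the implementation steps, covering the key overrides listed above. This is an added example, not code from engine/config.py; the KEY=value format of /vault/secrets/db, the upper-case VAULT_TOKEN_* suffixes and the SMTP variable names are assumptions.

```python
"""Secret resolution for the dev environment: env var first, then the Vault-injected
file, and a hard failure (not a baked-in dev secret) when a required value is absent."""
import os
from pathlib import Path

# Path from the production sidecar setup; secret names from the issue.
VAULT_SECRETS_FILE = Path("/vault/secrets/db")
REQUIRED_SECRETS = ("POSTGRES_PASSWORD", "JWT_SECRET_KEY") + tuple(
    f"VAULT_TOKEN_{s}" for s in ("ADMIN", "DEMO", "DEFAULT", "PLATFORM", "TEST")
)
OPTIONAL_SECRETS = ("DEEPSEEK_API_KEY", "SMTP_USER", "SMTP_PASSWORD")  # names assumed


def parse_secrets_text(text):
    """Parse KEY=value lines (assumed format of the Vault agent output); skip comments/blanks."""
    secrets = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        secrets[key.strip()] = value.strip().strip('"')
    return secrets


def parse_secrets_file(path):
    """Return the parsed Vault file, or an empty dict when no sidecar wrote one (docker-compose)."""
    path = Path(path)
    return parse_secrets_text(path.read_text()) if path.is_file() else {}


def resolve_secrets(environ=None, secrets_file=VAULT_SECRETS_FILE):
    """Return (resolved, missing). Env vars win over the file; empty strings count as unset."""
    environ = os.environ if environ is None else environ
    from_file = parse_secrets_file(secrets_file)
    resolved = {}
    for name in REQUIRED_SECRETS + OPTIONAL_SECRETS:
        value = environ.get(name) or from_file.get(name)
        if value:
            resolved[name] = value
    missing = [name for name in REQUIRED_SECRETS if name not in resolved]
    return resolved, missing


def load_config(environ=None, secrets_file=VAULT_SECRETS_FILE):
    """Fail fast so a worker never starts with a silently defaulted credential."""
    resolved, missing = resolve_secrets(environ, secrets_file)
    if missing:
        raise RuntimeError("missing required secrets: " + ", ".join(missing))
    return resolved
```

With docker/dev.env loaded via env_file, every required name resolves from the environment and the Vault path is simply never consulted.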
## Parent: #726