feat(local-secrets): introduce unified local secrets management and documentation

- Add example secret files for `app_key`, `db_user_password`, and `redis_password`.
- Introduce `local.vault.yml.example` for Ansible Vault encryption of local secrets.
- Create migration and setup scripts for transitioning from `.env.local` to secrets files.
- Update `docker-compose.local.yml` to adopt Docker Secrets and `_FILE` pattern for local configurations.
- Add deployment playbooks and enhanced logging configurations for local development.

docker-compose.local.yml

@@ -2,9 +2,11 @@
 # Usage: docker-compose -f docker-compose.base.yml -f docker-compose.local.yml up
 #
 # This file overrides base configuration with local development settings:
-# - Development ports (8888:80, 8443:443, 5433:5432)
+# - Development ports (8888:80, 443:443, 5433:5432)
 # - Host-mounted volumes for live code editing
 # - Debug flags enabled (APP_DEBUG, Xdebug)
+# - Redis with password (Docker Secrets)
+# - Docker Secrets via *_FILE pattern (consistent with staging/production)
 # - Development-friendly restart policies
 
 services:
@@ -47,10 +49,18 @@ services:
       - ./storage/uploads:/var/www/html/storage/uploads:rw
       - ./storage/analytics:/var/www/html/storage/analytics:rw
     environment:
-      PHP_IDE_CONFIG: "${PHP_IDE_CONFIG:-serverName=docker}"
-      APP_ENV: ${APP_ENV:-development}
-      APP_DEBUG: ${APP_DEBUG:-true}
-      XDEBUG_MODE: ${XDEBUG_MODE:-debug}
+      - PHP_IDE_CONFIG=${PHP_IDE_CONFIG:-serverName=docker}
+      - APP_ENV=${APP_ENV:-development}
+      - APP_DEBUG=${APP_DEBUG:-true}
+      - XDEBUG_MODE=${XDEBUG_MODE:-debug}
+      # Use Docker Secrets via *_FILE pattern (Framework supports this automatically)
+      - DB_PASSWORD_FILE=/run/secrets/db_user_password
+      - REDIS_PASSWORD_FILE=/run/secrets/redis_password
+      - APP_KEY_FILE=/run/secrets/app_key
+    secrets:
+      - db_user_password
+      - redis_password
+      - app_key
     restart: ${RESTART_POLICY:-unless-stopped}
     # NOTE: env_file not needed - Framework automatically loads .env.base → .env.local
     # Environment variables are loaded by EncryptedEnvLoader in the PHP application
@@ -77,6 +87,29 @@ services:
     container_name: db
     ports:
       - "${DB_EXTERNAL_PORT:-5433}:5432"
+    # Override environment to remove POSTGRES_PASSWORD (we use Docker Secrets via entrypoint)
+    environment:
+      POSTGRES_DB: ${DB_DATABASE:-michaelschiemer}
+      POSTGRES_USER: ${DB_USERNAME:-postgres}
+      # POSTGRES_PASSWORD is NOT set here - it's read from Docker Secret in entrypoint
+      # Performance & Connection Settings
+      POSTGRES_INITDB_ARGS: "-E UTF8 --locale=C"
+      PGDATA: /var/lib/postgresql/data/pgdata
+    secrets:
+      - db_user_password
+    # Use entrypoint to read password from Docker Secret
+    # This overrides the base.yml POSTGRES_PASSWORD environment variable
+    entrypoint: ["/bin/sh", "-c"]
+    command:
+      - |
+        POSTGRES_PASSWORD=$$(cat /run/secrets/db_user_password 2>/dev/null || echo '')
+        if [ -n "$$POSTGRES_PASSWORD" ]; then
+          export POSTGRES_PASSWORD
+          exec /usr/local/bin/docker-entrypoint.sh postgres -c config_file=/etc/postgresql/postgresql.conf
+        else
+          echo "⚠️  Warning: db_user_password secret not found, PostgreSQL may fail to start"
+          exec /usr/local/bin/docker-entrypoint.sh postgres -c config_file=/etc/postgresql/postgresql.conf
+        fi
     restart: ${RESTART_POLICY:-unless-stopped}
     logging:
       driver: "${LOG_DRIVER:-local}"
@@ -95,12 +128,29 @@ services:
   redis:
     container_name: redis
     restart: ${RESTART_POLICY:-unless-stopped}
+    secrets:
+      - redis_password
+    command: >
+      sh -c "redis-server
+      --requirepass $$(cat /run/secrets/redis_password)
+      --maxmemory 256mb
+      --maxmemory-policy allkeys-lru
+      --save 900 1
+      --save 300 10
+      --save 60 10000
+      --appendonly yes
+      --appendfsync everysec"
+    healthcheck:
+      test: ["CMD", "sh", "-c", "redis-cli --no-auth-warning -a $$(cat /run/secrets/redis_password) ping"]
+      interval: 30s
+      timeout: 5s
+      retries: 3
+      start_period: 10s
     logging:
       driver: "${LOG_DRIVER:-local}"
       options:
         max-size: "${LOG_MAX_SIZE:-5m}"
         max-file: "${LOG_MAX_FILE:-2}"
-    # NOTE: env_file not needed - Framework automatically loads .env.base → .env.local
     deploy:
       resources:
         limits:
@@ -121,6 +171,12 @@ services:
       - WORKER_DEBUG=${WORKER_DEBUG:-false}
       - WORKER_SLEEP_TIME=${WORKER_SLEEP_TIME:-100000}
       - WORKER_MAX_JOBS=${WORKER_MAX_JOBS:-1000}
+      # Use Docker Secrets via *_FILE pattern (Framework supports this automatically)
+      - DB_PASSWORD_FILE=/run/secrets/db_user_password
+      - REDIS_PASSWORD_FILE=/run/secrets/redis_password
+    secrets:
+      - db_user_password
+      - redis_password
     restart: unless-stopped
     # NOTE: env_file not needed - Framework automatically loads .env.base → .env.local
     deploy:
@@ -156,3 +212,8 @@ networks:
   cache:
     internal: ${NETWORK_CACHE_INTERNAL:-false}
 
+# Docker Secrets Configuration
+# Secrets are stored in ./secrets/ directory (relative to this file)
+# Note: Secrets are already defined in docker-compose.base.yml, but we activate them here
+# for local development. The base.yml defines the secret sources.
+