feat: update deployment configuration and encrypted env loader

- Update Ansible playbooks and roles for application deployment
- Add new Gitea/Traefik troubleshooting playbooks
- Update Docker Compose configurations (base, local, staging, production)
- Enhance EncryptedEnvLoader with improved error handling
- Add deployment scripts (autossh setup, migration, secret testing)
- Update CI/CD workflows and documentation
- Add Semaphore stack configuration

docs/deployment/env-production-template.md

@@ -303,14 +303,20 @@ php console.php ssl:test
 
 ## Environment File Hierarchy
 
+**New Base + Override Pattern (Development):**
 ```
-.env.example          # Template with placeholders
-.env                  # Development (local, debug enabled)
-.env.staging          # Staging (production-like, staging SSL)
-.env.production       # Production (this template)
+.env.example          # Template with placeholders (documentation)
+.env.base             # Shared variables for all environments (versioned)
+.env.local            # Local development overrides (gitignored)
+.env.staging          # Staging-specific overrides (optional, gitignored)
+.env.production       # Production (generated by Ansible - this template)
 ```
 
-**Load Priority**: `.env.production` > `.env` > Environment Variables > Defaults
+**Production Load Priority**: Docker ENV vars → `.env.production` (generated by Ansible) → Environment Variables → Defaults
+
+**Development Load Priority**: `.env.base` → `.env.local` → System ENV vars
+
+**Note**: Framework automatically loads `.env.base` + `.env.local` in development. For production, Ansible generates `.env.production` with `*_FILE` pattern for Docker Secrets.
 
 ## Docker Compose Integration