fix: infrastructure hardening and documentation improvements

- Add *.sqlite* patterns to .gitignore
- Expand .dockerignore to exclude chart/, docs/, .github/, etc.
- Add HEALTHCHECK instruction to Dockerfile
- Fix Helm chart: preserve JWT secret across upgrades (lookup),
  add securityContext, conditional PVC creation, resource defaults
- Remove hardcoded demo credentials from MCP.md
- Complete .env.example with all configurable environment variables

https://claude.ai/code/session_01SoQKcF5Rz9Y8Nzo4PzkxY8

server/.env.example

@@ -1,4 +1,33 @@
-PORT=3001
-JWT_SECRET=your-super-secret-jwt-key-change-in-production
+PORT=3000
 NODE_ENV=development
 DEBUG=false
+
+# REQUIRED for production — generate with: openssl rand -hex 32
+JWT_SECRET=CHANGEME_GENERATE_WITH_openssl_rand_hex_32
+
+# Timezone (defaults to system timezone)
+# TZ=UTC
+
+# CORS — comma-separated origins (leave unset for same-origin in production, allow-all in development)
+# ALLOWED_ORIGINS=https://trek.example.com
+
+# Force HTTPS redirect (set to true behind TLS-terminating proxy)
+# FORCE_HTTPS=true
+
+# Trust proxy (set to number of proxy hops, e.g. 1 for single reverse proxy)
+# TRUST_PROXY=1
+
+# Application URL (used for OIDC callback validation)
+# APP_URL=https://trek.example.com
+
+# Demo mode (enables demo login, disables registration)
+# DEMO_MODE=false
+
+# --- OIDC / SSO ---
+# OIDC_ISSUER=https://auth.example.com
+# OIDC_CLIENT_ID=
+# OIDC_CLIENT_SECRET=
+# OIDC_DISPLAY_NAME=SSO
+# OIDC_ONLY=false
+# OIDC_ADMIN_CLAIM=groups
+# OIDC_ADMIN_VALUE=app-trek-admins