chore: release-prep docs, env vars, compose, and e2e port hygiene

- README rewritten end-to-end: stack, quick start, dev workflow, full
  /api/v1 endpoint table, error and pagination envelopes, auth
  quick-start (browser + bot bearer), configuration table, deployment
  notes, backup/restore pointer. Stale "next features" section dropped
  now that all eight feat branches are in.
- .env.example now lists every env var the backend reads, with
  inline explanations:
  - COOKIE_SECURE / COOKIE_DOMAIN / SESSION_TTL_DAYS (auth)
  - CORS_ALLOWED_ORIGINS (same-origin by default)
  - MAX_REQUEST_BYTES / MAX_FILE_BYTES (upload caps)
  - Postgres + storage + log vars carried over.
- docker-compose.yml forwards all of the above into the backend
  service with `${VAR:-default}` so an unset value falls back to the
  same default the code uses, and any `.env` override flows through
  without a compose edit.
- docs/backup.md: step-by-step backup, restore, and smoke-test drill
  for both stateful volumes (postgres-data + storage-data), plus a
  list of what's deliberately *not* in the backup (e.g., .env).
- playwright.config.ts: pins the e2e dev server to port 5174 with
  `--strictPort` so it neither reuses nor silently bumps off
  collision with another vite instance on 5173. Drops the flaky
  manual-start workflow the earlier branches needed.
- docker-compose syntax (both prod and dev) validates cleanly against
  .env.example with no undefined-variable warnings.

No version bump — this is documentation, config, and tooling.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.env.example

@@ -1,15 +1,51 @@
-# Copy to .env for `docker compose up`.
-# Local dev (cargo run / npm run dev) reads backend/.env if present.
+# Copy to .env for `docker compose up --build`. Local-dev runs (cargo run
+# / npm run dev) read backend/.env if present, or pick up the variables
+# from your shell.
 
+# ----- Postgres -----
+# These are read by the Postgres container *and* by DATABASE_URL below;
+# changing them after the first boot won't migrate existing data, so set
+# them up front for any new deployment.
 POSTGRES_USER=mangalord
 POSTGRES_PASSWORD=mangalord
 POSTGRES_DB=mangalord
 
+# ----- Backend -----
 DATABASE_URL=postgres://mangalord:mangalord@postgres:5432/mangalord
 BIND_ADDRESS=0.0.0.0:8080
 STORAGE_DIR=/var/lib/mangalord/storage
 RUST_LOG=info,mangalord=debug
 
-# Public base URL the frontend uses to reach the API from the browser.
-# In docker compose this is exposed on the host.
+# ----- Auth / cookies -----
+# COOKIE_SECURE controls whether the `Secure` flag is set on the session
+# cookie. Keep `true` in production (HTTPS); set to `false` if you're
+# serving over plain HTTP locally (e.g., behind a dev reverse proxy).
+COOKIE_SECURE=true
+# COOKIE_DOMAIN scopes the session cookie. Leave empty to default to the
+# requesting host. Set when serving the API and frontend on subdomains of
+# a shared parent (e.g., `.example.com`) so the cookie is shared.
+COOKIE_DOMAIN=
+# Session lifetime in days. Expired sessions are no longer accepted and
+# get reaped lazily.
+SESSION_TTL_DAYS=30
+
+# ----- CORS -----
+# Comma-separated origins allowed to call the API with credentials.
+# Default is empty: same-origin only. Set when frontend and backend live
+# on different hosts. Example: https://app.example.com,https://app.example.de
+CORS_ALLOWED_ORIGINS=
+
+# ----- Upload limits -----
+# Per-request body cap. axum rejects oversized requests with 413 before
+# our handlers run. Default 200 MiB.
+MAX_REQUEST_BYTES=209715200
+# Per-image-part cap. Enforced after reading each part, so a single
+# oversized image is rejected even when the total request fits.
+# Default 20 MiB.
+MAX_FILE_BYTES=20971520
+
+# ----- Frontend -----
+# Public base URL the browser uses to reach the API. Behind a reverse
+# proxy that serves /api/* from the frontend host, set this to /api so
+# the calls stay same-origin.
 PUBLIC_API_BASE=http://localhost:8080/api