docs(readme): env-vars table only documents 9 of 19 configurable env variables

[CryptoJones]

Problem

README.md § Environment variables lists 9 env vars:

PORT, HOST, CORS_ORIGIN, DB_HOST, DB_PORT, DB_NAME, DB_USER,
DB_PASSWORD, PUBLIC_BASE_URL

The codebase actually consumes 19 (see grep -rhEo 'process\.env\.[A-Z_]+' app/ server.js | sort -u). Missing from the README:

Var	What an operator might tune it for
NODE_ENV	Hard-fail on empty DB_PASSWORD in production
TRUST_PROXY	Resolve real client IP behind nginx/caddy
LOG_LEVEL / LOG_PRETTY	Volume / format tuning
DB_LOG_QUERIES	SQL trace
JSON_BODY_LIMIT	Body-size DoS cap
HELMET_CSP	Re-enable CSP for HTML surfaces
RATE_LIMIT_MAX / RATE_LIMIT_WINDOW_MS	Per-key budget
METRICS_BEARER_TOKEN	/metrics auth
SHUTDOWN_TIMEOUT_MS	Drain window vs orchestrator SIGKILL
TLS_DOMAIN / TLS_EMAIL	Caddy reverse-proxy compose

.env.example documents all of them, but the README is what operators
read first to size up the deployment surface. The 9-row table leaves
them with a misleadingly small mental model of what's configurable.

Fix

Resync the README table so it matches the full env surface, grouped
by concern (server / proxy / db / logging / body / security / rate-
limit / observability / lifecycle / tls). Keep .env.example cited as
the canonical artifact.

Acceptance

• All 19 env vars consumed in code appear in the README table
• Rows are grouped by concern (server, db, logging, etc.)
• .env.example still pointed to as canonical reference

Proudly Made in Nebraska. Go Big Red! 🌽 https://xkcd.com/2347/