feat(secrets): integrate doppler project cms for stage/prod

[tataihono]

Background

Epic #67 requires Doppler as source of truth for environment variables/secrets. CMS needs a dedicated Doppler project and CI/runtime injection model.

Expected outcome

Doppler project cms with stage and prod configurations is integrated into deployment workflows and documented, with clear key mapping to CMS runtime config.

Acceptance criteria

• Doppler project cms exists with configs: stage, prod (and optional dev if needed).
• Required CMS keys are defined with owner notes and rotation expectations.
• GitHub Actions uses Doppler token(s) to inject runtime values.
• No sensitive CMS secrets are committed to repo or long-lived static GH secrets.
• Secret mapping document links key -> consuming config path.

Possible solution(s)

1. Use Doppler service tokens scoped per environment.
2. Inject env vars at workflow runtime for Terraform/app deploy jobs.
3. Keep a generated non-secret .env.example contract in repo for developer clarity.

References

• Parent epic: feat(cms-deploy): deploy cms to aws with stage/prod #67
• apps/cms/.env.example
• apps/cms/config/server.ts
• apps/cms/config/database.ts
• .github/workflows/*

[tataihono]

Execution plan for #71:

1. Audit current Terraform + workflow setup for CMS secrets and ECS task environment wiring.
2. Add Terraform resources for SSM Parameter Store paths for CMS stage/prod and IAM permissions for ECS task/runtime reads.
3. Add/extend CI workflow to sync Doppler cms config values into SSM Parameter Store for stage/main deploy flows.
4. Wire ECS task definition/container env to consume the synced SSM parameters immediately on deploy.
5. Add minimal docs mapping Doppler keys -> SSM paths -> container env contract.
6. Validate workflow syntax and Terraform formatting/validation for touched modules.