Add Directus service configuration and environment variables to deployment stack

.env.example

@@ -51,6 +51,61 @@ PROCESSOR_TAG=main
 # Pending Entries List, which is undefined behaviour).
 PROCESSOR_INSTANCE_ID=processor-1
 
+# ---------------------------------------------------------------------
+# directus (business plane)
+# ---------------------------------------------------------------------
+
+# Image tag to pull. `main` auto-tracks the latest commit on the main branch.
+# In production, pin to a specific commit SHA for reproducibility.
+#   Example: DIRECTUS_TAG=ef8bd91
+DIRECTUS_TAG=main
+
+# Note: directus is intentionally NOT host-published. The admin UI + API
+# listen on port 8055 inside the `trm_default` Compose network only,
+# reachable as `http://directus:8055` from a reverse proxy (Traefik /
+# Caddy / nginx) on the host or attached to the same network. Wire your
+# proxy to forward your public domain to that internal address; the
+# proxy handles TLS, auth headers, and any WAF / rate-limit policy.
+# For local dev (compose.dev.yaml in trm/directus) the dev compose
+# host-publishes 8055 directly — this prod stack does not.
+
+# REQUIRED. Instance identity key (any UUID) and JWT signing secret
+# (long random string). Generate fresh values per environment:
+#   DIRECTUS_KEY=$(uuidgen)
+#   DIRECTUS_SECRET=$(openssl rand -hex 64)
+# Two instances sharing these produce colliding tokens — never reuse
+# stage's KEY/SECRET in production. The compose defaults are obvious
+# placeholders and will fail on any meaningful KEY validation.
+DIRECTUS_KEY=REPLACE-ME-WITH-A-UUID
+DIRECTUS_SECRET=REPLACE-ME-WITH-A-LONG-RANDOM-STRING
+
+# First-boot admin user. Created automatically when directus_users is
+# empty at first boot; ignored on subsequent boots. Change the password
+# via the admin UI after first login (the password env var is NOT a
+# rotation mechanism — only the initial seed).
+DIRECTUS_ADMIN_EMAIL=admin@example.com
+DIRECTUS_ADMIN_PASSWORD=CHANGE-ON-FIRST-LOGIN
+
+# Public-facing URL used in password-reset emails, OAuth redirects, and
+# asset URLs. In real prod set to https://<your-domain>; the localhost
+# default is for first-deploy smoke testing only.
+DIRECTUS_PUBLIC_URL=http://localhost:8055
+
+# Optional toggles. Defaults disable cache and CORS. Enable per env:
+#   DIRECTUS_CACHE_ENABLED=true   (then configure CACHE_STORE etc. directly
+#                                  in compose.yaml — Directus has 20+
+#                                  cache-related env vars not exposed here)
+#   DIRECTUS_CORS_ENABLED=true
+#   DIRECTUS_CORS_ORIGIN=https://your-spa.example.com
+DIRECTUS_CACHE_ENABLED=false
+DIRECTUS_CORS_ENABLED=false
+DIRECTUS_CORS_ORIGIN=false
+
+# pino log style: json (structured, for log aggregators) | pretty (human-readable).
+# Defaults to json in compose.yaml — production-friendly. Set to `pretty`
+# for local debugging.
+LOG_STYLE=json
+
 # ---------------------------------------------------------------------
 # Shared
 # ---------------------------------------------------------------------