feat(env): persistent dev secrets via .env.secrets override

Local dev secrets like MANA_STT_API_KEY had no persistent home — they
lived only in the gitignored, generator-overwritten per-app .env files.
Every `pnpm setup:env` wiped them, so devs had to re-paste keys after
any env regeneration. Same recurring friction for MANA_LLM_API_KEY,
MANA_AUTH_KEK, OAuth keys, etc.

New layer: `.env.secrets` at the repo root.

- Gitignored, optional, never required for the build to pass
- Read by generate-env.mjs AFTER .env.development; non-empty values
  override the matching key, so the merged result drives every per-app
  .env the generator writes
- Empty values fall through to the .env.development defaults — a
  freshly-copied .env.secrets.example is a no-op
- One source of truth for all dev secrets, propagated to every app
  with one `pnpm setup:env`

Files:
- `.env.secrets.example` — committed template documenting all known
  secret keys (mana-stt, mana-llm, auth KEK, sync JWT, MinIO, third-
  party APIs). Devs `cp .env.secrets.example .env.secrets` and fill in.
- `.gitignore` — ignores .env.secrets, allows .env.secrets.example
- `scripts/generate-env.mjs` — loads .env.secrets if present, prints
  "Loaded N secrets from .env.secrets" so devs see the override
  taking effect
- `scripts/setup-secrets.mjs` + `pnpm setup:secrets` — convenience
  script that SSHes to mana-server, greps the prod .env for the keys
  defined in .env.secrets.example, and writes them locally. Confirms
  before overwriting an existing .env.secrets unless --force is set;
  reports which keys couldn't be found on the remote so devs know
  what's left to fill manually
- `docs/LOCAL_DEVELOPMENT.md` + `docs/ENVIRONMENT_VARIABLES.md` —
  walk-through and architecture diagram update

Verified end-to-end:
- `rm .env.secrets apps/mana/apps/web/.env && pnpm setup:env` →
  STT key empty (no regression for devs who haven't opted in)
- `pnpm setup:secrets --force && pnpm setup:env` →
  STT key propagated, "Loaded 3 secrets from .env.secrets" in output
- POST /api/v1/voice/transcribe with a real audio file →
  full transcript back via gpu-stt.mana.how, end-to-end working

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

docs/ENVIRONMENT_VARIABLES.md

@@ -17,16 +17,26 @@ That's it! All app-specific `.env` files are generated from `.env.development`.
 ## How It Works
 
 ```
-.env.development          # Central config (committed)
+.env.development          # Central config (committed, no secrets)
+        │
+        ├── .env.secrets   # Optional gitignored override (your API keys)
+        ▼
+scripts/generate-env.mjs   # Merges + transforms variables
         │
         ▼
-scripts/generate-env.mjs  # Transforms variables
-        │
-        ▼
-apps/**/apps/**/.env      # Generated files (gitignored)
+apps/**/apps/**/.env       # Generated files (gitignored)
 ```
 
-The generator reads `.env.development` and creates app-specific `.env` files with the correct prefixes for each platform:
+The generator reads `.env.development` first, then layers `.env.secrets` (if it exists) on
+top — non-empty values in `.env.secrets` override the matching key in `.env.development`.
+This is where personal dev secrets like `MANA_STT_API_KEY` live, so you don't have to
+re-paste them into per-app `.env` files after every `pnpm setup:env`.
+
+To populate `.env.secrets` from the Mac Mini in one shot, run `pnpm setup:secrets` (see
+[`docs/LOCAL_DEVELOPMENT.md`](LOCAL_DEVELOPMENT.md#personal-dev-secrets--envsecrets) for
+the full walk-through).
+
+The generator then creates app-specific `.env` files with the correct prefixes for each platform:
 
 | Platform | Prefix | Example |
 |----------|--------|---------|

docs/LOCAL_DEVELOPMENT.md

@@ -101,12 +101,50 @@ pnpm docker:up
 # 2. Build mana-sync (first time only, or after Go changes)
 pnpm dev:sync:build
 
-# 3. Generate environment files (runs automatically on pnpm install)
+# 3. (Optional) Pull dev secrets from the Mac Mini into .env.secrets
+pnpm setup:secrets
+
+# 4. Generate environment files (runs automatically on pnpm install)
 pnpm setup:env
 ```
 
 For `dev:*:local`, only mana-sync needs to be built. No Docker required unless your server uses a database.
 
+### Personal dev secrets — `.env.secrets`
+
+`.env.development` is committed and contains non-secret defaults. Real API keys (mana-stt,
+gpu-llm, OpenRouter, etc.) live in a separate gitignored `.env.secrets` at the repo root.
+The env generator merges this file on top of `.env.development`, so any key you set there
+gets propagated into every per-app `.env` on `pnpm setup:env` — no more re-pasting keys
+into individual app folders after every regeneration.
+
+**One-time setup:**
+
+```bash
+# Pulls keys from ~/projects/mana-monorepo/.env on the Mac Mini via SSH
+pnpm setup:secrets
+
+# Then propagate into per-app .env files
+pnpm setup:env
+```
+
+`pnpm setup:secrets` reads `.env.secrets.example` to know which keys to look for, asks
+before overwriting an existing `.env.secrets`, and reports which keys it couldn't find on
+the remote (some service-specific keys live in their own per-service `.env` files on the
+Mac Mini and need to be filled in manually).
+
+If you don't have SSH access to `mana-server`, copy the template and fill values manually:
+
+```bash
+cp .env.secrets.example .env.secrets
+$EDITOR .env.secrets
+pnpm setup:env
+```
+
+Empty values in `.env.secrets` are no-ops — they fall through to the `.env.development`
+defaults. So a freshly-copied template doesn't change anything until you start filling
+keys in.
+
 ## Database Setup Commands
 
 ### Individual Service Setup