feat(env): persistent dev secrets via .env.secrets override
Local dev secrets like MANA_STT_API_KEY had no persistent home — they lived only in the gitignored, generator-overwritten per-app .env files. Every `pnpm setup:env` wiped them, so devs had to re-paste keys after any env regeneration. Same recurring friction for MANA_LLM_API_KEY, MANA_AUTH_KEK, OAuth keys, etc. New layer: `.env.secrets` at the repo root. - Gitignored, optional, never required for the build to pass - Read by generate-env.mjs AFTER .env.development; non-empty values override the matching key, so the merged result drives every per-app .env the generator writes - Empty values fall through to the .env.development defaults — a freshly-copied .env.secrets.example is a no-op - One source of truth for all dev secrets, propagated to every app with one `pnpm setup:env` Files: - `.env.secrets.example` — committed template documenting all known secret keys (mana-stt, mana-llm, auth KEK, sync JWT, MinIO, third-party APIs). Devs `cp .env.secrets.example .env.secrets` and fill in. - `.gitignore` — ignores .env.secrets, allows .env.secrets.example - `scripts/generate-env.mjs` — loads .env.secrets if present, prints "Loaded N secrets from .env.secrets" so devs see the override taking effect - `scripts/setup-secrets.mjs` + `pnpm setup:secrets` — convenience script that SSHes to mana-server, greps the prod .env for the keys defined in .env.secrets.example, and writes them locally. 
Confirms before overwriting an existing .env.secrets unless --force is set; reports which keys couldn't be found on the remote so devs know what's left to fill manually - `docs/LOCAL_DEVELOPMENT.md` + `docs/ENVIRONMENT_VARIABLES.md` — walk-through and architecture diagram update Verified end-to-end: - `rm .env.secrets apps/mana/apps/web/.env && pnpm setup:env` → STT key empty (no regression for devs who haven't opted in) - `pnpm setup:secrets --force && pnpm setup:env` → STT key propagated, "Loaded 3 secrets from .env.secrets" in output - POST /api/v1/voice/transcribe with a real audio file → full transcript back via gpu-stt.mana.how, end-to-end working Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
93748c0c9c
commit
4fce6a3ede
7 changed files with 335 additions and 8 deletions
|
|
@ -16,6 +16,11 @@ import { fileURLToPath } from 'url';
|
|||
const __dirname = dirname(fileURLToPath(import.meta.url));
|
||||
const ROOT_DIR = join(__dirname, '..');
|
||||
const ENV_FILE = join(ROOT_DIR, '.env.development');
|
||||
// Optional gitignored override for personal dev secrets. Keys defined
|
||||
// here win over .env.development, so devs can keep API keys in one
|
||||
// place instead of re-pasting them into per-app .env files after every
|
||||
// `pnpm setup:env`. See .env.secrets.example for the template.
|
||||
const SECRETS_FILE = join(ROOT_DIR, '.env.secrets');
|
||||
|
||||
// Parse a .env file into an object
|
||||
function parseEnvFile(content) {
|
||||
|
|
@ -763,6 +768,25 @@ function main() {
|
|||
const sourceContent = readFileSync(ENV_FILE, 'utf-8');
|
||||
const sourceEnv = parseEnvFile(sourceContent);
|
||||
|
||||
// Layer .env.secrets (gitignored) on top — only non-empty values
|
||||
// override. An empty value in .env.secrets is treated as "use the
|
||||
// .env.development default", so a freshly-copied .env.secrets.example
|
||||
// (all keys present, all values empty) is a no-op.
|
||||
let secretsLoaded = 0;
|
||||
if (existsSync(SECRETS_FILE)) {
|
||||
const secretsContent = readFileSync(SECRETS_FILE, 'utf-8');
|
||||
const secretsEnv = parseEnvFile(secretsContent);
|
||||
for (const [key, value] of Object.entries(secretsEnv)) {
|
||||
if (value !== '' && value !== undefined) {
|
||||
sourceEnv[key] = value;
|
||||
secretsLoaded++;
|
||||
}
|
||||
}
|
||||
console.log(
|
||||
`Loaded ${secretsLoaded} secret${secretsLoaded === 1 ? '' : 's'} from .env.secrets\n`
|
||||
);
|
||||
}
|
||||
|
||||
let generated = 0;
|
||||
let skipped = 0;
|
||||
|
||||
|
|
|
|||
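Review bot: The override loop in the second hunk applies every non-empty key from .env.secrets to `sourceEnv` without checking that the key exists in .env.development, so a misspelled key name is silently added as a new variable and the summary line only reports a count, giving the developer no way to see which keys actually took effect. Because the merged object drives every per-app .env the generator writes, it would help to print the overridden key names (names only — never the values, since this output also lands in CI and terminal logs) and to warn about keys that have no counterpart in .env.development. The sketch below keeps the existing precedence and the "use the default when empty" rule and only adds reporting; the same key-name reporting would be the natural place to flag a non-secret key being overridden, which the current design allows without notice. main() begins and ends outside the hunk.
```javascript
// … unchanged: existsSync guard and parseEnvFile(secretsContent) …
const overridden = [];
const unknown = [];
for (const [key, value] of Object.entries(secretsEnv)) {
  if (value === '' || value === undefined) continue;
  if (!Object.hasOwn(sourceEnv, key)) unknown.push(key);
  sourceEnv[key] = value;
  overridden.push(key);
}
// Report key names only; secret values must never be echoed to stdout.
console.log(
  `Loaded ${overridden.length} secret${overridden.length === 1 ? '' : 's'} from .env.secrets` +
    (overridden.length > 0 ? `: ${overridden.join(', ')}` : '') +
    '\n'
);
if (unknown.length > 0) {
  console.warn(
    `Warning: ${unknown.join(', ')} not defined in .env.development — check .env.secrets for typos\n`
  );
}
```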