fix(security): remove hardcoded encryption keys from docker compose files

Replace hardcoded CHARON_ENCRYPTION_KEY with environment variable
substitution using Docker Compose required variable syntax.

docker-compose.playwright.yml: use ${CHARON_ENCRYPTION_KEY:?...}
docker-compose.e2e.yml: use ${CHARON_ENCRYPTION_KEY:?...}
e2e-tests.yml: add ephemeral key generation per CI run
.env.test.example: document the requirement prominently

Security: The old key exists in git history and must never be used
in production. Each CI run now generates a unique ephemeral key.

Refs: OWASP A02:2021 - Cryptographic Failures
GitHub Actions
2026-01-25 03:50:12 +00:00
parent a657d38930
commit 978f698570
4 changed files with 59 additions and 5 deletions


@@ -20,9 +20,9 @@ services:
- CHARON_ENV=development
- CHARON_DEBUG=0
- TZ=UTC
# E2E testing encryption key - 32 bytes base64 encoded (not for production!)
# Generated with: openssl rand -base64 32
- CHARON_ENCRYPTION_KEY=ucDWy5ScLubd3QwCHhQa2SY7wL2OF48p/c9nZhyW1mA=
# Encryption key - MUST be provided via environment variable
# Generate with: export CHARON_ENCRYPTION_KEY=$(openssl rand -base64 32)
- CHARON_ENCRYPTION_KEY=${CHARON_ENCRYPTION_KEY:?CHARON_ENCRYPTION_KEY is required}
- CHARON_HTTP_PORT=8080
- CHARON_DB_PATH=/app/data/charon.db
- CHARON_FRONTEND_DIR=/app/frontend/dist
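Review bot: The replacement comment above the `CHARON_ENCRYPTION_KEY=${CHARON_ENCRYPTION_KEY:?CHARON_ENCRYPTION_KEY is required}` line no longer states that the value must be 32 bytes, base64 encoded, which the old comment did. The `:?` form only makes Compose fail when the variable is unset or empty, so any other non-empty string is passed through to the container unchanged. Suggest keeping the format requirement in the comment, for example `# Encryption key - 32 bytes base64 encoded, MUST be provided via environment variable`, and confirming that the application rejects a key of the wrong length at startup rather than relying on this check.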


@@ -37,8 +37,9 @@ services:
- CHARON_DEBUG=0
- TZ=UTC
# E2E testing encryption key - 32 bytes base64 encoded (not for production!)
# Generated with: openssl rand -base64 32
- CHARON_ENCRYPTION_KEY=ucDWy5ScLubd3QwCHhQa2SY7wL2OF48p/c9nZhyW1mA=
# Encryption key - MUST be provided via environment variable
# Generate with: export CHARON_ENCRYPTION_KEY=$(openssl rand -base64 32)
- CHARON_ENCRYPTION_KEY=${CHARON_ENCRYPTION_KEY:?CHARON_ENCRYPTION_KEY is required}
# Server settings
- CHARON_HTTP_PORT=8080
- CHARON_DB_PATH=/app/data/charon.db
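Review bot: The old comment `# E2E testing encryption key - 32 bytes base64 encoded (not for production!)` appears to survive in this file, directly above the new `# Encryption key - MUST be provided via environment variable` comment. The header counts (`-37,8 +37,9`) add one line net, whereas the otherwise identical change in the other compose file is `-20,9 +20,9`. Two stacked comments describing the same variable in different terms are confusing next to a required secret; suggest deleting the old line, or merging the two, so both compose files carry the same wording.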