docs: document runtime env vars and same-origin proxy access

docker/.env.example

@@ -30,6 +30,9 @@ SECRET_KEY=replace_me_with_a_random_string
 # Auth type: LOCAL (email/password) or GOOGLE (OAuth)
 AUTH_TYPE=LOCAL
 
+# Deployment mode: self-hosted enables local filesystem connectors; cloud hides them.
+DEPLOYMENT_MODE=self-hosted
+
 # Allow new user registrations (TRUE or FALSE)
 # REGISTRATION_ENABLED=TRUE
 
@@ -45,9 +48,8 @@ EMBEDDING_MODEL=sentence-transformers/all-MiniLM-L6-v2
 # ------------------------------------------------------------------------------
 # How You Access SurfSense
 # ------------------------------------------------------------------------------
-# Default local URL: http://localhost:3929
-# Most local installs can leave this unchanged.
-# SURFSENSE_PUBLIC_URL=http://localhost:3929
+# One public URL. Browser traffic stays same-origin and Caddy routes internally.
+SURFSENSE_PUBLIC_URL=http://localhost:3929
 
 # ------------------------------------------------------------------------------
 # Public Ports
@@ -57,8 +59,8 @@ EMBEDDING_MODEL=sentence-transformers/all-MiniLM-L6-v2
 #
 # Local default: LISTEN_HTTP_PORT=3929
 # Domain default: LISTEN_HTTP_PORT=80 and LISTEN_HTTPS_PORT=443
-# LISTEN_HTTP_PORT=3929
-# LISTEN_HTTPS_PORT=443
+LISTEN_HTTP_PORT=3929
+LISTEN_HTTPS_PORT=443
 
 # ------------------------------------------------------------------------------
 # Custom Domain / HTTPS
@@ -67,8 +69,8 @@ EMBEDDING_MODEL=sentence-transformers/all-MiniLM-L6-v2
 # Set it to your domain to enable automatic HTTPS:
 # SURFSENSE_SITE_ADDRESS=surf.example.com
 # CERT_EMAIL=you@example.com
-# SURFSENSE_SITE_ADDRESS=:80
-# CERT_EMAIL=
+SURFSENSE_SITE_ADDRESS=:80
+CERT_EMAIL=
 
 # ------------------------------------------------------------------------------
 # Advanced Reverse Proxy Settings
@@ -78,18 +80,13 @@ EMBEDDING_MODEL=sentence-transformers/all-MiniLM-L6-v2
 #
 # CERT_ACME_CA=https://acme-v02.api.letsencrypt.org/directory
 # CERT_ACME_DNS=
+# If a CDN/load balancer sits in front of Caddy, narrow this to that proxy's CIDRs.
 # TRUSTED_PROXIES=0.0.0.0/0
 # SURFSENSE_MAX_BODY_SIZE=5GB
 #
-# These browser-facing URLs are derived from SURFSENSE_PUBLIC_URL in
-# docker-compose.yml:
-# NEXT_FRONTEND_URL=${SURFSENSE_PUBLIC_URL}
-# BACKEND_URL=${SURFSENSE_PUBLIC_URL}
-# NEXT_PUBLIC_FASTAPI_BACKEND_URL=${SURFSENSE_PUBLIC_URL}
-# NEXT_PUBLIC_ZERO_CACHE_URL=${SURFSENSE_PUBLIC_URL}/zero
-#
-# Internal service-to-service URL. Usually do not change.
-# FASTAPI_BACKEND_INTERNAL_URL=http://backend:8000
+# Browser API and Zero URLs are same-origin relative behind bundled Caddy.
+# Next.js server-side calls use Docker DNS through SURFSENSE_BACKEND_INTERNAL_URL
+# set internally by docker-compose.yml. Usually do not override it.
 
 # ------------------------------------------------------------------------------
 # Zero-cache (real-time sync)
@@ -485,10 +482,9 @@ NOLOGIN_MODE_ENABLED=FALSE
 # FRONTEND_PORT=3000
 # ZERO_CACHE_PORT=4848
 
-# -- Frontend build args (dev compose only) --
-# In dev, the frontend is built from source and these are passed as build args.
-# In prod, runtime values are derived from AUTH_TYPE, ETL_SERVICE, and
-# SURFSENSE_PUBLIC_URL.
-# NEXT_PUBLIC_FASTAPI_BACKEND_AUTH_TYPE=LOCAL
-# NEXT_PUBLIC_ETL_SERVICE=DOCLING
-# NEXT_PUBLIC_DEPLOYMENT_MODE=self-hosted
+# -- Frontend runtime flags (prod and dev compose) --
+# The frontend reads these at request time in Docker; no NEXT_PUBLIC_* rebuild
+# or startup substitution is required.
+# AUTH_TYPE=LOCAL
+# ETL_SERVICE=DOCLING
+# DEPLOYMENT_MODE=self-hosted