docs: document runtime env vars and same-origin proxy access

surfsense_web/content/docs/docker-installation/dev-compose.mdx

@@ -26,12 +26,14 @@ The following `.env` variables are **only used by the dev compose file** (they h
 | `PGADMIN_DEFAULT_EMAIL` | pgAdmin login email | `admin@surfsense.com` |
 | `PGADMIN_DEFAULT_PASSWORD` | pgAdmin login password | `surfsense` |
 | `REDIS_PORT` | Exposed Redis port (internal-only in prod) | `6379` |
-| `NEXT_PUBLIC_FASTAPI_BACKEND_AUTH_TYPE` | Frontend build arg for auth type | `LOCAL` |
-| `NEXT_PUBLIC_ETL_SERVICE` | Frontend build arg for ETL service | `DOCLING` |
-| `NEXT_PUBLIC_ZERO_CACHE_URL` | Frontend build arg for Zero-cache URL | `http://localhost:4848` |
-| `NEXT_PUBLIC_DEPLOYMENT_MODE` | Frontend build arg for deployment mode | `self-hosted` |
+| `AUTH_TYPE` | Runtime auth mode | `LOCAL` |
+| `ETL_SERVICE` | Runtime document parsing service | `DOCLING` |
+| `DEPLOYMENT_MODE` | Runtime deployment mode | `self-hosted` |
+| `ZERO_CACHE_PORT` | Exposed zero-cache port for debugging | `4848` |
 
-In the production compose file, the `NEXT_PUBLIC_*` frontend variables are automatically derived from `AUTH_TYPE`, `ETL_SERVICE`, and the port settings. In the dev compose file, they are passed as build args since the frontend is built from source.
+In the production compose file, the frontend reads `AUTH_TYPE`, `ETL_SERVICE`,
+and `DEPLOYMENT_MODE` at request time. Browser API and Zero traffic are
+same-origin relative through bundled Caddy.
 Production Docker exposes only the bundled Caddy proxy by default; dev compose
 keeps direct service ports so contributors can inspect and restart individual
 services without going through the proxy.