security: fix trace ownership bypass and externalize secrets to .env

- Add userId guard in trace upsert to prevent cross-user overwrites
- Move AUTH_SECRET, STRIPE_WEBHOOK_SECRET, POSTGRES_PASSWORD to .env
- docker-compose.yml now references env vars instead of hardcoded secrets
- Add .env.example with placeholder values for documentation

apps/web/src/app/api/traces/route.ts

@@ -241,9 +241,14 @@ export async function POST(request: NextRequest) {
       for (const trace of body.traces) {
         const existing = await tx.trace.findUnique({
           where: { id: trace.id },
-          select: { id: true },
+          select: { id: true, userId: true },
         });
 
+        // Security: prevent cross-user trace overwrite
+        if (existing && existing.userId !== userId) {
+          continue; // skip traces owned by other users
+        }
+
         const traceData = {
           name: trace.name,
           sessionId: trace.sessionId,