chore: update prod-compose to use file-envs for secrets

README.md

@@ -250,7 +250,7 @@ For actual production deployment:
    - Set `OIDC_BASE_URL` to your production OIDC provider
    - Configure proper Docker networks
 3. **Set up SSL/TLS** (e.g., via reverse proxy like Nginx/Traefik)
-4. **Use secure secrets management** (environment variables, Docker secrets, vault)
+4. **Use secure secrets management** — All sensitive environment variables support a `_FILE` suffix for Docker secrets (e.g., `SECRET_KEY_BASE_FILE=/run/secrets/secret_key_base`). See `docker-compose.prod.yml` for an example setup with Docker secrets.
 5. **Configure database backups**