Normalize rex/siong envs to .env.example + gitignore pattern

Untracks envs/rex/.env and envs/siong/.env (kept on disk so existing
deploys keep working) and adds matching .env.example templates so a
fresh clone has something to copy from. .gitignore widens from
envs/dev/.env to envs/*/.env to cover all three deployments.

Per-deployment secrets are no longer committed; rotation deemed
unnecessary because the repo is hosted on a private self-hosted Gitea
instance.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.gitignore

@@ -2,4 +2,4 @@ __pycache__
 .DS_Store
 *.html
 logs
-envs/dev/.env
+envs/*/.env

README.md

@@ -9,21 +9,27 @@ Brief, copy/paste-ready steps to run the published images from `gitea.04080616.x
 
 ## Environment configs
 
-Pre-configured `.env` files for each deployment are in the `envs/` folder:
+Per-deployment templates live in `envs/<name>/.env.example` (committed). Each operator copies the example to a sibling `.env` (gitignored — never committed) and fills in the real secrets:
+
 ```
 envs/
-├── rex/.env      # Rex deployment (port 8001)
-└── siong/.env    # Siong deployment (port 8005)
+├── dev/.env.example      # Local development tier — see "Local Development" below
+├── rex/.env.example      # Rex deployment (port 8001)
+└── siong/.env.example    # Siong deployment (port 8005)
 ```
 
-For local development, copy the desired env to the project root:
+For Portainer-hosted deployments (rex/siong):
 ```bash
-cp envs/rex/.env .env
-# or
-cp envs/siong/.env .env
+cp envs/rex/.env.example envs/rex/.env
+# Fill in DB_PASSWORD, CM_AGENT_*, CM_SECURITY_PIN, TELEGRAM_BOT_TOKEN, etc.
+# Then load the variables into the Portainer stack environment.
 ```
 
-For Portainer, load the env vars from the appropriate file into the stack environment variables.
+For local development, see the dev tier flow:
+```bash
+cp envs/dev/.env.example .env
+bash scripts/dev.sh up
+```
 
 ## Key variables
 | Variable | Description |

envs/rex/.env

@@ -1,28 +0,0 @@
-# === Deployment Identity ===
-CM_DEPLOY_NAME=rex-cm
-CM_WEB_HOST_PORT=8001
-
-# === Docker Registry ===
-CM_IMAGE_PREFIX=gitea.04080616.xyz/yiekheng
-DOCKER_IMAGE_TAG=latest
-
-# === Telegram ===
-TELEGRAM_BOT_TOKEN=5315819168:AAH31xwNgPdnk123x97XalmTW6fQV5EUCFU
-TELEGRAM_ALERT_CHAT_ID=818380985
-
-# === Database ===
-DB_HOST=192.168.0.210
-DB_USER=rex_cm
-DB_PASSWORD=hengserver
-DB_NAME=rex_cm
-DB_PORT=3306
-DB_CONNECTION_TIMEOUT=8
-DB_CONNECT_RETRIES=5
-DB_CONNECT_RETRY_DELAY=2
-
-# === Bot Config ===
-CM_PREFIX_PATTERN=13c
-CM_AGENT_ID=cm13a3
-CM_AGENT_PASSWORD=Sky533535
-CM_SECURITY_PIN=Sky533535
-CM_BOT_BASE_URL=https://cm99.net

envs/rex/.env.example

@@ -0,0 +1,38 @@
+# rex deployment template. Copy to envs/rex/.env (which is gitignored) and
+# fill in the real secrets for the rex environment, OR paste the variables
+# directly into the Portainer stack environment.
+
+# === Runtime ===
+# Leave unset (or 'false') in production. Setting CM_DEBUG=true exposes the
+# Werkzeug debugger and is RCE if the port is reachable.
+CM_DEBUG=false
+
+# === Deployment Identity ===
+CM_DEPLOY_NAME=rex-cm
+CM_WEB_HOST_PORT=8001
+
+# === Docker Registry / Build ===
+CM_IMAGE_PREFIX=gitea.04080616.xyz/yiekheng
+DOCKER_IMAGE_TAG=latest
+
+# === Telegram ===
+TELEGRAM_BOT_TOKEN=
+TELEGRAM_ALERT_CHAT_ID=
+TELEGRAM_ALERT_BOT_TOKEN=
+
+# === Database ===
+DB_HOST=
+DB_USER=
+DB_PASSWORD=
+DB_NAME=
+DB_PORT=3306
+DB_CONNECTION_TIMEOUT=8
+DB_CONNECT_RETRIES=5
+DB_CONNECT_RETRY_DELAY=2
+
+# === Bot Config ===
+CM_PREFIX_PATTERN=
+CM_AGENT_ID=
+CM_AGENT_PASSWORD=
+CM_SECURITY_PIN=
+CM_BOT_BASE_URL=

envs/siong/.env

@@ -1,28 +0,0 @@
-# === Deployment Identity ===
-CM_DEPLOY_NAME=siong-cm
-CM_WEB_HOST_PORT=8005
-
-# === Docker Registry ===
-CM_IMAGE_PREFIX=gitea.04080616.xyz/yiekheng
-DOCKER_IMAGE_TAG=latest
-
-# === Telegram ===
-TELEGRAM_BOT_TOKEN=7028479329:AAH_UTPoYcaB0iZMXJjO7pKYxyub8ZSXn2E
-TELEGRAM_ALERT_CHAT_ID=818380985
-
-# === Database ===
-DB_HOST=192.168.0.210
-DB_USER=siong_cm
-DB_PASSWORD=hengserver
-DB_NAME=siong_cm
-DB_PORT=3306
-DB_CONNECTION_TIMEOUT=8
-DB_CONNECT_RETRIES=5
-DB_CONNECT_RETRY_DELAY=2
-
-# === Bot Config ===
-CM_PREFIX_PATTERN=13sa
-CM_AGENT_ID=cm13a39
-CM_AGENT_PASSWORD=Wenwen12345
-CM_SECURITY_PIN=Wenwen12345
-CM_BOT_BASE_URL=https://cm99.net

envs/siong/.env.example

@@ -0,0 +1,38 @@
+# siong deployment template. Copy to envs/siong/.env (which is gitignored) and
+# fill in the real secrets for the siong environment, OR paste the variables
+# directly into the Portainer stack environment.
+
+# === Runtime ===
+# Leave unset (or 'false') in production. Setting CM_DEBUG=true exposes the
+# Werkzeug debugger and is RCE if the port is reachable.
+CM_DEBUG=false
+
+# === Deployment Identity ===
+CM_DEPLOY_NAME=siong-cm
+CM_WEB_HOST_PORT=8005
+
+# === Docker Registry / Build ===
+CM_IMAGE_PREFIX=gitea.04080616.xyz/yiekheng
+DOCKER_IMAGE_TAG=latest
+
+# === Telegram ===
+TELEGRAM_BOT_TOKEN=
+TELEGRAM_ALERT_CHAT_ID=
+TELEGRAM_ALERT_BOT_TOKEN=
+
+# === Database ===
+DB_HOST=
+DB_USER=
+DB_PASSWORD=
+DB_NAME=
+DB_PORT=3306
+DB_CONNECTION_TIMEOUT=8
+DB_CONNECT_RETRIES=5
+DB_CONNECT_RETRY_DELAY=2
+
+# === Bot Config ===
+CM_PREFIX_PATTERN=
+CM_AGENT_ID=
+CM_AGENT_PASSWORD=
+CM_SECURITY_PIN=
+CM_BOT_BASE_URL=