Move secrets to env_file, add security hardening to docker-compose

- Use env_file referencing /root/.katheryn_credentials for all secrets
- Remove inline secrets from environment block (PayPal, SMTP, store token)
- Add directus_katheryn-internal network for internal CMS access
- Add container security: read_only, cap_drop ALL, no-new-privileges

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

frontend/docker-compose.yml

@@ -7,9 +7,12 @@ services:
         - DIRECTUS_API_TOKEN=katheryn-frontend-readonly-8591de0316ded82fab45328cf1e49cb1
     container_name: katheryn-frontend
     restart: unless-stopped
+    env_file:
+      - /root/.katheryn_credentials
     environment:
       - NEXT_PUBLIC_DIRECTUS_URL=https://katheryn-cms.jeffemmett.com
       - DIRECTUS_API_TOKEN=katheryn-frontend-readonly-8591de0316ded82fab45328cf1e49cb1
+      - DIRECTUS_INTERNAL_URL=http://katheryn-cms:8055
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.katheryn-staging.rule=Host(`katheryn-staging.jeffemmett.com`)"
@@ -17,7 +20,17 @@ services:
       - "traefik.http.services.katheryn-staging.loadbalancer.server.port=3000"
     networks:
       - traefik-public
+      - directus_katheryn-internal
+    read_only: true
+    tmpfs:
+      - /tmp
+    cap_drop:
+      - ALL
+    security_opt:
+      - no-new-privileges:true
 
 networks:
   traefik-public:
     external: true
+  directus_katheryn-internal:
+    external: true