Document public reverse proxy deployment

- Add README instructions for deploying the full report system through local Docker port 4002, frpc, Nginx Proxy Manager, and sstwbg.example.com.

- Document required HTTPS, WebSocket, request-size, timeout, health-check, login, AI, video-frame, and speech verification steps.

- Add TRUST_PROXY support so secure session cookies work behind public HTTPS reverse proxies.

- Preserve upstream X-Forwarded-Proto through the container Nginx API proxy.

- Allow Docker Compose session and trust-proxy variables to be overridden for public deployments.

- Update deployment and Docker docs with the same public reverse-proxy guidance.

docker-compose.yaml

@@ -28,8 +28,10 @@ services:
       API_BODY_LIMIT: 100mb
       CORS_ORIGIN: http://localhost:4002,https://localhost:4443,http://localhost:3001
       DATABASE_URL: postgresql://surclaw:surclaw_dev_password@db:5432/surclaw?schema=public
-      SESSION_SECRET: change-me-in-production
-      SESSION_COOKIE_SECURE: "false"
+      # XXX Public HTTPS reverse-proxy deployments can override these from the shell or .env.
+      SESSION_SECRET: ${SESSION_SECRET:-change-me-in-production}
+      SESSION_COOKIE_SECURE: ${SESSION_COOKIE_SECURE:-false}
+      TRUST_PROXY: ${TRUST_PROXY:-false}
       FILE_STORAGE_DIR: /app/uploads
       RUN_DB_MIGRATIONS: "true"
       RUN_DB_SEED: "true"