Add production dependencies introduced in recent security commits. Add docs/ENVIRONMENT_VARIABLES.md documenting TRUST_PROXY, SECRET, SESSION_SECRET, and ALLOWED_ORIGINS with configuration guidance.