fix: DB password — read from secrets file, bypasses Docker Compose interpolation

- Add secrets/db_password file support to docker-compose.yml (Docker secrets mount)
- config.py reads POSTGRES_PASSWORD_FILE if set, builds DATABASE_URL with proper URL encoding
- Remove inline DATABASE_URL construction from docker-compose.yml (was subject to $VAR interpolation)
- Any password with any characters now works — no escaping needed

Authored by: Jack Levy

.env.example

@@ -17,16 +17,17 @@ ENCRYPTION_SECRET_KEY=
 
 # ─── PostgreSQL ───────────────────────────────────────────────────────────────
 POSTGRES_USER=congress
-# If your password contains special characters ($, &, #, etc.), wrap it in single quotes
-# to prevent Docker Compose from interpreting them as variable substitutions.
-# Example: POSTGRES_PASSWORD='p@$$w0rd&safe'
+# Any password works — special characters ($, &, #, @, etc.) are all fine.
+# Wrap in single quotes if your password contains spaces or leading/trailing chars
+# you want preserved. The DATABASE_URL is built automatically by the backend
+# with proper URL-encoding, so you never need to escape anything here.
 POSTGRES_PASSWORD=change-me
 POSTGRES_DB=pocketveto
 
-# These are constructed automatically from the above in docker-compose.yml.
-# Override here only if connecting to an external DB.
-# DATABASE_URL=postgresql+asyncpg://congress:congress@postgres:5432/pocketveto
-# SYNC_DATABASE_URL=postgresql://congress:congress@postgres:5432/pocketveto
+# DATABASE_URL and SYNC_DATABASE_URL are built automatically from the values
+# above. Set these only if connecting to an external database.
+# DATABASE_URL=postgresql+asyncpg://congress:mypassword@postgres:5432/pocketveto
+# SYNC_DATABASE_URL=postgresql://congress:mypassword@postgres:5432/pocketveto
 
 # ─── Redis ────────────────────────────────────────────────────────────────────
 REDIS_URL=redis://redis:6379/0