Public-flip audit: env-driven paths, scrub audit-ticket prefixes, terser README

Lucy bind paths + LAN host pins replaced with env defaults. Repository URLs
→ git.sulkta.com. Audit-changelog scaffolding stripped from inline comments
(technical reasoning preserved). README sheds marketing scaffolding. AI-speak
in load-bearing prompts/SOULs left alone — that IS the product.

.env.example

@@ -1,6 +1,5 @@
-# Cauldron — copy to /mnt/cache/appdata/secrets/cauldron.env on Lucy
-# (chmod 600, root:root). Some values are already populated by the deploy
-# bootstrap (CLAWDFORGE_*); fill in the rest before first start.
+# Cauldron — copy to .env (chmod 600). Point compose at it via
+# CAULDRON_ENV_FILE if you keep it elsewhere.
 
 # Flask
 SECRET_KEY=change-me-32-bytes-of-entropy
@@ -9,12 +8,12 @@ SECRET_KEY=change-me-32-bytes-of-entropy
 BIND_HOST=0.0.0.0
 BIND_PORT=7790
 
-# Mealie (recipes.sulkta.com is already wired with Authentik OIDC)
-MEALIE_BASE_URL=https://recipes.sulkta.com
+# Mealie
+MEALIE_BASE_URL=https://mealie.example.com
 MEALIE_API_TOKEN=
 
-# clawdforge (centralized claude-runner on Lucy)
-CLAWDFORGE_URL=http://192.168.0.5:8800
+# clawdforge (claude-runner HTTP service)
+CLAWDFORGE_URL=http://clawdforge:8800
 CLAWDFORGE_TOKEN=
 DEFAULT_MODEL=sonnet
 DEFAULT_TIMEOUT_SECS=120
@@ -22,14 +21,15 @@ DEFAULT_TIMEOUT_SECS=120
 # Admin bearer for batch ops (sterilize-all, etc.) — separate from user OIDC
 ADMIN_BEARER=change-me-this-is-the-cauldron-admin-batch-token
 
-# Authentik OIDC (provisioned 2026-04-28; client_id + secret minted by Authentik)
-OIDC_ISSUER=https://auth.sulkta.com/application/o/cauldron/
+# Authentik OIDC (or any OIDC provider that exposes
+# /.well-known/openid-configuration)
+OIDC_ISSUER=https://auth.example.com/application/o/cauldron/
 OIDC_CLIENT_ID=
 OIDC_CLIENT_SECRET=
-OIDC_REDIRECT_URI=http://192.168.0.5:7790/auth/callback
+OIDC_REDIRECT_URI=http://localhost:7790/auth/callback
 
-# DB (sulkta-mariadb on the sulkta bridge)
-DB_HOST=sulkta-mariadb
+# DB
+DB_HOST=mariadb
 DB_PORT=3306
 DB_NAME=cauldron
 DB_USER=cauldron_app
@@ -39,28 +39,26 @@ DB_PASSWORD=
 # Generate with: python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"
 CAULDRON_FERNET_KEY=
 
-# --- Public-deploy hardening (added 2026-05-02 CVE audit) ---
-# Comma-separated list of authentik subjects who get the operator-tier
-# /me admin tools panel (consolidate, discover scrape). Empty = nobody.
-# Cobb's authentik sub goes here for production.
+# --- Public-deploy hardening ---
+# Comma-separated list of OIDC subjects who get the operator-tier /me
+# admin tools panel (consolidate, discover scrape). Empty = nobody.
 CAULDRON_ADMIN_SUBS=
 
-# External base URL where cauldron is reachable. Set to your public host
-# (e.g. https://cauldron.sulkta.com) when going public; leave empty for
-# LAN-only HTTP. When set: enables CSRF Origin guard, HSTS, secure cookie.
+# External base URL where cauldron is reachable (e.g. https://cauldron.example.com).
+# Leave empty for LAN-only HTTP. When set: enables CSRF Origin guard,
+# HSTS, secure cookie.
 CAULDRON_BASE_URL=
 
-# Whether the deploy is fronted by TLS (rackham apache → cauldron over
-# OpenVPN). Independent toggle from base_url so dev/staging can override.
-# When true: SESSION_COOKIE_SECURE=True, HSTS header emitted.
+# Whether the deploy is fronted by TLS. Independent toggle from base_url
+# so dev/staging can override. When true: SESSION_COOKIE_SECURE=True,
+# HSTS header emitted.
 CAULDRON_BEHIND_TLS=false
 
 # Comma-separated CIDR list of trusted proxies whose X-Forwarded-* we
 # honor. Empty = trust nothing → ProxyFix is OFF and X-Forwarded-* are
-# stripped from every request. For the rackham→OpenVPN→lucy:7790 deploy,
-# set this to rackham's WireGuard-internal IP (e.g. 10.20.30.1/32). Any
-# X-Forwarded-* from a peer outside this list gets dropped before
-# ProxyFix sees it.
+# stripped from every request. Set this to the reverse-proxy peer's
+# address (e.g. 10.20.30.1/32). Any X-Forwarded-* from a peer outside
+# this list gets dropped before ProxyFix sees it.
 CAULDRON_TRUSTED_PROXIES=
 
 # bugs.sulkta.com integration. Per-service key minted via: