fulfillr-dev: staging back-office container + Turso store prep

Add a second go-fulfillr container (fulfillr-dev) wired to the staging
Turso store + EasyPost/Stripe test keys via dev.json, served at
fulfillr-dev.debyltech.com (Caddy -> :9055), LAN-restricted like prod.

- fulfillr-dev.yml + dev.json.j2: the staging container, volumes, config
- defaults: fulfillr_dev_* vars; prod store URL stubbed off until cutover
- Caddyfile + caddy.yml: fulfillr-dev site block and static mount
- awsddns.yml: Route53 DDNS for the fulfillr-dev hostname
- production.json.j2: add store_database_url/store_auth, rename stripe key
  var to fulfillr_stripe_api_key
- vault.yml: dev + store/stripe secrets

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

ansible/roles/podman/defaults/main.yml

@@ -9,6 +9,18 @@ factorio_path: "{{ podman_volumes }}/factorio"
 fulfillr_path: "{{ podman_volumes }}/fulfillr"
 fulfillr_cases_table: "debyltech-cases-prod"
 fulfillr_tickets_table: "debyltech-tickets-prod"
+# Turso ecommerce store (self-hosted checkout).
+# PROD store is OFF until cutover (empty URL -> store routes not registered). At
+# cutover set this to libsql://debyltech-store-prod-debyltech.aws-us-east-1.turso.io
+# and add `fulfillr_store_auth_token` (prod RW token) to the vault.
+fulfillr_store_database_url: ""
+fulfillr_store_auth_token: ""
+# Staging back-office (fulfillr-dev.debyltech.com, port 9055) -> staging Turso store.
+# Its RW token is `fulfillr_dev_store_auth_token` and EasyPost test key is
+# `fulfillr_dev_easypost_api_key`, both in the encrypted vault.
+fulfillr_dev_path: "{{ podman_volumes }}/fulfillr-dev"
+fulfillr_dev_server_name: fulfillr-dev.debyltech.com
+fulfillr_dev_store_database_url: "libsql://debyltech-store-staging-debyltech.aws-us-east-1.turso.io"
 gregtime_path: "{{ podman_volumes }}/gregtime"
 searxng_path: "{{ podman_volumes }}/searxng"
 hass_path: "{{ podman_volumes }}/hass"