fulfillr-dev: staging back-office container + Turso store prep

Add a second go-fulfillr container (fulfillr-dev) wired to the staging
Turso store + EasyPost/Stripe test keys via dev.json, served at
fulfillr-dev.debyltech.com (Caddy -> :9055), LAN-restricted like prod.

- fulfillr-dev.yml + dev.json.j2: the staging container, volumes, config
- defaults: fulfillr_dev_* vars; prod store URL stubbed off until cutover
- Caddyfile + caddy.yml: fulfillr-dev site block and static mount
- awsddns.yml: Route53 DDNS for the fulfillr-dev hostname
- production.json.j2: add store_database_url/store_auth, rename stripe key
  var to fulfillr_stripe_api_key
- vault.yml: dev + store/stripe secrets

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

ansible/roles/podman/tasks/containers/debyltech/fulfillr-dev.yml

@@ -0,0 +1,67 @@
+---
+# Staging back-office: a second go-fulfillr container (same image as prod) wired to
+# the STAGING Turso store + EasyPost test key via dev.json. Served at
+# fulfillr-dev.debyltech.com (Caddy -> :9055), LAN-restricted like prod.
+- import_tasks: gitea/podman-gitea-login.yml
+
+- name: create nginx fulfillr-site-dev directory
+  become: true
+  ansible.builtin.file:
+    path: /usr/local/share/fulfillr-site-dev
+    state: directory
+    owner: "fedora"
+    group: "wheel"
+    mode: 0755
+
+- name: create fulfillr-dev host directory volumes
+  become: true
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    owner: "{{ podman_user }}"
+    group: "{{ podman_user }}"
+    mode: 0755
+  notify: restorecon podman
+  loop:
+    - "{{ fulfillr_dev_path }}"
+
+- name: template fulfillr-dev config
+  become: true
+  ansible.builtin.template:
+    src: "templates/fulfillr/{{ item }}.j2"
+    dest: "{{ fulfillr_dev_path }}/{{ item }}"
+    owner: "{{ podman_user }}"
+    group: "{{ podman_user }}"
+    mode: 0644
+  loop:
+    - dev.json
+  notify:
+    - restorecon podman
+
+- name: flush handlers
+  ansible.builtin.meta: flush_handlers
+
+- import_tasks: podman/podman-check.yml
+  vars:
+    container_name: fulfillr-dev
+    container_image: "{{ image }}"
+
+- name: create fulfillr-dev server container
+  become: true
+  become_user: "{{ podman_user }}"
+  containers.podman.podman_container:
+    name: fulfillr-dev
+    image: "{{ image }}"
+    image_strict: true
+    command: --config /config/dev.json
+    restart_policy: on-failure:3
+    log_driver: journald
+    volumes:
+      - "{{ fulfillr_dev_path }}:/config"
+    ports:
+      - 9055:8080/tcp
+
+- name: create systemd startup job for fulfillr-dev
+  include_tasks: podman/systemd-generate.yml
+  vars:
+    container_name: fulfillr-dev