fulfillr-dev: staging back-office container + Turso store prep

Add a second go-fulfillr container (fulfillr-dev) wired to the staging
Turso store + EasyPost/Stripe test keys via dev.json, served at
fulfillr-dev.debyltech.com (Caddy -> :9055), LAN-restricted like prod.

- fulfillr-dev.yml + dev.json.j2: the staging container, volumes, config
- defaults: fulfillr_dev_* vars; prod store URL stubbed off until cutover
- Caddyfile + caddy.yml: fulfillr-dev site block and static mount
- awsddns.yml: Route53 DDNS for the fulfillr-dev hostname
- production.json.j2: add store_database_url/store_auth, rename stripe key
  var to fulfillr_stripe_api_key
- vault.yml: dev + store/stripe secrets

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

ansible/roles/podman/templates/caddy/Caddyfile.j2

@@ -389,6 +389,53 @@
 	}
 }
 
+# Fulfillr DEV/staging - {{ fulfillr_dev_server_name }} (Static + API with IP restrictions)
+{{ fulfillr_dev_server_name }} {
+{{ ip_restricted_site() }}
+
+	@api {
+		path /api/*
+	}
+
+	# Handle API requests with CORS for local development
+	handle @api {
+		header {
+			Access-Control-Allow-Origin "*"
+			Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
+			Access-Control-Allow-Headers "Content-Type, Authorization, X-Requested-With"
+			Access-Control-Allow-Credentials "true"
+		}
+
+		# Handle preflight requests
+		@options {
+			method OPTIONS
+		}
+		handle @options {
+			respond "" 204
+		}
+
+		reverse_proxy localhost:9055
+	}
+
+	# Serve static files with SPA fallback
+	handle {
+		root * /usr/local/share/fulfillr-site-dev
+		try_files {path} {path}/ /index.html
+		file_server
+	}
+
+	header {
+		Strict-Transport-Security "max-age=31536000; includeSubDomains"
+		X-Content-Type-Options "nosniff"
+		Referrer-Policy "same-origin"
+	}
+
+	log {
+		output file /var/log/caddy/fulfillr-dev.log
+		format json
+	}
+}
+
 # ============================================================================
 # TEST/STAGING SITES
 # ============================================================================