Fix admin URL baking: bake NEXT_PUBLIC_API_URL at Docker build time

Next.js bakes NEXT_PUBLIC_* vars into the client JS bundle at build
time, not runtime. The admin image was being built with
admin/.env.local containing NEXT_PUBLIC_API_URL=http://localhost:8000,
hardcoding localhost into the browser bundle. The runtime configMap
value had no effect on the already-compiled JS, causing prod admin
login to throw CORS errors hitting localhost.

Fix:
- Dockerfile: admin-builder stage accepts ARG NEXT_PUBLIC_API_URL and
  strips any committed .env.local/.env.development.local before
  npm run build.
- .dockerignore: explicitly exclude admin/.env.* (root-level .env.*
  pattern doesn't match nested paths), so a local dev .env.local can
  never sneak into the build context again.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.dockerignore

@@ -11,10 +11,15 @@ deploy/secrets/*.txt
 deploy/secrets/*.p8
 deploy/scripts/
 
-# Local env files
+# Local env files — dockerignore patterns apply from the context root, so
+# the explicit admin/ line is needed to catch admin/.env.local (which would
+# otherwise bake NEXT_PUBLIC_API_URL=http://localhost:8000 into the bundle).
 .env
 .env.*
+admin/.env
+admin/.env.*
 !.env.example
+!admin/.env.example
 
 # Node (admin)
 admin/node_modules

Dockerfile

@@ -3,6 +3,11 @@ FROM node:20-alpine AS admin-builder
 
 WORKDIR /app
 
+# NEXT_PUBLIC_* vars are baked into the client bundle at build time.
+# Pass via `--build-arg NEXT_PUBLIC_API_URL=https://api.myhoneydue.com`.
+ARG NEXT_PUBLIC_API_URL
+ENV NEXT_PUBLIC_API_URL=${NEXT_PUBLIC_API_URL}
+
 # Copy admin panel files
 COPY admin/package*.json ./
 
@@ -12,6 +17,10 @@ RUN npm ci
 # Copy source
 COPY admin/ .
 
+# Strip any committed .env.local that would override the build-time URL
+# with a dev value (e.g. http://localhost:8000).
+RUN rm -f .env.local .env.development.local
+
 # Build (standalone mode)
 RUN npm run build