feat: remove start.sh script and add appearance preferences management

- Deleted the start.sh script for container management.
- Added AGENTS.md for project guidelines and development principles.
- Introduced new SQL migration files for user appearance preferences and platform settings.
- Implemented appearance provider to manage user interface themes and preferences.
- Created branding utility to define and manage branding-related constants and types.

Co-authored-by: Copilot <copilot@github.com>

.env.example

@@ -1,43 +1,50 @@
-# Base application env
-NODE_ENV="development"
-PORT="3000"
-HOSTNAME="0.0.0.0"
+# Copy this file to .env before running Docker Compose:
+# cp .env.example .env
+
+# Runtime
+NODE_ENV=production
 
 # Auth
-# You can generate a new secret on the command line with:
-# openssl rand -base64 32
-AUTH_SECRET="your-auth-secret"
-BETTER_AUTH_URL="http://localhost:3000" # Set to your production URL in production
+# Generate with: openssl rand -base64 32
+AUTH_SECRET=change-me-generate-a-real-secret
+BETTER_AUTH_URL=http://localhost:3000
 
-# App URL
-# Used for client-side redirects and base URLs
-NEXT_PUBLIC_APP_URL="http://localhost:3000"
+# Public app URL
+NEXT_PUBLIC_APP_URL=http://localhost:3000
 
-# Database (Postgres)
-# These are required for Docker container initialization
-POSTGRES_USER="postgres"
-POSTGRES_PASSWORD="postgres"
-POSTGRES_DB="postgres"
+# Postgres used by docker-compose.yml
+POSTGRES_USER=postgres
+POSTGRES_PASSWORD=postgres
+POSTGRES_DB=postgres
+DATABASE_URL=postgres://postgres:postgres@localhost:5432/postgres
+DB_DISABLE_SSL=true
 
-# Connect string for the app
-DATABASE_URL="postgres://postgres:postgres@localhost:5432/postgres"
-# Disable SSL for Docker local Postgres; set to false or remove for managed Postgres
-DB_DISABLE_SSL="true"
+# White-label defaults used at image build time.
+# Admin-managed platform branding in the app can override these after setup.
+NEXT_PUBLIC_BRAND_NAME="beenvoice"
+NEXT_PUBLIC_BRAND_TAGLINE="Simple and efficient invoicing for freelancers and small businesses"
+NEXT_PUBLIC_BRAND_LOGO_TEXT="beenvoice"
+NEXT_PUBLIC_BRAND_ICON="$"
+NEXT_PUBLIC_DEFAULT_INTERFACE_THEME="beenvoice"
+NEXT_PUBLIC_DEFAULT_FONT="brand"
+NEXT_PUBLIC_DEFAULT_BODY_FONT="brand"
+NEXT_PUBLIC_DEFAULT_HEADING_FONT="brand"
+NEXT_PUBLIC_DEFAULT_RADIUS="xl"
+NEXT_PUBLIC_DEFAULT_SIDEBAR_STYLE="floating"
 
-# Email (Resend). Replace with real keys in production
-RESEND_API_KEY="your-resend-api-key"
-RESEND_DOMAIN=""
+# Email delivery via Resend (optional)
+# Leave blank to disable invoice/password-reset email delivery.
+RESEND_API_KEY=
+RESEND_DOMAIN=
 
-# Analytics
-NEXT_PUBLIC_UMAMI_WEBSITE_ID="your-website-id-here"
-NEXT_PUBLIC_UMAMI_SCRIPT_URL="https://analytics.umami.is/script.js"
-# Build tweaks
-# SKIP_ENV_VALIDATION=1
+# Analytics via Umami (optional)
+# Leave website ID blank to disable analytics.
+NEXT_PUBLIC_UMAMI_WEBSITE_ID=
+NEXT_PUBLIC_UMAMI_SCRIPT_URL=https://analytics.umami.is/script.js
 
-# SSO / Authentik (Optional - only needed if using SSO authentication)
-# Configure these if you want to enable Single Sign-On with Authentik OIDC
-# The issuer should be your Authentik application's OAuth2 provider URL
-# Example: https://auth.example.com/application/o/your-app-slug
-AUTHENTIK_ISSUER=""
-AUTHENTIK_CLIENT_ID=""
-AUTHENTIK_CLIENT_SECRET=""
+# SSO via Authentik OIDC (optional)
+NEXT_PUBLIC_AUTHENTIK_ENABLED=false
+AUTHENTIK_ISSUER=
+AUTHENTIK_CLIENT_ID=
+AUTHENTIK_CLIENT_SECRET=
+AUTHENTIK_ORIGIN=