feat(web): add environment management workflow #4050

Open
RSO wants to merge 22 commits into main from feat/web-env-management
RSO commented Jun 16, 2026

Contributor

Summary

  • Add one idempotent pnpm web:env set command that asks whether a variable is sensitive, then updates both Vercel projects across Development, Staging, and Production.
  • Mirror sensitive Production values to the shared 1Password vault while leaving Development exportable for local setup.
  • Update tracked dotenv defaults, highlight matching remote values without blocking intentional reuse, and run contributor setup smoke checks when relevant environment templates change.

Verification

  • Confirmed the sensitivity prompt rejects sensitive NEXT_PUBLIC_* values before accessing remote providers.
  • Confirmed local argument validation, pinned Vercel CLI invocation, and 1Password create/update template behavior.
  • Did not run the main command against live Vercel resources during implementation.

Visual Changes

N/A

Reviewer Notes

  • The implementation is intentionally small and idempotent: partial failures are recovered by rerunning the same command rather than maintaining transaction or resume state.
  • Multiline values use --development-file, --staging-file, and --production-file; normal values use hidden terminal prompts.
  • Matching tracked and remote values produce a highlighted warning but remain allowed.
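
The rules stated in the description above (local rejection of sensitive NEXT_PUBLIC_* names, both projects across three environments, vault mirroring only for sensitive Production values, warn-but-allow on tracked matches) can be sketched as a pure planning function. This is an added example, not code from this pull request or from scripts/web-env; the type names, `planEnvSet`, the project names and the treatment of Development as non-sensitive are all assumptions.

```typescript
// Added illustration; every identifier here is hypothetical, not taken from scripts/web-env.
type Environment = "development" | "staging" | "production";
type Action =
  | { kind: "vercel-upsert"; project: string; environment: Environment; sensitive: boolean }
  | { kind: "1password-upsert"; item: string }
  | { kind: "warn-matches-tracked"; environment: Environment };

interface SetRequest {
  name: string;
  sensitive: boolean; // answer to the sensitivity prompt
  values: Record<Environment, string>;
  tracked: Partial<Record<Environment, string>>; // defaults from tracked dotenv files
}

const PROJECTS = ["example-web-a", "example-web-b"]; // placeholder project names
const ENVIRONMENTS: Environment[] = ["development", "staging", "production"];

// Pure planning step: validates locally and returns the full list of writes.
// Nothing here touches a remote provider, so a rejected request leaks nothing.
function planEnvSet(req: SetRequest): Action[] {
  if (!/^[A-Z_][A-Z0-9_]*$/.test(req.name)) {
    throw new Error(`invalid variable name: ${req.name}`);
  }
  // Next.js inlines NEXT_PUBLIC_* into the browser bundle, so such a value
  // cannot be secret; refuse before any provider call is planned.
  if (req.sensitive && req.name.startsWith("NEXT_PUBLIC_")) {
    throw new Error(`${req.name} is public by definition and cannot be sensitive`);
  }
  const actions: Action[] = [];
  for (const environment of ENVIRONMENTS) {
    // Reusing a tracked default is allowed; it only produces a warning.
    if (req.tracked[environment] === req.values[environment]) {
      actions.push({ kind: "warn-matches-tracked", environment });
    }
    for (const project of PROJECTS) {
      // Assumption: Development stays non-sensitive so it can be exported locally.
      const sensitive = req.sensitive && environment !== "development";
      actions.push({ kind: "vercel-upsert", project, environment, sensitive });
    }
  }
  // Only a sensitive Production value is mirrored to the shared vault.
  if (req.sensitive) {
    actions.push({ kind: "1password-upsert", item: `${req.name} (production)` });
  }
  return actions; // upserts only: rerunning after a partial failure converges
}
```

Because the plan contains only upserts and is derived from the inputs alone, running it twice yields the same list, which is what makes rerun-to-recover safe.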

Comment thread scripts/web-env/index.ts Fixed
@RSO RSO marked this pull request as ready for review June 17, 2026 15:57
kilo-code-bot Bot commented Jun 17, 2026

Contributor

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Executive Summary

Adds a well-structured pnpm web:env set workflow for managing environment variables across Vercel projects and 1Password, with trackable dotenv defaults and CI smoke checks — no new code issues beyond the pre-existing CodeQL flag about op error output.

Files Reviewed (10 files)
  • .github/workflows/ci.yml — Added env file paths to kilocode_backend change filter
  • .github/workflows/setup-smoke.yml — Added PR trigger for env template changes, gated notify on non-PR events
  • DEVELOPMENT.md — Added section c documenting the new env management workflow
  • package.json — Added web:env script and @types/node devDep
  • pnpm-lock.yaml — Lockfile updates for @types/node version pinning
  • scripts/lint-all.sh — Added scripts/web-env to lint scope
  • scripts/typecheck-all.sh — Added scripts/web-env tsconfig to typecheck pass
  • scripts/web-env/index.ts — Main CLI entry point: arg parsing, sensitivity prompt, value collection, plan/apply loop
  • scripts/web-env/shared.ts — Shared utilities: process execution, Vercel/1Password integration, env file management
  • scripts/web-env/tsconfig.json — Minimal tsconfig for the scripts directory

Reviewed by deepseek-v4-pro-20260423 · 299,689 tokens

Review guidance: REVIEW.md from base branch main

2 participants