fix: correct permission checks for compose loadServices and env editing

[Siumauricio]

Summary

Fixes #4052

• compose.loadServices required service: ["create"] but it's a read-only operation (parses YAML and returns service names). Changed to service: ["read"].
• Environment editing on database/compose services used the generic update mutation which requires service: ["create"]. All database routers already had saveEnvironment endpoints with correct envVars: ["write"] permission, but compose was missing one. Added compose.saveEnvironment and updated the frontend to use saveEnvironment for all service types.

Changes

1. packages/server/src/db/schema/compose.ts — Added apiSaveEnvironmentVariablesCompose input schema
2. apps/dokploy/server/api/routers/compose.ts — Changed loadServices permission to service: ["read"], added saveEnvironment endpoint with envVars: ["write"]
3. apps/dokploy/components/dashboard/application/environment/show-environment.tsx — Updated all mutation calls from .update to .saveEnvironment

Test plan

• Create a member user without "Create Services" permission but with project access
• Verify the member can load compose service names in the domain form dropdown
• Verify the member can edit and save environment variables on compose services
• Verify the member can edit and save environment variables on database services (postgres, mysql, mariadb, redis, mongo)
• Verify that users with full permissions can still update services normally via the update mutation

Greptile Summary

This PR fixes two permission check bugs for compose services and refactors environment variable saving to use purpose-specific endpoints across all service types.

• compose.loadServices had service: ["create"] permission but is a purely read-only operation (parses YAML and returns service names). Correctly changed to service: ["read"].
• compose.saveEnvironment is a new endpoint added with envVars: ["write"] permission, following the exact same pattern already established for all other service types (mongo, postgres, redis, etc.). Previously, compose was the only service type missing this endpoint, meaning environment variable saves for compose went through the generic .update mutation which incorrectly required service: ["create"] permission.
• show-environment.tsx is updated to call .saveEnvironment (instead of .update) for all 7 service types in the mutation map, so members with envVars.write but without service.create can now save environment variables on any service type.
• The new apiSaveEnvironmentVariablesCompose schema in compose.ts is minimal and follows the exact same pattern as apiSaveEnvironmentVariablesMongo and its siblings.
• The saveEnvironment endpoint correctly fires an audit event and throws a BAD_REQUEST error if the update returns nothing, consistent with all other service saveEnvironment implementations.

Confidence Score: 5/5

Safe to merge — focused permission fix with no behavioural regressions for existing users.

All three changes are minimal, correct, and consistent with established patterns in the codebase. The new saveEnvironment endpoint mirrors every other service's implementation exactly. The loadServices permission change is semantically correct (read-only operation now requires read permission). No logic errors, security regressions, or unhandled edge cases were found.

No files require special attention.

_{Reviews (1): Last reviewed commit: "fix: correct permission checks for compo..." | Re-trigger Greptile}