Remove hardcoded API key - CRITICAL SECURITY FIX
- Remove hardcoded TTS API key from app.py (major security vulnerability)
- Add python-dotenv support for secure environment variable management
- Create .env.example with configuration template
- Add comprehensive SECURITY.md documentation
- Update README with security configuration instructions
- Add warning when TTS_API_KEY is not configured
- Enhance .gitignore to prevent accidental commits of .env files

BREAKING CHANGE: TTS_API_KEY must now be set via environment variable or .env file

Security measures:
- API keys must be provided via environment variables
- Added dotenv support for local development
- Clear documentation on secure deployment practices
- Multiple .env file patterns in .gitignore

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
3
.gitignore
vendored
@@ -54,6 +54,9 @@ tmp/
|
||||
# Local environment
|
||||
.env.local
|
||||
.env.*.local
|
||||
.env.production
|
||||
.env.development
|
||||
.env.staging
|
||||
|
||||
# VAPID keys
|
||||
vapid_private.pem
|
||||
|
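Review bot: none of the patterns visible in this hunk covers a plain `.env`, which is the file the commit message says will now hold TTS_API_KEY. The lines shown list only suffixed variants (`.env.local`, `.env.*.local`, `.env.production`, `.env.development`, `.env.staging`). If `.env` is not already ignored above line 54, add it here, or replace the enumerated variants with `.env*` followed by `!.env.example` so the template stays tracked and unlisted variants are still caught. Also keep in mind that .gitignore has no effect on files that are already tracked, so any env file committed earlier still needs `git rm --cached`.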