Remove hardcoded API key - CRITICAL SECURITY FIX

- Remove hardcoded TTS API key from app.py (major security vulnerability)
- Add python-dotenv support for secure environment variable management
- Create .env.example with configuration template
- Add comprehensive SECURITY.md documentation
- Update README with security configuration instructions
- Add warning when TTS_API_KEY is not configured
- Enhance .gitignore to prevent accidental commits of .env files

BREAKING CHANGE: TTS_API_KEY must now be set via environment variable or .env file

Security measures:
- API keys must be provided via environment variables
- Added dotenv support for local development
- Clear documentation on secure deployment practices
- Multiple .env file patterns in .gitignore

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

app.py

@@ -4,6 +4,7 @@ import tempfile
 import requests
 import json
 import logging
+from dotenv import load_dotenv
 from flask import Flask, render_template, request, jsonify, Response, send_file, send_from_directory, stream_with_context
 from flask_cors import CORS, cross_origin
 import whisper
@@ -23,6 +24,9 @@ import atexit
 import threading
 from datetime import datetime, timedelta
 
+# Load environment variables from .env file
+load_dotenv()
+
 # Initialize logging
 logging.basicConfig(level=logging.INFO)
 logger = logging.getLogger(__name__)
@@ -92,7 +96,11 @@ except Exception as e:
 
 app.config['UPLOAD_FOLDER'] = upload_folder
 app.config['TTS_SERVER'] = os.environ.get('TTS_SERVER_URL', 'http://localhost:5050/v1/audio/speech')
-app.config['TTS_API_KEY'] = os.environ.get('TTS_API_KEY', '56461d8b44607f2cfcb8030dee313a8e')
+app.config['TTS_API_KEY'] = os.environ.get('TTS_API_KEY', '')
+
+# Warn if TTS API key is not set
+if not app.config['TTS_API_KEY']:
+    logger.warning("TTS_API_KEY not set. TTS functionality may not work. Set it via environment variable or .env file.")
 
 # Rate limiting storage
 rate_limit_storage = {}