Security: store credentials in .env file

Currently, sensitive credentials are stored directly in repository-managed config files.
We should move all secrets to environment variables loaded from a local .env file to reduce leak risk and align with standard security practices.