fix: move hardcoded DB credentials and Flask secret key to environment variables

[Tejas5405]

Problem

Database credentials and Flask secret key were hardcoded in source files:

src/config.py

host = "localhost"
user = "USERNAME"
password = "PASSWORD"

src/app.py

app.secret_key = "your_secret_key"

Hardcoded credentials are a security risk — anyone who clones the repo sees them, and they get committed to git history. This is especially problematic when deploying to cloud environments (Railway, Render, AWS, etc.).

Fix

• src/config.py: Load MYSQL_HOST, MYSQL_USER, MYSQL_PASSWORD from environment using python-dotenv
• src/app.py: Load FLASK_SECRET_KEY from environment
• .env.example: Added template so contributors know which variables to set

Usage after this fix

cp .env.example .env
# Fill in your values in .env
pip install python-dotenv
python src/app.py

References

• 12-Factor App — Config
• Closes Security: Move db creds from config.py to env variables #27

[brick-24]

Tested locally, reviewed implementation, LGTM.

[brick-24]

LGTM, added .env to .gitignore