
🔒 [Security] Hardcoded Google Gemini API key exposed in source code #16

@KGFCH2

Description


Problem

The file chatbot.py contains a hardcoded Google Gemini API key directly in source code:

```python
API_KEY = "AIzaSyCHaO_fHrrnttwyuWjSFznVrDAwGmB2xUo"
```

This key is publicly visible to anyone who views the repository.

Current Behavior

The API key is committed as a literal string. Any person who clones or views this repository has immediate access to the key and can make API calls billed to the project owner's account.

Why This Improvement Is Needed

  • Financial risk: Malicious actors can exhaust API quota or incur charges
  • Security baseline: Hardcoded credentials violate OWASP Top 10 (A02: Cryptographic Failures)
  • GitHub secret scanning: GitHub automatically flags committed secrets and may suspend the repository
  • Revocation required: The compromised key must be revoked at https://console.cloud.google.com/ immediately

Proposed Solution

  • Replace API_KEY = "..." with API_KEY = os.environ.get("GEMINI_API_KEY")
  • Raise a startup EnvironmentError if the key is missing (fail-fast principle)
  • Add .env.example documenting required environment variables
  • Add .gitignore to prevent .env from being committed
  • Sanitize error responses so raw exceptions are never sent to clients
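As an added example (not the project's chatbot.py), the environment-based loading, fail-fast startup check and sanitized error response from the list above, in one module. The placeholder value it rejects is an assumption about what .env.example would contain.

```python
"""Added example: fail-fast loading of GEMINI_API_KEY from the environment
plus a sanitized error response. Not the project's own chatbot.py."""
import logging
import os
from typing import Mapping, Optional

ENV_VAR = "GEMINI_API_KEY"
# Assumed placeholder written in .env.example; never a real key.
EXAMPLE_PLACEHOLDER = "your-gemini-api-key-here"

log = logging.getLogger("chatbot")


def load_api_key(environ: Optional[Mapping[str, str]] = None) -> str:
    """Return the API key from the environment, or fail loudly at startup.

    Refuses empty values and the .env.example placeholder so that a copied
    template is never mistaken for a real configuration.
    """
    env = os.environ if environ is None else environ
    key = env.get(ENV_VAR, "").strip()
    if not key:
        raise EnvironmentError(
            f"{ENV_VAR} is not set; export it or add it to .env (see .env.example)"
        )
    if key == EXAMPLE_PLACEHOLDER:
        raise EnvironmentError(
            f"{ENV_VAR} still holds the .env.example placeholder; set a real key"
        )
    return key


def safe_error_response(exc: Exception, request_id: str) -> dict:
    """Log the full exception server-side; return only a generic message.

    Raw exception text may echo request details, quota messages or even
    the key itself, so it never reaches the client; the request id lets an
    operator find the server-side log entry.
    """
    log.error("request %s failed: %r", request_id, exc)
    return {"error": "The assistant is temporarily unavailable.",
            "request_id": request_id}


# Startup: the process exits before serving a single request if misconfigured.
if __name__ == "__main__":
    API_KEY = load_api_key()
    print(f"{ENV_VAR} loaded ({len(API_KEY)} characters)")
```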

Expected Outcome

  • The repository contains zero secrets
  • Contributors know to set GEMINI_API_KEY via environment variable
  • The application fails loudly at startup if misconfigured

Additional Notes

The previously committed key AIzaSyCHaO_fHrrnttwyuWjSFznVrDAwGmB2xUo must be revoked immediately regardless of whether this PR is merged.
