Fix API key security vulnerability

- Remove hardcoded Firebase API keys from src/config/firebase.ts
- Replace with environment variables (REACT_APP_FIREBASE_*)
- Create .env.example template for user configuration
- Update README with proper environment variable setup instructions
- Add security warning about not committing .env.local files

This fixes the GitHub security warning about exposed API keys.

Author: charlotteliang

.env.example

@@ -0,0 +1,17 @@
+# Firebase Configuration
+# Copy this file to .env.local and fill in your Firebase project details
+
+REACT_APP_FIREBASE_API_KEY=your_api_key_here
+REACT_APP_FIREBASE_AUTH_DOMAIN=your_project_id.firebaseapp.com
+REACT_APP_FIREBASE_PROJECT_ID=your_project_id
+REACT_APP_FIREBASE_STORAGE_BUCKET=your_project_id.appspot.com
+REACT_APP_FIREBASE_MESSAGING_SENDER_ID=your_sender_id
+REACT_APP_FIREBASE_APP_ID=your_app_id
+
+# Instructions:
+# 1. Go to Firebase Console: https://console.firebase.google.com
+# 2. Select your project
+# 3. Go to Project Settings > General
+# 4. Scroll down to "Your apps" section
+# 5. Copy the config values from your web app
+# 6. Replace the placeholder values above with your actual Firebase config