Add .env.example template and protect secrets from version control

Improves security by preventing accidental commit of sensitive credentials to the
repository. The .env file contains Langfuse API keys, database passwords, and encryption
keys that should never be exposed in version control.

## Security Improvements

**Added .env to .gitignore:**
- Prevents .env file with real secrets from being committed
- Protects Langfuse API keys (public/secret)
- Protects database credentials
- Protects NextAuth secrets and encryption keys

**Created .env.example template:**
- Safe template file for new developers to copy
- Contains all required environment variables with placeholder values
- Includes helpful comments for key generation (openssl commands)
- Documents all configuration options

**Updated Claude settings:**
- Added git restore to allowed commands for workflow automation

## Setup Instructions for New Developers

1. Copy .env.example to .env: `cp .env.example .env`
2. Generate random secrets:
   - `openssl rand -base64 32` for NEXTAUTH_SECRET and SALT
   - `openssl rand -hex 32` for ENCRYPTION_KEY
3. Start Docker: `docker compose up -d`
4. Open Langfuse UI: http://localhost:3000
5. Create account, project, and copy API keys to .env
6. Restart API: `docker compose restart api`

## Files Changed

- .gitignore: Added .env to ignore list
- .env.example: New template file with placeholder values
- .claude/settings.local.json: Added git restore to allowed commands

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

.gitignore

@@ -5,6 +5,9 @@
 
 .research/
 
+# Environment variables with secrets
+.env
+
 # User-specific files
 *.rsuser
 *.suo