fix: sanitize API_KEY and BLOCK_PRIVATE_IPS in config generation

- Fix Issue 1: Normalize BLOCK_PRIVATE_IPS to safe boolean (true/false) using shell case statement to prevent PHP injection from non-boolean values like 'yes'
- Fix Issue 2: Strip single quotes from API_KEY to prevent PHP string injection if the value contains quotes
- Update docker-compose-dev.yml to document these configuration options

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

docker-compose-dev.yml

@@ -13,5 +13,7 @@ services:
 
     environment:
       - URL=http://localhost:8080
+      # - API_KEY=your-secret-key      # if set, all /api requests must provide it
+      # - BLOCK_PRIVATE_IPS=true       # block LAN/loopback/metadata IPs (recommended for public hosting)
     ports:
       - 8080:80