feat: integrate python-decouple for environment-based configuration

Replace hardcoded SECRET_KEY, DEBUG, ALLOWED_HOSTS, SITE_NAME, COPYRIGHT_TEXT
with decouple.config() calls; add CSRF_TRUSTED_ORIGINS support via .env.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

yitao_gallery/settings.py

@@ -12,6 +12,7 @@ https://docs.djangoproject.com/en/4.2/ref/settings/
 
 import os
 from pathlib import Path
+from decouple import config, Csv
 
 # Build paths inside the project like this: BASE_DIR / 'subdir'.
 BASE_DIR = Path(__file__).resolve().parent.parent
@@ -21,12 +22,14 @@ BASE_DIR = Path(__file__).resolve().parent.parent
 # See https://docs.djangoproject.com/en/4.2/howto/deployment/checklist/
 
 # SECURITY WARNING: keep the secret key used in production secret!
-SECRET_KEY = 'django-insecure-!@#$%^&*()_+yitao-ren-gallery-secret-key-change-in-production'
+SECRET_KEY = config('SECRET_KEY')
 
 # SECURITY WARNING: don't run with debug turned on in production!
-DEBUG = True
+DEBUG = config('DEBUG', default=False, cast=bool)
 
-ALLOWED_HOSTS = ["localhost", "106.15.60.252", "gallery.lizexua.com"]
+ALLOWED_HOSTS = config('ALLOWED_HOSTS', default='localhost', cast=Csv())
+
+CSRF_TRUSTED_ORIGINS = config('CSRF_TRUSTED_ORIGINS', default='', cast=Csv())
 
 
 # Application definition
@@ -148,8 +151,8 @@ IMAGE_MAX_HEIGHT = 1080
 THUMBNAIL_SIZE = (400, 400)
 
 # Site settings
-SITE_NAME = "YITAO-REN GALLERY"
-COPYRIGHT_TEXT = "© 2026 Yitao-Ren Gallery & iTao TV"
+SITE_NAME = config('SITE_NAME', default='YITAO-REN GALLERY')
+COPYRIGHT_TEXT = config('COPYRIGHT_TEXT', default='© 2026 Yitao-Ren Gallery & iTao TV')
 
 # Security settings for production (commented out for development)
 # SECURE_SSL_REDIRECT = True