feat: API Keys via Umgebungsvariablen konfigurierbar

- Neuer getApiKey() Helper: prüft zuerst ENV-Vars, dann DB
- Alle Job-Routes nutzen getApiKey() statt direktem DB-Lookup
- Credentials-Status berücksichtigt ENV-Vars (Sidebar-Haken)
- .env.local.example: Platzhalter für alle 4 API Keys

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

app/api/jobs/serp-enrich/route.ts

@@ -1,6 +1,6 @@
 import { NextRequest, NextResponse } from "next/server";
 import { prisma } from "@/lib/db";
-import { decrypt } from "@/lib/utils/encryption";
+import { getApiKey } from "@/lib/utils/apiKey";
 import { isSocialOrDirectory } from "@/lib/utils/domains";
 import { runGoogleSerpScraper, pollRunStatus, fetchDatasetItems } from "@/lib/services/apify";
 import { bulkSearchDomains, type DecisionMakerCategory } from "@/lib/services/anymailfinder";
@@ -17,14 +17,10 @@ export async function POST(req: NextRequest) {
       selectedDomains?: string[];
     };
 
-    const apifyCred = await prisma.apiCredential.findUnique({ where: { service: "apify" } });
-    const anymailCred = await prisma.apiCredential.findUnique({ where: { service: "anymailfinder" } });
+    const [apifyToken, anymailKey] = await Promise.all([getApiKey("apify"), getApiKey("anymailfinder")]);
 
-    if (!apifyCred?.value) return NextResponse.json({ error: "Apify API token not configured" }, { status: 400 });
-    if (!anymailCred?.value) return NextResponse.json({ error: "Anymailfinder API key not configured" }, { status: 400 });
-
-    const apifyToken = decrypt(apifyCred.value);
-    const anymailKey = decrypt(anymailCred.value);
+    if (!apifyToken) return NextResponse.json({ error: "Apify API token not configured" }, { status: 400 });
+    if (!anymailKey) return NextResponse.json({ error: "Anymailfinder API key not configured" }, { status: 400 });
 
     const job = await prisma.job.create({
       data: {