fix(security #15): read API keys from process.env at request time

Module-level const assignments (SONARR_API_KEY, RADARR_API_KEY,
SABNZBD_API_KEY, EMBY_URL, EMBY_API_KEY) captured values at startup
and would not pick up rotated credentials without a restart.

Replaced all module-level captures in emby.js, sabnzbd.js, sonarr.js,
radarr.js, and dashboard.js with inline process.env reads at each
call site. A process restart is still needed for dotenv-loaded values
but environment-injected vars (Docker, Kubernetes) are re-read live.

server/routes/dashboard.js

@@ -9,8 +9,6 @@ const { pollAllServices, getLastPollTimings, POLLING_ENABLED } = require('../uti
 const { getSonarrInstances, getRadarrInstances } = require('../utils/config');
 const sanitizeError = require('../utils/sanitizeError');
 
-const EMBY_URL = process.env.EMBY_URL;
-const EMBY_API_KEY = process.env.EMBY_API_KEY;
 
 // Helper function to extract poster/cover art URL from a movie or series object
 function getCoverArt(item) {
@@ -102,8 +100,8 @@ async function getEmbyUsers() {
   const cached = cache.get('emby:users');
   if (cached) return cached;
   try {
-    const response = await axios.get(`${EMBY_URL}/Users`, {
-      headers: { 'X-MediaBrowser-Token': EMBY_API_KEY }
+    const response = await axios.get(`${process.env.EMBY_URL}/Users`, {
+      headers: { 'X-MediaBrowser-Token': process.env.EMBY_API_KEY }
     });
     // Build map: both raw lowercase and sanitized form -> display name
     const map = new Map();
@@ -624,8 +622,8 @@ router.get('/user-summary', requireAuth, async (req, res) => {
     const radarrInstances = getRadarrInstances();
 
     // Get all Emby users
-    const usersResponse = await axios.get(`${EMBY_URL}/Users`, {
-      headers: { 'X-MediaBrowser-Token': EMBY_API_KEY }
+    const usersResponse = await axios.get(`${process.env.EMBY_URL}/Users`, {
+      headers: { 'X-MediaBrowser-Token': process.env.EMBY_API_KEY }
     });
 
     // Get all series, movies, and tags from all instances