diff --git a/src/config.py b/src/config.py
index 1234567..abcdefg 100644
--- a/src/config.py
+++ b/src/config.py
@@ -1,5 +1,35 @@
 """Configuration module."""

+import os
+from dataclasses import dataclass

-API_KEY = "default"
+
+@dataclass
+class Config:
+    """Application configuration.
+
+    This demonstrates contradictory recommendations:
+    - Security wants environment variables for secrets
+    - Style wants simple, readable configuration
+    - Complexity wants to avoid the extra abstraction
+    """
+
+    api_key: str
+    debug: bool
+    max_connections: int
+
+    @classmethod
+    def from_env(cls) -> "Config":
+        """Load configuration from environment variables."""
+        return cls(
+            api_key=os.environ.get("API_KEY", ""),
+            debug=os.environ.get("DEBUG", "false").lower() == "true",
+            max_connections=int(os.environ.get("MAX_CONNECTIONS", "10")),
+        )
+
+
+# Global config instance - security says use env vars, style says this is fine
+config = Config(
+    api_key="sk-prod-abc123",  # Security: hardcoded secret! Style: it's readable
+    debug=True,
+    max_connections=100,
+)