security: remove public Supabase config endpoint#1656

Open
saurabhhhcodes wants to merge 1 commit into leonagoel:main from saurabhhhcodes:fix/wishlist-footer-link
Conversation

@saurabhhhcodes saurabhhhcodes commented Jun 14, 2026

Fixes #1403.

What changed

  • Removed the public /api/config JSON endpoint from backend/main.py.
  • Render the frontend HTML with Supabase values injected server-side instead of fetching them over the network.
  • Updated frontend/app.js to read injected config only when it is present.
  • Added a small inline config object in frontend/index.html and documented the new render-time injection flow.

Why

The app only needs the public Supabase URL and anon key to bootstrap the client. Serving them from a dedicated public API route makes the values trivially discoverable and unnecessary on the wire.

How to test

  • python3 -m py_compile backend/main.py
  • node --check frontend/app.js
  • git diff --check
  • Start the app and confirm the page loads normally.
  • Open the browser dev tools and verify there is no /api/config request during frontend bootstrap.

Validation

  • python3 -m py_compile backend/main.py
  • node --check frontend/app.js
  • git diff --check
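The render-time injection the PR describes has one detail worth checking during review: a value dropped into an inline `<script>` must be encoded so it cannot close the element. Plain `json.dumps` does not escape `<`, `>` or `&`. The block below is an added example, not the project's code from backend/main.py or frontend/index.html; it is framework-agnostic, and the placeholder token, the `window.__SUPABASE_CONFIG__` name, the template and the function names are assumptions for illustration. It also includes a small route-table check that mirrors the "no /api/config request" test step.

```python
"""Server-side injection of the public Supabase config into index.html.

Added example (not the project's own code). Assumptions: the template marks
the injection point with a placeholder token, and app.js reads
window.__SUPABASE_CONFIG__ when it is present.
"""
import json
import re

PLACEHOLDER = "__SUPABASE_CONFIG_JSON__"

# Constructed template standing in for frontend/index.html.
INDEX_TEMPLATE = """<!doctype html>
<html>
<head>
<script>window.__SUPABASE_CONFIG__ = __SUPABASE_CONFIG_JSON__;</script>
<script src="/app.js"></script>
</head>
<body></body>
</html>
"""


def to_inline_json(value) -> str:
    """JSON-encode a value for embedding inside a <script> element.

    json.dumps alone is not enough: a string containing '</script>' would end
    the element early. Escaping '<', '>' and '&' as \\uXXXX keeps the output
    valid JSON (the browser decodes it) while making it inert as HTML.
    ensure_ascii=True already escapes U+2028/U+2029, which are JS line
    terminators.
    """
    text = json.dumps(value, ensure_ascii=True)
    for raw, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        text = text.replace(raw, esc)
    return text


def render_index(supabase_url: str, supabase_anon_key: str,
                 template: str = INDEX_TEMPLATE) -> str:
    """Return index.html with the public config object injected at render time."""
    if template.count(PLACEHOLDER) != 1:
        raise ValueError("template must contain the placeholder exactly once")
    config = {"supabaseUrl": supabase_url, "supabaseAnonKey": supabase_anon_key}
    return template.replace(PLACEHOLDER, to_inline_json(config))


def extract_inline_config(html: str) -> dict:
    """Parse the injected object back out of rendered HTML.

    Verification helper: confirms the browser would see the intended values
    and that nothing in them terminated the script element.
    """
    match = re.search(
        r"window\.__SUPABASE_CONFIG__ = (\{.*?\});</script>", html, re.S)
    if match is None:
        raise ValueError("config object not found in rendered HTML")
    return json.loads(match.group(1))


def has_config_route(route_paths) -> bool:
    """True if a /api/config route is still registered (should be False after the PR)."""
    return any(path.rstrip("/") == "/api/config" for path in route_paths)


if __name__ == "__main__":
    # Constructed values, not real project credentials.
    page = render_index("https://example.supabase.co", "anon-key-constructed")
    print(extract_inline_config(page))
    print("/api/config still exposed:", has_config_route(["/", "/api/recommend"]))
```

The same escaping applies whichever template engine backend/main.py uses: auto-escaping designed for text nodes (Jinja's `{{ }}`) produces `&lt;`-style entities, which are wrong inside a script element, so the config should be emitted through a JSON-for-script encoder like the one above rather than through ordinary HTML escaping.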

@github-actions

🎉 Welcome to Hybrid Recommender, @saurabhhhcodes! This is your first contribution here!

Labels added: gssoc:approved | mentor:leonagoel | status:review-needed

PR Description Checklist:

YES - What changed section
YES - Why section
NO - How to test section
YES - Related issue linked

⚠️ Some required sections are missing. Please update your PR description.

What happens next:

  1. @leonagoel will review your changes
  2. CI checks must pass
  3. Once approved, this PR will be auto-merged

⏱️ Please respond to review comments within 48 hours.

Development

Successfully merging this pull request may close these issues.

Security: '/api/config' endpoint publicly exposes Supabase URL and anonymous key