
1 Commits

Author SHA1 Message Date
Jiang Bohan
111d8aa5df docs(handler): note that GetConfig is public-only and what may be returned
Adds a doc comment on GetConfig spelling out that the endpoint is mounted on
the unauthenticated route group (so the login page can fetch GoogleClientID /
AllowSignup before the user is signed in) and that only instance-level public
fields may be added. Prevents accidentally returning user- or tenant-scoped
data from this handler in the future.
2026-04-23 01:50:06 +08:00


@@ -22,6 +22,10 @@ type AppConfig struct {
PosthogHost string `json:"posthog_host"`
}
// GetConfig is mounted on the public (unauthenticated) route group because
// the web app calls it before login to decide whether to render the Google
// sign-in button and signup UI. Only add fields here that are safe to expose
// to anonymous callers — never user- or tenant-scoped data.
func (h *Handler) GetConfig(w http.ResponseWriter, r *http.Request) {
config := AppConfig{
AllowSignup: os.Getenv("ALLOW_SIGNUP") != "false",
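Review bot: The new warning sits on GetConfig, but a field is added to this response by editing the AppConfig struct, whose declaration starts above this hunk, so the person most likely to need the rule may never read it. Consider repeating it on the type, for example `// AppConfig is returned to unauthenticated callers by GetConfig; every field must be safe to expose publicly.` The comment is also only a convention: a small test that decodes the handler's JSON and compares its keys against an explicit allowlist would make an accidental addition fail in CI. GetConfig's body continues past the end of the hunk, so the full set of fields returned today is not visible here.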