Add hostname configuration for production deployment

Add environment variable configuration to support deployment on custom
domains like https://awards.dj7nt.de

## Changes
- Add .env.example with configuration template
- Update API client to use VITE_API_BASE_URL with fallback to /api
- Update SvelteKit config to use VITE_APP_URL for CSRF trusted origins
- Update backend CORS to use configurable allowed origins
- Add ALLOWED_ORIGINS environment variable for production
- Add build and preview scripts to package.json
- Update README with production deployment guide and nginx example

## Environment Variables
- VITE_APP_URL: Application hostname (e.g., https://awards.dj7nt.de)
- VITE_API_BASE_URL: API base URL (empty = relative paths)
- ALLOWED_ORIGINS: Comma-separated CORS origins
- JWT_SECRET: Strong secret for production
- NODE_ENV: development/production

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

src/backend/index.js

@@ -25,10 +25,18 @@ import {
  * Main backend application
  * Serves API routes
  */
+
+// Get allowed origins from environment or allow all in development
+const ALLOWED_ORIGINS = process.env.ALLOWED_ORIGINS
+  ? process.env.ALLOWED_ORIGINS.split(',')
+  : process.env.NODE_ENV === 'production'
+    ? [process.env.VITE_APP_URL || 'https://awards.dj7nt.de']
+    : true; // Allow all in development
+
 const app = new Elysia()
   // Enable CORS for frontend communication
   .use(cors({
-    origin: true, // Allow all origins in development
+    origin: ALLOWED_ORIGINS,
     credentials: true,
     methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
   }))