feat: public end-user API (/api/public/v1) for native/portal clients

[apple-techie]

Summary

Adds a thin public end-user REST API under /api/public/v1/* so native apps (and any first-party client) can read and write feedback as an end user — without a workspace API key. It reuses existing domain services (no new business logic, no schema migrations) and uses the existing better-auth bearer session for writes.

Motivation: the admin /api/v1/* API is API-key/team-scoped (not shippable in a consumer app), and end-user content is otherwise only reachable via the portal's server functions / the widget iframe — neither a public contract. This unblocks a native give-feedback app (a separate iOS repo consumes this via the published OpenAPI spec).

Auth model

• Reads: anonymous allowed. When a bearer session is present, responses are enriched (e.g. hasVoted).
• Writes: require a session. requirePortalSession (new domains/api/portal-auth.ts) resolves a better-auth session token → user + principal, mirroring getWidgetSession. The actor is always session.principal.id — never client-supplied.

Endpoints

Reads: GET /config, /boards, /posts (feed, hasVoted), /posts/:id, /posts/:id/comments, /changelog(+/:id), /help/categories, /help/articles/:slug, /help/search, /openapi.json.
Writes (bearer): POST /posts (submit), /posts/:id/vote, /posts/:id/comments.

Visibility / safety (enforced + tested)

• Feed, detail, and comments only expose public-board, non-deleted, non-merged posts; detail/comments return an identical 404 for private/deleted/merged posts (no existence oracle).
• Public comment list excludes private/team-only comments (publicOnly option, backward-compatible) and prunes deleted leaves.
• Changelog/help return published content only.
• Submit rejects private/nonexistent boards with a uniform 404.

Reuse, not rewrite

Handlers call existing services (createPost, voteOnPost, createComment, listChangelogs, getPublicArticleBySlug, hybridSearch, getPublicWidgetConfig, …). The only new query is listPublicPostFeed (cursor keyset over public boards). The one shared change — adding board.isPublic to PostWithDetails and an optional publicOnly to getCommentsWithReplies — is additive and leaves admin behavior unchanged (verified: admin posts tests pass, tsc clean).

Test plan

• bunx vitest run over the public API + touched services: 114 tests pass
• Admin v1/posts tests still pass (10/10) — no regression from shared-service changes
• tsc --noEmit -p apps/web → 0 errors (with route tree generated, as CI does)
• eslint clean on all new files
• Built via TDD; per-task + holistic review caught and fixed real issues (board-visibility leak, private-comment exposure, deleted/merged exposure, enumeration oracle, nullable-email/empty-returning hardening, author-injection guards)
• CI green on this PR

🤖 Generated with Claude Code

[BunsDev]

Closing this as superseded/stale after the public mobile API work landed on current main.\n\nThe read surface from this PR now overlaps/conflicts with the merged public API compatibility routes in #3, and the branch no longer merges cleanly. The remaining useful pieces here — portal-session auth, public write endpoints, config/openapi/search/detail expansions — should be re-cut as a smaller follow-up PR against current main so they can be reviewed and verified independently without replaying the already-shipped route work.