fix(auth): protect bare api root path #43

Merged: DonPrus merged 3 commits into nullclaw:main from vernonstinebaker:fix/auth-api-root on May 6, 2026

@vernonstinebaker
Contributor

Summary

  • fix auth.isPublicPath() so bare /api is treated as a protected path instead of falling through as public
  • add a regression test for /api alongside the existing /api/status protected-path coverage
  • close a small but real auth boundary gap in the server auth gate, which checks isPublicPath(target) before requiring a bearer token
  • keep the change narrowly scoped to auth-path classification

Validation

  • zig build test -Dembed-ui=false -Dbuild-ui=false --summary all
  • npm --prefix ui ci --no-audit --no-fund
  • npm --prefix ui run build
  • bash tests/test_e2e.sh
  • zig fmt --check src/
  • git diff --check

Notes

  • this is a production fix plus regression test, not just a test-only change
  • the behavior is consistent with the existing intent that API paths require auth unless explicitly public (/health)
  • follow-up Phase 5 slices will continue with orchestration proxy coverage, installer failure/cleanup coverage, and service helper boundary coverage

@DonPrus DonPrus merged commit 7b09d88 into nullclaw:main May 6, 2026
4 checks passed
@vernonstinebaker vernonstinebaker deleted the fix/auth-api-root branch May 6, 2026 19:30
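
The classification gap described in this PR, as an added Zig sketch that is not the project's code. The pre-fix body of isPublicPath, the gate's status codes, and the default that non-API paths are public are assumptions; only the names isPublicPath, /api, /api/status and /health come from the PR text.

```zig
const std = @import("std");

// Hypothetical pre-fix classifier: only the "/api/" prefix is protected,
// so the bare "/api" root falls through to the public default.
fn isPublicPathBefore(target: []const u8) bool {
    if (std.mem.eql(u8, target, "/health")) return true;
    if (std.mem.startsWith(u8, target, "/api/")) return false;
    return true;
}

// Hypothetical post-fix classifier: the bare root is protected as well.
fn isPublicPathAfter(target: []const u8) bool {
    if (std.mem.eql(u8, target, "/health")) return true;
    if (std.mem.eql(u8, target, "/api")) return false;
    if (std.mem.startsWith(u8, target, "/api/")) return false;
    return true;
}

// Simplified auth gate: public paths skip the bearer check, as the PR describes.
// Token validation is reduced to "a bearer token is present" (assumption).
fn gate(comptime isPublic: fn ([]const u8) bool, target: []const u8, bearer: ?[]const u8) u16 {
    if (isPublic(target)) return 200;
    if (bearer == null) return 401;
    return 200;
}

test "bare /api is protected alongside /api/status" {
    try std.testing.expect(!isPublicPathAfter("/api"));
    try std.testing.expect(!isPublicPathAfter("/api/status"));
    try std.testing.expect(isPublicPathAfter("/health"));
    // "/apiary" only shares a string prefix with "/api"; it is not an API path.
    try std.testing.expect(isPublicPathAfter("/apiary"));
}

test "unauthenticated request to /api: gap before, 401 after" {
    try std.testing.expectEqual(@as(u16, 200), gate(isPublicPathBefore, "/api", null));
    try std.testing.expectEqual(@as(u16, 401), gate(isPublicPathAfter, "/api", null));
    try std.testing.expectEqual(@as(u16, 200), gate(isPublicPathAfter, "/api", "constructed-token"));
}
```

Save the block to a file and run it with `zig test` on that file; both test blocks exercise the classifier and the gate together.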