fix: restrict public content API access by status and role

[bobbwal]

Description

Restricts the public content listing API so unpublished content is no longer exposed by default. Anonymous requests are now published-only, and non-public status access on the public list endpoints is limited to admin and editor roles.

Fixes #692

Changes

• Add a shared public-content access policy for:
  • GET /api/content
  • GET /api/collections/:collection/content
• Force anonymous requests to published-only results, even when callers try to filter for drafts/archived content
• Gate non-public list access by role:
  • admin / editor may request non-published statuses
  • author / viewer remain published-only on these public list endpoints
• Apply optionalAuth() to the public content list routes and normalize status filters safely
• Add focused unit and route-level coverage for anonymous/admin/viewer/author behavior
• Add Playwright regression coverage for public vs authenticated content visibility
• Update API/security docs to reflect the new default policy

Testing

• npm test --workspace=packages/core -- api-content-access-policy.test.ts api-public-content-status.test.ts
• npm run type-check
• BASE_URL=http://localhost:8787 npx playwright test tests/e2e/62-public-content-api-status-visibility.spec.ts --config tests/playwright.config.ts

Unit Tests

• Added/updated unit tests
• All unit tests passing

E2E Tests

• Added/updated E2E tests
• All E2E tests passing

Screenshots/Videos

• None

Checklist

• Code follows project conventions
• Tests added/updated and passing
• Type checking passes
• No console errors or warnings
• Documentation updated (if needed)