fix: restrict public content API access by status and role

[lane711]

Summary

Cherry-picked from #693 by @bobbwal

Restricts the public content listing API so unpublished content is no longer exposed by default. Anonymous requests are now published-only, and non-public status access on the public list endpoints is limited to admin and editor roles.

Security fix: Draft content was publicly readable via /api/collections/:collection/content without authentication (see #692).

Changes

• Add a shared public-content access policy for GET /api/content and GET /api/collections/:collection/content
• Force anonymous requests to published-only results, even when callers try to filter for drafts/archived content
• Gate non-public list access by role: admin/editor may request non-published statuses; author/viewer remain published-only
• Apply optionalAuth() to the public content list routes and normalize status filters safely
• Add focused unit and route-level coverage for anonymous/admin/viewer/author behavior
• Add Playwright regression coverage for public vs authenticated content visibility
• Update API/security docs to reflect the new default policy

Attribution

• Original PR: fix: restrict public content API access by status and role #693
• Original Author: @bobbwal (Rob Walton)
• Cherry-picked with full authorship preserved

Verification

• Type-check: passing
• Unit tests: 1246 passed (44 test files)

Closes #693
Fixes #692

🤖 Generated with Claude Code