feat: add public notes API for publishing encrypted notes

  - Add public_notes table with slug-based access
  - Implement CRUD endpoints for publishing/unpublishing notes
  - Add XSS protection with DOMPurify (blocks script, iframe, javascript: URLs)
  - Hide sensitive fields (id, noteId, userId) from public GET response
  - Add publish status fields to notes API responses
  - Generate cryptographically secure slugs with nanoid

Security: Server-side HTML sanitization, ownership checks on all authenticated endpoints, no enumeration possible

Author: rui-typelets

drizzle/0002_mixed_bulldozer.sql

@@ -0,0 +1,19 @@
+CREATE TABLE "public_notes" (
+	"id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
+	"slug" text NOT NULL,
+	"note_id" uuid NOT NULL,
+	"user_id" text NOT NULL,
+	"title" text NOT NULL,
+	"content" text NOT NULL,
+	"type" text DEFAULT 'note' NOT NULL,
+	"author_name" text,
+	"published_at" timestamp with time zone DEFAULT now() NOT NULL,
+	"updated_at" timestamp with time zone DEFAULT now() NOT NULL,
+	CONSTRAINT "public_notes_slug_unique" UNIQUE("slug")
+);
+--> statement-breakpoint
+ALTER TABLE "public_notes" ADD CONSTRAINT "public_notes_note_id_notes_id_fk" FOREIGN KEY ("note_id") REFERENCES "public"."notes"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "public_notes" ADD CONSTRAINT "public_notes_user_id_users_id_fk" FOREIGN KEY ("user_id") REFERENCES "public"."users"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+CREATE INDEX "idx_public_notes_slug" ON "public_notes" USING btree ("slug");--> statement-breakpoint
+CREATE INDEX "idx_public_notes_note_id" ON "public_notes" USING btree ("note_id");--> statement-breakpoint
+CREATE INDEX "idx_public_notes_user_id" ON "public_notes" USING btree ("user_id");