feat(18-03): add profile routes, public setup endpoint, and auth middleware updates

- GET /api/users/:id/profile: public profile with public setups (no auth)
- PUT /api/auth/profile: update own profile (requires auth)
- GET /api/setups/:id/public: public setup view with items (no auth)
- Auth middleware skips public profile and public setup GET endpoints
- Register profileRoutes at /api/users in index.ts
- Add getOrCreateUncategorized to category service (Rule 3 fix)
- 10 route tests covering auth, public access, and 404 cases

src/server/index.ts

@@ -16,6 +16,7 @@ import { imageRoutes } from "./routes/images.ts";
 import { itemRoutes } from "./routes/items.ts";
 import { oauthRoutes, wellKnownRoute } from "./routes/oauth.ts";
 import { settingsRoutes } from "./routes/settings.ts";
+import { profileRoutes } from "./routes/profiles.ts";
 import { setupRoutes } from "./routes/setups.ts";
 import { threadRoutes } from "./routes/threads.ts";
 import { totalRoutes } from "./routes/totals.ts";
@@ -73,7 +74,13 @@ app.use("/api/*", async (c, next) => {
 	if (c.req.path.startsWith("/api/auth")) return next();
 	// Skip health check
 	if (c.req.path === "/api/health") return next();
-	// All methods require auth for userId resolution
+	// Skip public profile endpoint (GET /api/users/:id/profile)
+	if (/^\/api\/users\/\d+\/profile$/.test(c.req.path) && c.req.method === "GET")
+		return next();
+	// Skip public setup view (GET /api/setups/:id/public)
+	if (/^\/api\/setups\/\d+\/public$/.test(c.req.path) && c.req.method === "GET")
+		return next();
+	// All other methods require auth for userId resolution
 	return requireAuth(c, next);
 });
 
@@ -85,6 +92,7 @@ app.route("/api/totals", totalRoutes);
 app.route("/api/images", imageRoutes);
 app.route("/api/settings", settingsRoutes);
 app.route("/api/threads", threadRoutes);
+app.route("/api/users", profileRoutes);
 app.route("/api/setups", setupRoutes);
 
 // MCP server (conditionally mounted)