
fix: restrict app suggestions to public boards #39

Open
BunsDev wants to merge 1 commit into main from codex/propose-fix-for-sidebar-app-key-issue

fix: restrict app suggestions to public boards#39
BunsDev wants to merge 1 commit into
mainfrom
codex/propose-fix-for-sidebar-app-key-issue

Conversation

@BunsDev BunsDev (Member) commented Jun 5, 2026

Motivation

  • Prevent leakage of private-board posts from the embedding-backed /api/v1/apps/suggest endpoint, which is callable by browser-scoped app keys, by ensuring the vector search only returns posts from public, non-deleted boards.

Description

  • Restrict the embedding vector search in apps/web/src/routes/api/v1/apps/suggest.ts by adding eq(boards.isPublic, true) and isNull(boards.deletedAt) to the query WHERE clause and updating the comment, while preserving the existing deletion/embedding/similarity filters, ordering, limit, text-search fallback, and API-key auth.

Testing

  • Ran git diff --check which reported no issues; attempted bun run typecheck but it could not complete due to missing type definitions/dependencies; bun install failed with registry 403 responses so a full typecheck and test run were not possible.

Codex Task

Copilot AI review requested due to automatic review settings June 5, 2026 23:59

Copilot AI left a comment


Pull request overview

This PR tightens the /api/v1/apps/suggest vector-similarity search to prevent returning posts from private or soft-deleted boards when the endpoint is called with browser-scoped app keys.

Changes:

  • Restricts the vector search query to boards.isPublic = true.
  • Excludes soft-deleted boards from vector search via boards.deletedAt IS NULL.
  • Updates the in-code comment to reflect the new vector search scope.
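The predicate the PR describes, written out as an added example (this is not the project's code and not the contents of apps/web/src/routes/api/v1/apps/suggest.ts): an in-memory model of the suggest query so it runs without Drizzle or pgvector. The column names (posts.deletedAt, posts.embedding, boards.isPublic, boards.deletedAt) follow the PR description; the sample boards and posts, the query vector, the 0.5 similarity threshold and the `restrictToPublicBoards` flag are constructed for illustration. The flag toggles between the pre-fix and post-fix filter so the leak is observable rather than described.

```typescript
// Added example, not the project's code. Models the access filter described in
// PR #39 over in-memory records instead of a Drizzle/pgvector query.

interface Board {
  id: string;
  isPublic: boolean;
  deletedAt: Date | null; // soft delete, as in boards.deletedAt
}

interface Post {
  id: string;
  boardId: string;
  title: string;
  deletedAt: Date | null;     // soft delete, as in posts.deletedAt
  embedding: number[] | null; // null until the post has been embedded
}

// Cosine similarity. pgvector's `<=>` operator yields cosine distance
// (1 - similarity); ordering by distance ascending is the same ranking.
function cosineSimilarity(a: number[], b: number[]): number {
  let dot = 0;
  let na = 0;
  let nb = 0;
  for (let i = 0; i < a.length; i++) {
    dot += a[i] * b[i];
    na += a[i] * a[i];
    nb += b[i] * b[i];
  }
  return dot / (Math.sqrt(na) * Math.sqrt(nb));
}

interface SuggestOptions {
  threshold: number;              // minimum similarity to return
  limit: number;
  restrictToPublicBoards: boolean; // false reproduces the pre-fix behaviour
}

// In Drizzle terms the hardened WHERE clause is roughly (assumed shape):
//   and(isNull(posts.deletedAt), isNotNull(posts.embedding),
//       eq(boards.isPublic, true), isNull(boards.deletedAt), ...)
function suggest(
  query: number[],
  posts: Post[],
  boards: Board[],
  opts: SuggestOptions,
): Array<{ id: string; similarity: number }> {
  const boardById = new Map<string, Board>(boards.map((b) => [b.id, b] as [string, Board]));
  return posts
    // Pre-existing filters the PR keeps: non-deleted posts that have an embedding.
    .filter((p) => p.deletedAt === null && p.embedding !== null)
    .filter((p) => {
      if (!opts.restrictToPublicBoards) return true;
      const board = boardById.get(p.boardId);
      // The PR's additions: eq(boards.isPublic, true) and isNull(boards.deletedAt).
      // A post whose board row is missing is treated as not visible (inner-join semantics).
      return board !== undefined && board.isPublic && board.deletedAt === null;
    })
    .map((p) => ({ id: p.id, similarity: cosineSimilarity(query, p.embedding as number[]) }))
    .filter((r) => r.similarity >= opts.threshold)
    .sort((a, b) => b.similarity - a.similarity)
    .slice(0, opts.limit);
}

// Constructed sample data: one public board, one private, one soft-deleted.
const sampleBoards: Board[] = [
  { id: "b-public", isPublic: true, deletedAt: null },
  { id: "b-private", isPublic: false, deletedAt: null },
  { id: "b-deleted", isPublic: true, deletedAt: new Date("2026-01-01") },
];

const samplePosts: Post[] = [
  { id: "p1", boardId: "b-public", title: "Public roadmap", deletedAt: null, embedding: [1, 0, 0] },
  { id: "p2", boardId: "b-private", title: "Internal incident", deletedAt: null, embedding: [0.9, 0.1, 0] },
  { id: "p3", boardId: "b-deleted", title: "Old announcement", deletedAt: null, embedding: [0.8, 0.2, 0] },
  { id: "p4", boardId: "b-public", title: "Deleted post", deletedAt: new Date("2026-02-01"), embedding: [1, 0, 0] },
  { id: "p5", boardId: "b-public", title: "Not embedded yet", deletedAt: null, embedding: null },
];

// IDs a browser-scoped key could retrieve before the fix but not after it.
function leakedIds(): string[] {
  const query = [1, 0, 0];
  const base = { threshold: 0.5, limit: 10 };
  const before = suggest(query, samplePosts, sampleBoards, { ...base, restrictToPublicBoards: false });
  const after = suggest(query, samplePosts, sampleBoards, { ...base, restrictToPublicBoards: true });
  const visible = new Set(after.map((r) => r.id));
  return before.map((r) => r.id).filter((id) => !visible.has(id));
}

console.log("leaked before fix:", leakedIds());
```

Two things worth confirming in the real route rather than assuming from the description: the board join must be an inner join or an explicit existence check, since a post whose board row is absent would otherwise pass a NULL comparison; and the description scopes only the vector query while mentioning a preserved text-search fallback, so review should check that the fallback path applies the same board predicate, because a caller blocked on the embedding path will try the fallback next.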


@BunsDev BunsDev self-assigned this Jun 6, 2026


2 participants