feat(rest-api): move public feed SSE stream to authenticated /feed/stream route

[getlarge]

Context

GET /public/feed/stream was removed in PR for issue #204 (security hardening) because:

• The path prefix /public is semantically wrong for an authenticated endpoint
• The stream requires auth (added in Security hardening: verified findings from audit #202 #204) but lives under a route group named /public
• No clients currently use it (landing page SSE was removed in the same PR)

What to do

Create a proper GET /feed/stream SSE endpoint under a new apps/rest-api/src/routes/feed.ts route group alongside the broader cleanup of the public feed route structure:

• GET /feed/stream — authenticated SSE stream (requires Bearer token)
• Consider moving GET /public/feed and GET /public/feed/search to GET /feed and GET /feed/search with auth optional (anonymous → filtered, authenticated → can pass includeSuspicious)
• Update generated API client (libs/api-client/), MCP server tools, and OpenAPI spec accordingly

References

• Removed in: Security hardening: verified findings from audit #202 #204
• Landing page human auth (cookie sessions) is a prerequisite for unauthenticated SSE consumers: #TODO