feat(security): implement safe guest auth flow and harden request_jwt

- Patched request_jwt to strip privileged IDs when signing with public keys
- Updated AccountContext and V3 dependencies to preserve JWT payloads for guests
- Whitelisted Archive, Post, Event, and other core objects for public read access
- Added 'default_qry_str' to Event searchable fields
- Added test_e2e_jwt_guest_auth.py for security verification

app/routers/api.py

@@ -93,6 +93,16 @@ async def request_jwt(
         log.error('No key found to sign the JWT with!')
         return mk_resp(data=False, status_code=400, response=response) # Bad Request
 
+    # SECURITY PATCH: Prevent public API key from minting privileged tokens
+    # If we are using the default system key (settings.JWT_KEY) but NO external signing key was provided 
+    # (i.e. access via public API Key), we must NOT allow minting account-level privileges.
+    if not x_aether_signing_key:
+        if account_id or person_id or user_id: # Check params from function signature (not payload dict yet)
+            log.warning("Security: Attempt to mint privileged JWT without signing key. Downgrading to Guest.")
+            account_id = None
+            person_id = None
+            user_id = None
+            # We allow json_str and b64_str to pass through for session context
 
     payload = {}
     payload['account_id'] = account_id