feat(api): tokens on all routes; items expose claims/claimedQuantity/remainingQuantity

app/api/[slug]/route.ts

@@ -1,12 +1,19 @@
 import { NextRequest, NextResponse } from 'next/server';
 import { eq } from 'drizzle-orm';
 import { db, wishlists } from '@/lib/db';
+import { getGuestFromRequest, verifyAdminToken } from '@/lib/auth/tokens';
 
 export async function GET(
   request: NextRequest,
   { params }: { params: Promise<{ slug: string }> }
 ) {
   try {
+    const isAdmin = verifyAdminToken(request);
+    const guest = await getGuestFromRequest(request);
+    if (!isAdmin && !guest) {
+      return NextResponse.json({ error: 'Convite necessário' }, { status: 401 });
+    }
+
     const { slug } = await params;
 
     const wishlist = await db
@@ -22,8 +29,8 @@ export async function GET(
       );
     }
 
-    // Only return public wishlists
-    if (!wishlist[0].isPublic) {
+    // Only return public wishlists (admin can see all)
+    if (!wishlist[0].isPublic && !isAdmin) {
       return NextResponse.json(
         { error: 'Wishlist not found' },
         { status: 404 }