feat(api): tokens on all routes; items expose claims/claimedQuantity/remainingQuantity

app/api/public/wishlists/route.ts

@@ -1,9 +1,16 @@
 import { NextRequest, NextResponse } from 'next/server';
 import { eq, asc } from 'drizzle-orm';
 import { db, wishlists } from '@/lib/db';
+import { getGuestFromRequest, verifyAdminToken } from '@/lib/auth/tokens';
 
 export async function GET(request: NextRequest) {
   try {
+    const isAdmin = verifyAdminToken(request);
+    const guest = await getGuestFromRequest(request);
+    if (!isAdmin && !guest) {
+      return NextResponse.json({ error: 'Convite necessário' }, { status: 401 });
+    }
+
     // Fetch only public wishlists
     const publicWishlists = await db
       .select()