fix: whitelist rvote GET API as public + guard campaign wizard auth client-side

1. Add GET /rvote/api/* to public endpoint whitelist so proposal
   listings work on private/permissioned spaces without auth.
2. Campaign wizard now checks for auth token before POSTing,
   showing "Please sign in" instead of a cryptic 401.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

modules/rsocials/components/folk-campaign-wizard.ts

@@ -170,6 +170,12 @@ export class FolkCampaignWizard extends HTMLElement {
 	}
 
 	private async createWizard(): Promise<string | null> {
+		const token = (window as any).__authToken || localStorage.getItem('auth_token') || '';
+		if (!token) {
+			this._error = 'Please sign in to create a campaign wizard';
+			this.render();
+			return null;
+		}
 		try {
 			const res = await this.apiFetch('/api/campaign/wizard', {
 				method: 'POST',

server/index.ts

@@ -2322,7 +2322,8 @@ for (const mod of getAllModules()) {
 			|| pathname.includes("/rcart/api/payments")
 			|| pathname.includes("/rcart/pay/")
 			|| pathname.includes("/rwallet/api/")
-			|| pathname.includes("/rdesign/api/");
+			|| pathname.includes("/rdesign/api/")
+			|| (c.req.method === "GET" && pathname.includes("/rvote/api/"));
 
 		if (!isHtmlRequest && !isPublicEndpoint && (vis === "private" || vis === "permissioned")) {
 			const token = extractToken(c.req.raw.headers);