Adds POST /admin/posts/feature, POST /admin/posts/unfeature
(both auth-required, admin-checked inside controller via the
use case's ForbiddenException), and public GET /posts/featured.
Post serialization now includes featureSlot.
Wires PostController (recent, show, create, delete, listByUser)
and CommentController (listForPost, create, delete) to the
existing use cases. Posts and comments expose author display
names alongside user IDs. CommentRepository binding added to
RepositoryServiceProvider.
Adds AuthenticatesUsers feature trait that runs the full
signup -> confirm -> login flow and exposes the resulting auth
cookie. Bumps phpunit defaultTimeLimit to 30 seconds so the
multi-bcrypt-per-test feature flow finishes inside the limit.
Wires AuthController (signup, confirmEmail, login, me, logout)
to the existing auth use cases. Routes mounted under /api with
AuthMiddleware on logout/me. RepositoryServiceProvider gains
EmailConfirmationToken and Post bindings; AppServiceProvider
binds the Emailer/EmailFactory and constructs SignupUser with
the configured from-address.
Signup now collects only email + displayName, creates an
unconfirmed user with empty password hash, mints an
EmailConfirmationToken, and dispatches a confirmation email.
Password is set during ConfirmUserEmail.
Adds displayname to existing assertions and new tests covering:
null/short/invalid-charset displayname, duplicate displayname,
findability by displayname. AuthenticateUser tests pick up the
seedUser displayname argument.
Add display_name (unique) and email_confirmed_at columns plus
matching getters, DTO fields, repo methods (findByDisplayName,
update), and migration. Existing auth tests updated to construct
User with the new params.
7 cases: zero postId or requesterId -> BadRequest; unknown post
is idempotent no-op; author can delete own post; admin can
delete anyone's post; non-author non-admin -> ForbiddenException;
forbidden attempts leave post intact.
