public: landing + pricing + legal pages, apex-ready, lawyer-reviewed

Adds the unauthenticated surface that's needed to invite outsiders:

  - Landing (/) — dual-purpose root: dashboard for logged-in users,
    landing for everyone else. New maybe_current_user soft-auth helper
    in app/auth.py supports it without disturbing the per-route
    require_token deps on /news, /log, /upload, /settings.
  - About, Pricing, Disclaimer, Terms, Privacy — own router
    (app/routers/public.py), no auth dep, shared public_base layout
    (brand link, thin nav, footer with legal links + ICO ref + date).
  - Editorial positioning: news aggregator with a macro brain; tagline
    "Understand markets. Don't gamble on them."; anti-trading-as-gambling
    stance carried through About and Landing.

Legal pass following an independent lawyer-style review:

  - Privacy: explicit UK-GDPR Art. 6 lawful-basis section; Art. 22
    automated-decision line; explicit consent for sessionStorage sync
    key (PECR); 30-day IP-log retention; Art. 21 objection right;
    Children clause; Art. 33/34 breach-notification clause;
    international-transfer mechanism (IDTA + UK Addendum). ICO
    registration ZC098928 surfaced at the top.
  - Pricing: paid-card AI-portfolio-analysis bullet rewritten to remove
    advice-shaped wording ("what would invalidate the posture" gone);
    added italic carve-out citing FSMA / FCA COBS.
  - Disclaimer: separate EU/EEA carve-out + MAR 596/2014 Art. 3(1)(34)
    commentator safe-harbour; "qualifies the Terms" line; hallucination
    wording fixed.
  - Terms: cl.4 explicit AI-training prohibition + harassment line;
    cl.5 CCR 2013 14-day cancellation; cl.7 softened AI copyright
    claim under CDPA s.9(3) ambiguity; cl.8 proportionate suspension +
    pro-rata refund for paid users; cl.10 CRA 2015 Pt 1 statutory-rights
    carve-out from the liability cap; cl.11 right to close account on
    material change; cl.12 non-exclusive jurisdiction + UK consumer
    local courts.

Code-side enforcement of the Privacy claim:

  - openrouter.py: outbound OpenRouter calls now carry
    X-OR-Allow-Training: false. DeepSeek doesn't expose a per-request
    flag; the Privacy page discloses this caveat verbatim.

Apex domain prep:

  - branding.APP_URL flipped to https://read.markets (was app.). DNS for
    the apex already resolves; pending operator NPM step is a cert that
    covers the bare apex + a 301 from app.read.markets. No hard-coded
    subdomain references remain in code (verified with grep).

Nav + chrome:

  - app dropdown gains Pricing / Terms / Privacy / Disclaimer links.
  - login.html gains a small legal-links footer for the
    highest-leverage moment to surface them.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

app/templates/disclaimer.html

@@ -0,0 +1,110 @@
+{% extends "public_base.html" %}
+{% block title %}{{ BRAND_NAME }} · Disclaimer{% endblock %}
+
+{% block main %}
+
+<section class="public-section public-section--callout public-section--warning">
+  <h1 class="public-section__head" style="border:0; margin:0 0 6px;">
+    Financial disclaimer
+  </h1>
+  <p style="margin:0; font-size:15px;">
+    <strong>{{ BRAND_NAME }} is not investment advice.</strong>
+  </p>
+  <p style="margin-top:6px; font-size:12px; color: var(--muted);">
+    This page is part of, and qualifies, the
+    <a href="/terms">Terms of Service</a>.
+  </p>
+</section>
+
+<section class="public-section">
+  <h2 class="public-section__head">In short</h2>
+  <ul>
+    <li>Everything published here is for <strong>educational and
+        informational purposes only</strong>.</li>
+    <li>Nothing on this site is a buy or sell recommendation, a personal
+        recommendation, or an inducement to deal in any financial
+        instrument.</li>
+    <li>{{ BRAND_NAME }} is not a regulated financial firm. It is not
+        authorised by the Financial Conduct Authority and is not a
+        registered investment adviser in any jurisdiction.</li>
+    <li>The output is not tailored to your circumstances, objectives,
+        tax position, or risk tolerance.</li>
+    <li>Past performance does not predict future returns. Investing
+        carries the risk of losing money, including the principal.</li>
+  </ul>
+</section>
+
+<section class="public-section">
+  <h2 class="public-section__head">About the AI output</h2>
+  <p>
+    The strategic log, indicator summaries, and portfolio analysis are
+    generated by large language models from publicly available market
+    data and news. They can be wrong, incomplete, or out of date. Numbers
+    can be misread. Models occasionally generate inaccurate or invented
+    information (often called &ldquo;hallucinations&rdquo;). Treat them
+    as a <em>prompt to think</em>, not as facts to act on.
+  </p>
+  <p>
+    The portfolio analysis is an interpretation of holdings <em>you
+    supplied</em>. It does not consider your overall wealth, debts, tax
+    position, or anything we don&rsquo;t see. It is not personalised
+    advice.
+  </p>
+</section>
+
+<section class="public-section">
+  <h2 class="public-section__head">Before you act on anything</h2>
+  <p>
+    Consult a properly qualified, regulated financial adviser who knows
+    your full situation. Read the source documents (issuer accounts,
+    fund prospectus, etc.). If you are not in a position to lose the
+    money you would put at risk, do not put it at risk.
+  </p>
+</section>
+
+<section class="public-section">
+  <h2 class="public-section__head">Jurisdiction</h2>
+  <p>
+    {{ BRAND_NAME }} is operated from {{ OPERATOR_JURISDICTION }}. The
+    Service is not directed at, or intended for distribution to or use
+    by, any person in any jurisdiction where such distribution or use
+    would be contrary to local law or regulation.
+  </p>
+  <p>
+    No part of this Service constitutes an offer or solicitation of
+    securities to any US person within the meaning of US securities law.
+  </p>
+  <p>
+    The Service is not directed at retail or professional clients in any
+    EU/EEA member state, nor in any jurisdiction where its provision
+    would require local licensing or registration. Where any output of
+    the Service could be construed as an &ldquo;investment
+    recommendation&rdquo; under Regulation (EU) 596/2014 (Market Abuse
+    Regulation) or its UK equivalent, it is non-personalised, produced
+    by a non-regulated source for educational purposes only, and the
+    operator (a) has no position in, or remuneration linked to, the
+    specific instruments mentioned in any individual piece of commentary,
+    and (b) is not a &ldquo;relevant person&rdquo; within MAR Art.
+    3(1)(34).
+  </p>
+</section>
+
+<section class="public-section">
+  <h2 class="public-section__head">No warranty</h2>
+  <p>
+    The service is provided &ldquo;as is&rdquo; without warranties of any
+    kind. To the maximum extent permitted by applicable law, the operator
+    excludes liability for any loss arising from use of, or reliance on,
+    the content. See the <a href="/terms">Terms of Service</a> for the
+    full limitation of liability.
+  </p>
+</section>
+
+<section class="public-section">
+  <p style="font-size: 12px; color: var(--muted);">
+    Questions about this disclaimer:
+    <a href="mailto:{{ OPERATOR_EMAIL }}">{{ OPERATOR_EMAIL }}</a>.
+  </p>
+</section>
+
+{% endblock %}