public: landing + pricing + legal pages, apex-ready, lawyer-reviewed

Adds the unauthenticated surface that's needed to invite outsiders:

  - Landing (/) — dual-purpose root: dashboard for logged-in users,
    landing for everyone else. New maybe_current_user soft-auth helper
    in app/auth.py supports it without disturbing the per-route
    require_token deps on /news, /log, /upload, /settings.
  - About, Pricing, Disclaimer, Terms, Privacy — own router
    (app/routers/public.py), no auth dep, shared public_base layout
    (brand link, thin nav, footer with legal links + ICO ref + date).
  - Editorial positioning: news aggregator with a macro brain; tagline
    "Understand markets. Don't gamble on them."; anti-trading-as-gambling
    stance carried through About and Landing.

Legal pass following an independent lawyer-style review:

  - Privacy: explicit UK-GDPR Art. 6 lawful-basis section; Art. 22
    automated-decision line; explicit consent for sessionStorage sync
    key (PECR); 30-day IP-log retention; Art. 21 objection right;
    Children clause; Art. 33/34 breach-notification clause;
    international-transfer mechanism (IDTA + UK Addendum). ICO
    registration ZC098928 surfaced at the top.
  - Pricing: paid-card AI-portfolio-analysis bullet rewritten to remove
    advice-shaped wording ("what would invalidate the posture" gone);
    added italic carve-out citing FSMA / FCA COBS.
  - Disclaimer: separate EU/EEA carve-out + MAR 596/2014 Art. 3(1)(34)
    commentator safe-harbour; "qualifies the Terms" line; hallucination
    wording fixed.
  - Terms: cl.4 explicit AI-training prohibition + harassment line;
    cl.5 CCR 2013 14-day cancellation; cl.7 softened AI copyright
    claim under CDPA s.9(3) ambiguity; cl.8 proportionate suspension +
    pro-rata refund for paid users; cl.10 CRA 2015 Pt 1 statutory-rights
    carve-out from the liability cap; cl.11 right to close account on
    material change; cl.12 non-exclusive jurisdiction + UK consumer
    local courts.

Code-side enforcement of the Privacy claim:

  - openrouter.py: outbound OpenRouter calls now carry
    X-OR-Allow-Training: false. DeepSeek doesn't expose a per-request
    flag; the Privacy page discloses this caveat verbatim.

Apex domain prep:

  - branding.APP_URL flipped to https://read.markets (was app.). DNS for
    the apex already resolves; pending operator NPM step is a cert that
    covers the bare apex + a 301 from app.read.markets. No hard-coded
    subdomain references remain in code (verified with grep).

Nav + chrome:

  - app dropdown gains Pricing / Terms / Privacy / Disclaimer links.
  - login.html gains a small legal-links footer for the
    highest-leverage moment to surface them.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

app/templates/public_base.html

@@ -0,0 +1,64 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+  <title>{% block title %}{{ BRAND_NAME }}{% endblock %}</title>
+  <meta name="description" content="{{ TAGLINE }}">
+  {# Same flash-prevention theme bootstrap as the app shell. #}
+  <script>
+    (function() {
+      try {
+        var t = localStorage.getItem('cassandra.theme') || 'light';
+        document.documentElement.dataset.theme = t;
+      } catch (e) { document.documentElement.dataset.theme = 'light'; }
+    })();
+  </script>
+  <link rel="stylesheet" href="{{ url_for('static', path='/css/cassandra.css') }}" />
+</head>
+<body class="public-page">
+<div class="public-shell">
+  <header class="public-header">
+    <a class="public-header__brand" href="/" aria-label="{{ BRAND_NAME }} home">
+      {{ BRAND_NAME }}
+    </a>
+    <nav class="public-header__nav">
+      <a href="/pricing" class="{% if request.url.path == '/pricing' %}active{% endif %}">Pricing</a>
+      <a href="/about"   class="{% if request.url.path == '/about'   %}active{% endif %}">About</a>
+      {% if cu and (cu.user or cu.is_admin) %}
+        <a href="/" class="public-header__cta">Dashboard</a>
+      {% else %}
+        <a href="/login" class="public-header__cta">Sign in / sign up</a>
+      {% endif %}
+    </nav>
+  </header>
+
+  <main class="public-main">
+    {% block main %}{% endblock %}
+  </main>
+
+  <footer class="public-footer">
+    <div class="public-footer__inner">
+      <div class="public-footer__brand">
+        <strong>{{ BRAND_NAME }}</strong>
+        <span class="public-footer__tagline">{{ TAGLINE }}</span>
+      </div>
+      <nav class="public-footer__links">
+        <a href="/pricing">Pricing</a>
+        <a href="/about">About</a>
+        <a href="/terms">Terms</a>
+        <a href="/privacy">Privacy</a>
+        <a href="/disclaimer">Disclaimer</a>
+      </nav>
+      <div class="public-footer__meta">
+        &copy; 2026 {{ LEGAL_OPERATOR }} &middot;
+        Not investment advice &middot;
+        {{ OPERATOR_JURISDICTION }} &middot;
+        ICO ZC098928 &middot;
+        Last reviewed 2026-05-24
+      </div>
+    </div>
+  </footer>
+</div>
+</body>
+</html>