fix: add /posts/{slug} detail route so post titles resolve

Post cards on the home page have linked to /posts/<slug> since
Phase 1 (per the partial's inline comment), but the matching route
and template were never registered — clicking a post title returned
a JSON 404 from FastAPI. This adds:

- PostService.get_published_by_slug() — status-filtered, parameterized
  read that treats "draft" and "unknown slug" as the same 404 so
  unpublished titles cannot be enumerated via URL guessing.
- GET /posts/{slug} public route that 404s on miss.
- public/post.html detail template mirroring about.html's safe-render
  pattern for the bleach-sanitized body_html_cached.
- Supporting .page-article__date / .page-article__back CSS.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

app/templates/public/post.html

@@ -0,0 +1,36 @@
+{#
+  Single blog post detail page.
+
+  Receives:
+    - post        : app.models.entities.Post
+    - active_nav  : str   "home"
+
+  ``post.body_html_cached`` is the bleach-sanitized output of the
+  Markdown pipeline (allowlisted tags/attrs/protocols only), so
+  rendering with ``| safe`` does not reintroduce XSS risk. Same
+  rationale as ``public/about.html``.
+#}
+{% extends "public/base.html" %}
+
+{% block title %}{{ post.title }} — Chicken Babies R Us{% endblock %}
+{% block meta_description %}{{ post.title }} — a post from Chicken Babies R Us.{% endblock %}
+
+{% block content %}
+  <article class="page-article">
+    <header class="page-article__header">
+      <h1 class="page-article__title">{{ post.title }}</h1>
+      {% if post.published_at %}
+        <time class="page-article__date"
+              datetime="{{ post.published_at.isoformat() }}">
+          {{ post.published_at.strftime("%B %-d, %Y") }}
+        </time>
+      {% endif %}
+    </header>
+
+    {{ post.body_html_cached | safe }}
+  </article>
+
+  <p class="page-article__back">
+    <a href="/">&larr; Back to all posts</a>
+  </p>
+{% endblock %}