Public Share-Access Landing Page and API Contract Hardening (QA)

This release promotes a batch of frontend changes from dev into the QA environment for validation. It delivers a new public landing page that lets external recipients open and download shared files via a token link without logging in, makes bulk-job progress driven primarily by the live WebSocket connection (with a low-frequency safety poll), and completes a wide audit that aligns the web app's API calls with the backend contract to prevent silently dropped or misrouted requests.

Two needs drove this work. First, recipients of shared files are external users with no DSM account, so the existing app shell (which redirects anyone without a session to login) made share links unusable; a dedicated public, token-authorized landing experience was required. Second, an audit of every frontend service against the backend OpenAPI contract found cases where request parameters and bodies were typed loosely (unknown/Record<string, unknown>), letting mismatches slip past TypeScript and reach the backend as dropped filters or wrong endpoints.

• External recipients can open a /share/access/[token] link without signing in and see clear states: loading, unavailable, not-downloadable, preparing (with live progress), per-file manifest, and a ready-to-download ZIP.
• Bulk operations (mail/download/share jobs) report progress more reliably and finalize correctly even when a job completes before the live socket connects or while it is briefly disconnected.
• Several admin/data-management actions now behave correctly server-side that previously failed silently — e.g. department/organization filtering, bulk org reassignment, bulk mail delete, and contact listing.

Batch promotion (dev -> qa) combining two feature PRs. Frontend-only; no backend changes.

• Public share access (PR #1042): New apps/mail/src/app/share/access/[token]/page.tsx plus a shareAccess/ component family (shell, content, manifest, preparing, ready, unavailable cards) and a useShareAccessState view-model. New credential-less share-access.services.ts for /share/access, /share/files, and the ZIP build-poke (endpoints outside the axios /api base). Auth middleware refactored to a shared isPublicRoute/PUBLIC_ROUTE_PREFIXES list (constants/routes.ts, middleware.ts, session-expiry.utils.ts) so logged-out visitors stay on public routes; share queries opt out of the global error toast.
• WS-first bulk-job progress (PR #1042): useBulkOperationProgressState now seeds job state on mount and on each socket reconnect, replaces the 5s stale-event tight-poll trigger with a 30s safety poll active only while the socket is disconnected/silent, and finalizes on any terminal signal (socket, seed, or poll) with dedupe. New useShareProgressSocket hook and share-progress WS frame types in packages/types.
• API contract audit (PR #1041): Moved grid/filter keys from query params to request bodies (departments, documents, document-types, mails, folders); fixed endpoints (bulk mail delete -> POST /v1/mails/bulk-delete, getAllContacts -> GET, admin grid-columns /api prefix); corrected field names (tenant_id->assign_tenant_id, page_size->limit, status->status_id); numeric coercion of IDs; and replaced unknown request/response shapes with generated DTOs across many *.services.ts files.

Moderate, concentrated in the share feature and the bulk-progress refactor. The API audit touches many services, so a wrong key/endpoint rename could break a previously working flow; this is mitigated by passing pnpm typecheck (9/9) and pnpm lint (5/5) and by grounding each change in the backend contract. The public share route deliberately bypasses the auth gate, so the guard list must be exact — a too-broad prefix could expose authenticated pages. The progress hook's seed/poll/socket finalization is timing-sensitive (duplicate or missed completion). Mitigation: this PR targets QA only (not production), so these paths get human/automated validation before promotion to main.

• Open a valid share link while logged out: verify loading -> preparing (live progress) -> manifest -> ZIP-ready states render, files list paginates (Load more), and download works; confirm no forced login redirect.
• Open an invalid/expired and a not-downloadable share token: verify the correct unavailable messaging and that no global error toast fires.
• Confirm authenticated app pages still redirect logged-out users to login (public guard is not too broad).
• Bulk mail/download/share jobs: verify progress updates over WebSocket, completion is reported even if the job finishes before the socket connects or during a disconnect, and the panel does not regress to queued defaults.
• Regression-check the audited admin flows: department grid org filtering, Create Department (defaults to Active), bulk org/subclient reassignment, bulk mail delete, contact listing, and document/folder grid filters.