Fix embed-key endpoint to use username/slug routing pattern

[Copilot]

The embed-key endpoint used /api/project/:slug/embed-key instead of following the application's standard username/slug pattern, causing routing ambiguity when multiple users have identically-named projects.

Changes

• Route: /api/project/:slug/embed-key → /api/project/:username/:slug/embed-key
• Handler signature: Path(slug) → Path((username, slug))
• SQL query: Match on both owner_username and slug with case-insensitive comparison
• Client calls: Include username in embed-key fetch URL (2 locations)

Example

Before:

// Ambiguous - which user's "my-tool" project?
GET /api/project/my-tool/embed-key
WHERE LOWER(slug) = LOWER($1)

After:

// Unambiguous project identification
GET /api/project/johndoe/my-tool/embed-key
WHERE LOWER(owner_username) = LOWER($1) AND LOWER(slug) = LOWER($2)

Route Structure

/api/project/:username/:slug              → project access (with security checks)
/api/project/:username/:slug/embed-key    → private key retrieval (owner-only)
/api/project/:slug/whitelist              → whitelist management (owner-only, session-based)
/api/project/:slug                        → project deletion (owner-only, session-based)

Note: Whitelist and delete endpoints remain slug-only as they verify ownership via session user.id.

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.