fix: make GET /settings/branding public to break login loading loop

LoginPage calls /settings/branding to load branding config (logo, colors).
Without @Public(), the JWT guard returns 401, which triggered the axios
response interceptor to attempt a silent refresh, fail, and call
window.location.href = '/login' — creating an infinite reload loop on
the login page itself.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

packages/core-service/src/core/settings/settings.controller.ts

@@ -10,6 +10,7 @@ import {
   BadRequestException,
 } from '@nestjs/common';
 import { ApiTags, ApiOperation } from '@nestjs/swagger';
+import { Public } from '../../common/decorators/public.decorator';
 import { Roles } from '../../common/decorators/roles.decorator';
 import { RolesGuard } from '../../common/guards/roles.guard';
 import { randomUUID, X509Certificate, createPrivateKey } from 'crypto';
@@ -152,6 +153,7 @@ export class SettingsController {
    * Branding-Einstellungen lesen (Logo, Sidebar-Farbe, Login-Hintergrund etc.).
    */
   @Get('branding')
+  @Public()
   @ApiOperation({ summary: 'Branding-Einstellungen lesen' })
   async getBranding(): Promise<{
     logo: string | null;