fix(auth): SDK'yı kaldırıp ince REST katmanına geç (lib/appwrite-rest.ts)

Sorun:
- node-appwrite v20-25 hepsi Node 26'da bozuk (node-fetch-native-with-agent polyfill)
- appwrite browser SDK Server Action context'inde 'unexpected response' veriyor
  (büyük olasılıkla browser-only global'ları kontrol ederken)

Çözüm:
- Tüm Appwrite SDK'larını sil (appwrite + node-appwrite)
- lib/appwrite-rest.ts: native fetch üzerinde ~250 satırlık ince REST wrapper
  - account: createEmailPasswordSession, get, deleteSession
  - tablesDB: listRows, getRow, createRow, updateRow, deleteRow
  - storage: listFiles, createFile, deleteFile, fileViewUrl
  - Q helpers: equal, orderAsc/Desc, limit, offset
  - AppwriteError class
- Session secret cookie tabanlı auth korundu (isletmem-kovakcrm'deki desen)
- Tüm CRUD action ve query'ler REST katmanına bağlandı

End-to-end test edildi:
✓ Login (proper 401 hata mesajları, başarılı durumda redirect)
✓ Public read (services, blog, testimonials)
✓ Anonim create (contact form)
✓ Build (24 route)
✓ Sıfır SDK bağımlılığı — Node 26 sorunu yok

lib/data.ts

@@ -1,6 +1,6 @@
 import "server-only";
-import { Query } from "appwrite";
-import { publicDB, DATABASE_ID, TABLES } from "@/lib/appwrite-server";
+import { DATABASE_ID, Q, TABLES, tablesDB } from "@/lib/appwrite-rest";
+import { getSessionSecret } from "@/lib/auth";
 import type {
   BlogPostRow,
   ContactMessageRow,
@@ -13,98 +13,114 @@ import type {
 
 async function safeList<T>(tableId: string, queries: string[]): Promise<T[]> {
   try {
-    const res = await publicDB.listRows({
-      databaseId: DATABASE_ID,
+    const res = await tablesDB.listRows<T>(DATABASE_ID, tableId, queries);
+    return res.rows;
+  } catch {
+    return [];
+  }
+}
+
+async function safeListAuth<T>(tableId: string, queries: string[]): Promise<T[]> {
+  try {
+    const secret = await getSessionSecret();
+    const res = await tablesDB.listRows<T>(
+      DATABASE_ID,
       tableId,
       queries,
-    });
-    return res.rows as T[];
+      secret ?? undefined,
+    );
+    return res.rows;
   } catch {
     return [];
   }
 }
 
 export async function listServices(opts?: { featured?: boolean }) {
-  const q = [Query.orderAsc("order"), Query.limit(50)];
-  if (opts?.featured) q.unshift(Query.equal("featured", true));
+  const q = [Q.orderAsc("order"), Q.limit(50)];
+  if (opts?.featured) q.unshift(Q.equal("featured", true));
   return safeList<ServiceRow>(TABLES.services, q);
 }
 
 export async function listProjects(opts?: { featured?: boolean; limit?: number }) {
-  const q = [Query.orderDesc("year"), Query.limit(opts?.limit ?? 50)];
-  if (opts?.featured) q.unshift(Query.equal("featured", true));
+  const q = [Q.orderDesc("year"), Q.limit(opts?.limit ?? 50)];
+  if (opts?.featured) q.unshift(Q.equal("featured", true));
   return safeList<ProjectRow>(TABLES.projects, q);
 }
 
 export async function listPublishedPosts(opts?: { limit?: number }) {
   return safeList<BlogPostRow>(TABLES.blogPosts, [
-    Query.equal("status", "published"),
-    Query.orderDesc("published_at"),
-    Query.limit(opts?.limit ?? 50),
+    Q.equal("status", "published"),
+    Q.orderDesc("published_at"),
+    Q.limit(opts?.limit ?? 50),
   ]);
 }
 
 export async function listAllPosts() {
-  return safeList<BlogPostRow>(TABLES.blogPosts, [
-    Query.orderDesc("$createdAt"),
-    Query.limit(200),
+  return safeListAuth<BlogPostRow>(TABLES.blogPosts, [
+    Q.orderDesc("$createdAt"),
+    Q.limit(200),
   ]);
 }
 
 export async function getPostBySlug(slug: string): Promise<BlogPostRow | null> {
   const res = await safeList<BlogPostRow>(TABLES.blogPosts, [
-    Query.equal("slug", slug),
-    Query.limit(1),
+    Q.equal("slug", slug),
+    Q.limit(1),
   ]);
   return res[0] ?? null;
 }
 
 export async function listTestimonials(opts?: { featured?: boolean }) {
-  const q = [Query.orderAsc("order"), Query.limit(50)];
-  if (opts?.featured) q.unshift(Query.equal("featured", true));
+  const q = [Q.orderAsc("order"), Q.limit(50)];
+  if (opts?.featured) q.unshift(Q.equal("featured", true));
   return safeList<TestimonialRow>(TABLES.testimonials, q);
 }
 
 export async function listMessages(status?: ContactMessageRow["status"]) {
-  const q = [Query.orderDesc("$createdAt"), Query.limit(200)];
-  if (status) q.unshift(Query.equal("status", status));
-  return safeList<ContactMessageRow>(TABLES.contactMessages, q);
+  const q = [Q.orderDesc("$createdAt"), Q.limit(200)];
+  if (status) q.unshift(Q.equal("status", status));
+  return safeListAuth<ContactMessageRow>(TABLES.contactMessages, q);
 }
 
 export async function getSeoPage(path: string): Promise<SeoPageRow | null> {
   const res = await safeList<SeoPageRow>(TABLES.seoPages, [
-    Query.equal("path", path),
-    Query.limit(1),
+    Q.equal("path", path),
+    Q.limit(1),
   ]);
   return res[0] ?? null;
 }
 
 export async function listSeoPages() {
-  return safeList<SeoPageRow>(TABLES.seoPages, [
-    Query.orderAsc("path"),
-    Query.limit(200),
+  return safeListAuth<SeoPageRow>(TABLES.seoPages, [
+    Q.orderAsc("path"),
+    Q.limit(200),
   ]);
 }
 
 export async function getSeoSettings(): Promise<SeoSettingsRow | null> {
   try {
-    return (await publicDB.getRow({
-      databaseId: DATABASE_ID,
-      tableId: TABLES.seoSettings,
-      rowId: "global",
-    })) as unknown as SeoSettingsRow;
+    return await tablesDB.getRow<SeoSettingsRow>(
+      DATABASE_ID,
+      TABLES.seoSettings,
+      "global",
+    );
   } catch {
     return null;
   }
 }
 
-export async function getRow<T>(tableId: string, rowId: string): Promise<T | null> {
+export async function getRow<T>(
+  tableId: string,
+  rowId: string,
+): Promise<T | null> {
   try {
-    return (await publicDB.getRow({
-      databaseId: DATABASE_ID,
+    const secret = await getSessionSecret();
+    return await tablesDB.getRow<T>(
+      DATABASE_ID,
       tableId,
       rowId,
-    })) as unknown as T;
+      secret ?? undefined,
+    );
   } catch {
     return null;
   }