fix: Prevent cache-control middleware from caching API responses

The catch-all else clause in the cache-control middleware was overriding
the security middleware's no-cache headers for /api/ paths, setting them
to 'public, max-age=3600'. This caused browsers to cache stale API
responses, resulting in the blog page showing "0 posts found" despite
the API having data.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

src/server.js

@@ -114,7 +114,13 @@ app.use((req, res, next) => {
   else if (path === '/manifest.json') {
     res.setHeader('Cache-Control', 'public, max-age=86400'); // 1 day
   }
-  // Everything else: Short cache
+  // API responses: NEVER cache (security middleware sets this too, but catch-all below would override)
+  else if (path.startsWith('/api/')) {
+    res.setHeader('Cache-Control', 'no-store, no-cache, must-revalidate, proxy-revalidate');
+    res.setHeader('Pragma', 'no-cache');
+    res.setHeader('Expires', '0');
+  }
+  // Everything else (static assets without extensions): Short cache
   else {
     res.setHeader('Cache-Control', 'public, max-age=3600'); // 1 hour
   }