test(api): add full API test suite with get_keycloak_client async fix

Add 45 API tests covering all 12 post endpoints (CRUD, publish/unpublish) with RBAC policy coverage across guest, user, admin roles.

Fix get_keycloak_client() in deps.py to be async - Dishka's async container requires await on get(), without it a coroutine object was returned instead of the actual client.

tests/TEST_MODEL.md

@@ -8,8 +8,8 @@ adding new tests.
 
 | Feature | Unit | Integration | API | E2E | Priority | Status |
 |---------|:----:|:-----------:|:---:|:---:|:--------:|:------:|
-| Post Lifecycle (CRUD, Publish) | 85% | — | — | 70% | P0 | ✅ Active |
-| RBAC & Access Control | 100% | — | — | 60% | P0 | ✅ Active |
+| Post Lifecycle (CRUD, Publish) | 85% | — | 90% | 70% | P0 | ✅ Active |
+| RBAC & Access Control | 100% | — | 90% | 60% | P0 | ✅ Active |
 | Domain Value Objects | 100% | — | — | — | P0 | ✅ Stable |
 | Domain Entities | 95% | — | — | — | P0 | ✅ Stable |
 | Domain Exceptions | 100% | — | — | — | P1 | ✅ Stable |
@@ -50,7 +50,7 @@ Legend: ✅ Covered / ⚠️ Partial / ❌ Missing / — Not Applicable
 ## Risk Areas
 
 1. **No Integration Tests**: SQLAlchemy repository has no integration tests against a real database.
-2. **Deleted API Tests**: API endpoint tests were removed in a previous refactor and need restoration.
+2. **Restored API Tests**: API endpoint tests restored in `tests/api/` covering all CRUD, publish/unpublish, and RBAC policies.
 3. **Web UI Error Handling**: Only covered indirectly via E2E; no dedicated error-scenario E2E tests.
 4. **Pagination Edge Cases**: Page boundaries, empty pages, and large offsets are not explicitly tested.
 5. **Edit/Delete Web Flows**: No E2E coverage for editing or deleting posts through the web UI.