fix(consumer): Wire findagram/findadispo to public API

- Update Dockerfiles to use cannaiq.co as API base URL
- Change findagram API client from /api/az to /api/v1 endpoints
- Add trusted origin bypass in public-api middleware for consumer sites
- Consumer sites (findagram.co, findadispo.com) can now access /api/v1
  endpoints without API key authentication

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

backend/src/routes/public-api.ts

@@ -120,6 +120,35 @@ function isDomainAllowed(origin: string, allowedDomains: string[]): boolean {
   }
 }
 
+// Trusted origins for consumer sites (bypass API key auth)
+const CONSUMER_TRUSTED_ORIGINS = [
+  'https://findagram.co',
+  'https://www.findagram.co',
+  'https://findadispo.com',
+  'https://www.findadispo.com',
+  'http://localhost:3001',
+  'http://localhost:3002',
+];
+
+/**
+ * Check if request is from a trusted consumer origin
+ */
+function isConsumerTrustedRequest(req: Request): boolean {
+  const origin = req.headers.origin;
+  if (origin && CONSUMER_TRUSTED_ORIGINS.includes(origin)) {
+    return true;
+  }
+  const referer = req.headers.referer;
+  if (referer) {
+    for (const trusted of CONSUMER_TRUSTED_ORIGINS) {
+      if (referer.startsWith(trusted)) {
+        return true;
+      }
+    }
+  }
+  return false;
+}
+
 /**
  * Middleware to validate API key and build scope
  */
@@ -128,6 +157,19 @@ async function validatePublicApiKey(
   res: Response,
   next: NextFunction
 ) {
+  // Allow trusted consumer origins without API key (read-only access to all dispensaries)
+  if (isConsumerTrustedRequest(req)) {
+    // Create a synthetic internal permission for consumer sites
+    req.scope = {
+      type: 'internal',
+      dispensaryIds: 'ALL',
+      apiKeyId: 0,
+      apiKeyName: 'consumer-site',
+      rateLimit: 100,
+    };
+    return next();
+  }
+
   const apiKey = req.headers['x-api-key'] as string;
 
   if (!apiKey) {