chore(api): drop unused uuid dep + redundant domain dev-dep; test internal exclusion + note list/count race

crates/api/tests/public.rs

@@ -108,29 +108,40 @@ async fn get_public_object_returns_it(pool: PgPool) {
 }
 
 #[sqlx::test(migrations = "../db/migrations")]
-async fn get_non_public_object_is_404(pool: PgPool) {
+async fn non_public_objects_are_404(pool: PgPool) {
     let db = db::Db::from_pool(pool.clone());
     let mut tx = db.pool().begin().await.unwrap();
-    let id = catalog::create_object(
+    let draft = catalog::create_object(
         &mut tx,
         AuditActor::System,
         &object("D-1", "draft vase", Visibility::Draft),
     )
     .await
     .unwrap();
+    let internal = catalog::create_object(
+        &mut tx,
+        AuditActor::System,
+        &object("I-1", "internal vase", Visibility::Internal),
+    )
+    .await
+    .unwrap();
     tx.commit().await.unwrap();
 
+    // both non-public states are hidden behind a 404 — not 403 — so existence isn't leaked
     let app = build_app(state(pool));
-    let resp = app
-        .oneshot(
-            Request::builder()
-                .uri(format!("/api/public/objects/{id}"))
-                .body(Body::empty())
-                .unwrap(),
-        )
-        .await
-        .unwrap();
-    assert_eq!(resp.status(), StatusCode::NOT_FOUND); // not 403 — don't leak existence
+    for id in [draft, internal] {
+        let resp = app
+            .clone()
+            .oneshot(
+                Request::builder()
+                    .uri(format!("/api/public/objects/{id}"))
+                    .body(Body::empty())
+                    .unwrap(),
+            )
+            .await
+            .unwrap();
+        assert_eq!(resp.status(), StatusCode::NOT_FOUND);
+    }
 }
 
 #[sqlx::test(migrations = "../db/migrations")]