fix: allow unauthenticated CreateUser for first user registration

Add CreateUser to PublicMethods ACL whitelist to fix "authentication required"
error during first-time setup. The CreateUser method already has proper security
logic that automatically assigns HOST role to the first user and enforces
DisallowUserRegistration setting for subsequent users.

Fixes #5352

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

server/router/api/v1/acl_config.go

@@ -18,6 +18,7 @@ var PublicMethods = map[string]struct{}{
 	"/memos.api.v1.InstanceService/GetInstanceSetting": {},
 
 	// User Service - public user profiles and stats
+	"/memos.api.v1.UserService/CreateUser":       {}, // Allow first user registration
 	"/memos.api.v1.UserService/GetUser":          {},
 	"/memos.api.v1.UserService/GetUserAvatar":    {},
 	"/memos.api.v1.UserService/GetUserStats":     {},

server/router/api/v1/acl_config_test.go

@@ -16,6 +16,7 @@ func TestPublicMethodsArePublic(t *testing.T) {
 		"/memos.api.v1.InstanceService/GetInstanceProfile",
 		"/memos.api.v1.InstanceService/GetInstanceSetting",
 		// User Service
+		"/memos.api.v1.UserService/CreateUser",
 		"/memos.api.v1.UserService/GetUser",
 		"/memos.api.v1.UserService/GetUserAvatar",
 		"/memos.api.v1.UserService/GetUserStats",