fix: address code review issues in flow-to-library sync

- Fix sync trigger: only fire on publish transition, not every PUT
- Add TestSyncOnPublish integration tests (2 tests, 16 total passing)
- Add group_label to frontend StepContent interface
- Guard Library Visibility select to procedure_step nodes only
- Block API edits to flow-synced steps (400 read-only guard)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/app/api/endpoints/steps.py

@@ -353,6 +353,12 @@ async def update_step(
     """Update a step (owner or admin only)."""
     step = await get_step_or_404(step_id, db, current_user, check_edit=True)
 
+    if step.is_flow_synced:
+        raise HTTPException(
+            status_code=400,
+            detail="Flow-synced steps are read-only. Fork to customize."
+        )
+
     # Validate category if being updated
     if step_data.category_id:
         cat_result = await db.execute(

backend/app/api/endpoints/trees.py

@@ -641,8 +641,8 @@ async def update_tree(
     if "tree_structure" in update_data:
         tree.version += 1
 
-    # Sync steps to step library when publishing
-    if update_data.get("status") == 'published' or tree.status == 'published':
+    # Sync steps to step library on publish transition only
+    if update_data.get("status") == 'published':
         _structure = update_data.get("tree_structure", tree.tree_structure)
         _type = update_data.get("tree_type", tree.tree_type)
         _is_public = update_data.get("is_public", tree.is_public)