api/v1: public stats and recent reversals endpoints

[ZukwiZ]

Summary

Three new IP-rate-limited public endpoints, mirroring the existing `api/v1/users` pattern (no auth, throttled per IP):

• `GET /api/v1/stats/summary` — three KPI counts in one call
• `GET /api/v1/stats/reversals/daily?days={7|30|60|90|180|365}` — daily reversal counts, UTC, zero-filled to the requested window
• `GET /api/v1/reversals/recent?limit={1..100}` — newest non-expunged reversals, slim public projection (`marketplace_slug`, `steam_id`, `reversed_at`, `created_at`)

Implementation notes

• `/stats/*` share a 60s in-process `sync.Map` cache and a 60 req/min/IP throttle. `/reversals/recent` has its own 30 req/min/IP throttle and bypasses the cache.
• Authenticated `/api/v1/reversals` routes are wrapped in a `chi.Group` so `AuthMiddleware` no longer applies to the new `/recent` path while preserving every other route's behavior. No existing route changes shape.
• Aggregates use raw SQL (`COUNT DISTINCT … FILTER` for summary; `to_char` on `reversed_at` for daily bucketing) so we don't drag GORM through non-trivial expressions. The list endpoint stays on the GORM path.
• All queries filter `deleted_at IS NULL`; the flag/24h KPIs additionally filter `expunged_at IS NULL`.
• No schema changes.

README

Adds a postgres superuser note (required by `pgtestdb` for the new repository tests) and a public endpoints table. Seeding and dashboard sections are intentionally deferred to follow-up PRs.

Test plan

• `go test ./...` passes (note: requires the `postgres/postgres` superuser set up per the new README step)
• `curl -s 'http://localhost:80/api/v1/stats/summary' | jq` returns `{traders_indexed, traders_flagged, traders_flagged_24h}`
• `curl -s 'http://localhost:80/api/v1/stats/reversals/daily?days=30' | jq '.data | length'` returns `30`
• `curl -s 'http://localhost:80/api/v1/stats/reversals/daily?days=45'\` returns 400 with a useful detail
• `curl -s 'http://localhost:80/api/v1/reversals/recent?limit=5' | jq '.data | length'` returns at most 5; `limit=0` and `limit=101` return 400
• Existing authenticated `/api/v1/reversals` POST/GET/DELETE behavior unchanged (still requires bearer + permissions)

Made with Cursor

---

Note

Medium Risk
Introduces unauthenticated read APIs that expose Steam IDs and marketplace activity aggregates; mitigated by IP rate limits, expunged-row filtering on recent/daily data, and no write/auth changes to existing entity routes.

Overview
Adds three public, IP-rate-limited read APIs (no bearer token), alongside docs and tests for local Postgres/pgtestdb.

/api/v1/stats exposes GET /summary (three trader KPIs) and GET /reversals/daily?days=… (UTC daily reversal counts, zero-filled for 7/30/60/90/180/365). Both use a 60s in-process sync.Map cache and 60 req/min per IP.

GET /api/v1/reversals/recent returns the newest non-expunged rows as a slim JSON projection (marketplace_slug, steam_id, reversed_at, created_at), default/limit 1–100, 30 req/min per IP. The reversals router is refactored so AuthMiddleware only wraps authenticated routes; /recent stays public.

Repository work adds SummaryStats, DailyCounts, and ListRecent on the public reversal repo (raw SQL for aggregates; GORM for recent list), with matching handler and repository tests. README updates cover DB/superuser setup for tests, go test ./..., and a public endpoints table.

^{Reviewed by Cursor Bugbot for commit 9be036d. Bugbot is set up for automated code reviews on this repo. Configure here.}