Add OneShot admin observability endpoints/UI and make OpenAPI generation resilient without uv

[Copilot]

This PR replaces placeholder dashboard telemetry with real OneShot operational metrics, improves audit fidelity with token expiration visibility, and adds backend admin stats aggregation. It also resolves the OpenAPI generation blocker in environments where uv is unavailable.

• Backend: audit fidelity + stats endpoint

  • Added expires_at to OneShotTokenAuditItem and returned it from GET /api/admin/oneshot-tokens.
  • Added OneShotStatsResponse and GET /api/admin/stats (admin-protected) with SQL aggregate queries (count, sum, filtered counts), including active_tokens (is_used = false and expires_at > now()).
  • Extended integration coverage to assert expires_at presence and /api/admin/stats shape.

• OpenAPI contract sync

  • Updated backend/frontend generated OpenAPI artifacts for:
    • OneShotTokenAuditItem.expires_at
    • new /api/admin/stats path
    • new OneShotStatsResponse schema
  • Updated web/src/api/types.ts exports and route assertions for /api/admin/stats.

• Dashboard rewrite (real OneShot telemetry)

  • Replaced mock SaaS cards/charts/lists with live admin stats fetched from /api/admin/stats using getOrMintToken.
  • Added loading/error states with existing Alert.
  • Added four operational cards:
    • Total Files Received
    • Storage Used
    • Active Upload Links
    • Total Tokens Issued
  • Replaced lower section with a “Zero-Trust Mode” architecture summary card.

• Admin token history status model

  • Reworked Token History table:
    • Added Status column with dynamic badges:
      • Used (green)
      • Expired (red)
      • Active (blue)
    • Added expiration visibility under creation timestamp (with tooltip/title context).
  • Updated tests to cover the new audit payload field and status rendering.

• OpenAPI generation blocker fix (npm run gen)

  • web/scripts/gen-openapi.mjs now falls back to existing api/openapi.json only when schema dump fails due to missing uv (ENOENT), then proceeds with openapi-typescript.
  • Non-ENOENT dump failures still fail fast.

// web/scripts/gen-openapi.mjs (fallback behavior)
try {
  execFileSync("uv", [...]);
} catch (error) {
  const isMissingUv = typeof error === "object" && error !== null && "code" in error && error.code === "ENOENT";
  const canFallback = existsSync(openapiJson) && isMissingUv;

  if (canFallback) {
    console.warn(`⚠ Reusing existing schema at ${openapiJson}`);
  } else {
    process.exit(1);
  }
}