feat(api): expose source sync status

[danshapiro]

What changed

• Added read-only GET /api/v1/sources/status with optional source_type filtering.
• Returns source identity metadata plus active, latest, and last successful sync-run details.
• Added Store.GetLatestSync for latest sync-run lookup and tests for empty status handling.

Why

• Gives API clients a non-mutating way to inspect source sync health and progress without triggering scheduler work.

Impact

• No scheduler trigger endpoints or mutating behavior added.
• Sources with no sync runs return null sync status fields instead of errors.

Validation

• go test -tags "fts5 sqlite_vec" ./internal/api ./internal/store ./cmd/msgvault/cmd
• make testify-helper-check
• go vet -tags "fts5 sqlite_vec" ./...

[roborev-ci]

roborev: Combined Review (964d9b9)

The PR has one medium issue: the new source status endpoint is not wired correctly in production.

Medium

• internal/api/handlers.go:731 - /api/v1/sources/status type-asserts s.store to SourceStatusStore, but the production serve path passes a storeAPIAdapter that only implements MessageStore. As a result, the endpoint returns 503 even when the database is available. Add pass-through ListSources, GetActiveSync, GetLatestSync, and GetLastSuccessfulSync methods to storeAPIAdapter, or wire the concrete store into the API for this endpoint.

---

Panel: ci_default_security | Synthesis: codex, 7s | Members: codex_default (codex/default, done, 4m7s), codex_security (codex/security, done, 1m7s) | Total: 5m21s

[roborev-ci]

roborev: Combined Review (90d15a9)

Summary verdict: No Medium, High, or Critical findings to report.

The only reported issue was Low severity and has been omitted per instructions. Security review found no issues.

---

Panel: ci_default_security | Synthesis: codex, 4s | Members: codex_default (codex/default, done, 3m22s), codex_security (codex/security, done, 47s) | Total: 4m13s