feat: wire age review actions to Keycast account suspension (#79)

[mbradley]

Summary

• Adds keycast-client.ts module with suspendUser, unsuspendUser, banUser functions calling Keycast's PUT /admin/users/:pubkey/status endpoint
• Wires into age review state transitions: suspend on restrict, unsuspend on clear, ban on deny
• Wires into cron auto-close: ban expired cases
• Graceful degradation: missing config or Keycast failure never blocks a state transition
• Adds KEYCAST_URL to staging and production wrangler configs (KEYCAST_SERVICE_TOKEN added separately via wrangler secret)

Closes #79

Prerequisites

• Keycast PR feat: account-level suspension for under-16 age review keycast#235 (merged May 20)
• KEYCAST_SERVICE_TOKEN must be set on staging/production via wrangler secret put before Keycast calls fire (calls silently return "not configured" until then)

Test plan

• 15 new tests (10 unit, 5 integration), 160 total passing
• Verify on staging: restrict an age review case, confirm Keycast status changes to suspended
• Verify on staging: clear a case, confirm Keycast status returns to active
• Verify on staging: deny a case, confirm Keycast status changes to banned
• Verify graceful degradation: deploy without KEYCAST_SERVICE_TOKEN set, confirm age review transitions still work

[NotThatKindOfDrLiz]

Follow-up cleanup is pushed in aa989a1.

What changed:

• removed the out-of-scope worker/wrangler.test.toml file so this PR no longer introduces a public workers.dev config pointed at production data with a committed admin key
• tightened age-review side effects to trigger on the actual transition, not just the destination state
• only suspend when a case enters a restricted state for the first time
• only unsuspend when clearing a case that was previously restricted
• stopped re-firing bulk restriction and Keycast suspension on restricted-to-restricted transitions
• extracted the restricted-state helper into shared/age-review.ts so the transition logic has a single source of truth
• typed the Keycast reason values and removed the duplicate Keycast env fields from worker/src/index.ts
• added regression coverage for the previously unsafe under_moderator_review -> cleared path and for restricted-to-restricted transitions

Validation run locally:

• npm run test
• ./node_modules/.bin/tsc --noEmit
• cd worker && ../node_modules/.bin/vitest run

GitHub checks are green on the updated SHA.

[NotThatKindOfDrLiz]

Final pass looks clean. The unsafe test wrangler file is removed, the Keycast/account-status transitions are now gated correctly, and the new regression coverage closes the previously unsafe clear-path behavior. Local validation and GitHub checks are green on aa989a1.

[dcadenas]

The Keycast account state must be fixed before merge. Clearing an age review case can currently leave the account suspended after the case moves through review or follow-up states.

[dcadenas]

Make the clear transition unsuspend accounts that already passed through a restricted age-review state, not only accounts whose immediately previous state is restricted.
A normal path is restricted_pending_* -> submitted_for_review or needs_follow_up -> cleared, and the middle transition intentionally leaves Keycast suspended.
With the current clearedRestrictedState check, the final clear skips unsuspendUser and leaves the account suspended after the case is cleared.
Add a regression test for restricted_pending_* -> submitted_for_review -> cleared, and cover needs_follow_up if that path can also follow a suspension.

[mbradley]

Fixed in b4b9f3e. Replaced clearedRestrictedState (which required the immediately prior state to be restricted) with an unconditional check on requestedState === 'cleared'. Both unsuspendUser and un-age-restrict-all are idempotent, so they fire on every clear regardless of prior state.

Added regression tests for restricted_pending_* → submitted_for_review → cleared and needs_follow_up → cleared.

[dcadenas]

✅ Keycast age actions land cleanly.