feat(analytics): persist recommendation outcome events

[web-dev0521]

Summary

• Implements feat(analytics): persist recommendation outcome events #301: persists recommendation outcome events as the private data spine for later recommendation quality analytics
• Adds "rejected" as the seventh outcome state — triggered when a targeted PR receives a CHANGES_REQUESTED review decision after the recommendation snapshot
• Adds surface and snapshotId fields to every persisted outcome record so analytics can slice by product surface (api/mcp/github_app/…) and context snapshot
• New D1 migration (0018) adds surface and snapshot_id columns with ALTER TABLE (nullable, backwards-compatible)

Closes: #301

Scope

• This PR is focused and does not mix unrelated backend, UI, MCP, docs, dependency, and deploy changes.
• This follows CONTRIBUTING.md and does not reintroduce GitHub Pages, VitePress, site/, or CNAME.
• I linked an issue, or this is small enough that the summary explains why an issue is not needed.

Validation

• git diff --check
• npm run actionlint
• npm run typecheck — clean
• npm run test:coverage locally — 775 pass (1 skipped); pre-existing Windows failures in mcp-cli.test.ts and two syntax-error files confirmed on main before this branch; coverage stays above 97%
• npm run test:workers
• npm run build:mcp
• npm run test:mcp-pack
• npm run ui:openapi:check
• npm run ui:lint
• npm run ui:typecheck
• npm run ui:build
• npm audit --audit-level=moderate
• New or changed behavior has unit/integration tests for new branches, fallback paths, and sanitizer boundaries

If any required check was skipped, explain why:

• UI/MCP/worker checks not applicable — this PR is backend-only (types, DB, service, tests)

Safety

• No secrets, wallet details, hotkeys, coldkeys, user PATs, private keys, raw trust scores, private rankings, or private maintainer evidence are exposed.
• Public GitHub text stays sanitized, low-noise, and does not imply compensation guarantees or optimization tactics.
• Auth, cookie, CORS, GitHub App, Cloudflare, or session changes include negative-path tests. (not applicable — no auth changes)
• API/OpenAPI/MCP behavior is updated and tested where needed. (not applicable — no public API surface changed)
• UI changes use live API data or real empty/error/loading states, not production mock/demo fallbacks. (not applicable)
• Visible UI changes include screenshots or a short recording. (not applicable)
• Public docs/changelogs are updated where needed. (not applicable)

Notes

• "rejected" is classified only on exact targetPullNumber matches with reviewDecision === "CHANGES_REQUESTED" after the action timestamp, consistent with the existing "improved" mirror condition
• rejected is counted as negative in totals (alongside closed, stale, ignored)
• Legacy rows without surface/snapshot_id map cleanly: surface is null (column is nullable), snapshotId is null
• Outcome records remain entirely private — the three new test cases verify this explicitly (serialized event JSON, privateSummary, and public-safe action copy)

[JSONbored]

@web-dev0521 this is the analytics persistence baseline I would land first.

A few notes:

• The migration and repository changes establish the outcome-event surface that later rollups can build on.
• The test coverage is tied to the persistence behavior rather than just the API shape.
• Follow-on analytics PRs should rebase and renumber migrations after this lands.

No code changes requested.

Validation expected:

• Keep the database/unit suite green through merge.