Make API router prefix configurable

[dceoy]

Summary

• remove the hardcoded /api/v1 default so the API serves root-level routes unless a prefix is configured
• centralize router mounting behind API_ROUTER_PREFIX and allow deployments to set the prefix via environment variable
• update tests, documentation, specs, OpenAPI artifacts, and MT5 agent skills to match the current routes and API behavior

Testing

• .agents/skills/local-qa/scripts/qa.sh

Notes

• the default router prefix is "", so existing routes in this branch remain unprefixed
• API_ROUTER_PREFIX normalizes values like api/v1, /api/v1, and /api/v1/ to the same mounted prefix

[claude]

Code Review Summary

Clean, well-structured PR. The separation into constants.py and config.py is sound, naming follows project conventions, and the parametrized tests for normalize_api_router_prefix are thorough. A few items worth addressing below.

What works well

• normalize_api_router_prefix is well-designed with clean logic and good edge-case coverage in tests
• constants.py eliminates scattered magic strings — genuine maintainability win
• Consistent Google-style docstrings and type annotations throughout
• Auth dependencies are unaffected by the routing changes — no bypass risk
• Config is resolved once at startup, not per-request — correct pattern

Suggestions (see inline comments)

1. Add input validation to normalize_api_router_prefix — values like ../../admin or api?x=1 pass through unchallenged and could confuse reverse proxies
2. Add test for get_configured_mt5_api_key empty-string coercion — MT5_API_KEY="" silently disables auth via the or None pattern, which is security-relevant and should be explicitly tested
3. Consider adversarial inputs in prefix tests — api//v1, api?v=1, path traversal patterns
4. importlib.reload test fragility — consider an app factory pattern to avoid module-level side effects in tests