feat: add static api key middleware for dev stats (CM-1055)

[ulemons]

Summary

Sets up the foundation for the DevStats public API:

• Adds CROWD_DEV_STATS_API_KEY static API key authentication middleware
• Mounts the dev-stats router under /v1/dev-stats with a temporary placeholder endpoint for testing

Test plan

• Call POST /api/v1/dev-stats/affiliations without a key → 401
• Call with wrong key → 401
• Call with correct key → 200

---

Note

Medium Risk
Introduces a new API-key authentication path for public endpoints and a new apiKeys database table; mistakes in auth/header handling or scope assignment could unintentionally grant/deny access.

Overview
Adds a new public /v1/dev-stats API surface protected by a staticApiKeyMiddleware (Bearer token → SHA-256 hash lookup), separate from the existing Auth0-protected /v1 routes.

Introduces a minimal dev-stats router with rate limiting and a placeholder POST /affiliations endpoint gated by the new READ_AFFILIATIONS scope.

Adds persistence for API keys via a new apiKeys table and data-access helpers (findApiKeyByHash, touchApiKeyLastUsed), and exports the new DAL module.

^{Written by Cursor Bugbot for commit 80f6b61. This will update automatically on new commits. Configure here.}

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[Copilot]

Pull request overview

This PR introduces a new “DevStats” public API surface by adding a static API key authentication middleware and mounting a new /v1/dev-stats router with a placeholder endpoint.

Changes:

• Added devStats.apiKey configuration wiring via CROWD_DEV_STATS_API_KEY.
• Implemented staticApiKeyMiddleware and mounted the DevStats router at /v1/dev-stats.
• Added a placeholder POST /v1/dev-stats/affiliations endpoint for initial connectivity testing.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
backend/src/conf/index.ts	Exposes DEV_STATS_CONFIG from node-config.
backend/src/conf/configTypes.ts	Adds DevStatsConfiguration type.
backend/src/api/public/v1/dev-stats/index.ts	Introduces DevStats router with a placeholder POST /affiliations.
backend/src/api/public/middlewares/staticApiKeyMiddleware.ts	Adds static API key auth middleware and sets req.actor.
backend/src/api/public/index.ts	Mounts DevStats router behind the static API key middleware.
backend/config/default.json	Adds devStats config block.
backend/config/custom-environment-variables.json	Maps devStats.apiKey to CROWD_DEV_STATS_API_KEY.
backend/.env.dist.local	Adds local env template entry for CROWD_DEV_STATS_API_KEY.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

[joanagmaia]

👌