feat: Admin Moderation System: Listings Approval, Reports, Strikes & Bans

[jessmed749]

Summary

1. Admin Dashboard — Listing Moderation

• Approve/deny pending listings with reasons, delete reported content
• Secure admin-only endpoints with UUID validation, input sanitization, and service-role RLS bypass:
  • POST /api/admin/approve-listing
  • POST /api/admin/deny-listing (stores reason, user can resubmit after edits)
  • POST /api/admin/delete-listing (cascade: favorites → reports → listing)

2. Report System

Report Listing

• Report button on all listing pages
• 7 predefined reasons (Spam, Scam, Inappropriate, Fake, Prohibited, Duplicate, Other)
• Optional 500-char description
• Prevents duplicate reports and self-reporting

Report User

• Available on profiles and in chat windows
• 7 predefined reasons (Harassment, Spam, Scammer, Fake Profile, Inappropriate, Impersonation, Other)
• Prevents duplicate reports and self-reporting
• Reports stored in database for admin review

3. Strike System

• Admins can issue warnings, temporary suspensions, or permanent bans from the dashboard
• Suspension UI shows days remaining on user cards
• System notifications sent to users when action is taken (with icons per severity)
• /api/admin/lift-expired-suspensions auto-clears expired suspensions on page load

4. User Banning

• Permanent ban stores email in banned_emails table
• Banned email check on both email/password signup and Google OAuth callback
• Banned users are blocked from signing in with any account using that email
• Admin Users page updated with Suspended filter and ban/unban actions

5. Middleware Protection

• Active suspensions block access to /create and /messages
• Banned users redirected to /suspended?reason=banned
• Suspended users redirected to /suspended?reason=suspended&until=<date>
• Auth routes and the suspended page itself are exempt from checks