fix: #82 Abuse controls, device limits and P2P safety rules

[PatrickKish1]

Closes #82

Summary

• Adds a centralized abuse.service with guards for self-trading (existing), related accounts (shared phone_hash), buyer daily trade count/volume caps, per-device and per-IP daily limits, and cancellation cooldowns after repeated cancels.
• Introduces schema migration for user suspension, merchant configs, device tracking, platform risk audit events, trade messages, and trade disputes.
• Extends rate limiting to trade messages and disputes; auth and trade-create limits remain in place.
• Adds minimal admin endpoints to suspend/unsuspend users or merchants (X-Admin-Api-Key), with actions written to platform_risk_events.
• Auto-pauses merchants when daily cancellation or open-dispute thresholds are exceeded; suspended users are blocked in auth middleware and before new trades.
• Returns Spanish userMessage payloads via RiskBlockedError when an action is blocked by a limit or risk rule.

New / changed surfaces

Area	Details
Migration	micopay/sql/migrations/20260528120000_abuse_controls.up.sql
Service	micopay/backend/src/services/abuse.service.ts
Admin	POST/DELETE /admin/users/:id/suspend
Safety routes	GET/POST /trades/:id/messages, POST /trades/:id/disputes
Config	Limits and cooldowns in micopay/backend/.env.example

Test plan (For reviewers - Please test the following when reviewing and give feedback for a follow up)

• Apply migration: psql "$DATABASE_URL" -f micopay/sql/migrations/20260528120000_abuse_controls.up.sql
• Set ADMIN_API_KEY in backend env.
• Rapid POST /trades → expect 429 / RATE_LIMITED with Retry-After.
• Register buyer + seller with the same phone_hash → POST /trades returns RELATED_ACCOUNTS.
• POST /admin/users/:id/suspend with admin key → suspended user cannot create trades or pass JWT-protected routes (ACCOUNT_SUSPENDED).
• Cancel the same user’s trades repeatedly → expect CANCEL_COOLDOWN after threshold.
• Merchant exceeds daily cancel threshold → merchant auto-paused; new trades blocked with MERCHANT_UNAVAILABLE / MERCHANT_SUSPENDED.
• POST /trades/:id/messages and POST /trades/:id/disputes respect per-user rate limits.
• Run npm run test:rate-limit and npm run test:abuse in micopay/backend (pass on in-memory fallback).
• Confirm risk events appear in platform_risk_events for blocks, suspensions, and auto-pauses.

[drips-wave]

@PatrickKish1 Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits