feat(myopencre): gate MyOpenCRE behind deployment capability flag

[PRAteek-singHWY]

Summary

This PR introduces deployment-level capability gating for MyOpenCRE.

It is stacked on top of the existing MyOpenCRE no-op / CSV UX work (starting from #684).
This PR intentionally focuses only on backend capability control, not UI behavior.

Files intentionally modified in this PR:

• application/config.py
• application/web/web_main.py

Any other diffs are incidental (formatting / imports) and not part of the logical change.

MyOpenCRE is intended for self-hosted / admin-controlled OpenCRE deployments.
This change ensures the feature is completely unavailable on opencre.org unless explicitly enabled by the deployment owner.

---

What changed

• Added a deployment-scoped capability flag: ENABLE_MYOPENCRE
• Introduced a backend capability discovery endpoint: /api/capabilities
• Gated all MyOpenCRE CSV import/export routes behind the capability flag

When ENABLE_MYOPENCRE is disabled:

• MyOpenCRE routes return 404
• No CSV parsing occurs
• No database writes are performed
• No embeddings or gap analysis can be triggered
• No additional compute or graph overhead is introduced

---

Why

MyOpenCRE performs heavyweight operations (CSV parsing, graph writes, embeddings generation, gap analysis).

These are appropriate for self-hosted or admin-managed environments, but not for public opencre.org usage.

This change ensures:

• Zero accidental exposure on opencre.org
• A clear separation between public features and admin-only capabilities
• Backend-driven feature availability (no frontend assumptions)
• A safe foundation for future work (user scoping, explainability, etc.)

---

Testing

ENABLE_MYOPENCRE=false (default)

• GET /api/capabilities → { "myopencre": false }
• /rest/v1/cre_csv → 404
• /rest/v1/cre_csv_import → 404

ENABLE_MYOPENCRE=true

• GET /api/capabilities → { "myopencre": true }
• CSV export endpoint works as before
• CSV import endpoint is reachable
• Existing validation and import pipeline remains unchanged

---

Stacking / Follow-ups

This PR is logically stacked on top of #684 (no-op CSV handling).

Subsequent UI-focused PRs (#685 preview, #686 help guide) will be rebased onto main after this PR is merged, as they depend on this backend capability signal.

---

Next step:

A follow-up PR will update the frontend to consume /api/capabilities and conditionally expose or hide MyOpenCRE UI based on backend-provided capability signals.

[PRAteek-singHWY]

Hi @northdpole 👋

I’ve implemented the backend capability-gating we discussed for MyOpenCRE. The feature is now deployment-scoped via ENABLE_MYOPENCRE and disabled by default — when off, MyOpenCRE routes return 404 and no CSV parsing, DB writes, embeddings, or gap analysis can be triggered.

I also added a small /api/capabilities endpoint so the frontend can rely on backend-provided signals rather than assumptions.

This keeps MyOpenCRE strictly self-hosted/admin-only unless explicitly enabled and avoids any accidental exposure on opencre.org.
Next, I’ll follow up by wiring the frontend to this capability signal.

Would appreciate a quick review whenever you have time, mainly to confirm this matches the direction you had in mind.
Learning a lot here — thanks!