Remove api_v1 feature toggle, making API v1 generally available

[emilythericky]

What? Why?

• Closes Remove API v1 feature toggle #14012

API v1 has been gated behind the api_v1 feature toggle: unless the flag was enabled for a user, every /api/v1 endpoint returned 404, so the API was invisible except to selected pilot users. The funded credit-payments work (UK digital inclusion milestone) and the wider operational API roadmap both need v1 generally available, so this removes the toggle.

Authentication and authorization are unaffected. The toggle was only a visibility gate (and a usage-monitoring measure that API-key requests already cover). authenticate_user still identifies callers via session or X-Api-Token/token API key, and CanCan still scopes all data to enterprises the caller manages — verified live: an invalid API key still gets 401, and anonymous requests get empty result sets, not data.

Changes (5 files, +7/−15, no migration):

• base_controller.rb: remove the restrict_feature before-action and method — the single gate inherited by all v1 controllers
• feature_toggle.rb: remove api_v1 from CURRENT_FEATURES; FeatureToggle.setup! already removes stored Flipper records not in this list on boot, so the flag cleans itself up without a migration - the two v1 request specs: drop the feature: :api_v1 metadata (spec_helper raises on tags not in CURRENT_FEATURES)
• swagger/v1.yaml: regenerated via rswag; whitespace-only churn, no endpoint changes

While live-testing the customer transaction endpoint I found a pre-existing bug, unrelated to this change — filed separately as #14407.

What should we test?

• Restart the app, then visit /admin/feature-toggle/features as super admin: api_v1 is no longer listed; other toggles are unaffected.
• Visit /api-docs and select "API V1 Docs": all v1 endpoints are documented and "Try it out" works.
• GET /api/v1/customers as an enterprise owner (session or API key): 200 with that enterprise's customers, without enabling any feature.
• GET /api/v1/customers anonymously: 200 with empty data (previously 404). - GET /api/v1/customers with an invalid X-Api-Token: still 401 — auth is unchanged.
• POST /api/v1/customer_account_transaction as an enterprise owner: 201 — the credit endpoint works without the flag.

Release notes

Changelog Category (reviewers may add a label for the release notes):

• API changes (V0, V1, DFC or Webhook)

Documentation updates

• The wiki page listing current feature toggles, if it includes api_v1 — entry should be removed.
• The API documentation page(s) on the wiki / dev.openfoodnetwork.org that describe v1 as experimental or instruct instance managers to enable the api_v1 flag — should now say v1 is generally available.
• Any instance-manager / super-admin guide section that walks through enabling the flag for a user.

Screenshots

Toggle Removed

API-Docs page

API-Docs page works

Key still has to be turned on for user

API token works (not logged in)

Wrong token returns error

[rioug]

Nice one !