feat: admin endpoints to reset username sync flags

Add POST /v1/admin/users/{pubkey}/reset-username and
POST /v1/admin/users/reset-usernames to clear manual_username
and last_synced_at so nostr profile sync re-evaluates users.
Includes OpenAPI docs, audit actions, and tests.

internal/http/handlers/admin_users.go

@@ -144,6 +144,39 @@ func (h *AdminUsers) Update(w http.ResponseWriter, r *http.Request) {
 	WriteJSON(w, http.StatusOK, userResponse(u))
 }
 
+func (h *AdminUsers) ResetUsername(w http.ResponseWriter, r *http.Request) {
+	hexpk, err := nostr.NormalizePubkey(chi.URLParam(r, "pubkey"))
+	if err != nil {
+		WriteError(w, http.StatusBadRequest, "ValidationError", "Invalid pubkey format")
+		return
+	}
+	u, err := h.Users.ResetUsername(r.Context(), hexpk)
+	if err != nil {
+		if errors.Is(err, user.ErrUserNotFound) {
+			WriteError(w, http.StatusNotFound, "NotFound", "user not found")
+			return
+		}
+		WriteError(w, http.StatusInternalServerError, "InternalError", err.Error())
+		return
+	}
+	h.Audit.Log(r.Context(), audit.ActionUserUsernameReset, audit.ActorAdmin, u.Pubkey, map[string]any{
+		"username": u.Username,
+	})
+	WriteJSON(w, http.StatusOK, userResponse(u))
+}
+
+func (h *AdminUsers) ResetAllUsernames(w http.ResponseWriter, r *http.Request) {
+	count, err := h.Users.ResetAllUsernames(r.Context())
+	if err != nil {
+		WriteError(w, http.StatusInternalServerError, "InternalError", err.Error())
+		return
+	}
+	h.Audit.Log(r.Context(), audit.ActionAllUsernamesReset, audit.ActorAdmin, "", map[string]any{
+		"reset": count,
+	})
+	WriteJSON(w, http.StatusOK, map[string]any{"reset": count})
+}
+
 func (h *AdminUsers) Delete(w http.ResponseWriter, r *http.Request) {
 	hexpk, err := nostr.NormalizePubkey(chi.URLParam(r, "pubkey"))
 	if err != nil {