fix: resolve curl_cffi TLS errors and fix FRED/upgrades endpoints

- Pin curl_cffi==0.7.4 to avoid BoringSSL bug in 0.12-0.14
- Patch curl_cffi Session to use safari TLS fingerprint instead of
  chrome, which triggers SSL_ERROR_SYSCALL on some networks
- Register FRED API key with OpenBB credentials at startup
- Fix macro overview to return latest data instead of oldest, and
  extract values by FRED series ID key
- Replace Finnhub upgrades endpoint (premium-only) with yfinance
  upgrades_downgrades which includes price target changes
- Remove redundant curl_cffi upgrade from Dockerfile

main.py

@@ -4,7 +4,27 @@ import uvicorn
 from fastapi import FastAPI
 from fastapi.middleware.cors import CORSMiddleware
 
+# Patch curl_cffi to use safari TLS fingerprint instead of chrome.
+# curl_cffi's chrome impersonation triggers BoringSSL SSL_ERROR_SYSCALL on
+# some networks; safari works reliably. This must happen before any import
+# that creates a curl_cffi Session (yfinance, openbb).
+import curl_cffi.requests as _cffi_requests
+
+_orig_session_init = _cffi_requests.Session.__init__
+
+def _patched_session_init(self, *args, **kwargs):
+    if kwargs.get("impersonate") == "chrome":
+        kwargs["impersonate"] = "safari"
+    _orig_session_init(self, *args, **kwargs)
+
+_cffi_requests.Session.__init__ = _patched_session_init
+
+from openbb import obb
 from config import settings
+
+# Register optional provider credentials with OpenBB
+if settings.fred_api_key:
+    obb.user.credentials.fred_api_key = settings.fred_api_key
 from routes import router
 from routes_sentiment import router as sentiment_router
 from routes_macro import router as macro_router