fix: resolve curl_cffi TLS errors and fix FRED/upgrades endpoints

- Pin curl_cffi==0.7.4 to avoid BoringSSL bug in 0.12-0.14
- Patch curl_cffi Session to use safari TLS fingerprint instead of
  chrome, which triggers SSL_ERROR_SYSCALL on some networks
- Register FRED API key with OpenBB credentials at startup
- Fix macro overview to return latest data instead of oldest, and
  extract values by FRED series ID key
- Replace Finnhub upgrades endpoint (premium-only) with yfinance
  upgrades_downgrades which includes price target changes
- Remove redundant curl_cffi upgrade from Dockerfile

routes_sentiment.py

@@ -8,6 +8,7 @@ from models import ApiResponse
 from route_utils import safe, validate_symbol
 import alphavantage_service
 import finnhub_service
+import openbb_service
 
 import logging
 
@@ -96,17 +97,7 @@ async def stock_recommendations(symbol: str = Path(..., min_length=1, max_length
 @router.get("/stock/{symbol}/upgrades", response_model=ApiResponse)
 @safe
 async def stock_upgrades(symbol: str = Path(..., min_length=1, max_length=20)):
-    """Get recent analyst upgrades and downgrades."""
+    """Get recent analyst upgrades and downgrades (via yfinance)."""
     symbol = validate_symbol(symbol)
-    raw = await finnhub_service.get_upgrade_downgrade(symbol)
-    upgrades = [
-        {
-            "company": u.get("company"),
-            "action": u.get("action"),
-            "from_grade": u.get("fromGrade"),
-            "to_grade": u.get("toGrade"),
-            "date": u.get("gradeTime"),
-        }
-        for u in raw[:20]
-    ]
-    return ApiResponse(data=upgrades)
+    data = await openbb_service.get_upgrades_downgrades(symbol)
+    return ApiResponse(data=data)