fix(api): improve Station router - review feedback

- Rinomina _RecipeSummary -> RecipeSummary: il leading underscore
  segnalava "privato" ma la classe e usata come response_model pubblico
  ed esposta nell'OpenAPI schema.
- Aggiunge commento esplicativo sopra /by-code/{code}/recipes sul perche
  l'ordine di dichiarazione conta (protezione gia data dal tipo int di
  station_id, ma esplicito per prevenire regressioni durante refactor).
- Detail message del 404 by-code uniformato a "Station not found"
  (senza distinguere not-found vs inactive, evita leak di esistenza).
- Aggiunge 3 test mancanti sul router:
  * test_admin_can_list_stations (copertura happy path + active_only)
  * test_assign_recipe_not_found_returns_404
  * test_duplicate_assignment_returns_409

Feedback da code-reviewer su Task 5. Full suite: 11/11 passed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

server/tests/test_stations_api.py

@@ -134,3 +134,70 @@ async def test_list_recipes_by_unknown_code_404(
         headers=auth_headers(measurement_tec_user),
     )
     assert resp.status_code == 404
+
+
+async def test_admin_can_list_stations(client: AsyncClient, admin_user):
+    await client.post(
+        "/api/stations",
+        headers=auth_headers(admin_user),
+        json={"code": "ST-L1", "name": "A"},
+    )
+    await client.post(
+        "/api/stations",
+        headers=auth_headers(admin_user),
+        json={"code": "ST-L2", "name": "B", "active": False},
+    )
+    resp = await client.get("/api/stations", headers=auth_headers(admin_user))
+    assert resp.status_code == 200
+    codes = {s["code"] for s in resp.json()}
+    assert {"ST-L1", "ST-L2"}.issubset(codes)
+
+    resp_active = await client.get(
+        "/api/stations?active_only=true", headers=auth_headers(admin_user),
+    )
+    assert resp_active.status_code == 200
+    active_codes = {s["code"] for s in resp_active.json()}
+    assert "ST-L1" in active_codes
+    assert "ST-L2" not in active_codes
+
+
+async def test_assign_recipe_not_found_returns_404(
+    client: AsyncClient, admin_user,
+):
+    created = await client.post(
+        "/api/stations",
+        headers=auth_headers(admin_user),
+        json={"code": "ST-NR", "name": "NR"},
+    )
+    sid = created.json()["id"]
+    resp = await client.post(
+        f"/api/stations/{sid}/recipes",
+        headers=auth_headers(admin_user),
+        json={"recipe_id": 99999},
+    )
+    assert resp.status_code == 404
+
+
+async def test_duplicate_assignment_returns_409(
+    client: AsyncClient, admin_user, db_session,
+):
+    recipe = await create_test_recipe(db_session, user_id=admin_user.id, code="REC-DUP")
+    await db_session.commit()
+    created = await client.post(
+        "/api/stations",
+        headers=auth_headers(admin_user),
+        json={"code": "ST-DUP-A", "name": "Dup"},
+    )
+    sid = created.json()["id"]
+    first = await client.post(
+        f"/api/stations/{sid}/recipes",
+        headers=auth_headers(admin_user),
+        json={"recipe_id": recipe.id},
+    )
+    assert first.status_code == 201
+    second = await client.post(
+        f"/api/stations/{sid}/recipes",
+        headers=auth_headers(admin_user),
+        json={"recipe_id": recipe.id},
+    )
+    assert second.status_code == 409