fix: MEDIUM — Cache-Control headers on admin GETs, Open Day past date validation

- Add Cache-Control headers to admin GET endpoints (sections 60s, team 60s, bookings 30s, unread 15s, open-day 60s)
- Validate Open Day date is not in the past on both create (POST) and update (PUT)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

src/app/api/admin/unread-counts/route.ts

@@ -2,5 +2,7 @@ import { NextResponse } from "next/server";
 import { getUnreadBookingCounts } from "@/lib/db";
 
 export async function GET() {
-  return NextResponse.json(getUnreadBookingCounts());
+  return NextResponse.json(getUnreadBookingCounts(), {
+    headers: { "Cache-Control": "private, max-age=15" },
+  });
 }