feat: add require_admin dependency and protect admin endpoints

Add require_admin FastAPI dependency that checks is_admin column on users
table. Apply it to all admin-facing write endpoints (games, pokemon,
evolutions, bosses, routes CRUD). Run-scoped endpoints remain protected
by require_auth only since they manage user's own data.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

backend/src/app/core/auth.py

@@ -1,9 +1,14 @@
 from dataclasses import dataclass
+from uuid import UUID
 
 import jwt
 from fastapi import Depends, HTTPException, Request, status
+from sqlalchemy import select
+from sqlalchemy.ext.asyncio import AsyncSession
 
 from app.core.config import settings
+from app.core.database import get_session
+from app.models.user import User
 
 
 @dataclass
@@ -81,3 +86,22 @@ def require_auth(user: AuthUser | None = Depends(get_current_user)) -> AuthUser:
             headers={"WWW-Authenticate": "Bearer"},
         )
     return user
+
+
+async def require_admin(
+    user: AuthUser = Depends(require_auth),
+    session: AsyncSession = Depends(get_session),
+) -> AuthUser:
+    """
+    Dependency that requires admin privileges.
+    Raises 401 if not authenticated, 403 if not an admin.
+    """
+    result = await session.execute(select(User).where(User.id == UUID(user.id)))
+    db_user = result.scalar_one_or_none()
+
+    if db_user is None or not db_user.is_admin:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Admin access required",
+        )
+    return user