feat: auth-aware UI and role-based access control (#67)

## Summary

- Add `is_admin` column to users table with Alembic migration and a `require_admin` FastAPI dependency that protects all admin-facing write endpoints (games, pokemon, evolutions, bosses, routes CRUD)
- Expose admin status to frontend via user API and update AuthContext to fetch/store `isAdmin` after login
- Make navigation menu auth-aware (different links for logged-out, logged-in, and admin users) and protect frontend routes with `ProtectedRoute` and `AdminRoute` components, preserving deep-linking through redirects
- Fix test reliability: `drop_all` before `create_all` to clear stale PostgreSQL enums from interrupted test runs
- Fix test auth: add `admin_client` fixture and use valid UUID for mock user so tests pass with new admin-protected endpoints

## Test plan

- [x] All 252 backend tests pass
- [ ] Verify non-admin users cannot access admin write endpoints (games, pokemon, evolutions, bosses CRUD)
- [ ] Verify admin users can access admin endpoints normally
- [ ] Verify navigation shows correct links for logged-out, logged-in, and admin states
- [ ] Verify `/admin/*` routes redirect non-admin users with a toast
- [ ] Verify `/runs/new` and `/genlockes/new` redirect unauthenticated users to login, then back after auth

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: #67
Co-authored-by: Julian Tabel <juliantabel.jt@gmail.com>
Co-committed-by: Julian Tabel <juliantabel.jt@gmail.com>

backend/src/app/api/bosses.py

@@ -5,7 +5,7 @@ from sqlalchemy import or_, select
 from sqlalchemy.ext.asyncio import AsyncSession
 from sqlalchemy.orm import selectinload
 
-from app.core.auth import AuthUser, require_auth
+from app.core.auth import AuthUser, require_admin, require_auth
 from app.core.database import get_session
 from app.models.boss_battle import BossBattle
 from app.models.boss_pokemon import BossPokemon
@@ -86,7 +86,7 @@ async def reorder_bosses(
     game_id: int,
     data: BossReorderRequest,
     session: AsyncSession = Depends(get_session),
-    _user: AuthUser = Depends(require_auth),
+    _user: AuthUser = Depends(require_admin),
 ):
     vg_id = await _get_version_group_id(session, game_id)
 
@@ -130,7 +130,7 @@ async def create_boss(
     game_id: int,
     data: BossBattleCreate,
     session: AsyncSession = Depends(get_session),
-    _user: AuthUser = Depends(require_auth),
+    _user: AuthUser = Depends(require_admin),
 ):
     vg_id = await _get_version_group_id(session, game_id)
 
@@ -161,7 +161,7 @@ async def update_boss(
     boss_id: int,
     data: BossBattleUpdate,
     session: AsyncSession = Depends(get_session),
-    _user: AuthUser = Depends(require_auth),
+    _user: AuthUser = Depends(require_admin),
 ):
     vg_id = await _get_version_group_id(session, game_id)
 
@@ -202,7 +202,7 @@ async def delete_boss(
     game_id: int,
     boss_id: int,
     session: AsyncSession = Depends(get_session),
-    _user: AuthUser = Depends(require_auth),
+    _user: AuthUser = Depends(require_admin),
 ):
     vg_id = await _get_version_group_id(session, game_id)
 
@@ -225,7 +225,7 @@ async def bulk_import_bosses(
     game_id: int,
     items: list[BulkBossItem],
     session: AsyncSession = Depends(get_session),
-    _user: AuthUser = Depends(require_auth),
+    _user: AuthUser = Depends(require_admin),
 ):
     vg_id = await _get_version_group_id(session, game_id)
 
@@ -268,7 +268,7 @@ async def set_boss_team(
     boss_id: int,
     team: list[BossPokemonInput],
     session: AsyncSession = Depends(get_session),
-    _user: AuthUser = Depends(require_auth),
+    _user: AuthUser = Depends(require_admin),
 ):
     vg_id = await _get_version_group_id(session, game_id)