feat: auth-aware UI and role-based access control (#67)

## Summary

- Add `is_admin` column to users table with Alembic migration and a `require_admin` FastAPI dependency that protects all admin-facing write endpoints (games, pokemon, evolutions, bosses, routes CRUD)
- Expose admin status to frontend via user API and update AuthContext to fetch/store `isAdmin` after login
- Make navigation menu auth-aware (different links for logged-out, logged-in, and admin users) and protect frontend routes with `ProtectedRoute` and `AdminRoute` components, preserving deep-linking through redirects
- Fix test reliability: `drop_all` before `create_all` to clear stale PostgreSQL enums from interrupted test runs
- Fix test auth: add `admin_client` fixture and use valid UUID for mock user so tests pass with new admin-protected endpoints

## Test plan

- [x] All 252 backend tests pass
- [ ] Verify non-admin users cannot access admin write endpoints (games, pokemon, evolutions, bosses CRUD)
- [ ] Verify admin users can access admin endpoints normally
- [ ] Verify navigation shows correct links for logged-out, logged-in, and admin states
- [ ] Verify `/admin/*` routes redirect non-admin users with a toast
- [ ] Verify `/runs/new` and `/genlockes/new` redirect unauthenticated users to login, then back after auth

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: #67
Co-authored-by: Julian Tabel <juliantabel.jt@gmail.com>
Co-committed-by: Julian Tabel <juliantabel.jt@gmail.com>

backend/tests/conftest.py

@@ -7,7 +7,7 @@ from httpx import ASGITransport, AsyncClient
 from sqlalchemy.ext.asyncio import async_sessionmaker, create_async_engine
 
 import app.models  # noqa: F401 — ensures all models register with Base.metadata
-from app.core.auth import AuthUser, get_current_user
+from app.core.auth import AuthUser, get_current_user, require_admin
 from app.core.database import Base, get_session
 from app.main import app
 
@@ -24,6 +24,7 @@ async def engine():
     """Create the test engine and schema once for the entire session."""
     eng = create_async_engine(TEST_DATABASE_URL, echo=False)
     async with eng.begin() as conn:
+        await conn.run_sync(Base.metadata.drop_all)
         await conn.run_sync(Base.metadata.create_all)
     yield eng
     async with eng.begin() as conn:
@@ -69,7 +70,11 @@ async def client(db_session):
 @pytest.fixture
 def mock_auth_user():
     """Return a mock authenticated user for tests."""
-    return AuthUser(id="test-user-123", email="test@example.com", role="authenticated")
+    return AuthUser(
+        id="00000000-0000-4000-a000-000000000001",
+        email="test@example.com",
+        role="authenticated",
+    )
 
 
 @pytest.fixture
@@ -93,11 +98,34 @@ async def auth_client(db_session, auth_override):
         yield ac
 
 
+@pytest.fixture
+def admin_override(mock_auth_user):
+    """Override require_admin and get_current_user to return a mock user."""
+
+    def _override():
+        return mock_auth_user
+
+    app.dependency_overrides[require_admin] = _override
+    app.dependency_overrides[get_current_user] = _override
+    yield
+    app.dependency_overrides.pop(require_admin, None)
+    app.dependency_overrides.pop(get_current_user, None)
+
+
+@pytest.fixture
+async def admin_client(db_session, admin_override):
+    """Async HTTP client with mocked admin authentication."""
+    async with AsyncClient(
+        transport=ASGITransport(app=app), base_url="http://test"
+    ) as ac:
+        yield ac
+
+
 @pytest.fixture
 def valid_token():
     """Generate a valid JWT token for testing."""
     payload = {
-        "sub": "test-user-123",
+        "sub": "00000000-0000-4000-a000-000000000001",
         "email": "test@example.com",
         "role": "authenticated",
         "aud": "authenticated",