feat(admin): comprehensive admin interface (users, tunnels, metrics, audit, reserved subdomains)

Adds an authenticated admin surface gated by auth.users.app_metadata.role==='admin'.

- lib/auth/admin-guard.ts: requireAdmin() (pages) + requireAdminApi() (routes)
- middleware.ts: defense-in-depth /admin and /api/admin guarding
- API: users (list/detail/role/ban/delete), tunnels (list + active/quota/reset/reassign/regenerate-token/delete), metrics, audit log, reserved subdomains
- Self-lockout prevention (no self demote/ban/delete)
- Best-effort Redis kill-switch via dependency-free net-socket client (REDIS_URL)
- admin_audit_log + reserved_subdomains migration (RLS on, service-role only)
- Admin UI (overview, users, tunnels, reserved, audit) + conditional nav link

app/layout.tsx

@@ -19,6 +19,7 @@ export default async function RootLayout({
   const {
     data: { user },
   } = await supabase.auth.getUser();
+  const isAdmin = user?.app_metadata?.role === 'admin';
 
   return (
     <html lang="en">
@@ -32,6 +33,7 @@ export default async function RootLayout({
               <>
                 <Link href="/dashboard">Dashboard</Link>
                 <Link href="/billing">Billing</Link>
+                {isAdmin && <Link href="/admin">Admin</Link>}
                 <form action="/api/auth/signout" method="post" style={{ margin: 0 }}>
                   <button className="secondary" type="submit">
                     Sign out