feat(admin): comprehensive admin interface (users, tunnels, metrics, audit, reserved subdomains)

Adds an authenticated admin surface gated by auth.users.app_metadata.role==='admin'.

- lib/auth/admin-guard.ts: requireAdmin() (pages) + requireAdminApi() (routes)
- middleware.ts: defense-in-depth /admin and /api/admin guarding
- API: users (list/detail/role/ban/delete), tunnels (list + active/quota/reset/reassign/regenerate-token/delete), metrics, audit log, reserved subdomains
- Self-lockout prevention (no self demote/ban/delete)
- Best-effort Redis kill-switch via dependency-free net-socket client (REDIS_URL)
- admin_audit_log + reserved_subdomains migration (RLS on, service-role only)
- Admin UI (overview, users, tunnels, reserved, audit) + conditional nav link

lib/auth/admin-guard.ts

@@ -0,0 +1,48 @@
+import { redirect } from 'next/navigation';
+import { NextResponse } from 'next/server';
+import type { User } from '@supabase/supabase-js';
+import { createSupabaseServerClient } from '@/lib/supabase/server';
+
+export function isAdmin(user: User | null | undefined): boolean {
+  return user?.app_metadata?.role === 'admin';
+}
+
+/**
+ * For server components / pages. Redirects to /login if unauthenticated,
+ * or /dashboard if authenticated but not an admin (does not leak /admin).
+ */
+export async function requireAdmin(): Promise<User> {
+  const supabase = createSupabaseServerClient();
+  const {
+    data: { user },
+  } = await supabase.auth.getUser();
+  if (!user) redirect('/login');
+  if (!isAdmin(user)) redirect('/dashboard');
+  return user;
+}
+
+/**
+ * For route handlers. Returns the authenticated admin user, or a NextResponse
+ * (401 when no session, 403 when not admin) that the caller must return.
+ */
+export async function requireAdminApi(): Promise<
+  { ok: true; user: User } | { ok: false; response: NextResponse }
+> {
+  const supabase = createSupabaseServerClient();
+  const {
+    data: { user },
+  } = await supabase.auth.getUser();
+  if (!user) {
+    return {
+      ok: false,
+      response: NextResponse.json({ error: 'unauthorized' }, { status: 401 }),
+    };
+  }
+  if (!isAdmin(user)) {
+    return {
+      ok: false,
+      response: NextResponse.json({ error: 'forbidden' }, { status: 403 }),
+    };
+  }
+  return { ok: true, user };
+}