feat(admin): comprehensive admin interface (users, tunnels, metrics, audit, reserved subdomains)

Adds an authenticated admin surface gated by auth.users.app_metadata.role==='admin'.

- lib/auth/admin-guard.ts: requireAdmin() (pages) + requireAdminApi() (routes)
- middleware.ts: defense-in-depth /admin and /api/admin guarding
- API: users (list/detail/role/ban/delete), tunnels (list + active/quota/reset/reassign/regenerate-token/delete), metrics, audit log, reserved subdomains
- Self-lockout prevention (no self demote/ban/delete)
- Best-effort Redis kill-switch via dependency-free net-socket client (REDIS_URL)
- admin_audit_log + reserved_subdomains migration (RLS on, service-role only)
- Admin UI (overview, users, tunnels, reserved, audit) + conditional nav link

lib/auth/audit.ts

@@ -0,0 +1,33 @@
+import type { User } from '@supabase/supabase-js';
+import { getSupabaseAdmin } from '@/lib/supabase/admin';
+
+export type AuditEntry = {
+  action: string;
+  target_type?: string | null;
+  target_id?: string | null;
+  details?: Record<string, unknown>;
+};
+
+/**
+ * Best-effort audit logging. Never throws — a failed audit write must not
+ * break the underlying admin operation.
+ */
+export async function logAdminAction(
+  actor: User,
+  entry: AuditEntry,
+): Promise<void> {
+  try {
+    const admin = getSupabaseAdmin();
+    await admin.from('admin_audit_log').insert({
+      actor_id: actor.id,
+      actor_email: actor.email ?? null,
+      action: entry.action,
+      target_type: entry.target_type ?? null,
+      target_id: entry.target_id ?? null,
+      details: entry.details ?? {},
+    });
+  } catch (e) {
+    // Swallow — audit failures should not surface to the client.
+    console.error('[audit] failed to write audit log', e);
+  }
+}