
fix(security): restrict auth-config mutations to Admin role (#5)

Restrict manager-wide authentication configuration mutations (OIDC, SMTP, IP allowlist) to Admin role. Operators now receive 403 forbidden_role.

- New admin_required helper in settings.rs
- 4 gate changes: update_settings, discover_oidc, test_oidc, update_ip_whitelist
- 5 new AuditAction variants + migration 019
- SPA friendly error message on 403
- 3 admin_required unit tests pass (43/43)
- Full integration tests deferred to issue #15

Closes #5
Draco-Lunaris-Echo
2026-06-03 09:16:41 -05:00
committed by GitHub
parent f58d7a6f17
commit 88b190ac8d
8 changed files with 436 additions and 12 deletions


@ -99,6 +99,11 @@ export default function SettingsPage() {
const { data } = await settingsApi.discoverOidc(oidc.discovery_url)
setDiscoveryResult(data)
} catch (err: unknown) {
const axiosErr = err as AxiosError
if (axiosErr.response?.status === 403) {
setDiscoveryResult({ success: false, issuer: '', authorization_endpoint: '', token_endpoint: '', jwks_uri: '', message: 'Only Admins can modify authentication configuration. Contact an Admin to make this change.' })
return
}
const msg = err instanceof Error ? err.message : 'Discovery failed'
setDiscoveryResult({ success: false, issuer: '', authorization_endpoint: '', token_endpoint: '', jwks_uri: '', message: msg })
} finally {
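Review bot: The new 403 branch in this catch block, and the matching one in the save-settings hunk below, keys on the HTTP status alone, so every 403 is shown as a role problem. The commit description says Operators receive `forbidden_role`, so the branch could also match that code in the response body (field name to be confirmed against the API) and let other 403s fall through to the existing generic message; a rejection from the IP allowlist or a proxy, if those also answer 403, would otherwise be mislabelled and harder to diagnose. `err as AxiosError` is an unchecked cast, and `if (axios.isAxiosError(err) && err.response?.status === 403)` narrows it safely. The message literal is repeated in both hunks and would be better as one module-level constant. Both enclosing handlers start and end outside the visible hunks.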
@ -151,6 +156,10 @@ export default function SettingsPage() {
setSuccess('Settings saved successfully')
} catch (err: unknown) {
const axiosErr = err as AxiosError<{ error?: { message?: string } }>
if (axiosErr.response?.status === 403) {
setError('Only Admins can modify authentication configuration. Contact an Admin to make this change.')
return
}
const msg =
axiosErr.response?.data?.error?.message ??
(err instanceof Error ? err.message : 'Failed to save settings')