feat: Phase 1c — Platform Admin Dashboard

Full super-admin dashboard for SaaS platform management:

Backend (10 files):
- Migration 003: Add is_super_admin column to users table
- JWT Claims: Carry is_super_admin through access tokens
- SuperAdmin extractor: Axum FromRequestParts that rejects non-admins (403)
- Admin API module: 10 endpoints behind /api/admin/*
  - GET /stats (KPIs: licenses, users, MRR, servers, signups)
  - GET/POST /licenses (paginated, filterable, manual generation)
  - GET/PATCH /licenses/:id (detail view, revoke/activate)
  - GET /subscriptions (module sub list with MRR breakdown)
  - GET/PATCH /users (paginated, toggle admin, disable accounts)
  - GET /servers (fleet overview across all licenses)
  - GET /health (DB pool, NATS status, table row counts)
- Bootstrap updated: first user gets is_super_admin = true

Frontend (8 files):
- 5 admin views in src/views/platform-admin/
- DashboardLayout: "Platform" nav section (gated on isSuperAdmin)
- Router: /admin/* routes with superAdmin meta guard
- Auth store: isSuperAdmin computed property
- Types: is_super_admin on User interface

Build: 80 chunks, zero TS errors, clean production build.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

backend/src/services/auth.rs

@@ -36,6 +36,7 @@ pub fn create_access_token(
     email: &str,
     license_id: Option<Uuid>,
     role: Option<String>,
+    is_super_admin: bool,
 ) -> Result<String> {
     let now = Utc::now().timestamp();
     let claims = Claims {
@@ -43,6 +44,7 @@ pub fn create_access_token(
         email: email.to_string(),
         license_id,
         role,
+        is_super_admin,
         exp: now + config.jwt_access_expiry_seconds,
         iat: now,
         token_type: "access".to_string(),
@@ -68,6 +70,7 @@ pub fn create_refresh_token(
         email: email.to_string(),
         license_id: None,
         role: None,
+        is_super_admin: false,
         exp: now + config.jwt_refresh_expiry_seconds,
         iat: now,
         token_type: "refresh".to_string(),