feat: add first-run admin bootstrap flow and site-admin badge

pguerrerox
2026-05-25 20:20:42 +00:00
parent f5e7e966e3
commit 232342d6a1
14 changed files with 437 additions and 26 deletions
@@ -9,12 +9,17 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
### Added
- Added migrations to enforce workspace membership roles as `owner`/`member` only and to introduce DB-backed application-admin identities with access-audit storage.
- Added centralized admin authorization and audit helpers so internal `/admin/*` routes can use one shared access check and log admin support activity.
- Added a first-run admin bootstrap flow with `/api/admin/bootstrap/status` and `/api/admin/bootstrap/claim` so the initial application-admin account can be claimed safely.
- Added `bootstrap-token` and `bootstrap-enabled` environment/config support, plus setup docs and operational checklist updates for first-run admin provisioning.
- Added authenticated UI admin-badge visibility by exposing `isAdmin` on shared session/auth payloads.
### Changed
- Replaced env-only billing-admin authorization with application-admin checks backed by database records, while keeping env allowlist fallback support for rollout safety.
- Updated account and workspace permission handling so only workspace owners can manage workspace settings, and admin tooling visibility is driven by the new app-admin identity.
- Updated environment and setup docs for Stripe keys plus the new preferred `ADMIN_EMAILS` allowlist variable (with `BILLING_ADMIN_EMAILS` retained as a deprecated fallback).
- Reorganized the pricing rollout tracker to reflect completed phases, deferred work, and the new app-admin and workspace-role migration milestones.
- Updated auth/session responses to include canonical admin-status checks so admin UI state stays consistent after refresh and login.
- Updated README and TODO planning docs for phased admin-console rollout and the first-run operational checklist.
## [2026-05-22]
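Review bot: the Added entry for the bootstrap flow says the initial application-admin account can be "claimed safely" but never says what enforces that, and a changelog reader deploying this needs to know. Spell out in that entry whether `/api/admin/bootstrap/claim` requires the `bootstrap-token` value, whether it refuses further claims once an application admin exists, and what `bootstrap-enabled` defaults to, so operators know to turn it off after first run. The next entry also names `bootstrap-token` and `bootstrap-enabled` in kebab-case as "environment/config support", while the Changed section writes environment variables as `ADMIN_EMAILS` and `BILLING_ADMIN_EMAILS`; give the exact variable names an operator has to set. Since `/api/admin/bootstrap/status` is listed beside the claim route, it is also worth one line on whether it is reachable without authentication and what it discloses.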