feat: introduce app-admin authorization and audit logging

- add migrations for owner/member workspace roles and application admins

- centralize /admin access checks with DB-backed admin resolution

- audit admin analytics/billing route access

- update account/admin UI typing and env/docs for ADMIN_EMAILS fallback behavior

db/migrations/0007_workspace_roles_owner_member.sql

@@ -0,0 +1,10 @@
+update public.workspace_memberships
+set role = 'member'
+where role = 'admin';
+
+alter table public.workspace_memberships
+drop constraint if exists workspace_memberships_role_check;
+
+alter table public.workspace_memberships
+add constraint workspace_memberships_role_check
+check (role in ('owner', 'member'));