feat: introduce app-admin authorization and audit logging

- add migrations for owner/member workspace roles and application admins

- centralize /admin access checks with DB-backed admin resolution

- audit admin analytics/billing route access

- update account/admin UI typing and env/docs for ADMIN_EMAILS fallback behavior

shared/types.ts

@@ -18,7 +18,7 @@ export interface SessionUser extends AppUser {
 }
 
 export type WorkspaceType = 'personal' | 'company';
-export type WorkspaceRole = 'owner' | 'admin' | 'member';
+export type WorkspaceRole = 'owner' | 'member';
 
 export interface AccountWorkspace {
   id: string;
@@ -174,6 +174,7 @@ export interface AccountPageData {
   summary: AccountSummary;
   billing: AccountBillingState;
   team: AccountTeamPlaceholder;
+  isAdmin?: boolean;
   isBillingAdmin?: boolean;
 }