feat: implement super admin and platform admin roles

Add multi-platform admin authorization system with:
- AdminPlatform junction table for admin-platform assignments
- is_super_admin flag on User model for global admin access
- Platform selection flow for platform admins after login
- JWT token updates to include platform context
- New API endpoints for admin user management (super admin only)
- Auth dependencies for super admin and platform access checks

Includes comprehensive test coverage:
- Unit tests for AdminPlatform model and User admin methods
- Unit tests for AdminPlatformService operations
- Integration tests for admin users API endpoints

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

tests/fixtures/auth_fixtures.py

@@ -40,7 +40,7 @@ def test_user(db, auth_manager):
 
 @pytest.fixture
 def test_admin(db, auth_manager):
-    """Create a test admin user with unique username."""
+    """Create a test admin user with unique username (super admin by default)."""
     unique_id = str(uuid.uuid4())[:8]
     hashed_password = auth_manager.hash_password("adminpass123")
     admin = User(
@@ -49,6 +49,7 @@ def test_admin(db, auth_manager):
         hashed_password=hashed_password,
         role="admin",
         is_active=True,
+        is_super_admin=True,  # Default to super admin for backward compatibility
     )
     db.add(admin)
     db.commit()
@@ -56,6 +57,68 @@ def test_admin(db, auth_manager):
     return admin
 
 
+@pytest.fixture
+def test_super_admin(db, auth_manager):
+    """Create a test super admin user with unique username."""
+    unique_id = str(uuid.uuid4())[:8]
+    hashed_password = auth_manager.hash_password("superadminpass123")
+    admin = User(
+        email=f"superadmin_{unique_id}@example.com",
+        username=f"superadmin_{unique_id}",
+        hashed_password=hashed_password,
+        role="admin",
+        is_active=True,
+        is_super_admin=True,
+    )
+    db.add(admin)
+    db.commit()
+    db.refresh(admin)
+    return admin
+
+
+@pytest.fixture
+def test_platform_admin(db, auth_manager):
+    """Create a test platform admin user (not super admin)."""
+    unique_id = str(uuid.uuid4())[:8]
+    hashed_password = auth_manager.hash_password("platformadminpass123")
+    admin = User(
+        email=f"platformadmin_{unique_id}@example.com",
+        username=f"platformadmin_{unique_id}",
+        hashed_password=hashed_password,
+        role="admin",
+        is_active=True,
+        is_super_admin=False,  # Platform admin, not super admin
+    )
+    db.add(admin)
+    db.commit()
+    db.refresh(admin)
+    return admin
+
+
+@pytest.fixture
+def super_admin_headers(client, test_super_admin):
+    """Get authentication headers for super admin user."""
+    response = client.post(
+        "/api/v1/admin/auth/login",
+        json={"email_or_username": test_super_admin.username, "password": "superadminpass123"},
+    )
+    assert response.status_code == 200, f"Super admin login failed: {response.text}"
+    token = response.json()["access_token"]
+    return {"Authorization": f"Bearer {token}"}
+
+
+@pytest.fixture
+def platform_admin_headers(client, test_platform_admin):
+    """Get authentication headers for platform admin user (no platform context yet)."""
+    response = client.post(
+        "/api/v1/admin/auth/login",
+        json={"email_or_username": test_platform_admin.username, "password": "platformadminpass123"},
+    )
+    assert response.status_code == 200, f"Platform admin login failed: {response.text}"
+    token = response.json()["access_token"]
+    return {"Authorization": f"Bearer {token}"}
+
+
 @pytest.fixture
 def another_admin(db, auth_manager):
     """Create another test admin user for testing admin-to-admin interactions."""
@@ -67,6 +130,7 @@ def another_admin(db, auth_manager):
         hashed_password=hashed_password,
         role="admin",
         is_active=True,
+        is_super_admin=True,  # Super admin for backward compatibility
     )
     db.add(admin)
     db.commit()