Replace IsAdmin with role-based admin

Switch user admin handling from an AppUser boolean to ASP.NET Identity roles. Removed AppUser.IsAdmin and related configuration/model entries; added migration ReplaceIsAdminWithRoles to copy Users.IsAdmin=true into a persistent admin role and drop the IsAdmin column. CurrentUserResponse now exposes roles (string[]), AuthController returns ordered roles from UserManager, and IdentitySeedService now ensures the admin role exists and assigns/creates an initial admin user in that role. Program.cs registers an Admin-only policy (PolicyNames/RoleNames), adjusts cookie auth events to return 401/403 for API requests, and wires up authorization. Frontend updated to use roles: authSession normalizes roles, adds hasRole and ROLE_ADMIN, router and layout support meta.requiredRoles, and new Forbidden and AdminUsers pages/route are added. codexInfo.md updated to reflect the migration to role-based auth.
Jonas
2026-04-20 19:57:49 +02:00
parent bd261b6868
commit b2984fcf1a
19 changed files with 813 additions and 39 deletions
+4 -2
@@ -58,11 +58,13 @@ namespace API.Controllers.Auth
if (user is null)
return Unauthorized();
var roles = await userManager.GetRolesAsync(user);
return Ok(new CurrentUserResponse
{
Id = user.Id,
UserName = user.UserName ?? string.Empty,
IsAdmin = user.IsAdmin,
Roles = roles.OrderBy(x => x).ToList(),
IsActive = user.IsActive,
MustChangePassword = user.MustChangePassword
});
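Review bot: `Roles = roles.OrderBy(x => x).ToList()` sorts with the default string comparer, which is culture-sensitive, so the role order can differ between hosts with different culture settings; pass `StringComparer.Ordinal` to `OrderBy` to make it deterministic. The same response also drops `IsAdmin` with no transition field, so any client still reading it gets no value; confirm every consumer of `CurrentUserResponse` reads `Roles` before this ships. Since `Roles` here comes from `userManager.GetRolesAsync(user)` at request time, treat it as display data for the frontend and keep the server-side policy as the only access decision.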
@@ -114,4 +116,4 @@ namespace API.Controllers.Auth
return Ok(new { message = "Passwort geändert. Du wurdest auf allen Geräten abgemeldet." });
}
}
}
}