Replace IsAdmin with role-based admin

Switch user admin handling from an AppUser boolean to ASP.NET Identity roles. Removed AppUser.IsAdmin and related configuration/model entries; added migration ReplaceIsAdminWithRoles to copy Users.IsAdmin=true into a persistent admin role and drop the IsAdmin column. CurrentUserResponse now exposes roles (string[]), AuthController returns ordered roles from UserManager, and IdentitySeedService now ensures the admin role exists and assigns/creates an initial admin user in that role. Program.cs registers an Admin-only policy (PolicyNames/RoleNames), adjusts cookie auth events to return 401/403 for API requests, and wires up authorization. Frontend updated to use roles: authSession normalizes roles, adds hasRole and ROLE_ADMIN, router and layout support meta.requiredRoles, and new Forbidden and AdminUsers pages/route are added. codexInfo.md updated to reflect the migration to role-based auth.

GUI/src/Layout.vue

@@ -9,6 +9,7 @@ import { Visibility, routes } from '@/plugins/routesLayout'
 import {
   AuthRequestError,
   fetchCurrentUser,
+  hasRole,
   logout,
   type CurrentUser,
 } from '@/services/authSession'
@@ -75,6 +76,18 @@ const sidebarRoutes = computed(() =>
       return currentUser.value === null
     }
 
+    if (item.visible === Visibility.Authorized) {
+      if (!currentUser.value) {
+        return false
+      }
+
+      if (!item.requiredRoles || item.requiredRoles.length === 0) {
+        return true
+      }
+
+      return item.requiredRoles.every((role) => hasRole(currentUser.value, role))
+    }
+
     if (item.visible !== Visibility.Route) {
       return false
     }