Add BYOC page, admin section, and is_byoc team visibility gating

- Frontend: BYOC hosts page (/dashboard/byoc) with register/delete flows,
  shimmer loading, pulsing online status, animated token reveal checkmark
- Frontend: Admin section (/admin/hosts) with platform + BYOC tabs, stat
  pills, skeleton loading, slide-in animations for new rows
- Frontend: AdminSidebar component with accent top bar and admin pill badge
- Frontend: BYOC nav item shown only when team.is_byoc is true (derived
  from teams store, not JWT); disabled for members
- Frontend: Admin shield button in Sidebar, visible only to platform admins
- Backend: is_admin in JWT claims + requireAdmin middleware (DB-validated)
- Backend: is_byoc added to teamResponse so frontend derives visibility
  from fresh team data rather than stale JWT fields
- Backend: SetBYOC admin endpoint (PUT /v1/admin/teams/{id}/byoc)
- Backend: Admin hosts list enriches BYOC entries with team_name
- Host agent: load .env file via godotenv on startup

internal/api/middleware_jwt.go

@@ -26,12 +26,14 @@ func requireJWT(secret []byte) func(http.Handler) http.Handler {
 			}
 
 			ctx := auth.WithAuthContext(r.Context(), auth.AuthContext{
-				TeamID: claims.TeamID,
-				UserID: claims.Subject,
-				Email:  claims.Email,
-				Name:   claims.Name,
-				Role:   claims.Role,
+				TeamID:  claims.TeamID,
+				UserID:  claims.Subject,
+				Email:   claims.Email,
+				Name:    claims.Name,
+				Role:    claims.Role,
+				IsAdmin: claims.IsAdmin,
 			})
+
 			next.ServeHTTP(w, r.WithContext(ctx))
 		})
 	}