Add BYOC page, admin section, and is_byoc team visibility gating

- Frontend: BYOC hosts page (/dashboard/byoc) with register/delete flows,
  shimmer loading, pulsing online status, animated token reveal checkmark
- Frontend: Admin section (/admin/hosts) with platform + BYOC tabs, stat
  pills, skeleton loading, slide-in animations for new rows
- Frontend: AdminSidebar component with accent top bar and admin pill badge
- Frontend: BYOC nav item shown only when team.is_byoc is true (derived
  from teams store, not JWT); disabled for members
- Frontend: Admin shield button in Sidebar, visible only to platform admins
- Backend: is_admin in JWT claims + requireAdmin middleware (DB-validated)
- Backend: is_byoc added to teamResponse so frontend derives visibility
  from fresh team data rather than stale JWT fields
- Backend: SetBYOC admin endpoint (PUT /v1/admin/teams/{id}/byoc)
- Backend: Admin hosts list enriches BYOC entries with team_name
- Host agent: load .env file via godotenv on startup

internal/auth/context.go

@@ -8,11 +8,12 @@ const authCtxKey contextKey = 0
 
 // AuthContext is stamped into request context by auth middleware.
 type AuthContext struct {
-	TeamID string
-	UserID string // empty when authenticated via API key
-	Email  string // empty when authenticated via API key
-	Name   string // empty when authenticated via API key
-	Role   string // owner, admin, or member; empty when authenticated via API key
+	TeamID  string
+	UserID  string // empty when authenticated via API key
+	Email   string // empty when authenticated via API key
+	Name    string // empty when authenticated via API key
+	Role    string // owner, admin, or member; empty when authenticated via API key
+	IsAdmin bool   // platform-level admin; always false when authenticated via API key
 }
 
 // WithAuthContext returns a new context with the given AuthContext.