feat(security): enforce admin allowlist guard on admin APIs and attach bearer for admin client

app/core/config.py

@@ -30,6 +30,9 @@ class Settings(BaseSettings):
 
     public_frontend_origins: Annotated[list[str], NoDecode] = ["https://member.ose.tw"]
     internal_shared_secret: str = ""
+    admin_allowlist_emails: Annotated[list[str], NoDecode] = []
+    admin_allowlist_subs: Annotated[list[str], NoDecode] = []
+    admin_required_groups: Annotated[list[str], NoDecode] = []
 
     @field_validator("public_frontend_origins", mode="before")
     @classmethod
@@ -40,6 +43,15 @@ class Settings(BaseSettings):
             return []
         return [origin.strip() for origin in value.split(",") if origin.strip()]
 
+    @field_validator("admin_allowlist_emails", "admin_allowlist_subs", "admin_required_groups", mode="before")
+    @classmethod
+    def parse_csv(cls, value: str | list[str]) -> list[str]:
+        if isinstance(value, list):
+            return [str(v).strip() for v in value if str(v).strip()]
+        if not value:
+            return []
+        return [part.strip() for part in value.split(",") if part.strip()]
+
     @property
     def database_url(self) -> str:
         return (