refactor(auth): use group-only admin access and remove admin api-key flow from frontend/admin routes

app/api/admin.py

@@ -4,7 +4,6 @@ from fastapi import APIRouter, Depends, HTTPException, Query, status
 from sqlalchemy.orm import Session
 
 from app.db.session import get_db
-from app.models.api_client import ApiClient
 from app.repositories.companies_repo import CompaniesRepository
 from app.repositories.modules_repo import ModulesRepository
 from app.repositories.permissions_repo import PermissionsRepository
@@ -17,7 +16,6 @@ from app.schemas.permissions import (
     PermissionGrantRequest,
     PermissionRevokeRequest,
 )
-from app.security.api_client_auth import require_api_client
 from app.security.admin_guard import require_admin_principal
 
 router = APIRouter(
@@ -67,7 +65,6 @@ def _resolve_scope_ids(db: Session, scope_type: str, scope_id: str) -> tuple[str
 @router.post("/permissions/grant")
 def grant_permission(
     payload: PermissionGrantRequest,
-    _: ApiClient = Depends(require_api_client),
     db: Session = Depends(get_db),
 ) -> dict[str, str]:
     users_repo = UsersRepository(db)
@@ -96,7 +93,6 @@ def grant_permission(
 @router.post("/permissions/revoke")
 def revoke_permission(
     payload: PermissionRevokeRequest,
-    _: ApiClient = Depends(require_api_client),
     db: Session = Depends(get_db),
 ) -> dict[str, int | str]:
     users_repo = UsersRepository(db)
@@ -121,7 +117,6 @@ def revoke_permission(
 
 @router.get("/permissions/direct", response_model=DirectPermissionListResponse)
 def list_direct_permissions(
-    _: ApiClient = Depends(require_api_client),
     db: Session = Depends(get_db),
     keyword: str | None = Query(default=None),
     scope_type: str | None = Query(default=None),
@@ -146,7 +141,6 @@ def list_direct_permissions(
 @router.delete("/permissions/direct/{permission_id}")
 def delete_direct_permission(
     permission_id: str,
-    _: ApiClient = Depends(require_api_client),
     db: Session = Depends(get_db),
 ) -> dict[str, int | str]:
     try: