feat(security): enforce admin allowlist guard on admin APIs and attach bearer for admin client

backend/app/api/admin_catalog.py

@@ -40,9 +40,14 @@ from app.schemas.catalog import (
 )
 from app.schemas.permissions import PermissionGrantRequest, PermissionRevokeRequest
 from app.security.api_client_auth import require_api_client
+from app.security.admin_guard import require_admin_principal
 from app.services.authentik_admin_service import AuthentikAdminService
 
-router = APIRouter(prefix="/admin", tags=["admin"])
+router = APIRouter(
+    prefix="/admin",
+    tags=["admin"],
+    dependencies=[Depends(require_admin_principal)],
+)
 
 
 def _resolve_module_id(db: Session, system_key: str, module_key: str | None) -> str: