feat(security): enforce admin allowlist guard on admin APIs and attach bearer for admin client

backend/app/schemas/auth.py

@@ -1,4 +1,4 @@
-from pydantic import BaseModel
+from pydantic import BaseModel, Field
 
 
 class AuthentikPrincipal(BaseModel):
@@ -6,6 +6,7 @@ class AuthentikPrincipal(BaseModel):
     email: str | None = None
     name: str | None = None
     preferred_username: str | None = None
+    groups: list[str] = Field(default_factory=list)
 
 
 class MeSummaryResponse(BaseModel):