feat: super admin promote/demote endpoint + admin panel UI

Fix require_engineer_or_admin missing "admin" account_role, add
PUT /admin/users/{id}/super-admin endpoint with audit logging,
and promote/demote button with confirmation modal on UserDetailPage.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

backend/app/api/endpoints/admin.py

@@ -371,6 +371,46 @@ async def update_account_role(
     return user
 
 
+@router.put("/users/{user_id}/super-admin", response_model=UserResponse)
+async def update_super_admin_status(
+    user_id: UUID,
+    data: dict,
+    db: Annotated[AsyncSession, Depends(get_db)],
+    current_user: Annotated[User, Depends(require_admin)]
+):
+    """Promote or demote a user to/from super admin (super admin only)."""
+    is_super_admin = data.get("is_super_admin")
+    if not isinstance(is_super_admin, bool):
+        raise HTTPException(
+            status_code=status.HTTP_422_UNPROCESSABLE_ENTITY,
+            detail="is_super_admin must be a boolean"
+        )
+
+    result = await db.execute(select(User).where(User.id == user_id))
+    user = result.scalar_one_or_none()
+
+    if not user:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="User not found"
+        )
+
+    if user.id == current_user.id:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Cannot change your own super admin status"
+        )
+
+    old_status = user.is_super_admin
+    user.is_super_admin = is_super_admin
+    action = "user.promote_super_admin" if is_super_admin else "user.demote_super_admin"
+    await log_audit(db, current_user.id, action, "user", user.id,
+                    {"email": user.email, "old_is_super_admin": old_status, "new_is_super_admin": is_super_admin})
+    await db.commit()
+    await db.refresh(user)
+    return user
+
+
 @router.put("/users/{user_id}/deactivate", response_model=UserResponse)
 async def deactivate_user(
     user_id: UUID,