Overhaul nav, fix DB transaction bugs, add admin UI

- Replace nav user area with display name (non-clickable), gear settings
  modal, admin button (admins only), and logout button
- Settings modal handles display name, timezone, and password change
- Add admin.html + admin.js: user table with reset PW, disable/enable,
  login-as (impersonation), and delete; return-to-admin flow in nav
- Add is_admin to UserResponse so frontend can gate the Admin button
- Fix all db.begin() bugs in admin.py and users.py (transaction already
  active from get_current_user query; use commit() directly instead)
- Add email-validator and pin bcrypt==4.0.1 for passlib compatibility
- Add escHtml() to api.js and admin API namespace
- Group nav brand + links in nav-left for left-aligned layout

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

frontend/js/api.js

@@ -1,5 +1,9 @@
 /* Central API client — all fetch calls go through here */
 
+function escHtml(str) {
+  return String(str ?? '').replace(/&/g,'&amp;').replace(/</g,'&lt;').replace(/>/g,'&gt;').replace(/"/g,'&quot;');
+}
+
 const API = (() => {
   const base = '/api';
 
@@ -55,5 +59,15 @@ const API = (() => {
     public: {
       stats: () => request('GET', '/public/stats'),
     },
+    admin: {
+      listUsers:     ()           => request('GET',    '/admin/users'),
+      createUser:    (body)       => request('POST',   '/admin/users', body),
+      resetPassword: (id, body)   => request('POST',   `/admin/users/${id}/reset-password`, body),
+      disable:       (id)         => request('POST',   `/admin/users/${id}/disable`, {}),
+      enable:        (id)         => request('POST',   `/admin/users/${id}/enable`, {}),
+      delete:        (id)         => request('DELETE', `/admin/users/${id}`),
+      impersonate:   (id)         => request('POST',   `/admin/users/${id}/impersonate`, {}),
+      unimpersonate: ()           => request('POST',   '/admin/unimpersonate', {}),
+    },
   };
 })();