Add Super Admin panel with user impersonation

- New /super-admin/login and /super-admin routes with separate auth
- Super admin can view all registered accounts and impersonate any user
- Impersonation banner shows at top of screen with exit button
- ADMIN_USERNAME and ADMIN_PASSWORD config added to .env and docker-compose.yml
- Fixed auth store: export setToken, clearToken, and setUser so they are
  accessible from superAdmin store
- Updated README with super admin feature, new env vars, and setup notes

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

README.md

@@ -19,6 +19,7 @@ A self-hosted web app for managing homeschool schedules, tracking daily learning
 - **Timezone Support** — Set your local timezone in Admin → Settings. All activity log timestamps display in your timezone, including the TV dashboard clock.
 - **Multi-Child Support** — Manage multiple students under one parent account, each with their own color, schedule, and history.
 - **JWT Authentication** — Secure parent login with access tokens and httpOnly refresh cookies. TV dashboard is public (no login required).
+- **Super Admin Panel** — A separate admin interface (at `/super-admin`) for site-wide management. Log in with a dedicated admin username and password (set in `.env`). Lists all registered parent accounts and allows impersonating any user — switching into their session to view and manage their data. An impersonation banner is shown at the top of the screen with a one-click "Exit to Admin Panel" button.
 
 ---
 
@@ -73,6 +74,7 @@ homeschool/
 │       │   ├── morning_routine.py
 │       │   ├── break_activity.py # Break activities CRUD
 │       │   ├── dashboard.py      # Public snapshot endpoint (TV)
+│       │   ├── admin.py          # Super admin: login, user list, impersonation
 │       │   └── users.py
 │       ├── utils/
 │       │   └── timer.py          # Elapsed-time computation for block and break timers
@@ -85,8 +87,9 @@ homeschool/
         ├── composables/
         │   ├── useApi.js         # Axios with auto token-refresh
         │   └── useWebSocket.js   # Auto-reconnecting WebSocket
-        ├── stores/               # Pinia: auth, children, schedule
-        ├── views/                # LoginView, TVView, DashboardView, LogView, AdminView
+        ├── stores/               # Pinia: auth, children, schedule, superAdmin
+        ├── views/                # LoginView, TVView, DashboardView, LogView, AdminView,
+        │                         #   SuperAdminLoginView, SuperAdminView
         └── components/           # TimerDisplay, ScheduleBlock, NavBar, etc.
 ```
 
@@ -129,6 +132,10 @@ REFRESH_TOKEN_EXPIRE_DAYS=30
 
 # Your host IP or domain (no trailing slash)
 CORS_ORIGINS=http://localhost:8054
+
+# Super admin credentials (for /super-admin)
+ADMIN_USERNAME=admin
+ADMIN_PASSWORD=change_me_admin_password
 ```
 
 ### 3. Build and start
@@ -166,6 +173,15 @@ Open **http://localhost:8054/login** and register. This creates your admin accou
 | `/logs` | Browse timer and strike event history and manual notes; filter by child and date |
 | `/admin` | Manage children, subjects (with activity options), morning routine, break activities, schedule templates, and account settings |
 
+### Super Admin Views
+
+| URL | Description |
+|-----|-------------|
+| `/super-admin/login` | Log in with the `ADMIN_USERNAME` / `ADMIN_PASSWORD` from `.env` |
+| `/super-admin` | List all registered parent accounts and impersonate any user |
+
+While impersonating, a yellow banner appears at the top of every page showing who you're viewing as, with an **Exit to Admin Panel** button to return.
+
 ### Dashboard Controls
 
 While a session is active, clicking a block in the schedule list **selects** it as the current block without starting the timer. The action buttons then provide explicit control:
@@ -259,6 +275,10 @@ Break timer events (`break_*`) are stored as `TimerEvent` records alongside regu
 | `ACCESS_TOKEN_EXPIRE_MINUTES` | No | Access token lifetime (default: `30`) |
 | `REFRESH_TOKEN_EXPIRE_DAYS` | No | Refresh token lifetime (default: `30`) |
 | `CORS_ORIGINS` | No | Comma-separated allowed origins (default: `http://localhost:8054`) |
+| `ADMIN_USERNAME` | No | Super admin login username (default: `admin`) |
+| `ADMIN_PASSWORD` | No | Super admin login password (default: `change_me_admin_password`) |
+
+> **Note:** `ADMIN_USERNAME` and `ADMIN_PASSWORD` must be set in `.env` **and** listed in the `backend` service's `environment` block in `docker-compose.yml`. Changing them in `.env` alone is not sufficient — the backend container reads them as environment variables, not from the file directly.
 
 ---