Add Done button, tablet controls, super admin management, midnight strike reset, and activity log improvements

- Done button snaps block to full duration, marks complete, logs "Marked Done by User"; Reset after Done fully un-completes the block
- Session action buttons stretch full-width and double height for tablet tapping
- Super admin: reset password, disable/enable accounts, delete user (with cascade), last active date per user's timezone
- Disabled account login returns specific error message instead of generic invalid credentials
- Users can change own password from Admin → Settings
- Strikes reset automatically at midnight in user's configured timezone (lazy reset on page load)
- Break timer state fully restored when navigating away and back to dashboard
- Timer no longer auto-starts on navigation if it wasn't running before
- Implicit pause guard: no duplicate pause events when switching already-paused blocks or starting a break
- Block selection events removed from activity log; all event types have human-readable labels
- House emoji favicon via inline SVG data URI
- README updated to reflect all changes

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/app/routers/admin.py

@@ -1,8 +1,8 @@
 from fastapi import APIRouter, Depends, HTTPException, status
 from sqlalchemy.ext.asyncio import AsyncSession
-from sqlalchemy import select
+from sqlalchemy import select, delete
 
-from app.auth.jwt import create_admin_token, create_access_token
+from app.auth.jwt import create_admin_token, create_access_token, hash_password
 from app.config import get_settings
 from app.dependencies import get_db, get_admin_user
 from app.models.user import User
@@ -35,11 +35,62 @@ async def list_users(
             "full_name": u.full_name,
             "is_active": u.is_active,
             "created_at": u.created_at,
+            "last_active_at": u.last_active_at,
+            "timezone": u.timezone,
         }
         for u in users
     ]
 
 
+@router.post("/toggle-active/{user_id}")
+async def toggle_user_active(
+    user_id: int,
+    _: dict = Depends(get_admin_user),
+    db: AsyncSession = Depends(get_db),
+):
+    result = await db.execute(select(User).where(User.id == user_id))
+    user = result.scalar_one_or_none()
+    if not user:
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="User not found")
+    user.is_active = not user.is_active
+    await db.commit()
+    return {"id": user.id, "is_active": user.is_active}
+
+
+@router.delete("/users/{user_id}")
+async def delete_user(
+    user_id: int,
+    _: dict = Depends(get_admin_user),
+    db: AsyncSession = Depends(get_db),
+):
+    result = await db.execute(select(User).where(User.id == user_id))
+    user = result.scalar_one_or_none()
+    if not user:
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="User not found")
+    await db.execute(delete(User).where(User.id == user_id))
+    await db.commit()
+    return {"ok": True}
+
+
+@router.post("/reset-password/{user_id}")
+async def reset_user_password(
+    user_id: int,
+    body: dict,
+    _: dict = Depends(get_admin_user),
+    db: AsyncSession = Depends(get_db),
+):
+    new_password = body.get("new_password", "").strip()
+    if not new_password:
+        raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="new_password is required")
+    result = await db.execute(select(User).where(User.id == user_id))
+    user = result.scalar_one_or_none()
+    if not user:
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="User not found")
+    user.hashed_password = hash_password(new_password)
+    await db.commit()
+    return {"ok": True}
+
+
 @router.post("/impersonate/{user_id}")
 async def impersonate_user(
     user_id: int,