feat: team admin role

[msmithstubbs]

This PR adds an admin role which is required for destructive account actions.

• create/update/delete a team or backend requires team admin permission
• admin is granted to:
  • the team owner
  • a team user with admin role
  • an API request bearing a private:admin token

Team roles

• Adds role attribute to TeamUser, can be user or admin.
• All existing team users are user by default.
• admin permission (as detailed above) is required to update a team user role.

Access tokens and API scopes

• API tokens can be created with private:admin scope
• admin permission (as detailed above) is required to create private:admin tokens through the UI or API
• private:admin is a superset of private scope and is accepted where a private scope is required

Role management UI

The dashboard and account preferences will display and 'admin' label next to a team user with the admin role.

The term 'admin' can be ambiguous as we also have internal admins. I've used 'team admin' where possible to distinguish this. A team admin is a user with admin privileges for a team: either the team owner, or a team user with the admin role.

A team admin can add and remove other admins.

All team users created using the invite link as regular users. They can be granted team admin status after creation.

CleanShot.2026-01-06.at.10.34.49.mp4

If a team admin tries to remove their own admin role a warning is shown first.

CleanShot.2026-01-06.at.14.05.36.mp4

Users can create an API token with private:admin scope by checking Admin

Documentation

Updates documentation to include private:admin scope and note in OpenAPI spec.

Part of O11Y-1251

[Ziinc]

should /api/sources/:token/backends/:backend_token require admin scope?

attaching sources to a backend doesn't need admin scope. fine to let users view the backends as readonly.