feat: security hardening (Fasa 10)

- EnsureIsAdmin middleware: gates all admin routes on is_admin flag
- Apply admin middleware to entire admin route group
- Fix questionnaire resource route parameter name mismatch ({set})
- Audit log on questionnaire confirmation

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

routes/web.php

@@ -24,7 +24,7 @@ Route::get('/', fn() => redirect()->route('admin.dashboard'));
 // ──────────────────────────────────────────────
 // Admin Routes
 // ──────────────────────────────────────────────
-Route::middleware('auth')->prefix('admin')->name('admin.')->group(function () {
+Route::middleware(['auth', 'admin'])->prefix('admin')->name('admin.')->group(function () {
 
     Route::get('/dashboard', [DashboardController::class, 'index'])->name('dashboard');
 
@@ -84,7 +84,7 @@ Route::middleware('auth')->prefix('admin')->name('admin.')->group(function () {
     });
 
     // Questionnaire Sets
-    Route::resource('questionnaires', QuestionnaireSetController::class)->except(['show']);
+    Route::resource('questionnaires', QuestionnaireSetController::class)->except(['show'])->parameters(['questionnaires' => 'set']);
     Route::post('/questionnaires/{set}/publish',  [QuestionnaireSetController::class, 'publish'])->name('questionnaires.publish');
     Route::post('/questionnaires/{set}/archive',  [QuestionnaireSetController::class, 'archive'])->name('questionnaires.archive');
     Route::get('/questionnaires/{set}',           [QuestionnaireSetController::class, 'show'])->name('questionnaires.show');