feat: two-role system — super_admin & admin program (Fasa 12)

- Replace is_admin boolean with role enum('super_admin','admin') via migration
- ProgramPolicy: admin program can only view/edit/delete own programs
- EnsureIsAdmin: accepts both roles; EnsureSuperAdmin: super_admin only
- UserController + views: super_admin can manage admin accounts
- Sidebar: user management link & role badge gated on isSuperAdmin()
- Fix Controller base class: add AuthorizesRequests trait
- Fix tests: replace nonAdmin() (invalid enum) with adminProgram() against super_admin-only route

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

database/factories/UserFactory.php

@@ -30,7 +30,7 @@ class UserFactory extends Factory
             'email_verified_at'  => now(),
             'password'           => static::$password ??= Hash::make('password'),
             'remember_token'     => Str::random(10),
-            'is_admin'           => true,
+            'role'               => 'super_admin',
         ];
     }
 
@@ -41,8 +41,15 @@ class UserFactory extends Factory
         ]);
     }
 
+    public function adminProgram(): static
+    {
+        return $this->state(fn (array $attributes) => ['role' => 'admin']);
+    }
+
     public function nonAdmin(): static
     {
-        return $this->state(fn (array $attributes) => ['is_admin' => false]);
+        // role='none' bukan dalam enum yang valid → EnsureIsAdmin returns 403
+        // SQLite tidak enforce enum constraint dalam tests
+        return $this->state(fn (array $attributes) => ['role' => 'none']);
     }
 }

database/migrations/2026_05_17_000001_replace_is_admin_with_role_on_users_table.php

@@ -0,0 +1,36 @@
+<?php
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\DB;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    public function up(): void
+    {
+        Schema::table('users', function (Blueprint $table) {
+            $table->enum('role', ['super_admin', 'admin'])->default('admin')->after('password');
+        });
+
+        // Migrate existing is_admin=true rows to super_admin
+        DB::table('users')->where('is_admin', true)->update(['role' => 'super_admin']);
+
+        Schema::table('users', function (Blueprint $table) {
+            $table->dropColumn('is_admin');
+        });
+    }
+
+    public function down(): void
+    {
+        Schema::table('users', function (Blueprint $table) {
+            $table->boolean('is_admin')->default(false)->after('password');
+        });
+
+        DB::table('users')->where('role', 'super_admin')->update(['is_admin' => true]);
+
+        Schema::table('users', function (Blueprint $table) {
+            $table->dropColumn('role');
+        });
+    }
+};

database/seeders/AdminSeeder.php

@@ -15,7 +15,7 @@ class AdminSeeder extends Seeder
             [
                 'name'     => 'Admin eCert MBIP',
                 'password' => Hash::make('Admin@MBIP2025!'),
-                'is_admin' => true,
+                'role'     => 'super_admin',
             ]
         );