feat: two-role system — super_admin & admin program (Fasa 12)

- Replace is_admin boolean with role enum('super_admin','admin') via migration
- ProgramPolicy: admin program can only view/edit/delete own programs
- EnsureIsAdmin: accepts both roles; EnsureSuperAdmin: super_admin only
- UserController + views: super_admin can manage admin accounts
- Sidebar: user management link & role badge gated on isSuperAdmin()
- Fix Controller base class: add AuthorizesRequests trait
- Fix tests: replace nonAdmin() (invalid enum) with adminProgram() against super_admin-only route

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

routes/web.php

@@ -2,6 +2,7 @@
 
 use Illuminate\Support\Facades\Route;
 use App\Http\Controllers\Admin\DashboardController;
+use App\Http\Controllers\Admin\UserController;
 use App\Http\Controllers\Admin\ProgramController;
 use App\Http\Controllers\Admin\QrCodeController;
 use App\Http\Controllers\Admin\ParticipantController;
@@ -83,6 +84,11 @@ Route::middleware(['auth', 'admin'])->prefix('admin')->name('admin.')->group(fun
         Route::post('/email-all',        [AdminCertificateController::class, 'emailAll'])->name('email-all');
     });
 
+    // User Management (Super Admin only)
+    Route::middleware('super_admin')->group(function () {
+        Route::resource('users', UserController::class)->except(['show']);
+    });
+
     // Questionnaire Sets
     Route::resource('questionnaires', QuestionnaireSetController::class)->except(['show'])->parameters(['questionnaires' => 'set']);
     Route::post('/questionnaires/{set}/publish',  [QuestionnaireSetController::class, 'publish'])->name('questionnaires.publish');