Fix SEC-09: hide admin nav links from non-admin users

- Add IsAdmin bool to PageData (embedded in all page view structs)
- Remove redundant IsAdmin from DashboardData
- Add isAdmin() helper to derive admin status from request claims
- Set IsAdmin in all page-level handlers that populate PageData
- Wrap admin-only nav links in base.html with {{if .IsAdmin}}
- Add tests: non-admin dashboard/profile hide admin links,
  admin dashboard shows them

Security: navigation links to /accounts, /audit, /policies,
and /pgcreds are now only rendered for admin users. Server-side
authorization (requireAdminRole middleware) was already in place;
this change removes the information leak of showing links that
return 403 to non-admin users.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/ui/handlers_audit.go

@@ -86,7 +86,7 @@ func (u *UIServer) handleAuditDetail(w http.ResponseWriter, r *http.Request) {
 	}
 
 	u.render(w, "audit_detail", AuditDetailData{
-		PageData: PageData{CSRFToken: csrfToken, ActorName: u.actorName(r)},
+		PageData: PageData{CSRFToken: csrfToken, ActorName: u.actorName(r), IsAdmin: isAdmin(r)},
 		Event:    event,
 	})
 }
@@ -116,7 +116,7 @@ func (u *UIServer) buildAuditData(r *http.Request, page int, csrfToken string) (
 	}
 
 	return AuditData{
-		PageData:   PageData{CSRFToken: csrfToken, ActorName: u.actorName(r)},
+		PageData:   PageData{CSRFToken: csrfToken, ActorName: u.actorName(r), IsAdmin: isAdmin(r)},
 		Events:     events,
 		EventTypes: auditEventTypes,
 		FilterType: filterType,