Updated `serve_admin_ui` to accept requests authenticated via admin
session cookie (set by `/admin/login`), in addition to the existing
X-Admin-Key and Authorization: Bearer header methods.
The auth middleware already unseals the session cookie and sets the
`AdminSessionId` extension - the UI handler now checks for this extension
to allow cookie-authenticated requests through.
Added comprehensive unit tests for:
- X-Admin-Key authentication
- Bearer token authentication
- Session cookie authentication (via extension)
- File serving with proper cache headers
- 404 for missing files
The embedded admin UI assets are ~35 KB gzipped (well under the 100 KB
requirement). Session sealing, CSRF, and cross-pod session invalidation
were already implemented in prior work.
Closes: miroir-uhj.19
e19f0c8137