fix: frontend type errors and add k8s manifests

conductor/superadmin-crud.md

@@ -0,0 +1,56 @@
+# Superadmin CRUD Implementation Plan
+
+**Objective:** Implement a superadmin role to manage courses and tutors, ensuring only authorized users can perform system-wide administrative actions. This feature will be developed in an isolated git worktree.
+
+## Key Context & Decisions
+- **Role Strategy:** A new `is_superadmin` boolean column will be added to the `tutors` database table.
+- **UI Structure:** A dedicated `/admin/tutors` page will handle tutor management. Course management will remain on `/admin/courses` but will be enhanced with superadmin-only actions (e.g., assigning tutors to courses).
+- **Workspace:** Development will be done in `.worktrees/feature-superadmin-crud`.
+
+## Implementation Steps
+
+### 1. Workspace Isolation via Git Worktree
+- Create a new git worktree: `git worktree add .worktrees/feature-superadmin-crud -b feature-superadmin-crud`
+- All subsequent steps will be performed inside this isolated workspace.
+
+### 2. Database & Models
+- Create migration `backend/migrations/002_add_superadmin.sql` to add `is_superadmin BOOLEAN NOT NULL DEFAULT 0` to the `tutors` table.
+- Update `backend/demo/demo_seed.sql` to set the default `admin@tutortool.com` as a superadmin (`is_superadmin = 1`).
+- Update `backend/src/models.rs` to include `is_superadmin: bool` in the `Tutor` struct.
+- Add `CreateTutor` and `TutorResponse` structs to `backend/src/models.rs`.
+
+### 3. Auth & Core Backend
+- Modify `backend/src/auth.rs` to include `is_superadmin: bool` in `TutorClaims`. This allows auth guards to check permissions efficiently.
+- Update `backend/src/routes/auth_routes.rs` login handler to fetch `is_superadmin` and encode it in the JWT.
+- Add a helper function to verify superadmin access to reject unauthorized requests.
+
+### 4. Tutors API
+- Create `backend/src/routes/tutors.rs` with endpoints:
+  - `GET /api/admin/tutors` (list all tutors)
+  - `POST /api/admin/tutors` (create a tutor, hashing their password)
+  - `DELETE /api/admin/tutors/:id` (delete a tutor)
+- Merge these routes in `backend/src/routes/mod.rs`.
+
+### 5. Course Assignments API
+- Modify `backend/src/routes/courses.rs`:
+  - Enhance `GET /api/admin/courses` to return ALL courses if `claims.is_superadmin` is true, otherwise only return assigned courses.
+  - Restrict `POST /api/admin/courses` to superadmins only.
+  - Add `POST /api/admin/courses/:id/tutors` to assign a tutor to a course (superadmin only).
+  - Add `DELETE /api/admin/courses/:id/tutors/:tutor_id` to remove a tutor from a course (superadmin only).
+  - Add `GET /api/admin/courses/:id/tutors` to list tutors assigned to a course.
+
+### 6. Frontend Auth & API Client
+- Update `frontend/src/lib/types.ts` to include `Tutor` and the new `is_superadmin` flag in token payload or state.
+- Add the new endpoints to `frontend/src/lib/api.ts` under `api.admin.tutors` and enhance `api.admin.courses`.
+
+### 7. Frontend UI: Tutors Management
+- Update `frontend/src/lib/components/TutorShell.svelte` to conditionally render a "Tutor:innen" link in the sidebar if the user is a superadmin.
+- Create `frontend/src/routes/admin/tutors/+page.svelte` following the paper-bg design system. Include a list of tutors and a form to add a new tutor.
+
+### 8. Frontend UI: Courses Enhancements
+- Modify `frontend/src/routes/admin/courses/+page.svelte` to show a "Tutor:innen zuweisen" (Assign Tutors) section for each course if the logged-in user is a superadmin.
+- Restrict the course creation form to superadmins only.
+
+## Verification & Testing
+- Run `cargo test` in the backend to ensure existing tests pass and new route isolation works.
+- Perform a manual end-to-end test using the `make dev` script in the new worktree to verify the UI.