docs: add super-admin role documentation

Add comprehensive documentation for the new super-admin role feature:

README.md:
- Update Users Table schema with isAdmin, isSuperAdmin, lastSeen fields
- Add Admin API section with all endpoints
- Add User Roles and Permissions section with security rules

docs/DOCUMENTATION.md:
- Update Users Table schema
- Add Admin System section with overview, roles, security rules
- Document all admin API endpoints
- Add audit logging details
- Include JWT token structure
- Add setup and deployment instructions

CLAUDE.md:
- Add Admin System and User Roles section
- Document admin service functions
- Include security rules
- Add JWT token claims structure
- Document frontend admin interface

Co-Authored-By: Claude <noreply@anthropic.com>

CLAUDE.md

@@ -553,3 +553,76 @@ const params = new URLSearchParams({
 **QSO Management**:
 - Fixed DELETE /api/qsos/all to handle foreign key constraints
 - Added cache invalidation after QSO deletion
+
+### Admin System and User Roles
+
+The application supports three user roles with different permission levels:
+
+**User Roles**:
+- **Regular User**: View own QSOs, sync from LoTW/DCL, track award progress
+- **Admin**: All user permissions + view system stats + manage users + impersonate regular users
+- **Super Admin**: All admin permissions + promote/demote admins + impersonate admins
+
+**Database Schema** (`src/backend/db/schema/index.js`):
+- `isAdmin`: Boolean flag for admin users (default: false)
+- `isSuperAdmin`: Boolean flag for super-admin users (default: false)
+
+**Admin Service** (`src/backend/services/admin.service.js`):
+- `isAdmin(userId)`: Check if user is admin
+- `isSuperAdmin(userId)`: Check if user is super-admin
+- `changeUserRole(adminId, targetUserId, newRole)`: Change user role ('user', 'admin', 'super-admin')
+- `impersonateUser(adminId, targetUserId)`: Start impersonating a user
+- `verifyImpersonation(token)`: Verify impersonation token validity
+- `stopImpersonation(adminId, targetUserId)`: Stop impersonation
+- `logAdminAction(adminId, actionType, targetUserId, details)`: Log admin actions
+
+**Security Rules**:
+1. Only super-admins can promote/demote super-admins
+2. Regular admins cannot promote users to super-admin
+3. Super-admins cannot demote themselves (prevents lockout)
+4. Cannot demote the last super-admin
+5. Regular admins can only impersonate regular users
+6. Super-admins can impersonate any user (including other admins)
+
+**Backend API Routes** (`src/backend/index.js`):
+- `POST /api/admin/users/:userId/role`: Change user role
+  - Body: `{ "role": "user" | "admin" | "super-admin" }`
+- `POST /api/admin/impersonate/:userId`: Start impersonating
+- `POST /api/admin/impersonate/stop`: Stop impersonating
+- `GET /api/admin/impersonation/status`: Check impersonation status
+- `GET /api/admin/stats`: System statistics
+- `GET /api/admin/users`: List all users
+- `GET /api/admin/actions`: Admin action log
+- `DELETE /api/admin/users/:userId`: Delete user
+
+**JWT Token Claims**:
+```javascript
+{
+  userId: number,
+  email: string,
+  callsign: string,
+  isAdmin: boolean,
+  isSuperAdmin: boolean,  // Super-admin flag
+  impersonatedBy: number,  // Present when impersonating
+  exp: number
+}
+```
+
+**Frontend Admin Page** (`src/frontend/src/routes/admin/+page.svelte`):
+- System statistics dashboard
+- User management with filtering (all, super-admin, admin, user)
+- Role change modal (user → admin → super-admin)
+- Impersonate button (enabled for super-admins targeting admins)
+- Admin action log viewing
+
+**To create the first super-admin**:
+1. Register a user account
+2. Access database: `sqlite3 src/backend/award.db`
+3. Run: `UPDATE users SET is_super_admin = 1 WHERE email = 'your@email.com';`
+4. Log out and log back in to get updated JWT token
+
+**To promote via admin interface**:
+1. Log in as existing super-admin
+2. Navigate to `/admin`
+3. Find user in Users tab
+4. Click "Promote" and select "Super Admin"