
security: harden admin user mutation endpoints#567

Draft
CaseyLabs wants to merge 1 commit into security/user-admin-clone-helpers from security/user-admin-api

Conversation


@CaseyLabs CaseyLabs commented May 6, 2026

Summary

This narrows the admin user mutation API so generic create and patch routes cannot mutate sensitive account-owned fields.

  • PATCH accepts only explicit supported user/profile and character fields.
  • Sensitive account fields such as role, username, password, joined time, macros, aliases, config options, and completed tips are rejected with clear errors.
  • API-created users always start as user; role changes stay with dedicated admin tooling.
  • Password resets use POST /admin/api/v1/users/{userid}/password.
  • Admin Users UI and API docs are updated for the restricted behavior.
  • Tests cover rejected sensitive fields, allowed profile/character updates, defensive cloning, password reset, and create-user role rejection.

Stack

  1. Fix mapper JavaScript lint errors #568: mapper JavaScript lint cleanup
  2. Add domain clone helpers for user patches #569: domain clone helpers
  3. This PR: admin user mutation endpoint hardening

Compatibility

  • POST /admin/api/v1/users still creates users, but no longer accepts Role.
  • PATCH /admin/api/v1/users/{userid} no longer changes role, username, or password.
  • Existing password reset flows should use POST /admin/api/v1/users/{userid}/password.
  • Admin role changes should use existing role tooling such as modify role.

Validation

Previously run before the branch split:

  • go test ./internal/web
  • go test ./internal/web ./internal/users ./internal/characters ./internal/items ./internal/pets ./internal/buffs
  • make validate
  • go test ./...
  • make js-lint
  • make test

Not rerun after the branch split; commits were cherry-picked into the stack.
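The allowlist-and-reject pattern the description outlines (explicit supported PATCH fields, sensitive account-owned fields rejected with an explanatory error, role fixed to user on create, and a defensive clone so the stored record is never mutated on a failed request) is sketched below as an added example. This is not code from the PR or the project; the User type, the field names, the setter map and the error values are assumptions chosen for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// User is a constructed stand-in for the project's user model (assumption).
type User struct {
	Username    string
	Role        string
	Password    string // a real system stores a hash, never the plaintext
	DisplayName string
	Bio         string
	Macros      []string
}

// allowed maps each supported PATCH key (lower-cased) to the setter that applies
// it to a clone of the user. Key names are assumptions for this example.
var allowed = map[string]func(u *User, v json.RawMessage) error{
	"displayname": func(u *User, v json.RawMessage) error { return json.Unmarshal(v, &u.DisplayName) },
	"bio":         func(u *User, v json.RawMessage) error { return json.Unmarshal(v, &u.Bio) },
}

// sensitive lists account-owned keys that PATCH must reject, each with the
// message the client should see. Matched case-insensitively: encoding/json
// itself matches struct fields case-insensitively, so "Role" and "ROLE" would
// otherwise slip past a case-sensitive check and still land on the field.
var sensitive = map[string]string{
	"role":          "role changes must use the dedicated role tooling",
	"username":      "username cannot be changed through PATCH",
	"password":      "use POST /admin/api/v1/users/{userid}/password",
	"joined":        "joined time is read-only",
	"macros":        "macros are account-owned and not settable by admins",
	"aliases":       "aliases are account-owned and not settable by admins",
	"config":        "config options are account-owned and not settable by admins",
	"completedtips": "completed tips are account-owned and not settable by admins",
}

var (
	ErrSensitiveField = errors.New("sensitive field rejected")
	ErrUnknownField   = errors.New("unsupported field")
)

// ApplyPatch validates body against the allowlist and returns a patched clone.
// Every key is checked before anything is applied, so a rejected request leaves
// no partial change, and orig itself is never touched (defensive cloning).
func ApplyPatch(orig User, body []byte) (User, error) {
	var raw map[string]json.RawMessage
	if err := json.Unmarshal(body, &raw); err != nil {
		return User{}, fmt.Errorf("invalid JSON: %w", err)
	}
	keys := make([]string, 0, len(raw))
	for k := range raw {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic error reporting
	for _, k := range keys {
		lk := strings.ToLower(k)
		if msg, ok := sensitive[lk]; ok {
			return User{}, fmt.Errorf("%w: %q: %s", ErrSensitiveField, k, msg)
		}
		if _, ok := allowed[lk]; !ok {
			return User{}, fmt.Errorf("%w: %q", ErrUnknownField, k)
		}
	}
	clone := orig
	clone.Macros = append([]string(nil), orig.Macros...) // copy the slice, not just the header
	for _, k := range keys {
		if err := allowed[strings.ToLower(k)](&clone, raw[k]); err != nil {
			return User{}, fmt.Errorf("field %q: %w", k, err)
		}
	}
	return clone, nil
}

// CreateUser decodes a create request. Any role key in the body is rejected
// outright, and the new account always starts with role "user".
func CreateUser(body []byte) (User, error) {
	var raw map[string]json.RawMessage
	if err := json.Unmarshal(body, &raw); err != nil {
		return User{}, fmt.Errorf("invalid JSON: %w", err)
	}
	for k := range raw {
		if strings.ToLower(k) == "role" {
			return User{}, fmt.Errorf("%w: %q: API-created users always start as user", ErrSensitiveField, k)
		}
	}
	var req struct{ Username, Password, DisplayName string }
	if err := json.Unmarshal(body, &req); err != nil {
		return User{}, fmt.Errorf("invalid JSON: %w", err)
	}
	if req.Username == "" || req.Password == "" {
		return User{}, errors.New("username and password are required")
	}
	return User{Username: req.Username, Role: "user", Password: req.Password, DisplayName: req.DisplayName}, nil
}

func main() {
	stored := User{Username: "alice", Role: "admin", DisplayName: "Alice"} // constructed sample
	_, err := ApplyPatch(stored, []byte(`{"Role":"admin"}`))
	fmt.Println("patch with Role:", err)
	patched, _ := ApplyPatch(stored, []byte(`{"displayName":"Al"}`))
	fmt.Println("patched display name:", patched.DisplayName, "| stored unchanged:", stored.DisplayName)
}
```

The two-pass shape (validate all keys, then apply to a clone) is what makes "rejected with clear errors" and "defensive cloning" hold together: a request that mixes an allowed field with a sensitive one fails as a whole, and the caller's record is the same object it was before the call.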

CaseyLabs changed the title from "Harden user admin API mutations" to "security: harden user admin API mutations" on May 6, 2026
CaseyLabs force-pushed the security/user-admin-api branch 2 times, most recently from 3d0dc55 to db87201 on May 6, 2026 04:14
CaseyLabs force-pushed the security/user-admin-api branch from 12cf9b3 to bac907c on May 6, 2026 04:37
CaseyLabs changed the title from "security: harden user admin API mutations" to "security: harden admin user mutation endpoints" on May 6, 2026
CaseyLabs changed the base branch from master to security/user-admin-clone-helpers on May 6, 2026 04:37