feat(codev): retire Surprise + QR public + mode admin suppr fiches

- carto.vue : retire bouton Surprise (Alliance seul reste), ajoute isAdmin + deleteFiche + colonne supprimer annuaire
- middleware : /codev/qr exempté d'authentification
- auth.post.ts : détecte mdp admin → pose cookie codev_admin
- DELETE /api/codev/fiches/[id] : vérifie cookie admin avant suppression NocoDB
- GET /api/codev/me : retourne { admin, session }
- nuxt.config.ts : codevAdminPassword ajouté

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

server/api/codev/auth.post.ts

@@ -15,10 +15,14 @@ export default defineEventHandler(async (event) => {
   const config = useRuntimeConfig()
   const expected = config.codevPassword || 'merci'
 
-  if (parsed.data.password.trim().toLowerCase() !== expected.trim().toLowerCase()) {
+  const isAdmin = parsed.data.password.trim().toLowerCase() === (config.codevAdminPassword || 'admin2026').trim().toLowerCase()
+  const isUser = parsed.data.password.trim().toLowerCase() === expected.trim().toLowerCase()
+
+  if (!isAdmin && !isUser) {
     throw createError({ statusCode: 401, statusMessage: 'Mauvais mot de passe' })
   }
 
+  // Cookie session (user + admin)
   setCookie(event, 'codev_session', 'ok', {
     httpOnly: true,
     sameSite: 'lax',
@@ -27,5 +31,16 @@ export default defineEventHandler(async (event) => {
     path: '/',
   })
 
-  return { status: 200, ok: true }
+  // Cookie admin si mot de passe admin
+  if (isAdmin) {
+    setCookie(event, 'codev_admin', 'ok', {
+      httpOnly: true,
+      sameSite: 'lax',
+      secure: process.env.NODE_ENV === 'production',
+      maxAge: 60 * 60 * 24, // 24h
+      path: '/',
+    })
+  }
+
+  return { status: 200, ok: true, admin: isAdmin }
 })