Security/feature flags admin auth #861

Open
Muhamadmust wants to merge 2 commits into rinafcode:main from Muhamadmust:security/feature-flags-admin-auth

@Muhamadmust Muhamadmust commented Jun 29, 2026

Contributor

PR: Enforce Role-Based Authorization for Feature Flags Admin Endpoint (#725)

Description

Resolves a security vulnerability where the feature flags management endpoint lacked role validation. This change restricts endpoint access strictly to users with the ADMIN role and ensures all modifications are securely tracked in the audit log.

Changes Implemented

  • Secured Route Handlers: Added requireAuth() and explicit ADMIN permission filters to src/app/api/admin/feature-flags/route.ts and src/app/api/admin/feature-flags/[id]/route.ts.
  • Enforced HTTP 403 Forbidden: Configured handlers to immediately return a 403 error status code for unauthorized roles like students or instructors.
  • Added Mutation Audit Logging: Integrated tracking mechanics to record the identity of the administrative actor performing any feature flag configuration updates.
  • Created Security Integration Tests: Validated access vectors across student, instructor, and admin profiles.

Verification Checklist
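
The access control this PR description outlines (authenticate, require the ADMIN role, answer 403 otherwise, audit-log each mutation), sketched as an added TypeScript example; it is not the PR's code. The `requireAuth` signature, the 401 and 404 responses, the in-memory stores and the sample tokens are assumptions constructed for illustration.

```typescript
// Added illustration, not code from the PR. Only the name requireAuth, the ADMIN
// role and the 403 response come from the PR description; the rest is assumed.
type Role = "ADMIN" | "INSTRUCTOR" | "STUDENT";
interface Session { userId: string; role: Role }
interface ApiResult { status: number; body: Record<string, unknown> }
interface AuditEntry { actorId: string; action: string; flagId: string;
                       before: boolean; after: boolean; at: string }

// Constructed in-memory stand-ins for the session store, flag table and audit log.
const sessions = new Map<string, Session>([
  ["tok-admin", { userId: "u-admin", role: "ADMIN" }],
  ["tok-instructor", { userId: "u-instr", role: "INSTRUCTOR" }],
  ["tok-student", { userId: "u-stud", role: "STUDENT" }],
]);
const flags = new Map<string, boolean>([["new-dashboard", false]]);
const auditLog: AuditEntry[] = [];

// Hypothetical requireAuth(): resolves a bearer token to a server-side session.
// The role is read from that session, never from the request body or a header.
function requireAuth(authorization: string | undefined): Session | null {
  const token = /^Bearer (\S+)$/.exec(authorization ?? "")?.[1];
  return token ? (sessions.get(token) ?? null) : null;
}

// Shared guard: 401 when there is no session, 403 when the role is not ADMIN.
function authorizeAdmin(authorization: string | undefined): Session | ApiResult {
  const session = requireAuth(authorization);
  if (!session) return { status: 401, body: { error: "Unauthorized" } };
  if (session.role !== "ADMIN") return { status: 403, body: { error: "Forbidden" } };
  return session;
}

// Update handler in the shape of /api/admin/feature-flags/[id].
function updateFlag(authorization: string | undefined, id: string, enabled: boolean): ApiResult {
  const auth = authorizeAdmin(authorization);
  if ("status" in auth) return auth; // deny before reading or changing any state
  const before = flags.get(id);
  if (before === undefined) return { status: 404, body: { error: "Unknown flag" } };
  flags.set(id, enabled);
  // Record who changed what, with old and new values, only after the write succeeds.
  auditLog.push({ actorId: auth.userId, action: "feature_flag.update", flagId: id,
                  before, after: enabled, at: new Date().toISOString() });
  return { status: 200, body: { id, enabled } };
}
```

Running the guard before the flag lookup means a non-admin caller gets the same 403 whether or not the flag id exists, so the endpoint does not reveal which flags are defined.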

drips-wave Bot commented Jun 29, 2026


@Muhamadmust Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

@RUKAYAT-CODER

Contributor

Great job so far

There’s just one blocker — the workflow is failing. Could you take a look and fix it so all checks pass?

Happy to review again once that’s done.

Development

Successfully merging this pull request may close these issues.

[Security] Feature flags admin endpoint lacks role-based authorization

2 participants