Revert "Implement admin back-pass flow and guarded admin actions"

This reverts commit 5595bfd3b1.
2026-02-08 14:43:26 +01:00
parent 5595bfd3b1
commit 5ec18d20ea
25 changed files with 108 additions and 571 deletions

@@ -42,13 +42,13 @@ stateDiagram-v2
- /api/state returns player-specific phase, votesFinal, hasJoker, counts; unauthorized returns 401.
- GetPhase auto-upgrades legacy Reveal -> Vote and realigns when resultsOpen toggles (to Results and back to Vote clearing votesFinal).
- /me/phase/next: moves Suggest->Vote, Vote->Results only when resultsOpen true; clears votesFinal; rejects when results locked.
- /me/phase/prev: admin moves back one step; non-admin can move Vote->Suggest only with granted back pass; move clears votesFinal and consumes pass.
- /me/phase/prev: admin only; moves back one step, clears votesFinal, rejects for player.
- Display name is immutable after registration; attempts to change via /api/me/name return 404.
### 3) Suggestions
- GET /mine returns only callers suggestions ordered by CreatedAt.
- POST /: success with valid data; enforces ≤5 per player; trims optional fields; requires display name; rejects bad image URL/ext, unreachable image (mocked), invalid game/youtube URLs, invalid player counts, missing name/too long.
- Back-pass path: admin grants pass in Vote, player can consume it to move Vote->Suggest once; consumable and clears finalized state.
- Joker path: when phase=Vote and HasJoker=true allows creation, consumes joker, resets VotesFinal for all players.
- Phase gating: non-admin cannot create/update/delete outside Suggest (except joker create); admin bypasses phase checks for update/delete.
- PUT /{id}: player can edit own in Suggest; name locked outside Suggest; admin can edit any time; validation mirrors create.
- DELETE /{id}: player deletes own in Suggest; admin any time; also breaks child links and deletes related votes.
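Review bot: The `/me/phase/prev` item that reads "admin only; moves back one step, clears votesFinal, rejects for player" does not say which status the rejection returns, while neighbouring items pin 401 for unauthorized on /api/state and 404 for the name-change attempt. State the expected code for an authenticated non-admin caller so the test fixes the authorization failure specifically and does not pass on any error. With the back-pass item gone from section 3, the joker create is the only remaining non-admin exception to phase gating, so the "Phase gating" item is worth rereading to confirm it still lists every exception.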
@@ -65,15 +65,14 @@ stateDiagram-v2
- Phase mismatch and locked results return 400; unauthorized 401.
### 6) Admin Operations
- POST /admin/results toggles resultsOpen and aligns all player phases (to Results, or back to Vote only for players with suggestions and Suggest otherwise); updates UpdatedAt.
- POST /admin/results toggles resultsOpen and aligns all player phases (to Results or back to Vote clearing votesFinal); updates UpdatedAt.
- GET /admin/vote-status returns list ordered by display/username with suggestion counts, finalized flag, joker flag; ready/waiting derived correctly.
- POST /admin/joker grants one-time back pass only when target in Vote; resets VotesFinal for target.
- POST /admin/players/{id}/phase allows admin to move a player from Vote back to Suggest.
- DELETE /admin/players/{id}: requires admin password; removes player, cascades suggestions, breaks links to their suggestions, deletes related votes, wrapped in transaction.
- POST /admin/joker grants joker only when target in Vote; resets VotesFinal for target.
- DELETE /admin/players/{id}: removes player, cascades suggestions, breaks links to their suggestions, deletes related votes, wrapped in transaction.
- POST /admin/link-suggestions: only in Vote; errors on same ids/already linked/not found; re-parents groups correctly; deletes votes for affected group and unfinalizes affected players.
- POST /admin/unlink-suggestions: only in Vote; clears parents for group, deletes votes in group, unfinalizes affected players; no-op safe when missing.
- POST /admin/reset: requires admin password; wipes suggestions/votes, resets phases to Suggest, clears votesFinal/hasJoker, closes results, updates timestamp.
- POST /admin/factory-reset: requires admin password; wipes all players/suggestions/votes/state; reseeds AppState with defaults; transactional.
- POST /admin/reset: wipes suggestions/votes, resets phases to Suggest, clears votesFinal/hasJoker, closes results, updates timestamp.
- POST /admin/factory-reset: wipes all players/suggestions/votes/state; reseeds AppState with defaults; transactional.
### 7) Infrastructure/Helpers
- PasswordHasher: hash+verify roundtrip, rejects empty password, constant-time compare (FixedTimeEquals usage).
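Review bot: In section 6, the variants of DELETE /admin/players/{id}, POST /admin/reset and POST /admin/factory-reset that say "requires admin password" sit next to variants without that clause, and going by the revert title it is the guarded ones that are dropped. That leaves the plan with no re-authentication check on the three most destructive endpoints. If the revert is aimed at the back-pass flow, consider reverting only the back-pass items (the /admin/joker back-pass wording and POST /admin/players/{id}/phase) and keeping the password requirement. Otherwise add, per endpoint, what an unauthenticated or non-admin caller receives, as the first item in this hunk does with "unauthorized 401"; nothing in the remaining lines covers that. The commit message also gives no reason for the revert, and a sentence on why would help later readers.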