Refactor phase reads to pure lookups and align admin docs

API.md

@@ -1,6 +1,6 @@
 # API Contract (auth-enabled)
 
-All endpoints are JSON. Most routes require the HttpOnly `player` cookie issued after register/login. Admin access is granted via authenticated admin user or `X-Admin-Key`/`key` matching `ADMIN_PASSWORD`.
+All endpoints are JSON. Most routes require the HttpOnly `player` cookie issued after register/login. Admin access is granted only via an authenticated admin user session (`IsAdmin=true` on the account).
 
 ## Auth
 POST /api/auth/register — accepts optional `adminKey` to set `IsAdmin=true`  
@@ -31,7 +31,7 @@ POST /api/votes/finalize — `{ final: bool }` toggles caller’s finalized stat
 ## Results (requires auth + Results phase + resultsOpen)
 GET /api/results — leaderboard with totals, counts, averages, caller’s vote, media/links, link metadata
 
-## Admin (admin auth or admin key)
+## Admin (requires authenticated admin user)
 POST /api/admin/results — `{ resultsOpen: bool }` locks/unlocks results and aligns player phases  
 GET  /api/admin/vote-status — readiness overview (who finalized)  
 POST /api/admin/link-suggestions — `{ sourceSuggestionId, targetSuggestionId }`; merges vote groups during Vote, clears votes in the linked group, unfinalizes **all** players