Require admin password for destructive admin actions

API.md

@@ -34,8 +34,10 @@ GET /api/results — leaderboard with totals, counts, averages, caller’s vote,
 ## Admin (requires authenticated admin user)
 POST /api/admin/results — `{ resultsOpen: bool }` locks/unlocks results and aligns player phases  
 GET  /api/admin/vote-status — readiness overview (who finalized)  
+POST /api/admin/joker — `{ playerId }` grants a vote-phase joker to the target player  
+POST /api/admin/player-phase — `{ playerId, phase }`; currently supports Vote→Suggest transitions only  
+DELETE /api/admin/players/{playerId} — `{ password }`; deletes player account plus their suggestions/votes  
 POST /api/admin/link-suggestions — `{ sourceSuggestionId, targetSuggestionId }`; merges vote groups during Vote, clears votes in the linked group, unfinalizes **all** players  
 POST /api/admin/unlink-suggestions — `{ suggestionId }`; breaks links, clears votes for that group, unfinalizes **all** players  
-POST /api/admin/player-phase — `{ playerId, phase }`; currently supports Vote→Suggest transitions only  
-POST /api/admin/reset — clear suggestions/votes; keep players; reset phases/vote-final flags  
-POST /api/admin/factory-reset — wipe players, suggestions, votes, state
+POST /api/admin/reset — `{ password }`; clear suggestions/votes, keep players, reset phases/vote-final flags  
+POST /api/admin/factory-reset — `{ password }`; wipe players, suggestions, votes, state