Harden admin API security for VPS pilot #27

Open

Spbd1 wants to merge 1 commit into codex/add-vps-deployment-guide-with-docker-compose from codex/harden-admin-and-api-security

Conversation

@Spbd1 (Owner) commented May 11, 2026

Motivation

  • Improve protection of researcher-facing admin exports and the submission/health endpoints for a small VPS pilot without adding heavy authentication infrastructure.
  • Avoid accidental exposure or acceptance of default/example secrets and ensure admin requests and responses are not cached or leaked.

Description

  • Add a centralized server-side admin auth helper in lib/adminAuth.server.ts that validates Authorization: Bearer <token>, performs constant-time SHA-256 token comparison, trims configured tokens, and refuses a missing or placeholder change-me-before-production token in production.
  • Wire admin endpoints to the helper and standardize responses so admin JSON/CSV responses include Cache-Control: no-store using adminJsonResponse/withAdminNoStore, and update app/api/admin/* routes to use those helpers.
  • Make submission responses non-cacheable by adding a server-side submissionJsonResponse helper that sets Cache-Control: no-store and switch submission success and error paths to use it in app/api/submissions/route.ts.
  • Harden the health endpoint (app/api/health/route.ts) to be dynamic, include Cache-Control: no-store, and only return non-sensitive booleans (serverSubmissionEnabled, databaseConfigured) instead of secrets like DATABASE_URL.
  • Update VPS and deployment docs (docs/VPS_DEPLOYMENT.md, docs/DEPLOYMENT.md) to require HTTPS, discourage query-string tokens, document the need for a strong ADMIN_EXPORT_TOKEN, and include an optional Caddy basic_auth example protecting /admin* and /api/admin*.

Testing

  • Ran npm run typecheck and it passed with no type errors.
  • Ran npm run lint and it passed; a pre-existing React Hook exhaustive-deps warning in components/ParticipantBackgroundForm.tsx was reported but unchanged.
  • Ran npm run build (Next.js production build) and it completed successfully with the same lint/type output noted above.
