feat: replace token-based impersonation with enterprise-grade header-based system

Replaces the insecure token-in-localStorage approach with a header-based
impersonation system backed by cache sessions and MFA verification.

Key changes:
- New impersonation_sessions audit table (immutable, ULID PK)
- MFA verification required to start impersonation (TOTP/email/backup)
- X-Impersonate-User header + HandleImpersonation middleware
- Per-request auth context swap (admin session never modified)
- IP pinning, sensitive route blocking, no nesting, sliding 60-min TTL
- Activity log auto-tagged with impersonated_by during sessions
- Frontend: sessionStorage, BroadcastChannel sync, countdown timer
- ImpersonateDialog with reason + MFA verification flow
- 26 comprehensive tests covering core, middleware, audit, lifecycle

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

api/app/Http/Resources/Admin/ImpersonationSessionResource.php

@@ -0,0 +1,29 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Resources\Admin;
+
+use Illuminate\Http\Request;
+use Illuminate\Http\Resources\Json\JsonResource;
+
+class ImpersonationSessionResource extends JsonResource
+{
+    /** @return array<string, mixed> */
+    public function toArray(Request $request): array
+    {
+        return [
+            'id' => $this->id,
+            'admin_id' => $this->admin_id,
+            'target_user_id' => $this->target_user_id,
+            'target_user' => new AdminUserResource($this->whenLoaded('targetUser')),
+            'reason' => $this->reason,
+            'mfa_method' => $this->mfa_method,
+            'started_at' => $this->started_at?->toIso8601String(),
+            'expires_at' => $this->expires_at?->toIso8601String(),
+            'ended_at' => $this->ended_at?->toIso8601String(),
+            'end_reason' => $this->end_reason,
+            'actions_count' => $this->actions_count,
+        ];
+    }
+}