feat: replace token-based impersonation with enterprise-grade header-based system

Replaces the insecure token-in-localStorage approach with a header-based
impersonation system backed by cache sessions and MFA verification.

Key changes:
- New impersonation_sessions audit table (immutable, ULID PK)
- MFA verification required to start impersonation (TOTP/email/backup)
- X-Impersonate-User header + HandleImpersonation middleware
- Per-request auth context swap (admin session never modified)
- IP pinning, sensitive route blocking, no nesting, sliding 60-min TTL
- Activity log auto-tagged with impersonated_by during sessions
- Frontend: sessionStorage, BroadcastChannel sync, countdown timer
- ImpersonateDialog with reason + MFA verification flow
- 26 comprehensive tests covering core, middleware, audit, lifecycle

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

apps/app/src/App.vue

@@ -5,6 +5,7 @@ import initCore from '@core/initCore'
 import { initConfigStore, useConfigStore } from '@core/stores/config'
 import { hexToRgb } from '@core/utils/colorConverter'
 import { useAuthStore } from '@/stores/useAuthStore'
+import { useImpersonationStore } from '@/stores/useImpersonationStore'
 import { useNotificationStore } from '@/stores/useNotificationStore'
 
 const { global } = useTheme()
@@ -14,8 +15,13 @@ initConfigStore()
 
 const configStore = useConfigStore()
 const authStore = useAuthStore()
+const impersonationStore = useImpersonationStore()
 const notificationStore = useNotificationStore()
 
+// Restore impersonation state and listen for cross-tab sync
+impersonationStore.restoreFromStorage()
+impersonationStore.listenForBroadcasts()
+
 // Validate stored token on app startup — must complete before rendering protected content
 authStore.initialize()
 </script>