feat: add admin authentication UI for backup/restore endpoints #23

@lupita-hom

Description

Summary

The /api/database/backup and /api/database/restore endpoints are now protected by ADMIN_API_TOKEN (added in PR #22). However, the frontend still calls these endpoints without sending any authentication headers, meaning the backup/restore UI will get 401 errors.

Scope

  • Add an admin authentication mechanism to the frontend (e.g., a settings page or modal that accepts the admin token)
  • Store the token securely in the browser session (not localStorage — consider sessionStorage or in-memory only)
  • Pass Authorization: Bearer <token> header when calling /api/database/backup and /api/database/restore
  • Show appropriate error messages when the token is missing or invalid (401/503)

Context

This was identified during Copilot code review on PR #22 (security/fix-vulnerabilities). The backend security is in place; this issue covers the frontend integration.

Acceptance Criteria

  • Backup/restore UI prompts for admin token before making API calls
  • Token is not persisted in localStorage (use sessionStorage or in-memory)
  • Clear error messaging for 401 (bad token) and 503 (token not configured on server)
  • Existing backup/restore functionality works end-to-end with valid token
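The following is an added example sketching the client side described in Scope and Acceptance Criteria; it is not code from this project. Only the two endpoint paths and the 401/503 meanings come from the issue; the token store, the `AdminApiError` type, the sessionStorage key and the fake backend are hypothetical. The token is held in memory (optionally mirrored to sessionStorage, never localStorage), the Bearer header is attached on every admin call, a call is refused before any request goes out when no token is set, and a 401 clears the stored token so the UI prompts again rather than replaying a rejected secret.

```javascript
// Added example for this issue (not project code). Hypothetical names throughout;
// only the endpoint paths and the 401/503 semantics are taken from the issue.

const ADMIN_ENDPOINTS = {
  backup: '/api/database/backup',
  restore: '/api/database/restore',
};
const SESSION_KEY = 'adminApiToken'; // hypothetical sessionStorage key

// Token store: in-memory by default; pass window.sessionStorage to survive a reload
// within the same tab. Never backed by localStorage, which outlives the session.
function createTokenStore(storage = null) {
  let token = null;
  return {
    set(value) {
      token = value;
      if (storage) storage.setItem(SESSION_KEY, value);
    },
    get() {
      if (token === null && storage) token = storage.getItem(SESSION_KEY);
      return token;
    },
    clear() {
      token = null;
      if (storage) storage.removeItem(SESSION_KEY);
    },
  };
}

// Error type the UI can switch on to choose a message.
class AdminApiError extends Error {
  constructor(code, message, status = null) {
    super(message);
    this.code = code;     // 'missing_token' | 'bad_token' | 'not_configured' | 'http'
    this.status = status;
  }
}

// fetch wrapper: refuses to call the backend without a token, attaches the Bearer
// header, and maps 401/503 to UI-ready errors. A rejected token is cleared so the
// next attempt prompts again instead of replaying a known-bad secret.
async function callAdminEndpoint(store, path, init = {}, fetchImpl = fetch) {
  const token = store.get();
  if (!token) {
    throw new AdminApiError('missing_token', 'Enter the admin token before running backup/restore.');
  }
  const headers = { ...(init.headers || {}), Authorization: `Bearer ${token}` };
  const res = await fetchImpl(path, { ...init, headers });
  if (res.status === 401) {
    store.clear();
    throw new AdminApiError('bad_token', 'Admin token was rejected (401). Check the token and try again.', 401);
  }
  if (res.status === 503) {
    throw new AdminApiError('not_configured', 'Admin API is disabled: ADMIN_API_TOKEN is not configured on the server (503).', 503);
  }
  if (!res.ok) {
    throw new AdminApiError('http', `Request failed with HTTP ${res.status}.`, res.status);
  }
  return res;
}

async function backupDatabase(store, fetchImpl = fetch) {
  const res = await callAdminEndpoint(store, ADMIN_ENDPOINTS.backup, { method: 'GET' }, fetchImpl);
  return res.json();
}

async function restoreDatabase(store, body, fetchImpl = fetch) {
  const res = await callAdminEndpoint(store, ADMIN_ENDPOINTS.restore, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(body),
  }, fetchImpl);
  return res.json();
}

// Constructed stand-in for the backend so the example runs offline: a server with
// ADMIN_API_TOKEN unset answers 503; a missing or wrong Bearer token gets 401.
function makeFakeFetch(serverToken) {
  return async (path, init = {}) => {
    const reply = (status, body) => ({ status, ok: status >= 200 && status < 300, json: async () => body });
    if (serverToken === null) return reply(503, { error: 'ADMIN_API_TOKEN not configured' });
    const auth = (init.headers || {}).Authorization || '';
    if (auth !== `Bearer ${serverToken}`) return reply(401, { error: 'unauthorized' });
    if (path === ADMIN_ENDPOINTS.backup) return reply(200, { ok: true, action: 'backup' });
    if (path === ADMIN_ENDPOINTS.restore) {
      return reply(200, { ok: true, action: 'restore', received: JSON.parse(init.body) });
    }
    return reply(404, { error: 'not found' });
  };
}
```

In the real UI the settings modal would call `store.set(tokenFromInput)` and the backup/restore buttons would call `backupDatabase(store)` / `restoreDatabase(store, payload)` with the browser's own `fetch`; catching `AdminApiError` and switching on `err.code` gives the three distinct messages the acceptance criteria ask for (token missing, 401 bad token, 503 not configured on the server).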

Metadata

Labels: enhancement (New feature or request)
Assignees: none
Milestone: none
Development: no branches or pull requests