feat: add role-based user management, audit log, and session tracking

Introduces a full user management system with three roles (admin, operator,
viewer), an audit log, and per-session login history.

Backend:
- app/internal/audit.py: write_audit() helper → audit_log Firestore collection
- app/internal/auth.py: get_role() helper; require_admin_token accepts both
  legacy admin:true claim and new role:"admin" claim for backward compat
- app/routers/users.py: CRUD under /admin/users — list, create (returns
  one-time invite link), get (with sessions), patch role/nodes/name,
  disable, enable, delete; operator role requires ≥1 owned node
- app/routers/links.py: POST /auth/session records sign-in events to
  user_sessions Firestore collection
- app/routers/admin.py: GET /admin/audit paginated endpoint
- app/main.py: register users router

Frontend:
- AuthProvider: exposes role, isAdmin, isOperator, ownedNodeIds from claims
- Nav: role-gated links — viewers get dashboard/calls/incidents/map/alerts/
  trips; operators add nodes/systems/tokens; admins add admin
- admin/page.tsx: new Users tab (list table, create modal, inline edit panel
  with role/nodes editor, disable/enable/delete, login history) and Audit
  Log tab (paginated, color-coded actions)
- login/page.tsx: calls recordSession() on email and Google sign-in
- nodes, systems, tokens pages: role guards redirect viewers to dashboard
- profile/page.tsx: shows accurate role badge and label
- lib/types.ts: UserRole, UserRecord, UserSession, AuditEntry types
- lib/c2api.ts: user management methods + recordSession

Firestore collections added: user_profiles, audit_log, user_sessions
Firebase custom claims schema: { role, owned_node_ids, admin (legacy) }

drb-c2-core/app/routers/links.py

@@ -1,7 +1,8 @@
 import random
 import string
 from datetime import datetime, timezone, timedelta
-from fastapi import APIRouter, HTTPException, Depends
+from uuid import uuid4
+from fastapi import APIRouter, HTTPException, Depends, Request
 from pydantic import BaseModel
 from app.internal import firestore as fstore
 from app.internal.auth import require_firebase_token, require_service_key
@@ -126,3 +127,26 @@ async def unlink(decoded: dict = Depends(require_firebase_token)):
     await fstore.doc_delete("discord_links", discord_user_id)
     await fstore.doc_delete("firebase_discord_links", firebase_uid)
     return {"ok": True}
+
+
+# ---------------------------------------------------------------------------
+# Session recording — called by the frontend on each successful sign-in
+# ---------------------------------------------------------------------------
+
+@router.post("/session")
+async def record_session(request: Request, decoded: dict = Depends(require_firebase_token)):
+    """Record a sign-in event for the authenticated user."""
+    session_id = str(uuid4())
+    ip = request.client.host if request.client else None
+    user_agent = request.headers.get("user-agent", "")
+
+    await fstore.doc_set("user_sessions", session_id, {
+        "session_id": session_id,
+        "uid": decoded["uid"],
+        "email": decoded.get("email", ""),
+        "timestamp": datetime.now(timezone.utc).isoformat(),
+        "ip": ip,
+        "user_agent": user_agent,
+    }, merge=False)
+
+    return {"ok": True}