feat: add admin role management and user deletion

Admins can now change user roles and permanently delete user accounts.

- New SetRole store method with validation (user/admin only)
- New Delete store method — cascades via foreign keys to sessions,
  faves, and fave_tags
- handleAdminSetRole: change role with self-modification prevention
- handleAdminDeleteUser: permanent deletion with image cleanup from
  disk before cascade delete, self-deletion prevention
- admin_users.html: role dropdown with save button per user row,
  delete button with hx-confirm for safety
- Routes: POST /admin/users/{id}/role, POST /admin/users/{id}/delete

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/store/user.go

@@ -198,6 +198,34 @@ func (s *UserStore) SetDisabled(userID int64, disabled bool) error {
 	return err
 }
 
+// SetRole changes a user's role (user/admin).
+func (s *UserStore) SetRole(userID int64, role string) error {
+	if role != "user" && role != "admin" {
+		return fmt.Errorf("invalid role: %s", role)
+	}
+	_, err := s.db.Exec(
+		`UPDATE users SET role = ?,
+			updated_at = strftime('%Y-%m-%dT%H:%M:%SZ', 'now')
+		WHERE id = ?`,
+		role, userID,
+	)
+	return err
+}
+
+// Delete permanently removes a user. Cascading foreign keys handle
+// sessions, faves, and fave_tags. Image cleanup must be done by the caller.
+func (s *UserStore) Delete(userID int64) error {
+	result, err := s.db.Exec("DELETE FROM users WHERE id = ?", userID)
+	if err != nil {
+		return fmt.Errorf("delete user: %w", err)
+	}
+	n, _ := result.RowsAffected()
+	if n == 0 {
+		return ErrUserNotFound
+	}
+	return nil
+}
+
 // ListAll returns all users, ordered by username.
 func (s *UserStore) ListAll() ([]*model.User, error) {
 	rows, err := s.db.Query(