fix(ui): sudo confirmation before team delete

[kkopanidis]

Problem

Team delete in the admin UI called DELETE /authentication/teams/:teamId without checking whether the admin session had sudo. After the API change, deletes would fail for sessions missing the sudo claim unless the UI re-authenticates first.

Solution

• Add hasSudoAccess, sudoReauthenticate, and completeSudoTwoFactor server actions
• Add SudoDialog + useSudoAction hook to collect password (and 2FA when required) before sensitive operations
• Wrap team delete in runWithSudo so re-auth runs only when the JWT lacks sudo
• Harden 2FA token handling to accept both token and legacy result response shapes

Test plan

• Delete a team immediately after login — should delete without extra password prompt
• Delete a team with an old session token (no sudo claim) — password dialog appears, then delete succeeds
• Admin with 2FA enabled — password step then authenticator code, then delete succeeds
• Cancel sudo dialog — team is not deleted

[kkopanidis]

Closing: sudo is for Client API end-user actions (user bearer token), not Admin API. Team delete in Conduit-UI uses DELETE /authentication/teams/:id on the admin API and should not prompt for sudo. Reverted SudoDialog/useSudoAction in acaac2b.