feat: auth route uses named admin lookup, embeds name in JWT

- Login/verify use findAdminByKey; JWT and response include admin name
- Verify returns 403 when token lacks name (legacy tokens)
- Test tokens include name for getAuthToken()
- Set Content-Type on supertest JSON bodies (superagent/mime resolution)

Made-with: Cursor
cottongin
2026-03-23 09:25:50 -04:00
parent fd72c0d7ee
commit 9f60c6983d
5 changed files with 77 additions and 17 deletions


@@ -157,6 +157,7 @@ describe('PUT /api/sessions/:id/notes', () => {
const res = await request(app)
.put(`/api/sessions/${session.id}/notes`)
.set('Authorization', getAuthHeader())
.set('Content-Type', 'application/json')
.send({ notes: 'New notes here' });
expect(res.status).toBe(200);
@@ -169,6 +170,7 @@ describe('PUT /api/sessions/:id/notes', () => {
const res = await request(app)
.put(`/api/sessions/${session.id}/notes`)
.set('Authorization', getAuthHeader())
.set('Content-Type', 'application/json')
.send({ notes: 'Replacement' });
expect(res.status).toBe(200);
@@ -179,6 +181,7 @@ describe('PUT /api/sessions/:id/notes', () => {
const res = await request(app)
.put('/api/sessions/99999/notes')
.set('Authorization', getAuthHeader())
.set('Content-Type', 'application/json')
.send({ notes: 'test' });
expect(res.status).toBe(404);
@@ -189,6 +192,7 @@ describe('PUT /api/sessions/:id/notes', () => {
const res = await request(app)
.put(`/api/sessions/${session.id}/notes`)
.set('Content-Type', 'application/json')
.send({ notes: 'test' });
expect(res.status).toBe(401);
@@ -200,6 +204,7 @@ describe('PUT /api/sessions/:id/notes', () => {
const res = await request(app)
.put(`/api/sessions/${session.id}/notes`)
.set('Authorization', 'Bearer invalid-token')
.set('Content-Type', 'application/json')
.send({ notes: 'test' });
expect(res.status).toBe(403);
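Review bot: The 403 case in the last hunk sends `Bearer invalid-token`, which only covers a token that fails verification outright, so nothing visible here exercises the new legacy-token rule on this protected route. The commit description says verify returns 403 when a token lacks `name`; whether the middleware guarding `PUT /api/sessions/:id/notes` applies the same rule cannot be seen from these hunks and may be covered in the other changed files. If legacy tokens are meant to be refused everywhere, add a case that sends a correctly signed token without a `name` claim and asserts the status, e.g. `it('rejects a signed token with no name claim', ...)`; if data routes still accept them, record that decision in a comment beside the 403 test. The five added `.set('Content-Type', 'application/json')` lines would also benefit from a one-line comment such as `// set explicitly: superagent mime lookup does not resolve 'json' in this test setup`, so the workaround is not removed by accident. The enclosing `it(...)` blocks start and end outside the hunks.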