fix(auth): hide /admin/users when flag off; pass OPTIONS preflight through gate
- operator_users router now depends on _require_auth_enabled, which raises 404 when OPERATOR_AUTH_ENABLED is false — prevents world-open pre-seeding of a superadmin while the flag is off (the default). Flag is read as a live module attribute (operator_auth.OPERATOR_AUTH_ENABLED) so monkeypatching in tests and a runtime flip both take effect.
- operator_gate passes OPTIONS requests through immediately before the exempt-path check, so CORS preflight reaches CORSMiddleware rather than being 303/401'd by the gate.
- Two new tests: test_admin_surface_404s_when_flag_off (test_operator_users) and test_options_preflight_passes_through_gate (test_operator_gate). Full suite: 90 passed.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -185,6 +185,10 @@ async def operator_gate(request: Request, call_next):
if not OPERATOR_AUTH_ENABLED:
return await call_next(request)
# CORS preflight carries no auth and must reach CORSMiddleware, not the gate.
if request.method == "OPTIONS":
return await call_next(request)
path = request.url.path
if _is_exempt(path):
return await call_next(request)
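Review bot: the new short-circuit `if request.method == "OPTIONS": return await call_next(request)` keys on the method alone, so it passes every OPTIONS request through the gate unauthenticated, not only CORS preflights; a browser preflight is identifiable by its `Origin` and `Access-Control-Request-Method` headers, so either narrow the check to requests carrying those headers, or extend the comment to state that no gated route answers OPTIONS with anything but the CORS response, so a reader can see the bypass is bounded. Also worth noting in the comment that the check deliberately sits after the `OPERATOR_AUTH_ENABLED` bail-out and before `_is_exempt(path)`, so exempt-path logic never sees preflights; the ordering is load-bearing and is easy to reshuffle later without noticing.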