fix(auth): hide /admin/users when flag off; pass OPTIONS preflight through gate

- operator_users router now depends on _require_auth_enabled, which raises
  404 when OPERATOR_AUTH_ENABLED is false — prevents world-open pre-seeding
  of a superadmin while the flag is off (the default).  Flag is read as a
  live module attribute (operator_auth.OPERATOR_AUTH_ENABLED) so monkeypatching
  in tests and a runtime flip both take effect.
- operator_gate passes OPTIONS requests through immediately before the exempt-
  path check, so CORS preflight reaches CORSMiddleware rather than being
  303/401'd by the gate.
- Two new tests: test_admin_surface_404s_when_flag_off (test_operator_users)
  and test_options_preflight_passes_through_gate (test_operator_gate).
  Full suite: 90 passed.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/routers/operator_users.py

@@ -12,9 +12,21 @@ from backend.operator_auth import (
     require_role, create_operator, reset_operator_password,
     set_operator_active, set_operator_role,
 )
+import backend.operator_auth as operator_auth
 from backend.utils.timezone import format_local_datetime
 
-router = APIRouter(tags=["operator-users"])
+
+def _require_auth_enabled():
+    """The operator-management surface does not exist while operator auth is
+    disabled — otherwise these net-new endpoints would be world-open with the
+    flag off (the default), letting anyone pre-seed a superadmin. Read the flag
+    as a live module attribute so the test monkeypatch and a runtime flip both
+    take effect."""
+    if not operator_auth.OPERATOR_AUTH_ENABLED:
+        raise HTTPException(status_code=404, detail="Not found")
+
+
+router = APIRouter(tags=["operator-users"], dependencies=[Depends(_require_auth_enabled)])
 _superadmin = require_role("superadmin")