
fix: add server-side authorization to admin audit-log route#163

Merged
Sendi0011 merged 1 commit into
JointSave-org:mainfrom
Paranoa-dev:fix/audit-log-server-side-auth
Jun 29, 2026

Conversation

@Paranoa-dev

Contributor

Description

PR #154 added an admin audit log feature, but the creator-only restriction was only enforced on the client side. This meant anyone who knew or guessed a valid pool ID could call GET /api/admin/audit-log?poolId=<id> directly and receive the full audit log.

This fix adds server-side authorization to the API route by verifying the caller's wallet address against the pool's creator_address stored in the database before returning any data.

Changes

Server-side auth check (frontend/app/api/admin/audit-log/route.ts)

  • Accept a new required callerAddress query parameter
  • Fetch the pool's creator_address alongside existing fields
  • Compare callerAddress (case-insensitive) against pool.creator_address
  • Return 403 Forbidden if the addresses don't match
  • Return 400 Bad Request if callerAddress is missing
  • Rate limiting (readLimiter) continues to work unchanged

Client component update (frontend/components/group/admin-audit-log.tsx)

  • Pass the connected wallet's address as callerAddress in the API request
  • Handle 403 responses with a user-facing error message
  • Add address to the useEffect dependency array

Tests (frontend/app/api/admin/audit-log/route.test.ts)

  • 11 new unit tests covering:
    • Missing poolId → 400
    • Missing callerAddress → 400
    • Non-existent pool → 404
    • Unauthorized caller → 403
    • Authorized caller → 200 with audit data
    • Case-insensitive address comparison
    • Consistency check logic

Acceptance Criteria

  • Calling the route directly with a pool ID you don't administer returns 403
  • The legitimate pool creator can still retrieve their pool's audit log through the UI
  • Rate limiting continues to work alongside the new check
  • Unit tests cover both authorized and unauthorized cases

closes #160

The GET /api/admin/audit-log endpoint now verifies the caller's wallet
address matches the pool's creator_address before returning data.
Previously, the creator-only restriction was only enforced in the React
component, leaving the API route accessible to anyone with a valid poolId.

Changes:
- Accept callerAddress query param in the route
- Compare it (case-insensitive) against pool.creator_address from DB
- Return 403 Forbidden on mismatch
- Update AdminAuditLog component to pass callerAddress
- Add unit tests covering auth and consistency logic
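The authorization flow described above (required `callerAddress`, pool lookup, case-insensitive comparison against `creator_address`, 400/404/403/200 outcomes), as an added, framework-independent example that is not the JointSave project's own `route.ts`. The in-memory `POOLS` and `AUDIT_LOG` tables, the helper names `findPoolById`, `listAuditEntries` and `sameAddress`, and the handler name `handleAuditLogRequest` are all assumptions made for this illustration.

```typescript
// Added example, not the project's code: a plain-TypeScript model of the
// server-side check the PR adds. Helper and table names are assumptions.

type Pool = { id: string; name: string; creator_address: string };
type AuditEntry = { poolId: string; action: string; at: string };
type ResponseBody = { error?: string; pool?: { id: string; name: string }; entries?: AuditEntry[] };
type ApiResponse = { status: number; body: ResponseBody };

// Constructed sample rows standing in for the database tables.
const POOLS: Pool[] = [
  { id: "pool-1", name: "Rent fund", creator_address: "0xAbCdEf0000000000000000000000000000000001" },
  { id: "pool-2", name: "Trip fund", creator_address: "0x1234560000000000000000000000000000000002" },
];
const AUDIT_LOG: AuditEntry[] = [
  { poolId: "pool-1", action: "member_added", at: "2026-06-01T10:00:00Z" },
  { poolId: "pool-1", action: "payout_approved", at: "2026-06-02T11:30:00Z" },
  { poolId: "pool-2", action: "member_added", at: "2026-06-03T09:15:00Z" },
];

function findPoolById(id: string): Pool | undefined {
  return POOLS.find((p) => p.id === id);
}

function listAuditEntries(poolId: string): AuditEntry[] {
  return AUDIT_LOG.filter((e) => e.poolId === poolId);
}

// Checksummed hex addresses differ from lower-case ones only by letter case,
// so the comparison normalises both sides before comparing.
function sameAddress(a: string, b: string): boolean {
  return a.trim().toLowerCase() === b.trim().toLowerCase();
}

// Model of the GET /api/admin/audit-log handler. Every query parameter is
// untrusted input; the creator check runs before any audit rows are read.
function handleAuditLogRequest(url: string): ApiResponse {
  const params = new URL(url, "http://localhost").searchParams;
  const poolId = params.get("poolId");
  const callerAddress = params.get("callerAddress");

  if (!poolId) return { status: 400, body: { error: "poolId is required" } };
  if (!callerAddress) return { status: 400, body: { error: "callerAddress is required" } };

  const pool = findPoolById(poolId);
  if (!pool) return { status: 404, body: { error: "Pool not found" } };

  // Authorization: only the pool creator may read the pool's audit log.
  if (!sameAddress(callerAddress, pool.creator_address)) {
    return { status: 403, body: { error: "Forbidden" } };
  }

  return {
    status: 200,
    body: { pool: { id: pool.id, name: pool.name }, entries: listAuditEntries(pool.id) },
  };
}
```

As in the PR, the identity being authorized is whatever `callerAddress` the client puts in the query string, so this check stops casual direct calls but does not by itself prove that the caller controls that wallet; binding the address to an authenticated session or a wallet-signed challenge is the usual follow-up for an admin-only route.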

@Sendi0011 Sendi0011 left a comment

Contributor


Great implementation 👍

@Sendi0011 Sendi0011 merged commit e92e0bd into JointSave-org:main Jun 29, 2026
2 checks passed


Development

Successfully merging this pull request may close these issues.

[Bug] Admin audit log API route only checks creator status client-side — needs server-side verification

2 participants