feat(ui-admin): AuthGate + BaseClient + CollectionCRUD for hanzoai/base SPAs

[hanzo-dev]

Summary

• New @hanzogui/admin/auth AuthGate — single declarative guard for any hanzoai/base-backed admin SPA. Wraps the route subtree, intercepts /login and /callback, drives the OIDC dance via the canonical IAM client. Structural IAMClient type keeps the gate version-agnostic against @hanzo/iam@^0.8.x and ^0.9.x.
• New @hanzogui/admin/data createBaseClient({apiPrefix, getToken}) + BaseClientProvider + useBaseClient() + makeAuthedFetcher. Typed wrapper around any Base instance — one mount knob (/v1, /v1/auto, /v1/commerce) flips the entire surface.
• New @hanzogui/admin/crud <CollectionCRUD collection="X"> — schema-driven list + filter + paginate + detail-sheet + create-form for one Base collection. Phase 1 stops at create. Phase 2 = edit + delete (the client already exposes both).
• New apps/admin-auto-stub/ — 40 LOC of consumer wiring renders the full chrome end-to-end against base.hanzo.ai. Override target via VITE_BASE_TARGET.

This is the unblocking primitive for the unified admin UI vision. Every hanzoai/base-backed service (base, auto, commerce, bot, custom org-bases) drops in <AuthGate> + <BaseClientProvider> + <AdminApp> + one route per collection.

Test plan

• bun run typecheck passes in pkgs/ui-admin and apps/admin-auto-stub
• bun run test passes — 32 files / 237 tests (13 new across test/data/baseClient.test.ts and test/auth/authGate.test.tsx)
• Dev server boots: bun run dev in apps/admin-auto-stub → AuthGate redirects to /login and renders the default sign-in screen (Sign in to Hanzo Base).
• With a sessionStorage token injected, /superusers renders the full chrome and CollectionCRUD surfaces the canonical Base 401 error from base.hanzo.ai/v1/collections/_superusers ("The request requires valid record authorization token.").
• Live OIDC dance against iam.hanzo.ai — requires an IAM app registration for hanzo-base with http://localhost:5179/callback whitelisted. Out of scope for this PR.

Why this lives in @hanzogui/admin, not a new @hanzo/gui-admin package

The original task spec proposed @hanzo/gui-admin. @hanzogui/admin v7.2.3 already exists at pkgs/ui-admin/ with the canonical AdminApp, Sidebar, TopBar, Empty, DataTable, etc. Per "one and only one way to do everything," extending the existing package is correct; spawning a parallel one would duplicate the surface.

API additions (top-level barrel)

from '@hanzogui/admin'
  AuthGate              (auth)
  CallbackHandler       (auth)
  useAuth               (auth)
  IAMClient (type)      (auth)
  createBaseClient      (data)
  BaseClientProvider    (data)
  useBaseClient         (data)
  makeAuthedFetcher     (data)
  BaseClient (type)     (data)
  BrandInfo (type)      (data)
  CollectionCRUD        (crud)

Subpath exports added: ./crud. Existing exports unchanged.