Fix blank-screen on load + close 3 admin gaps (v0.1.0:79)

The web UI rendered a blank screen for every user. Root cause: the page
loaded @babel/standalone from unpkg with no version pin, so the CDN silently
served Babel 8.0.0. Babel 8 defaults @babel/preset-react to the automatic JSX
runtime, which prepends `import {jsx} from "react/jsx-runtime"` to the compiled
output. An ESM import is illegal in this classic (non-module) inline <script>,
so the browser rejected the whole bundle and React never mounted — hence the
blank screen. The prior "verified live" checks were server-up/curl, which can't
catch a browser-render failure.

- Pin @babel/standalone@7.29.7 (its preset-react defaults to the classic
  React.createElement runtime). Verified via headless render: app mounts, login
  screen renders, no console error. Follow-up: vendor + SRI-pin the CDN libs so
  a third party can't swap our front-end deps in production again.
- Close three server-side admin gaps surfaced by a permissions audit — endpoints
  that were UI-hidden from members but not API-enforced: GET /api/users,
  /api/email/status, /api/email/accounts now require_admin. Removed the now-dead
  non-admin mailbox-row filter. 21/21 backend tests green; py_compile clean.

backend/email_integration/routes.py

@@ -115,7 +115,9 @@ def _require_admin(handler) -> Optional[dict]:
 # ---------------------------------------------------------------------------- GET handlers
 
 def _h_status(handler):
-    user = _require_auth(handler)
+    # Email Capture is an admin-only surface (nav-hidden from members); these read
+    # endpoints expose mailbox/sync metadata, so enforce admin server-side too.
+    user = _require_admin(handler)
     if not user:
         return
     snap = _sched.status_snapshot()
@@ -150,7 +152,9 @@ def _h_status(handler):
 
 
 def _h_list_accounts(handler):
-    user = _require_auth(handler)
+    # Admin-only: the mailbox list (addresses, sync state, errors) belongs to the
+    # admin-only Email Capture surface. Enforced server-side, not just nav-hidden.
+    user = _require_admin(handler)
     if not user:
         return
     conn = _conn()
@@ -180,9 +184,6 @@ def _h_list_accounts(handler):
             r["matched"] = matched.get(r["id"], 0)
     finally:
         conn.close()
-    # Non-admins only see their own row
-    if user.get("role") != "admin":
-        rows = [r for r in rows if r["user_id"] == user["user_id"]]
     handler.send_json({"accounts": rows})
 
 

backend/server.py

@@ -3914,6 +3914,11 @@ class CRMHandler(BaseHTTPRequestHandler):
         return self.send_json({"data": res})
 
     def handle_list_users(self, user):
+        # The full user directory (names, emails, roles) is admin-only — it is only
+        # consumed by the admin section of Settings. The nav already hides it from
+        # members; this enforces the same boundary server-side.
+        if not require_admin(user):
+            return self.send_error_json("Admin access required", 403)
         conn = get_db()
         users = rows_to_list(conn.execute(
             "SELECT id, username, email, full_name, role, is_active, created_at FROM users ORDER BY full_name"