fix: harden admin access, repair ORM joins, and add migration/tests

app/main.py

@@ -16,7 +16,6 @@ from typing import AsyncGenerator
 from fastapi import FastAPI
 from fastapi.middleware.cors import CORSMiddleware
 
-from app.admin import admin as admin_app
 from app.core.config import get_settings
 from app.database import close_db, init_db
 from app.routers import (
@@ -41,10 +40,18 @@ async def lifespan(app: FastAPI) -> AsyncGenerator[None, None]:
     """
     # Startup: Initialize database
     await init_db()
+    if settings.ENABLE_ADMIN:
+        from app.admin import configure_admin_app
+
+        await configure_admin_app()
     
     yield
     
     # Shutdown: Close database connections
+    if settings.ENABLE_ADMIN:
+        from app.admin import shutdown_admin_app
+
+        await shutdown_admin_app()
     await close_db()
 
 
@@ -162,25 +169,27 @@ app.include_router(
     wordpress_router,
     prefix=f"{settings.API_V1_STR}",
 )
-app.include_router(
-    ai_router,
-    prefix=f"{settings.API_V1_STR}",
-)
 app.include_router(
     reports_router,
     prefix=f"{settings.API_V1_STR}",
 )
 
+if settings.ENABLE_ADMIN:
+    from app.admin import admin as admin_app
 
-# Mount FastAPI Admin panel
-app.mount("/admin", admin_app)
+    app.include_router(
+        ai_router,
+        prefix=f"{settings.API_V1_STR}",
+    )
 
+    # Mount FastAPI Admin panel
+    app.mount("/admin", admin_app)
 
-# Include admin API router for custom actions
-app.include_router(
-    admin_router,
-    prefix=f"{settings.API_V1_STR}",
-)
+    # Include admin API router for custom actions
+    app.include_router(
+        admin_router,
+        prefix=f"{settings.API_V1_STR}",
+    )
 
 
 # Placeholder routers for future implementation