Epic 5 Complete: Billing, Subscriptions, and Admin Features

Resolve all 5 deferred items from Epic 5 adversarial code review:
- Migration 124: Add CASCADE to subscriptionstatus enum drop (prevent orphaned references)
- Stripe rate limiting: In-memory per-user limiter (20 calls/60s) on verify-checkout-session
- Subscription request cooldown: 24h cooldown before resubmitting rejected requests
- Token reset date: Initialize on first subscription activation
- Checkout URL validation: Confirmed HTTPS-only (Stripe always returns HTTPS)

Implement Story 5.4 (Usage Tracking & Rate Limit Enforcement):
- Page quota pre-check at HTTP upload layer
- Extend UserRead schema with token quota fields
- Frontend 402 error handling in document upload
- Quota indicator in dashboard sidebar

Story 5.5 (Admin Seed & Approval Flow):
- Seed admin user migration with default credentials warning
- Subscription approval/rejection routes with admin guard
- 24h rejection cooldown enforcement

Story 5.6 (Admin-Only Model Config):
- Global model config visible across all search spaces
- Per-search-space model configs with user access control
- Superuser CRUD for global configs

Additional fixes from code review:
- PageLimitService: PAST_DUE subscriptions enforce free-tier limits
- TokenQuotaService: PAST_DUE subscriptions enforce free-tier limits
- Config routes: Fixed user_id.is_(None) filter on mutation endpoints
- Stripe webhook: Added guard against silent plan downgrade on unrecognized price_id

All changes formatted with Ruff (Python) and Biome (TypeScript).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

surfsense_backend/app/routes/image_generation_routes.py

@@ -30,6 +30,7 @@ from app.db import (
 from app.schemas import (
     GlobalImageGenConfigRead,
     ImageGenerationConfigCreate,
+    ImageGenerationConfigPublic,
     ImageGenerationConfigRead,
     ImageGenerationConfigUpdate,
     ImageGenerationCreate,
@@ -41,7 +42,7 @@ from app.services.image_gen_router_service import (
     ImageGenRouterService,
     is_image_gen_auto_mode,
 )
-from app.users import current_active_user
+from app.users import current_active_user, current_superuser
 from app.utils.rbac import check_permission
 from app.utils.signed_image_urls import verify_image_token
 
@@ -261,19 +262,11 @@ async def get_global_image_gen_configs(
 async def create_image_gen_config(
     config_data: ImageGenerationConfigCreate,
     session: AsyncSession = Depends(get_async_session),
-    user: User = Depends(current_active_user),
+    user: User = Depends(current_superuser),
 ):
-    """Create a new image generation config for a search space."""
+    """Create a new image generation config for a search space. Superuser only."""
     try:
-        await check_permission(
-            session,
-            user,
-            config_data.search_space_id,
-            Permission.IMAGE_GENERATIONS_CREATE.value,
-            "You don't have permission to create image generation configs in this search space",
-        )
-
-        db_config = ImageGenerationConfig(**config_data.model_dump(), user_id=user.id)
+        db_config = ImageGenerationConfig(**config_data.model_dump(), user_id=None)
         session.add(db_config)
         await session.commit()
         await session.refresh(db_config)
@@ -289,7 +282,9 @@ async def create_image_gen_config(
         ) from e
 
 
-@router.get("/image-generation-configs", response_model=list[ImageGenerationConfigRead])
+@router.get(
+    "/image-generation-configs", response_model=list[ImageGenerationConfigPublic]
+)
 async def list_image_gen_configs(
     search_space_id: int,
     skip: int = 0,
@@ -297,7 +292,7 @@ async def list_image_gen_configs(
     session: AsyncSession = Depends(get_async_session),
     user: User = Depends(current_active_user),
 ):
-    """List image generation configs for a search space."""
+    """List image generation configs for a search space (includes global admin configs)."""
     try:
         await check_permission(
             session,
@@ -309,7 +304,10 @@ async def list_image_gen_configs(
 
         result = await session.execute(
             select(ImageGenerationConfig)
-            .filter(ImageGenerationConfig.search_space_id == search_space_id)
+            .filter(
+                (ImageGenerationConfig.search_space_id == search_space_id)
+                | (ImageGenerationConfig.search_space_id == None)  # noqa: E711
+            )
             .order_by(ImageGenerationConfig.created_at.desc())
             .offset(skip)
             .limit(limit)
@@ -367,25 +365,20 @@ async def update_image_gen_config(
     config_id: int,
     update_data: ImageGenerationConfigUpdate,
     session: AsyncSession = Depends(get_async_session),
-    user: User = Depends(current_active_user),
+    user: User = Depends(current_superuser),
 ):
-    """Update an existing image generation config."""
+    """Update an existing image generation config. Superuser only."""
     try:
         result = await session.execute(
-            select(ImageGenerationConfig).filter(ImageGenerationConfig.id == config_id)
+            select(ImageGenerationConfig).filter(
+                ImageGenerationConfig.id == config_id,
+                ImageGenerationConfig.user_id.is_(None),
+            )
         )
         db_config = result.scalars().first()
         if not db_config:
             raise HTTPException(status_code=404, detail="Config not found")
 
-        await check_permission(
-            session,
-            user,
-            db_config.search_space_id,
-            Permission.IMAGE_GENERATIONS_CREATE.value,
-            "You don't have permission to update image generation configs in this search space",
-        )
-
         for key, value in update_data.model_dump(exclude_unset=True).items():
             setattr(db_config, key, value)
 
@@ -407,25 +400,20 @@ async def update_image_gen_config(
 async def delete_image_gen_config(
     config_id: int,
     session: AsyncSession = Depends(get_async_session),
-    user: User = Depends(current_active_user),
+    user: User = Depends(current_superuser),
 ):
-    """Delete an image generation config."""
+    """Delete an image generation config. Superuser only."""
     try:
         result = await session.execute(
-            select(ImageGenerationConfig).filter(ImageGenerationConfig.id == config_id)
+            select(ImageGenerationConfig).filter(
+                ImageGenerationConfig.id == config_id,
+                ImageGenerationConfig.user_id.is_(None),
+            )
         )
         db_config = result.scalars().first()
         if not db_config:
             raise HTTPException(status_code=404, detail="Config not found")
 
-        await check_permission(
-            session,
-            user,
-            db_config.search_space_id,
-            Permission.IMAGE_GENERATIONS_DELETE.value,
-            "You don't have permission to delete image generation configs in this search space",
-        )
-
         await session.delete(db_config)
         await session.commit()
         return {