Epic 5 Complete: Billing, Subscriptions, and Admin Features

Resolve all 5 deferred items from Epic 5 adversarial code review:
- Migration 124: Add CASCADE to subscriptionstatus enum drop (prevent orphaned references)
- Stripe rate limiting: In-memory per-user limiter (20 calls/60s) on verify-checkout-session
- Subscription request cooldown: 24h cooldown before resubmitting rejected requests
- Token reset date: Initialize on first subscription activation
- Checkout URL validation: Confirmed HTTPS-only (Stripe always returns HTTPS)

Implement Story 5.4 (Usage Tracking & Rate Limit Enforcement):
- Page quota pre-check at HTTP upload layer
- Extend UserRead schema with token quota fields
- Frontend 402 error handling in document upload
- Quota indicator in dashboard sidebar

Story 5.5 (Admin Seed & Approval Flow):
- Seed admin user migration with default credentials warning
- Subscription approval/rejection routes with admin guard
- 24h rejection cooldown enforcement

Story 5.6 (Admin-Only Model Config):
- Global model config visible across all search spaces
- Per-search-space model configs with user access control
- Superuser CRUD for global configs

Additional fixes from code review:
- PageLimitService: PAST_DUE subscriptions enforce free-tier limits
- TokenQuotaService: PAST_DUE subscriptions enforce free-tier limits
- Config routes: Fixed user_id.is_(None) filter on mutation endpoints
- Stripe webhook: Added guard against silent plan downgrade on unrecognized price_id

All changes formatted with Ruff (Python) and Biome (TypeScript).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

surfsense_web/components/settings/model-config-manager.tsx

@@ -14,6 +14,7 @@ import {
 } from "lucide-react";
 import { useMemo, useState } from "react";
 import { membersAtom, myAccessAtom } from "@/atoms/members/members-query.atoms";
+import { currentUserAtom } from "@/atoms/user/user-query.atoms";
 import { deleteNewLLMConfigMutationAtom } from "@/atoms/new-llm-config/new-llm-config-mutation.atoms";
 import {
 	globalNewLLMConfigsAtom,
@@ -87,15 +88,14 @@ export function ModelConfigManager({ searchSpaceId }: ModelConfigManagerProps) {
 		return map;
 	}, [members]);
 
-	// Permissions
+	// Permissions — only superusers can create/edit/delete model configs
 	const { data: access } = useAtomValue(myAccessAtom);
-	const canCreate =
-		!!access && (access.is_owner || (access.permissions?.includes("llm_configs:create") ?? false));
-	const canUpdate =
-		!!access && (access.is_owner || (access.permissions?.includes("llm_configs:update") ?? false));
-	const canDelete =
-		!!access && (access.is_owner || (access.permissions?.includes("llm_configs:delete") ?? false));
-	const isReadOnly = !canCreate && !canUpdate && !canDelete;
+	const { data: currentUser } = useAtomValue(currentUserAtom);
+	const isAdmin = !!currentUser?.is_superuser;
+	const canCreate = isAdmin;
+	const canUpdate = isAdmin;
+	const canDelete = isAdmin;
+	const isReadOnly = !isAdmin;
 
 	// Local state
 	const [isDialogOpen, setIsDialogOpen] = useState(false);