fix(test): admin shortcut to flip teacher verified for class-mode e2e

CI v6 cleared the email-required + birth-year-select issues but
exposed the next G-14 layer: golden-paths #5 (class mode) creates
a teacher then immediately POSTs /api/nauczyciel/class. New
teachers default to verified=false (G-14 spec), so the gate I
added returns 403 with `teacher-not-verified`.

Production fix is the email-link flow at /verify?token=…, but the
token isn't returned in the signup response (security: tokens go
out via the mailer, not the HTTP body). Tests need a way to
flip the flag without intercepting email.

Solution mirrors the existing admin-endpoint pattern in
`app/api/admin/seed-demo-school` and `purge-e2e-accounts`:

- `app/api/admin/teacher-verify/route.ts` (NEW). POST { username }
  with `Authorization: Bearer $ADMIN_SECRET`. Calls
  `markTeacherVerified` directly. Local dev without the secret is
  allowed (same pattern as seed-demo-school) so dev workflow isn't
  blocked.
- golden-paths #5 calls the admin endpoint with the same
  E2E_ADMIN_SECRET fallback string `production-ready.spec.ts`
  already uses.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: B2JK-Industry

app/api/admin/teacher-verify/route.ts

@@ -0,0 +1,43 @@
+import { NextRequest } from "next/server";
+import { z } from "zod";
+import { markTeacherVerified } from "@/lib/class";
+
+/* PR-P G-14 follow-up — admin shortcut to flip a teacher's `verified`
+ * flag without going through the email link. Used by the e2e suite
+ * (golden-paths #5 class mode) to bypass the verify gate. ADMIN_SECRET
+ * is the primary guard; local dev without the secret is allowed
+ * (matches the pattern in `seed-demo-school` and other admin
+ * endpoints).
+ *
+ * POST { username } with `Authorization: Bearer $ADMIN_SECRET`.
+ */
+
+const BodySchema = z.object({
+  username: z.string().min(1).max(64),
+});
+
+function unauthorized() {
+  return Response.json({ ok: false, error: "unauthorized" }, { status: 401 });
+}
+
+function checkSecret(req: NextRequest): boolean {
+  const expected = process.env.ADMIN_SECRET;
+  if (!expected) return true;
+  const authz = req.headers.get("authorization") ?? "";
+  return authz === `Bearer ${expected}`;
+}
+
+export async function POST(req: NextRequest) {
+  if (!checkSecret(req)) return unauthorized();
+  let parsed;
+  try {
+    parsed = BodySchema.parse(await req.json());
+  } catch (e) {
+    return Response.json(
+      { ok: false, error: `bad-body: ${(e as Error).message}` },
+      { status: 400 },
+    );
+  }
+  await markTeacherVerified(parsed.username);
+  return Response.json({ ok: true, verified: true });
+}

e2e/golden-paths.spec.ts

@@ -230,6 +230,15 @@ test.describe("golden paths", () => {
       schoolName: "Playwright School",
     });
     expect(tSignup.status, `teacher signup: ${JSON.stringify(tSignup)}`).toBeLessThan(400);
+    // G-14 — new teachers default to verified=false; class POST is
+    // 403 until /verify?token=… is consumed. Tests bypass via the
+    // admin shortcut endpoint (see app/api/admin/teacher-verify).
+    const ADMIN_SECRET =
+      process.env.E2E_ADMIN_SECRET ?? "e2e-admin-secret-not-for-production";
+    await t.request.post("/api/admin/teacher-verify", {
+      headers: { authorization: `Bearer ${ADMIN_SECRET}` },
+      data: { username: teacherUser },
+    });
 
     // Class POST requires { name, grade, subject? } — see
     // app/api/nauczyciel/class/route.ts.