fix: remove admin from sidebar + add PATCH to CORS allowed methods

Two hotfixes:

1. Admin link removed from Sidebar -- was visible to ALL users.
   Admin page still accessible via /dashboard/admin URL only.
   Non-admins get 403 from backend, clean error in frontend.

2. PATCH added to CORS allow_methods. The admin tier endpoint
   uses PATCH but it was missing from the CORS config, causing
   preflight failures on the tier update call.

3. Added retry:false to AdminPage React Query so non-admin
   users don't hammer the 403 endpoint.

Author: DevanshuNEU

backend/main.py

@@ -84,7 +84,7 @@ async def dispatch(self, request: Request, call_next):
     allow_origins=ALLOWED_ORIGINS,
     allow_origin_regex=ALLOW_ORIGIN_REGEX or None,
     allow_credentials=True,
-    allow_methods=["GET", "POST", "PUT", "DELETE", "OPTIONS"],
+    allow_methods=["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],
     allow_headers=["Authorization", "Content-Type"],
 )
 

frontend/src/components/dashboard/Sidebar.tsx

@@ -2,7 +2,6 @@ import { Link, useLocation } from 'react-router-dom'
 import { 
   FolderGit2, 
   BookOpen, 
-  Shield,
   ChevronLeft, 
   ChevronRight,
   ExternalLink,
@@ -25,7 +24,6 @@ interface NavItem {
 
 const mainNavItems: NavItem[] = [
   { name: 'Repositories', href: '/dashboard', icon: <FolderGit2 className="w-5 h-5" /> },
-  { name: 'Admin', href: '/dashboard/admin', icon: <Shield className="w-5 h-5" /> },
 ]
 
 const bottomNavItems: NavItem[] = [

frontend/src/pages/AdminPage.tsx

@@ -50,6 +50,7 @@ export function AdminPage() {
       return resp.json()
     },
     enabled: !!session?.access_token,
+    retry: false,
   })
 
   const users = data?.users ?? []