Add requireSetupIncompleteOrAdmin and adjust routes

Introduce a new middleware requireSetupIncompleteOrAdmin that allows unauthenticated access while the setup wizard is in progress but enforces admin authentication once setup is complete. Replace requireSetupIncomplete with the new guard in test-paths, test-abs and test-oidc API routes. Update the front-end hook to use fetchWithAuth for authenticated requests. Revise setup-guard tests to cover the new semantics: shared endpoints now return 401 when setup is complete and no auth is provided, return 403 for authenticated non-admin users, and allow admin access or unauthenticated access during setup/DB-unready conditions; also add jwt verification and user lookup mocks to the tests.

src/lib/middleware/auth.ts

@@ -253,3 +253,35 @@ export async function requireSetupIncomplete(
 
   return handler(request);
 }
+
+/**
+ * Middleware: Require setup incomplete OR authenticated admin
+ * For endpoints shared between the setup wizard and admin settings.
+ * Allows access during setup (no auth needed) or after setup (admin auth required).
+ */
+export async function requireSetupIncompleteOrAdmin(
+  request: NextRequest,
+  handler: (request: NextRequest) => Promise<NextResponse>
+): Promise<NextResponse> {
+  let setupComplete = false;
+
+  try {
+    const config = await prisma.configuration.findUnique({
+      where: { key: 'setup_completed' },
+    });
+    setupComplete = config?.value === 'true';
+  } catch {
+    // If database is not ready, setup is definitely not complete — allow through
+    return handler(request);
+  }
+
+  if (!setupComplete) {
+    // Setup in progress — allow unauthenticated access (setup wizard)
+    return handler(request);
+  }
+
+  // Setup is complete — require admin authentication
+  return requireAuth(request, (authenticatedReq) =>
+    requireAdmin(authenticatedReq, () => handler(request))
+  );
+}