Add AdminSponsorEditPermissionMiddleware with super admin toggle

[balebbae]

Summary

Follow-up from #53. Implement the TODO on line 227 of cmd/api/api.go:

// TODO: Protect Under a AdminSponsorEditPermissionMiddleware

Requirements

1. Create AdminSponsorEditPermissionMiddleware

• Follow the existing AdminScheduleEditPermissionMiddleware pattern
• Protect sponsor edit routes under /admin/sponsors:
  • POST / (create)
  • PUT /{sponsorID} (update)
  • DELETE /{sponsorID} (delete)
  • POST /{sponsorID}/logo-upload-url (logo upload)
• GET / (list) should remain unprotected by this middleware (read-only)

2. Add super admin toggle routes

Add settings routes following the admin-schedule-edit-toggle pattern:

• GET /v1/superadmin/settings/admin-sponsor-edit-toggle
• POST /v1/superadmin/settings/admin-sponsor-edit-toggle

3. Implementation guide

• Reference AdminScheduleEditPermissionMiddleware for the middleware implementation
• Reference getAdminScheduleEditToggle / setAdminScheduleEditToggle handlers for the toggle endpoints
• Add the corresponding config key in the store layer
• Add migration if needed for the new config row
• Add tests following existing patterns

Linked PR

This is a follow-up from the sponsors feature PR linked to #53.