feat(authz): gate sprint + issue create/delete on admin or board_admin

[KunalDSoni]

Same gap as projects — only requireAuth was applied, so any logged-in user could create or delete sprints and tasks.

Now restricted:
POST /api/projects/:id/sprints create sprint admin/board_admin
PUT /api/sprints/:id edit sprint admin/board_admin
DELETE /api/sprints/:id delete sprint admin/board_admin
POST /api/projects/:id/issues create task admin/board_admin
DELETE /api/issues/:id delete task admin/board_admin

Deliberately left open to all authenticated users:
PUT /api/issues/:id — field updates (assign, edit, etc.)
PUT /api/issues/:id/move — drag between board columns

Locking PUT/move would break the kanban interaction model — regular users need to update status and reassign their own work.

All 188 tests pass.