overhaul: single-session deployment + redesigned frontend

Backend simplification:
- The server now loads ONE pool JSON from $QUIZ_POOL_PATH at startup and
  upserts a single canonical session. The session id comes from the pool
  JSON's optional "session_id" field, falling back to $QUIZ_SESSION_ID.
- The multi-quiz / multi-session CRUD API is gone:
    DELETED  GET/POST /admin/api/quizzes
    DELETED  POST    /admin/api/quizzes/upload
    DELETED  GET/POST /admin/api/sessions
    DELETED  GET     /admin/login (HTML stub)
    DELETED  GET     /admin/api/sessions/{sid}/csv (replaced by /admin/api/csv)
  Replaced with a single-session control surface:
    GET  /admin/                — serves admin.html unconditionally
    GET  /admin/api/state       — admin-gated; pool meta + state + QR + join URL
    POST /admin/api/reset       — admin-gated; wipe submissions + back to lobby
    POST /admin/logout          — clear admin cookie
    GET  /admin/api/csv         — single-session results
    WS   /ws/instructor/{sid}   — kept; new commands "next" + "reset"
- Instructor "Next" button is now a single state-driving command
  (RoomManager.advance_to_next): from lobby it opens Q0; from question_open
  it closes the current Q and opens the next; from question_closed it
  opens the next; if past the last question it ends the session.
- New RoomManager.reset wipes submissions, participants, and per-question
  state, then broadcasts a clean lobby.
- Student GET / now redirects to /?sid=<canonical> when no sid is given,
  so the QR / share URL is fully deterministic.

Frontend rewrite (functional baseline; visual polish to follow):
- /admin/ is now a single SPA: GET /admin/api/state decides login form
  vs dashboard. No separate /admin/login URL bar.
- Admin dashboard is state-driven with one primary action per state.
  QR code, join URL, and live participant list are always visible on the
  left so the operator can leave the page on a projector.
- Student answer buttons are big and tappable; reveal screen highlights
  correct/wrong choice + shows score, total, and rank.
- Static admin/student SPAs share a CSS palette with light/dark support.

Tests rewritten around the single canonical session id.
The auto-bootstrapped session lets each test fixture skip the old
quiz/session creation dance. 39/39 tests pass.

Cleanup:
- Deleted CODEX_PROMPT.md, IMPLEMENTATION_REPORT.md, NOTES.md, SPEC.md,
  static/observer.html (obsolete codex-build artifacts and the unused
  observer view).
- .gitignore now blocks /pool.json (the runtime file the operator drops
  on the server) and the leftover .codex_done / codex_run.log / etc.
- bootstrap.sh seeds /opt/quiz/pool.json from examples/pool_example.json
  on first deploy so a fresh box reaches a usable state without manual
  intervention; .env now includes QUIZ_POOL_PATH.

tests/conftest.py

@@ -2,6 +2,8 @@
 
 from __future__ import annotations
 
+import json
+
 import pytest
 from fastapi.testclient import TestClient
 
@@ -9,12 +11,16 @@ from app.config import Settings
 from app.main import create_app
 
 
+CANONICAL_SID = "main"
+
+
 @pytest.fixture
 def sample_pool():
     return {
         "title": "Sample Quiz",
         "score_fn": "linear_decay",
         "time_limit_default": 2,
+        "session_id": CANONICAL_SID,
         "questions": [
             {
                 "id": "q1",
@@ -57,35 +63,30 @@ def sample_pool():
 
 
 @pytest.fixture
-def client(tmp_path):
+def client(tmp_path, sample_pool):
+    pool_path = tmp_path / "pool.json"
+    pool_path.write_text(json.dumps(sample_pool))
     settings = Settings(
         db_path=str(tmp_path / "quiz.db"),
         secret_key="test-secret",
         admin_password="admin-pass",
         public_url="http://testserver",
+        pool_path=str(pool_path),
+        default_session_id=CANONICAL_SID,
     )
     app = create_app(settings)
     with TestClient(app) as test_client:
         yield test_client
 
 
+@pytest.fixture
+def sid() -> str:
+    return CANONICAL_SID
+
+
 def admin_login(client: TestClient) -> None:
     response = client.post("/admin/login", json={"password": "admin-pass"})
-    assert response.status_code == 200
-
-
-def create_quiz(client: TestClient, pool: dict) -> int:
-    admin_login(client)
-    response = client.post("/admin/api/quizzes", json={"pool_json": pool})
     assert response.status_code == 200, response.text
-    return response.json()["quiz_id"]
-
-
-def create_session(client: TestClient, pool: dict) -> str:
-    quiz_id = create_quiz(client, pool)
-    response = client.post("/admin/api/sessions", json={"quiz_id": quiz_id})
-    assert response.status_code == 200, response.text
-    return response.json()["sid"]
 
 
 def join_student(client: TestClient, sid: str, student_id: str = "s1", name: str = "Student One") -> dict: