overhaul: single-session deployment + redesigned frontend

Backend simplification:
- The server now loads ONE pool JSON from $QUIZ_POOL_PATH at startup and
  upserts a single canonical session. The session id comes from the pool
  JSON's optional "session_id" field, falling back to $QUIZ_SESSION_ID.
- The multi-quiz / multi-session CRUD API is gone:
    DELETED  GET/POST /admin/api/quizzes
    DELETED  POST    /admin/api/quizzes/upload
    DELETED  GET/POST /admin/api/sessions
    DELETED  GET     /admin/login (HTML stub)
    DELETED  GET     /admin/api/sessions/{sid}/csv (replaced by /admin/api/csv)
  Replaced with a single-session control surface:
    GET  /admin/                — serves admin.html unconditionally
    GET  /admin/api/state       — admin-gated; pool meta + state + QR + join URL
    POST /admin/api/reset       — admin-gated; wipe submissions + back to lobby
    POST /admin/logout          — clear admin cookie
    GET  /admin/api/csv         — single-session results
    WS   /ws/instructor/{sid}   — kept; new commands "next" + "reset"
- Instructor "Next" button is now a single state-driving command
  (RoomManager.advance_to_next): from lobby it opens Q0; from question_open
  it closes the current Q and opens the next; from question_closed it
  opens the next; if past the last question it ends the session.
- New RoomManager.reset wipes submissions, participants, and per-question
  state, then broadcasts a clean lobby.
- Student GET / now redirects to /?sid=<canonical> when no sid is given,
  so the QR / share URL is fully deterministic.

Frontend rewrite (functional baseline; visual polish to follow):
- /admin/ is now a single SPA: GET /admin/api/state decides login form
  vs dashboard. No separate /admin/login URL bar.
- Admin dashboard is state-driven with one primary action per state.
  QR code, join URL, and live participant list are always visible on the
  left so the operator can leave the page on a projector.
- Student answer buttons are big and tappable; reveal screen highlights
  correct/wrong choice + shows score, total, and rank.
- Static admin/student SPAs share a CSS palette with light/dark support.

Tests rewritten around the single canonical session id.
The auto-bootstrapped session lets each test fixture skip the old
quiz/session creation dance. 39/39 tests pass.

Cleanup:
- Deleted CODEX_PROMPT.md, IMPLEMENTATION_REPORT.md, NOTES.md, SPEC.md,
  static/observer.html (obsolete codex-build artifacts and the unused
  observer view).
- .gitignore now blocks /pool.json (the runtime file the operator drops
  on the server) and the leftover .codex_done / codex_run.log / etc.
- bootstrap.sh seeds /opt/quiz/pool.json from examples/pool_example.json
  on first deploy so a fresh box reaches a usable state without manual
  intervention; .env now includes QUIZ_POOL_PATH.

tests/test_api_admin.py

@@ -1,42 +1,56 @@
-from conftest import admin_login, create_quiz, create_session, join_student
+from conftest import admin_login, join_student
 
 
-def test_admin_login_required_and_quiz_session_crud(client, sample_pool):
-    assert client.get("/admin/").status_code == 401
+def test_admin_state_requires_login(client):
+    # /admin/api/state is the canonical "am I logged in" probe used by the SPA.
+    assert client.get("/admin/api/state").status_code == 401
     assert client.post("/admin/login", json={"password": "wrong"}).status_code == 401
 
-    admin_login(client)
-    assert client.get("/admin/").status_code == 200
-    quiz_id = create_quiz(client, sample_pool)
-    quizzes = client.get("/admin/api/quizzes").json()["quizzes"]
-    assert any(item["id"] == quiz_id for item in quizzes)
 
-    response = client.post("/admin/api/sessions", json={"quiz_id": quiz_id})
+def test_admin_state_after_login_includes_pool_meta_and_qr(client, sid):
+    admin_login(client)
+    response = client.get("/admin/api/state")
     assert response.status_code == 200
     payload = response.json()
-    assert len(payload["sid"]) == 6
-    assert payload["join_url"].endswith(f"?sid={payload['sid']}")
+    assert payload["sid"] == sid
+    assert payload["state"] == "lobby"
+    assert payload["join_url"].endswith(f"?sid={sid}")
     assert payload["qr_url"].startswith("data:image/svg+xml;base64,")
-
-    sessions = client.get("/admin/api/sessions").json()["sessions"]
-    assert sessions[0]["sid"] == payload["sid"]
+    assert payload["pool_meta"]["question_count"] == 5
+    assert payload["pool_meta"]["score_fn"] == "linear_decay"
 
 
-def test_quiz_upload_and_csv_export(client, sample_pool):
-    sid = create_session(client, sample_pool)
-    join_student(client, sid, "s1", "Student One")
-    csv_response = client.get(f"/admin/api/sessions/{sid}/csv")
-    assert csv_response.status_code == 200
-    assert "student_id,name,question_idx" in csv_response.text
-
-    upload = client.post(
-        "/admin/api/quizzes/upload",
-        files={"file": ("pool.json", __import__("json").dumps(sample_pool), "application/json")},
-    )
-    assert upload.status_code == 200
+def test_admin_html_served_without_auth_gate(client):
+    # The HTML shell is unauthed; the SPA decides login vs dashboard from
+    # the /admin/api/state response. Anything else would force a separate
+    # /admin/login page back into the URL bar.
+    response = client.get("/admin/")
+    assert response.status_code == 200
+    assert "<title>Quiz Admin</title>" in response.text
 
 
-def test_invalid_quiz_and_session_errors(client):
+def test_csv_endpoint_is_admin_only_and_serves_results(client, sid):
+    assert client.get("/admin/api/csv").status_code == 401
     admin_login(client)
-    assert client.post("/admin/api/quizzes", json={"pool_json": {"title": "bad", "questions": []}}).status_code == 400
-    assert client.post("/admin/api/sessions", json={"quiz_id": 999}).status_code == 404
+    join_student(client, sid)
+    response = client.get("/admin/api/csv")
+    assert response.status_code == 200
+    assert "student_id,name,question_idx" in response.text
+
+
+def test_admin_logout_clears_cookie(client):
+    admin_login(client)
+    assert client.get("/admin/api/state").status_code == 200
+    client.post("/admin/logout")
+    assert client.get("/admin/api/state").status_code == 401
+
+
+def test_admin_reset_clears_participants_and_state(client, sid):
+    admin_login(client)
+    join_student(client, sid, "s1", "First")
+    join_student(client, sid, "s2", "Second")
+    response = client.post("/admin/api/reset")
+    assert response.status_code == 200
+    state = client.get("/admin/api/state").json()
+    assert state["state"] == "lobby"
+    assert state["current_question_idx"] is None