fix(lab-content-engine): phase 5 — read-роуты auth-only, мутации inline admin

GET /related и /links возвращали 200 без токена: они были ПОСЛЕ blanket
router.use(requireRole('admin')) (хрупкий порядок при повторном mount роутера
в тестах). Убрал blanket; каждая мутация (patch/reorder/links POST+DELETE)
имеет INLINE requireRole('admin'); read-роуты — auth-only.
Также lab-links seed переведён на seedRow() (NOT NULL дрейф схемы).

lab-links 18/18, lab-sims 11/11, route-auth: 0 роутов lab.js во флаге.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Maxim Dolgolyov
2026-05-30 16:40:19 +03:00
parent 57e4a6ae95
commit 15c74f5aa8
2 changed files with 10 additions and 11 deletions
+4 -8
@@ -42,15 +42,11 @@ describe('/api/lab curriculum links', () => {
before(async () => {
adminToken = (await getToken('admin')).token;
studentToken = (await getToken('student')).token;
// Seed a textbook + topic to link against.
db.prepare(`INSERT INTO textbooks (slug, title, subject, grade, is_active)
VALUES ('phys-test', 'Физика тест', 'physics', 9, 1)
ON CONFLICT(slug) DO NOTHING`).run();
// Seed a textbook + topic to link against (schema-robust — fills NOT NULL cols).
tbSlug = 'phys-test';
const subj = db.prepare(`INSERT INTO subjects (name) VALUES ('LinkTest Subj')`).run();
const tp = db.prepare(`INSERT INTO topics (subject_id, name) VALUES (?, 'Колебания тест')`)
.run(subj.lastInsertRowid);
topicId = tp.lastInsertRowid;
seedRow('textbooks', { slug: tbSlug, title: 'Физика тест', subject: 'physics', grade: 9, is_active: 1 });
const subjId = seedRow('subjects', { name: 'LinkTest Subj', slug: 'linktest-subj' });
topicId = seedRow('topics', { subject_id: subjId, name: 'Колебания тест', slug: 'kolebaniya-test' });
});
it('GET /related requires auth (401)', async () => {
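Review bot: The `seedRow('textbooks', …)` call drops the `ON CONFLICT(slug) DO NOTHING` guard that the removed insert had, and the subjects and topics seeds now carry fixed slugs (`linktest-subj`, `kolebaniya-test`). seedRow is defined outside this hunk, so whether it tolerates an existing row is not visible here. If it is a plain INSERT and those slug columns are unique, a rerun against a reused test database would throw inside `before`, and auth checks such as `GET /related requires auth (401)` would never execute. Because these tests guard the auth regression this commit fixes, it is worth confirming that seedRow upserts (or that the database is recreated per run) and recording that in the comment, e.g. `// seedRow() upserts on slug, so this is safe on a reused test DB`. The `describe` body continues outside the hunk.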