feat(admin): add box preview and password bypass for administrators

Introduce an `AdminViewBox` handler and route that allows administrators
to view any box directly. If the box is password-protected, the handler
bypasses the protection by setting an unlock cookie with an unlock token
and logs the bypass event.

Additionally, add CSS and JS foundations for a file context menu and
preview actions in the file browser UI.

backend/libs/handlers/admin.go

@@ -140,6 +140,33 @@ func (a *App) AdminDeleteBox(w http.ResponseWriter, r *http.Request) {
 	http.Redirect(w, r, "/admin/files", http.StatusSeeOther)
 }
 
+func (a *App) AdminViewBox(w http.ResponseWriter, r *http.Request) {
+	if !a.requireAdmin(w, r) {
+		return
+	}
+
+	box, err := a.uploadService.GetBox(r.PathValue("boxID"))
+	if err != nil {
+		http.NotFound(w, r)
+		return
+	}
+
+	if a.uploadService.IsProtected(box) {
+		http.SetCookie(w, &http.Cookie{
+			Name:     unlockCookieName(box.ID),
+			Value:    a.uploadService.UnlockToken(box),
+			Path:     "/d/" + box.ID,
+			HttpOnly: true,
+			SameSite: http.SameSiteLaxMode,
+			Secure:   r.TLS != nil,
+			Expires:  box.ExpiresAt,
+		})
+		a.logger.Info("admin bypassed box password", "source", "admin", "severity", "user_activity", "code", 2302, "box_id", box.ID)
+	}
+
+	http.Redirect(w, r, "/d/"+box.ID, http.StatusSeeOther)
+}
+
 func (a *App) renderAdminLogin(w http.ResponseWriter, status int, message string) {
 	a.renderer.Render(w, status, "admin_login.html", web.PageData{
 		Title:       "Admin login",

backend/libs/handlers/app.go

@@ -32,6 +32,7 @@ func (a *App) RegisterRoutes(mux *http.ServeMux) {
 	mux.HandleFunc("POST /admin/logout", a.AdminLogout)
 	mux.HandleFunc("GET /admin", a.AdminDashboard)
 	mux.HandleFunc("GET /admin/files", a.AdminFiles)
+	mux.HandleFunc("GET /admin/boxes/{boxID}/view", a.AdminViewBox)
 	mux.HandleFunc("POST /admin/boxes/{boxID}/delete", a.AdminDeleteBox)
 	mux.HandleFunc("GET /d/{boxID}", a.DownloadPage)
 	mux.HandleFunc("POST /d/{boxID}/unlock", a.UnlockBox)