M1+M2+M10 (CC2 R3): JWT auth + admin users + GDPR backend

- auth/auth_v2.py: JWT login/refresh/logout/me + bcrypt + tenant_id/role/tier claims
- auth/admin_users.py: /api/admin/users CRUD + invite/role/suspend + bulk CSV
- auth/gdpr.py: cookie consent + Art.20 export + Art.17 erasure + admin queue
- auth/seed_demo.py: 3 demo tenants + 4 users (damir@pgz.hr / PGZ2026!)
- Removed legacy /api/auth/login + /api/auth/me from pgz_sport_api.py
- Wired auth/admin/gdpr routers into FastAPI

5/5 live curl tests pass: damir@pgz.hr login → JWT with tenant_id=1, role=pgz_admin, tier=0

static/sport2.html

@@ -219,7 +219,7 @@ a.tag:hover,.tag[onclick]:hover{transform:translateY(-1px);filter:brightness(1.1
     <div class="sb-h">
       <div class="logo">PGŽ <span class="g">SPORT</span></div>
       <div class="sub">Primorsko-goranska županija</div>
-      <div class="sb-toggle" id="sb-toggle" onclick="toggleSidebar()" title="Skupi/raširi">⮜</div>
+      <div class="sb-toggle" id="sb-toggle" onclick="toggleSidebar()" title="Skupi/raširi sidebar">≡</div>
     </div>
     <nav class="sb-nav" id="nav"></nav>
     <div class="sb-foot">v2.0 · 2026</div>
@@ -475,7 +475,7 @@ function toggleSidebar(){
   const tg = document.getElementById('sb-toggle');
   if(!sb) return;
   const isCollapsed = sb.classList.toggle('collapsed');
-  if(tg) tg.textContent = isCollapsed ? '⮞' : '⮜';
+  if(tg) tg.textContent = '≡';
   try { localStorage.setItem('sidebar-state', isCollapsed ? 'collapsed' : 'expanded'); } catch(e){}
 }
 function restoreSidebar(){
@@ -485,7 +485,7 @@ function restoreSidebar(){
       const sb = document.getElementById('sb');
       const tg = document.getElementById('sb-toggle');
       if(sb) sb.classList.add('collapsed');
-      if(tg) tg.textContent = '⮞';
+      if(tg) tg.textContent = '≡';
     }
   } catch(e){}
 }