feat(core)!: introduce runtime extension registry and flat module conventions

BREAKING CHANGE: sup config now derives entries from package.json#exports and a server/client glob instead of manual lists; module structure follows flat + barrel convention with .server.js/.client.js runtime suffixes

src/features/admin/protect.js

@@ -2,35 +2,18 @@ import { getSession } from '@zen/core/features/auth/actions';
 import { hasPermission, PERMISSIONS } from '@zen/core/users';
 import { redirect } from 'next/navigation';
 
-/**
- * Protect an admin page - requires authentication and admin.access permission.
- * Use this in server components to require admin access.
- */
-async function protectAdmin(options = {}) {
-  const { redirectTo = '/auth/login', forbiddenRedirect = '/' } = options;
-
+export async function protectAdmin({ redirectTo = '/auth/login', forbiddenRedirect = '/' } = {}) {
   const session = await getSession();
-
-  if (!session) {
-    redirect(redirectTo);
-  }
+  if (!session) redirect(redirectTo);
 
   const allowed = await hasPermission(session.user.id, PERMISSIONS.ADMIN_ACCESS);
-  if (!allowed) {
-    redirect(forbiddenRedirect);
-  }
+  if (!allowed) redirect(forbiddenRedirect);
 
   return session;
 }
 
-/**
- * Check if the current user has admin.access permission.
- * Non-redirecting check for conditional rendering.
- */
-async function isAdmin() {
+export async function isAdmin() {
   const session = await getSession();
   if (!session) return false;
   return hasPermission(session.user.id, PERMISSIONS.ADMIN_ACCESS);
 }
-
-export { protectAdmin, isAdmin };