chore: remove Dart-only admin profile service; use Edge Function for lock operations

lib/utils/lock_enforcer.dart

@@ -3,21 +3,38 @@ import 'package:supabase_flutter/supabase_flutter.dart';
 /// Call after sign-in and on app start to enforce app-level profile lock.
 /// If the user's `profiles.is_locked` flag is true, this signs out the user.
 Future<void> enforceLockForCurrentUser(SupabaseClient supabase) async {
-  final user = supabase.auth.currentUser;
+  final current = supabase.auth.currentUser;
-  if (user == null) return;
+  if (current == null) return;
 
   try {
-    final record = await supabase
+    // Fetch the authoritative user record from the auth API and inspect
-        .from('profiles')
+    // `banned_until`. This is the canonical source after an admin `set_lock`.
-        .select('is_locked')
+    final resp = await supabase.auth.getUser();
-        .eq('id', user.id)
+    final user = resp.user;
-        .maybeSingle();
+    if (user == null) return;
 
-    if (record == null) return;
+    dynamic bannedRaw;
-    if (record['is_locked'] == true) {
+    try {
+      // Support multiple SDK shapes: `bannedUntil`, `banned_until`, or rawData
+      bannedRaw =
+          (user as dynamic).bannedUntil ??
+          (user as dynamic).rawData?['banned_until'] ??
+          (user as dynamic).banned_until;
+    } catch (_) {
+      bannedRaw = null;
+    }
+
+    DateTime? bannedUntil;
+    if (bannedRaw is String) {
+      bannedUntil = DateTime.tryParse(bannedRaw);
+    } else if (bannedRaw is DateTime) {
+      bannedUntil = bannedRaw;
+    }
+
+    if (bannedUntil != null && bannedUntil.isAfter(DateTime.now())) {
       await supabase.auth.signOut();
     }
   } catch (_) {
-    // swallow; enforcement is a best-effort client-side check
+    // swallow; enforcement is best-effort on the client
   }
 }