feat: add additional admin users subcommands (#842)

## Summary

Adds admin user management commands to the tea CLI, enabling admins to create, edit, and delete user accounts.

## Features Added

### Admin User Management Commands

- **Create users**: `tea admin users create` - Create new user accounts with configurable options
- **Edit users**: `tea admin users edit <username>` - Update user properties including password, permissions, and profile settings
- **Delete users**: `tea admin users delete <username>` - Remove user accounts with confirmation prompt

### Implementation Details

#### Create Command (`admin users create`)
- Required: username
- Optional: email, full name, password
- Flags: admin, restricted, prohibit-login, visibility
- Password input: command-line flag, file, stdin, or interactive prompt with confirmation
- Default: users must change password on first login (use `--no-must-change-password` to skip)
- Post-creation updates for admin/restricted/prohibit-login (not available during creation)

#### Edit Command (`admin users edit`)
- Updates only explicitly provided fields (partial updates)
- Password change support with the same input methods as create
- Editable fields:
  - Profile: email, full name, description, website, location
  - Permissions: admin/restricted/active status
  - Settings: visibility, max repo creation limits
  - Advanced: git hooks, local imports, organization creation
- Default: password changes require password change on next login (use `--no-must-change-password` to skip)

#### Delete Command (`admin users delete`)
- Confirmation prompt by default
- `--confirm` flag to skip confirmation
- Displays user details before deletion

### Security Features

- Secure password input via interactive prompts (hidden input)
- Multiple password input methods: flag, file, stdin, interactive
- Password confirmation for interactive mode
- Whitespace trimming for file/stdin inputs

### Password Input Methods

1. **Command-line flag**: `--password <value>`
2. **File input**: `--password-file <file>` - Read from file
3. **Stdin input**: `--password-stdin` - Read from stdin
4. **Interactive prompt**: Automatically prompts if password not provided (with confirmation)

For edit command: Use `--password=""` to trigger interactive prompt.

## Usage Examples

```bash
# Create a new user
tea admin users create --username john --email john@example.com --admin --no-must-change-password

# Create with interactive password prompt
tea admin users create jane --email jane@example.com

# Edit user properties
tea admin users edit john --email newemail@example.com --restricted

# Change user password (will prompt if not provided)
tea admin users edit john --password=""
tea admin users edit john --password-file /path/to/password.txt

# Delete a user (with confirmation)
tea admin users delete olduser

# Delete without confirmation
tea admin users delete olduser --confirm
```

## Related Issue

Resolves #161

## Testing

- Unit tests for all commands
- Flag validation and default value tests
- Password input method tests (file, stdin, interactive)
- Test coverage for all user option structures
- Confirmation logic tests for delete command

## Technical Details

- Uses Gitea SDK `AdminCreateUser`, `AdminEditUser`, and `AdminDeleteUser` APIs
- Follows existing tea CLI patterns and conventions
- Handles fields not available during creation via post-creation updates
- Partial update support for edit command (only updates explicitly set fields)
- Consistent with other tea commands (webhooks, secrets) in password handling and confirmation patterns

All tests pass and the implementation integrates with existing tea CLI infrastructure.

---------

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Reviewed-on: https://gitea.com/gitea/tea/pulls/842
Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: ghainer <gehainer@gmail.com>
Co-committed-by: ghainer <gehainer@gmail.com>

tests/integration/admin_users_test.go

@@ -0,0 +1,139 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package integration
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+	"testing"
+	"time"
+
+	"code.gitea.io/sdk/gitea"
+	teacmd "code.gitea.io/tea/cmd"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func runAdminCommand(t *testing.T, args []string) error {
+	t.Helper()
+
+	adminCmd := teacmd.CmdAdmin
+	return adminCmd.Run(context.Background(), args)
+}
+
+func createAdminTestUser(t *testing.T, client *gitea.Client, username, password string) {
+	t.Helper()
+
+	mustChangePassword := false
+	user, _, err := client.AdminCreateUser(gitea.CreateUserOption{
+		LoginName:          username,
+		Username:           username,
+		Email:              username + "@example.com",
+		Password:           password,
+		MustChangePassword: &mustChangePassword,
+	})
+	require.NoError(t, err)
+	require.Equal(t, username, user.UserName)
+
+	t.Cleanup(func() {
+		if _, err := client.AdminDeleteUser(username); err != nil {
+			t.Logf("failed to delete integration test user %q: %v", username, err)
+		}
+	})
+}
+
+func TestAdminUsersCreateRequiresEmail(t *testing.T) {
+	login := createIntegrationLogin(t)
+
+	err := runAdminCommand(t, []string{
+		"admin", "users", "create",
+		"--username", fmt.Sprintf("create-no-email-%d", time.Now().UnixNano()),
+		"--password", "secret123",
+		"--login", login.Name,
+	})
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "email")
+}
+
+func TestAdminUsersCreateAndDelete(t *testing.T) {
+	login := createIntegrationLogin(t)
+	client := login.Client()
+	username := fmt.Sprintf("tea-admin-create-%d", time.Now().UnixNano())
+
+	err := runAdminCommand(t, []string{
+		"admin", "users", "create",
+		"--username", username,
+		"--email", username + "@example.com",
+		"--password", "secret123",
+		"--admin",
+		"--prohibit-login",
+		"--visibility", "limited",
+		"--login", login.Name,
+	})
+	require.NoError(t, err)
+
+	createdUser, _, err := client.GetUserInfo(username)
+	require.NoError(t, err)
+	assert.Equal(t, username, createdUser.UserName)
+	assert.Equal(t, username+"@example.com", createdUser.Email)
+	assert.True(t, createdUser.IsAdmin)
+	assert.True(t, createdUser.ProhibitLogin)
+	assert.Equal(t, gitea.VisibleTypeLimited, createdUser.Visibility)
+
+	err = runAdminCommand(t, []string{
+		"admin", "users", "delete", username,
+		"--confirm",
+		"--login", login.Name,
+	})
+	require.NoError(t, err)
+
+	_, _, err = client.GetUserInfo(username)
+	require.Error(t, err)
+}
+
+func TestAdminUsersEdit(t *testing.T) {
+	login := createIntegrationLogin(t)
+	client := login.Client()
+	username := fmt.Sprintf("tea-admin-edit-%d", time.Now().UnixNano())
+	oldPassword := "old-secret"
+	newPassword := "new-secret"
+	createAdminTestUser(t, client, username, oldPassword)
+
+	passwordFile := filepath.Join(t.TempDir(), "password.txt")
+	require.NoError(t, os.WriteFile(passwordFile, []byte(newPassword+"\n"), 0o600))
+
+	err := runAdminCommand(t, []string{
+		"admin", "users", "edit", username,
+		"--email", username + "+new@example.com",
+		"--full-name", "Tea Integration",
+		"--restricted",
+		"--password-file", passwordFile,
+		"--no-must-change-password",
+		"--visibility", "private",
+		"--login", login.Name,
+	})
+	require.NoError(t, err)
+
+	updatedUser, _, err := client.GetUserInfo(username)
+	require.NoError(t, err)
+	assert.Equal(t, username+"+new@example.com", updatedUser.Email)
+	assert.Equal(t, "Tea Integration", updatedUser.FullName)
+	assert.True(t, updatedUser.IsActive)
+	assert.True(t, updatedUser.Restricted)
+	assert.False(t, updatedUser.ProhibitLogin)
+	assert.Equal(t, gitea.VisibleTypePrivate, updatedUser.Visibility)
+
+	passwordClient, err := gitea.NewClient(
+		integrationGiteaURL,
+		gitea.SetBasicAuth(username, newPassword),
+		gitea.SetGiteaVersion(""),
+	)
+	require.NoError(t, err)
+
+	me, _, err := passwordClient.GetMyUserInfo()
+	require.NoError(t, err)
+	assert.Equal(t, username, me.UserName)
+}