fix: use bind:group in UserGroupsSection to prevent admin permission loss

Replaced one-way checked={...} with bind:group={selected} driven by a
writable $derived. In Svelte 5, the $derived pattern guarantees the DOM
checked state is always in sync at FormData capture time, so groupIds
is never accidentally sent as [] when the admin edits their own profile.

Sending groupIds:[] causes adminUpdateUser to clear all groups, which
revokes the admin's own permissions on the next request.

Tests: UserServiceTest (+4 for adminUpdateUser group behaviour),
page.svelte.spec.ts (+1 FormData assertion at submit time).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

frontend/src/routes/admin/users/[id]/page.svelte.spec.ts

@@ -94,6 +94,14 @@ describe('Admin edit user page – rendering', () => {
 		expect(checkbox?.checked).toBe(false);
 	});
 
+	it('includes pre-selected group ids in FormData at submit time (guards against groupIds being empty)', async () => {
+		render(Page, { data: baseData, form: null });
+		const form = document.querySelector('form')!;
+		const formData = new FormData(form);
+		expect(formData.getAll('groupIds')).toContain('g1');
+		expect(formData.getAll('groupIds')).not.toContain('g2');
+	});
+
 	it('password fields are empty by default', async () => {
 		render(Page, { data: baseData, form: null });
 		const passwordInputs = document.querySelectorAll<HTMLInputElement>('input[type="password"]');