fix(admin): register /waf-tokens with SPA fallback handler

[toufali]

Because

• Hard reloading or directly visiting /waf-tokens returned 404 Cannot GET /waf-tokens because the path was missing from the SPA route allowlist in packages/fxa-admin-panel/server/lib/server.ts.

This pull request

• Adds /waf-tokens to the route array so the server falls through to index.html for that path.

Issue that this pull request solves

Closes: FXA-13701

Checklist

• My commit is GPG signed.
• If applicable, I have modified or added tests which pass locally.
• I have added necessary documentation (if appropriate).
• I have verified that my changes render correctly in RTL (if appropriate).
• I have manually reviewed all AI generated code.

How to review (Optional)

• To repro the original bug: check out main, run the admin panel, navigate to /waf-tokens via the nav (works), then hard reload — you'll see the 404.

[Copilot]

Pull request overview

Registers the /waf-tokens admin-panel SPA route with the server-side fallback handler so direct navigation or hard reload serves index.html instead of returning a 404.

Changes:

• Add /waf-tokens to the SPA route allowlist used by the Express server’s index.html fallback.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.