docs(security): document dev disable-login flag + ship default-false config key

Adds a "Dev Disable-Login Flag" subsection to Component-Security.md covering
ScadaBridge:Security:Auth:DisableLogin / User, the AutoLoginAuthenticationHandler
mechanism, and the no-environment-guard / startup-warning production risk.

Ships DisableLogin: false under ScadaBridge → Security → Auth in:
  - src/.../Host/appsettings.json (canonical default)
  - docker/central-node-a/appsettings.Central.json
  - docker/central-node-b/appsettings.Central.json

Also records DL-3 commit SHAs in the plan tasks file.

docker/central-node-a/appsettings.Central.json

@@ -31,6 +31,10 @@
         "ServiceAccountDn": "cn=serviceaccount,dc=zb,dc=local",
         "ServiceAccountPassword": "serviceaccount123"
       },
+      "Auth": {
+        "DisableLogin": false,
+        "User": "multi-role"
+      },
       "JwtSigningKey": "scadabridge-dev-jwt-signing-key-must-be-at-least-32-characters-long",
       "JwtExpiryMinutes": 15,
       "IdleTimeoutMinutes": 30,