feat(auth)!: ScadaBridge canonical roles + SoD collapse (Audit→Administrator, AuditReadOnly→Viewer) + config-DB migration (Task 1.7)

Standardize role string VALUES on the canonical vocabulary
(Administrator/Designer/Deployer/Viewer; Operator/Engineer unused here):
  Admin        -> Administrator
  Design       -> Designer
  Deployment   -> Deployer
  Audit        -> Administrator   (COLLAPSE; accepted privilege escalation)
  AuditReadOnly-> Viewer          (COLLAPSE; keeps audit-read, no export)

SoD: OperationalAuditRoles = { Administrator, Viewer },
     AuditExportRoles      = { Administrator }
so Viewer reads the audit log + nav but cannot bulk-export, while
Administrator does both + holds the full admin surface (the documented,
accepted auditor/admin SoD collapse).

Atomic move across every enforcement site:
- Roles constants; AuthorizationPolicies (RequireClaim values + SoD arrays +
  honest XML-doc); RoleMapper Deployer check.
- ManagementActor.GetRequiredRole switch + the hard-coded site-scope
  admin-bypass (now Roles.Administrator at all 6 sites). Site-scoping logic
  is otherwise unchanged.
- DebugStreamHub Administrator/Deployer gates (Deployer kept case-sensitive).
- CentralUI BrowseService/BindingTester Designer guards; LdapMappingForm
  dropdown now offers canonical values (incl. Viewer).
- Config-DB seed (LdapGroupMappings Id 1-4) + EF migration CanonicalizeRoles:
  Id-keyed UpdateData for seed rows + idempotent raw catch-all UPDATEs for
  operator-added rows. Down is lossy on the collapse (documented in-file).
  No pending model changes.

Tests reworked to the collapsed model across Security/CentralUI/
ManagementService/ConfigurationDatabase/Integration suites, incl. explicit
Viewer-reads-not-exports and former-Audit-now-Administrator-escalation cases.

CHANGELOG: BREAKING security note documenting the canonicalization + SoD
collapse.

src/ZB.MOM.WW.ScadaBridge.CentralUI/Components/Pages/Admin/LdapMappingForm.razor

@@ -30,11 +30,12 @@
                 <label class="form-label small">Role</label>
                 <select class="form-select form-select-sm" @bind="_formRole">
                     <option value="">Select role...</option>
-                    <option value="Admin">Admin</option>
-                    <option value="Design">Design</option>
-                    <option value="Deployment">Deployment</option>
+                    <option value="@Roles.Administrator">Administrator</option>
+                    <option value="@Roles.Designer">Designer</option>
+                    <option value="@Roles.Deployer">Deployer</option>
+                    <option value="@Roles.Viewer">Viewer</option>
                 </select>
-                <div class="form-text">Deployment role: configure site scope below after saving.</div>
+                <div class="form-text">Deployer role: configure site scope below after saving.</div>
             </div>
             @if (_formError != null)
             {

src/ZB.MOM.WW.ScadaBridge.CentralUI/Services/BindingTester.cs

@@ -36,11 +36,11 @@ public sealed class BindingTester : IBindingTester
         CancellationToken ct = default)
     {
         // CentralUI-side role guard — sites don't enforce envelope-level
-        // roles, so the Design check must happen here before any cross-cluster
+        // roles, so the Designer check must happen here before any cross-cluster
         // traffic. Use HasClaim against JwtTokenService.RoleClaimType (not
         // IsInRole, per c1e16cf).
         var state = await _auth.GetAuthenticationStateAsync();
-        if (!state.User.HasClaim(JwtTokenService.RoleClaimType, "Design"))
+        if (!state.User.HasClaim(JwtTokenService.RoleClaimType, Roles.Designer))
         {
             return new ReadTagValuesResult(
                 Array.Empty<TagReadOutcome>(),

src/ZB.MOM.WW.ScadaBridge.CentralUI/Services/BrowseService.cs

@@ -43,9 +43,9 @@ public sealed class BrowseService : IBrowseService
         CancellationToken cancellationToken = default)
     {
         // CentralUI-side role guard — sites don't enforce envelope-level roles,
-        // so the Design check must happen here before any cross-cluster traffic.
+        // so the Designer check must happen here before any cross-cluster traffic.
         var state = await _auth.GetAuthenticationStateAsync();
-        if (!state.User.HasClaim(JwtTokenService.RoleClaimType, "Design"))
+        if (!state.User.HasClaim(JwtTokenService.RoleClaimType, Roles.Designer))
         {
             return new BrowseNodeResult(
                 Array.Empty<BrowseNode>(),