feat(auth)!: ScadaBridge canonical roles + SoD collapse (Audit→Administrator, AuditReadOnly→Viewer) + config-DB migration (Task 1.7)

Standardize role string VALUES on the canonical vocabulary
(Administrator/Designer/Deployer/Viewer; Operator/Engineer unused here):
  Admin        -> Administrator
  Design       -> Designer
  Deployment   -> Deployer
  Audit        -> Administrator   (COLLAPSE; accepted privilege escalation)
  AuditReadOnly-> Viewer          (COLLAPSE; keeps audit-read, no export)

SoD: OperationalAuditRoles = { Administrator, Viewer },
     AuditExportRoles      = { Administrator }
so Viewer reads the audit log + nav but cannot bulk-export, while
Administrator does both + holds the full admin surface (the documented,
accepted auditor/admin SoD collapse).

Atomic move across every enforcement site:
- Roles constants; AuthorizationPolicies (RequireClaim values + SoD arrays +
  honest XML-doc); RoleMapper Deployer check.
- ManagementActor.GetRequiredRole switch + the hard-coded site-scope
  admin-bypass (now Roles.Administrator at all 6 sites). Site-scoping logic
  is otherwise unchanged.
- DebugStreamHub Administrator/Deployer gates (Deployer kept case-sensitive).
- CentralUI BrowseService/BindingTester Designer guards; LdapMappingForm
  dropdown now offers canonical values (incl. Viewer).
- Config-DB seed (LdapGroupMappings Id 1-4) + EF migration CanonicalizeRoles:
  Id-keyed UpdateData for seed rows + idempotent raw catch-all UPDATEs for
  operator-added rows. Down is lossy on the collapse (documented in-file).
  No pending model changes.

Tests reworked to the collapsed model across Security/CentralUI/
ManagementService/ConfigurationDatabase/Integration suites, incl. explicit
Viewer-reads-not-exports and former-Audit-now-Administrator-escalation cases.

CHANGELOG: BREAKING security note documenting the canonicalization + SoD
collapse.

tests/ZB.MOM.WW.ScadaBridge.CentralUI.Tests/Pages/Design/TransportExportPageTests.cs

@@ -88,7 +88,7 @@ public class TransportExportPageTests : BunitContext
                 SourceEnvironment = "test-cluster",
             }));
 
-        var principal = BuildPrincipal("alice", "Design");
+        var principal = BuildPrincipal("alice", "Designer");
         Services.AddSingleton<AuthenticationStateProvider>(new TestAuthStateProvider(principal));
         Services.AddAuthorizationCore();
     }
@@ -304,8 +304,8 @@ public class TransportExportPageTests : BunitContext
         using var provider = services.BuildServiceProvider();
         var authService = provider.GetRequiredService<IAuthorizationService>();
 
-        // Audit-only user — has a role but it isn't Design.
-        var principal = BuildPrincipal("bob", "Audit");
+        // Administrator user — has a role but it isn't Designer.
+        var principal = BuildPrincipal("bob", "Administrator");
         var result = await authService.AuthorizeAsync(
             principal, null, AuthorizationPolicies.RequireDesign);
 

tests/ZB.MOM.WW.ScadaBridge.CentralUI.Tests/Pages/Design/TransportImportPageTests.cs

@@ -62,7 +62,7 @@ public class TransportImportPageTests : BunitContext
         dbContext.Database.EnsureCreated();
         Services.AddSingleton(dbContext);
 
-        var principal = BuildPrincipal("alice", "Admin");
+        var principal = BuildPrincipal("alice", "Administrator");
         Services.AddSingleton<AuthenticationStateProvider>(new TestAuthStateProvider(principal));
         Services.AddAuthorizationCore();
     }
@@ -299,7 +299,7 @@ public class TransportImportPageTests : BunitContext
         var authService = provider.GetRequiredService<IAuthorizationService>();
 
         // Design-only user — has a role but it isn't Admin.
-        var principal = BuildPrincipal("bob", "Design");
+        var principal = BuildPrincipal("bob", "Designer");
         var result = await authService.AuthorizeAsync(
             principal, null, AuthorizationPolicies.RequireAdmin);