feat(auth)!: ScadaBridge canonical roles + SoD collapse (Audit→Administrator, AuditReadOnly→Viewer) + config-DB migration (Task 1.7)

Standardize role string VALUES on the canonical vocabulary
(Administrator/Designer/Deployer/Viewer; Operator/Engineer unused here):
  Admin        -> Administrator
  Design       -> Designer
  Deployment   -> Deployer
  Audit        -> Administrator   (COLLAPSE; accepted privilege escalation)
  AuditReadOnly-> Viewer          (COLLAPSE; keeps audit-read, no export)

SoD: OperationalAuditRoles = { Administrator, Viewer },
     AuditExportRoles      = { Administrator }
so Viewer reads the audit log + nav but cannot bulk-export, while
Administrator does both + holds the full admin surface (the documented,
accepted auditor/admin SoD collapse).

Atomic move across every enforcement site:
- Roles constants; AuthorizationPolicies (RequireClaim values + SoD arrays +
  honest XML-doc); RoleMapper Deployer check.
- ManagementActor.GetRequiredRole switch + the hard-coded site-scope
  admin-bypass (now Roles.Administrator at all 6 sites). Site-scoping logic
  is otherwise unchanged.
- DebugStreamHub Administrator/Deployer gates (Deployer kept case-sensitive).
- CentralUI BrowseService/BindingTester Designer guards; LdapMappingForm
  dropdown now offers canonical values (incl. Viewer).
- Config-DB seed (LdapGroupMappings Id 1-4) + EF migration CanonicalizeRoles:
  Id-keyed UpdateData for seed rows + idempotent raw catch-all UPDATEs for
  operator-added rows. Down is lossy on the collapse (documented in-file).
  No pending model changes.

Tests reworked to the collapsed model across Security/CentralUI/
ManagementService/ConfigurationDatabase/Integration suites, incl. explicit
Viewer-reads-not-exports and former-Audit-now-Administrator-escalation cases.

CHANGELOG: BREAKING security note documenting the canonicalization + SoD
collapse.

tests/ZB.MOM.WW.ScadaBridge.Security.Tests/ScadaBridgeGroupRoleMapperTests.cs

@@ -68,8 +68,8 @@ public class ScadaBridgeGroupRoleMapperTests
         // Two matched mappings: an Admin group and a site-scoped Deployment group.
         var mappings = new List<LdapGroupMapping>
         {
-            Mapping(1, "SCADA-Admins", Roles.Admin),
-            Mapping(2, "SiteDeployers", Roles.Deployment),
+            Mapping(1, "SCADA-Admins", Roles.Administrator),
+            Mapping(2, "SiteDeployers", Roles.Deployer),
         };
         var scopeRules = new Dictionary<int, IReadOnlyList<SiteScopeRule>>
         {
@@ -91,8 +91,8 @@ public class ScadaBridgeGroupRoleMapperTests
 
         // Roles: same set as RoleMapper.
         Assert.Equal(expected.Roles.OrderBy(r => r), mapping.Roles.OrderBy(r => r));
-        Assert.Contains(Roles.Admin, mapping.Roles);
-        Assert.Contains(Roles.Deployment, mapping.Roles);
+        Assert.Contains(Roles.Administrator, mapping.Roles);
+        Assert.Contains(Roles.Deployer, mapping.Roles);
 
         // Scope: carries the full RoleMappingResult (no site-scope info lost).
         var scope = Assert.IsType<RoleMappingResult>(mapping.Scope);
@@ -109,7 +109,7 @@ public class ScadaBridgeGroupRoleMapperTests
         // Unscoped Deployment mapping -> system-wide, empty PermittedSiteIds.
         var mappings = new List<LdapGroupMapping>
         {
-            Mapping(1, "GlobalDeployers", Roles.Deployment),
+            Mapping(1, "GlobalDeployers", Roles.Deployer),
         };
         var repo = new FakeSecurityRepository(mappings, new Dictionary<int, IReadOnlyList<SiteScopeRule>>());
         var roleMapper = new RoleMapper(repo);
@@ -117,7 +117,7 @@ public class ScadaBridgeGroupRoleMapperTests
 
         var mapping = await sut.MapAsync(new[] { "GlobalDeployers" }, CancellationToken.None);
 
-        Assert.Contains(Roles.Deployment, mapping.Roles);
+        Assert.Contains(Roles.Deployer, mapping.Roles);
         var scope = Assert.IsType<RoleMappingResult>(mapping.Scope);
         Assert.True(scope.IsSystemWideDeployment);
         Assert.Empty(scope.PermittedSiteIds);
@@ -134,7 +134,7 @@ public class ScadaBridgeGroupRoleMapperTests
         // shared LDAP service fail-closes a zero-GROUP LDAP result before it ever reaches
         // the mapper.
         var repo = new FakeSecurityRepository(
-            new List<LdapGroupMapping> { Mapping(1, "SCADA-Admins", Roles.Admin) },
+            new List<LdapGroupMapping> { Mapping(1, "SCADA-Admins", Roles.Administrator) },
             new Dictionary<int, IReadOnlyList<SiteScopeRule>>());
         var sut = new ScadaBridgeGroupRoleMapper(new RoleMapper(repo));
 
@@ -154,7 +154,7 @@ public class ScadaBridgeGroupRoleMapperTests
         // yields zero roles (not an error) — the mapper is the authoritative empty-roles
         // boundary now that the LDAP service no longer admits zero-group successes.
         var repo = new FakeSecurityRepository(
-            new List<LdapGroupMapping> { Mapping(1, "SCADA-Admins", Roles.Admin) },
+            new List<LdapGroupMapping> { Mapping(1, "SCADA-Admins", Roles.Administrator) },
             new Dictionary<int, IReadOnlyList<SiteScopeRule>>());
         var sut = new ScadaBridgeGroupRoleMapper(new RoleMapper(repo));