review(ControlPlane): fix premature deploy-seal from unexpected-node ack

Review at HEAD 7286d320. ControlPlane-001 (Medium): ConfigPublishCoordinator.HandleAck
now discards acks from nodes not in _expectedAcks (prevented premature SealDeployment) +
regression test. -002 (flipped-node log count), -003 (redundant mapper arms) tidied.

src/Server/ZB.MOM.WW.OtOpcUa.ControlPlane/Audit/AuditOutcomeMapper.cs

@@ -29,16 +29,10 @@ public static class AuditOutcomeMapper
     public static AuditOutcome FromAction(string action) => action switch
     {
         "OpcUaAccessDenied" or "CrossClusterNamespaceAttempt" => AuditOutcome.Denied,
-        "DraftCreated"
-            or "DraftEdited"
-            or "Published"
-            or "RolledBack"
-            or "NodeApplied"
-            or "ClusterCreated"
-            or "NodeAdded"
-            or "CredentialAdded"
-            or "CredentialDisabled"
-            or "ExternalIdReleased" => AuditOutcome.Success,
+        // All other known config-write verbs (DraftCreated, DraftEdited, Published, RolledBack,
+        // NodeApplied, ClusterCreated, NodeAdded, CredentialAdded, CredentialDisabled,
+        // ExternalIdReleased) and any future verbs default to Success — config writes are the
+        // overwhelming majority and the only non-success cases are the two Denied entries above.
         _ => AuditOutcome.Success,
     };
 }