docs: v2 updates to Redundancy, ServiceHosting, security, README (Task 64)

- Redundancy.md: full rewrite — Akka-leader-driven ServiceLevel replaces
  operator-managed RedundancyRole. Documents the 5-tier ServiceLevelCalculator,
  RedundancyStateActor cluster singleton, and the DPS data flow.

- ServiceHosting.md: full rewrite — single fused OtOpcUa.Host binary with
  OTOPCUA_ROLES env gating. Documents the conditional DI graph and the new
  health endpoints (/health/ready, /health/active, /healthz).

- security.md: v2 banner at top covering path/project renames + new JWT bearer
  + DataProtection persisted to ConfigDb. Body unchanged because the 4-concern
  security model is unchanged in v2; full per-section rewrite waits for F15
  (Admin pages migration) since security.md references many pages that move.

- README.md: platform overview updated to v2 (fused Host + role gating).

docs/security.md

@@ -1,5 +1,19 @@
 # Security
 
+> **v2 status (2026-05-26).** The four security concerns below are unchanged in v2.
+> Paths + project names moved: `OtOpcUa.Server/Security/` → `OtOpcUa.Security/`
+> (`Ldap/`, `Jwt/`, `Endpoints/AuthEndpoints.cs`), `OtOpcUa.Admin` is gone (its
+> auth + role-grant pages live in `OtOpcUa.AdminUI`), and Admin auth policies
+> register in `OtOpcUa.Host/Program.cs` via `AddOtOpcUaAuth` rather than in a
+> separate Admin process. The v2 `Security:Jwt` section adds JWT bearer auth
+> alongside the existing cookie scheme (`AddJwtBearer` wired via
+> `IPostConfigureOptions<JwtBearerOptions>` in `OtOpcUa.Security`). DataProtection
+> keys persist to the shared `ConfigDb.DataProtectionKeys` table so cookies
+> survive failover between admin-role nodes.
+>
+> See `docs/plans/2026-05-26-akka-hosting-alignment-design.md` §5 for the v2
+> auth + DataProtection rationale.
+
 OtOpcUa has four independent security concerns. This document covers all four:
 
 1. **Transport security** — OPC UA secure channel (signing, encryption, X.509 trust).