feat(deploy): Traefik active-leader routing + docker-dev compose (Task 63)

- scripts/install/traefik.yml + traefik-dynamic.yml: Traefik static + dynamic
  config. One :80 entry point, one router on HostRegexp(otopcua.*), one
  service load-balancing admin-a:9000 + admin-b:9000 with /health/active health
  check (interval 5s, timeout 2s, expected 200). Followers return 503 from
  /health/active so Traefik drops them within the next interval after a
  leadership change.

- scripts/install/Install-Traefik.ps1: downloads Traefik for Windows, drops the
  yml configs, registers the OtOpcUaTraefik Windows service via sc.exe with
  restart-on-failure. Companion to Install-Services.ps1.

- docker-dev/{Dockerfile,docker-compose.yml,traefik-dynamic.yml,README.md}:
  Mac-friendly four-node fleet (admin-a + admin-b + driver-a + driver-b) plus
  SQL Server 2022 + OpenLDAP + Traefik. Single OtOpcUa.Host image built once;
  Compose drives OTOPCUA_ROLES + Cluster:* per container to differentiate the
  four hosts. README walks through bring-up + failover smoke + the dev LDAP
  users.

Note: untested on macOS (no local Docker — see docs/v2/dev-environment.md).

scripts/install/traefik.yml

@@ -0,0 +1,30 @@
+# Traefik static configuration for the OtOpcUa fleet HTTP front door.
+#
+# Routes admin-role HTTP traffic (Blazor + auth + SignalR + /auth/*) to whichever
+# OtOpcUa.Host node currently holds the admin role-leader. Uses the /health/active
+# endpoint as the active-leader signal: a node returns 200 only when it is the
+# Akka admin role-leader; followers return 503 and Traefik routes around them.
+#
+# OPC UA traffic is NOT routed through Traefik — clients connect directly to
+# opc.tcp://node:4840 on every driver node and use the standard ServiceLevel
+# heuristic for failover.
+
+entryPoints:
+  web:
+    address: ":80"
+
+providers:
+  file:
+    filename: /etc/traefik/dynamic.yml
+    watch: true
+
+api:
+  insecure: true
+  dashboard: true
+
+log:
+  level: INFO
+  format: common
+
+accessLog:
+  format: common