feat(auth)!: OtOpcUa canonical control-plane roles + config-DB migration (Task 1.7)

Standardize the control-plane admin role VALUES on the canonical six
(ZB.MOM.WW.Auth CanonicalRole). OtOpcUa uses four:
  ConfigViewer   -> Viewer
  ConfigEditor   -> Designer
  FleetAdmin     -> Administrator
  DriverOperator -> Operator   (appsettings-only string role)

This is a rename, not a permission change: enforcement semantics are
preserved (whoever could deploy/administer/operate before still can).

- AdminRole enum members renamed (persisted as string names via
  HasConversion<string>); RoleGrants.razor dropdown default updated.
- EF DATA migration CanonicalizeAdminRoles rewrites existing
  LdapGroupRoleMapping.Role rows old->new (Up) and back (Down); schema /
  model snapshot byte-identical (no pending model changes).
- Enforcement role STRINGS canonicalized:
  * Security policies keep their NAMES ("DriverOperator"/"FleetAdmin")
    but require canonical roles: RequireRole("Operator","Administrator")
    and RequireRole("Administrator").
  * Deployments.razor [Authorize(Roles="Administrator,Designer")].
  * DevStub now grants "Administrator"; LdapOptions/doc-comment examples
    canonicalized.
- Data-plane authorization (NodePermissions/NodeAcl/IPermissionEvaluator/
  TriePermissionEvaluator/UserAuthorizationState) UNTOUCHED.
- New CanonicalAdminRolesTests pins canonical claim values end-to-end and
  the real registered policies; existing role-string tests updated.

tests/Server/ZB.MOM.WW.OtOpcUa.Security.Tests/OtOpcUaGroupRoleMapperTests.cs

@@ -31,11 +31,11 @@ public sealed class OtOpcUaGroupRoleMapperTests
     [Fact]
     public async Task Maps_config_group_and_drops_unmapped_group()
     {
-        var mapper = Build(new Dictionary<string, string> { ["AdminGroup"] = "FleetAdmin" });
+        var mapper = Build(new Dictionary<string, string> { ["AdminGroup"] = "Administrator" });
 
         var result = await mapper.MapAsync(["AdminGroup", "UnmappedGroup"], CancellationToken.None);
 
-        result.Roles.ShouldBe(["FleetAdmin"]);
+        result.Roles.ShouldBe(["Administrator"]);
         result.Scope.ShouldBeNull();
     }
 
@@ -43,13 +43,13 @@ public sealed class OtOpcUaGroupRoleMapperTests
     public async Task System_wide_db_row_adds_role_on_top_of_config_baseline()
     {
         var mapper = Build(
-            new Dictionary<string, string> { ["viewers"] = "ConfigViewer" },
-            new LdapGroupRoleMapping { LdapGroup = "admins", Role = AdminRole.FleetAdmin, IsSystemWide = true });
+            new Dictionary<string, string> { ["viewers"] = "Viewer" },
+            new LdapGroupRoleMapping { LdapGroup = "admins", Role = AdminRole.Administrator, IsSystemWide = true });
 
         var result = await mapper.MapAsync(["viewers", "admins"], CancellationToken.None);
 
-        result.Roles.ShouldContain("ConfigViewer");
-        result.Roles.ShouldContain("FleetAdmin");
+        result.Roles.ShouldContain("Viewer");
+        result.Roles.ShouldContain("Administrator");
         result.Scope.ShouldBeNull();
     }
 
@@ -61,14 +61,14 @@ public sealed class OtOpcUaGroupRoleMapperTests
             new LdapGroupRoleMapping
             {
                 LdapGroup = "site-a-editors",
-                Role = AdminRole.ConfigEditor,
+                Role = AdminRole.Designer,
                 IsSystemWide = false,
                 ClusterId = "SITE-A",
             });
 
         var result = await mapper.MapAsync(["site-a-editors"], CancellationToken.None);
 
-        result.Roles.ShouldNotContain("ConfigEditor");
+        result.Roles.ShouldNotContain("Designer");
         result.Roles.ShouldBeEmpty();
     }
 
@@ -77,13 +77,13 @@ public sealed class OtOpcUaGroupRoleMapperTests
     {
         var groupToRole = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
         {
-            ["viewers"] = "ConfigViewer",
-            ["editors"] = "ConfigEditor",
+            ["viewers"] = "Viewer",
+            ["editors"] = "Designer",
         };
         var dbRows = new[]
         {
-            new LdapGroupRoleMapping { LdapGroup = "admins", Role = AdminRole.FleetAdmin, IsSystemWide = true },
-            new LdapGroupRoleMapping { LdapGroup = "site-a", Role = AdminRole.ConfigEditor, IsSystemWide = false, ClusterId = "SITE-A" },
+            new LdapGroupRoleMapping { LdapGroup = "admins", Role = AdminRole.Administrator, IsSystemWide = true },
+            new LdapGroupRoleMapping { LdapGroup = "site-a", Role = AdminRole.Designer, IsSystemWide = false, ClusterId = "SITE-A" },
         };
         var groups = new[] { "viewers", "editors", "admins", "site-a", "noise" };