docs(audit): apply per-cluster judgment fixes across living docs

Resolve audit findings: correct WorkerEnvelope proto/route/metric/session
facts; rewrite auth (ZB.MOM.WW.Auth migration), dashboard (ZB.MOM.WW.Theme),
and StyleGuide (foreign-project copy-paste); document alarm subsystem, Ldap
options, and gateway alarm broker; fix client CLI flags and package paths.

gateway.md

@@ -145,9 +145,10 @@ for the alarm subsystem.
 
 Dashboard authentication is LDAP-backed (distinct from the API-key model on
 the gRPC API). `/login` accepts username and password in a form body, binds
-against `MxGateway:Ldap`, maps the user's LDAP groups to `Admin` or `Viewer`
-via `MxGateway:Dashboard:GroupToRole`, and issues an HTTP-only secure
-`__Host-MxGatewayDashboard` cookie. `/logout` clears it. Login and logout
+against `MxGateway:Ldap`, maps the user's LDAP groups to `Administrator` or
+`Viewer` via `MxGateway:Dashboard:GroupToRole`, and issues an HTTP-only secure
+`MxGatewayDashboard` cookie (the name is configurable via
+`MxGateway:Dashboard:CookieName`). `/logout` clears it. Login and logout
 posts validate antiforgery tokens. SignalR hub connections accept either the
 cookie or a 30-minute data-protected bearer minted at `/hubs/token`.
 `MxGateway:Dashboard:AllowAnonymousLocalhost` permits loopback to bypass the
@@ -232,27 +233,35 @@ message WorkerEnvelope {
   uint32 protocol_version = 1;
   string session_id = 2;
   uint64 sequence = 3;
-  uint64 correlation_id = 4;
+  string correlation_id = 4;
+
   oneof body {
-    WorkerHello worker_hello = 10;
-    GatewayHello gateway_hello = 11;
+    GatewayHello gateway_hello = 10;
+    WorkerHello worker_hello = 11;
     WorkerReady worker_ready = 12;
-    WorkerCommand command = 20;
-    WorkerCommandReply command_reply = 21;
-    WorkerEvent event = 22;
-    WorkerHeartbeat heartbeat = 23;
-    WorkerCancel cancel = 24;
-    WorkerShutdown shutdown = 25;
-    WorkerFault fault = 26;
+    WorkerCommand worker_command = 13;
+    WorkerCommandReply worker_command_reply = 14;
+    WorkerCancel worker_cancel = 15;
+    WorkerShutdown worker_shutdown = 16;
+    WorkerShutdownAck worker_shutdown_ack = 17;
+    WorkerEvent worker_event = 18;
+    WorkerHeartbeat worker_heartbeat = 19;
+    WorkerFault worker_fault = 20;
   }
 }
 ```
 
+The contract evolves additively only: field numbers and enum values are never
+renumbered or repurposed, so a stale gateway and worker that disagree on the
+newest tags still decode the fields they share. `correlation_id` is a `string`
+(not a numeric id) because it is the same correlation token the public gRPC API
+carries end to end, so the worker never has to translate id formats.
+
 Rules:
 
 - `sequence` is monotonic per sender.
 - `correlation_id` links commands to replies.
-- Events use their own correlation id or zero.
+- Events carry their own correlation id or an empty string.
 - Replies must preserve MXAccess HRESULT/status information even when the
   command is also represented as a protocol-level failure.
 - Protocol version mismatch fails session creation.
@@ -659,8 +668,10 @@ External gateway:
 - authenticate v1 gRPC clients with `authorization: Bearer
   mxgw_<key-id>_<secret>` API-key metadata,
 - reject missing or invalid API keys with gRPC `Unauthenticated`,
-- reject valid keys that lack the required session, invoke, event, metadata, or
-  admin scope with gRPC `PermissionDenied`,
+- reject valid keys that lack the required scope with gRPC `PermissionDenied`.
+  Scopes are fine-grained: `session:open`, `session:close`, `invoke:read`,
+  `invoke:write`, `invoke:secure`, `events:read`, `metadata:read`, and `admin`
+  (see `GatewayScopes`),
 - authorize access to commands that can write, authenticate users, expose
   metadata, stream events, or alter runtime state.
 
@@ -901,6 +912,7 @@ State machine:
 Creating
   -> StartingWorker
   -> WaitingForPipe
+  -> Handshaking
   -> InitializingWorker
   -> Ready
   -> Closing