fix(security): restrict auth-config mutations to Admin role (#5)

Restrict manager-wide authentication configuration mutations (OIDC, SMTP, IP allowlist) to Admin role. Operators now receive 403 forbidden_role.

- New admin_required helper in settings.rs
- 4 gate changes: update_settings, discover_oidc, test_oidc, update_ip_whitelist
- 5 new AuditAction variants + migration 019
- SPA friendly error message on 403
- 3 admin_required unit tests pass (43/43)
- Full integration tests deferred to issue #15

Closes #5

crates/pm-core/src/audit.rs

@@ -51,6 +51,12 @@ pub enum AuditAction {
     HealthCheckUpdated,
     HealthCheckDeleted,
     CertificateReissued,
+    // Issue #5: Manager-wide auth-config mutations (Admin-only)
+    OidcConfigUpdated,
+    SmtpConfigUpdated,
+    IpWhitelistUpdated,
+    OidcTestPerformed,
+    OidcDiscoverPerformed,
 }
 
 impl AuditAction {
@@ -88,6 +94,12 @@ impl AuditAction {
             Self::HealthCheckUpdated => "health_check_updated",
             Self::HealthCheckDeleted => "health_check_deleted",
             Self::CertificateReissued => "certificate_reissued",
+            // Issue #5: Manager-wide auth-config mutations (Admin-only)
+            Self::OidcConfigUpdated => "oidc_config_updated",
+            Self::SmtpConfigUpdated => "smtp_config_updated",
+            Self::IpWhitelistUpdated => "ip_whitelist_updated",
+            Self::OidcTestPerformed => "oidc_test_performed",
+            Self::OidcDiscoverPerformed => "oidc_discover_performed",
         }
     }
 }