fix(security): restrict auth-config mutations to Admin role (#5)

Restrict manager-wide authentication configuration mutations (OIDC, SMTP, IP allowlist) to Admin role. Operators now receive 403 forbidden_role.

- New admin_required helper in settings.rs
- 4 gate changes: update_settings, discover_oidc, test_oidc, update_ip_whitelist
- 5 new AuditAction variants + migration 019
- SPA friendly error message on 403
- 3 admin_required unit tests pass (43/43)
- Full integration tests deferred to issue #15

Closes #5

migrations/019_auth_config_audit_actions.sql

@@ -0,0 +1,12 @@
+-- Migration: 019_auth_config_audit_actions
+-- Description: Add audit_action enum values for Manager-wide auth-config
+--              mutations (issue #5). These are gated behind Admin role
+--              and audit-logged with the acting user, the keys changed,
+--              and (for OIDC) a flag indicating whether client_secret was
+--              rotated (the secret value itself is never logged).
+
+ALTER TYPE audit_action ADD VALUE IF NOT EXISTS 'oidc_config_updated';
+ALTER TYPE audit_action ADD VALUE IF NOT EXISTS 'smtp_config_updated';
+ALTER TYPE audit_action ADD VALUE IF NOT EXISTS 'ip_whitelist_updated';
+ALTER TYPE audit_action ADD VALUE IF NOT EXISTS 'oidc_test_performed';
+ALTER TYPE audit_action ADD VALUE IF NOT EXISTS 'oidc_discover_performed';