fix(e2e): resolve shard 4 failures from 3-tier role model changes

Three tests broke when the Admin/User/Passthrough privilege model replaced
the old admin/user/guest hierarchy in PR-3.

- user-management: tighten heading locator to name='User Management' to avoid
  strict mode violation; the settings layout now renders a second h1
  ('Settings') alongside the page content heading
- user-lifecycle: update audit trail assertion from 2 to 1; users are now
  created with a role in a single API call so the backend does not emit a
  user_update audit entry when STEP 2 sends the same role value as creation
- auth-fixtures: replace invalid role='guest' with role='passthrough' in the
  guestUser fixture; the 'guest' role was removed in PR-3 and 'passthrough' is
  the equivalent lowest-privilege role in the new model

Verified: all three previously-failing tests now pass locally.

tests/fixtures/auth-fixtures.ts

@@ -403,19 +403,20 @@ export const test = base.extend<AuthFixtures>({
   },
 
   /**
-   * Guest user (read-only) fixture
-   * Use for testing read-only access
+   * Guest user (restricted access) fixture — using 'passthrough' role
+   * (the 'guest' role was removed in PR-3; 'passthrough' is the equivalent
+   * lowest-privilege role in the Admin / User / Passthrough model)
    */
   guestUser: async ({ testData }, use) => {
     const user = await testData.createUser({
       name: `Test Guest ${Date.now()}`,
       email: `guest-${Date.now()}@test.local`,
       password: TEST_PASSWORD,
-      role: 'guest',
+      role: 'passthrough',
     });
     await use({
       ...user,
-      role: 'guest',
+      role: 'passthrough',
     });
   },
 });

tests/settings/user-lifecycle.spec.ts

@@ -443,7 +443,7 @@ test.describe('Admin-User E2E Workflow', () => {
       }, {
         timeout: 30000,
         message: `Expected user lifecycle audit entries for ${testUser.email}`,
-      }).toBe(2);
+      }).toBe(1);
     });
   });
 

tests/settings/user-management.spec.ts

@@ -42,8 +42,9 @@ test.describe('User Management', () => {
 
       await test.step('Verify page URL and heading', async () => {
         await expect(page).toHaveURL(/\/users/);
-        // Wait for page to fully load - heading may take time to render
-        const heading = page.getByRole('heading', { level: 1 });
+        // Use name-scoped locator to avoid strict mode violation — the settings
+        // layout renders a second h1 ("Settings") alongside the content heading.
+        const heading = page.getByRole('heading', { name: 'User Management' });
         await expect(heading).toBeVisible({ timeout: 10000 });
       });