fix(e2e): resolve shard 4 failures from 3-tier role model changes

Three tests broke when the Admin/User/Passthrough privilege model replaced
the old admin/user/guest hierarchy in PR-3.

- user-management: tighten heading locator to name='User Management' to avoid
  strict mode violation; the settings layout now renders a second h1
  ('Settings') alongside the page content heading
- user-lifecycle: update audit trail assertion from 2 to 1; users are now
  created with a role in a single API call so the backend does not emit a
  user_update audit entry when STEP 2 sends the same role value as creation
- auth-fixtures: replace invalid role='guest' with role='passthrough' in the
  guestUser fixture; the 'guest' role was removed in PR-3 and 'passthrough' is
  the equivalent lowest-privilege role in the new model

Verified: all three previously-failing tests now pass locally.

tests/settings/user-lifecycle.spec.ts

@@ -443,7 +443,7 @@ test.describe('Admin-User E2E Workflow', () => {
       }, {
         timeout: 30000,
         message: `Expected user lifecycle audit entries for ${testUser.email}`,
-      }).toBe(2);
+      }).toBe(1);
     });
   });
 

tests/settings/user-management.spec.ts

@@ -42,8 +42,9 @@ test.describe('User Management', () => {
 
       await test.step('Verify page URL and heading', async () => {
         await expect(page).toHaveURL(/\/users/);
-        // Wait for page to fully load - heading may take time to render
-        const heading = page.getByRole('heading', { level: 1 });
+        // Use name-scoped locator to avoid strict mode violation — the settings
+        // layout renders a second h1 ("Settings") alongside the content heading.
+        const heading = page.getByRole('heading', { name: 'User Management' });
         await expect(heading).toBeVisible({ timeout: 10000 });
       });