Othala v0.3.0 — CVP hardening, access-model, OTel tracing, portal UX pass Security hardening pass (admin authority on immutable identity id, highest-available AAL on settings, admin-recovery refusal + wildcard blocks), access-model refactor (central group registry + forward-auth gating), PII-safe OpenTelemetry tracing, and the passkey-first portal UX/pristine pass. ~100 commits since v0.3.0-rc. Full substrate validated pre-tag via BUILD_CI_IMAGE pipeline 2645135898 (smoke 32/32 + browser e2e green).