Othala v0.3.0 — CVP hardening, access-model, OTel tracing, portal UX pass

Security hardening pass (admin authority on immutable identity id,
highest-available AAL on settings, admin-recovery refusal + wildcard blocks),
access-model refactor (central group registry + forward-auth gating), PII-safe
OpenTelemetry tracing, and the passkey-first portal UX/pristine pass.
~100 commits since v0.3.0-rc. Full substrate validated pre-tag via
BUILD_CI_IMAGE pipeline 2645135898 (smoke 32/32 + browser e2e green).