Commit bca5b2f
feat(roadmap-pdf): audit metadata, integrity hash, page numbers, attestation page
Session A of the audit-credibility upgrades. Adds the surface-level
report provenance items that auditors look for first, with negligible
risk to the existing PDF flow.
Audit metadata captured per export (PDF + CSV):
- Run ID (GUID, distinct per export)
- UTC timestamp + local TZ label ("Pacific/Auckland (UTC+13)")
- Tool version (from AutoUpdateService)
- Operator (DOMAIN\username + RBAC role)
- Compliance framework version string
Embedded into:
- Cover page audit-metadata block (replaces the legacy "Generated …" line)
- Footer line on every page (run-short, UTC, TZ)
- CSV header rows (same fields)
- Filenames now use UTC sortable form (yyyyMMdd_HHmmssZ)
Integrity hash:
- Post-export, compute SHA-256 of the produced PDF
- Write a sibling .manifest.json containing run-id, timestamps, operator,
tool version, framework version, server list and SHA-256
- Auditor can later re-hash the PDF they hold and compare to manifest
Page X of Y:
- Bottom-right of every printed page via @media print body::after with
counter(page) / counter(pages) chromium-supported tokens
Operator Attestation page:
- Print-only DOM element after the compliance panel (page-break-before)
- Repeats run-id, timestamps, tool version, operator, framework, server scope
- Has signature/date lines for handover scenarios
- Hidden on screen, shown only during PrintPrepareDomAsync
Worklist:
- Added explicit DEFERRED section for the DRAFT/non-prod watermark.
Requires per-server "Production/Staging/Dev" tagging that doesn't
exist yet — captured as a prerequisite before the watermark itself.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
1 parent ef53607 commit bca5b2f
4 files changed
Lines changed: 301 additions & 7 deletions
File tree
- Config
- Pages
- wwwroot/css
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1 | 1 | | |
2 | 2 | | |
3 | | - | |
| 3 | + | |
4 | 4 | | |
5 | 5 | | |
6 | 6 | | |
| |||
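An auditor-side check for the integrity-hash step described in the commit message, as an added example that is not part of this commit or the project's own code. The manifest key name `sha256` and the `<name>.manifest.json` sibling naming are assumptions, since the page does not show the manifest schema.

```python
import hashlib
import hmac
import json
import re
from pathlib import Path

HASH_KEY = "sha256"  # assumed manifest field name; the commit does not give the schema


def sha256_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so large PDFs are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_export(pdf_path, manifest_path=None):
    """Re-hash the PDF and compare it with the manifest. Returns (ok, detail)."""
    pdf_path = Path(pdf_path)
    # Assumed sibling naming: report.pdf -> report.manifest.json
    manifest_path = Path(manifest_path or pdf_path.with_suffix(".manifest.json"))
    try:
        # utf-8-sig tolerates a byte-order mark at the start of the JSON file
        manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError) as exc:
        return False, f"manifest unreadable: {exc}"
    if not isinstance(manifest, dict):
        return False, "manifest is not a JSON object"
    recorded = str(manifest.get(HASH_KEY, "")).strip().lower()
    # Reject truncated, empty or non-hex values instead of comparing against them
    if not re.fullmatch(r"[0-9a-f]{64}", recorded):
        return False, "manifest has no well-formed SHA-256 value"
    try:
        actual = sha256_file(pdf_path)
    except OSError as exc:
        return False, f"PDF unreadable: {exc}"
    if not hmac.compare_digest(actual, recorded):
        return False, f"hash mismatch: manifest {recorded}, file {actual}"
    return True, f"hash matches: {actual}"


if __name__ == "__main__":
    import sys
    ok, detail = verify_export(*sys.argv[1:3])
    print(("OK " if ok else "FAIL ") + detail)
    sys.exit(0 if ok else 1)
```

An unsigned sibling manifest detects a PDF that changed after export, but anyone able to replace both files can recompute the hash, so the manifest should reach the auditor over a separate channel or be signed.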