feat: server role mapping, Logto admin access, sign-in branding

- Add server:admin/operator/viewer scopes to bootstrap and org roles
- Grant SaaS admin Logto console access via admin:admin role
- Configure sign-in experience with Cameleer branding (colors + logos)
- Add rolesClaim and audience to server OIDC config
- Add server scopes to PublicConfigController for token inclusion
- Permit logo SVGs in SecurityConfig (fix 401 on /platform/logo.svg)
- Add cameleer3 logo SVGs (light + dark) to ui/public/

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

src/main/java/net/siegeln/cameleer/saas/config/PublicConfigController.java

@@ -36,7 +36,10 @@ public class PublicConfigController {
             "secrets:manage",
             "observe:read",
             "observe:debug",
-            "settings:manage"
+            "settings:manage",
+            "server:admin",
+            "server:operator",
+            "server:viewer"
     );
 
     @GetMapping("/api/config")

src/main/java/net/siegeln/cameleer/saas/config/SecurityConfig.java

@@ -40,7 +40,7 @@ public class SecurityConfig {
                         .requestMatchers("/api/config").permitAll()
                         .requestMatchers("/", "/index.html", "/login", "/callback",
                                 "/environments/**", "/license", "/admin/**").permitAll()
-                        .requestMatchers("/_app/**", "/favicon.ico").permitAll()
+                        .requestMatchers("/_app/**", "/favicon.ico", "/logo.svg", "/logo-dark.svg").permitAll()
                         .anyRequest().authenticated()
                 )
                 .oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt ->