refactor(usermanagement): implement code review findings for User Management BC

Address all 18 findings from security code review (5 critical, 7 medium, 6 low):

Domain: make User and Role immutable with wither-pattern, add status transition
guards (ACTIVE->LOCKED, LOCKED->ACTIVE, ACTIVE|LOCKED->INACTIVE, INACTIVE->ACTIVE)

Application: enforce authorization via AuthorizationPort in all use cases, add
input validation, introduce LockUserCommand/UnlockUserCommand/RemoveRoleCommand,
fix audit event on password change failure (K5), use flatMap/mapError chains

Infrastructure: JWT blacklist with TTL and scheduled cleanup, login rate limiting
(5 attempts/15min), configurable CORS, generic error messages, conditional Swagger,
seed data context restriction

Tests: unit tests for all 10 use cases, adapted domain and integration tests

backend/src/main/resources/db/changelog/db.changelog-master.xml

@@ -8,7 +8,7 @@
     <include file="db/changelog/changes/001-create-user-management-schema.xml"/>
     <include file="db/changelog/changes/002-seed-roles-and-permissions.xml"/>
     <include file="db/changelog/changes/003-create-audit-logs-table.xml"/>
-    <include file="db/changelog/changes/004-seed-admin-user.xml"/>
+    <include file="db/changelog/changes/004-seed-admin-user.xml" context="dev"/>
     <include file="db/changelog/changes/005-create-masterdata-schema.xml"/>
     <include file="db/changelog/changes/006-create-supplier-schema.xml"/>
     <include file="db/changelog/changes/007-create-customer-schema.xml"/>