Add tenant-aware admin 2FA with authenticator apps and passkeys#462

Draft
AZ0228 wants to merge 1 commit into main from cursor/admin-2fa-multi-tenancy-b64d
Conversation


@AZ0228 AZ0228 commented Mar 20, 2026

Summary

  • add tenant-scoped admin MFA model/service support for TOTP and WebAuthn passkeys
  • require step-up MFA at login for admin-level accounts when factors are configured
  • add admin MFA management APIs (status, TOTP setup/enable/disable, passkey registration/remove, pending challenge lookup)
  • propagate MFA claims into access/refresh tokens and admin middleware checks
  • add frontend MFA step-up UX on login and an Admin Security settings panel for factor enrollment
  • extend SAML callback flow to route admin users through MFA pending flow

Validation

  • syntax-checked modified backend files with node --check
  • linted modified frontend files with eslint (warnings only, no new errors)
  • built frontend successfully
  • exercised API flows end-to-end against local backend:
    • admin login returns requiresMfa after enrollment
    • tenant mismatch rejects pending challenge
    • /mfa/verify-totp completes login successfully
    • passkey registration options endpoint returns a valid challenge
  • manually tested UI login MFA flow in browser and recorded walkthrough video

Co-authored-by: James Liu <AZ0228@users.noreply.github.com>