Role-Based Editing [DONE] `PL-F1810`

Every CMS mutation route runs through `enforce_site_edit_scope`, which maps the target CmsSite's SiteTemplate (federation/region/club) to a required capability — `cms:edit:federation`, `cms:edit:region`, `cms:edit:club`. For region and club editors the enforcement also checks org_node scope: an editor with `cms:edit:club` for OrgNode `Bk Hagaberg` cannot mutate any other club's site, even within the same tenant. Federation admins get a blanket override across the federation.

The approval workflow is a state machine — `APPROVAL_WORKFLOW_TRANSITIONS` defines legal moves: editors with `cms:edit:*` push draft → review; approvers with `cms:approve` push review → published or back to draft with a rejection reason; users with `cms:publish:immediate` bypass the queue and go draft → published in one step; users with both `cms:approve` and `cms:publish:schedule` can approve from review and schedule for a future date. Role templates ship preconfigured: `federation-content-editor` (edit + approve + schedule), `club-content-editor` (edit + immediate publish), `region-content-editor` (edit + immediate). The audit trail (`audit_cms_mutation`) writes to AuditLogDomain.CMS for every create, update, delete, publish, schedule, approve and reject event, capturing actor, timestamp, before/after diff and reason.

Denied attempts are also logged via `_audit_cms_denied` so security incidents are reviewable. Enforcement is integrated across every CMS router (cms, cms_media, cms_blog, cms_forms, cms_seo, cms_widget) so no surface bypasses RBAC. The result: a small club uses immediate publish with one editor, a large federation uses a full editorial workflow with separate approvers and translators, and both share the same engine.