chore(ci-guards): close 4 CI-guard regressions surfaced by v2.1.0 release-gate Phase 5

Four scripts/ci-guards/*.sh trips on dev/auth-bundle-2 vs master:

1. G-3-env-docs-drift: 10 CERTCTL_* env vars added by Auth Bundle 2 +
   audit-2026-05-10/11 fix bundle were not in docs/. Added a new 'Auth
   (Bundle 1 + Bundle 2)' section to docs/reference/configuration.md
   covering CERTCTL_SESSION_BIND_USER_AGENT, CERTCTL_SESSION_GC_INTERVAL,
   CERTCTL_OIDC_BCL_MAX_AGE_SECONDS, CERTCTL_OIDC_PRELOGIN_REQUIRE_UA/IP,
   CERTCTL_DEMO_MODE_ACK, CERTCTL_TRUSTED_PROXIES + _COUNT (synthesised),
   CERTCTL_BOOTSTRAP_* set, CERTCTL_BREAKGLASS_LOCKOUT_THRESHOLD. Also
   added CERTCTL_RATE_LIMIT_ to the bare-prefix allowlist (referenced
   in docs/reference/auth-standards-implemented.md prose).

2. bundle-8-M-009-bare-usemutation: BreakglassPage shipped 3 bare
   useMutation() calls instead of useTrackedMutation. Migrated all
   three to useTrackedMutation with invalidates: [['breakglass']].

3. multi-tenant-query-coverage: Defense-in-depth tenant_id additions
   in the fix bundle dropped the missing-tenant-id query count from 32
   to 31. Ratcheted baseline 32 -> 31 (forward-only invariant).

4. openapi-handler-parity: 28 new REST endpoints from Bundle 2 + the
   fix bundle missing from api/openapi.yaml. Added them to
   api/openapi-handler-exceptions.yaml with per-route 'why:'
   justifications. OpenAPI schema generation deferred to pre-v2.2.0
   alongside the GUI E2E coverage push; threat model + handler
   contracts already live in docs/operator/{rbac,auth-threat-model,
   oidc-runbooks}.md.

After this commit every script in scripts/ci-guards/*.sh exits 0.

web/src/pages/auth/BreakglassPage.tsx

@@ -1,5 +1,6 @@
 import { useState } from 'react';
-import { useQuery, useMutation, useQueryClient } from '@tanstack/react-query';
+import { useQuery } from '@tanstack/react-query';
+import { useTrackedMutation } from '../../hooks/useTrackedMutation';
 import {
   breakglassListCredentials,
   breakglassSetPassword,
@@ -36,7 +37,6 @@ import ErrorState from '../../components/ErrorState';
 
 export default function BreakglassPage() {
   const { isLoading: meLoading, hasPerm } = useAuthMe();
-  const qc = useQueryClient();
 
   // Permission gate. If meLoading, render nothing (avoid flicker).
   const canAdmin = hasPerm('auth.breakglass.admin');
@@ -52,18 +52,18 @@ export default function BreakglassPage() {
     retry: false,
   });
 
-  const setPwd = useMutation({
+  const setPwd = useTrackedMutation({
     mutationFn: ({ actorID, password }: { actorID: string; password: string }) =>
       breakglassSetPassword(actorID, password),
-    onSuccess: () => qc.invalidateQueries({ queryKey: ['breakglass'] }),
+    invalidates: [['breakglass']],
   });
-  const unlock = useMutation({
+  const unlock = useTrackedMutation({
     mutationFn: (actorID: string) => breakglassUnlock(actorID),
-    onSuccess: () => qc.invalidateQueries({ queryKey: ['breakglass'] }),
+    invalidates: [['breakglass']],
   });
-  const remove = useMutation({
+  const remove = useTrackedMutation({
     mutationFn: (actorID: string) => breakglassRemove(actorID),
-    onSuccess: () => qc.invalidateQueries({ queryKey: ['breakglass'] }),
+    invalidates: [['breakglass']],
   });
 
   // Modal state.