
feat(auth): add Monitoring role with read access to financial dashboard #3727

Open
TaprootFreak wants to merge 1 commit into develop from feat/monitoring-role

@TaprootFreak
Collaborator

Summary

  • Adds a new MONITORING user role with read-only access to the financial dashboard endpoints.
  • Hierarchy: ADMIN > COMPLIANCE > MONITORING — all three roles are explicitly listed on the affected guards so each can hit the endpoints without changing the existing additionalRoles hierarchy map.
  • Extends RoleGuard to accept multiple entry roles (variadic, backward-compatible — existing single-arg call sites are unaffected).

Changes

  • src/shared/auth/user-role.enum.ts: add MONITORING = 'Monitoring' (positioned after MARKETING, before service / external roles).
  • src/shared/auth/role.guard.ts: make RoleGuard(...entryRoles) variadic; canActivate returns true if the request role matches (or is in the additionalRoles of) any of the supplied entry roles.
  • src/subdomains/supporting/dashboard/dashboard-financial.controller.ts: widen guards on all four endpoints (GET /dashboard/financial/log, /latest, /changes/latest, /ref-recipients, /changes) from RoleGuard(ADMIN) to RoleGuard(ADMIN, COMPLIANCE, MONITORING).

Test plan

  • npm run lint
  • npm run format (no diff)
  • npm run type-check
  • npm run build
  • npm test (938 passed, 106 skipped — unchanged baseline)
  • Manual: assign a user the Monitoring role and verify they can hit the five financial dashboard endpoints; verify they cannot hit other admin-only endpoints.

Migration notes

None — additive enum value + guard widening only. No DB / schema changes.

Coordination

Touches a different file than the in-flight PR #3725 (perf/dashboard-financial-log-optimization modifies the service, this PR modifies the controller + auth) — no merge conflicts expected.

@TaprootFreak TaprootFreak marked this pull request as ready for review May 20, 2026 09:21
@TaprootFreak TaprootFreak requested a review from davidleomay as a code owner May 20, 2026 09:21
Member

Add [UserRole.MONITORING]: [UserRole.ADMIN, UserRole.SUPER_ADMIN], to additionalRoles -> can remove admin on dashboard controller endpoints
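
The two guard configurations discussed in this thread can be compared with a framework-free model of the check the PR description gives (allow when the request role equals, or is in the additionalRoles of, any entry role). This is an added example, not code from the PR or the project: the USER role, the 'SuperAdmin' string value, the existing map entries and the function names are assumptions.

```typescript
// Added illustration, not the project's code. Enum subset and map contents are assumed.
enum UserRole {
  USER = 'User', // hypothetical low-privilege role
  COMPLIANCE = 'Compliance',
  MONITORING = 'Monitoring',
  ADMIN = 'Admin',
  SUPER_ADMIN = 'SuperAdmin', // string value assumed
}
const ALL_ROLES: UserRole[] = [
  UserRole.USER, UserRole.COMPLIANCE, UserRole.MONITORING, UserRole.ADMIN, UserRole.SUPER_ADMIN,
];

type RoleMap = Partial<Record<UserRole, UserRole[]>>;

// additionalRoles[entry]: roles that also satisfy a guard declared for `entry` (assumed contents).
const baseMap: RoleMap = {
  [UserRole.ADMIN]: [UserRole.SUPER_ADMIN],
  [UserRole.COMPLIANCE]: [UserRole.ADMIN, UserRole.SUPER_ADMIN],
};

// The same map plus the entry proposed in the review comment.
const reviewedMap: RoleMap = {
  ...baseMap,
  [UserRole.MONITORING]: [UserRole.ADMIN, UserRole.SUPER_ADMIN],
};

// Variadic check: true if the request role matches any entry role or one of its additional roles.
function canActivate(map: RoleMap, requestRole: UserRole | undefined, ...entryRoles: UserRole[]): boolean {
  if (requestRole === undefined) return false; // no role on the request: deny
  return entryRoles.some(
    (entry) => entry === requestRole || (map[entry] ?? []).indexOf(requestRole) >= 0,
  );
}

// Every role a guard declaration admits, sorted, so two declarations can be compared.
function admitted(map: RoleMap, ...entryRoles: UserRole[]): UserRole[] {
  return ALL_ROLES.filter((r) => canActivate(map, r, ...entryRoles)).sort();
}

// Guard as written in the PR: all three roles listed, map unchanged.
const asInPr = admitted(baseMap, UserRole.ADMIN, UserRole.COMPLIANCE, UserRole.MONITORING);
// Guard after the review suggestion: ADMIN dropped from the list, map extended.
const asReviewed = admitted(reviewedMap, UserRole.COMPLIANCE, UserRole.MONITORING);
// Regression check: an ADMIN-only guard must still exclude MONITORING.
const adminOnly = admitted(reviewedMap, UserRole.ADMIN);
console.log({ asInPr, asReviewed, adminOnly });
```

Under these assumptions both declarations admit the same set of roles, and an ADMIN-only guard still rejects MONITORING, which is the negative case the manual test plan calls for.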
