
feat: add multi-tenancy, enrollment tokens, OIDC integration, and branding schemas#30

Open
SteveKueng wants to merge 2 commits into open-uem:main from EigerCode:feature/multi-tenancy

Conversation

@SteveKueng

Summary

  • Add multi-tenancy support with UserTenant junction table (role-based: admin/operator/user) and is_default flag for the user's primary tenant
  • Add EnrollmentToken schema with token, max_uses, current_uses, expiry, and tenant/site links for secure agent registration
  • Add OIDC tenant auto-assignment fields on Tenant (oidc_org_id, oidc_default_role)
  • Refactor OIDC authentication role fields into separate admin/operator/user fields
  • Add Branding schema for provider customization (logo, color, product name, login page)
  • Add tenant_id to Certificate and enrollment_tokens edge to Site
  • Fix duplicate disabled field in Profile schema
  • Fix comments in netbirdsettings and memoryslot schemas

Schema changes

| Schema | Change |
| --- | --- |
| UserTenant (new) | Junction table: user_id, tenant_id, role, is_default |
| EnrollmentToken (new) | token, max_uses, current_uses, expires_at, tenant/site edges |
| Branding (new) | logo_light, logo_small, primary_color, product_name, login_background_image, login_welcome_text |
| Tenant | Added oidc_org_id, oidc_default_role, user_tenants/enrollment_tokens edges |
| User | Added user_tenants edge |
| Site | Added enrollment_tokens edge |
| Certificate | Added tenant_id |
| Authentication | Split OIDC_role into OIDC_role_admin/operator/user |
| Profile | Removed duplicate disabled field |
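As an added example that is not part of this PR or of the OpenUEM code base, here is how the EnrollmentToken fields listed above (token, max_uses, current_uses, expires_at, tenant/site links) can be enforced when an agent redeems a token. The in-memory TokenStore, the decision to store only a SHA-256 hash of the secret, and the error values are assumptions of this example, not the project's API; the project's ent-backed table is not modelled.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"sync"
	"time"
)

// EnrollmentToken carries the fields named in the PR summary: the token secret,
// max_uses, current_uses, expires_at and the tenant/site it is bound to.
// Keeping only a hash of the secret is an assumption of this example.
type EnrollmentToken struct {
	Hash        [sha256.Size]byte
	MaxUses     int // 0 means unlimited
	CurrentUses int
	ExpiresAt   time.Time
	TenantID    int
	SiteID      int
}

// TokenStore is a hypothetical in-memory stand-in for the ent-backed table.
type TokenStore struct {
	mu     sync.Mutex
	tokens map[[sha256.Size]byte]*EnrollmentToken
}

var (
	ErrUnknownToken = errors.New("unknown enrollment token")
	ErrExpired      = errors.New("enrollment token has expired")
	ErrExhausted    = errors.New("enrollment token has no uses left")
)

func NewTokenStore() *TokenStore {
	return &TokenStore{tokens: make(map[[sha256.Size]byte]*EnrollmentToken)}
}

// Issue creates a token bound to one tenant and site. The plaintext secret is
// returned exactly once; the store keeps only its hash.
func (s *TokenStore) Issue(tenantID, siteID, maxUses int, ttl time.Duration, now time.Time) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	secret := base64.RawURLEncoding.EncodeToString(raw)
	h := sha256.Sum256([]byte(secret))
	s.mu.Lock()
	defer s.mu.Unlock()
	s.tokens[h] = &EnrollmentToken{
		Hash: h, MaxUses: maxUses, ExpiresAt: now.Add(ttl),
		TenantID: tenantID, SiteID: siteID,
	}
	return secret, nil
}

// Redeem validates a presented secret and consumes one use under the lock, so
// two agents racing on a single-use token cannot both enroll. The tenant and
// site the agent lands in come from the stored token, never from the request.
func (s *TokenStore) Redeem(secret string, now time.Time) (tenantID, siteID int, err error) {
	h := sha256.Sum256([]byte(secret))
	s.mu.Lock()
	defer s.mu.Unlock()
	t, ok := s.tokens[h]
	if !ok {
		return 0, 0, ErrUnknownToken
	}
	if !now.Before(t.ExpiresAt) {
		return 0, 0, ErrExpired
	}
	if t.MaxUses > 0 && t.CurrentUses >= t.MaxUses {
		return 0, 0, ErrExhausted
	}
	t.CurrentUses++
	return t.TenantID, t.SiteID, nil
}

func main() {
	store := NewTokenStore()
	now := time.Now()
	secret, _ := store.Issue(1, 7, 2, time.Hour, now)
	for i := 0; i < 3; i++ {
		tenant, site, err := store.Redeem(secret, now.Add(time.Minute))
		fmt.Println(tenant, site, err) // third call reports the token as exhausted
	}
}
```

All three checks run before current_uses is incremented and under one lock, so a token that is expired or exhausted is never partially consumed, and an agent cannot choose its own tenant or site by sending different ids than the token was issued for.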

…ion, and branding

Multi-tenancy schemas:
- UserTenant junction table with role (admin/operator/user) and is_default flag
- EnrollmentToken schema with token, max_uses, expiry, tenant/site links
- Tenant: oidc_org_id and oidc_default_role for OIDC auto-assignment
- Certificate: tenant_id for tenant-scoped certificates
- Site: enrollment_tokens edge

Branding schema:
- logo_light, logo_small, primary_color, product_name
- login_background_image, login_welcome_text

Authentication refactor:
- OIDC role fields split into admin/operator/user
- Removed is_hoster_tenant and is_super_admin fields

Additional fixes:
- Remove duplicate disabled field in profile schema
- Fix comments in netbirdsettings and memoryslot schemas
…ding

- Introduced `show_version` boolean field to control the display of version number in the header.
- Added `bug_report_link` and `help_link` string fields for customizable links to bug reports and documentation.
- Updated schema, mutation, and relevant methods to handle the new fields.
- Set default values for the new fields in the schema and runtime initialization.
@doncicuto
Member

Hi @SteveKueng, I've done some changes that I think will work better or have more coherence with the way I use ent.

I've renamed the UserTenant entity to RoleAssignment. RoleAssignment has only the role (admin, user, operator) and the edges with tenant and user, so no specific fields are needed (tenant_id, user_id)

I've set a relationship between the user and the tenant to establish which users are members of a tenant
I've set an additional relationship between the user and the tenant to establish which tenant is the default tenant for a user

```mermaid
erDiagram
    USER }o--o{ TENANT : members
    USER }o--o| TENANT : default
    USER ||--|{ ROLEASSIGNMENT : assignment
    ROLEASSIGNMENT }|--|| TENANT : assignment
```

I hope these changes make sense to you, if not we can discuss them

As changes to entities affect the migrations, in case you'd like to use the main branch of OpenUEM once I merge your PRs, I should create a specific way to migrate your data for you.
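Added example, not code from this PR or from OpenUEM: the RoleAssignment model described in the comment above (members edge, default edge, one role per user/tenant pair), together with the OIDC auto-assignment fields from the PR summary (oidc_org_id, oidc_default_role), written as an in-memory authorization check. The Directory type, its method names and the error values are assumptions of this example; the ent schema is not modelled.

```go
package main

import "errors"

type Role string

const (
	RoleAdmin    Role = "admin"
	RoleOperator Role = "operator"
	RoleUser     Role = "user"
)

// Tenant carries the OIDC auto-assignment fields from the PR summary; an empty
// OidcOrgID disables auto-assignment for that tenant.
type Tenant struct {
	ID              int
	OidcOrgID       string
	OidcDefaultRole Role
}

// Directory is a hypothetical in-memory stand-in for the ent graph above: the
// members edge, the default edge and one RoleAssignment per (user, tenant).
type Directory struct {
	byOrg       map[string]Tenant    // oidc_org_id -> tenant (assumed unique)
	members     map[int]map[int]bool // user id -> set of tenant ids
	defaults    map[int]int          // user id -> default tenant id (0 = none)
	assignments map[[2]int]Role      // {user id, tenant id} -> role
}

var ErrNotMember = errors.New("user is not a member of this tenant")
var ErrNoRole = errors.New("user has no role assignment in this tenant")
var ErrUnknownOrg = errors.New("no tenant is configured for this OIDC organisation")

func NewDirectory(tenants ...Tenant) *Directory {
	d := &Directory{
		byOrg:       make(map[string]Tenant),
		members:     make(map[int]map[int]bool),
		defaults:    make(map[int]int),
		assignments: make(map[[2]int]Role),
	}
	for _, t := range tenants {
		if t.OidcOrgID != "" {
			d.byOrg[t.OidcOrgID] = t
		}
	}
	return d
}

// AddMember records the members edge; the first tenant a user joins also
// becomes the default edge, so the default is always a tenant they belong to.
func (d *Directory) AddMember(userID, tenantID int) {
	if d.members[userID] == nil {
		d.members[userID] = make(map[int]bool)
	}
	d.members[userID][tenantID] = true
	if d.defaults[userID] == 0 {
		d.defaults[userID] = tenantID
	}
}

// Assign creates or replaces the RoleAssignment for (user, tenant) and refuses
// to attach a role to a tenant the user is not a member of.
func (d *Directory) Assign(userID, tenantID int, role Role) error {
	if !d.members[userID][tenantID] {
		return ErrNotMember
	}
	d.assignments[[2]int{userID, tenantID}] = role
	return nil
}

// EffectiveRole answers "what may this user do in this tenant". It never falls
// back to the default tenant: that edge only picks which tenant the console
// opens and grants nothing elsewhere.
func (d *Directory) EffectiveRole(userID, tenantID int) (Role, error) {
	if !d.members[userID][tenantID] {
		return "", ErrNotMember
	}
	if role, ok := d.assignments[[2]int{userID, tenantID}]; ok {
		return role, nil
	}
	return "", ErrNoRole
}

// DefaultTenant returns the tenant the console should open for the user.
func (d *Directory) DefaultTenant(userID int) int { return d.defaults[userID] }

// OnOIDCLogin maps the organisation claim from the IdP to a tenant by its
// oidc_org_id and enrols the user with oidc_default_role. An existing
// assignment is kept, so a role an admin raised by hand survives re-login.
func (d *Directory) OnOIDCLogin(userID int, orgClaim string) (int, error) {
	t, ok := d.byOrg[orgClaim]
	if !ok {
		return 0, ErrUnknownOrg
	}
	d.AddMember(userID, t.ID)
	if _, exists := d.assignments[[2]int{userID, t.ID}]; !exists {
		d.assignments[[2]int{userID, t.ID}] = t.OidcDefaultRole
	}
	return t.ID, nil
}
```

The point worth checking in any implementation of this model is that a RoleAssignment is scoped by its tenant edge: an admin assignment in one tenant yields ErrNoRole in another tenant the user merely belongs to, and an unknown organisation claim is rejected rather than silently creating a tenant.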

@SteveKueng
Author

Hi @doncicuto
Sounds good.
I didn't have anything specific in mind here. If it works better this way or fits the concept better, I'm all for it.
Data migration isn't a priority right now. I only have test environments up and running at the moment. I'll wait until we've finished this major design change.
