docs: dashboard SA cluster-read tightened to namespace-list + nodes only [ci skip]

Reflect the dashboard-nav-readonly ClusterRole: namespace-owners can list
namespaces/nodes (for dashboard nav) but not read other tenants' resources.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Viktor Barzin 2026-06-04 12:22:35 +00:00
parent 7114824c06
commit 8f13fdeaf7
4 changed files with 7 additions and 4 deletions

@ -136,7 +136,8 @@ Because OIDC SSO is blocked, the web dashboard at `k8s.viktorbarzin.me` uses a
that maps `X-authentik-username` → that user's ServiceAccount token and sets
`Authorization: Bearer` before proxying to kong-proxy, so the dashboard
auto-authenticates. Namespace-owners → `dashboard-<user>` SA (admin on their
namespace + cluster read-only, `stacks/rbac/modules/rbac/dashboard-sa.tf`),
namespace + read-only on the namespace list & nodes only (dashboard-nav-readonly,
NOT cross-tenant resource reads); `stacks/rbac/modules/rbac/dashboard-sa.tf`),
auto-derived from `k8s_users`. Admins → the cluster-admin `kubernetes-dashboard`
SA token (admin identities listed explicitly in `dashboard_injector.tf`, since
their Authentik login email ≠ their `k8s_users` email).
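Review bot: the replacement wording "read-only on the namespace list & nodes only (dashboard-nav-readonly, NOT cross-tenant resource reads)" names the ClusterRole but not the verbs it grants on `namespaces` and `nodes` (get, list, watch), so a reader cannot check the prose against `stacks/rbac/modules/rbac/dashboard-sa.tf` without opening it; suggest stating the verbs explicitly. It is also worth a short caveat that list on `namespaces` still reveals every tenant's namespace name to every namespace-owner, which is cross-tenant metadata even though resource reads inside those namespaces are blocked.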

@ -177,7 +177,8 @@ Namespace-owners just log into `https://k8s.viktorbarzin.me` with their Authenti
account and land straight in the dashboard scoped to their namespace — **no token
to paste**. A token-injector (`stacks/k8s-dashboard/dashboard_injector.tf`) maps
their Authentik identity (`X-authentik-username`) to their `dashboard-<user>` SA
token (`admin` on their namespace + cluster read-only) and injects it as
token (`admin` on their namespace + read-only on the namespace list & nodes
only — they can't read other tenants' resources) and injects it as
`Authorization: Bearer`. Forward-auth admits the `kubernetes-*` groups for this
host (`stacks/authentik/admin-services-restriction.tf`).
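Review bot: "they can't read other tenants' resources" overstates the restriction slightly, since `nodes` are cluster-scoped objects and read access to them exposes node addresses, labels and conditions to every namespace-owner; "can't read resources in other tenants' namespaces" would match what the grant actually limits. This hunk also describes the same ClusterRole as the first one but without naming `dashboard-nav-readonly`; naming it here too would let readers cross-check the two documents and the Terraform module with a single identifier.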