RBAC tests: trigger task routes (TRI-8733)

Per-route authorization config verified:
  - POST /api/v1/tasks/:taskId/trigger
      action: trigger, resource: { type: "tasks", id: params.taskId }
  - POST /api/v1/tasks/batch + /api/v2/tasks/batch
      action: batchTrigger, resource: body.items.map(i.task)
      → array of { type: "tasks", id }
  - POST /api/v3/batches
      action: batchTrigger, resource: { type: "tasks" } (collection-
      level — items are validated when streamed)

Coverage in this file (each describe block tests a route's specific
authorization config end-to-end):

Trigger task — single (api.v1.tasks.$taskId.trigger), 9 cases:
  - missing auth → 401
  - private API key → auth passes (4xx OK from handler — task may
    not exist; we assert NOT 401/403)
  - JWT write:tasks (type-level, ACTION_ALIASES write→trigger) → passes
  - JWT trigger:tasks:<exact> matching the route param → passes
  - JWT trigger:tasks:<other> → 403
  - JWT read:tasks → 403 (read NOT aliased to trigger)
  - JWT empty scopes → 403
  - JWT signed with wrong key (env A sub, env B's key) → 401
  - JWT admin → passes

Trigger task — batch v1 (api.v1.tasks.batch), 7 cases including the
multi-key-any-match contract from TRI-8719:
  - missing auth, private API key, write:tasks type-level, admin
  - batchTrigger:tasks:taskA + body has [taskA, taskB] → passes
    (any-match grants access — locks in legacy contract)
  - batchTrigger:tasks:<unrelated> + body has only taskA → 403
  - read:tasks → 403

Trigger task — batch v2 (api.v2.tasks.batch), 2-case sanity (config
is identical to v1):
  - missing auth, write:tasks pass.

Trigger task — batch v3 (api.v3.batches) collection-level, 4 cases:
  - missing auth, write:tasks pass, read:tasks 403, admin pass.

Verification status:
- Typecheck clean.
- Test execution NOT verified locally — the e2e.full harness
  currently fails to boot the webapp container with
  `TypeError: Cannot convert undefined or null to object` at
  build/index.js:71583 (allMachines). Looks like a module-init
  order problem with the @trigger.dev/platform `machines` import
  in the bundled build, NOT related to the test code in this
  commit. Filing a follow-up note on the affected tickets so this
  surfaces when someone next runs the suite.

Helper changes: none. Reuses seedTestEnvironment.

Author: matt-aitken