Fix audit-trail Move security audit findings

[itsyaasir]

Description of change

Fixes two audit-trail Move security audit findings.

• Adds the missing Migrate permission to the default Admin permission set, so Admin capabilities can authorize package migration.
• Adds regression coverage proving Admin permissions include migration.
• Changes CountBased(N) delete-record locking to protect the last N records currently present in trail order, instead of using monotonic sequence-number distance.
• Uses linked_table::back() and linked_table::prev() to evaluate the protected tail window after deletions.
• Adds a tail-deletion regression test covering the case where a deleted tail record moves older records into the protected count window.
• Updates Rust, WASM, and example docs to describe the current-record semantics and the linear gas trade-off for large count windows.

Links to any relevant issues

Type of change

• Bug fix (a non-breaking change which fixes an issue)
• Enhancement (a non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation Fix

How the change has been tested

Change checklist

• I have followed the contribution guidelines for this project
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have added tests that prove my fix is effective or that my feature works
• I have checked that new and existing unit tests pass locally with my changes
• I have updated the CHANGELOG.md, if my changes are significant enough

[chrisgitiota]

Regarding:

Adds a tail-deletion regression test covering the case where a deleted tail record moves older records into the protected count window.

In fun delete_records_batch() do we want to protect those moved older records even when they move into the window during the batch deletion?