chore: add taxonomy annotations and role-category labels to IAM roles for UI grouping

[kevwilliams]

Summary

• Adds taxonomy.miloapis.com/role-category label to all IAM role files to support filterByLabel in the cloud portal UI
• Adds taxonomy.miloapis.com/product and taxonomy.miloapis.com/sort-order annotations to all previously unclassified roles
• Adds taxonomy labels to new iam-organization-admin/editor/viewer roles
• Adds docs/architecture/identity-and-access-management/role-taxonomy.md as a reference for service teams defining roles in other repos

Role categories

Label value	Description	Roles
platform	Top-level cross-cutting roles only	owner (future: editor, viewer)
service	Infrastructure service roles	IAM, resource management, org/project, quota, core
feature	Product capabilities end-users interact with	Notes, Notifications

Quota roles remain in milo-system namespace and are intentionally excluded from the customer-facing role selector until there is a quota management UI.

Product groups

Product	Sort order	Roles
Identity & Access Management	10/20/30/40	iam-admin/editor/viewer, iam-organization-, iam-role-, iam-platform-, iam-user-
Organization & Projects	10/20/30/40	owner, organization-, project-, organizationmembership-, resourcemanager-, project-manager
Platform Core	10/20/30/40	core-admin/editor/reader, apiextensions-reader
Quota	10/20/30/40	quota-admin/manager/operator/viewer, organization-quota-manager (milo-system, not customer-facing)
Notes	10/20/30	notes-admin/editor/creator/creator-editor/viewer
Notifications	10/20/30	notification-contact-, notification-email-

Test plan

• Verify roles appear grouped correctly in the cloud portal Add Role screen
• Check sort order within each group (admin → editor/manager → reader)
• Verify filterByLabel on taxonomy.miloapis.com/role-category=feature returns only Notes and Notification roles
• Verify filterByLabel on taxonomy.miloapis.com/role-category=platform returns only owner
• Verify filterByLabel on taxonomy.miloapis.com/role-category=service returns IAM, org/project, and core roles (not quota)
• Verify quota roles do NOT appear in the portal role selector

[joggrbot]

📝 Documentation Analysis

All docs are up to date! 🎉

---

✅ Latest commit analyzed: 17f75fd | Powered by Joggr

[github-actions]

🤖 I automatically added missing newlines at the end of 4 file(s) in this PR.

All files should now end with a newline character as per coding standards.

[cla-assistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
1 out of 2 committers have signed the CLA.

✅ kevwilliams
❌ github-actions[bot]
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[cla-assistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
1 out of 2 committers have signed the CLA.

✅ kevwilliams
❌ github-actions[bot]
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[github-actions]

🤖 I automatically added missing newlines at the end of 4 file(s) in this PR.

All files should now end with a newline character as per coding standards.

[kevwilliams]

@scotwells any thoughts on this? After we do this I can go through and add similar labels and annotations to the services e.g DNS etc.

[scotwells]

@kevwilliams overall looks good, just some feedback on roles labeled with the platform label.

[scotwells]

Think this would be a service level role? I see platform roles as the top-level "Owner", "Editor", "Viewer" roles and all other roles are either service or feature.