Module development and code questions

Hello all!  While developing our Drupal site, we have set up some additional custom roles and assigned permissions to these roles.  As developers, we configure these incrementally and test on our development environment. Once this is tested and working, what is the best way to transfer all these custom roles and assigned permissions to test and production environments, such that the site administrators do not need to go into the Drupal administration page manually to re-configure and assign all these custom roles and assigned permissions? Should I build some custom module to handle this?

I am building a custom multi-step form with back/forward buttons. 

When a user clicks 'next' it saves the current steps values in form storage like this:
 

$storage['values'][$this->step] = $form_state->getValues();
$form_state->setStorage($storage);

When the user clicks 'Back', I am pulling the values out of storage and setting them to $form_state->setUserInput(); like this:
 

I am developping a custom module  that sends notifications.

The sending  service is more or less as follows

I am creating a form that uses an ajax modal confirm form. The confirm form is displayed, but pressing the "Confirm" button just disappears the panel, but the submitform() never runs. If I call the confirm form separately without ajax OpenModalDialog, it works, formsubmit() runs. How could this be implemented?

original form delete button:

I have my own form that shows a list of products. It can be scrolled, but I would like a "Load More" button. My problem is that I can't store the current position, because in the ajax callback I can't use the $form_state->set, get functions. How can I increase the position in the ajax callback function called when the "load more" button is pressed?

Hi,

I have developed a Drupal 10 website & it is hosted on xampp & it is not connected with any network. And it is scanned with ZAP Scan application, the result shows content Security Policy, for that i have installed CSP Module and set the CSP Header as Content-Security-Policy "default-src 'self'; script-src 'self' ; style-src 'self'; img-src 'self'; frame-ancestors 'self'; form-action 'self'" in .htaccess file. still the vulnerability is persisting while scanning in ZAP. please help me to resolve this vulnerability.