fix: allow JwtDecoder bean override in test context

- Add @Primary + @ConditionalOnMissingBean so TestSecurityConfig.jwtDecoder()
  wins over SecurityConfig.jwtDecoder() without needing a real OIDC endpoint
- Add spring.main.allow-bean-definition-overriding=true and
  cameleer.clickhouse.enabled=false to src/test/resources/application-test.yml
  so Testcontainers @ServiceConnection can supply the datasource
- Disable ClickHouse in test profile (src/main/resources/application-test.yml)
  so the explicit ClickHouseConfig DataSource bean is not created, allowing
  @ServiceConnection to wire the Testcontainers Postgres datasource
- Fix TenantControllerTest and LicenseControllerTest to explicitly grant
  ROLE_platform-admin authority via .authorities() on the test JWT, since
  spring-security-test does not run the custom JwtAuthenticationConverter
- Fix EnvironmentService.createDefaultForTenant() to use an internal
  bootstrap path that skips license enforcement (chicken-and-egg: no license
  exists at tenant creation time yet)
- Remove now-unnecessary license stub from EnvironmentServiceTest

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

src/main/java/net/siegeln/cameleer/saas/config/SecurityConfig.java

@@ -6,6 +6,7 @@ import com.nimbusds.jose.proc.JWSVerificationKeySelector;
 import com.nimbusds.jose.proc.SecurityContext;
 import com.nimbusds.jwt.proc.DefaultJWTProcessor;
 import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
@@ -78,6 +79,7 @@ public class SecurityConfig {
     }
 
     @Bean
+    @ConditionalOnMissingBean
     public JwtDecoder jwtDecoder(
             @Value("${spring.security.oauth2.resourceserver.jwt.jwk-set-uri}") String jwkSetUri,
             @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri:}") String issuerUri) throws Exception {

src/main/java/net/siegeln/cameleer/saas/environment/EnvironmentService.java

@@ -49,7 +49,19 @@ public class EnvironmentService {
 
     public EnvironmentEntity createDefaultForTenant(UUID tenantId) {
         return environmentRepository.findByTenantIdAndSlug(tenantId, "default")
-                .orElseGet(() -> create(tenantId, "default", "Default", null));
+                .orElseGet(() -> createInternal(tenantId, "default", "Default"));
+    }
+
+    /** Creates an environment without license enforcement — used for bootstrapping (e.g., tenant provisioning). */
+    private EnvironmentEntity createInternal(UUID tenantId, String slug, String displayName) {
+        if (environmentRepository.existsByTenantIdAndSlug(tenantId, slug)) {
+            throw new IllegalArgumentException("Slug already exists for this tenant: " + slug);
+        }
+        var entity = new EnvironmentEntity();
+        entity.setTenantId(tenantId);
+        entity.setSlug(slug);
+        entity.setDisplayName(displayName);
+        return environmentRepository.save(entity);
     }
 
     public List<EnvironmentEntity> listByTenantId(UUID tenantId) {

src/main/resources/application-test.yml

@@ -8,3 +8,7 @@ spring:
       resourceserver:
         jwt:
           issuer-uri: https://test-issuer.example.com/oidc
+
+cameleer:
+  clickhouse:
+    enabled: false