feat: rewrite frontend auth — roles from org store, Logto org role names

Replace ID-token claim reads with org store lookups in useAuth and
usePermissions; add currentOrgRoles to useOrgStore; update role names
to Logto org role conventions (admin/member); remove username from
Layout (no longer derived from token claims).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

ui/src/auth/useAuth.ts

@@ -1,35 +1,11 @@
 import { useLogto } from '@logto/react';
-import { useState, useEffect, useCallback } from 'react';
+import { useCallback } from 'react';
 import { useOrgStore } from './useOrganization';
 
-interface IdTokenClaims {
-  sub?: string;
-  email?: string;
-  name?: string;
-  username?: string;
-  roles?: string[];
-  organization_id?: string;
-  [key: string]: unknown;
-}
-
 export function useAuth() {
-  const { isAuthenticated, isLoading, getIdTokenClaims, signOut, signIn } = useLogto();
-  const [claims, setClaims] = useState<IdTokenClaims | null>(null);
+  const { isAuthenticated, isLoading, signOut, signIn } = useLogto();
   const { currentTenantId, isPlatformAdmin } = useOrgStore();
 
-  useEffect(() => {
-    if (isAuthenticated) {
-      getIdTokenClaims().then((c) => setClaims(c as IdTokenClaims));
-    } else {
-      setClaims(null);
-    }
-  }, [isAuthenticated, getIdTokenClaims]);
-
-  const username = claims?.username ?? claims?.name ?? claims?.email ?? claims?.sub ?? null;
-  const roles = (claims?.roles as string[]) ?? [];
-  // tenantId is the DB UUID from the org store (set by OrgResolver after /api/me)
-  const tenantId = currentTenantId;
-
   const logout = useCallback(() => {
     signOut(window.location.origin + '/login');
   }, [signOut]);
@@ -37,9 +13,7 @@ export function useAuth() {
   return {
     isAuthenticated,
     isLoading,
-    username,
-    roles,
-    tenantId,
+    tenantId: currentTenantId,
     isPlatformAdmin,
     logout,
     signIn,