fix: syncOidcRoles uses direct roles only, always overwrites

- Expose getDirectRolesForUser on RbacService interface so syncOidcRoles
  compares against directly-assigned roles only, not group-inherited ones
- Remove early-return that preserved existing roles when OIDC returned
  none — now always applies defaultRoles as fallback
- Update CLAUDE.md and SERVER-CAPABILITIES.md to reflect changes

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

cameleer3-server-core/src/main/java/com/cameleer3/server/core/rbac/RbacService.java

@@ -10,6 +10,7 @@ public interface RbacService {
     void removeRoleFromUser(String userId, UUID roleId);
     void addUserToGroup(String userId, UUID groupId);
     void removeUserFromGroup(String userId, UUID groupId);
+    List<RoleSummary> getDirectRolesForUser(String userId);
     List<RoleSummary> getEffectiveRolesForUser(String userId);
     List<GroupSummary> getEffectiveGroupsForUser(String userId);
     List<RoleSummary> getEffectiveRolesForGroup(UUID groupId);