docs: document server:-prefixed scopes and case-insensitive role mapping

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

docs/SERVER-CAPABILITIES.md

@@ -264,7 +264,17 @@ When OIDC is configured and enabled, the login page automatically redirects to t
 
 ### OIDC Resource Server
 
-When `CAMELEER_OIDC_ISSUER_URI` is configured, the server accepts external access tokens (e.g., Logto M2M tokens) in addition to internal HMAC JWTs. Dual-path validation: tries internal HMAC first, falls back to OIDC JWKS validation. OAuth2 scope-based role mapping: `admin` scope maps to ADMIN, `operator` to OPERATOR, `viewer` to VIEWER. Supports ES384, ES256, and RS256 algorithms. Handles RFC 9068 `at+jwt` token type.
+When `CAMELEER_OIDC_ISSUER_URI` is configured, the server accepts external access tokens (e.g., Logto M2M tokens) in addition to internal HMAC JWTs. Dual-path validation: tries internal HMAC first, falls back to OIDC JWKS validation. Supports ES384, ES256, and RS256 algorithms. Handles RFC 9068 `at+jwt` token type.
+
+Role mapping is case-insensitive and accepts both bare and `server:`-prefixed names:
+
+| Scope/claim value | Maps to |
+|-------------------|---------|
+| `admin`, `server:admin`, `Server:Admin` | ADMIN |
+| `operator`, `server:operator` | OPERATOR |
+| `viewer`, `server:viewer` | VIEWER |
+
+This applies to both M2M tokens (`scope` claim) and OIDC user login (configurable `rolesClaim` from id_token). The `server:` prefix allows dedicated API resource scopes without colliding with other platform scopes.
 
 | Variable | Purpose |
 |----------|---------|