debug: log access_token format to diagnose opaque vs JWT

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java

@@ -117,6 +117,10 @@ public class OidcTokenExchanger {
         // Try roles from access_token first (JWT providers like Logto, Keycloak),
         // then fall back to id_token
         List<String> roles = Collections.emptyList();
+        log.info("OIDC access_token: isJwt={}, length={}, prefix='{}'",
+                accessTokenStr != null && accessTokenStr.contains("."),
+                accessTokenStr != null ? accessTokenStr.length() : 0,
+                accessTokenStr != null ? accessTokenStr.substring(0, Math.min(30, accessTokenStr.length())) : "null");
         if (accessTokenStr != null && accessTokenStr.contains(".")) {
             try {
                 String audience = config.audience() != null ? config.audience() : "";