feat: add origin-aware managed/direct assignment methods to RbacService

- Add clearManagedAssignments, assignManagedRole, addUserToManagedGroup to interface
- Update assignRoleToUser and addUserToGroup to explicitly set origin='direct'
- Update getDirectRolesForUser to filter by origin='direct'
- Implement managed assignment methods with ON CONFLICT upsert

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

cameleer3-server-app/src/main/java/com/cameleer3/server/app/rbac/RbacServiceImpl.java

@@ -54,8 +54,11 @@ public class RbacServiceImpl implements RbacService {
 
     @Override
     public void assignRoleToUser(String userId, UUID roleId) {
-        jdbc.update("INSERT INTO user_roles (user_id, role_id) VALUES (?, ?) ON CONFLICT DO NOTHING",
-                userId, roleId);
+        jdbc.update("""
+                INSERT INTO user_roles (user_id, role_id, origin)
+                VALUES (?, ?, 'direct')
+                ON CONFLICT (user_id, role_id, origin) DO NOTHING
+                """, userId, roleId);
     }
 
     @Override
@@ -65,8 +68,11 @@ public class RbacServiceImpl implements RbacService {
 
     @Override
     public void addUserToGroup(String userId, UUID groupId) {
-        jdbc.update("INSERT INTO user_groups (user_id, group_id) VALUES (?, ?) ON CONFLICT DO NOTHING",
-                userId, groupId);
+        jdbc.update("""
+                INSERT INTO user_groups (user_id, group_id, origin)
+                VALUES (?, ?, 'direct')
+                ON CONFLICT (user_id, group_id, origin) DO NOTHING
+                """, userId, groupId);
     }
 
     @Override
@@ -243,7 +249,8 @@ public class RbacServiceImpl implements RbacService {
     public List<RoleSummary> getDirectRolesForUser(String userId) {
         return jdbc.query("""
                 SELECT r.id, r.name, r.system FROM user_roles ur
-                JOIN roles r ON r.id = ur.role_id WHERE ur.user_id = ?
+                JOIN roles r ON r.id = ur.role_id
+                WHERE ur.user_id = ? AND ur.origin = 'direct'
                 """, (rs, rowNum) -> new RoleSummary(rs.getObject("id", UUID.class),
                 rs.getString("name"), rs.getBoolean("system"), "direct"), userId);
     }
@@ -255,4 +262,28 @@ public class RbacServiceImpl implements RbacService {
                 """, (rs, rowNum) -> new GroupSummary(rs.getObject("id", UUID.class),
                 rs.getString("name")), userId);
     }
+
+    @Override
+    public void clearManagedAssignments(String userId) {
+        jdbc.update("DELETE FROM user_roles WHERE user_id = ? AND origin = 'managed'", userId);
+        jdbc.update("DELETE FROM user_groups WHERE user_id = ? AND origin = 'managed'", userId);
+    }
+
+    @Override
+    public void assignManagedRole(String userId, UUID roleId, UUID mappingId) {
+        jdbc.update("""
+                INSERT INTO user_roles (user_id, role_id, origin, mapping_id)
+                VALUES (?, ?, 'managed', ?)
+                ON CONFLICT (user_id, role_id, origin) DO UPDATE SET mapping_id = EXCLUDED.mapping_id
+                """, userId, roleId, mappingId);
+    }
+
+    @Override
+    public void addUserToManagedGroup(String userId, UUID groupId, UUID mappingId) {
+        jdbc.update("""
+                INSERT INTO user_groups (user_id, group_id, origin, mapping_id)
+                VALUES (?, ?, 'managed', ?)
+                ON CONFLICT (user_id, group_id, origin) DO UPDATE SET mapping_id = EXCLUDED.mapping_id
+                """, userId, groupId, mappingId);
+    }
 }

cameleer3-server-core/src/main/java/com/cameleer3/server/core/rbac/RbacService.java

@@ -17,4 +17,7 @@ public interface RbacService {
     List<UserSummary> getEffectivePrincipalsForRole(UUID roleId);
     List<String> getSystemRoleNames(String userId);
     RbacStats getStats();
+    void clearManagedAssignments(String userId);
+    void assignManagedRole(String userId, UUID roleId, UUID mappingId);
+    void addUserToManagedGroup(String userId, UUID groupId, UUID mappingId);
 }