feat: add origin-aware managed/direct assignment methods to RbacService

- Add clearManagedAssignments, assignManagedRole, addUserToManagedGroup to interface
- Update assignRoleToUser and addUserToGroup to explicitly set origin='direct'
- Update getDirectRolesForUser to filter by origin='direct'
- Implement managed assignment methods with ON CONFLICT upsert

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

cameleer3-server-core/src/main/java/com/cameleer3/server/core/rbac/RbacService.java

@@ -17,4 +17,7 @@ public interface RbacService {
     List<UserSummary> getEffectivePrincipalsForRole(UUID roleId);
     List<String> getSystemRoleNames(String userId);
     RbacStats getStats();
+    void clearManagedAssignments(String userId);
+    void assignManagedRole(String userId, UUID roleId, UUID mappingId);
+    void addUserToManagedGroup(String userId, UUID groupId, UUID mappingId);
 }