fix: include managed role assignments in direct roles query

getDirectRolesForUser filtered on origin='direct', which excluded
roles assigned via claim mapping (origin='managed'). This caused
OIDC users to appear roleless even when claim mappings matched.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

cameleer3-server-app/src/main/java/com/cameleer3/server/app/rbac/RbacServiceImpl.java

@@ -248,11 +248,11 @@ public class RbacServiceImpl implements RbacService {
     @Override
     public List<RoleSummary> getDirectRolesForUser(String userId) {
         return jdbc.query("""
-                SELECT r.id, r.name, r.system FROM user_roles ur
+                SELECT r.id, r.name, r.system, ur.origin FROM user_roles ur
                 JOIN roles r ON r.id = ur.role_id
-                WHERE ur.user_id = ? AND ur.origin = 'direct'
+                WHERE ur.user_id = ?
                 """, (rs, rowNum) -> new RoleSummary(rs.getObject("id", UUID.class),
-                rs.getString("name"), rs.getBoolean("system"), "direct"), userId);
+                rs.getString("name"), rs.getBoolean("system"), rs.getString("origin")), userId);
     }
 
     private List<GroupSummary> getDirectGroupsForUser(String userId) {