refactor: architecture cleanup — OIDC dedup, PKCE, K8s hardening
- Extract OidcProviderHelper for shared discovery + JWK source construction
- Add SystemRole.normalizeScope() to centralize role normalization
- Merge duplicate claim extraction in OidcTokenExchanger
- Add PKCE (S256) to OIDC authorization flow (frontend + backend)
- Add SecurityContext (runAsNonRoot) to all K8s deployments
- Fix postgres probe to use $POSTGRES_USER instead of hardcoded username
- Remove default credentials from Dockerfile
- Extract sanitize_branch() to shared .gitea/sanitize-branch.sh
- Fix sidebar to use /exchanges/ paths directly, remove legacy redirects
- Centralize basePath computation in router.tsx via config module

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@@ -20,4 +20,14 @@ public final class SystemRole {
|
||||
"AGENT", AGENT_ID, "VIEWER", VIEWER_ID, "OPERATOR", OPERATOR_ID, "ADMIN", ADMIN_ID);
|
||||
|
||||
public static boolean isSystem(UUID id) { return IDS.contains(id); }
|
||||
|
||||
/**
|
||||
* Normalizes an OIDC scope name to a system role name.
|
||||
* Strips optional {@code server:} prefix, case-insensitive.
|
||||
* E.g. {@code "server:admin"} → {@code "ADMIN"}, {@code "viewer"} → {@code "VIEWER"}.
|
||||
*/
|
||||
public static String normalizeScope(String scope) {
|
||||
String upper = scope.toUpperCase();
|
||||
return upper.startsWith("SERVER:") ? upper.substring("SERVER:".length()) : upper;
|
||||
}
|
||||
}
|
||||
|
||||
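Review bot: `normalizeScope()` calls `scope.toUpperCase()` with no `Locale`, so the result depends on the JVM default locale; under a Turkish locale `"viewer".toUpperCase()` produces a dotted capital I and will not match `"VIEWER"` in the name map above, silently dropping the role. Use `scope.toUpperCase(Locale.ROOT)` (and import `java.util.Locale`) so the `"SERVER:"` prefix check and the role lookup are locale-independent. The method also dereferences `scope` without a null check, so a missing scope claim surfaces as a `NullPointerException` rather than a clean "no role" result; either document that callers must pass non-null or return `null`/`Optional.empty()` for that case, and state the chosen behaviour in the Javadoc alongside the "case-insensitive" note.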