fix: use managed assignments for OIDC fallback role paths

The roles-claim and default-roles fallback paths in applyClaimMappings
were using assignRoleToUser (origin='direct'), causing OIDC-derived
roles to accumulate across logins and never be cleared. Changed both
to assignManagedRole (origin='managed') so all OIDC-assigned roles
are cleared and re-evaluated on every login, same as claim mapping
rules. Only roles assigned directly via the admin UI are preserved.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
hsiegeln
2026-04-14 17:19:20 +02:00
parent 58e802e2d4
commit dcd0b4ebcd


@@ -222,7 +222,7 @@ public class OidcAuthController {
for (String roleName : oidcExtractedRoles) { for (String roleName : oidcExtractedRoles) {
UUID roleId = SystemRole.BY_NAME.get(SystemRole.normalizeScope(roleName)); UUID roleId = SystemRole.BY_NAME.get(SystemRole.normalizeScope(roleName));
if (roleId != null) { if (roleId != null) {
rbacService.assignRoleToUser(userId, roleId); rbacService.assignManagedRole(userId, roleId, null);
log.info("OIDC role {} assigned to {} (from token claim)", roleName, userId); log.info("OIDC role {} assigned to {} (from token claim)", roleName, userId);
} }
} }
@@ -232,7 +232,7 @@ public class OidcAuthController {
for (String roleName : defaultRoles) { for (String roleName : defaultRoles) {
UUID roleId = SystemRole.BY_NAME.get(SystemRole.normalizeScope(roleName)); UUID roleId = SystemRole.BY_NAME.get(SystemRole.normalizeScope(roleName));
if (roleId != null) { if (roleId != null) {
rbacService.assignRoleToUser(userId, roleId); rbacService.assignManagedRole(userId, roleId, null);
log.debug("Default role {} assigned to {} (no claim mapping or OIDC roles)", roleName, userId); log.debug("Default role {} assigned to {} (no claim mapping or OIDC roles)", roleName, userId);
} }
} }
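Review bot: Both new `assignManagedRole(userId, roleId, null)` calls pass `null` as the third argument, so if that parameter records the mapping rule or source behind a managed assignment, roles granted from the raw token roles claim and from the default-roles fallback become indistinguishable from each other and from rule-derived ones in the stored assignment, and an audit of "why does this user hold admin" cannot answer it. If the parameter cannot carry a source, at least a comment at each call would help: `// null: not backed by a claim-mapping rule; origin is the token roles claim / default-roles config, re-evaluated on every login`. The per-login clearing of managed roles that the commit message relies on is not in these hunks (applyClaimMappings starts and ends outside them), so I cannot confirm it runs before these loops. Role names with no `SystemRole.BY_NAME` match are dropped silently on both paths; an `else` branch with `log.warn("OIDC role {} has no matching system role, ignored", roleName)` would surface IdP role-name drift instead of a user quietly losing access.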