0d610be3dc
The OIDC callback extracted roles from the token's Custom JWT claim (e.g. roles: [server:admin]) but never used them. The applyClaimMappings fallback only assigned defaultRoles (VIEWER). Now the fallback priority is: claim mapping rules > OIDC token roles > defaultRoles. This ensures users get their org-mapped roles (owner → server:admin) without requiring manual claim mapping rule configuration. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>