f4eafd9a0f
Roles from the id_token's rolesClaim are now diffed against stored system roles on each OIDC login. Missing roles are added, revoked roles are removed. Group memberships (manually assigned) are never touched. This propagates scope revocations from the OIDC provider on next user login. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>