feat: add role to user and include it in JWT

[Manuthor]

Summary

• Adds a roles: Vec<String> field to the UserPass model, persisted in a new roles TEXT NOT NULL DEFAULT '[]' column across all three database backends (SQLite, PostgreSQL, MySQL) via automatic schema migration.
• Emits a roles claim and an as_domain private claim (set to the authenticated realm ID) in every JWT issued at login, enabling downstream RBAC enforcement (e.g. KMS OPA middleware).
• Introduces an AuthorizationClaims struct to carry role and domain information through the JWT token lifecycle.
• Adds a roles field to ServerParams (TOML config) so operators can declare the canonical set of available role names for the deployment.
• Adds a GET /public/roles endpoint (no auth required) that returns the configured role list; used by the admin UI to populate dropdowns.
• Updates all CRUD operations (create, get, update, list credentials) in the server and the auth_client library to persist and retrieve roles correctly.
• Updates the OpenAPI schema with the roles property on UserPass and the new /public/roles path.
• Extends the admin UI with a multi-select Roles field in CreateCredentialModal, an EditCredentialModal for updating roles of existing credentials, and a Roles column (blue tags) in the credentials table — wired in both single-realm and super-admin views.
• Fixes a 32-bit setTimeout overflow in AuthContext.scheduleExpiry (tokens with exp far in the future previously reset auth state immediately) and fixes E2E test navigation that was broken by the same overflow and an incorrect page.goto("/") base URL.

[Copilot]

Pull request overview

Adds first-class RBAC role support to user credentials across the Rust client/server and the admin UI, and propagates those roles into issued JWTs for downstream authorization (OPA). This includes server configuration and a new public endpoint for discovering available roles.

Changes:

• Extend UserPass with roles: Vec<String> and persist it in all DB backends (SQLite/PostgreSQL/MySQL), including migrations and OpenAPI updates.
• Emit roles (authorization claims) and as_domain (private claim) when issuing JWTs during login; add GET /public/roles backed by ServerParams.roles.
• Update admin UI to fetch available roles, display them, and allow editing/assigning roles; adjust tests and docs accordingly.

Reviewed changes

Copilot reviewed 34 out of 34 changed files in this pull request and generated 9 comments.

Show a summary per file

File	Description
server/src/tests/username_password_tests.rs	Test fixture updated for new roles field on UserPass.
server/src/tests/params.rs	Test server params updated to include roles default.
server/src/tests/helpers.rs	Test helper updated for new roles field on UserPass.
server/src/session/jwt.rs	JWT issuance now includes authorization roles and as_domain; signature refactor to take JwtTokenConfig.
server/src/server/parameters/server_params.rs	Adds roles: Vec<String> to server configuration.
server/src/server/endpoints/mod.rs	Exposes new roles_endpoint from endpoints module.
server/src/server/endpoints/client_endpoints.rs	Adds /public/roles endpoint; login now loads roles for username/password sessions and passes them to JWT issuance.
server/src/server/auth_server.rs	Wires /public/roles route; seeds dev realm admin with empty roles.
server/src/lib.rs	Re-exports AuthorizationClaims from client crate.
server/src/database/trait.rs	Ensures default roles on built-in admin UserPass bootstrap.
server/src/database/tests.rs	DB tests updated for new roles field on UserPass.
server/src/database/impls/sqlite.rs	Adds roles column + migration; updates CRUD to store/load roles JSON.
server/src/database/impls/postgres.rs	Adds roles column + migration; updates CRUD to store/load roles JSON.
server/src/database/impls/mysql.rs	Adds roles column + migration; updates CRUD to store/load roles JSON.
server/documentation/openapi.yaml	Documents roles on UserPass and updates examples.
server/documentation/client_library.md	Client library docs updated for roles usage (example needs alignment with actual model).
server/auth_server.toml	Adds example roles = [...] configuration.
server/auth_server.dev.toml	Adds dev roles = [...] configuration and adjusts dev DB URL.
client/src/models/mod.rs	Re-exports AuthorizationClaims.
client/src/models/client_claims.rs	Introduces AuthorizationClaims and adds as_domain to private claims; flattens authorization into JWT claims.
client/src/models/base.rs	Adds roles: Vec<String> to UserPass.
client/src/lib.rs	Re-exports AuthorizationClaims.
CHANGELOG/add_role_to_user.md	Changelog entry describing RBAC roles, JWT claim propagation, and related UI changes.
admin-ui/tests/vitest.int.config.ts	Allows integration test suite to pass when no tests are present.
admin-ui/tests/unit/contexts/AuthContext.test.tsx	Updates expectations for same-origin default server URL.
admin-ui/tests/unit/components/credentials/CreateCredentialModal.test.tsx	Updates tests for new availableRoles prop.
admin-ui/tests/e2e/realms.spec.ts	Mocks /public/roles, modernizes routes, and updates mocked JWT timing.
admin-ui/tests/e2e/navigation.spec.ts	Improves route matching, mocks /public/roles, and fixes navigation base URL usage.
admin-ui/src/types/api.ts	Adds optional roles to UserPass API type.
admin-ui/src/services/rolesApi.ts	New API helper for GET /public/roles.
admin-ui/src/pages/CredentialsPage.tsx	Fetches available roles, displays role tags, and adds edit roles flow via new modal.
admin-ui/src/contexts/AuthContext.tsx	Defaults server URL to same-origin and caps expiry timer delay to avoid setTimeout overflow.
admin-ui/src/components/credentials/EditCredentialModal.tsx	New modal to edit roles on an existing credential.
admin-ui/src/components/credentials/CreateCredentialModal.tsx	Adds roles multi-select and extends submit callback to include roles.

[charming-wicket-5502]

Minor frontend refactoring concerns but otherwise looks good to me.