Adds a `roles: readonly string[]` field to `AuthenticatedUser` and
threads it through `toAuthenticatedUser()`. Entra includes the
`roles` claim in the ID token when the user has at least one app
role assigned on the BFF's app registration; the field flows onto
`session.user` via the existing module-augmentation chain.
No consumer yet — this is the prerequisite for the `AdminRoleGuard`
and `@RequireAdmin()` decorator landing in the next PR per ADR-0020.
Defensive parsing mirrors the `amr` claim: non-array claim → empty
array; non-string entries filtered out. Empty array means "no app
role assigned", not "claim unparseable".
Tests: +4 specs covering claim present, absent, non-array, and
mixed-type entries.