0e5e6904b5
Adds a `roles: readonly string[]` field to `AuthenticatedUser` and threads it through `toAuthenticatedUser()`. Entra includes the `roles` claim in the ID token when the user has at least one app role assigned on the BFF's app registration; the field flows onto `session.user` via the existing module-augmentation chain. No consumer yet — this is the prerequisite for the `AdminRoleGuard` and `@RequireAdmin()` decorator landing in the next PR per ADR-0020. Defensive parsing mirrors the `amr` claim: non-array claim → empty array; non-string entries filtered out. Empty array means "no app role assigned", not "claim unparseable". Tests: +4 specs covering claim present, absent, non-array, and mixed-type entries.