derive JWT roles from FetchUserByEmail (not GetRoleIDsFromEmail)
keep /me primary role as role_id
exclude primary role from additional_role_id (empty if no extra roles)
add project-to-role debug logs for role source tracing
- Change JWT access token RoleID claim from int to []int to support multiple roles per user
- Update all token generation and refresh logic to handle multiple role IDs as []int
- Refactor services to return and process multiple role IDs from user_roles table
- Fix OAuth state handling explanation and improve code comments
- Clean up related function signatures and usages for consistency
admin