Phase 1.3: Implement Role Extraction and Precedence Logic #147

@bakhterets

Purpose:
Implement helper functions to extract user roles from JWT and determine role precedence.

Tasks:

  • In internal/api/auth/rbac.go:
    • Implement GetUserRoles(jwtToken) -> []string (extracts groups claim from JWT)
    • Implement GetHighestPrivilegeRole(roles []string, config) -> Role (applies role hierarchy)
    • Support legacy "admin-group" mapping to sd_admins
  • Write unit tests for:
    • All possible combinations and edge cases of groups/roles in the JWT
    • Correct mapping and precedence determination

Acceptance Criteria:

  • JWT parsing extracts groups reliably
  • Precedence logic follows documented hierarchy
  • All functions fully covered by unit tests, including edge cases
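
Added example (not part of the issue text and not the project's code): one way the two helpers could look in Go using only the standard library. Assumptions: the Config shape, roles as plain strings in place of the issue's Role type, the role names sd_operators and sd_viewers, a "groups" claim that must be a JSON string array, and signature validation done by earlier middleware.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

type Config struct {
	Hierarchy []string          // assumed shape: highest privilege first
	Legacy    map[string]string // old group name -> current role
}

// GetUserRoles reads "groups" WITHOUT verifying the signature: pass validated tokens only.
func GetUserRoles(jwtToken string) ([]string, error) {
	parts := strings.Split(jwtToken, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT: %d segments", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("payload is not base64url: %w", err)
	}
	var claims struct{ Groups []string `json:"groups"` }
	if err := json.Unmarshal(raw, &claims); err != nil {
		return nil, fmt.Errorf("invalid payload or groups claim: %w", err)
	}
	return claims.Groups, nil // nil when the claim is absent
}

// GetHighestPrivilegeRole fails closed: false when no group is a known role.
func GetHighestPrivilegeRole(roles []string, cfg Config) (string, bool) {
	for _, want := range cfg.Hierarchy {
		for _, g := range roles {
			if g == want || cfg.Legacy[g] == want {
				return want, true
			}
		}
	}
	return "", false
}

func main() {
	cfg := Config{[]string{"sd_admins", "sd_viewers"}, map[string]string{"admin-group": "sd_admins"}} // sd_viewers is hypothetical
	body := base64.RawURLEncoding.EncodeToString([]byte(`{"groups":["sd_viewers","admin-group"]}`)) // constructed payload
	roles, err := GetUserRoles("e30." + body + ".sig")
	role, ok := GetHighestPrivilegeRole(roles, cfg)
	fmt.Println(roles, err, role, ok)
}
```

A token whose groups claim is a bare string or contains non-string entries is rejected with an error here, and a token with no recognised group yields no role, so callers can deny by default.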
