Replace the ALLOWED_USER_IDS sub-allowlist with a Zitadel project role
check: tokens must carry the role from REQUIRED_ROLE (default "user")
in the urn:zitadel:iam:org:project[:id]:roles claim. Roles are granted
per account in Zitadel (project ClaudeDo), where access is now managed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

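A sketch of the role check the commit message above describes, added here as an example and not the project's own code. The names hasRequiredRole, rolesClaimName and sampleClaims and all sample values are assumptions; the claim is taken to have Zitadel's role -> { orgId: orgDomain } shape, and the token's signature, issuer and audience are assumed to be verified before this runs.

```typescript
// Added example: claim names come from the commit message, everything else is hypothetical.
type Claims = Record<string, unknown>;

const ROLES_CLAIM = "urn:zitadel:iam:org:project:roles";

// Generic claim, or the project-scoped form when a project id is supplied.
function rolesClaimName(projectId?: string): string {
  return projectId ? `urn:zitadel:iam:org:project:${projectId}:roles` : ROLES_CLAIM;
}

// True only if the already-verified claims grant requiredRole ("user" mirrors the stated default).
function hasRequiredRole(claims: Claims, requiredRole: string = "user", projectId?: string): boolean {
  const roles = claims[rolesClaimName(projectId)];
  // Fail closed: a missing claim, null, an array or a scalar grants nothing.
  if (typeof roles !== "object" || roles === null || Array.isArray(roles)) return false;
  // Own-property lookup so names like "constructor" never match via the prototype chain.
  if (!Object.prototype.hasOwnProperty.call(roles, requiredRole)) return false;
  const grant = (roles as Record<string, unknown>)[requiredRole];
  // Require at least one granting organisation under the role key.
  return typeof grant === "object" && grant !== null && Object.keys(grant).length > 0;
}

// Constructed sample claims (not real tokens or ids).
const sampleClaims: Claims = {
  sub: "constructed-user-id",
  "urn:zitadel:iam:org:project:roles": { user: { "constructed-org-id": "example.test" } },
};

const scopedClaims: Claims = {
  sub: "constructed-user-id",
  "urn:zitadel:iam:org:project:constructed-project-id:roles": {
    user: { "constructed-org-id": "example.test" },
  },
};

console.log(hasRequiredRole(sampleClaims));                                   // role present
console.log(hasRequiredRole(sampleClaims, "admin"));                          // role absent
console.log(hasRequiredRole(scopedClaims, "user", "constructed-project-id")); // scoped claim
```
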
The desktop pushes its full Idle backlog as a JSON array to /tasks/mirror, not per-task.
Previously /tasks/mirror matched tasks/[id].put.ts (id=mirror) and rejected the array with
400. New static route validates per-element, accepts empty arrays, upserts each as
consumed=true (desktop-owned), deletes consumed=true rows not in the array, and leaves
web-created consumed=false rows untouched. Mirrors PUT /lists.