feat(online-inbox): gate access on Zitadel "user" project role

The Online API now requires the "user" project role (claim
urn:zitadel:iam:org:project:roles) instead of an ALLOWED_USER_IDS allowlist.

- IOnlineAuthProvider: add GetAccessTokenAsync(forceRefresh) overload
- ZitadelAuthProvider: forceRefresh drops the cached token and re-runs the
  refresh-token grant to mint a fresh, role-bearing token
- OnlineInboxApiClient: on 401, force-refresh and retry once; if still 401,
  throw a clear "missing 'user' role" error
- OnlineSyncService: surface the 401 at Error level (no longer silent)
- UI: ZitadelTokenInspector decodes the access token after login and warns
  early when the "user" role is absent (fail-open); shown in settings
- docs: online-inbox-api-contract reflects role-based access (no allowlist)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

src/ClaudeDo.Worker/Online/Interfaces/IOnlineAuthProvider.cs

@@ -3,4 +3,11 @@ namespace ClaudeDo.Worker.Online.Interfaces;
 public interface IOnlineAuthProvider
 {
     Task<string?> GetAccessTokenAsync(CancellationToken ct = default);
+
+    /// <summary>
+    /// Gets an access token, optionally dropping any cached token first so a fresh
+    /// (role-bearing) token is minted via the refresh-token grant. Used to recover from a
+    /// 401 caused by a stale token issued before role assertion was enabled.
+    /// </summary>
+    Task<string?> GetAccessTokenAsync(bool forceRefresh, CancellationToken ct = default);
 }