feat(auth): auto-promote members of SUPERUSER_GROUP

[mxhash]

Summary

Optional auto-superuser feature driven by group membership.

• New setting `SUPERUSER_GROUP` (case-insensitive). When set, members of that group are superusers.
• OIDC: the `groups` scope is auto-appended to the OIDC request, and the `groups` claim is evaluated on each login. Match → `is_superuser=True`; no match → `is_superuser=False`.
• SCIM: every group create/update/patch/delete re-derives the flag globally. Members of the named group are promoted, everyone else demoted. Renaming a group away from the configured name or deleting it clears its members' superuser flag.
• Manual `struudel superuser grant/revoke` still works but is overridden by the next login/SCIM sync when the setting is configured. Leaving `SUPERUSER_GROUP` empty makes the CLI authoritative (no-op behaviour).

Test plan

• PR image `ghcr.io/netways/struudel:pr-` built by CI
• Set `SUPERUSER_GROUP=` on the server, recreate app+worker
• In Authentik, ensure the user-info groups claim is enabled and the SCIM connector still syncs cleanly
• Log in as a user in the configured group → `g.user.is_superuser` is true (admin nav visible)
• Remove the user from the group in the IdP → next SCIM sync demotes them; relog confirms via OIDC too
• Empty `SUPERUSER_GROUP` → CLI grant/revoke still works and isn't overwritten