Permission groups and authority mapping

[coopernetes]

Should be relatively simple - let admins create permission groups (with associated repo rules) and sync/specify the auth provider's "target" (LDAP DN, OIDC groups value). Users who login with that memberOf/groups value gets mapped into the corresponding authority.

[coopernetes]

Expanding the scope here based on further design discussion:

The basic group→role mapping described above is the foundation, but the more important use case for enterprise environments is having IdP-sourced groups drive permissions directly — not just role assignments.

For example: an OIDC/LDAP group membership (e.g. cn=team-alpha-devs,ou=groups,dc=example,dc=com) should be able to map directly to a named permission group, granting that group's repo access without requiring an admin to manually assign each user. This is the standard enterprise model for access governance:

• IdP groups → permission groups → repo permissions
• Role mappings (auth.role-mappings) handle role assignment today, but there is no equivalent bridge from IdP groups to permission grants

This is distinct from role mappings because roles are coarse-grained (ADMIN, USER, SELF_CERTIFY) while permission groups are fine-grained (which repos a user can touch). The two systems need to interoperate: a user in IdP group team-alpha gets ROLE_USER via role-mappings AND gets the team-alpha-repos permission group applied automatically.

Relates to the config unification work tracked in #221.