fix: SCIM reconciliation fixes and diagnostic logging

src/auth.ts

@@ -271,6 +271,7 @@ async function getAuthInstance() {
                   userGroupNames = tokenGroups;
                 }
 
+                console.log(`[oidc] User ${user.email} scimEnabled=${settings.scimEnabled}, final groups:`, userGroupNames);
                 const { reconcileUserTeamMemberships } = await import("@/server/services/group-mappings");
                 await prisma.$transaction(async (tx) => {
                   await reconcileUserTeamMemberships(tx, dbUser.id, userGroupNames);

src/server/services/group-mappings.ts

@@ -56,6 +56,7 @@ export async function reconcileUserTeamMemberships(
   userGroupNames: string[],
 ): Promise<void> {
   const allMappings = await loadGroupMappings();
+  console.log(`[reconcile] userId=${userId}, userGroups=${JSON.stringify(userGroupNames)}, mappings=${JSON.stringify(allMappings)}`);
 
   // Compute desired state: for each team, the highest role from any matching group
   const desiredTeamRoles = new Map<string, "VIEWER" | "EDITOR" | "ADMIN">();
@@ -69,10 +70,13 @@ export async function reconcileUserTeamMemberships(
     }
   }
 
+  console.log(`[reconcile] desiredTeamRoles=${JSON.stringify([...desiredTeamRoles.entries()])}`);
+
   // Fetch current group_mapping TeamMembers for this user
   const existing = await tx.teamMember.findMany({
     where: { userId, source: "group_mapping" },
   });
+  console.log(`[reconcile] existing group_mapping members=${JSON.stringify(existing.map(m => ({ teamId: m.teamId, role: m.role })))}`);
 
   const existingByTeam = new Map(existing.map((m) => [m.teamId, m]));