feat(fleet-auth): unify Zitadel role extraction + request roles via scope (Ch1) #327

Merged
johnride merged 1 commits from feat/fleet-ch1-role-gate-followups into feat/fleet-device-exec-logs 2026-06-09 19:44:32 +00:00

1 Commits

Author SHA1 Message Date
f316bd629b feat(fleet-auth): request Zitadel project roles in-band via OIDC scope (Ch1)
All checks were successful
Run Check Script / check (pull_request) Successful in 2m31s
Role-gate follow-up from v0.3 plan Ch1:

- `build_login_attempt` appends the `urn:zitadel:iam:org:project:roles` scope,
  so the gate no longer depends on Zitadel's out-of-band "Assert Roles on
  Authentication" checkbox (which silently broke it once). Idempotent if the
  scope is already present.
- docs/guides/operator-dashboard-sso.md step 1b + config reference: drop the
  wrong checkbox instruction, document the in-band scope.

Role extraction stays local to each crate (dashboard object-map; callout
configurable claim path) — two small, genuinely-different parsers, not a
shared crate. Lifting `require_role` to a composable layer is skipped as
YAGNI — only `fleet-admin` exists; revisit at the second role.
2026-06-05 15:25:53 -04:00
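The two halves of this change, requesting the roles scope idempotently and gating on the resulting claim, as an added, stand-alone example in Go (the project's own crates are Rust; this is not their code). `WithRolesScope`, `RolesFromClaims` and `RequireRole` are names chosen here, the claims JSON is a constructed sample with placeholder org id and domain, and the claim shape assumed is Zitadel's documented one: the `urn:zitadel:iam:org:project:roles` claim is an object keyed by role name whose values map org id to org domain. A missing or malformed claim yields no roles, so the gate fails closed rather than granting.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// ZitadelRolesScope is the OIDC scope named in the PR; Zitadel uses the same
// string as the claim name that carries the granted project roles.
const ZitadelRolesScope = "urn:zitadel:iam:org:project:roles"

// WithRolesScope appends the roles scope to a space-separated OIDC scope
// string. It is idempotent: a scope string that already carries the roles
// scope is returned unchanged (modulo whitespace normalisation).
func WithRolesScope(scope string) string {
	fields := strings.Fields(scope)
	for _, s := range fields {
		if s == ZitadelRolesScope {
			return strings.Join(fields, " ")
		}
	}
	return strings.Join(append(fields, ZitadelRolesScope), " ")
}

// RolesFromClaims extracts the role names from the Zitadel roles claim in a
// decoded-and-verified token's claim set (assumed shape: role -> {orgID: orgDomain}).
// An absent claim returns no roles and no error; a claim of the wrong shape is an
// error. Either way the caller ends up with nothing to grant on.
func RolesFromClaims(rawClaims []byte) ([]string, error) {
	var claims map[string]json.RawMessage
	if err := json.Unmarshal(rawClaims, &claims); err != nil {
		return nil, fmt.Errorf("claims: %w", err)
	}
	raw, ok := claims[ZitadelRolesScope]
	if !ok {
		return nil, nil
	}
	var roles map[string]map[string]string
	if err := json.Unmarshal(raw, &roles); err != nil {
		return nil, fmt.Errorf("roles claim has unexpected shape: %w", err)
	}
	names := make([]string, 0, len(roles))
	for name := range roles {
		names = append(names, name)
	}
	sort.Strings(names)
	return names, nil
}

// RequireRole is the role gate: true only when the claim set carries `role`.
func RequireRole(rawClaims []byte, role string) (bool, error) {
	roles, err := RolesFromClaims(rawClaims)
	if err != nil {
		return false, err
	}
	for _, r := range roles {
		if r == role {
			return true, nil
		}
	}
	return false, nil
}

// sampleClaims is a constructed claim set (not from the page); the org id and
// domain are placeholders.
const sampleClaims = `{"sub":"user-123","urn:zitadel:iam:org:project:roles":{"fleet-admin":{"000000000000000000":"example.org"}}}`

func main() {
	scope := WithRolesScope("openid profile email")
	fmt.Println("scope:", scope)
	fmt.Println("again:", WithRolesScope(scope)) // unchanged

	ok, err := RequireRole([]byte(sampleClaims), "fleet-admin")
	fmt.Println("fleet-admin granted:", ok, "err:", err)

	ok, err = RequireRole([]byte(`{"sub":"user-456"}`), "fleet-admin")
	fmt.Println("no roles claim granted:", ok, "err:", err) // false, nil
}
```

The absent-claim case is exactly what the commit describes: with the scope left to an out-of-band checkbox, a token can arrive with no roles claim at all, and a gate that keys on the claim silently denies everyone until someone notices the checkbox. Requesting the scope in every login attempt removes that dependency.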