feat(security): design OIDC and SAML SSO integration path

[however-yir]

Problem

Enterprise teams often need KnowledgeOps Agent to integrate with existing identity providers instead of managing only API keys and local JWT flows.

Scope

• Document target OIDC/SAML authentication flows.
• Define how external identities map to tenants, roles, and permissions.
• Identify Spring Security configuration changes and migration risks.

Acceptance criteria

• Architecture notes are added under docs/.
• Tenant and RBAC mapping strategy is documented.
• Implementation tasks are split into follow-up issues.