bug: duplicate username provisioning exposes raw database IntegrityError

[jsell-rh]

Summary

When two SSO users share the same preferred_username claim, the second user's JIT provisioning fails with a raw SQLAlchemy IntegrityError that propagates to the caller. This should be caught and converted to a domain-level error.

Expected Behavior

Per specs/iam/users.spec.md:

• The second provisioning fails with a provisioning conflict error
• The error does not expose database internals

Actual Behavior

iam/application/services/user_service.py:96-102 catches all exceptions, logs them, and re-raises unchanged:

except Exception as e:
    self._probe.user_provision_failed(...)
    raise

The user repository (iam/infrastructure/user_repository.py) has no IntegrityError handling — it propagates as a raw database exception, which surfaces as a 500 Internal Server Error with SQLAlchemy details in the response.

Impact

• Exposes database internals (table names, constraint names) in error responses
• Returns 500 instead of a meaningful error code (409 Conflict)
• No actionable error message for the caller

Fix

Catch IntegrityError in the user repository or service layer, check for the username uniqueness constraint, and raise a domain exception (e.g., DuplicateUsernameError) that maps to 409 Conflict.

References

• specs/iam/users.spec.md — "Duplicate username" scenario