feat: Auto-configure impersonation role in Keycloak realm import

Add service account user with impersonation role to realm-export.json
so that Tier 1 impersonation works out-of-the-box without requiring
manual CLI configuration.

Changes:
- Add service-account-nextcloud-mcp-server user to realm import
- Grant "impersonation" role from "realm-management" client
- Eliminates need for manual `kcadm.sh add-roles` command

Benefits:
- Impersonation tests now pass automatically
- No manual permission configuration required
- Consistent development environment setup

Verified:
- Manual test: tests/manual/test_impersonation.py ✅ PASS
- Integration tests: tests/integration/auth/test_token_exchange_legacy_v1.py ✅ 3 PASS

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

keycloak/realm-export.json

@@ -150,6 +150,16 @@
           "1073741824"
         ]
       }
+    },
+    {
+      "username": "service-account-nextcloud-mcp-server",
+      "enabled": true,
+      "serviceAccountClientId": "nextcloud-mcp-server",
+      "clientRoles": {
+        "realm-management": [
+          "impersonation"
+        ]
+      }
     }
   ],
   "clients": [