Adds a second JWT bearer scheme for the medewerker realm; on validation it lifts
Keycloak's realm_access.roles onto the principal so the behandelaar policy can
require the role. /behandel/werkbak proxies the domain werkbak behind that policy
(401 without a token, 403 without the role). openapi.json + api-client regenerated;
Keycloak__MedewerkerAuthority wired into compose.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>