Fix email resolution from Azure AD token claims

Azure AD v1 access tokens (sts.windows.net issuer) use the 'upn' claim
for the user principal name/email, not 'email' or 'preferred_username'.
Add 'upn' as a fallback so email is correctly resolved on login.

Also add debug logging to show which claims are present.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/app/dependencies/auth.py

@@ -101,9 +101,17 @@ async def get_current_db_user(
             detail="Missing user identifier in token claims",
         )
 
+    # Azure AD v1 access tokens use 'upn'; v2/ID tokens use 'email' or 'preferred_username'
+    email = (
+        user_claims.get("email")
+        or user_claims.get("preferred_username")
+        or user_claims.get("upn")
+        or ""
+    )
+    logger.debug(f"[Auth] Resolved email='{email}' from claims keys: {list(user_claims.keys())}")
     user = await user_repo.get_or_create_from_azure(
         azure_ad_oid=azure_oid,
-        email=user_claims.get("email", user_claims.get("preferred_username", "")),
+        email=email,
         name=user_claims.get("name", "Unknown"),
     )