Fix: load OIDC role sync config from ENV in all environments

OIDC_ADMIN_GROUP_NAME and OIDC_GROUPS_CLAIM were only set in prod block;
in dev admin_group was nil so role sync never ran. Move config outside
prod block so dev/test get ENV values.

config/runtime.exs

@@ -89,6 +89,11 @@ if System.get_env("PHX_SERVER") do
   config :mv, MvWeb.Endpoint, server: true
 end
 
+# OIDC group → Admin role sync: read from ENV in all environments (dev/test/prod)
+config :mv, :oidc_role_sync,
+  admin_group_name: System.get_env("OIDC_ADMIN_GROUP_NAME"),
+  groups_claim: System.get_env("OIDC_GROUPS_CLAIM") || "groups"
+
 if config_env() == :prod do
   database_url = build_database_url.()
 
@@ -153,11 +158,6 @@ if config_env() == :prod do
     client_secret: client_secret,
     redirect_uri: System.get_env("OIDC_REDIRECT_URI") || default_redirect_uri
 
-  # OIDC group → Admin role sync (optional). Groups claim default "groups".
-  config :mv, :oidc_role_sync,
-    admin_group_name: System.get_env("OIDC_ADMIN_GROUP_NAME"),
-    groups_claim: System.get_env("OIDC_GROUPS_CLAIM") || "groups"
-
   # Token signing secret from environment variable
   # This overrides the placeholder value set in prod.exs
   # Supports TOKEN_SIGNING_SECRET or TOKEN_SIGNING_SECRET_FILE for Docker secrets.