feat: auto-sync permissions ACL for Jira and Confluence connectors

[junaiddshaukat]

Summary

Adds a third knowledge-source visibility mode, Auto-sync permissions, that extracts per-document ACL from Jira and Confluence during sync and enforces it at query time via query_knowledge_sources. Each document is filtered against the caller's identity (email) so users only see results they can already read upstream.

• Schema: extends KnowledgeSourceVisibilitySchema with auto-sync-permissions (no DB migration — column is text).
• Per-document ACL: extended buildDocumentAccessControlList to derive org:* / user_email:<email> / group:<id> entries from ConnectorDocument.permissions.
• Sync pipeline: connector-sync computes per-doc ACL when visibility is auto-sync, otherwise reuses the connector-wide ACL. refreshConnectorDocumentAccessControlLists skips auto-sync connectors so a visibility flip doesn't flatten per-document ACLs.
• Connector contract: new extractPermissions?: boolean param on Connector.sync. BaseConnector.buildDocumentPermissions normalizes/dedupes upstream user + group payloads so future connectors plug in without duplication.
• Jira resolver: per-project cache of role actors via /project/{key}/role/{id}. Emails resolved via /user/search?query=<displayName> because Atlassian

Cloud no longer returns emails from accountId-based endpoints even when profile visibility is "Anyone".

• Confluence resolver: per-page /restriction/byOperation/read with fallback to space permissions. Email resolution via /api/user/bulk first, then /api/user.
• Gating: backend (REST + MCP create/update handlers) and frontend selector reject auto-sync-permissions for unsupported connector types and require ARCHESTRA_ENTERPRISE_LICENSE_KNOWLEDGE_BASE_ACTIVATED.
• Tests: unit tests for both resolvers (mocked SDKs) plus integration coverage for the per-doc ACL builder, refresh skip, license gate, and connector-type gate.
• Docs: new "Auto-sync permissions" section in platform-knowledge-connectors.md covering identity mapping, ACL sources per connector, group-sync limitation, and fail-closed behavior.

Demo video

demo-1.mp4

The video shows three browser sessions (admin, user1, user2) running the same prompt against the same agent. Each user only sees results they can read upstream in Jira/Confluence:

• admin — knowledgeSource:admin bypass, sees every ticket and page.
• user1 (rhondachamb...) — added to DEMO project role only; sees Plan Q3 roadmap, Fix login bug, Architecture Review 2026, Ship feature X; gets no SECRET project results.
• user2 (billyroberts...) — added to SECRET project role only; sees Acquisition target ACME, Layoff plan, Confidential pricing; gets no DEMO results.

Confluence space and page restrictions follow the same pattern. ACL refresh on every sync was verified by removing user1 from the DEMO Jira role, re-syncing, and re-running the user1 query — DEMO results disappeared within one sync cycle.

Closes #3218

/claim #3218

[junaiddshaukat]

@joeyorlando have a look on this pr when you got time, thanks