feat(idp): add keycloak-first support with authentik fallback

backend/app/api/admin_catalog.py

@@ -136,12 +136,12 @@ def _generate_api_key() -> str:
 def _sync_member_to_authentik(
     *,
     user_sub: str | None,
-    idp_user_id: int | None,
+    idp_user_id: str | None,
     username: str | None,
     email: str | None,
     display_name: str | None,
     is_active: bool,
-) -> dict[str, str | int]:
+) -> dict[str, str]:
     if not email:
         raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="email_required_for_authentik_sync")
     settings = get_settings()
@@ -602,7 +602,7 @@ def upsert_member(
             display_name=payload.display_name,
             is_active=payload.is_active,
         )
-        idp_user_id = int(sync["idp_user_id"])
+        idp_user_id = str(sync["idp_user_id"])
         if sync.get("user_sub"):
             resolved_sub = str(sync["user_sub"])
     if not resolved_sub:
@@ -651,7 +651,7 @@ def update_member(
             display_name=next_display_name,
             is_active=next_is_active,
         )
-        idp_user_id = int(sync["idp_user_id"])
+        idp_user_id = str(sync["idp_user_id"])
 
     row = users_repo.upsert_by_sub(
         user_sub=row.user_sub,