Invalidate stale tokens after role changes
Validated locally with Docker JDK 17: mvn -ntp -f backend/pom.xml -pl auth-service,employee-service,attendance-service -am test. Adds Keycloak logout on role changes plus tokens-valid-after validation for HRM resource servers.