diag(gis): /api/gis/me proxy → surface Authentik claims for scope debugging

f9bf2ca4 has 25 enrichment keys in gis_core.GisFeature but
parcela.get returns only 10 — all PII (NR_CF, ADRESA, PROPRIETARI)
redacted. Symptom of enrichment_scope=basic. Plan 003 §Faza B says
Arhitecti LDAP group should get full. Need to verify the mapping.

Calls gisApi.me() and returns the claims. Logs them server-side
(truncated to 500 chars). Marius hits the URL once, we see what
enrichment_scope his JWT actually carries.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/app/api/gis/me/route.ts

@@ -0,0 +1,37 @@
+import { NextResponse } from "next/server";
+import { getAuthSession } from "@/core/auth/require-auth";
+import { gisApi, GisApiError } from "@/lib/gis-api-client";
+
+export const runtime = "nodejs";
+export const dynamic = "force-dynamic";
+
+// Diagnostic proxy → gis-api /api/v1/me. Returns the claims Authentik
+// minted into the access_token, as gis-api sees them. Useful for
+// verifying that the Beletage LDAP group → enrichment_scope=full mapping
+// is actually firing for the pilot user.
+export async function GET() {
+  const session = await getAuthSession();
+  if (!session) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+  try {
+    const data = await gisApi.me();
+    console.log(
+      "[gis-me] claims=%s",
+      JSON.stringify((data as { claims?: unknown }).claims ?? data).slice(0, 500),
+    );
+    return NextResponse.json(data);
+  } catch (err) {
+    if (err instanceof GisApiError) {
+      return NextResponse.json(
+        { error: err.code, status: err.status, body: err.body },
+        { status: err.status },
+      );
+    }
+    const msg = err instanceof Error ? err.message : String(err);
+    return NextResponse.json(
+      { error: "internal_error", hint: msg.slice(0, 200) },
+      { status: 500 },
+    );
+  }
+}