Function compute_group_sync_diff 

pub fn compute_group_sync_diff(
    member_id: RoleId,
    current_membership: &BTreeMap<RoleId, RoleId>,
    target_role_ids: &BTreeSet<RoleId>,
) -> GroupSyncDiff

Computes the grant/revoke operations needed to sync a user’s role memberships with their JWT group claims.

Arguments

  • member_id: The user’s role ID.
  • current_membership: The user’s current RoleMembership.map (role_id → grantor_id).
  • target_role_ids: Role IDs resolved from the JWT group names via case-insensitive catalog lookup.

Semantics

  • Only roles granted by the JWT sync sentinel (MZ_JWT_SYNC_ROLE_ID) are managed by this function.
  • Manually-granted roles (grantor != sentinel) are never revoked.
  • If a target role is already manually granted, it is skipped — the manual grant takes precedence and we don’t overwrite the grantor.
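The semantics above are the whole specification of the diff: grant what the JWT says the user should hold and does not, revoke only what the sync sentinel granted and the JWT no longer lists, and never touch a manual grant. The following is an added, self-contained Rust implementation of those rules written for this page; it is not the project's own source. `RoleId` as a `u64` newtype, the value of `MZ_JWT_SYNC_ROLE_ID`, and the `GroupSyncDiff` fields (`member_id`, `grants`, `revokes`) are assumptions, since the page names but does not define them.

```rust
use std::collections::{BTreeMap, BTreeSet};

/// Assumed newtype for a role identifier (the real crate's type is richer).
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub struct RoleId(pub u64);

/// Assumed sentinel value: the page names MZ_JWT_SYNC_ROLE_ID but not its value.
/// Any grant whose grantor is this ID is considered "owned" by JWT group sync.
pub const MZ_JWT_SYNC_ROLE_ID: RoleId = RoleId(0);

/// Assumed shape of the result: the user the operations apply to, the roles to
/// grant on their behalf, and the sync-owned roles to revoke.
#[derive(Debug, Default, PartialEq, Eq)]
pub struct GroupSyncDiff {
    pub member_id: Option<RoleId>,
    pub grants: Vec<RoleId>,
    pub revokes: Vec<RoleId>,
}

pub fn compute_group_sync_diff(
    member_id: RoleId,
    current_membership: &BTreeMap<RoleId, RoleId>, // role_id -> grantor_id
    target_role_ids: &BTreeSet<RoleId>,            // roles resolved from JWT groups
) -> GroupSyncDiff {
    let mut diff = GroupSyncDiff { member_id: Some(member_id), ..Default::default() };

    // Grants: every target role the user does not hold at all. A role that is
    // already held, whether granted by the sentinel or manually, is skipped, so a
    // manual grant is never overwritten with the sentinel as grantor.
    for role_id in target_role_ids {
        if !current_membership.contains_key(role_id) {
            diff.grants.push(*role_id);
        }
    }

    // Revokes: only roles the sentinel granted that the JWT no longer lists.
    // Roles with any other grantor are manual and are left untouched.
    for (role_id, grantor_id) in current_membership {
        if *grantor_id == MZ_JWT_SYNC_ROLE_ID && !target_role_ids.contains(role_id) {
            diff.revokes.push(*role_id);
        }
    }

    diff
}

fn main() {
    // Constructed sample: one stale sync grant, one still-valid sync grant,
    // two manual grants (one of which the JWT also lists), and one new group.
    let user = RoleId(100);
    let manual_grantor = RoleId(7);
    let mut current = BTreeMap::new();
    current.insert(RoleId(1), MZ_JWT_SYNC_ROLE_ID); // stale: sentinel-granted, not in JWT
    current.insert(RoleId(2), MZ_JWT_SYNC_ROLE_ID); // still listed: keep
    current.insert(RoleId(3), manual_grantor);      // manual, not listed: keep
    current.insert(RoleId(4), manual_grantor);      // manual, listed: skip, no regrant
    let target: BTreeSet<RoleId> = [RoleId(2), RoleId(4), RoleId(5)].iter().copied().collect();

    let diff = compute_group_sync_diff(user, &current, &target);
    println!("{:?}", diff); // grants: [RoleId(5)], revokes: [RoleId(1)]
}
```

The two loops are deliberately asymmetric: the grant side keys only on presence in `current_membership`, while the revoke side additionally requires `grantor_id == MZ_JWT_SYNC_ROLE_ID`. That asymmetry is what keeps a manually granted role (3 and 4 in the sample) out of both lists, and it is the property worth asserting in a test whenever this logic is touched, because the failure mode is silently revoking an operator's deliberate grant on the next login.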