| Type | Improvement |
| Priority | Normal |
| Assignee | |
| Version | 1.9.2 |
| Sprints | n/a |
| Customer | n/a |
Caveat identified during SZ-77 implementation.
Currently nothing prevents an external user (CUSTOMER, PARTNER, GUEST, COMMUNITY) from being assigned the ADMIN or PROJECT_MANAGER role. This creates an inconsistent state: ExternalUserPolicy blocks such a user at the API level, but Spring Security's @PreAuthorize role checks may behave unexpectedly because the role is still present on the account.

Proposed fix: enforce the rule in UserService at save time by stripping ADMIN and PROJECT_MANAGER when userType is non-INTERNAL. Also validate in the Create/Edit User UI, so the save-time check is the backstop rather than the only control.

Risk until fixed: Low. Creating this state requires deliberate admin action, and there is no known exploit path in the current UI. Estimate: 1 hour.
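A sketch of the save-time enforcement proposed above, added here as an illustration and not code from the project. The enums, the `User` class, the `sanitizeRoles` helper and the `persist` call are assumptions; only the role and user-type names come from the issue.

```java
import java.util.EnumSet;
import java.util.Set;

// Assumed shapes: the issue names the roles and user types, not these types.
enum UserType { INTERNAL, CUSTOMER, PARTNER, GUEST, COMMUNITY }
enum Role { ADMIN, PROJECT_MANAGER, USER }

class User {
    UserType userType;
    Set<Role> roles = EnumSet.noneOf(Role.class);
}

public class UserService {
    // Roles only an INTERNAL user may hold (the two called out in the issue).
    private static final Set<Role> INTERNAL_ONLY_ROLES =
            EnumSet.of(Role.ADMIN, Role.PROJECT_MANAGER);

    /** Returns the requested roles minus internal-only roles for non-INTERNAL users. */
    static Set<Role> sanitizeRoles(UserType userType, Set<Role> requested) {
        Set<Role> result = EnumSet.noneOf(Role.class);
        result.addAll(requested);
        if (userType != UserType.INTERNAL) {
            result.removeAll(INTERNAL_ONLY_ROLES);
        }
        return result;
    }

    /** Save-time backstop: applied regardless of which UI or API path built the User. */
    public User save(User user) {
        Set<Role> allowed = sanitizeRoles(user.userType, user.roles);
        if (!allowed.equals(user.roles)) {
            // Record the stripped roles so an admin mistake is visible in the audit trail.
            System.out.println("stripped internal-only roles from " + user.userType + " user");
        }
        user.roles = allowed;
        return persist(user); // assumed repository call
    }

    private User persist(User user) { return user; }

    public static void main(String[] args) {
        User u = new User();
        u.userType = UserType.CUSTOMER;
        u.roles = EnumSet.of(Role.ADMIN, Role.USER);
        User saved = new UserService().save(u);
        // Expected: [USER] -- ADMIN is removed for a CUSTOMER account
        System.out.println(saved.roles);
    }
}
```

Rejecting the request with a validation error instead of silently stripping is an equally valid choice; the important part is that the check runs on every save path, not only in the UI.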