Add automatic role assignment for new and existing users

- Implemented auto-assignment of the 'private' role for new users upon first login, ensuring they have access to products.
- Added a safety check to assign the 'private' role to existing users without roles during login.
- Updated relevant documentation to reflect these changes in role management and visibility patterns.

CLAUDE.md

@@ -499,6 +499,50 @@ export async function submitOrderToXAPI(payload: XAPIOrderPayload) {
 
 ## Role-based Product Visibility Patterns (MVP)
 
+### Auto-Assignment of 'private' Role (MVP)
+
+**Requirement**: All users must have at least one role to see products. New users automatically receive the `private` role on first login.
+
+**Implementation** in `server/api/auth/login.post.ts`:
+
+```typescript
+if (!user) {
+  // First time login - create user profile
+  const [newUser] = await db.insert(users).values({
+    experimentaId: cidaasUser.sub,
+    email: cidaasUser.email,
+    firstName: cidaasUser.given_name || '',
+    lastName: cidaasUser.family_name || '',
+  }).returning()
+
+  user = newUser
+
+  // Auto-assign 'private' role on first login
+  await assignRoleToUser(newUser.id, 'private', {
+    adminNotes: 'Auto-assigned on first login',
+  })
+} else {
+  // Update last login timestamp
+  await db.update(users)
+    .set({ updatedAt: new Date() })
+    .where(eq(users.id, user.id))
+
+  // Safety check: If existing user has no roles, assign 'private' role
+  const userRoleCodes = await getUserApprovedRoleCodes(user.id)
+  if (userRoleCodes.length === 0) {
+    await assignRoleToUser(user.id, 'private', {
+      adminNotes: 'Auto-assigned for existing user without roles',
+    })
+  }
+}
+```
+
+**Key Points:**
+- ✅ New users → `private` role automatically assigned
+- ✅ Existing users without roles → `private` role assigned (safety check)
+- ✅ Status always `approved` (no approval workflow in MVP)
+- ✅ Admin notes track auto-assignment source
+
 ### Role-based Filtering Pattern
 
 ```typescript