fix(scim-users): use SCIM filter path when updating email

[yamitzky]

Summary

• sladm scim-users update --email ... was failing against Slack's SCIM API with:

  SCIM API error (400): Multi-valued attributes can not have more than one primary element
  

• The culprit is how the PATCH is built: replace with path: "emails" and an array value containing primary: true.
• RFC 7644 §3.5.2 says replace on a multi-valued attribute replaces the whole array, but Slack's implementation appears to treat it as an add/merge. Switching to the filter path emails[primary eq true].value (which is also RFC-compliant) updates only the primary email's value and is accepted.
• Verified against a live Enterprise Grid workspace.

Why only `emails`?

Only `emails` hits all three conditions (multi-valued + `primary` flag + `replace` with whole-array value). Other multi-valued PATCH sites are fine:

• `scim-groups update` already uses filter paths for `remove` and only `add` for add.
• `scim-users create` sends `emails` in a POST body (new resource, no primary collision).

Test plan

• `bun test tests/commands/scim-users/update.test.ts` — new case covers the filter-path payload
• `bun test` — 191/191 pass
• `bun run lint` — clean
• Manually verified against a real Enterprise Grid workspace (primary email replaced successfully, 200)

🤖 Generated with Claude Code