fix(cli): resolve CLI-008..013 — format validation, exit-code semantics, debug-stream cancellation/disposal, test coverage

src/ScadaLink.CLI/Commands/CommandHelpers.cs

@@ -132,7 +132,24 @@ internal static class CommandHelpers
         var error = response.Error ?? "Unknown error";
 
         OutputFormatter.WriteError(error, errorCode);
-        return response.StatusCode == 403 ? 2 : 1;
+        return IsAuthorizationFailure(response) ? 2 : 1;
+    }
+
+    /// <summary>
+    /// Determines whether an error response represents an authorization failure
+    /// (insufficient role), which the documented exit-code table maps to exit code 2.
+    /// An HTTP 403 status is the primary signal; the server may also signal it via an
+    /// <c>UNAUTHORIZED</c> / <c>FORBIDDEN</c> error code on a different HTTP status, so
+    /// both channels are honoured. (Authentication failure — HTTP 401 / bad credentials
+    /// — is deliberately <em>not</em> treated as authorization failure; it is exit 1.)
+    /// </summary>
+    private static bool IsAuthorizationFailure(ManagementResponse response)
+    {
+        if (response.StatusCode == 403)
+            return true;
+
+        return string.Equals(response.ErrorCode, "FORBIDDEN", StringComparison.OrdinalIgnoreCase)
+            || string.Equals(response.ErrorCode, "UNAUTHORIZED", StringComparison.OrdinalIgnoreCase);
     }
 
     private static void WriteAsTable(string json)