fix(auth): ScadaBridge 1.2 review fixes — secret-test repoint, checklist, Scope guard, 0.1.1 pin

src/ZB.MOM.WW.ScadaBridge.CentralUI/Auth/AuthEndpoints.cs

@@ -51,7 +51,17 @@ public static class AuthEndpoints
             // system-wide flag — is carried in the mapping's opaque Scope so the
             // site-scope→SiteId claims below are built exactly as before.
             var roleMapping = await roleMapper.MapAsync(authResult.Groups, context.RequestAborted);
-            var scope = (RoleMappingResult)roleMapping.Scope!;
+
+            // The ScadaBridge mapper carries the full RoleMappingResult in the seam's
+            // opaque Scope (see ScadaBridgeGroupRoleMapper). Guard the unwrap (review I4):
+            // a future/alternate IGroupRoleMapper<string> could leave Scope null or set a
+            // different type. Rather than throw InvalidCastException mid-login, fall back to
+            // the most restrictive interpretation — not a system-wide deployment and no
+            // permitted sites — so no SiteId claims are stamped (deny-by-omission). The real
+            // ScadaBridge mapper always supplies a RoleMappingResult, so behaviour is unchanged.
+            var scope = roleMapping.Scope is RoleMappingResult mapped
+                ? mapped
+                : new RoleMappingResult(roleMapping.Roles, [], IsSystemWideDeployment: false);
 
             // Build claims from LDAP auth + role mapping.
             // CentralUI-005: no fixed "expires_at" absolute-cap claim is stamped
@@ -116,7 +126,13 @@ public static class AuthEndpoints
             }
 
             var roleMapping = await roleMapper.MapAsync(authResult.Groups, context.RequestAborted);
-            var scope = (RoleMappingResult)roleMapping.Scope!;
+
+            // Guard the opaque-Scope unwrap (review I4); see the matching note on
+            // /auth/login. Fall back to no site-scope rather than throwing if a future
+            // mapper leaves Scope null or sets a different type.
+            var scope = roleMapping.Scope is RoleMappingResult mapped
+                ? mapped
+                : new RoleMappingResult(roleMapping.Roles, [], IsSystemWideDeployment: false);
 
             var displayName = string.IsNullOrEmpty(authResult.DisplayName) ? username : authResult.DisplayName;
             var resolvedUsername = string.IsNullOrEmpty(authResult.Username) ? username : authResult.Username;