refactor: rename ScadaLink → ZB.MOM.WW.ScadaBridge (code + projects + namespaces)

Solution + 23 src projects + 26 test projects renamed; folders, csproj,
namespaces, and ScadaLinkDbContext/ScadaBridgeDbContext class updated.
ActorSystem "scadalink" → "scadabridge", Akka seed-node URLs migrated.
SQL roles/logins, LDAP domains, CLI command name, and CLI config dir
(~/.scadalink → ~/.scadabridge) also renamed.

Build green; 5 Host.Tests fail awaiting SQL login rename in next commit.
Pre-existing StaleTagMonitor timing flakes unchanged.

Rename script committed at tools/rename-to-scadabridge.sh.

tests/ZB.MOM.WW.ScadaBridge.NotificationService.Tests/MailKitSmtpClientWrapperTests.cs

@@ -0,0 +1,81 @@
+using System.Text;
+using MailKit.Security;
+
+namespace ZB.MOM.WW.ScadaBridge.NotificationService.Tests;
+
+/// <summary>
+/// NS-016: <see cref="MailKitSmtpClientWrapper.AuthenticateAsync"/> must never
+/// silently skip authentication for a misconfigured SMTP config — a missing
+/// credential, an unrecognised auth type, or an unparseable Basic credential
+/// must be a hard, surfaced error rather than an unauthenticated send.
+/// NS-021: the OAuth2 (XOAUTH2) branch must carry a non-empty user identity
+/// (the SMTP From address) — an empty user is rejected by M365 with `535 5.7.3`.
+/// </summary>
+public class MailKitSmtpClientWrapperTests
+{
+    [Fact]
+    public async Task Authenticate_EmptyCredentials_Throws()
+    {
+        // An AuthType of "basic"/"oauth2" with a null/empty Credentials value is a
+        // misconfigured row; the wrapper used to "return" and send unauthenticated.
+        var wrapper = new MailKitSmtpClientWrapper();
+
+        await Assert.ThrowsAsync<SmtpPermanentException>(
+            () => wrapper.AuthenticateAsync("basic", null));
+        await Assert.ThrowsAsync<SmtpPermanentException>(
+            () => wrapper.AuthenticateAsync("oauth2", ""));
+    }
+
+    [Fact]
+    public async Task Authenticate_UnknownAuthType_Throws()
+    {
+        // The switch had cases only for "basic"/"oauth2" and no default — any other
+        // value (typo, future "ntlm") fell through and sent unauthenticated.
+        var wrapper = new MailKitSmtpClientWrapper();
+
+        await Assert.ThrowsAsync<SmtpPermanentException>(
+            () => wrapper.AuthenticateAsync("ntlm", "user:pass"));
+    }
+
+    [Fact]
+    public async Task Authenticate_BasicCredentialWithoutColon_Throws()
+    {
+        // A "basic" credential string that does not split into exactly two parts was
+        // silently skipped — the connection then sent unauthenticated.
+        var wrapper = new MailKitSmtpClientWrapper();
+
+        await Assert.ThrowsAsync<SmtpPermanentException>(
+            () => wrapper.AuthenticateAsync("basic", "nocolon"));
+    }
+
+    [Fact]
+    public async Task Authenticate_OAuth2WithoutUserName_Throws()
+    {
+        // NS-021: passing an OAuth2 access token but no user identity (FromAddress)
+        // used to construct `new SaslMechanismOAuth2("", credentials)`, which M365
+        // rejects with `535 5.7.3`. The wrapper now refuses upfront so the caller
+        // sees a clean configuration error rather than a confusing server reject.
+        var wrapper = new MailKitSmtpClientWrapper();
+
+        await Assert.ThrowsAsync<SmtpPermanentException>(
+            () => wrapper.AuthenticateAsync("oauth2", "access-token", oauth2UserName: null));
+        await Assert.ThrowsAsync<SmtpPermanentException>(
+            () => wrapper.AuthenticateAsync("oauth2", "access-token", oauth2UserName: ""));
+    }
+
+    [Fact]
+    public void XOAuth2InitialResponse_CarriesUserAndBearer()
+    {
+        // NS-021 regression guard: independent of the wrapper, prove that MailKit's
+        // SaslMechanismOAuth2 puts `user=<userName>` into the initial-response bytes
+        // — i.e. wiring the wrapper to pass `FromAddress` is sufficient to fix the
+        // M365 handshake. If MailKit ever changes the framing this test will catch it.
+        var sasl = new SaslMechanismOAuth2("noreply@example.com", "tok-xyz");
+
+        var initial = sasl.Challenge(string.Empty);
+        var asString = Encoding.UTF8.GetString(Convert.FromBase64String(initial));
+
+        Assert.Contains("user=noreply@example.com", asString);
+        Assert.Contains("auth=Bearer tok-xyz", asString);
+    }
+}