fix(central-ui): resolve CentralUI-002/003/004 — site-scope enforcement, per-circuit console capture, cached auth state

src/ScadaLink.CentralUI/Components/Pages/Deployment/DebugView.razor

@@ -11,6 +11,7 @@
 @attribute [Authorize(Policy = AuthorizationPolicies.RequireDeployment)]
 @inject ITemplateEngineRepository TemplateEngineRepository
 @inject ISiteRepository SiteRepository
+@inject ScadaLink.CentralUI.Auth.SiteScopeService SiteScope
 @inject DebugStreamService DebugStreamService
 @inject IJSRuntime JS
 @implements IDisposable
@@ -296,7 +297,9 @@
     {
         try
         {
-            _sites = (await SiteRepository.GetAllSitesAsync()).ToList();
+            // Site scoping (CentralUI-002): a scoped Deployment user may only
+            // debug sites they are permitted on.
+            _sites = await SiteScope.FilterSitesAsync(await SiteRepository.GetAllSitesAsync());
         }
         catch (Exception ex)
         {
@@ -358,6 +361,14 @@
         _siteInstances.Clear();
         _selectedInstanceId = 0;
         if (_selectedSiteId == 0) return;
+        // Site scoping (CentralUI-002): re-check the claim server-side — a query
+        // string or stale localStorage value could name a site outside the grant.
+        if (!await SiteScope.IsSiteAllowedAsync(_selectedSiteId))
+        {
+            _selectedSiteId = 0;
+            _toast.ShowError("You are not permitted to debug instances on that site.");
+            return;
+        }
         try
         {
             _siteInstances = (await TemplateEngineRepository.GetInstancesBySiteIdAsync(_selectedSiteId))