fix(central-ui): resolve CentralUI-002/003/004 — site-scope enforcement, per-circuit console capture, cached auth state

src/ScadaLink.CentralUI/Components/Pages/Deployment/InstanceConfigure.razor

@@ -11,6 +11,7 @@
 @attribute [Authorize(Policy = AuthorizationPolicies.RequireDeployment)]
 @inject ITemplateEngineRepository TemplateEngineRepository
 @inject ISiteRepository SiteRepository
+@inject ScadaLink.CentralUI.Auth.SiteScopeService SiteScope
 @inject InstanceService InstanceService
 @inject IFlatteningPipeline FlatteningPipeline
 @inject AuthenticationStateProvider AuthStateProvider
@@ -377,6 +378,17 @@
                 return;
             }
 
+            // Site scoping (CentralUI-002): a scoped Deployment user must not be
+            // able to configure or deploy an instance on a site outside their
+            // grant by navigating straight to its URL.
+            if (!await SiteScope.IsSiteAllowedAsync(_instance.SiteId))
+            {
+                _instance = null;
+                _errorMessage = "You are not permitted to manage instances on this site.";
+                _loading = false;
+                return;
+            }
+
             // Identity
             var template = await TemplateEngineRepository.GetTemplateByIdAsync(_instance.TemplateId);
             _templateName = template?.Name ?? $"#{_instance.TemplateId}";