feat(security): cookie session idle-timeout + LDAP-free role-mapping refresh (#15, M2.19)

Spike outcome: the shared ILdapAuthService (ZB.MOM.WW.Auth.Abstractions, an external
NuGet package) exposes ONLY AuthenticateAsync(username, password, ct) — no passwordless
service-account group-search. A live LDAP group re-query for an active session therefore
requires a new lib method and is OUT OF SCOPE (cannot modify the external package).
Implemented the always-achievable layers (cookie-only; no embedded JWT for cookie principals):

- /auth/login now stores the user's raw LDAP groups (one zb:group claim each) plus a
  zb:lastrolerefresh anchor (login time, UTC), seeding the LastActivity idle anchor too.
- SessionClaimBuilder: single shared DRY claim-builder used by BOTH /auth/login AND the
  refresh path, so the two claim shapes cannot drift (canonical identity/role/scope claims
  with nameType/roleType pinned, plus the M2.19 group + refresh-anchor additions).
- CookieSessionValidator (TimeProvider-injected, unit-testable) + a thin
  CookieAuthenticationEvents.OnValidatePrincipal adapter:
    * idle-timeout: a session past IdleTimeoutMinutes (default 30) is RejectPrincipal+SignOut;
      consistent with the cookie ExpireTimeSpan+SlidingExpiration window (same value).
    * role refresh WITHOUT LDAP: when older than RoleRefreshThresholdMinutes (new option,
      default 15) the DB-backed RoleMapper re-runs on the STORED groups, claims are rebuilt
      via the shared builder, the anchor advances, principal is replaced + cookie renewed.
      Revoked DB mappings drop the user's roles mid-session.
    * fail-soft: any refresh error KEEPS the existing principal (no sign-out, never throws)
      — mirrors the documented "LDAP failure: active sessions continue with current roles".
- Documented residual limitation in Component-Security.md: central role-mapping/scope
  changes apply within ~15 min without LDAP; live directory group-membership changes are
  picked up only at next login (needs a passwordless group-search on the external
  ZB.MOM.WW.Auth.Ldap lib — tracked follow-up).

Tests (Security.Tests, all green): CookieSessionValidatorTests + SessionClaimBuilderParityTests
— idle reject/keep, LDAP-free remap-from-stored-groups, revoked-roles loss, sub-threshold
no-refresh, refresh-throws-keeps-session, and login/refresh claim-parity.

src/ZB.MOM.WW.ScadaBridge.CentralUI/Auth/AuthEndpoints.cs

@@ -1,4 +1,3 @@
-using System.Security.Claims;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.AspNetCore.Builder;
@@ -72,39 +71,23 @@ public static class AuthEndpoints
             // the documented sliding-refresh policy.
             var displayName = string.IsNullOrEmpty(authResult.DisplayName) ? username : authResult.DisplayName;
             var resolvedUsername = string.IsNullOrEmpty(authResult.Username) ? username : authResult.Username;
-            var claims = new List<Claim>
-            {
-                new(ClaimTypes.Name, resolvedUsername),
-                new(JwtTokenService.DisplayNameClaimType, displayName),
-                new(JwtTokenService.UsernameClaimType, resolvedUsername),
-            };
 
-            foreach (var role in roleMapping.Roles)
-            {
-                claims.Add(new Claim(JwtTokenService.RoleClaimType, role));
-            }
-
-            if (!scope.IsSystemWideDeployment)
-            {
-                foreach (var siteId in scope.PermittedSiteIds)
-                {
-                    claims.Add(new Claim(JwtTokenService.SiteIdClaimType, siteId));
-                }
-            }
-
-            // Task 1.5: name the role/name claim types explicitly so the cookie
-            // principal's IsInRole / [Authorize(Roles=…)] resolve against the same
-            // canonical types we mint (JwtTokenService.RoleClaimType = ZbClaimTypes.Role,
-            // ClaimTypes.Name = ZbClaimTypes.Name). The policies use
-            // RequireClaim(RoleClaimType, …) which checks type+value directly, but
-            // pinning roleType keeps IsInRole-style checks consistent and survives the
-            // cookie serialize/round-trip.
-            var identity = new ClaimsIdentity(
-                claims,
-                authenticationType: CookieAuthenticationDefaults.AuthenticationScheme,
-                nameType: ClaimTypes.Name,
-                roleType: JwtTokenService.RoleClaimType);
-            var principal = new ClaimsPrincipal(identity);
+            // M2.19 (#15): build the cookie principal through the shared
+            // SessionClaimBuilder — the SINGLE source of truth that the mid-session
+            // OnValidatePrincipal role-refresh path ALSO uses, so login and refresh can
+            // never drift. It stamps the canonical identity/role/scope claims (with
+            // roleType/nameType pinned for IsInRole), PLUS the M2.19 additions: one
+            // zb:group claim per raw LDAP group (the durable input the mid-session
+            // RoleMapper re-run consumes) and a zb:lastrolerefresh anchor (login time,
+            // UTC) that also seeds the LastActivity idle anchor. The refresh timestamp is
+            // the login instant, so the first role refresh is due RoleRefreshThresholdMinutes
+            // later — not immediately.
+            var principal = SessionClaimBuilder.Build(
+                resolvedUsername,
+                displayName,
+                authResult.Groups,
+                scope,
+                DateTimeOffset.UtcNow);
 
             await context.SignInAsync(
                 CookieAuthenticationDefaults.AuthenticationScheme,