feat(auth): add IGroupRoleMapper<string> seam (Task 1.1)

src/ZB.MOM.WW.ScadaBridge.Security/ServiceCollectionExtensions.cs

@@ -3,6 +3,7 @@ using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.DependencyInjection.Extensions;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
+using ZB.MOM.WW.Auth.Abstractions.Roles;
 
 namespace ZB.MOM.WW.ScadaBridge.Security;
 
@@ -18,6 +19,14 @@ public static class ServiceCollectionExtensions
         services.AddScoped<JwtTokenService>();
         services.AddScoped<RoleMapper>();
 
+        // Auth-adoption Task 1.1: register the shared IGroupRoleMapper<string>
+        // seam additively, wrapping RoleMapper to reuse its DB-backed mapping +
+        // site-scope union semantics. Scoped to match RoleMapper's lifetime (it
+        // depends on the Scoped ISecurityRepository). The existing RoleMapper
+        // registration and its call sites are left untouched — login is rewired
+        // to consume this seam in a later task.
+        services.AddScoped<IGroupRoleMapper<string>, ScadaBridgeGroupRoleMapper>();
+
         // Security-020: register the IValidateOptions<SecurityOptions> so a
         // missing/empty LdapServer or LdapSearchBase fails fast at startup
         // with a clear, key-naming message rather than a generic LDAP error