feat(auth): ScadaBridge full canonical claims (ZbClaimTypes role/scope) + ZbCookieDefaults, keep cookie name (Task 1.5)

src/ZB.MOM.WW.ScadaBridge.CentralUI/Auth/AuthEndpoints.cs

@@ -91,7 +91,18 @@ public static class AuthEndpoints
                 }
             }
 
-            var identity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
+            // Task 1.5: name the role/name claim types explicitly so the cookie
+            // principal's IsInRole / [Authorize(Roles=…)] resolve against the same
+            // canonical types we mint (JwtTokenService.RoleClaimType = ZbClaimTypes.Role,
+            // ClaimTypes.Name = ZbClaimTypes.Name). The policies use
+            // RequireClaim(RoleClaimType, …) which checks type+value directly, but
+            // pinning roleType keeps IsInRole-style checks consistent and survives the
+            // cookie serialize/round-trip.
+            var identity = new ClaimsIdentity(
+                claims,
+                authenticationType: CookieAuthenticationDefaults.AuthenticationScheme,
+                nameType: ClaimTypes.Name,
+                roleType: JwtTokenService.RoleClaimType);
             var principal = new ClaimsPrincipal(identity);
 
             await context.SignInAsync(