feat(auth)!: ScadaBridge canonical roles + SoD collapse (Audit→Administrator, AuditReadOnly→Viewer) + config-DB migration (Task 1.7)

Standardize role string VALUES on the canonical vocabulary
(Administrator/Designer/Deployer/Viewer; Operator/Engineer unused here):
  Admin        -> Administrator
  Design       -> Designer
  Deployment   -> Deployer
  Audit        -> Administrator   (COLLAPSE; accepted privilege escalation)
  AuditReadOnly-> Viewer          (COLLAPSE; keeps audit-read, no export)

SoD: OperationalAuditRoles = { Administrator, Viewer },
     AuditExportRoles      = { Administrator }
so Viewer reads the audit log + nav but cannot bulk-export, while
Administrator does both + holds the full admin surface (the documented,
accepted auditor/admin SoD collapse).

Atomic move across every enforcement site:
- Roles constants; AuthorizationPolicies (RequireClaim values + SoD arrays +
  honest XML-doc); RoleMapper Deployer check.
- ManagementActor.GetRequiredRole switch + the hard-coded site-scope
  admin-bypass (now Roles.Administrator at all 6 sites). Site-scoping logic
  is otherwise unchanged.
- DebugStreamHub Administrator/Deployer gates (Deployer kept case-sensitive).
- CentralUI BrowseService/BindingTester Designer guards; LdapMappingForm
  dropdown now offers canonical values (incl. Viewer).
- Config-DB seed (LdapGroupMappings Id 1-4) + EF migration CanonicalizeRoles:
  Id-keyed UpdateData for seed rows + idempotent raw catch-all UPDATEs for
  operator-added rows. Down is lossy on the collapse (documented in-file).
  No pending model changes.

Tests reworked to the collapsed model across Security/CentralUI/
ManagementService/ConfigurationDatabase/Integration suites, incl. explicit
Viewer-reads-not-exports and former-Audit-now-Administrator-escalation cases.

CHANGELOG: BREAKING security note documenting the canonicalization + SoD
collapse.

tests/ZB.MOM.WW.ScadaBridge.ConfigurationDatabase.Tests/RepositoryTests.cs

@@ -38,21 +38,21 @@ public class SecurityRepositoryTests : IDisposable
     [Fact]
     public async Task AddMapping_AndGetById_ReturnsMapping()
     {
-        var mapping = new LdapGroupMapping("CN=Admins,DC=test", "Admin");
+        var mapping = new LdapGroupMapping("CN=Admins,DC=test", "Administrator");
         await _repository.AddMappingAsync(mapping);
         await _repository.SaveChangesAsync();
 
         var loaded = await _repository.GetMappingByIdAsync(mapping.Id);
         Assert.NotNull(loaded);
         Assert.Equal("CN=Admins,DC=test", loaded.LdapGroupName);
-        Assert.Equal("Admin", loaded.Role);
+        Assert.Equal("Administrator", loaded.Role);
     }
 
     [Fact]
     public async Task GetAllMappings_ReturnsAll()
     {
-        await _repository.AddMappingAsync(new LdapGroupMapping("Group1", "Admin"));
-        await _repository.AddMappingAsync(new LdapGroupMapping("Group2", "Design"));
+        await _repository.AddMappingAsync(new LdapGroupMapping("Group1", "Administrator"));
+        await _repository.AddMappingAsync(new LdapGroupMapping("Group2", "Designer"));
         await _repository.SaveChangesAsync();
 
         // +1 for seed data
@@ -63,12 +63,12 @@ public class SecurityRepositoryTests : IDisposable
     [Fact]
     public async Task GetMappingsByRole_FiltersCorrectly()
     {
-        await _repository.AddMappingAsync(new LdapGroupMapping("Designers", "Design"));
-        await _repository.AddMappingAsync(new LdapGroupMapping("Deployers", "Deployment"));
+        await _repository.AddMappingAsync(new LdapGroupMapping("Designers", "Designer"));
+        await _repository.AddMappingAsync(new LdapGroupMapping("Deployers", "Deployer"));
         await _repository.SaveChangesAsync();
 
-        var designMappings = await _repository.GetMappingsByRoleAsync("Design");
-        // Seed data includes "SCADA-Designers" with role "Design", plus the one we added
+        var designMappings = await _repository.GetMappingsByRoleAsync("Designer");
+        // Seed data includes "SCADA-Designers" with role "Designer", plus the one we added
         Assert.Equal(2, designMappings.Count);
         Assert.Contains(designMappings, m => m.LdapGroupName == "Designers");
     }
@@ -76,23 +76,23 @@ public class SecurityRepositoryTests : IDisposable
     [Fact]
     public async Task UpdateMapping_PersistsChange()
     {
-        var mapping = new LdapGroupMapping("OldGroup", "Admin");
+        var mapping = new LdapGroupMapping("OldGroup", "Administrator");
         await _repository.AddMappingAsync(mapping);
         await _repository.SaveChangesAsync();
 
-        mapping.Role = "Design";
+        mapping.Role = "Designer";
         await _repository.UpdateMappingAsync(mapping);
         await _repository.SaveChangesAsync();
 
         _context.ChangeTracker.Clear();
         var loaded = await _repository.GetMappingByIdAsync(mapping.Id);
-        Assert.Equal("Design", loaded!.Role);
+        Assert.Equal("Designer", loaded!.Role);
     }
 
     [Fact]
     public async Task DeleteMapping_RemovesEntity()
     {
-        var mapping = new LdapGroupMapping("ToDelete", "Admin");
+        var mapping = new LdapGroupMapping("ToDelete", "Administrator");
         await _repository.AddMappingAsync(mapping);
         await _repository.SaveChangesAsync();
 
@@ -108,7 +108,7 @@ public class SecurityRepositoryTests : IDisposable
     {
         var site = new Site("Site1", "SITE-001");
         _context.Sites.Add(site);
-        var mapping = new LdapGroupMapping("Deployers", "Deployment");
+        var mapping = new LdapGroupMapping("Deployers", "Deployer");
         await _repository.AddMappingAsync(mapping);
         await _repository.SaveChangesAsync();
 
@@ -126,7 +126,7 @@ public class SecurityRepositoryTests : IDisposable
     {
         var site = new Site("Site1", "SITE-001");
         _context.Sites.Add(site);
-        var mapping = new LdapGroupMapping("Group", "Deployment");
+        var mapping = new LdapGroupMapping("Group", "Deployer");
         await _repository.AddMappingAsync(mapping);
         await _repository.SaveChangesAsync();
 
@@ -145,7 +145,7 @@ public class SecurityRepositoryTests : IDisposable
         var site1 = new Site("Site1", "SITE-001");
         var site2 = new Site("Site2", "SITE-002");
         _context.Sites.AddRange(site1, site2);
-        var mapping = new LdapGroupMapping("Group", "Deployment");
+        var mapping = new LdapGroupMapping("Group", "Deployer");
         await _repository.AddMappingAsync(mapping);
         await _repository.SaveChangesAsync();
 
@@ -167,7 +167,7 @@ public class SecurityRepositoryTests : IDisposable
     {
         var site = new Site("Site1", "SITE-001");
         _context.Sites.Add(site);
-        var mapping = new LdapGroupMapping("Group", "Deployment");
+        var mapping = new LdapGroupMapping("Group", "Deployer");
         await _repository.AddMappingAsync(mapping);
         await _repository.SaveChangesAsync();
 

tests/ZB.MOM.WW.ScadaBridge.ConfigurationDatabase.Tests/SeedDataTests.cs

@@ -31,7 +31,8 @@ public class SeedDataTests : IDisposable
             .SingleOrDefaultAsync(m => m.LdapGroupName == "SCADA-Admins");
 
         Assert.NotNull(adminMapping);
-        Assert.Equal("Admin", adminMapping.Role);
+        // Role VALUE canonicalized to "Administrator" (Task 1.7); group NAME unchanged.
+        Assert.Equal("Administrator", adminMapping.Role);
         Assert.Equal(1, adminMapping.Id);
     }
 }

tests/ZB.MOM.WW.ScadaBridge.ConfigurationDatabase.Tests/UnitTest1.cs

@@ -253,7 +253,7 @@ public class DbContextTests : IDisposable
         _context.Sites.Add(site);
         _context.SaveChanges();
 
-        var mapping = new LdapGroupMapping("CN=Admins,DC=example,DC=com", "Admin");
+        var mapping = new LdapGroupMapping("CN=Admins,DC=example,DC=com", "Administrator");
         _context.LdapGroupMappings.Add(mapping);
         _context.SaveChanges();