feat(audit): ScadaBridge IAuditActorAccessor + wire audit Actor from Auth principal at authenticated emit sites (Phase 3)

2026-06-02 15:33:01 -04:00
parent bc0e5bfd37
commit b3de8408fa
9 changed files with 463 additions and 30 deletions
@@ -0,0 +1,31 @@
+namespace ZB.MOM.WW.ScadaBridge.Commons.Interfaces.Services;
+
+/// <summary>
+/// Resolves the <c>Actor</c> for an audit row from the current authenticated
+/// principal (Phase 3 of the audit re-architecture). User-facing emit sites
+/// (the inbound API middleware on a cookie/LDAP-authenticated request) read
+/// <see cref="CurrentActor"/> so the canonical <c>AuditEvent.Actor</c> records
+/// the real authenticated user, rather than a generic system/identity fallback.
+/// </summary>
+/// <remarks>
+/// <para>The seam is deliberately ASP.NET-free (a plain <c>string?</c>) so it can
+/// live in Commons and be consumed by any project without pulling an HTTP
+/// dependency. The HTTP-backed implementation
+/// (<c>ZB.MOM.WW.ScadaBridge.Security.HttpAuditActorAccessor</c>) reads the
+/// authenticated principal off <c>IHttpContextAccessor.HttpContext?.User</c>.</para>
+/// <para>This seam is for the <em>authenticated, interactive</em> actor only.
+/// System-originated emitters (script/notification/db-outbound) keep their own
+/// system actor/fallback and do NOT consult this accessor — there is no
+/// interactive principal to read in those flows.</para>
+/// </remarks>
+public interface IAuditActorAccessor
+{
+    /// <summary>
+    /// The actor string for the currently authenticated principal, or
+    /// <c>null</c> when there is no authenticated interactive user (no ambient
+    /// request, or an unauthenticated / auth-failure request). A null result
+    /// signals the caller to fall back to its existing actor (API-key name,
+    /// "system", etc.) — an unauthenticated principal is never echoed back.
+    /// </summary>
+    string? CurrentActor { get; }
+}
@@ -33,14 +33,18 @@ namespace ZB.MOM.WW.ScadaBridge.InboundAPI.Middleware;
 /// </para>
 ///
 /// <para>
-/// <b>Actor resolution.</b> Inbound API auth runs inside the endpoint handler
+/// <b>Actor resolution.</b> The API-key auth path runs inside the endpoint handler
 /// (no <c>UseAuthentication</c>-backed scheme populates <see cref="HttpContext.User"/>
-/// for X-API-Key callers), so the handler stashes the resolved API key name on
+/// for Bearer API-key callers), so the handler stashes the resolved API key name on
 /// <see cref="HttpContext.Items"/> under <see cref="AuditActorItemKey"/> after
 /// <c>IApiKeyVerifier.VerifyAsync</c> succeeds. The middleware reads it in
-/// its <c>finally</c> block — on auth failures the key remains absent and
-/// <see cref="AuditEvent.Actor"/> stays null (we never echo back an
-/// unauthenticated principal).
+/// its <c>finally</c> block. Phase 3: when no API-key name is stashed, the actor is
+/// sourced from the authenticated <em>interactive</em> principal via
+/// <see cref="IAuditActorAccessor"/> (a cookie/LDAP-authenticated inbound user,
+/// keyed off the canonical username claim). On auth failures (401/403) the actor is
+/// forced null before resolution runs, and the accessor itself returns null for an
+/// unauthenticated principal — so <see cref="AuditEvent.Actor"/> stays null and we
+/// never echo back an unauthenticated principal.
 /// </para>
 ///
 /// <para>
@@ -90,6 +94,7 @@ public sealed class AuditWriteMiddleware
    private readonly ICentralAuditWriter _auditWriter;
    private readonly ILogger<AuditWriteMiddleware> _logger;
    private readonly IOptionsMonitor<AuditLogOptions> _options;
+    private readonly IAuditActorAccessor? _actorAccessor;

    /// <summary>
    /// Initializes the middleware with its required dependencies.
@@ -98,16 +103,25 @@ public sealed class AuditWriteMiddleware
    /// <param name="auditWriter">Central audit writer used to persist inbound API audit events.</param>
    /// <param name="logger">Logger for this middleware.</param>
    /// <param name="options">Live-reloadable audit log options, read per-request.</param>
+    /// <param name="actorAccessor">
+    /// Phase 3 (optional): resolves the audit <see cref="AuditEvent.Actor"/> from the
+    /// authenticated principal on a cookie/LDAP-authenticated inbound request. Optional
+    /// so existing tests (and any composition without the accessor registered) still
+    /// construct the middleware; when absent, actor resolution falls back to the
+    /// stashed API-key name only.
+    /// </param>
    public AuditWriteMiddleware(
        RequestDelegate next,
        ICentralAuditWriter auditWriter,
        ILogger<AuditWriteMiddleware> logger,
-        IOptionsMonitor<AuditLogOptions> options)
+        IOptionsMonitor<AuditLogOptions> options,
+        IAuditActorAccessor? actorAccessor = null)
    {
        _next = next ?? throw new ArgumentNullException(nameof(next));
        _auditWriter = auditWriter ?? throw new ArgumentNullException(nameof(auditWriter));
        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
        _options = options ?? throw new ArgumentNullException(nameof(options));
+        _actorAccessor = actorAccessor;
    }

    /// <summary>
@@ -472,13 +486,24 @@ public sealed class AuditWriteMiddleware
    }

    /// <summary>
-    /// Reads the API key name the endpoint handler stashed on
-    /// <see cref="HttpContext.Items"/> after successful auth. Falls back to
-    /// the authenticated user name when an ASP.NET scheme has populated
-    /// <see cref="HttpContext.User"/> (defensive — currently unused for inbound
-    /// API but cheap and forward-compatible).
+    /// Resolves the audit <see cref="AuditEvent.Actor"/> for a non-auth-failure
+    /// inbound request:
+    /// <list type="number">
+    /// <item><description>the API key name the endpoint handler stashed on
+    /// <see cref="HttpContext.Items"/> after successful key auth (the
+    /// key-authenticated path — the canonical identity of an API-key caller);</description></item>
+    /// <item><description>otherwise the authenticated <em>interactive</em> principal
+    /// resolved through <see cref="IAuditActorAccessor"/> (Phase 3 — a
+    /// cookie/LDAP-authenticated inbound user, sourced from the canonical username
+    /// claim). The accessor reads the ambient <see cref="HttpContext.User"/>, so the
+    /// fall-through here only fires when no API-key name was stashed;</description></item>
+    /// <item><description>otherwise <c>null</c> — never echo an unauthenticated
+    /// principal back as an actor.</description></item>
+    /// </list>
+    /// The accessor is optional (constructor default <c>null</c>); when absent only
+    /// the stashed API-key name is consulted, preserving the pre-Phase-3 behaviour.
    /// </summary>
-    private static string? ResolveActor(HttpContext ctx)
+    private string? ResolveActor(HttpContext ctx)
    {
        if (ctx.Items.TryGetValue(AuditActorItemKey, out var stashed)
            && stashed is string name
@@ -487,13 +512,11 @@ public sealed class AuditWriteMiddleware
            return name;
        }

-        var user = ctx.User;
-        if (user?.Identity is { IsAuthenticated: true, Name: { Length: > 0 } userName })
-        {
-            return userName;
-        }
-
-        return null;
+        // Phase 3: an interactive cookie/LDAP-authenticated inbound user records
+        // their real identity as Actor. Returns null for the key-authenticated
+        // and auth-failure paths (no authenticated interactive principal), so the
+        // existing API-key/auth-failure behaviour is preserved.
+        return _actorAccessor?.CurrentActor;
    }

    /// <summary>
@@ -0,0 +1,65 @@
+using System.Security.Claims;
+using Microsoft.AspNetCore.Http;
+using ZB.MOM.WW.Auth.AspNetCore;
+using ZB.MOM.WW.ScadaBridge.Commons.Interfaces.Services;
+
+namespace ZB.MOM.WW.ScadaBridge.Security;
+
+/// <summary>
+/// HTTP-backed <see cref="IAuditActorAccessor"/> (Phase 3): resolves the audit
+/// <c>Actor</c> from the authenticated principal on the ambient
+/// <see cref="IHttpContextAccessor.HttpContext"/>. Used by the user-facing
+/// inbound API audit path so a cookie/LDAP-authenticated request records the
+/// real user as <c>AuditEvent.Actor</c>.
+/// </summary>
+/// <remarks>
+/// <para>The username is sourced from the canonical
+/// <see cref="ZbClaimTypes.Username"/> claim (= <see cref="JwtTokenService.UsernameClaimType"/>,
+/// minted by <see cref="JwtTokenService"/> and by the cookie login path), falling
+/// back to <see cref="System.Security.Principal.IIdentity.Name"/> (which
+/// <see cref="JwtTokenService"/> pins to <see cref="ZbClaimTypes.Name"/> via its
+/// token-validation <c>NameClaimType</c>).
+/// When there is no ambient request, the principal is unauthenticated, or no
+/// usable name claim is present, <see cref="CurrentActor"/> returns <c>null</c> so
+/// the caller keeps its existing actor/fallback — an unauthenticated principal is
+/// never echoed back as an actor.</para>
+/// </remarks>
+public sealed class HttpAuditActorAccessor : IAuditActorAccessor
+{
+    private readonly IHttpContextAccessor _httpContextAccessor;
+
+    /// <summary>Initializes a new instance of <see cref="HttpAuditActorAccessor"/>.</summary>
+    /// <param name="httpContextAccessor">Accessor for the ambient HTTP context.</param>
+    public HttpAuditActorAccessor(IHttpContextAccessor httpContextAccessor)
+    {
+        _httpContextAccessor = httpContextAccessor
+            ?? throw new ArgumentNullException(nameof(httpContextAccessor));
+    }
+
+    /// <inheritdoc />
+    public string? CurrentActor
+    {
+        get
+        {
+            var user = _httpContextAccessor.HttpContext?.User;
+            if (user?.Identity is not { IsAuthenticated: true })
+            {
+                // No ambient request, or the principal is unauthenticated — never
+                // echo an unauthenticated identity back as an actor.
+                return null;
+            }
+
+            // Prefer the canonical username claim (the value JwtTokenService and
+            // the cookie login path mint); fall back to Identity.Name (pinned to
+            // ZbClaimTypes.Name by JwtTokenService.NameClaimType).
+            var username = user.FindFirst(JwtTokenService.UsernameClaimType)?.Value;
+            if (!string.IsNullOrWhiteSpace(username))
+            {
+                return username;
+            }
+
+            var name = user.Identity?.Name;
+            return string.IsNullOrWhiteSpace(name) ? null : name;
+        }
+    }
+}
@@ -4,6 +4,7 @@ using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 using ZB.MOM.WW.Auth.Abstractions.Roles;
 using ZB.MOM.WW.Auth.AspNetCore;
+using ZB.MOM.WW.ScadaBridge.Commons.Interfaces.Services;

 namespace ZB.MOM.WW.ScadaBridge.Security;

@@ -49,6 +50,18 @@ public static class ServiceCollectionExtensions
        services.AddScoped<JwtTokenService>();
        services.AddScoped<RoleMapper>();

+        // Audit Actor wiring (Phase 3): the user-facing inbound API audit path
+        // sources AuditEvent.Actor from the authenticated principal via this
+        // seam. HttpAuditActorAccessor reads IHttpContextAccessor.HttpContext?.User
+        // (canonical username claim, Identity.Name fallback) and returns null when
+        // there is no authenticated interactive user — so the caller keeps its
+        // existing actor/fallback (API-key name, "system"). Registered as a
+        // singleton (it is stateless and only dereferences the ambient request);
+        // AddHttpContextAccessor is idempotent (TryAdd-based) so calling it here
+        // is safe even though the Host's AddCentralUI also registers it.
+        services.AddHttpContextAccessor();
+        services.AddSingleton<IAuditActorAccessor, HttpAuditActorAccessor>();
+
        // Auth-adoption Task 1.1: register the shared IGroupRoleMapper<string>
        // seam additively, wrapping RoleMapper to reuse its DB-backed mapping +
        // site-scope union semantics. Scoped to match RoleMapper's lifetime (it
@@ -8,10 +8,15 @@
  </PropertyGroup>

  <ItemGroup>
-    <PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" />
-    <PackageReference Include="Microsoft.Extensions.Options" />
-    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" />
-    <PackageReference Include="Microsoft.AspNetCore.Authorization" />
+    <!-- HttpAuditActorAccessor (Phase 3) + AddHttpContextAccessor read the
+         authenticated principal off IHttpContextAccessor.HttpContext.User to
+         source the audit Actor. The cookie-auth wiring in AddSecurity already
+         lives here, so this is the natural home for the HTTP-backed
+         principal-to-actor seam. The shared framework supplies IHttpContextAccessor
+         / HttpContext (and the AddHttpContextAccessor DI helper); it also supplies
+         the Extensions.* + AspNetCore.Authentication/Authorization assemblies that
+         were previously listed as PackageReferences (now pruned — NU1510). -->
+    <FrameworkReference Include="Microsoft.AspNetCore.App" />
    <PackageReference Include="System.IdentityModel.Tokens.Jwt" />
    <PackageReference Include="Novell.Directory.Ldap.NETStandard" />
    <PackageReference Include="ZB.MOM.WW.Auth.Abstractions" />
@@ -0,0 +1,64 @@
+using ZB.MOM.WW.ScadaBridge.Commons.Types.Audit;
+using ZB.MOM.WW.ScadaBridge.Commons.Types.Enums;
+
+namespace ZB.MOM.WW.ScadaBridge.Commons.Tests.Types.Audit;
+
+/// <summary>
+/// Phase 3 (wire audit Actor from the Auth principal): the
+/// <see cref="ScadaBridgeAuditEventFactory"/> is the single construction point and
+/// records the <c>actor</c> the CALLER passes in — it never injects a principal of
+/// its own. These tests pin that contract so the per-emit-site decision holds:
+/// authenticated emit sites pass the principal's actor (sourced via
+/// <c>IAuditActorAccessor</c> at the inbound middleware), while system-originated
+/// emitters (notification / script DB-outbound) keep passing their own system/script
+/// actor unchanged. The factory does not blur the two.
+/// </summary>
+public class ScadaBridgeAuditEventFactoryActorTests
+{
+    [Theory]
+    // Mirrors the literal system actors the outbound emitters pass:
+    // NotificationOutboxActor → "system"; AuditingDbCommand → the source script.
+    [InlineData("system")]
+    [InlineData("order-sync.caspx")]
+    public void SystemOriginatedEmit_PreservesCallerActor_Verbatim(string systemActor)
+    {
+        var evt = ScadaBridgeAuditEventFactory.Create(
+            channel: AuditChannel.Notification,
+            kind: AuditKind.NotifyDeliver,
+            status: AuditStatus.Delivered,
+            actor: systemActor);
+
+        // The system emit keeps its system/script actor — the factory does not
+        // overwrite it with any authenticated principal.
+        Assert.Equal(systemActor, evt.Actor);
+    }
+
+    [Fact]
+    public void AuthenticatedEmit_PreservesCallerActor_Verbatim()
+    {
+        // An authenticated emit site (e.g. the inbound middleware) passes the
+        // principal's actor; the factory records it as-is.
+        var evt = ScadaBridgeAuditEventFactory.Create(
+            channel: AuditChannel.ApiInbound,
+            kind: AuditKind.InboundRequest,
+            status: AuditStatus.Delivered,
+            actor: "alice");
+
+        Assert.Equal("alice", evt.Actor);
+    }
+
+    [Fact]
+    public void NullActor_MapsToEmptyString_OnCanonicalRecord()
+    {
+        // The canonical AuditEvent.Actor is a non-null string; a null actor (no
+        // authenticated principal AND no system fallback supplied) maps to empty.
+        // AuditRowProjection then surfaces empty as null at the row boundary.
+        var evt = ScadaBridgeAuditEventFactory.Create(
+            channel: AuditChannel.ApiInbound,
+            kind: AuditKind.InboundAuthFailure,
+            status: AuditStatus.Failed,
+            actor: null);
+
+        Assert.Equal(string.Empty, evt.Actor);
+    }
+}
@@ -85,12 +85,26 @@ public class AuditWriteMiddlewareTests
    private static AuditWriteMiddleware CreateMiddleware(
        RequestDelegate next,
        ICentralAuditWriter writer,
-        AuditLogOptions? options = null) =>
+        AuditLogOptions? options = null,
+        IAuditActorAccessor? actorAccessor = null) =>
        new(
            next,
            writer,
            NullLogger<AuditWriteMiddleware>.Instance,
-            new StaticAuditLogOptionsMonitor(options ?? new AuditLogOptions()));
+            new StaticAuditLogOptionsMonitor(options ?? new AuditLogOptions()),
+            actorAccessor);
+
+    /// <summary>
+    /// File-local <see cref="IAuditActorAccessor"/> test double returning a fixed
+    /// actor string — stands in for the HTTP-backed accessor that reads the
+    /// authenticated principal off the ambient request (Phase 3).
+    /// </summary>
+    private sealed class StubAuditActorAccessor : IAuditActorAccessor
+    {
+        public StubAuditActorAccessor(string? currentActor) => CurrentActor = currentActor;
+
+        public string? CurrentActor { get; }
+    }

    /// <summary>
    /// File-local <see cref="IOptionsMonitor{TOptions}"/> test double — returns the
@@ -278,6 +292,105 @@ public class AuditWriteMiddlewareTests
        Assert.Equal("integration-svc", evt.Actor);
    }

+    // ---------------------------------------------------------------------
+    // 5b. Phase 3 — Actor from the authenticated principal. When no API-key
+    //     name was stashed, the actor is sourced from IAuditActorAccessor
+    //     (the authenticated interactive cookie/LDAP user). The API-key stash
+    //     still takes precedence, and auth-failure / no-principal paths stay
+    //     null — never echo an unauthenticated principal back.
+    // ---------------------------------------------------------------------
+
+    [Fact]
+    public async Task AuthenticatedUser_FromAccessor_RecordedAsActor_WhenNoApiKeyStash()
+    {
+        var writer = new RecordingAuditWriter();
+        var ctx = BuildContext();
+        var mw = CreateMiddleware(
+            _ =>
+            {
+                // No API-key name stashed — this is an interactive cookie/LDAP
+                // authenticated inbound user, surfaced via the accessor.
+                ctx.Response.StatusCode = 200;
+                return Task.CompletedTask;
+            },
+            writer,
+            actorAccessor: new StubAuditActorAccessor("alice"));
+
+        await mw.InvokeAsync(ctx);
+
+        var evt = Assert.Single(writer.Events);
+        Assert.Equal("alice", evt.Actor);
+    }
+
+    [Fact]
+    public async Task ApiKeyStash_TakesPrecedence_OverAuthenticatedPrincipal()
+    {
+        // A key-authenticated caller: the endpoint handler stashed the API key
+        // name. Even if an accessor would resolve a principal, the API-key
+        // identity is the canonical actor for the key-authenticated path.
+        var writer = new RecordingAuditWriter();
+        var ctx = BuildContext();
+        var mw = CreateMiddleware(
+            _ =>
+            {
+                ctx.Items[AuditWriteMiddleware.AuditActorItemKey] = "integration-svc";
+                ctx.Response.StatusCode = 200;
+                return Task.CompletedTask;
+            },
+            writer,
+            actorAccessor: new StubAuditActorAccessor("should-not-win"));
+
+        await mw.InvokeAsync(ctx);
+
+        var evt = Assert.Single(writer.Events);
+        Assert.Equal("integration-svc", evt.Actor);
+    }
+
+    [Fact]
+    public async Task AuthFailure_KeepsActorNull_EvenWhenAccessorResolvesPrincipal()
+    {
+        // 401/403 force the actor null BEFORE resolution — an auth failure must
+        // never echo a principal back, even one the accessor could produce.
+        var writer = new RecordingAuditWriter();
+        var ctx = BuildContext();
+        var mw = CreateMiddleware(
+            _ =>
+            {
+                ctx.Response.StatusCode = 401;
+                return Task.CompletedTask;
+            },
+            writer,
+            actorAccessor: new StubAuditActorAccessor("attacker"));
+
+        await mw.InvokeAsync(ctx);
+
+        var evt = Assert.Single(writer.Events);
+        Assert.Equal(AuditKind.InboundAuthFailure, evt.Kind);
+        Assert.Null(evt.Actor);
+    }
+
+    [Fact]
+    public async Task NoApiKey_NoAuthenticatedPrincipal_LeavesActorNull()
+    {
+        // Accessor present but returns null (no authenticated interactive user)
+        // and no API-key stash — the actor stays null rather than empty/echoed.
+        var writer = new RecordingAuditWriter();
+        var ctx = BuildContext();
+        var mw = CreateMiddleware(
+            _ =>
+            {
+                ctx.Response.StatusCode = 200;
+                return Task.CompletedTask;
+            },
+            writer,
+            actorAccessor: new StubAuditActorAccessor(currentActor: null));
+
+        await mw.InvokeAsync(ctx);
+
+        var evt = Assert.Single(writer.Events);
+        Assert.Null(evt.Actor);
+    }
+
    // ---------------------------------------------------------------------
    // 6. Writer failure must NEVER alter the HTTP response
    // ---------------------------------------------------------------------
@@ -0,0 +1,114 @@
+using System.Security.Claims;
+using Microsoft.AspNetCore.Http;
+using ZB.MOM.WW.Auth.AspNetCore;
+using ZB.MOM.WW.ScadaBridge.Security;
+
+namespace ZB.MOM.WW.ScadaBridge.Security.Tests;
+
+/// <summary>
+/// Phase 3 (wire audit Actor from the Auth principal): unit tests for
+/// <see cref="HttpAuditActorAccessor"/>. The accessor resolves the audit
+/// <c>Actor</c> from the authenticated principal on the ambient
+/// <see cref="IHttpContextAccessor.HttpContext"/> — the canonical username claim
+/// with an <see cref="System.Security.Principal.IIdentity.Name"/> fallback — and
+/// returns <c>null</c> whenever there is no authenticated interactive user, so the
+/// caller keeps its existing actor/fallback rather than echoing an unauthenticated
+/// principal.
+/// </summary>
+public class HttpAuditActorAccessorTests
+{
+    /// <summary>
+    /// Minimal <see cref="IHttpContextAccessor"/> test double returning a fixed
+    /// (possibly null) <see cref="HttpContext"/>.
+    /// </summary>
+    private sealed class StubHttpContextAccessor : IHttpContextAccessor
+    {
+        public HttpContext? HttpContext { get; set; }
+    }
+
+    private static HttpContext AuthenticatedContext(params Claim[] claims)
+    {
+        var ctx = new DefaultHttpContext
+        {
+            User = new ClaimsPrincipal(new ClaimsIdentity(claims, authenticationType: "TestAuth")),
+        };
+        return ctx;
+    }
+
+    [Fact]
+    public void CurrentActor_Authenticated_ReturnsUsernameClaim()
+    {
+        var ctx = AuthenticatedContext(
+            new Claim(JwtTokenService.UsernameClaimType, "alice"),
+            // A different Identity.Name proves the username claim is preferred.
+            new Claim(ClaimTypes.Name, "Alice Liddell"));
+        var accessor = new HttpAuditActorAccessor(
+            new StubHttpContextAccessor { HttpContext = ctx });
+
+        Assert.Equal("alice", accessor.CurrentActor);
+    }
+
+    [Fact]
+    public void CurrentActor_Authenticated_NoUsernameClaim_FallsBackToIdentityName()
+    {
+        // No canonical username claim; Identity.Name (pinned to ZbClaimTypes.Name)
+        // is the documented fallback. DefaultHttpContext maps the ClaimTypes.Name
+        // claim onto Identity.Name.
+        var ctx = AuthenticatedContext(new Claim(ClaimTypes.Name, "bob"));
+        var accessor = new HttpAuditActorAccessor(
+            new StubHttpContextAccessor { HttpContext = ctx });
+
+        Assert.Equal("bob", accessor.CurrentActor);
+    }
+
+    [Fact]
+    public void CurrentActor_Authenticated_PrefersUsernameOverZbName()
+    {
+        // Both the canonical username and the canonical name claim present — the
+        // username claim wins.
+        var ctx = AuthenticatedContext(
+            new Claim(JwtTokenService.UsernameClaimType, "svc-user"),
+            new Claim(ZbClaimTypes.Name, "Service User"));
+        var accessor = new HttpAuditActorAccessor(
+            new StubHttpContextAccessor { HttpContext = ctx });
+
+        Assert.Equal("svc-user", accessor.CurrentActor);
+    }
+
+    [Fact]
+    public void CurrentActor_Unauthenticated_ReturnsNull()
+    {
+        // An anonymous identity (no authenticationType) is NOT authenticated —
+        // never echo it back as an actor even if a name claim is somehow present.
+        var ctx = new DefaultHttpContext
+        {
+            User = new ClaimsPrincipal(
+                new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, "ghost") })),
+        };
+        var accessor = new HttpAuditActorAccessor(
+            new StubHttpContextAccessor { HttpContext = ctx });
+
+        Assert.Null(accessor.CurrentActor);
+    }
+
+    [Fact]
+    public void CurrentActor_NoAmbientHttpContext_ReturnsNull()
+    {
+        var accessor = new HttpAuditActorAccessor(
+            new StubHttpContextAccessor { HttpContext = null });
+
+        Assert.Null(accessor.CurrentActor);
+    }
+
+    [Fact]
+    public void CurrentActor_AuthenticatedButNoUsableName_ReturnsNull()
+    {
+        // Authenticated identity carrying only an unrelated claim (no username,
+        // no name) — there is nothing usable to record, so fall back to null.
+        var ctx = AuthenticatedContext(new Claim(ZbClaimTypes.Role, "Administrator"));
+        var accessor = new HttpAuditActorAccessor(
+            new StubHttpContextAccessor { HttpContext = ctx });
+
+        Assert.Null(accessor.CurrentActor);
+    }
+}
@@ -8,14 +8,19 @@
    <IsPackable>false</IsPackable>
  </PropertyGroup>

+  <ItemGroup>
+    <!-- HttpAuditActorAccessorTests construct DefaultHttpContext + an
+         IHttpContextAccessor stub to drive the principal-to-actor seam. -->
+    <FrameworkReference Include="Microsoft.AspNetCore.App" />
+  </ItemGroup>
+
  <ItemGroup>
    <PackageReference Include="coverlet.collector" />
    <PackageReference Include="Microsoft.EntityFrameworkCore.Sqlite" />
-    <PackageReference Include="Microsoft.Extensions.DependencyInjection" />
-    <PackageReference Include="Microsoft.Extensions.Logging" />
-    <PackageReference Include="Microsoft.Extensions.Logging.Abstractions" />
-    <PackageReference Include="Microsoft.Extensions.Options" />
-    <PackageReference Include="Microsoft.AspNetCore.Authorization" />
+    <!-- Microsoft.Extensions.* and Microsoft.AspNetCore.Authorization are provided
+         by the Microsoft.AspNetCore.App shared framework referenced above (added so
+         HttpAuditActorAccessorTests can build DefaultHttpContext), so they are no
+         longer listed as PackageReferences here (NU1510). -->
    <PackageReference Include="Microsoft.NET.Test.Sdk" />
    <PackageReference Include="xunit" />
    <PackageReference Include="xunit.runner.visualstudio" />