feat(audit): ScadaBridge IAuditActorAccessor + wire audit Actor from Auth principal at authenticated emit sites (Phase 3)

src/ZB.MOM.WW.ScadaBridge.Security/HttpAuditActorAccessor.cs

@@ -0,0 +1,65 @@
+using System.Security.Claims;
+using Microsoft.AspNetCore.Http;
+using ZB.MOM.WW.Auth.AspNetCore;
+using ZB.MOM.WW.ScadaBridge.Commons.Interfaces.Services;
+
+namespace ZB.MOM.WW.ScadaBridge.Security;
+
+/// <summary>
+/// HTTP-backed <see cref="IAuditActorAccessor"/> (Phase 3): resolves the audit
+/// <c>Actor</c> from the authenticated principal on the ambient
+/// <see cref="IHttpContextAccessor.HttpContext"/>. Used by the user-facing
+/// inbound API audit path so a cookie/LDAP-authenticated request records the
+/// real user as <c>AuditEvent.Actor</c>.
+/// </summary>
+/// <remarks>
+/// <para>The username is sourced from the canonical
+/// <see cref="ZbClaimTypes.Username"/> claim (= <see cref="JwtTokenService.UsernameClaimType"/>,
+/// minted by <see cref="JwtTokenService"/> and by the cookie login path), falling
+/// back to <see cref="System.Security.Principal.IIdentity.Name"/> (which
+/// <see cref="JwtTokenService"/> pins to <see cref="ZbClaimTypes.Name"/> via its
+/// token-validation <c>NameClaimType</c>).
+/// When there is no ambient request, the principal is unauthenticated, or no
+/// usable name claim is present, <see cref="CurrentActor"/> returns <c>null</c> so
+/// the caller keeps its existing actor/fallback — an unauthenticated principal is
+/// never echoed back as an actor.</para>
+/// </remarks>
+public sealed class HttpAuditActorAccessor : IAuditActorAccessor
+{
+    private readonly IHttpContextAccessor _httpContextAccessor;
+
+    /// <summary>Initializes a new instance of <see cref="HttpAuditActorAccessor"/>.</summary>
+    /// <param name="httpContextAccessor">Accessor for the ambient HTTP context.</param>
+    public HttpAuditActorAccessor(IHttpContextAccessor httpContextAccessor)
+    {
+        _httpContextAccessor = httpContextAccessor
+            ?? throw new ArgumentNullException(nameof(httpContextAccessor));
+    }
+
+    /// <inheritdoc />
+    public string? CurrentActor
+    {
+        get
+        {
+            var user = _httpContextAccessor.HttpContext?.User;
+            if (user?.Identity is not { IsAuthenticated: true })
+            {
+                // No ambient request, or the principal is unauthenticated — never
+                // echo an unauthenticated identity back as an actor.
+                return null;
+            }
+
+            // Prefer the canonical username claim (the value JwtTokenService and
+            // the cookie login path mint); fall back to Identity.Name (pinned to
+            // ZbClaimTypes.Name by JwtTokenService.NameClaimType).
+            var username = user.FindFirst(JwtTokenService.UsernameClaimType)?.Value;
+            if (!string.IsNullOrWhiteSpace(username))
+            {
+                return username;
+            }
+
+            var name = user.Identity?.Name;
+            return string.IsNullOrWhiteSpace(name) ? null : name;
+        }
+    }
+}

src/ZB.MOM.WW.ScadaBridge.Security/ServiceCollectionExtensions.cs

@@ -4,6 +4,7 @@ using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 using ZB.MOM.WW.Auth.Abstractions.Roles;
 using ZB.MOM.WW.Auth.AspNetCore;
+using ZB.MOM.WW.ScadaBridge.Commons.Interfaces.Services;
 
 namespace ZB.MOM.WW.ScadaBridge.Security;
 
@@ -49,6 +50,18 @@ public static class ServiceCollectionExtensions
         services.AddScoped<JwtTokenService>();
         services.AddScoped<RoleMapper>();
 
+        // Audit Actor wiring (Phase 3): the user-facing inbound API audit path
+        // sources AuditEvent.Actor from the authenticated principal via this
+        // seam. HttpAuditActorAccessor reads IHttpContextAccessor.HttpContext?.User
+        // (canonical username claim, Identity.Name fallback) and returns null when
+        // there is no authenticated interactive user — so the caller keeps its
+        // existing actor/fallback (API-key name, "system"). Registered as a
+        // singleton (it is stateless and only dereferences the ambient request);
+        // AddHttpContextAccessor is idempotent (TryAdd-based) so calling it here
+        // is safe even though the Host's AddCentralUI also registers it.
+        services.AddHttpContextAccessor();
+        services.AddSingleton<IAuditActorAccessor, HttpAuditActorAccessor>();
+
         // Auth-adoption Task 1.1: register the shared IGroupRoleMapper<string>
         // seam additively, wrapping RoleMapper to reuse its DB-backed mapping +
         // site-scope union semantics. Scoped to match RoleMapper's lifetime (it

src/ZB.MOM.WW.ScadaBridge.Security/ZB.MOM.WW.ScadaBridge.Security.csproj

@@ -8,10 +8,15 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" />
-    <PackageReference Include="Microsoft.Extensions.Options" />
-    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" />
-    <PackageReference Include="Microsoft.AspNetCore.Authorization" />
+    <!-- HttpAuditActorAccessor (Phase 3) + AddHttpContextAccessor read the
+         authenticated principal off IHttpContextAccessor.HttpContext.User to
+         source the audit Actor. The cookie-auth wiring in AddSecurity already
+         lives here, so this is the natural home for the HTTP-backed
+         principal-to-actor seam. The shared framework supplies IHttpContextAccessor
+         / HttpContext (and the AddHttpContextAccessor DI helper); it also supplies
+         the Extensions.* + AspNetCore.Authentication/Authorization assemblies that
+         were previously listed as PackageReferences (now pruned — NU1510). -->
+    <FrameworkReference Include="Microsoft.AspNetCore.App" />
     <PackageReference Include="System.IdentityModel.Tokens.Jwt" />
     <PackageReference Include="Novell.Directory.Ldap.NETStandard" />
     <PackageReference Include="ZB.MOM.WW.Auth.Abstractions" />