feat(audit): ScadaBridge IAuditActorAccessor + wire audit Actor from Auth principal at authenticated emit sites (Phase 3)

2026-06-02 15:33:01 -04:00
parent bc0e5bfd37
commit b3de8408fa
9 changed files with 463 additions and 30 deletions
@@ -0,0 +1,31 @@
 namespace ZB.MOM.WW.ScadaBridge.Commons.Interfaces.Services;
 /// <summary>
 /// Resolves the <c>Actor</c> for an audit row from the current authenticated
 /// principal (Phase 3 of the audit re-architecture). User-facing emit sites
 /// (the inbound API middleware on a cookie/LDAP-authenticated request) read
 /// <see cref="CurrentActor"/> so the canonical <c>AuditEvent.Actor</c> records
 /// the real authenticated user, rather than a generic system/identity fallback.
 /// </summary>
 /// <remarks>
 /// <para>The seam is deliberately ASP.NET-free (a plain <c>string?</c>) so it can
 /// live in Commons and be consumed by any project without pulling an HTTP
 /// dependency. The HTTP-backed implementation
 /// (<c>ZB.MOM.WW.ScadaBridge.Security.HttpAuditActorAccessor</c>) reads the
 /// authenticated principal off <c>IHttpContextAccessor.HttpContext?.User</c>.</para>
 /// <para>This seam is for the <em>authenticated, interactive</em> actor only.
 /// System-originated emitters (script/notification/db-outbound) keep their own
 /// system actor/fallback and do NOT consult this accessor — there is no
 /// interactive principal to read in those flows.</para>
 /// </remarks>
 public interface IAuditActorAccessor
 {
    /// <summary>
    /// The actor string for the currently authenticated principal, or
    /// <c>null</c> when there is no authenticated interactive user (no ambient
    /// request, or an unauthenticated / auth-failure request). A null result
    /// signals the caller to fall back to its existing actor (API-key name,
    /// "system", etc.) — an unauthenticated principal is never echoed back.
    /// </summary>
    string? CurrentActor { get; }
 }
@@ -33,14 +33,18 @@ namespace ZB.MOM.WW.ScadaBridge.InboundAPI.Middleware;
 /// </para>
 ///
 /// <para>
-/// <b>Actor resolution.</b> Inbound API auth runs inside the endpoint handler
+/// <b>Actor resolution.</b> The API-key auth path runs inside the endpoint handler
 /// (no <c>UseAuthentication</c>-backed scheme populates <see cref="HttpContext.User"/>
-/// for X-API-Key callers), so the handler stashes the resolved API key name on
+/// for Bearer API-key callers), so the handler stashes the resolved API key name on
 /// <see cref="HttpContext.Items"/> under <see cref="AuditActorItemKey"/> after
 /// <c>IApiKeyVerifier.VerifyAsync</c> succeeds. The middleware reads it in
-/// its <c>finally</c> block — on auth failures the key remains absent and
+/// its <c>finally</c> block. Phase 3: when no API-key name is stashed, the actor is
-/// <see cref="AuditEvent.Actor"/> stays null (we never echo back an
+/// sourced from the authenticated <em>interactive</em> principal via
-/// unauthenticated principal).
+/// <see cref="IAuditActorAccessor"/> (a cookie/LDAP-authenticated inbound user,
 /// keyed off the canonical username claim). On auth failures (401/403) the actor is
 /// forced null before resolution runs, and the accessor itself returns null for an
 /// unauthenticated principal — so <see cref="AuditEvent.Actor"/> stays null and we
 /// never echo back an unauthenticated principal.
 /// </para>
 ///
 /// <para>
@@ -90,6 +94,7 @@ public sealed class AuditWriteMiddleware
    private readonly ICentralAuditWriter _auditWriter;
    private readonly ILogger<AuditWriteMiddleware> _logger;
    private readonly IOptionsMonitor<AuditLogOptions> _options;
    private readonly IAuditActorAccessor? _actorAccessor;
    /// <summary>
    /// Initializes the middleware with its required dependencies.
@@ -98,16 +103,25 @@ public sealed class AuditWriteMiddleware
    /// <param name="auditWriter">Central audit writer used to persist inbound API audit events.</param>
    /// <param name="logger">Logger for this middleware.</param>
    /// <param name="options">Live-reloadable audit log options, read per-request.</param>
    /// <param name="actorAccessor">
    /// Phase 3 (optional): resolves the audit <see cref="AuditEvent.Actor"/> from the
    /// authenticated principal on a cookie/LDAP-authenticated inbound request. Optional
    /// so existing tests (and any composition without the accessor registered) still
    /// construct the middleware; when absent, actor resolution falls back to the
    /// stashed API-key name only.
    /// </param>
    public AuditWriteMiddleware(
        RequestDelegate next,
        ICentralAuditWriter auditWriter,
        ILogger<AuditWriteMiddleware> logger,
-        IOptionsMonitor<AuditLogOptions> options)
+        IOptionsMonitor<AuditLogOptions> options,
        IAuditActorAccessor? actorAccessor = null)
    {
        _next = next ?? throw new ArgumentNullException(nameof(next));
        _auditWriter = auditWriter ?? throw new ArgumentNullException(nameof(auditWriter));
        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
        _options = options ?? throw new ArgumentNullException(nameof(options));
        _actorAccessor = actorAccessor;
    }
    /// <summary>
@@ -472,13 +486,24 @@ public sealed class AuditWriteMiddleware
    }
    /// <summary>
-    /// Reads the API key name the endpoint handler stashed on
+    /// Resolves the audit <see cref="AuditEvent.Actor"/> for a non-auth-failure
-    /// <see cref="HttpContext.Items"/> after successful auth. Falls back to
+    /// inbound request:
-    /// the authenticated user name when an ASP.NET scheme has populated
+    /// <list type="number">
-    /// <see cref="HttpContext.User"/> (defensive — currently unused for inbound
+    /// <item><description>the API key name the endpoint handler stashed on
-    /// API but cheap and forward-compatible).
+    /// <see cref="HttpContext.Items"/> after successful key auth (the
    /// key-authenticated path — the canonical identity of an API-key caller);</description></item>
    /// <item><description>otherwise the authenticated <em>interactive</em> principal
    /// resolved through <see cref="IAuditActorAccessor"/> (Phase 3 — a
    /// cookie/LDAP-authenticated inbound user, sourced from the canonical username
    /// claim). The accessor reads the ambient <see cref="HttpContext.User"/>, so the
    /// fall-through here only fires when no API-key name was stashed;</description></item>
    /// <item><description>otherwise <c>null</c> — never echo an unauthenticated
    /// principal back as an actor.</description></item>
    /// </list>
    /// The accessor is optional (constructor default <c>null</c>); when absent only
    /// the stashed API-key name is consulted, preserving the pre-Phase-3 behaviour.
    /// </summary>
-    private static string? ResolveActor(HttpContext ctx)
+    private string? ResolveActor(HttpContext ctx)
    {
        if (ctx.Items.TryGetValue(AuditActorItemKey, out var stashed)
            && stashed is string name
@@ -487,13 +512,11 @@ public sealed class AuditWriteMiddleware
            return name;
        }
-        var user = ctx.User;
+        // Phase 3: an interactive cookie/LDAP-authenticated inbound user records
-        if (user?.Identity is { IsAuthenticated: true, Name: { Length: > 0 } userName })
+        // their real identity as Actor. Returns null for the key-authenticated
-        {
+        // and auth-failure paths (no authenticated interactive principal), so the
-            return userName;
+        // existing API-key/auth-failure behaviour is preserved.
-        }
+        return _actorAccessor?.CurrentActor;
        return null;
    }
    /// <summary>
@@ -0,0 +1,65 @@
 using System.Security.Claims;
 using Microsoft.AspNetCore.Http;
 using ZB.MOM.WW.Auth.AspNetCore;
 using ZB.MOM.WW.ScadaBridge.Commons.Interfaces.Services;
 namespace ZB.MOM.WW.ScadaBridge.Security;
 /// <summary>
 /// HTTP-backed <see cref="IAuditActorAccessor"/> (Phase 3): resolves the audit
 /// <c>Actor</c> from the authenticated principal on the ambient
 /// <see cref="IHttpContextAccessor.HttpContext"/>. Used by the user-facing
 /// inbound API audit path so a cookie/LDAP-authenticated request records the
 /// real user as <c>AuditEvent.Actor</c>.
 /// </summary>
 /// <remarks>
 /// <para>The username is sourced from the canonical
 /// <see cref="ZbClaimTypes.Username"/> claim (= <see cref="JwtTokenService.UsernameClaimType"/>,
 /// minted by <see cref="JwtTokenService"/> and by the cookie login path), falling
 /// back to <see cref="System.Security.Principal.IIdentity.Name"/> (which
 /// <see cref="JwtTokenService"/> pins to <see cref="ZbClaimTypes.Name"/> via its
 /// token-validation <c>NameClaimType</c>).
 /// When there is no ambient request, the principal is unauthenticated, or no
 /// usable name claim is present, <see cref="CurrentActor"/> returns <c>null</c> so
 /// the caller keeps its existing actor/fallback — an unauthenticated principal is
 /// never echoed back as an actor.</para>
 /// </remarks>
 public sealed class HttpAuditActorAccessor : IAuditActorAccessor
 {
    private readonly IHttpContextAccessor _httpContextAccessor;
    /// <summary>Initializes a new instance of <see cref="HttpAuditActorAccessor"/>.</summary>
    /// <param name="httpContextAccessor">Accessor for the ambient HTTP context.</param>
    public HttpAuditActorAccessor(IHttpContextAccessor httpContextAccessor)
    {
        _httpContextAccessor = httpContextAccessor
            ?? throw new ArgumentNullException(nameof(httpContextAccessor));
    }
    /// <inheritdoc />
    public string? CurrentActor
    {
        get
        {
            var user = _httpContextAccessor.HttpContext?.User;
            if (user?.Identity is not { IsAuthenticated: true })
            {
                // No ambient request, or the principal is unauthenticated — never
                // echo an unauthenticated identity back as an actor.
                return null;
            }
            // Prefer the canonical username claim (the value JwtTokenService and
            // the cookie login path mint); fall back to Identity.Name (pinned to
            // ZbClaimTypes.Name by JwtTokenService.NameClaimType).
            var username = user.FindFirst(JwtTokenService.UsernameClaimType)?.Value;
            if (!string.IsNullOrWhiteSpace(username))
            {
                return username;
            }
            var name = user.Identity?.Name;
            return string.IsNullOrWhiteSpace(name) ? null : name;
        }
    }
 }
@@ -4,6 +4,7 @@ using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 using ZB.MOM.WW.Auth.Abstractions.Roles;
 using ZB.MOM.WW.Auth.AspNetCore;
 using ZB.MOM.WW.ScadaBridge.Commons.Interfaces.Services;
 namespace ZB.MOM.WW.ScadaBridge.Security;
@@ -49,6 +50,18 @@ public static class ServiceCollectionExtensions
        services.AddScoped<JwtTokenService>();
        services.AddScoped<RoleMapper>();
        // Audit Actor wiring (Phase 3): the user-facing inbound API audit path
        // sources AuditEvent.Actor from the authenticated principal via this
        // seam. HttpAuditActorAccessor reads IHttpContextAccessor.HttpContext?.User
        // (canonical username claim, Identity.Name fallback) and returns null when
        // there is no authenticated interactive user — so the caller keeps its
        // existing actor/fallback (API-key name, "system"). Registered as a
        // singleton (it is stateless and only dereferences the ambient request);
        // AddHttpContextAccessor is idempotent (TryAdd-based) so calling it here
        // is safe even though the Host's AddCentralUI also registers it.
        services.AddHttpContextAccessor();
        services.AddSingleton<IAuditActorAccessor, HttpAuditActorAccessor>();
        // Auth-adoption Task 1.1: register the shared IGroupRoleMapper<string>
        // seam additively, wrapping RoleMapper to reuse its DB-backed mapping +
        // site-scope union semantics. Scoped to match RoleMapper's lifetime (it
@@ -8,10 +8,15 @@
  </PropertyGroup>
  <ItemGroup>
-    <PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" />
+    <!-- HttpAuditActorAccessor (Phase 3) + AddHttpContextAccessor read the
-    <PackageReference Include="Microsoft.Extensions.Options" />
+         authenticated principal off IHttpContextAccessor.HttpContext.User to
-    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" />
+         source the audit Actor. The cookie-auth wiring in AddSecurity already
-    <PackageReference Include="Microsoft.AspNetCore.Authorization" />
+         lives here, so this is the natural home for the HTTP-backed
         principal-to-actor seam. The shared framework supplies IHttpContextAccessor
         / HttpContext (and the AddHttpContextAccessor DI helper); it also supplies
         the Extensions.* + AspNetCore.Authentication/Authorization assemblies that
         were previously listed as PackageReferences (now pruned — NU1510). -->
    <FrameworkReference Include="Microsoft.AspNetCore.App" />
    <PackageReference Include="System.IdentityModel.Tokens.Jwt" />
    <PackageReference Include="Novell.Directory.Ldap.NETStandard" />
    <PackageReference Include="ZB.MOM.WW.Auth.Abstractions" />
@@ -0,0 +1,64 @@
 using ZB.MOM.WW.ScadaBridge.Commons.Types.Audit;
 using ZB.MOM.WW.ScadaBridge.Commons.Types.Enums;
 namespace ZB.MOM.WW.ScadaBridge.Commons.Tests.Types.Audit;
 /// <summary>
 /// Phase 3 (wire audit Actor from the Auth principal): the
 /// <see cref="ScadaBridgeAuditEventFactory"/> is the single construction point and
 /// records the <c>actor</c> the CALLER passes in — it never injects a principal of
 /// its own. These tests pin that contract so the per-emit-site decision holds:
 /// authenticated emit sites pass the principal's actor (sourced via
 /// <c>IAuditActorAccessor</c> at the inbound middleware), while system-originated
 /// emitters (notification / script DB-outbound) keep passing their own system/script
 /// actor unchanged. The factory does not blur the two.
 /// </summary>
 public class ScadaBridgeAuditEventFactoryActorTests
 {
    [Theory]
    // Mirrors the literal system actors the outbound emitters pass:
    // NotificationOutboxActor → "system"; AuditingDbCommand → the source script.
    [InlineData("system")]
    [InlineData("order-sync.caspx")]
    public void SystemOriginatedEmit_PreservesCallerActor_Verbatim(string systemActor)
    {
        var evt = ScadaBridgeAuditEventFactory.Create(
            channel: AuditChannel.Notification,
            kind: AuditKind.NotifyDeliver,
            status: AuditStatus.Delivered,
            actor: systemActor);
        // The system emit keeps its system/script actor — the factory does not
        // overwrite it with any authenticated principal.
        Assert.Equal(systemActor, evt.Actor);
    }
    [Fact]
    public void AuthenticatedEmit_PreservesCallerActor_Verbatim()
    {
        // An authenticated emit site (e.g. the inbound middleware) passes the
        // principal's actor; the factory records it as-is.
        var evt = ScadaBridgeAuditEventFactory.Create(
            channel: AuditChannel.ApiInbound,
            kind: AuditKind.InboundRequest,
            status: AuditStatus.Delivered,
            actor: "alice");
        Assert.Equal("alice", evt.Actor);
    }
    [Fact]
    public void NullActor_MapsToEmptyString_OnCanonicalRecord()
    {
        // The canonical AuditEvent.Actor is a non-null string; a null actor (no
        // authenticated principal AND no system fallback supplied) maps to empty.
        // AuditRowProjection then surfaces empty as null at the row boundary.
        var evt = ScadaBridgeAuditEventFactory.Create(
            channel: AuditChannel.ApiInbound,
            kind: AuditKind.InboundAuthFailure,
            status: AuditStatus.Failed,
            actor: null);
        Assert.Equal(string.Empty, evt.Actor);
    }
 }
@@ -85,12 +85,26 @@ public class AuditWriteMiddlewareTests
    private static AuditWriteMiddleware CreateMiddleware(
        RequestDelegate next,
        ICentralAuditWriter writer,
-        AuditLogOptions? options = null) =>
+        AuditLogOptions? options = null,
        IAuditActorAccessor? actorAccessor = null) =>
        new(
            next,
            writer,
            NullLogger<AuditWriteMiddleware>.Instance,
-            new StaticAuditLogOptionsMonitor(options ?? new AuditLogOptions()));
+            new StaticAuditLogOptionsMonitor(options ?? new AuditLogOptions()),
            actorAccessor);
    /// <summary>
    /// File-local <see cref="IAuditActorAccessor"/> test double returning a fixed
    /// actor string — stands in for the HTTP-backed accessor that reads the
    /// authenticated principal off the ambient request (Phase 3).
    /// </summary>
    private sealed class StubAuditActorAccessor : IAuditActorAccessor
    {
        public StubAuditActorAccessor(string? currentActor) => CurrentActor = currentActor;
        public string? CurrentActor { get; }
    }
    /// <summary>
    /// File-local <see cref="IOptionsMonitor{TOptions}"/> test double — returns the
@@ -278,6 +292,105 @@ public class AuditWriteMiddlewareTests
        Assert.Equal("integration-svc", evt.Actor);
    }
    // ---------------------------------------------------------------------
    // 5b. Phase 3 — Actor from the authenticated principal. When no API-key
    //     name was stashed, the actor is sourced from IAuditActorAccessor
    //     (the authenticated interactive cookie/LDAP user). The API-key stash
    //     still takes precedence, and auth-failure / no-principal paths stay
    //     null — never echo an unauthenticated principal back.
    // ---------------------------------------------------------------------
    [Fact]
    public async Task AuthenticatedUser_FromAccessor_RecordedAsActor_WhenNoApiKeyStash()
    {
        var writer = new RecordingAuditWriter();
        var ctx = BuildContext();
        var mw = CreateMiddleware(
            _ =>
            {
                // No API-key name stashed — this is an interactive cookie/LDAP
                // authenticated inbound user, surfaced via the accessor.
                ctx.Response.StatusCode = 200;
                return Task.CompletedTask;
            },
            writer,
            actorAccessor: new StubAuditActorAccessor("alice"));
        await mw.InvokeAsync(ctx);
        var evt = Assert.Single(writer.Events);
        Assert.Equal("alice", evt.Actor);
    }
    [Fact]
    public async Task ApiKeyStash_TakesPrecedence_OverAuthenticatedPrincipal()
    {
        // A key-authenticated caller: the endpoint handler stashed the API key
        // name. Even if an accessor would resolve a principal, the API-key
        // identity is the canonical actor for the key-authenticated path.
        var writer = new RecordingAuditWriter();
        var ctx = BuildContext();
        var mw = CreateMiddleware(
            _ =>
            {
                ctx.Items[AuditWriteMiddleware.AuditActorItemKey] = "integration-svc";
                ctx.Response.StatusCode = 200;
                return Task.CompletedTask;
            },
            writer,
            actorAccessor: new StubAuditActorAccessor("should-not-win"));
        await mw.InvokeAsync(ctx);
        var evt = Assert.Single(writer.Events);
        Assert.Equal("integration-svc", evt.Actor);
    }
    [Fact]
    public async Task AuthFailure_KeepsActorNull_EvenWhenAccessorResolvesPrincipal()
    {
        // 401/403 force the actor null BEFORE resolution — an auth failure must
        // never echo a principal back, even one the accessor could produce.
        var writer = new RecordingAuditWriter();
        var ctx = BuildContext();
        var mw = CreateMiddleware(
            _ =>
            {
                ctx.Response.StatusCode = 401;
                return Task.CompletedTask;
            },
            writer,
            actorAccessor: new StubAuditActorAccessor("attacker"));
        await mw.InvokeAsync(ctx);
        var evt = Assert.Single(writer.Events);
        Assert.Equal(AuditKind.InboundAuthFailure, evt.Kind);
        Assert.Null(evt.Actor);
    }
    [Fact]
    public async Task NoApiKey_NoAuthenticatedPrincipal_LeavesActorNull()
    {
        // Accessor present but returns null (no authenticated interactive user)
        // and no API-key stash — the actor stays null rather than empty/echoed.
        var writer = new RecordingAuditWriter();
        var ctx = BuildContext();
        var mw = CreateMiddleware(
            _ =>
            {
                ctx.Response.StatusCode = 200;
                return Task.CompletedTask;
            },
            writer,
            actorAccessor: new StubAuditActorAccessor(currentActor: null));
        await mw.InvokeAsync(ctx);
        var evt = Assert.Single(writer.Events);
        Assert.Null(evt.Actor);
    }
    // ---------------------------------------------------------------------
    // 6. Writer failure must NEVER alter the HTTP response
    // ---------------------------------------------------------------------
@@ -0,0 +1,114 @@
 using System.Security.Claims;
 using Microsoft.AspNetCore.Http;
 using ZB.MOM.WW.Auth.AspNetCore;
 using ZB.MOM.WW.ScadaBridge.Security;
 namespace ZB.MOM.WW.ScadaBridge.Security.Tests;
 /// <summary>
 /// Phase 3 (wire audit Actor from the Auth principal): unit tests for
 /// <see cref="HttpAuditActorAccessor"/>. The accessor resolves the audit
 /// <c>Actor</c> from the authenticated principal on the ambient
 /// <see cref="IHttpContextAccessor.HttpContext"/> — the canonical username claim
 /// with an <see cref="System.Security.Principal.IIdentity.Name"/> fallback — and
 /// returns <c>null</c> whenever there is no authenticated interactive user, so the
 /// caller keeps its existing actor/fallback rather than echoing an unauthenticated
 /// principal.
 /// </summary>
 public class HttpAuditActorAccessorTests
 {
    /// <summary>
    /// Minimal <see cref="IHttpContextAccessor"/> test double returning a fixed
    /// (possibly null) <see cref="HttpContext"/>.
    /// </summary>
    private sealed class StubHttpContextAccessor : IHttpContextAccessor
    {
        public HttpContext? HttpContext { get; set; }
    }
    private static HttpContext AuthenticatedContext(params Claim[] claims)
    {
        var ctx = new DefaultHttpContext
        {
            User = new ClaimsPrincipal(new ClaimsIdentity(claims, authenticationType: "TestAuth")),
        };
        return ctx;
    }
    [Fact]
    public void CurrentActor_Authenticated_ReturnsUsernameClaim()
    {
        var ctx = AuthenticatedContext(
            new Claim(JwtTokenService.UsernameClaimType, "alice"),
            // A different Identity.Name proves the username claim is preferred.
            new Claim(ClaimTypes.Name, "Alice Liddell"));
        var accessor = new HttpAuditActorAccessor(
            new StubHttpContextAccessor { HttpContext = ctx });
        Assert.Equal("alice", accessor.CurrentActor);
    }
    [Fact]
    public void CurrentActor_Authenticated_NoUsernameClaim_FallsBackToIdentityName()
    {
        // No canonical username claim; Identity.Name (pinned to ZbClaimTypes.Name)
        // is the documented fallback. DefaultHttpContext maps the ClaimTypes.Name
        // claim onto Identity.Name.
        var ctx = AuthenticatedContext(new Claim(ClaimTypes.Name, "bob"));
        var accessor = new HttpAuditActorAccessor(
            new StubHttpContextAccessor { HttpContext = ctx });
        Assert.Equal("bob", accessor.CurrentActor);
    }
    [Fact]
    public void CurrentActor_Authenticated_PrefersUsernameOverZbName()
    {
        // Both the canonical username and the canonical name claim present — the
        // username claim wins.
        var ctx = AuthenticatedContext(
            new Claim(JwtTokenService.UsernameClaimType, "svc-user"),
            new Claim(ZbClaimTypes.Name, "Service User"));
        var accessor = new HttpAuditActorAccessor(
            new StubHttpContextAccessor { HttpContext = ctx });
        Assert.Equal("svc-user", accessor.CurrentActor);
    }
    [Fact]
    public void CurrentActor_Unauthenticated_ReturnsNull()
    {
        // An anonymous identity (no authenticationType) is NOT authenticated —
        // never echo it back as an actor even if a name claim is somehow present.
        var ctx = new DefaultHttpContext
        {
            User = new ClaimsPrincipal(
                new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, "ghost") })),
        };
        var accessor = new HttpAuditActorAccessor(
            new StubHttpContextAccessor { HttpContext = ctx });
        Assert.Null(accessor.CurrentActor);
    }
    [Fact]
    public void CurrentActor_NoAmbientHttpContext_ReturnsNull()
    {
        var accessor = new HttpAuditActorAccessor(
            new StubHttpContextAccessor { HttpContext = null });
        Assert.Null(accessor.CurrentActor);
    }
    [Fact]
    public void CurrentActor_AuthenticatedButNoUsableName_ReturnsNull()
    {
        // Authenticated identity carrying only an unrelated claim (no username,
        // no name) — there is nothing usable to record, so fall back to null.
        var ctx = AuthenticatedContext(new Claim(ZbClaimTypes.Role, "Administrator"));
        var accessor = new HttpAuditActorAccessor(
            new StubHttpContextAccessor { HttpContext = ctx });
        Assert.Null(accessor.CurrentActor);
    }
 }
@@ -8,14 +8,19 @@
    <IsPackable>false</IsPackable>
  </PropertyGroup>
  <ItemGroup>
    <!-- HttpAuditActorAccessorTests construct DefaultHttpContext + an
         IHttpContextAccessor stub to drive the principal-to-actor seam. -->
    <FrameworkReference Include="Microsoft.AspNetCore.App" />
  </ItemGroup>
  <ItemGroup>
    <PackageReference Include="coverlet.collector" />
    <PackageReference Include="Microsoft.EntityFrameworkCore.Sqlite" />
-    <PackageReference Include="Microsoft.Extensions.DependencyInjection" />
+    <!-- Microsoft.Extensions.* and Microsoft.AspNetCore.Authorization are provided
-    <PackageReference Include="Microsoft.Extensions.Logging" />
+         by the Microsoft.AspNetCore.App shared framework referenced above (added so
-    <PackageReference Include="Microsoft.Extensions.Logging.Abstractions" />
+         HttpAuditActorAccessorTests can build DefaultHttpContext), so they are no
-    <PackageReference Include="Microsoft.Extensions.Options" />
+         longer listed as PackageReferences here (NU1510). -->
    <PackageReference Include="Microsoft.AspNetCore.Authorization" />
    <PackageReference Include="Microsoft.NET.Test.Sdk" />
    <PackageReference Include="xunit" />
    <PackageReference Include="xunit.runner.visualstudio" />