Phase 1 WP-2–10: Repositories, audit service, security & auth (LDAP, JWT, roles, policies, data protection)

- WP-2: SecurityRepository + CentralUiRepository with audit log queries
- WP-3: AuditService with transactional guarantee (same SaveChangesAsync)
- WP-4: Optimistic concurrency tests (deployment records vs template last-write-wins)
- WP-5: Seed data (SCADA-Admins → Admin role mapping)
- WP-6: LdapAuthService (direct bind, TLS enforcement, group query)
- WP-7: JwtTokenService (HMAC-SHA256, 15-min refresh, 30-min idle timeout)
- WP-8: RoleMapper (LDAP groups → roles with site-scoped deployment)
- WP-9: Authorization policies (Admin/Design/Deployment + site scope handler)
- WP-10: Shared Data Protection keys via EF Core
141 tests pass, zero warnings.

src/ScadaLink.Security/AuthorizationPolicies.cs

@@ -0,0 +1,30 @@
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.Extensions.DependencyInjection;
+
+namespace ScadaLink.Security;
+
+public static class AuthorizationPolicies
+{
+    public const string RequireAdmin = "RequireAdmin";
+    public const string RequireDesign = "RequireDesign";
+    public const string RequireDeployment = "RequireDeployment";
+
+    public static IServiceCollection AddScadaLinkAuthorization(this IServiceCollection services)
+    {
+        services.AddAuthorization(options =>
+        {
+            options.AddPolicy(RequireAdmin, policy =>
+                policy.RequireClaim(JwtTokenService.RoleClaimType, "Admin"));
+
+            options.AddPolicy(RequireDesign, policy =>
+                policy.RequireClaim(JwtTokenService.RoleClaimType, "Design"));
+
+            options.AddPolicy(RequireDeployment, policy =>
+                policy.RequireClaim(JwtTokenService.RoleClaimType, "Deployment"));
+        });
+
+        services.AddSingleton<IAuthorizationHandler, SiteScopeAuthorizationHandler>();
+
+        return services;
+    }
+}