fix(auth): C3 review — surface seam not-found (no silent success), partial-reconcile-failure guidance, create validation order, concurrent-edit reconciler test

tests/ZB.MOM.WW.ScadaBridge.CentralUI.Tests/Services/ApiMethodKeyScopeReconcilerTests.cs

@@ -115,4 +115,28 @@ public sealed class ApiMethodKeyScopeReconcilerTests
         Assert.Empty(result.Updates);
         Assert.Empty(result.EmptyScopeKeyNames);
     }
+
+    /// <summary>
+    /// Concurrent-edit guard: if selected == initial (no diff), the reconciler must produce
+    /// ZERO updates even when the live store shows different scopes on that key. The reconciler
+    /// only acts on keys that appear in the diff (added or removed relative to <c>initialKeyIds</c>)
+    /// — it must never touch keys that are not in the diff, regardless of what their current
+    /// live scopes look like.
+    /// </summary>
+    [Fact]
+    public void NoDiff_ProducesNoUpdates_EvenWhenLiveScopesDiffer()
+    {
+        // k1 was approved at load time and is still approved — no diff.
+        // However, a concurrent edit changed k1's live scopes to include an extra method.
+        var result = ApiMethodKeyScopeReconciler.Reconcile(
+            methodName: "PlaceOrder",
+            selectedKeyIds: new HashSet<string> { "k1" },
+            initialKeyIds: new HashSet<string> { "k1" },
+            currentMethodsByKey: Current(("k1", new[] { "PlaceOrder", "OtherMethod" })),
+            keyNamesById: Names(("k1", "Key One")));
+
+        // k1 is not in the diff → reconciler must not touch it.
+        Assert.Empty(result.Updates);
+        Assert.Empty(result.EmptyScopeKeyNames);
+    }
 }