fix(security): M2.19 review nits — idle/refresh config guard + adapter tests + dead-var/doc cleanup (#15)

- Add SecurityOptionsValidator (IValidateOptions<SecurityOptions>) enforcing
  RoleRefreshThresholdMinutes < IdleTimeoutMinutes; registered with ValidateOnStart in
  AddSecurity — startup FAILS if threshold >= idle, so the invariant cannot be silently
  misconfigured away.
- Update SecurityOptions XML-docs: class-level summary distinguishes JWT Bearer path
  (JwtSigningKey/JwtExpiryMinutes) from Blazor cookie session path (IdleTimeoutMinutes/
  RoleRefreshThresholdMinutes); both time fields document the ~45-min effective idle window
  and the new cross-field constraint.
- Remove dead jwtService variable from /auth/login lambda in AuthEndpoints.cs (resolved
  but never used since login moved to SessionClaimBuilder).
- Extract ApplyValidationResultAsync helper from OnValidatePrincipalAsync (pure
  decision-application step); add 3 adapter tests covering Reject → RejectPrincipal +
  SignOutAsync; Replace → ReplacePrincipal + ShouldRenew; Keep → no-op.
- Fix inaccurate TryRefreshAsync comment (dropped "OR last-activity needs advancing" —
  the code only returns non-null when roleRefreshDue).
- Add InternalsVisibleTo for Security.Tests in Security.csproj.
- Add IsRoleRefreshDue tests: missing claim → due; unparsable claim → due; plus integration
  test covering the full ValidateAsync path for a principal missing zb:lastrolerefresh
  (triggers refresh + re-stamps anchor rather than keeping stale principal forever).
- Add SecurityOptionsValidatorConfigGuardTests: default succeeds; equal fails; greater fails;
  boundary (idle-1) succeeds; wiring confirmed via AddSecurity container.

src/ZB.MOM.WW.ScadaBridge.Security/SecurityOptions.cs

@@ -1,10 +1,21 @@
 namespace ZB.MOM.WW.ScadaBridge.Security;
 
 /// <summary>
-/// Non-LDAP security configuration: the cookie-embedded JWT signing/lifetime
-/// settings and the session idle-timeout / cookie-security policy.
+/// Non-LDAP security configuration for the ScadaBridge Central UI.
 /// </summary>
 /// <remarks>
+/// <para>
+/// <b>JWT Bearer path (<c>/auth/token</c>)</b>: <see cref="JwtSigningKey"/> and
+/// <see cref="JwtExpiryMinutes"/> govern the short-lived Bearer token issued to
+/// the CLI / Inbound API. They have no effect on the Blazor cookie session.
+/// </para>
+/// <para>
+/// <b>Blazor cookie session</b>: <see cref="IdleTimeoutMinutes"/> and
+/// <see cref="RoleRefreshThresholdMinutes"/> govern the cookie-only session used by
+/// the Blazor Server UI. There is no embedded JWT in this path — the cookie is
+/// HttpOnly/Secure and managed entirely by ASP.NET Core cookie authentication.
+/// </para>
+/// <para>
 /// Task 1.2/1.4 cutover: the LDAP connection settings that used to live here as
 /// flat <c>Ldap*</c> keys (server, port, transport, search base, service account,
 /// attributes, timeout) moved into a nested <c>ScadaBridge:Security:Ldap</c>
@@ -12,6 +23,7 @@ namespace ZB.MOM.WW.ScadaBridge.Security;
 /// and registered via <c>AddZbLdapAuth</c>. This is a BREAKING config-key change —
 /// see CHANGELOG. The non-LDAP fields below are unchanged and still bound from
 /// <c>ScadaBridge:Security</c>.
+/// </para>
 /// </remarks>
 public class SecurityOptions
 {
@@ -27,7 +39,19 @@ public class SecurityOptions
     public const int MinJwtSigningKeyBytes = 32;
     /// <summary>Cookie-embedded JWT lifetime in minutes before it must be refreshed.</summary>
     public int JwtExpiryMinutes { get; set; } = 15;
-    /// <summary>Session idle timeout in minutes; sessions inactive beyond this are expired.</summary>
+    /// <summary>
+    /// Session idle timeout in minutes for the Blazor cookie session; sessions inactive
+    /// beyond this are expired and the user is redirected to <c>/login</c>. Default: <b>30</b>.
+    /// </summary>
+    /// <remarks>
+    /// Because <see cref="RoleRefreshThresholdMinutes"/> is the only operation that advances
+    /// the <c>LastActivity</c> anchor, the effective maximum idle window before a session is
+    /// guaranteed to be rejected is approximately
+    /// <c>IdleTimeoutMinutes + RoleRefreshThresholdMinutes</c> (~45 minutes with defaults).
+    /// This is intentional and mirrors the cookie middleware's own <c>SlidingExpiration</c>
+    /// fuzziness. Must be strictly greater than <see cref="RoleRefreshThresholdMinutes"/>
+    /// (enforced at startup by <see cref="SecurityOptionsValidator"/>).
+    /// </remarks>
     public int IdleTimeoutMinutes { get; set; } = 30;
 
     /// <summary>
@@ -38,15 +62,23 @@ public class SecurityOptions
     /// <summary>
     /// M2.19 (#15): how long a cookie session's role-mapping projection may be stale
     /// before <c>OnValidatePrincipal</c> re-runs the DB-backed <c>RoleMapper</c> on the
-    /// session's stored LDAP group claims and rebuilds the role/scope claims (default
-    /// <b>15 minutes</b>, matching the documented sliding-refresh cadence). This is a
-    /// purely central (database) refresh — it picks up LDAP-group→role mapping changes
-    /// and scope-rule changes WITHOUT contacting LDAP, so revoked roles take effect
+    /// session's stored LDAP group claims and rebuilds the role/scope claims. Default:
+    /// <b>15 minutes</b>, matching the documented sliding-refresh cadence.
+    /// </summary>
+    /// <remarks>
+    /// This is a purely central (database) refresh — it picks up LDAP-group→role mapping
+    /// changes and scope-rule changes WITHOUT contacting LDAP, so revoked roles take effect
     /// within this window. It does NOT pick up live LDAP group-membership changes (the
     /// shared LDAP library exposes no passwordless group-search; that remains a
-    /// next-login refresh — see Component-Security.md). Kept &lt;= the cookie idle
-    /// window so a refresh never outlives the session it refreshes.
-    /// </summary>
+    /// next-login refresh — see Component-Security.md).
+    /// <para>
+    /// Because a role-refresh is also the only operation that advances the
+    /// <c>LastActivity</c> anchor, the effective maximum idle window is approximately
+    /// <c><see cref="IdleTimeoutMinutes"/> + RoleRefreshThresholdMinutes</c> (~45 minutes
+    /// with defaults). Must be strictly less than <see cref="IdleTimeoutMinutes"/>
+    /// (enforced at startup by <see cref="SecurityOptionsValidator"/>).
+    /// </para>
+    /// </remarks>
     public int RoleRefreshThresholdMinutes { get; set; } = 15;
 
     /// <summary>
@@ -73,3 +105,38 @@ public class SecurityOptions
     /// </summary>
     public string CookieName { get; set; } = DefaultCookieName;
 }
+
+/// <summary>
+/// M2.19 (#15): startup validator for <see cref="SecurityOptions"/>. Fails fast at boot
+/// on any configuration that would defeat idle-timeout enforcement.
+/// </summary>
+/// <remarks>
+/// Registered with <c>ValidateOnStart()</c> by
+/// <see cref="ServiceCollectionExtensions.AddSecurity"/> so a misconfigured appsettings
+/// section is caught at application startup rather than silently misapplied at runtime.
+/// </remarks>
+public sealed class SecurityOptionsValidator : Microsoft.Extensions.Options.IValidateOptions<SecurityOptions>
+{
+    /// <inheritdoc/>
+    public Microsoft.Extensions.Options.ValidateOptionsResult Validate(string? name, SecurityOptions options)
+    {
+        // SECURITY: RoleRefreshThresholdMinutes must be strictly less than IdleTimeoutMinutes.
+        // The role-refresh cycle is the ONLY operation that advances the LastActivity anchor,
+        // so a single un-refreshed cycle must not be able to exhaust the entire idle window.
+        // If threshold >= idle, a user who triggers exactly one refresh at t=0 would have
+        // their anchor advanced to t=threshold while the idle check only fires at t>idle —
+        // meaning t=threshold >= t=idle is already past (or at) the expiry, defeating enforcement.
+        if (options.RoleRefreshThresholdMinutes >= options.IdleTimeoutMinutes)
+        {
+            return Microsoft.Extensions.Options.ValidateOptionsResult.Fail(
+                $"{nameof(SecurityOptions.RoleRefreshThresholdMinutes)} " +
+                $"({options.RoleRefreshThresholdMinutes}) must be strictly less than " +
+                $"{nameof(SecurityOptions.IdleTimeoutMinutes)} " +
+                $"({options.IdleTimeoutMinutes}). " +
+                $"A single refresh cycle must not equal or exceed the idle window or idle " +
+                $"enforcement is defeated.");
+        }
+
+        return Microsoft.Extensions.Options.ValidateOptionsResult.Success;
+    }
+}