feat(auth): cut OtOpcUa over to ZB.MOM.WW.Auth.Ldap; preserve DevStubMode; route roles via IGroupRoleMapper (Task 1.2/1.4)

src/Server/ZB.MOM.WW.OtOpcUa.Security/ServiceCollectionExtensions.cs

@@ -36,11 +36,13 @@ public static class ServiceCollectionExtensions
         services.AddOptions<LdapOptions>().Bind(configuration.GetSection(LdapOptions.SectionName));
 
         services.AddSingleton<JwtTokenService>();
-        // Singleton — LdapAuthService is stateless (creates an LdapConnection per call) and
-        // must be consumable by the Singleton LdapOpcUaUserAuthenticator on driver-role nodes.
-        // TryAdd so a fused admin+driver node (which also registers it in Program.cs for the
+        // Singleton — OtOpcUaLdapAuthService is stateless (the shared-library directory client it
+        // wraps opens/disposes an LdapConnection per call) and must be consumable by the Singleton
+        // LdapOpcUaUserAuthenticator on driver-role nodes. This is the app's ILdapAuthService: it
+        // adds the Enabled master switch + DevStubMode bypass on top of the shared ZB.MOM.WW.Auth.Ldap
+        // service. TryAdd so a fused admin+driver node (which also registers it in Program.cs for the
         // driver path) ends up with exactly one descriptor regardless of registration order.
-        services.TryAddSingleton<ILdapAuthService, LdapAuthService>();
+        services.TryAddSingleton<ILdapAuthService, OtOpcUaLdapAuthService>();
 
         // Shared ZB.MOM.WW.Auth group→role mapper seam (Task 1.1, additive). Wraps the existing
         // RoleMapper.Map + RoleMapper.Merge logic; the login flow is rewired to consume it in a