feat(auth): add IGroupRoleMapper<string> seam (Task 1.1)

src/Server/ZB.MOM.WW.OtOpcUa.Security/ServiceCollectionExtensions.cs

@@ -7,6 +7,7 @@ using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.DependencyInjection.Extensions;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
+using ZB.MOM.WW.Auth.Abstractions.Roles;
 using ZB.MOM.WW.OtOpcUa.Configuration;
 using ZB.MOM.WW.OtOpcUa.Security.Jwt;
 using ZB.MOM.WW.OtOpcUa.Security.Ldap;
@@ -41,6 +42,12 @@ public static class ServiceCollectionExtensions
         // driver path) ends up with exactly one descriptor regardless of registration order.
         services.TryAddSingleton<ILdapAuthService, LdapAuthService>();
 
+        // Shared ZB.MOM.WW.Auth group→role mapper seam (Task 1.1, additive). Wraps the existing
+        // RoleMapper.Map + RoleMapper.Merge logic; the login flow is rewired to consume it in a
+        // later task. Scoped to match ILdapGroupRoleMappingService (DbContext-backed, registered
+        // Scoped) — a singleton here would capture the scoped DB service.
+        services.TryAddScoped<IGroupRoleMapper<string>, OtOpcUaGroupRoleMapper>();
+
         services.AddDataProtection()
             .PersistKeysToDbContext<OtOpcUaConfigDbContext>()
             .SetApplicationName("OtOpcUa");