feat(auth): OtOpcUa adopt ZbClaimTypes + ZbCookieDefaults, keep cookie name (Task 1.5)

Add ZB.MOM.WW.Auth.AspNetCore package ref to Security project (version 0.1.1
from central PM). Alias JwtTokenService.UsernameClaimType and DisplayNameClaimType
to ZbClaimTypes.Username ("zb:username") and ZbClaimTypes.DisplayName ("zb:displayname")
so every mint/read site inherits the canonical spelling. AuthEndpoints login path now
emits ZbClaimTypes.Name (= ClaimTypes.Name, populates Identity.Name) instead of
ClaimTypes.NameIdentifier (no other read site used it), and references ZbClaimTypes.Role
(= ClaimTypes.Role) for role claims so [Authorize(Roles=...)] continues to resolve.
Cookie hardening now flows through ZbCookieDefaults.Apply (sets HttpOnly, SameSite=Strict,
SlidingExpiration, SecurePolicy, ExpireTimeSpan) followed by opts.Cookie.Name = v.Name to
preserve the OtOpcUa-specific "ZB.MOM.WW.OtOpcUa.Auth" cookie name. Two new tests added
to AuthEndpointsIntegrationTests assert canonical ZbClaimTypes on the cookie principal and
canonical zb: keys in the JWT payload; all 35 security tests green.

tests/Server/ZB.MOM.WW.OtOpcUa.Security.Tests/AuthEndpointsIntegrationTests.cs

@@ -1,6 +1,8 @@
 using System.Net;
 using System.Net.Http.Json;
+using System.Security.Claims;
 using System.Text.Json;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Http;
@@ -11,6 +13,7 @@ using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
 using Shouldly;
 using Xunit;
+using ZB.MOM.WW.Auth.AspNetCore;
 using ZB.MOM.WW.OtOpcUa.Configuration;
 using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
 using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
@@ -83,6 +86,15 @@ public sealed class AuthEndpointsIntegrationTests : IAsyncLifetime
                         // Protected root used by AuthChallengeTests below — exercises the cookie
                         // scheme's challenge heuristic without depending on the full Razor host.
                         e.MapGet("/", () => Results.Ok("authenticated")).RequireAuthorization();
+                        // Canonical-claims probe: returns all claim types+values from the cookie
+                        // principal so tests can assert the canonical ZbClaimTypes vocabulary.
+                        e.MapGet("/auth/whoami", (HttpContext ctx) =>
+                        {
+                            var claims = ctx.User.Claims
+                                .Select(c => new { c.Type, c.Value })
+                                .ToArray();
+                            return Results.Ok(claims);
+                        }).RequireAuthorization();
                     });
                 });
             })
@@ -251,6 +263,20 @@ public sealed class AuthEndpointsIntegrationTests : IAsyncLifetime
         roles.ShouldBeEmpty();
     }
 
+    /// <summary>Parses the payload segment of a JWT and returns it as a <see cref="JsonElement"/>.</summary>
+    private static JsonElement JwtPayloadJson(string jwt)
+    {
+        var payloadSegment = jwt.Split('.')[1];
+        var padded = payloadSegment.Replace('-', '+').Replace('_', '/');
+        padded = (padded.Length % 4) switch
+        {
+            2 => padded + "==",
+            3 => padded + "=",
+            _ => padded,
+        };
+        return JsonDocument.Parse(Convert.FromBase64String(padded)).RootElement;
+    }
+
     /// <summary>Extracts the "Role" claim values from a JWT's payload segment.</summary>
     private static IReadOnlyList<string> JwtRoleClaims(string jwt)
     {
@@ -268,6 +294,110 @@ public sealed class AuthEndpointsIntegrationTests : IAsyncLifetime
             : [roleProp.GetString()!];
     }
 
+    /// <summary>
+    /// Task 1.5 — canonical claims contract: after a successful cookie login the authenticated
+    /// principal MUST carry the canonical ZbClaimTypes vocabulary:
+    /// <list type="bullet">
+    ///   <item><see cref="ZbClaimTypes.Name"/> (= ClaimTypes.Name) so Identity.Name resolves.</item>
+    ///   <item><see cref="ZbClaimTypes.Username"/> (= "zb:username") — login username.</item>
+    ///   <item><see cref="ZbClaimTypes.DisplayName"/> (= "zb:displayname") — human-friendly name.</item>
+    ///   <item><see cref="ZbClaimTypes.Role"/> (= ClaimTypes.Role) — at least one role claim.</item>
+    /// </list>
+    /// Also asserts that the old short-name literals "Username" and "DisplayName" are NOT emitted
+    /// (the pre-Task-1.5 strings that would indicate the migration was incomplete).
+    /// </summary>
+    [Fact]
+    public async Task Login_emits_canonical_ZbClaimTypes_on_cookie_principal()
+    {
+        // Arrange — seed a DB role so the mapper produces a role claim.
+        _roleMappings.Rows.Add(new LdapGroupRoleMapping
+        {
+            Id = Guid.NewGuid(),
+            LdapGroup = "ReadOnly",
+            Role = AdminRole.FleetAdmin,
+            IsSystemWide = true,
+            ClusterId = null,
+        });
+
+        var client = NewClient();
+
+        // Act — login.
+        var loginResp = await client.PostAsJsonAsync("/auth/login",
+            new AuthEndpoints.LoginRequest("alice", "valid-password"), Ct);
+        loginResp.StatusCode.ShouldBe(HttpStatusCode.NoContent);
+
+        // Call the whoami probe to read back the cookie principal's claims.
+        var whoamiReq = new HttpRequestMessage(HttpMethod.Get, "/auth/whoami");
+        AttachCookies(whoamiReq, loginResp);
+        var whoamiResp = await client.SendAsync(whoamiReq, Ct);
+        whoamiResp.StatusCode.ShouldBe(HttpStatusCode.OK);
+
+        var claims = (await whoamiResp.Content.ReadFromJsonAsync<ClaimDto[]>(Ct))!;
+
+        // Assert — canonical name claim (ClaimTypes.Name URI) so Identity.Name resolves.
+        claims.ShouldContain(c => c.Type == ZbClaimTypes.Name && c.Value == "alice",
+            $"Expected {ZbClaimTypes.Name} claim with value 'alice'");
+
+        // Assert — canonical username claim ("zb:username").
+        claims.ShouldContain(c => c.Type == ZbClaimTypes.Username && c.Value == "alice",
+            $"Expected {ZbClaimTypes.Username} claim with value 'alice'");
+
+        // Assert — canonical display-name claim ("zb:displayname").
+        claims.ShouldContain(c => c.Type == ZbClaimTypes.DisplayName && c.Value == "Alice User",
+            $"Expected {ZbClaimTypes.DisplayName} claim with value 'Alice User'");
+
+        // Assert — at least one role claim using canonical ZbClaimTypes.Role (= ClaimTypes.Role).
+        claims.ShouldContain(c => c.Type == ZbClaimTypes.Role,
+            $"Expected at least one {ZbClaimTypes.Role} claim");
+
+        // Assert — old pre-Task-1.5 short literals must NOT appear.
+        claims.ShouldNotContain(c => c.Type == "Username",
+            "Old 'Username' literal must not be emitted after Task 1.5 migration");
+        claims.ShouldNotContain(c => c.Type == "DisplayName",
+            "Old 'DisplayName' literal must not be emitted after Task 1.5 migration");
+    }
+
+    /// <summary>
+    /// Task 1.5 — JWT payload uses canonical claim keys: after login and token issue the JWT
+    /// payload segment MUST contain "zb:username" and "zb:displayname" keys (not the old short
+    /// "Username"/"DisplayName" strings).
+    /// </summary>
+    [Fact]
+    public async Task Token_payload_uses_canonical_zb_claim_keys()
+    {
+        var client = NewClient();
+
+        var loginResp = await client.PostAsJsonAsync("/auth/login",
+            new AuthEndpoints.LoginRequest("alice", "valid-password"), Ct);
+        loginResp.EnsureSuccessStatusCode();
+
+        var tokenReq = new HttpRequestMessage(HttpMethod.Post, "/auth/token");
+        AttachCookies(tokenReq, loginResp);
+        var tokenResp = await client.SendAsync(tokenReq, Ct);
+        tokenResp.StatusCode.ShouldBe(HttpStatusCode.OK);
+
+        var payload = await tokenResp.Content.ReadFromJsonAsync<JsonElement>(Ct);
+        var jwt = payload.GetProperty("token").GetString()!;
+
+        var payloadJson = JwtPayloadJson(jwt);
+
+        // Canonical "zb:username" key must be present.
+        payloadJson.TryGetProperty("zb:username", out var usernameEl).ShouldBeTrue(
+            "JWT payload must carry 'zb:username' claim (canonical ZbClaimTypes.Username)");
+        usernameEl.GetString().ShouldBe("alice");
+
+        // Canonical "zb:displayname" key must be present.
+        payloadJson.TryGetProperty("zb:displayname", out var displayNameEl).ShouldBeTrue(
+            "JWT payload must carry 'zb:displayname' claim (canonical ZbClaimTypes.DisplayName)");
+        displayNameEl.GetString().ShouldBe("Alice User");
+
+        // Old short-name literals must NOT be present.
+        payloadJson.TryGetProperty("Username", out _).ShouldBeFalse(
+            "JWT payload must not carry old 'Username' key after Task 1.5 migration");
+        payloadJson.TryGetProperty("DisplayName", out _).ShouldBeFalse(
+            "JWT payload must not carry old 'DisplayName' key after Task 1.5 migration");
+    }
+
     /// <summary>Tests that logout clears the cookie.</summary>
     [Fact]
     public async Task Logout_clears_the_cookie()
@@ -392,4 +522,10 @@ public sealed class AuthEndpointsIntegrationTests : IAsyncLifetime
         public Task DeleteAsync(Guid id, CancellationToken cancellationToken) =>
             throw new NotSupportedException();
     }
+
+    /// <summary>
+    /// DTO for deserialising the /auth/whoami claim list.
+    /// Must match the anonymous projection in the whoami endpoint.
+    /// </summary>
+    private sealed record ClaimDto(string Type, string Value);
 }