fix(code-review): resolve Batch 1 open findings (AdminUI auth, AlarmHistorian dispose guards, docs)

- AdminUI-001: gate Script editor pages at Administrator,Designer + loosen ScriptAnalysis backend to match
- AdminUI-004: explicit [Authorize] on FleetStatus/Alert/ScriptLog hubs
- Core.AlarmHistorian-014: ObjectDisposedException guards on GetStatus/RetryDeadLettered (+ regression test)
- Core.Scripting.Abstractions-004/-007: Deadband tolerance doc + stale ScriptedAlarms.md path
- Host-003: correct config-overlay precedence in ServiceHosting.md
- Configuration-014: LdapGroupRoleMapping collation-dependency doc
- Driver.TwinCAT.Contracts-002: Structure enum doc (discovery-only sentinel)
Joseph Doherty
2026-06-20 22:30:33 -04:00
parent c13fcc1d51
commit 98b27fc1b6
19 changed files with 96 additions and 33 deletions
+16 -5
@@ -7,7 +7,7 @@
| Review date | 2026-06-19 |
| Commit reviewed | `7286d320` |
| Status | Reviewed |
| Open findings | 2 |
| Open findings | 0 |
## Checklist coverage
@@ -33,7 +33,7 @@
| Severity | Medium |
| Category | Security |
| Location | `Components/Pages/ScriptEdit.razor:5`, `Components/Pages/Scripts.razor` |
| Status | Open |
| Status | Resolved |
**Description:** The Script CRUD surface (`/scripts/new`, `/scripts/{id}`, and the `/scripts` list) is
gated by only `[Authorize]` (any authenticated user), whereas the *same editor's* Roslyn-analysis
@@ -50,7 +50,14 @@ and `Scripts` with `Authorize(Roles = "Administrator,Designer")` (matching `/dep
confirm the intended tier with the security owner, since it changes who can reach the editor. Left Open
pending that decision (an authorization-policy decision, not a self-contained bug fix).
**Resolution:** _(open)_
**Resolution:** Resolved 2026-06-20 — `ScriptEdit.razor:5` and `Scripts.razor:2` changed from
`[Authorize]` to `[Authorize(Roles = "Administrator,Designer")]` (namespace-qualified form, matching
`Deployments.razor`). `ScriptAnalysisEndpoints.cs` MapGroup changed from `.RequireAuthorization("FleetAdmin")`
to `.RequireAuthorization(new AuthorizeAttribute { Roles = "Administrator,Designer" })` so the
IntelliSense backend matches the page gate (Designer was previously 403'd by the FleetAdmin policy).
`using Microsoft.AspNetCore.Authorization;` added to `ScriptAnalysisEndpoints.cs`. Build-verified:
`dotnet build ZB.MOM.WW.OtOpcUa.AdminUI.csproj` — 0 errors. Live page-gating verification deferred
to docker-dev `/run`.
### AdminUI-002
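Review bot: the new Resolution paragraph marks AdminUI-001 resolved without recording the security-owner confirmation that the unchanged lines just above it give as the reason the finding was left Open, and the same change loosens the ScriptAnalysis backend from the `FleetAdmin` policy to a role check. Please add a sentence stating who approved the `Administrator,Designer` tier, and either keep the status Open or reference a tracking item until the deferred live page-gating verification has run, since a clean build does not show that a user outside those roles is denied. The role string is now repeated on `ScriptEdit.razor`, `Scripts.razor` and the `ScriptAnalysisEndpoints.cs` MapGroup; a single named policy shared by the pages and the endpoint group would keep the page gate and the backend from drifting apart again.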
@@ -107,7 +114,7 @@ CTS (and its timer) is disposed when the handler returns. Razor-behavioural chan
| Severity | Low |
| Category | Security |
| Location | `Hubs/FleetStatusHub.cs`, `Hubs/AlertHub.cs`, `Hubs/ScriptLogHub.cs` (vs `Hubs/DriverStatusHub.cs:12`) |
| Status | Open |
| Status | Resolved |
**Description:** Of the four SignalR hubs mapped by `MapOtOpcUaHubs`, only `DriverStatusHub` carries an
explicit `[Authorize]` attribute. `FleetStatusHub`, `AlertHub`, and `ScriptLogHub` (which broadcast
@@ -124,7 +131,11 @@ host's fallback policy. Low-risk (the fallback already requires auth, so observa
unchanged) but left Open because hub authorization is a cross-cutting concern worth confirming with the
Host/Security owners rather than silently changing in a single-module pass.
**Resolution:** _(open)_
**Resolution:** Resolved 2026-06-20 — `[Authorize]` added to `FleetStatusHub`, `AlertHub`, and
`ScriptLogHub`, each with `using Microsoft.AspNetCore.Authorization;`, mirroring the exact form used by
`DriverStatusHub`. Observable behaviour is unchanged (the global FallbackPolicy already required auth);
authorization is now explicit and hub-local. Build-verified: `dotnet build ZB.MOM.WW.OtOpcUa.AdminUI.csproj`
— 0 errors.
### AdminUI-005
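Review bot: the Resolution paragraph does not say that the Host/Security owners were consulted, although the unchanged lines directly above it state that this confirmation was why AdminUI-004 stayed Open. Please record the outcome of that confirmation here. Verification is also build-only; because the text relies on the global FallbackPolicy already requiring auth, a test that an unauthenticated connection to `FleetStatusHub`, `AlertHub` and `ScriptLogHub` is rejected would show that the explicit `[Authorize]` still holds if the fallback policy is changed later.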