feat(security): RoleMapper.Merge — additive DB-backed role grants

src/Server/ZB.MOM.WW.OtOpcUa.Security/Ldap/RoleMapper.cs

@@ -1,3 +1,5 @@
+using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+
 namespace ZB.MOM.WW.OtOpcUa.Security.Ldap;
 
 /// <summary>
@@ -24,4 +26,21 @@ public static class RoleMapper
         }
         return [.. roles];
     }
+
+    /// <summary>
+    ///     Merge the appsettings-derived baseline roles with system-wide DB grants. DB rows are
+    ///     additive; cluster-scoped rows (IsSystemWide == false) are ignored under the global model.
+    /// </summary>
+    /// <param name="baselineRoles">Roles already resolved from appsettings (or the dev stub).</param>
+    /// <param name="dbRows">LdapGroupRoleMapping rows for the user's groups (from GetByGroupsAsync).</param>
+    public static IReadOnlyList<string> Merge(
+        IReadOnlyCollection<string> baselineRoles,
+        IReadOnlyCollection<LdapGroupRoleMapping> dbRows)
+    {
+        var roles = new HashSet<string>(baselineRoles, StringComparer.OrdinalIgnoreCase);
+        foreach (var row in dbRows)
+            if (row.IsSystemWide)
+                roles.Add(row.Role.ToString());
+        return [.. roles];
+    }
 }