feat(security): RoleMapper.Merge — additive DB-backed role grants

tests/Server/ZB.MOM.WW.OtOpcUa.Security.Tests/RoleMapperTests.cs

@@ -1,5 +1,7 @@
 using Shouldly;
 using Xunit;
+using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
 using ZB.MOM.WW.OtOpcUa.Security.Ldap;
 
 namespace ZB.MOM.WW.OtOpcUa.Security.Tests;
@@ -59,4 +61,22 @@ public sealed class RoleMapperTests
 
         roles.ShouldBe(new[] { "FleetAdmin" });
     }
+
+    [Fact]
+    public void Merge_unions_baseline_and_systemwide_db_roles()
+    {
+        var rows = new[]
+        {
+            new LdapGroupRoleMapping { LdapGroup = "g1", Role = AdminRole.FleetAdmin, IsSystemWide = true },
+            new LdapGroupRoleMapping { LdapGroup = "g2", Role = AdminRole.ConfigEditor, IsSystemWide = false, ClusterId = "SITE-A" },
+        };
+        var result = RoleMapper.Merge(["ConfigViewer"], rows);
+        result.ShouldContain("ConfigViewer");
+        result.ShouldContain("FleetAdmin");
+        result.ShouldNotContain("ConfigEditor");   // cluster-scoped row ignored (global-only)
+    }
+
+    [Fact]
+    public void Merge_with_no_db_rows_returns_baseline()
+        => RoleMapper.Merge(["FleetAdmin"], []).ShouldBe(["FleetAdmin"]);
 }