feat(auth)!: OtOpcUa canonical control-plane roles + config-DB migration (Task 1.7)

Standardize the control-plane admin role VALUES on the canonical six
(ZB.MOM.WW.Auth CanonicalRole). OtOpcUa uses four:
  ConfigViewer   -> Viewer
  ConfigEditor   -> Designer
  FleetAdmin     -> Administrator
  DriverOperator -> Operator   (appsettings-only string role)

This is a rename, not a permission change: enforcement semantics are
preserved (whoever could deploy/administer/operate before still can).

- AdminRole enum members renamed (persisted as string names via
  HasConversion<string>); RoleGrants.razor dropdown default updated.
- EF DATA migration CanonicalizeAdminRoles rewrites existing
  LdapGroupRoleMapping.Role rows old->new (Up) and back (Down); schema /
  model snapshot byte-identical (no pending model changes).
- Enforcement role STRINGS canonicalized:
  * Security policies keep their NAMES ("DriverOperator"/"FleetAdmin")
    but require canonical roles: RequireRole("Operator","Administrator")
    and RequireRole("Administrator").
  * Deployments.razor [Authorize(Roles="Administrator,Designer")].
  * DevStub now grants "Administrator"; LdapOptions/doc-comment examples
    canonicalized.
- Data-plane authorization (NodePermissions/NodeAcl/IPermissionEvaluator/
  TriePermissionEvaluator/UserAuthorizationState) UNTOUCHED.
- New CanonicalAdminRolesTests pins canonical claim values end-to-end and
  the real registered policies; existing role-string tests updated.

src/Server/ZB.MOM.WW.OtOpcUa.AdminUI/Components/Pages/Deployments.razor

@@ -9,7 +9,7 @@
 @using ZB.MOM.WW.OtOpcUa.Configuration.Enums
 @using ZB.MOM.WW.OtOpcUa.ControlPlane.AdminOperations
 
-@attribute [Authorize(Roles = "FleetAdmin,ConfigEditor")]
+@attribute [Authorize(Roles = "Administrator,Designer")]
 
 @inject IDbContextFactory<OtOpcUaConfigDbContext> DbFactory
 @inject IAdminOperationsClient AdminOps

src/Server/ZB.MOM.WW.OtOpcUa.AdminUI/Components/Pages/RoleGrants.razor

@@ -108,7 +108,7 @@
     private LdapOptions? _options;
     private IReadOnlyList<LdapGroupRoleMapping> _rows = [];
     private string _newGroup = "";
-    private AdminRole _newRole = AdminRole.ConfigViewer;
+    private AdminRole _newRole = AdminRole.Viewer;
     private string? _error;
     private bool _busy;
 
@@ -134,7 +134,7 @@
                 LdapGroup = _newGroup.Trim(), Role = _newRole, IsSystemWide = true, ClusterId = null,
             }, default);
             _newGroup = "";
-            _newRole = AdminRole.ConfigViewer;
+            _newRole = AdminRole.Viewer;
             await ReloadAsync();
         }
         catch (Exception ex) { _error = ex.Message; }

src/Server/ZB.MOM.WW.OtOpcUa.Security/Ldap/LdapOptions.cs

@@ -44,7 +44,7 @@ public sealed class LdapOptions
 
     /// <summary>
     ///     Dev-only stub: when <c>true</c>, <see cref="OtOpcUaLdapAuthService"/> bypasses the real LDAP
-    ///     bind and accepts any non-empty username/password, returning a single FleetAdmin role
+    ///     bind and accepts any non-empty username/password, returning a single Administrator role
     ///     so the operator can navigate the full Admin UI. MUST be <c>false</c> in production.
     /// </summary>
     public bool DevStubMode { get; set; }
@@ -76,8 +76,9 @@ public sealed class LdapOptions
 
     /// <summary>
     ///     Maps LDAP group name → Admin role. Group match is case-insensitive. A user gets every
-    ///     role whose source group is in their membership list. Example dev mapping:
-    ///     <code>"ReadOnly":"ConfigViewer","ReadWrite":"ConfigEditor","AlarmAck":"FleetAdmin"</code>
+    ///     role whose source group is in their membership list. Values are the canonical control-plane
+    ///     roles (Task 1.7). Example dev mapping:
+    ///     <code>"ReadOnly":"Viewer","ReadWrite":"Designer","AlarmAck":"Administrator"</code>
     /// </summary>
     public Dictionary<string, string> GroupToRole { get; set; } = new(StringComparer.OrdinalIgnoreCase);
 

src/Server/ZB.MOM.WW.OtOpcUa.Security/Ldap/OtOpcUaLdapAuthService.cs

@@ -13,7 +13,7 @@ namespace ZB.MOM.WW.OtOpcUa.Security.Ldap;
 ///     library deliberately does not model:
 ///     <list type="number">
 ///         <item>the <see cref="LdapOptions.Enabled"/> master switch (disabled ⇒ deny, no bind); and</item>
-///         <item><see cref="LdapOptions.DevStubMode"/> — the dev bypass that grants a FleetAdmin
+///         <item><see cref="LdapOptions.DevStubMode"/> — the dev bypass that grants an Administrator
 ///             session WITHOUT touching the network, so an operator can navigate the full Admin UI
 ///             against a machine with no directory.</item>
 ///     </list>
@@ -24,12 +24,13 @@ namespace ZB.MOM.WW.OtOpcUa.Security.Ldap;
 ///     both the login endpoint and the OPC UA data-plane authenticator call with the returned
 ///     <see cref="LdapAuthResult.Groups"/>. The only path that pre-populates
 ///     <see cref="LdapAuthResult.Roles"/> is the DevStub success; consumers union that pre-resolved
-///     set with the mapper output so the dev FleetAdmin grant survives the move to the mapper.
+///     set with the mapper output so the dev Administrator grant survives the move to the mapper.
 /// </summary>
 /// <remarks>
 ///     Fail-closed: the library never throws, and this wrapper adds no new throwing paths. The
-///     DevStub result mirrors the legacy bespoke service exactly (group <c>"dev"</c>, role
-///     <c>"FleetAdmin"</c>) so behaviour is preserved bit-for-bit on dev nodes.
+///     DevStub result grants the canonical <c>"Administrator"</c> control-plane role (group
+///     <c>"dev"</c>) so the dev session can navigate the full Admin UI (Task 1.7 renamed the prior
+///     <c>"FleetAdmin"</c> to the canonical <c>"Administrator"</c>).
 /// </remarks>
 public sealed class OtOpcUaLdapAuthService : ILdapAuthService
 {
@@ -77,12 +78,13 @@ public sealed class OtOpcUaLdapAuthService : ILdapAuthService
 
         if (_options.DevStubMode)
         {
-            // Dev bypass: accept any non-empty credentials and grant FleetAdmin WITHOUT a real bind.
+            // Dev bypass: accept any non-empty credentials and grant Administrator WITHOUT a real bind.
             // Pre-populated Roles are unioned with the mapper output by both consumers, so the grant
-            // survives the move to IGroupRoleMapper. Mirrors the legacy bespoke service exactly.
+            // survives the move to IGroupRoleMapper. (Task 1.7 canonicalized the role string from the
+            // prior "FleetAdmin" to "Administrator".)
             _logger.LogWarning(
                 "OtOpcUaLdapAuthService: DevStubMode bypass — accepting {User} without a real LDAP bind", username);
-            return new(true, username, username, ["dev"], ["FleetAdmin"], null);
+            return new(true, username, username, ["dev"], ["Administrator"], null);
         }
 
         // Fail closed on a plaintext transport unless explicitly opted in. The bespoke service

src/Server/ZB.MOM.WW.OtOpcUa.Security/ServiceCollectionExtensions.cs

@@ -103,14 +103,17 @@ public static class ServiceCollectionExtensions
                 .RequireAuthenticatedUser()
                 .Build();
 
-            // DriverOperator: may issue Reconnect/Restart commands against live driver instances
-            // from the Admin UI DriverStatusPanel. Map LDAP group → role via GroupToRole in
-            // appsettings (e.g. "ot-driver-operator": "DriverOperator").
+            // DriverOperator (policy NAME kept stable): may issue Reconnect/Restart commands against
+            // live driver instances from the Admin UI DriverStatusPanel. The role STRINGS it requires
+            // are the canonical control-plane roles (Task 1.7): Operator (was DriverOperator) and
+            // Administrator (was FleetAdmin). Map LDAP group → role via GroupToRole in appsettings
+            // (e.g. "ot-driver-operator": "Operator").
             o.AddPolicy("DriverOperator", policy =>
-                policy.RequireRole("DriverOperator", "FleetAdmin"));
+                policy.RequireRole("Operator", "Administrator"));
 
-            // FleetAdmin: full administrative access; gates fleet-wide pages such as RoleGrants.
-            o.AddPolicy("FleetAdmin", policy => policy.RequireRole("FleetAdmin"));
+            // FleetAdmin (policy NAME kept stable): full administrative access; gates fleet-wide pages
+            // such as RoleGrants. Requires the canonical Administrator role (was FleetAdmin).
+            o.AddPolicy("FleetAdmin", policy => policy.RequireRole("Administrator"));
         });
 
         return services;