fix(auth): OtOpcUa 1.2 review fixes — startup insecure-transport guard + Ldaps in prod overlays, test fidelity, 0.1.1 pin

src/Server/ZB.MOM.WW.OtOpcUa.Security/Endpoints/AuthEndpoints.cs

@@ -103,6 +103,12 @@ public static class AuthEndpoints
         {
             // A DB hiccup (or any mapper fault) must never block sign-in — fall back to the
             // pre-resolved baseline roles (empty on the real path, FleetAdmin under DevStub).
+            // This is intentionally FAIL-CLOSED on the real LDAP path: result.Roles is empty there
+            // (the library returns groups, never roles — the mapper is the sole role source), so a
+            // mapper fault signs the user in AUTHENTICATED but with ZERO role claims. They can prove
+            // identity but are denied every role-gated action until the mapper recovers — strictly
+            // safer than failing open with a stale/guessed role set. (See AuthEndpoints test
+            // Login_when_role_mapper_throws_signs_in_with_no_role_claims.)
             http.RequestServices.GetService<ILoggerFactory>()?
                 .CreateLogger("ZB.MOM.WW.OtOpcUa.Security.AuthEndpoints")
                 .LogWarning(ex, "Role-map lookup failed for {User}; using pre-resolved baseline roles", username);