dashboard: role-based LDAP auth + hub bearer scheme, drop PathBase

Restructure dashboard auth around LDAP-driven Admin/Viewer roles, add a
bearer scheme so SignalR hubs (next commit) can authenticate without
forwarding the HttpOnly browser cookie, and mount the dashboard at the
host root instead of a configurable `/dashboard` prefix.

Configuration changes (breaking):
- `MxGateway:Dashboard:PathBase` removed — the dashboard now serves at `/`.
- `MxGateway:Dashboard:RequireAdminScope` removed — role checks replace
  the single admin-scope claim.
- `MxGateway:Ldap:RequiredGroup` removed — replaced by `MxGateway:Dashboard:GroupToRole`,
  a map from LDAP group name to dashboard role. Legal role values:
  `Admin` and `Viewer`. Users whose LDAP groups don't intersect this
  map are rejected at login (the existing fail-closed contract).
- appsettings.json ships a default mapping `{ GwAdmin: Admin, GwReader: Viewer }`.

Auth model:
- DashboardRoles: new static class with `Admin` and `Viewer` constants.
- DashboardAuthenticator.AuthenticateAsync: after LDAP bind, maps the
  user's groups through `DashboardOptions.GroupToRole` and emits one
  `ClaimTypes.Role` claim per resolved role. Empty result → login fails.
- DashboardAuthorizationRequirement now carries `RequiredRoles`; static
  presets `AnyDashboardRole` (Viewer ∨ Admin) and `AdminOnly`.
- DashboardAuthorizationHandler checks `IsInRole` against the
  requirement's role list instead of the old scope claim. The
  `AuthenticationMode.Disabled` and `AllowAnonymousLocalhost` bypasses
  are preserved.
- DashboardApiKeyAuthorization.CanManage now requires the `Admin` role
  (was: required LDAP group membership). The constructor's IOptions
  parameter is gone.

Policies / schemes:
- DashboardAuthenticationDefaults gains `ViewerPolicy`, `AdminPolicy`,
  `HubClientsPolicy`, and `HubAuthenticationScheme`. The legacy
  `AuthorizationPolicy` and `ScopeClaimType` constants are removed.
- DashboardServiceCollectionExtensions registers all three policies,
  adds the cookie scheme and the HubToken bearer scheme side by side,
  calls `AddSignalR()`, and hard-codes the cookie's login/logout/denied
  paths to root-relative `/login` etc.

Hub bearer infrastructure (no hubs wired yet — next commit):
- HubTokenService: mints time-limited data-protected JSON tokens
  carrying the user's name, NameIdentifier, and roles. 30-minute
  lifetime, purpose `ZB.MOM.WW.MxGateway.Dashboard.HubToken.v1`.
- HubTokenAuthenticationHandler: validates the token from
  `Authorization: Bearer …` or `?access_token=…` (WebSocket upgrade
  query string) and rebuilds the principal.

Endpoint mapping:
- DashboardEndpointRouteBuilderExtensions drops the `MapGroup(pathBase)`
  wrapper. Login/logout/denied and Razor component routes are now
  mounted at `/`. The login form posts to `/login`. Razor components
  require the new `ViewerPolicy`.
- All page `@page "/dashboard/X"` dual-route directives are removed —
  pages live at their canonical roots (`@page "/"`, `@page "/sessions"`, …).
- App.razor and DashboardLayout.razor drop their PathBase computations.

EffectiveLdapConfiguration drops `RequiredGroup`; EffectiveDashboardConfiguration
drops `PathBase`/`RequireAdminScope` and gains `GroupToRole`. SettingsPage
renders the role mapping in place of the retired fields.

Tests updated:
- DashboardAuthenticatorTests: covers the new GroupToRole mapping
  (short name + DN + multi-role).
- DashboardAuthorizationHandlerTests: split into Viewer-policy and
  Admin-policy cases.
- DashboardApiKeyAuthorizationTests, DashboardApiKeyManagementServiceTests:
  authorized principal now carries the `Admin` role claim.
- DashboardCookieOptionsTests: expects root-relative login/logout paths.
- GatewayApplicationTests: dashboard component routes registered at `/`,
  `/sessions`, … and gated by `ViewerPolicy`. Filter on
  `ComponentTypeMetadata` to ignore minimal-API endpoints sharing `/`.
- GatewayOptionsTests + Validator: drop PathBase / RequireAdminScope /
  RequiredGroup assertions; add a `GroupToRole` value-validation case.
- DashboardLdapLiveTests: provides the default `GwAdmin` → `Admin`
  mapping so the live LDAP bind resolves to a role.

Verification: 473 server tests, 275 worker tests (+9 dev-rig skips), 18
integration tests (live MxAccess + LDAP + Galaxy) all pass.

This commit is intentionally UI-neutral. The sidebar layout and the
SignalR hubs that consume the new HubToken scheme land in a follow-up.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/ZB.MOM.WW.MxGateway.Server/Configuration/DashboardOptions.cs

@@ -5,12 +5,6 @@ public sealed class DashboardOptions
     /// <summary>Gets whether the dashboard is enabled.</summary>
     public bool Enabled { get; init; } = true;
 
-    /// <summary>Gets the dashboard URL path base.</summary>
-    public string PathBase { get; init; } = "/dashboard";
-
-    /// <summary>Gets whether dashboard access requires admin scope.</summary>
-    public bool RequireAdminScope { get; init; } = true;
-
     /// <summary>Gets whether anonymous localhost access to dashboard is allowed.</summary>
     public bool AllowAnonymousLocalhost { get; init; } = true;
 
@@ -25,4 +19,11 @@ public sealed class DashboardOptions
 
     /// <summary>Gets whether to show full tag values in the dashboard.</summary>
     public bool ShowTagValues { get; init; }
+
+    /// <summary>
+    /// LDAP group → dashboard role mapping. Values must be one of
+    /// <see cref="DashboardRoles.Admin"/> or <see cref="DashboardRoles.Viewer"/>.
+    /// Users with no matching group are rejected at login.
+    /// </summary>
+    public Dictionary<string, string> GroupToRole { get; init; } = new(StringComparer.OrdinalIgnoreCase);
 }

src/ZB.MOM.WW.MxGateway.Server/Configuration/EffectiveDashboardConfiguration.cs

@@ -2,10 +2,9 @@ namespace ZB.MOM.WW.MxGateway.Server.Configuration;
 
 public sealed record EffectiveDashboardConfiguration(
     bool Enabled,
-    string PathBase,
-    bool RequireAdminScope,
     bool AllowAnonymousLocalhost,
     int SnapshotIntervalMilliseconds,
     int RecentFaultLimit,
     int RecentSessionLimit,
-    bool ShowTagValues);
+    bool ShowTagValues,
+    IReadOnlyDictionary<string, string> GroupToRole);

src/ZB.MOM.WW.MxGateway.Server/Configuration/EffectiveLdapConfiguration.cs

@@ -11,5 +11,4 @@ public sealed record EffectiveLdapConfiguration(
     string ServiceAccountPassword,
     string UserNameAttribute,
     string DisplayNameAttribute,
-    string GroupAttribute,
-    string RequiredGroup);
+    string GroupAttribute);

src/ZB.MOM.WW.MxGateway.Server/Configuration/GatewayConfigurationProvider.cs

@@ -30,8 +30,7 @@ public sealed class GatewayConfigurationProvider(IOptions<GatewayOptions> option
                 ServiceAccountPassword: RedactedValue,
                 UserNameAttribute: value.Ldap.UserNameAttribute,
                 DisplayNameAttribute: value.Ldap.DisplayNameAttribute,
-                GroupAttribute: value.Ldap.GroupAttribute,
-                RequiredGroup: value.Ldap.RequiredGroup),
+                GroupAttribute: value.Ldap.GroupAttribute),
             Worker: new EffectiveWorkerConfiguration(
                 ExecutablePath: value.Worker.ExecutablePath,
                 WorkingDirectory: value.Worker.WorkingDirectory,
@@ -53,13 +52,12 @@ public sealed class GatewayConfigurationProvider(IOptions<GatewayOptions> option
                 BackpressurePolicy: value.Events.BackpressurePolicy.ToString()),
             Dashboard: new EffectiveDashboardConfiguration(
                 Enabled: value.Dashboard.Enabled,
-                PathBase: value.Dashboard.PathBase,
-                RequireAdminScope: value.Dashboard.RequireAdminScope,
                 AllowAnonymousLocalhost: value.Dashboard.AllowAnonymousLocalhost,
                 SnapshotIntervalMilliseconds: value.Dashboard.SnapshotIntervalMilliseconds,
                 RecentFaultLimit: value.Dashboard.RecentFaultLimit,
                 RecentSessionLimit: value.Dashboard.RecentSessionLimit,
-                ShowTagValues: value.Dashboard.ShowTagValues),
+                ShowTagValues: value.Dashboard.ShowTagValues,
+                GroupToRole: value.Dashboard.GroupToRole),
             Protocol: new EffectiveProtocolConfiguration(
                 value.Protocol.WorkerProtocolVersion,
                 value.Protocol.MaxGrpcMessageBytes));

src/ZB.MOM.WW.MxGateway.Server/Configuration/GatewayOptionsValidator.cs

@@ -86,10 +86,6 @@ public sealed class GatewayOptionsValidator : IValidateOptions<GatewayOptions>
             options.GroupAttribute,
             "MxGateway:Ldap:GroupAttribute is required when LDAP login is enabled.",
             failures);
-        AddIfBlank(
-            options.RequiredGroup,
-            "MxGateway:Ldap:RequiredGroup is required when LDAP login is enabled.",
-            failures);
         AddIfNotPositive(options.Port, "MxGateway:Ldap:Port must be greater than zero.", failures);
 
         if (!options.UseTls && !options.AllowInsecureLdap)
@@ -206,12 +202,23 @@ public sealed class GatewayOptionsValidator : IValidateOptions<GatewayOptions>
 
     private static void ValidateDashboard(DashboardOptions options, List<string> failures)
     {
-        if (options.Enabled)
+        // GroupToRole shape is validated even when the dashboard is disabled so
+        // misconfiguration surfaces at startup; emptiness is allowed, with the
+        // consequence that no LDAP user can sign in (login returns "no roles
+        // mapped"). Operators who disable the dashboard or want a closed
+        // deployment can ship without a mapping.
+        foreach (KeyValuePair<string, string> entry in options.GroupToRole)
         {
-            AddIfBlank(options.PathBase, "MxGateway:Dashboard:PathBase is required when the dashboard is enabled.", failures);
-            if (!string.IsNullOrWhiteSpace(options.PathBase) && !options.PathBase.StartsWith('/'))
+            if (string.IsNullOrWhiteSpace(entry.Key))
             {
-                failures.Add("MxGateway:Dashboard:PathBase must start with '/'.");
+                failures.Add("MxGateway:Dashboard:GroupToRole keys (LDAP group names) must be non-blank.");
+            }
+
+            if (!string.Equals(entry.Value, Dashboard.DashboardRoles.Admin, StringComparison.Ordinal)
+                && !string.Equals(entry.Value, Dashboard.DashboardRoles.Viewer, StringComparison.Ordinal))
+            {
+                failures.Add(
+                    $"MxGateway:Dashboard:GroupToRole['{entry.Key}'] must be '{Dashboard.DashboardRoles.Admin}' or '{Dashboard.DashboardRoles.Viewer}'.");
             }
         }
 

src/ZB.MOM.WW.MxGateway.Server/Configuration/LdapOptions.cs

@@ -23,6 +23,4 @@ public sealed class LdapOptions
     public string DisplayNameAttribute { get; init; } = "cn";
 
     public string GroupAttribute { get; init; } = "memberOf";
-
-    public string RequiredGroup { get; init; } = "GwAdmin";
 }