dashboard: role-based LDAP auth + hub bearer scheme, drop PathBase

Restructure dashboard auth around LDAP-driven Admin/Viewer roles, add a
bearer scheme so SignalR hubs (next commit) can authenticate without
forwarding the HttpOnly browser cookie, and mount the dashboard at the
host root instead of a configurable `/dashboard` prefix.

Configuration changes (breaking):
- `MxGateway:Dashboard:PathBase` removed — the dashboard now serves at `/`.
- `MxGateway:Dashboard:RequireAdminScope` removed — role checks replace
  the single admin-scope claim.
- `MxGateway:Ldap:RequiredGroup` removed — replaced by `MxGateway:Dashboard:GroupToRole`,
  a map from LDAP group name to dashboard role. Legal role values:
  `Admin` and `Viewer`. Users whose LDAP groups don't intersect this
  map are rejected at login (the existing fail-closed contract).
- appsettings.json ships a default mapping `{ GwAdmin: Admin, GwReader: Viewer }`.

Auth model:
- DashboardRoles: new static class with `Admin` and `Viewer` constants.
- DashboardAuthenticator.AuthenticateAsync: after LDAP bind, maps the
  user's groups through `DashboardOptions.GroupToRole` and emits one
  `ClaimTypes.Role` claim per resolved role. Empty result → login fails.
- DashboardAuthorizationRequirement now carries `RequiredRoles`; static
  presets `AnyDashboardRole` (Viewer ∨ Admin) and `AdminOnly`.
- DashboardAuthorizationHandler checks `IsInRole` against the
  requirement's role list instead of the old scope claim. The
  `AuthenticationMode.Disabled` and `AllowAnonymousLocalhost` bypasses
  are preserved.
- DashboardApiKeyAuthorization.CanManage now requires the `Admin` role
  (was: required LDAP group membership). The constructor's IOptions
  parameter is gone.

Policies / schemes:
- DashboardAuthenticationDefaults gains `ViewerPolicy`, `AdminPolicy`,
  `HubClientsPolicy`, and `HubAuthenticationScheme`. The legacy
  `AuthorizationPolicy` and `ScopeClaimType` constants are removed.
- DashboardServiceCollectionExtensions registers all three policies,
  adds the cookie scheme and the HubToken bearer scheme side by side,
  calls `AddSignalR()`, and hard-codes the cookie's login/logout/denied
  paths to root-relative `/login` etc.

Hub bearer infrastructure (no hubs wired yet — next commit):
- HubTokenService: mints time-limited data-protected JSON tokens
  carrying the user's name, NameIdentifier, and roles. 30-minute
  lifetime, purpose `ZB.MOM.WW.MxGateway.Dashboard.HubToken.v1`.
- HubTokenAuthenticationHandler: validates the token from
  `Authorization: Bearer …` or `?access_token=…` (WebSocket upgrade
  query string) and rebuilds the principal.

Endpoint mapping:
- DashboardEndpointRouteBuilderExtensions drops the `MapGroup(pathBase)`
  wrapper. Login/logout/denied and Razor component routes are now
  mounted at `/`. The login form posts to `/login`. Razor components
  require the new `ViewerPolicy`.
- All page `@page "/dashboard/X"` dual-route directives are removed —
  pages live at their canonical roots (`@page "/"`, `@page "/sessions"`, …).
- App.razor and DashboardLayout.razor drop their PathBase computations.

EffectiveLdapConfiguration drops `RequiredGroup`; EffectiveDashboardConfiguration
drops `PathBase`/`RequireAdminScope` and gains `GroupToRole`. SettingsPage
renders the role mapping in place of the retired fields.

Tests updated:
- DashboardAuthenticatorTests: covers the new GroupToRole mapping
  (short name + DN + multi-role).
- DashboardAuthorizationHandlerTests: split into Viewer-policy and
  Admin-policy cases.
- DashboardApiKeyAuthorizationTests, DashboardApiKeyManagementServiceTests:
  authorized principal now carries the `Admin` role claim.
- DashboardCookieOptionsTests: expects root-relative login/logout paths.
- GatewayApplicationTests: dashboard component routes registered at `/`,
  `/sessions`, … and gated by `ViewerPolicy`. Filter on
  `ComponentTypeMetadata` to ignore minimal-API endpoints sharing `/`.
- GatewayOptionsTests + Validator: drop PathBase / RequireAdminScope /
  RequiredGroup assertions; add a `GroupToRole` value-validation case.
- DashboardLdapLiveTests: provides the default `GwAdmin` → `Admin`
  mapping so the live LDAP bind resolves to a role.

Verification: 473 server tests, 275 worker tests (+9 dev-rig skips), 18
integration tests (live MxAccess + LDAP + Galaxy) all pass.

This commit is intentionally UI-neutral. The sidebar layout and the
SignalR hubs that consume the new HubToken scheme land in a follow-up.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/ZB.MOM.WW.MxGateway.Server/Dashboard/DashboardServiceCollectionExtensions.cs

@@ -1,7 +1,6 @@
+using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.AspNetCore.Authorization;
-using Microsoft.Extensions.Options;
-using ZB.MOM.WW.MxGateway.Server.Configuration;
 
 namespace ZB.MOM.WW.MxGateway.Server.Dashboard;
 
@@ -21,46 +20,51 @@ public static class DashboardServiceCollectionExtensions
         services.AddSingleton<IDashboardAuthenticator, DashboardAuthenticator>();
         services.AddSingleton<DashboardApiKeyAuthorization>();
         services.AddSingleton<IDashboardApiKeyManagementService, DashboardApiKeyManagementService>();
+        services.AddSingleton<HubTokenService>();
         services.AddHttpContextAccessor();
         services.AddAntiforgery();
         services.AddCascadingAuthenticationState();
         services.AddRazorComponents()
             .AddInteractiveServerComponents();
+        services.AddSignalR();
+
         services
             .AddAuthentication(DashboardAuthenticationDefaults.AuthenticationScheme)
-            .AddCookie(DashboardAuthenticationDefaults.AuthenticationScheme);
-        services.AddOptions<CookieAuthenticationOptions>(DashboardAuthenticationDefaults.AuthenticationScheme)
-            .Configure<IOptions<GatewayOptions>>(ConfigureCookieOptions);
-        services.AddAuthorization(options =>
+            .AddCookie(DashboardAuthenticationDefaults.AuthenticationScheme, cookieOptions =>
+            {
+                cookieOptions.Cookie.Name = DashboardAuthenticationDefaults.CookieName;
+                cookieOptions.Cookie.HttpOnly = true;
+                cookieOptions.Cookie.SecurePolicy = CookieSecurePolicy.Always;
+                cookieOptions.Cookie.SameSite = SameSiteMode.Strict;
+                cookieOptions.Cookie.Path = "/";
+                cookieOptions.LoginPath = "/login";
+                cookieOptions.LogoutPath = "/logout";
+                cookieOptions.AccessDeniedPath = "/denied";
+                cookieOptions.ExpireTimeSpan = TimeSpan.FromHours(8);
+                cookieOptions.SlidingExpiration = true;
+            })
+            .AddScheme<AuthenticationSchemeOptions, HubTokenAuthenticationHandler>(
+                DashboardAuthenticationDefaults.HubAuthenticationScheme,
+                _ => { });
+
+        services.AddAuthorization(authorization =>
         {
-            options.AddPolicy(
-                DashboardAuthenticationDefaults.AuthorizationPolicy,
-                policy => policy.AddRequirements(new DashboardAuthorizationRequirement()));
+            authorization.AddPolicy(
+                DashboardAuthenticationDefaults.ViewerPolicy,
+                policy => policy.AddRequirements(DashboardAuthorizationRequirement.AnyDashboardRole));
+            authorization.AddPolicy(
+                DashboardAuthenticationDefaults.AdminPolicy,
+                policy => policy.AddRequirements(DashboardAuthorizationRequirement.AdminOnly));
+            authorization.AddPolicy(
+                DashboardAuthenticationDefaults.HubClientsPolicy,
+                policy => policy
+                    .AddAuthenticationSchemes(
+                        DashboardAuthenticationDefaults.AuthenticationScheme,
+                        DashboardAuthenticationDefaults.HubAuthenticationScheme)
+                    .AddRequirements(DashboardAuthorizationRequirement.AnyDashboardRole));
         });
         services.AddSingleton<IAuthorizationHandler, DashboardAuthorizationHandler>();
 
         return services;
     }
-
-    private static void ConfigureCookieOptions(
-        CookieAuthenticationOptions cookieOptions,
-        IOptions<GatewayOptions> gatewayOptions)
-    {
-        string pathBase = gatewayOptions.Value.Dashboard.PathBase.TrimEnd('/');
-        if (string.IsNullOrWhiteSpace(pathBase))
-        {
-            pathBase = "/dashboard";
-        }
-
-        cookieOptions.Cookie.Name = DashboardAuthenticationDefaults.CookieName;
-        cookieOptions.Cookie.HttpOnly = true;
-        cookieOptions.Cookie.SecurePolicy = CookieSecurePolicy.Always;
-        cookieOptions.Cookie.SameSite = SameSiteMode.Strict;
-        cookieOptions.Cookie.Path = "/";
-        cookieOptions.LoginPath = $"{pathBase}/login";
-        cookieOptions.LogoutPath = $"{pathBase}/logout";
-        cookieOptions.AccessDeniedPath = $"{pathBase}/denied";
-        cookieOptions.ExpireTimeSpan = TimeSpan.FromHours(8);
-        cookieOptions.SlidingExpiration = true;
-    }
 }