dashboard: role-based LDAP auth + hub bearer scheme, drop PathBase

Restructure dashboard auth around LDAP-driven Admin/Viewer roles, add a
bearer scheme so SignalR hubs (next commit) can authenticate without
forwarding the HttpOnly browser cookie, and mount the dashboard at the
host root instead of a configurable `/dashboard` prefix.

Configuration changes (breaking):
- `MxGateway:Dashboard:PathBase` removed — the dashboard now serves at `/`.
- `MxGateway:Dashboard:RequireAdminScope` removed — role checks replace
  the single admin-scope claim.
- `MxGateway:Ldap:RequiredGroup` removed — replaced by `MxGateway:Dashboard:GroupToRole`,
  a map from LDAP group name to dashboard role. Legal role values:
  `Admin` and `Viewer`. Users whose LDAP groups don't intersect this
  map are rejected at login (the existing fail-closed contract).
- appsettings.json ships a default mapping `{ GwAdmin: Admin, GwReader: Viewer }`.

Auth model:
- DashboardRoles: new static class with `Admin` and `Viewer` constants.
- DashboardAuthenticator.AuthenticateAsync: after LDAP bind, maps the
  user's groups through `DashboardOptions.GroupToRole` and emits one
  `ClaimTypes.Role` claim per resolved role. Empty result → login fails.
- DashboardAuthorizationRequirement now carries `RequiredRoles`; static
  presets `AnyDashboardRole` (Viewer ∨ Admin) and `AdminOnly`.
- DashboardAuthorizationHandler checks `IsInRole` against the
  requirement's role list instead of the old scope claim. The
  `AuthenticationMode.Disabled` and `AllowAnonymousLocalhost` bypasses
  are preserved.
- DashboardApiKeyAuthorization.CanManage now requires the `Admin` role
  (was: required LDAP group membership). The constructor's IOptions
  parameter is gone.

Policies / schemes:
- DashboardAuthenticationDefaults gains `ViewerPolicy`, `AdminPolicy`,
  `HubClientsPolicy`, and `HubAuthenticationScheme`. The legacy
  `AuthorizationPolicy` and `ScopeClaimType` constants are removed.
- DashboardServiceCollectionExtensions registers all three policies,
  adds the cookie scheme and the HubToken bearer scheme side by side,
  calls `AddSignalR()`, and hard-codes the cookie's login/logout/denied
  paths to root-relative `/login` etc.

Hub bearer infrastructure (no hubs wired yet — next commit):
- HubTokenService: mints time-limited data-protected JSON tokens
  carrying the user's name, NameIdentifier, and roles. 30-minute
  lifetime, purpose `ZB.MOM.WW.MxGateway.Dashboard.HubToken.v1`.
- HubTokenAuthenticationHandler: validates the token from
  `Authorization: Bearer …` or `?access_token=…` (WebSocket upgrade
  query string) and rebuilds the principal.

Endpoint mapping:
- DashboardEndpointRouteBuilderExtensions drops the `MapGroup(pathBase)`
  wrapper. Login/logout/denied and Razor component routes are now
  mounted at `/`. The login form posts to `/login`. Razor components
  require the new `ViewerPolicy`.
- All page `@page "/dashboard/X"` dual-route directives are removed —
  pages live at their canonical roots (`@page "/"`, `@page "/sessions"`, …).
- App.razor and DashboardLayout.razor drop their PathBase computations.

EffectiveLdapConfiguration drops `RequiredGroup`; EffectiveDashboardConfiguration
drops `PathBase`/`RequireAdminScope` and gains `GroupToRole`. SettingsPage
renders the role mapping in place of the retired fields.

Tests updated:
- DashboardAuthenticatorTests: covers the new GroupToRole mapping
  (short name + DN + multi-role).
- DashboardAuthorizationHandlerTests: split into Viewer-policy and
  Admin-policy cases.
- DashboardApiKeyAuthorizationTests, DashboardApiKeyManagementServiceTests:
  authorized principal now carries the `Admin` role claim.
- DashboardCookieOptionsTests: expects root-relative login/logout paths.
- GatewayApplicationTests: dashboard component routes registered at `/`,
  `/sessions`, … and gated by `ViewerPolicy`. Filter on
  `ComponentTypeMetadata` to ignore minimal-API endpoints sharing `/`.
- GatewayOptionsTests + Validator: drop PathBase / RequireAdminScope /
  RequiredGroup assertions; add a `GroupToRole` value-validation case.
- DashboardLdapLiveTests: provides the default `GwAdmin` → `Admin`
  mapping so the live LDAP bind resolves to a role.

Verification: 473 server tests, 275 worker tests (+9 dev-rig skips), 18
integration tests (live MxAccess + LDAP + Galaxy) all pass.

This commit is intentionally UI-neutral. The sidebar layout and the
SignalR hubs that consume the new HubToken scheme land in a follow-up.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/ZB.MOM.WW.MxGateway.Tests/Gateway/GatewayApplicationTests.cs

@@ -44,11 +44,11 @@ public sealed class GatewayApplicationTests
         await using WebApplication app = GatewayApplication.Build([]);
         IReadOnlyList<RouteEndpoint> endpoints = GetRouteEndpoints(app);
 
-        Assert.Contains(endpoints, endpoint => endpoint.RoutePattern.RawText == "/dashboard/");
-        Assert.Contains(endpoints, endpoint => endpoint.RoutePattern.RawText == "/dashboard/sessions");
-        Assert.Contains(endpoints, endpoint => endpoint.RoutePattern.RawText == "/dashboard/workers");
-        Assert.Contains(endpoints, endpoint => endpoint.RoutePattern.RawText == "/dashboard/events");
-        Assert.Contains(endpoints, endpoint => endpoint.RoutePattern.RawText == "/dashboard/settings");
+        Assert.Contains(endpoints, endpoint => endpoint.RoutePattern.RawText == "/");
+        Assert.Contains(endpoints, endpoint => endpoint.RoutePattern.RawText == "/sessions");
+        Assert.Contains(endpoints, endpoint => endpoint.RoutePattern.RawText == "/workers");
+        Assert.Contains(endpoints, endpoint => endpoint.RoutePattern.RawText == "/events");
+        Assert.Contains(endpoints, endpoint => endpoint.RoutePattern.RawText == "/settings");
         Assert.Contains(endpoints, endpoint =>
             endpoint.Metadata.GetMetadata<IEndpointNameMetadata>()?.EndpointName == "DashboardLogin");
         Assert.Contains(endpoints, endpoint =>
@@ -74,19 +74,22 @@ public sealed class GatewayApplicationTests
         }
     }
 
-    /// <summary>Verifies that dashboard Razor component routes require the dashboard authorization policy.</summary>
+    /// <summary>Verifies that dashboard Razor component routes require the dashboard viewer policy.</summary>
     [Fact]
     public async Task Build_WhenDashboardEnabled_ComponentRoutesRequireAuthorization()
     {
         await using WebApplication app = GatewayApplication.Build([]);
         IReadOnlyList<RouteEndpoint> endpoints = GetRouteEndpoints(app);
 
-        string[] componentRoutes =
-            ["/dashboard/", "/dashboard/sessions", "/dashboard/workers", "/dashboard/events", "/dashboard/settings"];
+        // Razor-component endpoints are distinguished from minimal-API
+        // endpoints registered at the same path by the presence of
+        // ComponentTypeMetadata. Filter to those before checking auth.
+        string[] componentRoutes = ["/", "/sessions", "/workers", "/events", "/settings"];
         foreach (string route in componentRoutes)
         {
             RouteEndpoint[] matches = endpoints
-                .Where(endpoint => endpoint.RoutePattern.RawText == route)
+                .Where(endpoint => endpoint.RoutePattern.RawText == route
+                    && endpoint.Metadata.GetMetadata<Microsoft.AspNetCore.Components.Endpoints.ComponentTypeMetadata>() is not null)
                 .ToArray();
 
             Assert.NotEmpty(matches);
@@ -94,51 +97,32 @@ public sealed class GatewayApplicationTests
             {
                 IAuthorizeData? authorize = endpoint.Metadata.GetMetadata<IAuthorizeData>();
                 Assert.NotNull(authorize);
-                Assert.Equal(DashboardAuthenticationDefaults.AuthorizationPolicy, authorize.Policy);
+                Assert.Equal(DashboardAuthenticationDefaults.ViewerPolicy, authorize.Policy);
             });
         }
     }
 
-    /// <summary>
-    ///     Server-020 reversal regression guard. The original Server-020 finding
-    ///     incorrectly concluded that the duplicate <c>@page "/dashboard/X"</c>
-    ///     directives were redundant because <c>MapGroup("/dashboard")</c>
-    ///     would prepend the prefix to all dashboard Razor pages. In practice
-    ///     Blazor SSR's <c>RouteTableFactory</c> matches against the raw
-    ///     <c>@page</c> template values (not against the endpoint-route
-    ///     prefix), so removing <c>@page "/dashboard/X"</c> left the dashboard
-    ///     unreachable at runtime (every page returned HTTP 500 with "Unable
-    ///     to find the provided template '/dashboard/'"). The duplicate
-    ///     <c>@page</c> directives are restored, and as a side effect the
-    ///     endpoint route table DOES carry the doubled <c>/dashboard/dashboard/X</c>
-    ///     shape (because <c>MapGroup("/dashboard")</c> prefixes the already-prefixed
-    ///     <c>@page "/dashboard/X"</c>). Those doubled endpoints are harmless —
-    ///     no client requests <c>/dashboard/dashboard/X</c> — and removing them
-    ///     requires either dropping <c>MapGroup</c> or the <c>@page</c>
-    ///     prefix. This test asserts only the positive contract: every
-    ///     dashboard page IS reachable under the canonical <c>/dashboard/X</c>
-    ///     route, which is what the Blazor router actually serves.
-    /// </summary>
     [Fact]
-    public async Task Build_WhenDashboardEnabled_RegistersCanonicalDashboardRoutes()
+    public async Task Build_WhenDashboardEnabled_RegistersDashboardRoutesAtRoot()
     {
         await using WebApplication app = GatewayApplication.Build([]);
         IReadOnlyList<RouteEndpoint> endpoints = GetRouteEndpoints(app);
 
         string[] canonicalRoutes =
         [
-            "/dashboard/",
-            "/dashboard/sessions",
-            "/dashboard/workers",
-            "/dashboard/events",
-            "/dashboard/settings",
-            "/dashboard/galaxy",
-            "/dashboard/apikeys",
-            "/dashboard/sessions/{SessionId}",
+            "/",
+            "/sessions",
+            "/workers",
+            "/events",
+            "/settings",
+            "/galaxy",
+            "/apikeys",
+            "/sessions/{SessionId}",
         ];
         foreach (string canonical in canonicalRoutes)
         {
-            Assert.Contains(endpoints, endpoint => endpoint.RoutePattern.RawText == canonical);
+            Assert.Contains(endpoints, endpoint => endpoint.RoutePattern.RawText == canonical
+                && endpoint.Metadata.GetMetadata<Microsoft.AspNetCore.Components.Endpoints.ComponentTypeMetadata>() is not null);
         }
     }
 
@@ -148,8 +132,6 @@ public sealed class GatewayApplicationTests
         await using WebApplication app = GatewayApplication.Build(["--MxGateway:Dashboard:Enabled=false"]);
         IReadOnlyList<RouteEndpoint> endpoints = GetRouteEndpoints(app);
 
-        Assert.DoesNotContain(endpoints, endpoint =>
-            endpoint.RoutePattern.RawText?.StartsWith("/dashboard", StringComparison.Ordinal) == true);
         Assert.DoesNotContain(endpoints, endpoint =>
             endpoint.Metadata.GetMetadata<IEndpointNameMetadata>()?.EndpointName?.StartsWith(
                 "Dashboard",
@@ -174,13 +156,9 @@ public sealed class GatewayApplicationTests
         "",
         "MxGateway:Authentication:PepperSecretName is required")]
     [InlineData(
-        "MxGateway:Dashboard:PathBase",
-        "dashboard",
-        "MxGateway:Dashboard:PathBase must start with '/'.")]
-    [InlineData(
-        "MxGateway:Ldap:RequiredGroup",
-        "",
-        "MxGateway:Ldap:RequiredGroup is required when LDAP login is enabled.")]
+        "MxGateway:Dashboard:GroupToRole:GwAdmin",
+        "BogusRole",
+        "MxGateway:Dashboard:GroupToRole['GwAdmin'] must be 'Admin' or 'Viewer'.")]
     [InlineData(
         "MxGateway:Ldap:AllowInsecureLdap",
         "false",