fix(gateway): preserve raw client correlation id in denial audit DetailsJson + add wiring test (§1.2)

src/ZB.MOM.WW.MxGateway.Tests/Security/Authorization/ConstraintEnforcerTests.cs

@@ -1,3 +1,4 @@
+using System.Text.Json;
 using ZB.MOM.WW.Audit;
 using ZB.MOM.WW.MxGateway.Contracts.Proto.Galaxy;
 using ZB.MOM.WW.MxGateway.Contracts.Proto;
@@ -102,9 +103,12 @@ public sealed class ConstraintEnforcerTests
         Assert.Equal(correlationId, auditEvent.CorrelationId);
     }
 
-    /// <summary>A denial with a non-GUID correlation id leaves the audit correlation id null.</summary>
+    /// <summary>
+    ///     A denial with a non-GUID correlation id leaves the typed audit correlation id null but
+    ///     still preserves the raw client correlation id in DetailsJson so it is not lost.
+    /// </summary>
     [Fact]
-    public async Task RecordDenialAsync_WithNonGuidCorrelationId_LeavesCorrelationIdNull()
+    public async Task RecordDenialAsync_WithNonGuidCorrelationId_LeavesCorrelationIdNullButPreservesRawInDetails()
     {
         ConstraintEnforcer enforcer = CreateEnforcer(out FakeAuditWriter auditWriter);
 
@@ -113,11 +117,17 @@ public sealed class ConstraintEnforcerTests
             "Read",
             "Secret.Tag",
             new ConstraintFailure("read_scope", "Tag is outside the API key read scope."),
-            "cli-xyz",
+            "rust-client-Write-7",
             CancellationToken.None);
 
         AuditEvent auditEvent = Assert.Single(auditWriter.Events);
         Assert.Null(auditEvent.CorrelationId);
+        Assert.NotNull(auditEvent.DetailsJson);
+
+        Dictionary<string, string>? details =
+            JsonSerializer.Deserialize<Dictionary<string, string>>(auditEvent.DetailsJson);
+        Assert.NotNull(details);
+        Assert.Equal("rust-client-Write-7", details["clientCorrelationId"]);
     }
 
     /// <summary>A denial with no identity records the canonical "anonymous" actor.</summary>