Apply technical-light design system to the gateway dashboard

Restyles the Blazor dashboard onto a portable token-based theme so it
reads like an instrument panel: warm-paper background, hairline-ruled
panels, IBM Plex type, monospace tabular numerics, and status carried by
colour chips. Vendors theme.css + IBM Plex fonts, rewrites dashboard.css
as a thin token-driven view layer, and swaps the Bootstrap navbar and
status badges for the design-system app bar and chips.

Also includes pending API-key management, Galaxy hierarchy projection,
and constraint-enforcement work with their tests.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/MxGateway.Tests/Gateway/Dashboard/DashboardApiKeyAuthorizationTests.cs

@@ -0,0 +1,65 @@
+using System.Security.Claims;
+using Microsoft.Extensions.Options;
+using MxGateway.Server.Configuration;
+using MxGateway.Server.Dashboard;
+
+namespace MxGateway.Tests.Gateway.Dashboard;
+
+public sealed class DashboardApiKeyAuthorizationTests
+{
+    [Fact]
+    public void CanManage_AuthenticatedUserWithShortRequiredGroupClaim_ReturnsTrue()
+    {
+        DashboardApiKeyAuthorization authorization = CreateAuthorization();
+        ClaimsPrincipal user = CreatePrincipal("GwAdmin");
+
+        Assert.True(authorization.CanManage(user));
+    }
+
+    [Fact]
+    public void CanManage_AuthenticatedUserWithRequiredGroupDnClaim_ReturnsTrue()
+    {
+        DashboardApiKeyAuthorization authorization = CreateAuthorization();
+        ClaimsPrincipal user = CreatePrincipal("ou=GwAdmin,ou=groups,dc=lmxopcua,dc=local");
+
+        Assert.True(authorization.CanManage(user));
+    }
+
+    [Fact]
+    public void CanManage_AnonymousUser_ReturnsFalse()
+    {
+        DashboardApiKeyAuthorization authorization = CreateAuthorization();
+        ClaimsPrincipal user = new(new ClaimsIdentity());
+
+        Assert.False(authorization.CanManage(user));
+    }
+
+    [Fact]
+    public void CanManage_AuthenticatedUserWithoutRequiredGroup_ReturnsFalse()
+    {
+        DashboardApiKeyAuthorization authorization = CreateAuthorization();
+        ClaimsPrincipal user = CreatePrincipal("ReadOnly");
+
+        Assert.False(authorization.CanManage(user));
+    }
+
+    private static DashboardApiKeyAuthorization CreateAuthorization()
+    {
+        return new DashboardApiKeyAuthorization(Options.Create(new GatewayOptions
+        {
+            Ldap = new LdapOptions
+            {
+                RequiredGroup = "GwAdmin",
+            },
+        }));
+    }
+
+    private static ClaimsPrincipal CreatePrincipal(string group)
+    {
+        ClaimsIdentity identity = new(
+            [new Claim(DashboardAuthenticationDefaults.LdapGroupClaimType, group)],
+            DashboardAuthenticationDefaults.AuthenticationScheme);
+
+        return new ClaimsPrincipal(identity);
+    }
+}