rename: prefix gateway projects/namespaces with ZB.MOM.WW + sln→slnx

Apply the ZB.MOM.WW. prefix to all gateway-side projects, folders,
.csproj/.sln contents, C# namespaces, using directives, generated proto
C# (csharp_namespace + checked-in generated files), InternalsVisibleTo
attributes, project-name string literals (LoadProject, .sln lookups,
worker exe paths, staticwebassets manifest), and the install/script/doc
references that point at any of the above. Migrate the solution from
.sln to .slnx via `dotnet sln migrate` and delete the old file.

External-runtime identifiers are intentionally NOT prefixed so external
configuration keeps working:
- GatewayMetrics.cs MeterName ("MxGateway.Server")
- DashboardAuthenticationDefaults Scheme/Policy ("MxGateway.Dashboard")
- GatewayRequestLoggingMiddleware logger category ("MxGateway.Request")
- StaRuntime thread name ("MxGateway.Worker.STA")
- appsettings.json root section "MxGateway" + env-var prefix
  MxGateway__... and secret-name MxGateway:ApiKeyPepper
- C:\ProgramData\MxGateway\ data dir paths

Also fixes two tests that were not rename-related but became visible
while validating the rename:

- WorkerLiveMxAccessSmokeTests.ShutDownAsync: cancellation that the
  gateway service correctly maps to RpcException(Cancelled) per gRPC
  convention was being misclassified as a stream fault. Added a sibling
  catch on RpcException with StatusCode.Cancelled.

- IntegrationTestEnvironment.ResolveRepositoryRoot: extracted IsRepositoryRoot
  and made it accept either a .git marker OR a .sln/.slnx next to src/
  so the worker-exe walker works in non-git working copies.

clients/proto/proto-inputs.json's protoRoot updated to point at
src/ZB.MOM.WW.MxGateway.Contracts/Protos.

Verified by `dotnet build` and a full `dotnet test` of the .slnx with
MXGATEWAY_RUN_LIVE_{MXACCESS,LDAP,GALAXY}_TESTS=1:
  Tests: 472/472 pass
  Worker.Tests: 280/280 pass (4 dev-rig [Fact(Skip=...)] skipped)
  IntegrationTests: 18/18 pass

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

docs/GatewayDashboardDesign.md

@@ -34,7 +34,7 @@ SignalR circuit. Bootstrap is sufficient for a basic dashboard.
 
 ## Hosting Model
 
-The dashboard is hosted by `MxGateway.Server` alongside the gRPC API. When
+The dashboard is hosted by `ZB.MOM.WW.MxGateway.Server` alongside the gRPC API. When
 `MxGateway:Dashboard:Enabled` is `true`, `MapGatewayDashboard()` maps the
 configured `Dashboard:PathBase` to the Blazor Server app and maps the login,
 logout, and access-denied HTTP endpoints beside it. When dashboard hosting is
@@ -49,6 +49,7 @@ Endpoint layout:
 /dashboard/workers
 /dashboard/events
 /dashboard/galaxy
+/dashboard/apikeys
 /dashboard/settings
 /dashboard/_blazor
 ```
@@ -68,7 +69,7 @@ dashboard as the default web page. Otherwise leave gRPC/API hosting unaffected.
 ## High-Level Components
 
 ```text
-MxGateway.Server
+ZB.MOM.WW.MxGateway.Server
   Dashboard/
     Components/
       App.razor
@@ -83,6 +84,7 @@ MxGateway.Server
         SessionDetailsPage.razor
         WorkersPage.razor
         EventsPage.razor
+        ApiKeysPage.razor
         SettingsPage.razor
       Shared/
         MetricCard.razor
@@ -91,6 +93,9 @@ MxGateway.Server
     DashboardSnapshotService.cs
     DashboardAuthorizationHandler.cs
     DashboardAuthenticator.cs
+    DashboardApiKeyAuthorization.cs
+    DashboardApiKeyManagementService.cs
+    DashboardApiKeySummary.cs
     DashboardSnapshot.cs
     DashboardSessionSummary.cs
     DashboardWorkerSummary.cs
@@ -249,6 +254,99 @@ Show aggregate event diagnostics:
 Do not display full tag values by default. If value display is later added, make
 it opt-in and redacted.
 
+### Browse page
+
+`/dashboard/browse` lets an operator explore the Galaxy tag hierarchy and watch
+live values. The tree is built in-process by `DashboardBrowseTreeBuilder` from
+`IGalaxyHierarchyCache.Current` — the same cache the Galaxy page reads — so a
+render costs no gRPC call and no SQL round-trip. Each node shows its child
+objects and, when expanded, its attributes with attribute name, data type
+(including array dimension), and the alarm / historized flags. Galaxy SQL
+carries no attribute description, so none is shown. A filter box switches the
+tree to a flat list of matching attributes.
+
+Right-clicking an attribute (or double-clicking it) adds it to the subscription
+panel. The panel shows each subscribed tag's live value, MXAccess data type,
+quality and source timestamp, refreshed every two seconds. The subscription
+panel is the explicit opt-in tag-value surface: it always shows values
+regardless of `Dashboard:ShowTagValues`, which continues to govern only the
+diagnostic session/worker views.
+
+### Alarms page
+
+`/dashboard/alarms` lists the alarms the gateway's central alarm monitor
+currently holds as Active or ActiveAcked, refreshed every three seconds. It
+defaults to showing unacknowledged `Active` alarms; filters add acknowledged
+alarms and narrow by area, severity range, and a reference/source/description
+text search. Cleared alarms are not retained — the gateway holds no
+alarm-history store, so the page reflects only the live active set. The page is
+read-only; it does not acknowledge alarms. If `MxGateway:Alarms:Enabled` is
+false the central monitor never starts, and the page says so instead of showing
+an empty list with no explanation.
+
+### Live data source
+
+Both the Browse subscription panel and the Alarms page read live MXAccess data
+through `IDashboardLiveDataService` (`DashboardLiveDataService`). For tag data
+it owns one shared gateway session for the whole dashboard, opened lazily on
+first use via `ISessionManager` and re-opened transparently when it faults or
+its lease expires. One session means one worker process backs every dashboard
+circuit; all access is serialised so the worker sees one in-flight command at a
+time. Tag reads go through `GatewaySession.SubscribeBulkAsync` / `ReadBulkAsync`.
+
+The Alarms page does **not** use the dashboard session: alarm data comes from
+the gateway's always-on central monitor. `QueryAlarmsAsync` reads
+`IGatewayAlarmService.CurrentAlarms` — the monitor's in-process cache — so the
+dashboard sees the same active-alarm set as every `StreamAlarms` client, with
+no per-dashboard alarm subscription. When `MxGateway:Alarms:Enabled` is false
+the monitor never starts and the cache stays empty.
+
+### API keys page
+
+`/dashboard/apikeys` lists the gateway's API keys and, for authorized
+operators, manages them. It reads key metadata through the same
+`IApiKeyAdminStore` the `apikey` CLI uses, so the dashboard and the CLI act
+on one source of truth.
+
+The table shows one row per key:
+
+- key id,
+- status (`Active` or `Revoked`),
+- display name,
+- scopes,
+- constraints (rendered as `unconstrained` when none are set),
+- created timestamp,
+- last-used timestamp.
+
+Key secrets are never listed. Only the peppered hash is stored, and the page
+never reconstructs a key. See [Authorization](./Authorization.md#constraint-enforcement)
+for what each constraint means and how it is enforced on the gRPC path.
+
+#### Management actions
+
+Create, Rotate, and Revoke controls render only when the signed-in user is
+authorized. `DashboardApiKeyAuthorization.CanManage` requires an authenticated
+principal that is a member of the LDAP `MxGateway:Ldap:RequiredGroup` — the
+same group the dashboard login enforces. An anonymous localhost viewer can read
+the table but sees no action controls.
+
+- **Create** opens a dialog for the key id, display name, scope checkboxes
+  (the `GatewayScopes` catalog), and the optional constraint fields: read and
+  write subtrees, read and write tag globs, browse subtrees, max write
+  classification, and the read-alarm-only / read-historized-only flags.
+- **Rotate** issues a new secret for an existing key id and invalidates the
+  old one.
+- **Revoke** marks a key revoked; a revoked key cannot be un-revoked.
+
+Create and Rotate return the assembled `mxgw_<keyId>_<secret>` token **once**,
+in a one-time banner. It is never shown again, so the operator must copy it
+immediately. This mirrors the `apikey create-key` / `rotate-key` CLI.
+
+Every management action appends an `api_key_audit` entry
+(`dashboard-create-key`, `dashboard-rotate-key`, `dashboard-revoke-key`) with
+the key id and the caller's remote address. Secrets and pepper values are never
+logged.
+
 ### Settings page
 
 Show read-only effective configuration:
@@ -330,8 +428,8 @@ Suggested configuration:
 ## Styling
 
 The dashboard serves Bootstrap 5.3.3 assets from
-`src/MxGateway.Server/wwwroot/lib/bootstrap/` and local layout/status styling
-from `src/MxGateway.Server/wwwroot/css/dashboard.css`.
+`src/ZB.MOM.WW.MxGateway.Server/wwwroot/lib/bootstrap/` and local layout/status styling
+from `src/ZB.MOM.WW.MxGateway.Server/wwwroot/css/dashboard.css`.
 
 Recommended visual language:
 
@@ -377,7 +475,7 @@ Integration tests should verify:
 
 The first dashboard slice implements:
 
-1. Blazor Server hosting in `MxGateway.Server`.
+1. Blazor Server hosting in `ZB.MOM.WW.MxGateway.Server`.
 2. local Bootstrap static assets.
 3. dashboard configuration binding.
 4. dashboard auth using API key login and HTTP-only cookie.