rename: prefix gateway projects/namespaces with ZB.MOM.WW + sln→slnx

Apply the ZB.MOM.WW. prefix to all gateway-side projects, folders,
.csproj/.sln contents, C# namespaces, using directives, generated proto
C# (csharp_namespace + checked-in generated files), InternalsVisibleTo
attributes, project-name string literals (LoadProject, .sln lookups,
worker exe paths, staticwebassets manifest), and the install/script/doc
references that point at any of the above. Migrate the solution from
.sln to .slnx via `dotnet sln migrate` and delete the old file.

External-runtime identifiers are intentionally NOT prefixed so external
configuration keeps working:
- GatewayMetrics.cs MeterName ("MxGateway.Server")
- DashboardAuthenticationDefaults Scheme/Policy ("MxGateway.Dashboard")
- GatewayRequestLoggingMiddleware logger category ("MxGateway.Request")
- StaRuntime thread name ("MxGateway.Worker.STA")
- appsettings.json root section "MxGateway" + env-var prefix
  MxGateway__... and secret-name MxGateway:ApiKeyPepper
- C:\ProgramData\MxGateway\ data dir paths

Also fixes two tests that were not rename-related but became visible
while validating the rename:

- WorkerLiveMxAccessSmokeTests.ShutDownAsync: cancellation that the
  gateway service correctly maps to RpcException(Cancelled) per gRPC
  convention was being misclassified as a stream fault. Added a sibling
  catch on RpcException with StatusCode.Cancelled.

- IntegrationTestEnvironment.ResolveRepositoryRoot: extracted IsRepositoryRoot
  and made it accept either a .git marker OR a .sln/.slnx next to src/
  so the worker-exe walker works in non-git working copies.

clients/proto/proto-inputs.json's protoRoot updated to point at
src/ZB.MOM.WW.MxGateway.Contracts/Protos.

Verified by `dotnet build` and a full `dotnet test` of the .slnx with
MXGATEWAY_RUN_LIVE_{MXACCESS,LDAP,GALAXY}_TESTS=1:
  Tests: 472/472 pass
  Worker.Tests: 280/280 pass (4 dev-rig [Fact(Skip=...)] skipped)
  IntegrationTests: 18/18 pass

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/ZB.MOM.WW.MxGateway.Tests/Diagnostics/GatewayLogRedactorTests.cs

@@ -0,0 +1,90 @@
+using ZB.MOM.WW.MxGateway.Server.Diagnostics;
+
+namespace ZB.MOM.WW.MxGateway.Tests.Diagnostics;
+
+public sealed class GatewayLogRedactorTests
+{
+    /// <summary>Verifies that RedactApiKey preserves the key ID and removes the secret.</summary>
+    [Fact]
+    public void RedactApiKey_PreservesKeyIdAndRemovesSecret()
+    {
+        string? redacted = GatewayLogRedactor.RedactApiKey("Bearer mxgw_operator01_super-secret");
+
+        Assert.Equal("Bearer mxgw_operator01_[redacted]", redacted);
+        Assert.DoesNotContain("super-secret", redacted);
+    }
+
+    /// <summary>Verifies that RedactApiKey removes secrets containing underscores.</summary>
+    [Fact]
+    public void RedactApiKey_RemovesSecretContainingUnderscores()
+    {
+        string? redacted = GatewayLogRedactor.RedactApiKey("Bearer mxgw_operator01_super_secret_value");
+
+        Assert.Equal("Bearer mxgw_operator01_[redacted]", redacted);
+        Assert.DoesNotContain("super_secret_value", redacted);
+    }
+
+    /// <summary>Verifies that IsCredentialBearingCommand identifies credential-bearing MXAccess commands.</summary>
+    /// <param name="commandMethod">Name of the MXAccess command method.</param>
+    [Theory]
+    [InlineData("AuthenticateUser")]
+    [InlineData("WriteSecured")]
+    [InlineData("WriteSecured2")]
+    public void IsCredentialBearingCommand_IdentifiesSensitiveMxAccessCommands(string commandMethod)
+    {
+        Assert.True(GatewayLogRedactor.IsCredentialBearingCommand(commandMethod));
+    }
+
+    /// <summary>Verifies that RedactCommandValue does not log raw values by default.</summary>
+    [Fact]
+    public void RedactCommandValue_DoesNotLogRawValuesByDefault()
+    {
+        object? redacted = GatewayLogRedactor.RedactCommandValue("Write", "plaintext-tag-value");
+
+        Assert.Equal("[redacted]", redacted);
+    }
+
+    /// <summary>Verifies that RedactCommandValue redacts secured writes even when value logging is enabled.</summary>
+    [Fact]
+    public void RedactCommandValue_RedactsSecuredWriteEvenWhenValueLoggingIsEnabled()
+    {
+        object? redacted = GatewayLogRedactor.RedactCommandValue(
+            "WriteSecured",
+            "credential-bearing-value",
+            valueLoggingEnabled: true);
+
+        Assert.Equal("[redacted]", redacted);
+    }
+
+    /// <summary>Verifies that RedactCommandValue allows non-sensitive values only when value logging is enabled.</summary>
+    [Fact]
+    public void RedactCommandValue_AllowsNonSensitiveValueOnlyWhenValueLoggingIsEnabled()
+    {
+        object? redacted = GatewayLogRedactor.RedactCommandValue(
+            "Write",
+            "diagnostic-value",
+            valueLoggingEnabled: true);
+
+        Assert.Equal("diagnostic-value", redacted);
+    }
+
+    /// <summary>Verifies that LogScope redacts client identity before scope state is created.</summary>
+    [Fact]
+    public void LogScope_RedactsClientIdentityBeforeScopeStateIsCreated()
+    {
+        GatewayLogScope scope = new(
+            SessionId: "session-1",
+            WorkerProcessId: 1234,
+            CorrelationId: 99,
+            CommandMethod: "AuthenticateUser",
+            ClientIdentity: "Bearer mxgw_admin_secret");
+
+        IReadOnlyDictionary<string, object?> values = scope.ToDictionary();
+
+        Assert.Equal("session-1", values["SessionId"]);
+        Assert.Equal(1234, values["WorkerProcessId"]);
+        Assert.Equal((ulong)99, values["CorrelationId"]);
+        Assert.Equal("AuthenticateUser", values["CommandMethod"]);
+        Assert.Equal("Bearer mxgw_admin_[redacted]", values["ClientIdentity"]);
+    }
+}