Merge origin/main with local pending work and update AGENTS.md references

- Resolve 14 conflicts from popping local stash on top of origin's
  eed1e88 + 8d3352f doc-comment additions (11 mechanical, plus
  version.rs, DashboardAuthenticatorTests.cs, DashboardGalaxyProjector.cs)
- Fix 4 test files that used AGENTS.md as the repo-root sentinel
  (now use CLAUDE.md, since AGENTS.md was removed in 4731ab5)
- Redirect 10 doc citations from AGENTS.md to the matching gateway.md
  sections (Value Model, Status Model, Security, STA Worker Thread
  Model, gRPC Layer rule, cancellation rule)

Verified: solution build clean, x86 worker build clean, 266/266
gateway tests passing, 121/121 worker tests passing.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/MxGateway.Tests/Gateway/Dashboard/DashboardAuthenticatorTests.cs

@@ -1,135 +1,74 @@
-using System.Security.Claims;
+using Microsoft.Extensions.Logging.Abstractions;
 using Microsoft.Extensions.Options;
 using MxGateway.Server.Configuration;
 using MxGateway.Server.Dashboard;
-using MxGateway.Server.Security.Authentication;
-using MxGateway.Server.Security.Authorization;
 
 namespace MxGateway.Tests.Gateway.Dashboard;
 
-/// <summary>
-/// Tests for dashboard authentication using API keys.
-/// </summary>
 public sealed class DashboardAuthenticatorTests
 {
-    /// <summary>
-    /// Verifies an admin-scoped key produces a valid cookie principal.
-    /// </summary>
     [Fact]
-    public async Task AuthenticateAsync_AdminKey_ReturnsCookiePrincipal()
+    public void EscapeLdapFilter_EscapesSpecialCharacters()
     {
-        FakeApiKeyVerifier verifier = new(SuccessWithScopes(GatewayScopes.Admin));
-        DashboardAuthenticator authenticator = CreateAuthenticator(verifier);
+        string escaped = DashboardAuthenticator.EscapeLdapFilter("a\\b*c(d)e\0f");
 
-        DashboardAuthenticationResult result = await authenticator.AuthenticateAsync(
-            "mxgw_operator01_super-secret",
-            CancellationToken.None);
-
-        Assert.True(result.Succeeded);
-        Assert.NotNull(result.Principal);
-        Assert.Equal("operator01", result.Principal.FindFirst(ClaimTypes.NameIdentifier)?.Value);
-        Assert.Equal("Operator Key", result.Principal.FindFirst(ClaimTypes.Name)?.Value);
-        Assert.Contains(result.Principal.Claims, claim =>
-            claim.Type == DashboardAuthenticationDefaults.ScopeClaimType
-            && claim.Value == GatewayScopes.Admin);
-        Assert.Equal("Bearer mxgw_operator01_super-secret", verifier.LastAuthorizationHeader);
+        Assert.Equal("a\\5cb\\2ac\\28d\\29e\\00f", escaped);
     }
 
-    /// <summary>
-    /// Verifies a non-admin key fails authentication without exposing the API key.
-    /// </summary>
-    [Fact]
-    public async Task AuthenticateAsync_NonAdminKey_ReturnsFailureWithoutRawApiKey()
+    [Theory]
+    [InlineData("GwAdmin", true)]
+    [InlineData("gwadmin", true)]
+    [InlineData("ou=GwAdmin,ou=groups,dc=lmxopcua,dc=local", true)]
+    [InlineData("OtherGroup", false)]
+    public void IsMemberOfRequiredGroup_MatchesShortNameAndDistinguishedName(
+        string requiredGroup,
+        bool expected)
     {
-        DashboardAuthenticator authenticator = CreateAuthenticator(new FakeApiKeyVerifier(
-            SuccessWithScopes(GatewayScopes.EventsRead)));
+        string[] groups =
+        [
+            "ou=ReadOnly,ou=groups,dc=lmxopcua,dc=local",
+            "ou=GwAdmin,ou=groups,dc=lmxopcua,dc=local"
+        ];
+
+        bool result = DashboardAuthenticator.IsMemberOfRequiredGroup(groups, requiredGroup);
+
+        Assert.Equal(expected, result);
+    }
+
+    [Fact]
+    public void ExtractFirstRdnValue_ReturnsLeadingRdnValue()
+    {
+        string result = DashboardAuthenticator.ExtractFirstRdnValue(
+            "CN=Gateway Admins,OU=Groups,DC=example,DC=com");
+
+        Assert.Equal("Gateway Admins", result);
+    }
+
+    [Fact]
+    public async Task AuthenticateAsync_LdapDisabled_ReturnsFailureWithoutRawCredentials()
+    {
+        DashboardAuthenticator authenticator = CreateAuthenticator(new GatewayOptions
+        {
+            Ldap = new LdapOptions
+            {
+                Enabled = false,
+            },
+        });
 
         DashboardAuthenticationResult result = await authenticator.AuthenticateAsync(
-            "mxgw_operator01_super-secret",
+            "admin",
+            "admin123",
             CancellationToken.None);
 
         Assert.False(result.Succeeded);
         Assert.Null(result.Principal);
-        Assert.DoesNotContain("super-secret", result.FailureMessage, StringComparison.Ordinal);
+        Assert.DoesNotContain("admin123", result.FailureMessage, StringComparison.Ordinal);
     }
 
-    /// <summary>
-    /// Verifies that when admin scope is not required, any authenticated key is accepted.
-    /// </summary>
-    [Fact]
-    public async Task AuthenticateAsync_RequireAdminScopeFalse_AllowsAuthenticatedKey()
-    {
-        DashboardAuthenticator authenticator = CreateAuthenticator(
-            new FakeApiKeyVerifier(SuccessWithScopes(GatewayScopes.EventsRead)),
-            requireAdminScope: false);
-
-        DashboardAuthenticationResult result = await authenticator.AuthenticateAsync(
-            "mxgw_operator01_secret",
-            CancellationToken.None);
-
-        Assert.True(result.Succeeded);
-        Assert.NotNull(result.Principal);
-    }
-
-    /// <summary>
-    /// Verifies an invalid key returns a generic failure message.
-    /// </summary>
-    [Fact]
-    public async Task AuthenticateAsync_InvalidKey_ReturnsGenericFailure()
-    {
-        DashboardAuthenticator authenticator = CreateAuthenticator(new FakeApiKeyVerifier(
-            ApiKeyVerificationResult.Fail(ApiKeyVerificationFailure.SecretMismatch)));
-
-        DashboardAuthenticationResult result = await authenticator.AuthenticateAsync(
-            "mxgw_operator01_super-secret",
-            CancellationToken.None);
-
-        Assert.False(result.Succeeded);
-        Assert.DoesNotContain("super-secret", result.FailureMessage, StringComparison.Ordinal);
-    }
-
-    private static DashboardAuthenticator CreateAuthenticator(
-        IApiKeyVerifier verifier,
-        bool requireAdminScope = true)
+    private static DashboardAuthenticator CreateAuthenticator(GatewayOptions options)
     {
         return new DashboardAuthenticator(
-            verifier,
-            Options.Create(new GatewayOptions
-            {
-                Dashboard = new DashboardOptions
-                {
-                    RequireAdminScope = requireAdminScope
-                }
-            }));
-    }
-
-    private static ApiKeyVerificationResult SuccessWithScopes(params string[] scopes)
-    {
-        return ApiKeyVerificationResult.Success(new ApiKeyIdentity(
-            KeyId: "operator01",
-            KeyPrefix: "mxgw_operator01",
-            DisplayName: "Operator Key",
-            Scopes: new HashSet<string>(scopes, StringComparer.Ordinal)));
-    }
-
-    /// <summary>
-    /// Test implementation that records the authorization header for verification.
-    /// </summary>
-    private sealed class FakeApiKeyVerifier(ApiKeyVerificationResult result) : IApiKeyVerifier
-    {
-        /// <summary>
-        /// The authorization header that was last verified.
-        /// </summary>
-        public string? LastAuthorizationHeader { get; private set; }
-
-        /// <inheritdoc />
-        public Task<ApiKeyVerificationResult> VerifyAsync(
-            string? authorizationHeader,
-            CancellationToken cancellationToken)
-        {
-            LastAuthorizationHeader = authorizationHeader;
-
-            return Task.FromResult(result);
-        }
+            Options.Create(options),
+            NullLogger<DashboardAuthenticator>.Instance);
     }
 }