feat(security): OperationalAudit + AuditExport permissions for Audit Log surface (#23 M7)

Bundle G (#23 M7-T15): replace the temporary Admin-only gate on the Audit
Log surface with two new permission policies — OperationalAudit (read) and
AuditExport (bulk-export) — so the read path and the forensic-export path
can be delegated independently.

ScadaLink.Security
- AuthorizationPolicies: add OperationalAudit + AuditExport policy
  constants; register them via RequireClaim with an explicit role allow-list
  (OperationalAuditRoles, AuditExportRoles) so the role-to-permission
  mapping is documented in one place.
- Default mapping: Admin and Audit roles grant both policies; AuditReadOnly
  grants OperationalAudit only (read access without bulk export); Design
  and Deployment grant neither.

ScadaLink.CentralUI
- AuditLogPage: switch the page-level [Authorize] to the OperationalAudit
  policy and wrap the Export-CSV button in an AuthorizeView gated on
  AuditExport so an OperationalAudit-only operator still sees the page +
  filters but cannot trigger the CSV pull.
- ConfigurationAuditLog: switch from RequireAdmin to OperationalAudit so
  both pages under the Audit nav group share the same gate.
- NavMenu: the Audit nav group now gates on OperationalAudit so the
  section header + both child links match the per-page policies.
- AuditExportEndpoints: switch RequireAuthorization from RequireAdmin to
  AuditExport — this is the authoritative gate; the AuthorizeView on the
  button is just a UX affordance.

Tests
- New AuditLogPagePermissionTests covers the 5 brief-mandated cases plus
  defence-in-depth for Admin-alone and AuditReadOnly users on the endpoint.
- SecurityTests: add policy-level coverage for the new role→permission
  matrix (Theory rows pin every role/policy combination).
- AuditExportEndpointsTests: switch to AddScadaLinkAuthorization() so the
  test host exercises the real production wiring under the new gate.
- AuditLogPageScaffoldTests: wrap the page render in a
  CascadingAuthenticationState so the new in-page AuthorizeView resolves
  the principal.

tests/ScadaLink.CentralUI.Tests/Audit/AuditExportEndpointsTests.cs

@@ -71,18 +71,18 @@ public class AuditExportEndpointsTests
                 web.ConfigureServices(services =>
                 {
                     services.AddRouting();
-                    // The endpoint is admin-gated; the tests run as
-                    // pre-authenticated principals built by FakeAuthHandler
-                    // (everyone has the Admin role) so the RequireAdmin policy
-                    // succeeds.
+                    // The endpoint is AuditExport-gated (#23 M7-T15 Bundle G);
+                    // the tests run as pre-authenticated principals built by
+                    // FakeAuthHandler (everyone has the Admin role), which is
+                    // one of AuditExportRoles, so the policy succeeds.
                     services.AddAuthentication(FakeAuthHandler.SchemeName)
                         .AddScheme<Microsoft.AspNetCore.Authentication.AuthenticationSchemeOptions, FakeAuthHandler>(
                             FakeAuthHandler.SchemeName, _ => { });
-                    services.AddAuthorization(options =>
-                    {
-                        options.AddPolicy(AuthorizationPolicies.RequireAdmin, policy =>
-                            policy.RequireClaim(JwtTokenService.RoleClaimType, "Admin"));
-                    });
+                    // Use the real production policy wiring so the endpoint's
+                    // updated AuditExport gate (#23 M7-T15 Bundle G) is what
+                    // the tests exercise. The fake principal carries the
+                    // "Admin" role, which AuditExportRoles permits.
+                    services.AddScadaLinkAuthorization();
                     services.AddSingleton(repo);
                     services.AddScoped<IAuditLogExportService, AuditLogExportService>();
                 });
@@ -224,8 +224,8 @@ public class AuditExportEndpointsTests
 
     /// <summary>
     /// Test-only authentication handler that signs every request in as an Admin.
-    /// Lets the endpoint's <c>RequireAdmin</c> policy pass without spinning up
-    /// the real cookie + LDAP pipeline.
+    /// Admin is in <c>AuditExportRoles</c>, so the endpoint's AuditExport policy
+    /// passes without spinning up the real cookie + LDAP pipeline.
     /// </summary>
     private sealed class FakeAuthHandler : AuthenticationHandler<AuthenticationSchemeOptions>
     {

tests/ScadaLink.CentralUI.Tests/Pages/AuditLogPagePermissionTests.cs

@@ -0,0 +1,323 @@
+using System.Net;
+using System.Security.Claims;
+using System.Text.Encodings.Web;
+using Bunit;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Components;
+using Microsoft.AspNetCore.Components.Authorization;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Routing;
+using Microsoft.AspNetCore.TestHost;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Hosting;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using NSubstitute;
+using ScadaLink.CentralUI.Audit;
+using ScadaLink.CentralUI.Services;
+using ScadaLink.Commons.Entities.Audit;
+using ScadaLink.Commons.Interfaces.Repositories;
+using ScadaLink.Commons.Types.Audit;
+using ScadaLink.Commons.Types.Enums;
+using ScadaLink.Security;
+using AuditLogPage = ScadaLink.CentralUI.Components.Pages.Audit.AuditLogPage;
+
+namespace ScadaLink.CentralUI.Tests.Pages;
+
+/// <summary>
+/// Permission-gating tests for the Audit Log surface (#23 M7-T15 / Bundle G).
+///
+/// <para>
+/// Bundle G introduces two new policies:
+/// <list type="bullet">
+///   <item><c>OperationalAudit</c> — read access to the Audit Log page +
+///   Configuration Audit Log page + nav group.</item>
+///   <item><c>AuditExport</c> — additional gate on the Export-CSV button and
+///   the streaming export endpoint.</item>
+/// </list>
+/// Both policies are satisfied by the <c>Audit</c> role and (defence in depth)
+/// the <c>Admin</c> role — admins see everything by convention in this
+/// codebase. The tests pin both the page-level + endpoint-level enforcement,
+/// and the Export-button visibility split.
+/// </para>
+/// </summary>
+public class AuditLogPagePermissionTests : BunitContext
+{
+    private static ClaimsPrincipal BuildPrincipal(params string[] roles)
+    {
+        var claims = new List<Claim> { new("Username", "tester") };
+        claims.AddRange(roles.Select(r => new Claim(JwtTokenService.RoleClaimType, r)));
+        return new ClaimsPrincipal(new ClaimsIdentity(claims, "TestAuth"));
+    }
+
+    private void WireUpPageDependencies()
+    {
+        // The page hosts AuditFilterBar + AuditResultsGrid which depend on
+        // ISiteRepository and IAuditLogQueryService — provide stand-ins so
+        // a permitted render is exercised end-to-end.
+        Services.AddSingleton(Substitute.For<ISiteRepository>());
+        Services.AddSingleton(Substitute.For<IAuditLogQueryService>());
+    }
+
+    private IRenderedComponent<AuditLogPage> RenderAuditLogPage(params string[] roles)
+    {
+        var user = BuildPrincipal(roles);
+        Services.AddSingleton<AuthenticationStateProvider>(new TestAuthStateProvider(user));
+        Services.AddAuthorizationCore();
+        AuthorizationPolicies.AddScadaLinkAuthorization(Services);
+        Services.AddSingleton<IAuthorizationService, DefaultAuthorizationService>();
+        WireUpPageDependencies();
+
+        // Page-level [Authorize(Policy=...)] is enforced by the router in a
+        // live app. bUnit renders the component directly, so we wrap the
+        // page in a CascadingAuthenticationState so the in-page
+        // AuthorizeView for the Export button can read the principal.
+        var host = Render<CascadingAuthenticationState>(parameters => parameters
+            .Add(p => p.ChildContent, (RenderFragment)(builder =>
+            {
+                builder.OpenComponent<AuditLogPage>(0);
+                builder.CloseComponent();
+            })));
+
+        return host.FindComponent<AuditLogPage>();
+    }
+
+    // ─────────────────────────────────────────────────────────────────────
+    // Test 1: WithoutOperationalAudit_PageReturns403_OrHidden
+    // ─────────────────────────────────────────────────────────────────────
+    //
+    // Page-level enforcement is the [Authorize(Policy = "OperationalAudit")]
+    // attribute on the .razor page. We can't easily smoke-test routing here,
+    // so we verify the attribute is present + the policy denies a principal
+    // that holds none of the permitting roles.
+
+    [Fact]
+    public async Task WithoutOperationalAudit_PolicyDenies()
+    {
+        // A Design-only user (no Audit, no Admin) must NOT satisfy the
+        // OperationalAudit policy.
+        var services = new ServiceCollection();
+        services.AddLogging();
+        services.AddScadaLinkAuthorization();
+        using var provider = services.BuildServiceProvider();
+        var authService = provider.GetRequiredService<IAuthorizationService>();
+
+        var principal = BuildPrincipal("Design");
+        var result = await authService.AuthorizeAsync(
+            principal, null, AuthorizationPolicies.OperationalAudit);
+
+        Assert.False(result.Succeeded);
+    }
+
+    [Fact]
+    public void AuditLogPage_HasOperationalAuditAuthorizeAttribute()
+    {
+        // Sanity-pin the attribute so the page-level gate can't regress to
+        // [Authorize] (any-authenticated) by accident.
+        var attributes = typeof(AuditLogPage)
+            .GetCustomAttributes(typeof(AuthorizeAttribute), inherit: true)
+            .Cast<AuthorizeAttribute>()
+            .ToList();
+
+        Assert.Contains(attributes, a => a.Policy == AuthorizationPolicies.OperationalAudit);
+    }
+
+    [Fact]
+    public void ConfigurationAuditLogPage_HasOperationalAuditAuthorizeAttribute()
+    {
+        // ConfigurationAuditLog mirrors the gate — both Audit-group pages
+        // share the OperationalAudit permission so the nav-group policy
+        // remains coherent with the per-page gates.
+        var configType = typeof(ScadaLink.CentralUI.Components.Pages.Audit.ConfigurationAuditLog);
+        var attributes = configType
+            .GetCustomAttributes(typeof(AuthorizeAttribute), inherit: true)
+            .Cast<AuthorizeAttribute>()
+            .ToList();
+
+        Assert.Contains(attributes, a => a.Policy == AuthorizationPolicies.OperationalAudit);
+    }
+
+    // ─────────────────────────────────────────────────────────────────────
+    // Test 2 + 3: Export button visibility split.
+    // ─────────────────────────────────────────────────────────────────────
+
+    [Fact]
+    public void WithOperationalAudit_NoAuditExport_PageRenders_ExportButtonHidden()
+    {
+        // The "Audit" role grants OperationalAudit + AuditExport in the
+        // default mapping, so we test the split by handing the user ONLY
+        // an extra-narrow role that we map ONLY to OperationalAudit: a
+        // fresh "AuditReadOnly" role (see AuthorizationPolicies).
+        var cut = RenderAuditLogPage("AuditReadOnly");
+
+        cut.WaitForAssertion(() =>
+        {
+            // The page rendered (heading + container present) but the
+            // Export-CSV anchor is gone because AuditExport is denied.
+            Assert.Contains("Audit Log", cut.Markup);
+            Assert.DoesNotContain("Export CSV", cut.Markup);
+        });
+    }
+
+    [Fact]
+    public void WithOperationalAudit_AndAuditExport_PageRenders_ExportButtonVisible()
+    {
+        var cut = RenderAuditLogPage("Audit");
+
+        cut.WaitForAssertion(() =>
+        {
+            Assert.Contains("Audit Log", cut.Markup);
+            Assert.Contains("Export CSV", cut.Markup);
+        });
+    }
+
+    [Fact]
+    public void AdminUser_SeesPage_AndExportButton()
+    {
+        // Admin holds every permission by convention — both policies must
+        // succeed for a plain Admin user.
+        var cut = RenderAuditLogPage("Admin");
+
+        cut.WaitForAssertion(() =>
+        {
+            Assert.Contains("Audit Log", cut.Markup);
+            Assert.Contains("Export CSV", cut.Markup);
+        });
+    }
+
+    // ─────────────────────────────────────────────────────────────────────
+    // Test 4 + 5: Endpoint-level enforcement.
+    // ─────────────────────────────────────────────────────────────────────
+
+    [Fact]
+    public async Task AuditExportEndpoint_WithoutAuditExport_Returns403()
+    {
+        // A user holding only Design must NOT be able to call the export
+        // endpoint. Live wiring re-uses AuthorizationPolicies.AuditExport.
+        var (client, _, host) = await BuildEndpointHostAsync(roles: new[] { "Design" });
+        using (host)
+        {
+            var response = await client.GetAsync("/api/centralui/audit/export");
+            Assert.Equal(HttpStatusCode.Forbidden, response.StatusCode);
+        }
+    }
+
+    [Fact]
+    public async Task AuditExportEndpoint_WithAuditExport_Returns200()
+    {
+        var (client, _, host) = await BuildEndpointHostAsync(roles: new[] { "Audit" });
+        using (host)
+        {
+            var response = await client.GetAsync("/api/centralui/audit/export");
+            Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+        }
+    }
+
+    [Fact]
+    public async Task AuditExportEndpoint_AdminAlone_Returns200()
+    {
+        // Admin alone (no Audit role) must still pass — defence in depth.
+        var (client, _, host) = await BuildEndpointHostAsync(roles: new[] { "Admin" });
+        using (host)
+        {
+            var response = await client.GetAsync("/api/centralui/audit/export");
+            Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+        }
+    }
+
+    [Fact]
+    public async Task AuditExportEndpoint_AuditReadOnly_Returns403()
+    {
+        // AuditReadOnly grants OperationalAudit but NOT AuditExport, so the
+        // endpoint must refuse — the page is readable but the bulk export
+        // path is gated separately.
+        var (client, _, host) = await BuildEndpointHostAsync(roles: new[] { "AuditReadOnly" });
+        using (host)
+        {
+            var response = await client.GetAsync("/api/centralui/audit/export");
+            Assert.Equal(HttpStatusCode.Forbidden, response.StatusCode);
+        }
+    }
+
+    // ─────────────────────────────────────────────────────────────────────
+    // Helper: tiny in-process host with the real AuthorizationPolicies.
+    // ─────────────────────────────────────────────────────────────────────
+
+    private static async Task<(HttpClient Client, IAuditLogRepository Repo, IHost Host)> BuildEndpointHostAsync(
+        string[] roles)
+    {
+        var repo = Substitute.For<IAuditLogRepository>();
+        repo.QueryAsync(Arg.Any<AuditLogQueryFilter>(), Arg.Any<AuditLogPaging>(), Arg.Any<CancellationToken>())
+            .Returns(
+                Task.FromResult<IReadOnlyList<AuditEvent>>(Array.Empty<AuditEvent>()),
+                Task.FromResult<IReadOnlyList<AuditEvent>>(Array.Empty<AuditEvent>()));
+
+        var hostBuilder = new HostBuilder()
+            .ConfigureWebHost(web =>
+            {
+                web.UseTestServer();
+                web.ConfigureServices(services =>
+                {
+                    services.AddRouting();
+                    services.AddAuthentication(FakeAuthHandler.SchemeName)
+                        .AddScheme<FakeAuthHandlerOptions, FakeAuthHandler>(
+                            FakeAuthHandler.SchemeName, opts => opts.Roles = roles);
+                    // Real policies — the whole point of these tests is to
+                    // exercise the production AddScadaLinkAuthorization wiring.
+                    services.AddScadaLinkAuthorization();
+                    services.AddSingleton(repo);
+                    services.AddScoped<IAuditLogExportService, AuditLogExportService>();
+                });
+                web.Configure(app =>
+                {
+                    app.UseRouting();
+                    app.UseAuthentication();
+                    app.UseAuthorization();
+                    app.UseEndpoints(endpoints =>
+                    {
+                        endpoints.MapAuditExportEndpoints();
+                    });
+                });
+            });
+
+        var host = await hostBuilder.StartAsync();
+        var client = host.GetTestClient();
+        return (client, repo, host);
+    }
+
+    /// <summary>
+    /// Test-only authentication handler that signs every request in with
+    /// the configured set of roles.
+    /// </summary>
+    private sealed class FakeAuthHandler : AuthenticationHandler<FakeAuthHandlerOptions>
+    {
+        public const string SchemeName = "FakeAuth";
+
+        public FakeAuthHandler(
+            IOptionsMonitor<FakeAuthHandlerOptions> options,
+            ILoggerFactory logger,
+            UrlEncoder encoder)
+            : base(options, logger, encoder) { }
+
+        protected override Task<AuthenticateResult> HandleAuthenticateAsync()
+        {
+            var claims = new List<Claim> { new(ClaimTypes.Name, "test-user") };
+            foreach (var role in Options.Roles)
+            {
+                claims.Add(new Claim(JwtTokenService.RoleClaimType, role));
+            }
+            var identity = new ClaimsIdentity(claims, SchemeName);
+            var principal = new ClaimsPrincipal(identity);
+            var ticket = new AuthenticationTicket(principal, SchemeName);
+            return Task.FromResult(AuthenticateResult.Success(ticket));
+        }
+    }
+
+    private sealed class FakeAuthHandlerOptions : AuthenticationSchemeOptions
+    {
+        public string[] Roles { get; set; } = Array.Empty<string>();
+    }
+}

tests/ScadaLink.CentralUI.Tests/Pages/AuditLogPageScaffoldTests.cs

@@ -61,7 +61,19 @@ public class AuditLogPageScaffoldTests : BunitContext
             nav.NavigateTo($"/audit/log?{query}");
         }
 
-        return Render<AuditLogPage>();
+        // Bundle G (#23 M7-T15): the page now hosts an in-component
+        // AuthorizeView around the Export-CSV button, so the page MUST
+        // render inside a CascadingAuthenticationState. The router supplies
+        // this in production; bUnit hosts the page directly so we wrap it
+        // here.
+        var host = Render<CascadingAuthenticationState>(parameters => parameters
+            .Add(p => p.ChildContent, (RenderFragment)(builder =>
+            {
+                builder.OpenComponent<AuditLogPage>(0);
+                builder.CloseComponent();
+            })));
+
+        return host.FindComponent<AuditLogPage>();
     }
 
     private IRenderedComponent<NavMenu> RenderNavMenu(params string[] roles)

tests/ScadaLink.Security.Tests/SecurityTests.cs

@@ -1077,6 +1077,59 @@ public class AuthorizationPolicyTests
         Assert.False(await EvaluatePolicy(AuthorizationPolicies.RequireAdmin, principal));
         Assert.False(await EvaluatePolicy(AuthorizationPolicies.RequireDesign, principal));
         Assert.False(await EvaluatePolicy(AuthorizationPolicies.RequireDeployment, principal));
+        Assert.False(await EvaluatePolicy(AuthorizationPolicies.OperationalAudit, principal));
+        Assert.False(await EvaluatePolicy(AuthorizationPolicies.AuditExport, principal));
+    }
+
+    // ─────────────────────────────────────────────────────────────────────
+    // Audit Log #23 — OperationalAudit + AuditExport policies (M7-T15).
+    // Default mapping (see AuthorizationPolicies XML doc):
+    //   Admin         → OperationalAudit + AuditExport
+    //   Audit         → OperationalAudit + AuditExport
+    //   AuditReadOnly → OperationalAudit only
+    //   Design        → neither
+    //   Deployment    → neither
+    // ─────────────────────────────────────────────────────────────────────
+
+    [Theory]
+    [InlineData("Admin")]
+    [InlineData("Audit")]
+    [InlineData("AuditReadOnly")]
+    public async Task OperationalAuditPolicy_GrantedRoles_Succeed(string role)
+    {
+        var principal = CreatePrincipal(new[] { role });
+        Assert.True(await EvaluatePolicy(AuthorizationPolicies.OperationalAudit, principal));
+    }
+
+    [Theory]
+    [InlineData("Design")]
+    [InlineData("Deployment")]
+    public async Task OperationalAuditPolicy_UngrantedRoles_Fail(string role)
+    {
+        var principal = CreatePrincipal(new[] { role });
+        Assert.False(await EvaluatePolicy(AuthorizationPolicies.OperationalAudit, principal));
+    }
+
+    [Theory]
+    [InlineData("Admin")]
+    [InlineData("Audit")]
+    public async Task AuditExportPolicy_GrantedRoles_Succeed(string role)
+    {
+        var principal = CreatePrincipal(new[] { role });
+        Assert.True(await EvaluatePolicy(AuthorizationPolicies.AuditExport, principal));
+    }
+
+    [Theory]
+    [InlineData("AuditReadOnly")]
+    [InlineData("Design")]
+    [InlineData("Deployment")]
+    public async Task AuditExportPolicy_UngrantedRoles_Fail(string role)
+    {
+        // AuditReadOnly is the load-bearing case: it grants OperationalAudit
+        // (read) but NOT AuditExport (bulk export) — the split that lets a
+        // triage operator drill in without exfiltrating the table.
+        var principal = CreatePrincipal(new[] { role });
+        Assert.False(await EvaluatePolicy(AuthorizationPolicies.AuditExport, principal));
     }
 
     [Fact]