fix(central-ui): resolve CentralUI-007..014 — nav authz, UTC date filters, disposal guards, N+1 fix, async script analysis

tests/ScadaLink.CentralUI.Tests/Admin/SitesPageTests.cs

@@ -0,0 +1,105 @@
+using System.Security.Claims;
+using Bunit;
+using Microsoft.AspNetCore.Components.Authorization;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging.Abstractions;
+using Microsoft.Extensions.Options;
+using NSubstitute;
+using ScadaLink.CentralUI.Components.Shared;
+using ScadaLink.Commons.Entities.Sites;
+using ScadaLink.Commons.Interfaces.Repositories;
+using ScadaLink.Commons.Interfaces.Services;
+using ScadaLink.Communication;
+using ScadaLink.DeploymentManager;
+using SitesPage = ScadaLink.CentralUI.Components.Pages.Admin.Sites;
+
+namespace ScadaLink.CentralUI.Tests.Admin;
+
+/// <summary>
+/// Regression tests for CentralUI-012. The Sites page loaded all sites and then
+/// issued <c>GetDataConnectionsBySiteIdAsync</c> once per site (N+1 database
+/// round-trips on every load and post-delete refresh). The fix fetches all
+/// data connections in a single <c>GetAllDataConnectionsAsync</c> call and
+/// groups them client-side.
+/// </summary>
+public class SitesPageTests : BunitContext
+{
+    private readonly ISiteRepository _siteRepo = Substitute.For<ISiteRepository>();
+
+    private void RegisterServices()
+    {
+        Services.AddSingleton(_siteRepo);
+
+        var comms = new CommunicationService(
+            Options.Create(new CommunicationOptions()),
+            NullLogger<CommunicationService>.Instance);
+        Services.AddSingleton(comms);
+
+        var artifactSvc = new ArtifactDeploymentService(
+            _siteRepo,
+            Substitute.For<IDeploymentManagerRepository>(),
+            Substitute.For<ITemplateEngineRepository>(),
+            Substitute.For<IExternalSystemRepository>(),
+            Substitute.For<INotificationRepository>(),
+            comms,
+            Substitute.For<IAuditService>(),
+            Options.Create(new DeploymentManagerOptions()),
+            NullLogger<ArtifactDeploymentService>.Instance);
+        Services.AddSingleton(artifactSvc);
+
+        Services.AddSingleton<IDialogService>(Substitute.For<IDialogService>());
+
+        var identity = new ClaimsIdentity(
+            new[] { new Claim(ClaimTypes.Name, "admin") }, "TestCookie");
+        var authState = new AuthenticationState(new ClaimsPrincipal(identity));
+        Services.AddSingleton<AuthenticationStateProvider>(
+            new StubAuthStateProvider(authState));
+    }
+
+    private sealed class StubAuthStateProvider : AuthenticationStateProvider
+    {
+        private readonly AuthenticationState _state;
+        public StubAuthStateProvider(AuthenticationState state) => _state = state;
+        public override Task<AuthenticationState> GetAuthenticationStateAsync()
+            => Task.FromResult(_state);
+    }
+
+    private static List<Site> Sites(params int[] ids)
+        => ids.Select(id => new Site($"Site{id}", $"SITE-{id}") { Id = id }).ToList();
+
+    private static DataConnection Conn(int siteId, string name)
+        => new(name, "OpcUa", siteId);
+
+    [Fact]
+    public void LoadData_FetchesAllConnectionsInOneQuery_NoPerSiteQueries()
+    {
+        RegisterServices();
+        _siteRepo.GetAllSitesAsync().Returns(Sites(1, 2, 3));
+        _siteRepo.GetAllDataConnectionsAsync().Returns(new List<DataConnection>
+        {
+            Conn(1, "c1"), Conn(2, "c2"), Conn(3, "c3"),
+        });
+
+        Render<SitesPage>();
+
+        // Regression: exactly one bulk query, and zero per-site queries.
+        _siteRepo.Received(1).GetAllDataConnectionsAsync();
+        _siteRepo.DidNotReceive().GetDataConnectionsBySiteIdAsync(Arg.Any<int>());
+    }
+
+    [Fact]
+    public void LoadData_GroupsConnectionsBySite_AndRendersThem()
+    {
+        RegisterServices();
+        _siteRepo.GetAllSitesAsync().Returns(Sites(1, 2));
+        _siteRepo.GetAllDataConnectionsAsync().Returns(new List<DataConnection>
+        {
+            Conn(1, "alpha-conn"), Conn(2, "beta-conn"),
+        });
+
+        var cut = Render<SitesPage>();
+
+        Assert.Contains("alpha-conn", cut.Markup);
+        Assert.Contains("beta-conn", cut.Markup);
+    }
+}

tests/ScadaLink.CentralUI.Tests/Deployment/DebugViewDisposalTests.cs

@@ -0,0 +1,104 @@
+using System.Reflection;
+using System.Security.Claims;
+using Bunit;
+using Microsoft.AspNetCore.Components.Authorization;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging.Abstractions;
+using Microsoft.Extensions.Options;
+using NSubstitute;
+using ScadaLink.CentralUI.Auth;
+using ScadaLink.Commons.Entities.Sites;
+using ScadaLink.Commons.Interfaces.Repositories;
+using ScadaLink.Communication;
+using ScadaLink.Communication.Grpc;
+using DebugViewPage = ScadaLink.CentralUI.Components.Pages.Deployment.DebugView;
+
+namespace ScadaLink.CentralUI.Tests.Deployment;
+
+/// <summary>
+/// Regression tests for CentralUI-009. The <c>DebugView</c> stream callbacks
+/// (<c>onEvent</c>/<c>onTerminated</c>) run on an Akka/gRPC thread and capture
+/// <c>this</c> and <c>_toast</c>. If the user navigates away, an in-flight
+/// callback could still call <c>_toast.ShowError(...)</c> /
+/// <c>InvokeAsync(StateHasChanged)</c> on a disposed component. The fix adds a
+/// <c>_disposed</c> flag checked at the top of every callback, set in
+/// <c>Dispose()</c> before the stream is stopped.
+/// <para>
+/// The Akka-thread timing race itself is not deterministically reproducible in
+/// a unit test (<see cref="DebugStreamService"/> is a non-virtual concrete
+/// class with no seam to inject and later fire the callbacks). These tests pin
+/// the observable parts of the fix: the component exposes a disposal guard, and
+/// disposal is clean and idempotent.
+/// </para>
+/// </summary>
+public class DebugViewDisposalTests : BunitContext
+{
+    private void RegisterServices()
+    {
+        // DebugView touches localStorage on render; let bUnit answer loosely.
+        JSInterop.Mode = JSRuntimeMode.Loose;
+
+        var repo = Substitute.For<ITemplateEngineRepository>();
+        var siteRepo = Substitute.For<ISiteRepository>();
+        siteRepo.GetAllSitesAsync().Returns(new List<Site>());
+        Services.AddSingleton(repo);
+        Services.AddSingleton(siteRepo);
+
+        var comms = new CommunicationService(
+            Options.Create(new CommunicationOptions()),
+            NullLogger<CommunicationService>.Instance);
+        Services.AddSingleton(comms);
+
+        var grpcFactory = new SiteStreamGrpcClientFactory(NullLoggerFactory.Instance);
+        var debugStream = new DebugStreamService(
+            comms, Services.BuildServiceProvider(), grpcFactory,
+            NullLogger<DebugStreamService>.Instance);
+        Services.AddSingleton(debugStream);
+
+        var identity = new ClaimsIdentity(
+            new[] { new Claim(ClaimTypes.Name, "deployer") }, "TestCookie");
+        var authState = new AuthenticationState(new ClaimsPrincipal(identity));
+        var stubAuth = new StubAuthStateProvider(authState);
+        Services.AddSingleton<AuthenticationStateProvider>(stubAuth);
+        Services.AddScoped(_ => new SiteScopeService(stubAuth));
+    }
+
+    private sealed class StubAuthStateProvider : AuthenticationStateProvider
+    {
+        private readonly AuthenticationState _state;
+        public StubAuthStateProvider(AuthenticationState state) => _state = state;
+        public override Task<AuthenticationState> GetAuthenticationStateAsync()
+            => Task.FromResult(_state);
+    }
+
+    [Fact]
+    public void DebugView_HasDisposalGuardField()
+    {
+        // The fix introduces a `_disposed` flag that every stream callback
+        // checks before touching component state.
+        var field = typeof(DebugViewPage).GetField(
+            "_disposed", BindingFlags.Instance | BindingFlags.NonPublic);
+
+        Assert.NotNull(field);
+        Assert.Equal(typeof(bool), field!.FieldType);
+    }
+
+    [Fact]
+    public void DebugView_Dispose_SetsDisposedFlag_AndIsIdempotent()
+    {
+        RegisterServices();
+        var cut = Render<DebugViewPage>();
+
+        var field = typeof(DebugViewPage).GetField(
+            "_disposed", BindingFlags.Instance | BindingFlags.NonPublic)!;
+        Assert.False((bool)field.GetValue(cut.Instance)!);
+
+        cut.Instance.Dispose();
+        Assert.True((bool)field.GetValue(cut.Instance)!,
+            "Dispose() must set the guard so in-flight callbacks no-op.");
+
+        // Disposing again must not throw (idempotent).
+        var ex = Record.Exception(() => cut.Instance.Dispose());
+        Assert.Null(ex);
+    }
+}

tests/ScadaLink.CentralUI.Tests/Design/TestRunWarningTests.cs

@@ -0,0 +1,58 @@
+namespace ScadaLink.CentralUI.Tests.Design;
+
+/// <summary>
+/// Regression tests for CentralUI-014. Test Run wires <c>External</c>,
+/// <c>Database</c>, and <c>Notify</c> to central's real services, so a Test Run
+/// has production-equivalent side effects. The finding asked, at minimum, that
+/// this blast radius be surfaced to the user. The Test Run panels in
+/// <c>SharedScriptForm</c> and <c>TemplateEdit</c> carry a prominent
+/// <c>Real I/O</c> badge and an <c>alert-warning</c> block stating the side
+/// effects are real and permanent; <c>ApiMethodForm</c> (Inbound API kind) has
+/// no real-I/O surface at all and correctly omits the badge. These tests pin
+/// that warning so it cannot silently regress.
+/// </summary>
+public class TestRunWarningTests
+{
+    private static string SrcRoot
+    {
+        get
+        {
+            // tests/ScadaLink.CentralUI.Tests/bin/Debug/net10.0 → repo root.
+            var dir = AppContext.BaseDirectory;
+            for (var i = 0; i < 6 && dir is not null; i++)
+                dir = Directory.GetParent(dir)?.FullName;
+            return Path.Combine(dir!, "src", "ScadaLink.CentralUI",
+                "Components", "Pages", "Design");
+        }
+    }
+
+    private static string Read(string fileName)
+        => File.ReadAllText(Path.Combine(SrcRoot, fileName));
+
+    [Theory]
+    [InlineData("SharedScriptForm.razor")]
+    [InlineData("TemplateEdit.razor")]
+    public void TestRunPanel_WithRealIoSurface_ShowsRealIoBadgeAndWarning(string razorFile)
+    {
+        var markup = Read(razorFile);
+
+        // The "Real I/O" badge on the Test Run panel header.
+        Assert.Contains("Real I/O", markup);
+        // The explicit warning that side effects hit real systems and are permanent.
+        Assert.Contains("alert-warning", markup);
+        Assert.Contains("fire for real", markup);
+        Assert.Contains("Side effects are permanent", markup);
+    }
+
+    [Fact]
+    public void ApiMethodForm_TestRun_HasNoRealIoBadge_BecauseInboundApiHasNoSideEffectSurface()
+    {
+        // The Inbound API sandbox host exposes only Parameters / Route (Route
+        // throws) — there is no External/Database/Notify, so no "Real I/O".
+        var markup = Read("ApiMethodForm.razor");
+
+        Assert.DoesNotContain("Real I/O", markup);
+        // It still warns that Route calls throw.
+        Assert.Contains("alert-warning", markup);
+    }
+}

tests/ScadaLink.CentralUI.Tests/Monitoring/BrowserTimeTests.cs

@@ -0,0 +1,67 @@
+using ScadaLink.CentralUI.Components;
+
+namespace ScadaLink.CentralUI.Tests.Monitoring;
+
+/// <summary>
+/// Regression tests for CentralUI-008. <c>&lt;input type="datetime-local"&gt;</c>
+/// yields the value the user typed in their <i>browser-local</i> time zone. The
+/// audit-log filter converted it with <c>new DateTimeOffset(value, TimeSpan.Zero)</c>
+/// — relabelling the local wall-clock value as UTC, shifting the query window by
+/// the user's offset. <see cref="BrowserTime.LocalInputToUtc"/> performs the
+/// correct conversion: it applies the browser offset from <c>getTimezoneOffset()</c>.
+/// </summary>
+public class BrowserTimeTests
+{
+    [Fact]
+    public void LocalInputToUtc_Null_ReturnsNull()
+    {
+        Assert.Null(BrowserTime.LocalInputToUtc(null, 0));
+    }
+
+    [Fact]
+    public void LocalInputToUtc_UtcBrowser_LeavesTimeUnchanged()
+    {
+        // getTimezoneOffset() == 0 for a UTC browser.
+        var local = new DateTime(2026, 5, 16, 9, 30, 0);
+
+        var utc = BrowserTime.LocalInputToUtc(local, 0);
+
+        Assert.Equal(new DateTimeOffset(2026, 5, 16, 9, 30, 0, TimeSpan.Zero), utc);
+    }
+
+    [Fact]
+    public void LocalInputToUtc_PositiveUtcOffsetBrowser_SubtractsOffset()
+    {
+        // A browser at UTC+2 reports getTimezoneOffset() == -120.
+        // The user typing 09:30 local means 07:30 UTC.
+        var local = new DateTime(2026, 5, 16, 9, 30, 0);
+
+        var utc = BrowserTime.LocalInputToUtc(local, -120);
+
+        Assert.Equal(new DateTimeOffset(2026, 5, 16, 7, 30, 0, TimeSpan.Zero), utc);
+    }
+
+    [Fact]
+    public void LocalInputToUtc_NegativeUtcOffsetBrowser_AddsOffset()
+    {
+        // A browser at UTC-5 (US Eastern, standard time) reports getTimezoneOffset() == 300.
+        // The user typing 09:30 local means 14:30 UTC.
+        var local = new DateTime(2026, 5, 16, 9, 30, 0);
+
+        var utc = BrowserTime.LocalInputToUtc(local, 300);
+
+        Assert.Equal(new DateTimeOffset(2026, 5, 16, 14, 30, 0, TimeSpan.Zero), utc);
+    }
+
+    [Fact]
+    public void LocalInputToUtc_NonUtcBrowser_DoesNotEqualNaiveRelabelling()
+    {
+        // The pre-fix bug: naive new DateTimeOffset(value, TimeSpan.Zero).
+        var local = new DateTime(2026, 5, 16, 9, 30, 0);
+        var naive = new DateTimeOffset(local, TimeSpan.Zero);
+
+        var correct = BrowserTime.LocalInputToUtc(local, 300);
+
+        Assert.NotEqual(naive, correct);
+    }
+}

tests/ScadaLink.CentralUI.Tests/Monitoring/MonitoringAuthorizationTests.cs

@@ -0,0 +1,50 @@
+using Microsoft.AspNetCore.Authorization;
+using ScadaLink.CentralUI.Components.Pages.Monitoring;
+using ScadaLink.Security;
+
+namespace ScadaLink.CentralUI.Tests.Monitoring;
+
+/// <summary>
+/// Regression tests for CentralUI-007. The design doc classifies the Site Event
+/// Log Viewer and Parked Message Management as <b>Deployment Role</b>, but both
+/// pages were annotated only <c>[Authorize]</c> (any authenticated user) — a
+/// non-Deployment user who followed the nav link could query event logs and
+/// retry/discard parked messages. The Health Dashboard is intentionally
+/// all-roles per the design.
+/// </summary>
+public class MonitoringAuthorizationTests
+{
+    private static AuthorizeAttribute? AuthorizeOf<TPage>()
+        => typeof(TPage)
+            .GetCustomAttributes(typeof(AuthorizeAttribute), true)
+            .Cast<AuthorizeAttribute>()
+            .FirstOrDefault();
+
+    [Fact]
+    public void EventLogsPage_RequiresDeploymentPolicy()
+    {
+        var attr = AuthorizeOf<EventLogs>();
+
+        Assert.NotNull(attr);
+        Assert.Equal(AuthorizationPolicies.RequireDeployment, attr!.Policy);
+    }
+
+    [Fact]
+    public void ParkedMessagesPage_RequiresDeploymentPolicy()
+    {
+        var attr = AuthorizeOf<ParkedMessages>();
+
+        Assert.NotNull(attr);
+        Assert.Equal(AuthorizationPolicies.RequireDeployment, attr!.Policy);
+    }
+
+    [Fact]
+    public void HealthDashboard_IsIntentionallyAllAuthenticatedRoles()
+    {
+        // Health Dashboard stays all-roles (no policy) per the design doc.
+        var attr = AuthorizeOf<Health>();
+
+        Assert.NotNull(attr);
+        Assert.Null(attr!.Policy);
+    }
+}

tests/ScadaLink.CentralUI.Tests/ScriptAnalysis/ScriptAnalysisAsyncResolveTests.cs

@@ -0,0 +1,91 @@
+using Microsoft.Extensions.Caching.Memory;
+using NSubstitute;
+using ScadaLink.CentralUI.ScriptAnalysis;
+using ScadaLink.TemplateEngine;
+
+namespace ScadaLink.CentralUI.Tests.ScriptAnalysis;
+
+/// <summary>
+/// Regression tests for CentralUI-013. <c>ResolveCalledShape</c> resolved shared
+/// script shapes with <c>_sharedScripts.GetShapesAsync().GetAwaiter().GetResult()</c>
+/// — a sync-over-async block on a request thread that risks thread-pool
+/// starvation and deadlock. <c>Hover</c> and <c>SignatureHelp</c> were synchronous
+/// purely to accommodate that block. The fix makes both methods async and
+/// <c>await</c>s the catalog.
+/// </summary>
+public class ScriptAnalysisAsyncResolveTests
+{
+    private readonly ISharedScriptCatalog _catalog = Substitute.For<ISharedScriptCatalog>();
+    private readonly IMemoryCache _cache = new MemoryCache(new MemoryCacheOptions { SizeLimit = 100 });
+    private readonly IServiceProvider _services = Substitute.For<IServiceProvider>();
+    private readonly ScriptAnalysisService _svc;
+
+    public ScriptAnalysisAsyncResolveTests()
+    {
+        _catalog.GetShapesAsync().Returns(Array.Empty<ScriptShape>());
+        _svc = new ScriptAnalysisService(_catalog, _cache, _services);
+    }
+
+    private static ScriptShape Shape(string name, params ParameterShape[] ps) => new(name, ps, null);
+    private static ParameterShape Param(string name, string type) => new(name, type, true);
+
+    [Fact]
+    public async Task HoverAsync_OnSharedCallName_AwaitsCatalog_AndResolvesShape()
+    {
+        // The catalog only completes after yielding — a truly asynchronous
+        // source. The fixed Hover awaits it instead of blocking.
+        _catalog.GetShapesAsync().Returns(async _ =>
+        {
+            await Task.Yield();
+            return (IReadOnlyList<ScriptShape>)new[]
+            {
+                Shape("Aggregate", Param("window", "Integer")),
+            };
+        });
+
+        var resp = await _svc.Hover(new HoverRequest(
+            CodeText: "var r = Scripts.CallShared(\"Aggregate\");",
+            Line: 1,
+            Column: 30));
+
+        Assert.NotNull(resp.Markdown);
+        Assert.Contains("shared script", resp.Markdown);
+        Assert.Contains("Aggregate", resp.Markdown);
+    }
+
+    [Fact]
+    public async Task SignatureHelpAsync_InsideSharedCall_AwaitsCatalog_AndResolvesParameters()
+    {
+        _catalog.GetShapesAsync().Returns(async _ =>
+        {
+            await Task.Yield();
+            return (IReadOnlyList<ScriptShape>)new[]
+            {
+                Shape("Aggregate", Param("window", "Integer"), Param("mode", "String")),
+            };
+        });
+
+        var resp = await _svc.SignatureHelp(new SignatureHelpRequest(
+            CodeText: "var r = Scripts.CallShared(\"Aggregate\", ",
+            Line: 1,
+            Column: 41));
+
+        Assert.NotNull(resp.Label);
+        Assert.Contains("Aggregate", resp.Label!);
+        Assert.Equal(2, resp.Parameters!.Count);
+    }
+
+    [Fact]
+    public void HoverAndSignatureHelp_AreAsync_NotSyncOverAsync()
+    {
+        // Structural guard: the methods must return Task so the catalog can be
+        // awaited rather than blocked with .GetAwaiter().GetResult().
+        var hover = typeof(ScriptAnalysisService).GetMethod(nameof(ScriptAnalysisService.Hover));
+        var sigHelp = typeof(ScriptAnalysisService).GetMethod(nameof(ScriptAnalysisService.SignatureHelp));
+
+        Assert.NotNull(hover);
+        Assert.NotNull(sigHelp);
+        Assert.Equal(typeof(Task<HoverResponse>), hover!.ReturnType);
+        Assert.Equal(typeof(Task<SignatureHelpResponse>), sigHelp!.ReturnType);
+    }
+}

tests/ScadaLink.CentralUI.Tests/ScriptAnalysis/ScriptAnalysisServiceTests.cs

@@ -200,11 +200,11 @@ public class ScriptAnalysisServiceTests
     // ── Hover ─────────────────────────────────────────────────────────────
 
     [Fact]
-    public void Hover_OnSiblingName_ReturnsSignature()
+    public async Task Hover_OnSiblingName_ReturnsSignature()
     {
         var siblings = new[] { Shape("Calc", Param("x", "Integer"), Param("y", "Float")) };
         // Cursor inside the "Calc" name literal of Instance.CallScript("Calc", ...).
-        var resp = _svc.Hover(new HoverRequest(
+        var resp = await _svc.Hover(new HoverRequest(
             CodeText: "var r = Instance.CallScript(\"Calc\", 1, 2);",
             Line: 1,
             Column: 32,
@@ -215,9 +215,9 @@ public class ScriptAnalysisServiceTests
     }
 
     [Fact]
-    public void Hover_OnUnrelatedToken_ReturnsNull()
+    public async Task Hover_OnUnrelatedToken_ReturnsNull()
     {
-        var resp = _svc.Hover(new HoverRequest(
+        var resp = await _svc.Hover(new HoverRequest(
             CodeText: "var r = 1 + 2;",
             Line: 1,
             Column: 5));
@@ -227,10 +227,10 @@ public class ScriptAnalysisServiceTests
     // ── Signature help ────────────────────────────────────────────────────
 
     [Fact]
-    public void SignatureHelp_InsideCallScript_ReturnsParameterStrip()
+    public async Task SignatureHelp_InsideCallScript_ReturnsParameterStrip()
     {
         var siblings = new[] { Shape("Calc", Param("x", "Integer"), Param("y", "Float")) };
-        var resp = _svc.SignatureHelp(new SignatureHelpRequest(
+        var resp = await _svc.SignatureHelp(new SignatureHelpRequest(
             CodeText: "var r = Instance.CallScript(\"Calc\", 1, ",
             Line: 1,
             Column: 40,
@@ -243,9 +243,9 @@ public class ScriptAnalysisServiceTests
     }
 
     [Fact]
-    public void SignatureHelp_OutsideCall_ReturnsNull()
+    public async Task SignatureHelp_OutsideCall_ReturnsNull()
     {
-        var resp = _svc.SignatureHelp(new SignatureHelpRequest(
+        var resp = await _svc.SignatureHelp(new SignatureHelpRequest(
             CodeText: "var r = 1 + 2;",
             Line: 1,
             Column: 5));
@@ -394,9 +394,9 @@ public class ScriptAnalysisServiceTests
     // ── Hover on Parameters["name"] ───────────────────────────────────────
 
     [Fact]
-    public void Hover_OnParametersKey_ShowsDeclaredType()
+    public async Task Hover_OnParametersKey_ShowsDeclaredType()
     {
-        var resp = _svc.Hover(new HoverRequest(
+        var resp = await _svc.Hover(new HoverRequest(
             CodeText: "var x = Parameters[\"name\"];",
             Line: 1,
             Column: 22,

tests/ScadaLink.CentralUI.Tests/Shared/DiffDialogTests.cs

@@ -0,0 +1,60 @@
+using Bunit;
+using ScadaLink.CentralUI.Components.Shared;
+
+namespace ScadaLink.CentralUI.Tests.Shared;
+
+/// <summary>
+/// Regression tests for CentralUI-011. <c>DiffDialog.OpenAsync</c> returns the
+/// <c>TaskCompletionSource</c>'s task, completed only by <c>Close()</c>. If the
+/// user navigated away while the dialog was open, <c>DisposeAsync</c> ran but
+/// never completed the TCS — the awaiting caller was suspended forever and any
+/// cleanup after the await was skipped. The fix completes the TCS in
+/// <c>DisposeAsync</c>.
+/// </summary>
+public class DiffDialogTests : BunitContext
+{
+    [Fact]
+    public async Task DisposeAsync_WhileOpen_CompletesPendingTask()
+    {
+        var cut = Render<DiffDialog>();
+
+        // Open the dialog; the returned task represents the caller's await.
+        // Block-bodied lambda so InvokeAsync sees a void delegate — it must NOT
+        // await the dialog's own (deliberately long-lived) task.
+        Task<bool> pending = null!;
+        await cut.InvokeAsync(
+            () => { pending = cut.Instance.ShowAsync("Compare", "before", "after"); });
+
+        Assert.False(pending.IsCompleted, "Dialog task should be pending while open.");
+
+        // Simulate navigating away while the dialog is still open.
+        await cut.InvokeAsync(async () => await cut.Instance.DisposeAsync());
+
+        // The awaiter must complete deterministically rather than hang forever.
+        var completed = await Task.WhenAny(pending, Task.Delay(TimeSpan.FromSeconds(2)));
+        Assert.Same(pending, completed);
+        Assert.True(pending.IsCompletedSuccessfully);
+        var result = await pending;
+        Assert.False(result, "Dismiss-on-dispose should resolve to false (not confirmed).");
+    }
+
+    [Fact]
+    public async Task Close_CompletesPendingTaskWithTrue()
+    {
+        var cut = Render<DiffDialog>();
+
+        // Block-bodied lambda so InvokeAsync sees a void delegate — it must NOT
+        // await the dialog's own (deliberately long-lived) task.
+        Task<bool> pending = null!;
+        await cut.InvokeAsync(
+            () => { pending = cut.Instance.ShowAsync("Compare", "before", "after"); });
+
+        // Closing via the Close button completes the task with true.
+        await cut.InvokeAsync(() => cut.Find("button.btn-secondary").Click());
+
+        var completed = await Task.WhenAny(pending, Task.Delay(TimeSpan.FromSeconds(2)));
+        Assert.Same(pending, completed);
+        var result = await pending;
+        Assert.True(result);
+    }
+}

tests/ScadaLink.CentralUI.Tests/Shared/ToastNotificationTests.cs

@@ -0,0 +1,80 @@
+using Bunit;
+using ScadaLink.CentralUI.Components.Shared;
+
+namespace ScadaLink.CentralUI.Tests.Shared;
+
+/// <summary>
+/// Regression tests for CentralUI-010. <c>ToastNotification.AddToast</c>
+/// scheduled <c>Task.Delay(dismissMs).ContinueWith(...)</c> with the result
+/// discarded; the continuation called <c>InvokeAsync(StateHasChanged)</c>. When
+/// the host page is disposed before the delay elapses, the continuation ran
+/// against a disposed component and threw <c>ObjectDisposedException</c> on a
+/// thread-pool thread with no catch (an unobserved task exception). The fix
+/// holds a <c>CancellationTokenSource</c> cancelled in <c>Dispose()</c>.
+/// </summary>
+public class ToastNotificationTests : BunitContext
+{
+    [Fact]
+    public async Task ShowToast_AfterDisposal_IsNoOp_AndSchedulesNothing()
+    {
+        // Regression: the pre-fix AddToast always added the toast and scheduled
+        // a Task.Delay continuation, even after Dispose() — the continuation
+        // then ran InvokeAsync(StateHasChanged) against the disposed component.
+        // The fix short-circuits AddToast once the disposal token is cancelled.
+        var cut = Render<ToastNotification>();
+
+        await cut.InvokeAsync(() => cut.Instance.Dispose());
+        await cut.InvokeAsync(() => cut.Instance.ShowError("after dispose", autoDismissMs: 20));
+
+        Assert.Equal(0, cut.Instance.ToastCount);
+    }
+
+    [Fact]
+    public async Task AutoDismiss_AfterDisposal_DoesNotThrowUnobservedException()
+    {
+        var unobserved = new List<Exception>();
+        void Handler(object? s, UnobservedTaskExceptionEventArgs e)
+        {
+            unobserved.Add(e.Exception);
+            e.SetObserved();
+        }
+        TaskScheduler.UnobservedTaskException += Handler;
+        try
+        {
+            var cut = Render<ToastNotification>();
+            // Auto-dismiss after a very short delay so the continuation is
+            // guaranteed to fire well after we dispose the component.
+            await cut.InvokeAsync(() => cut.Instance.ShowSuccess("hello", autoDismissMs: 20));
+
+            // Dispose the component while the auto-dismiss is still pending.
+            await cut.InvokeAsync(() => cut.Instance.Dispose());
+
+            // Give the (now-cancelled) auto-dismiss well past its delay.
+            await Task.Delay(250);
+            GC.Collect();
+            GC.WaitForPendingFinalizers();
+            GC.Collect();
+        }
+        finally
+        {
+            TaskScheduler.UnobservedTaskException -= Handler;
+        }
+
+        Assert.Empty(unobserved);
+    }
+
+    [Fact]
+    public async Task AutoDismiss_BeforeDisposal_StillRemovesToast()
+    {
+        var cut = Render<ToastNotification>();
+        await cut.InvokeAsync(() => cut.Instance.ShowInfo("transient", autoDismissMs: 20));
+
+        // The toast is visible immediately.
+        Assert.Contains("transient", cut.Markup);
+
+        // After the dismiss delay it is removed (auto-dismiss still works).
+        cut.WaitForAssertion(
+            () => Assert.DoesNotContain("transient", cut.Markup),
+            timeout: TimeSpan.FromSeconds(2));
+    }
+}