fix(central-ui): resolve CentralUI-007..014 — nav authz, UTC date filters, disposal guards, N+1 fix, async script analysis

tests/ScadaLink.CentralUI.Tests/Monitoring/BrowserTimeTests.cs

@@ -0,0 +1,67 @@
+using ScadaLink.CentralUI.Components;
+
+namespace ScadaLink.CentralUI.Tests.Monitoring;
+
+/// <summary>
+/// Regression tests for CentralUI-008. <c>&lt;input type="datetime-local"&gt;</c>
+/// yields the value the user typed in their <i>browser-local</i> time zone. The
+/// audit-log filter converted it with <c>new DateTimeOffset(value, TimeSpan.Zero)</c>
+/// — relabelling the local wall-clock value as UTC, shifting the query window by
+/// the user's offset. <see cref="BrowserTime.LocalInputToUtc"/> performs the
+/// correct conversion: it applies the browser offset from <c>getTimezoneOffset()</c>.
+/// </summary>
+public class BrowserTimeTests
+{
+    [Fact]
+    public void LocalInputToUtc_Null_ReturnsNull()
+    {
+        Assert.Null(BrowserTime.LocalInputToUtc(null, 0));
+    }
+
+    [Fact]
+    public void LocalInputToUtc_UtcBrowser_LeavesTimeUnchanged()
+    {
+        // getTimezoneOffset() == 0 for a UTC browser.
+        var local = new DateTime(2026, 5, 16, 9, 30, 0);
+
+        var utc = BrowserTime.LocalInputToUtc(local, 0);
+
+        Assert.Equal(new DateTimeOffset(2026, 5, 16, 9, 30, 0, TimeSpan.Zero), utc);
+    }
+
+    [Fact]
+    public void LocalInputToUtc_PositiveUtcOffsetBrowser_SubtractsOffset()
+    {
+        // A browser at UTC+2 reports getTimezoneOffset() == -120.
+        // The user typing 09:30 local means 07:30 UTC.
+        var local = new DateTime(2026, 5, 16, 9, 30, 0);
+
+        var utc = BrowserTime.LocalInputToUtc(local, -120);
+
+        Assert.Equal(new DateTimeOffset(2026, 5, 16, 7, 30, 0, TimeSpan.Zero), utc);
+    }
+
+    [Fact]
+    public void LocalInputToUtc_NegativeUtcOffsetBrowser_AddsOffset()
+    {
+        // A browser at UTC-5 (US Eastern, standard time) reports getTimezoneOffset() == 300.
+        // The user typing 09:30 local means 14:30 UTC.
+        var local = new DateTime(2026, 5, 16, 9, 30, 0);
+
+        var utc = BrowserTime.LocalInputToUtc(local, 300);
+
+        Assert.Equal(new DateTimeOffset(2026, 5, 16, 14, 30, 0, TimeSpan.Zero), utc);
+    }
+
+    [Fact]
+    public void LocalInputToUtc_NonUtcBrowser_DoesNotEqualNaiveRelabelling()
+    {
+        // The pre-fix bug: naive new DateTimeOffset(value, TimeSpan.Zero).
+        var local = new DateTime(2026, 5, 16, 9, 30, 0);
+        var naive = new DateTimeOffset(local, TimeSpan.Zero);
+
+        var correct = BrowserTime.LocalInputToUtc(local, 300);
+
+        Assert.NotEqual(naive, correct);
+    }
+}

tests/ScadaLink.CentralUI.Tests/Monitoring/MonitoringAuthorizationTests.cs

@@ -0,0 +1,50 @@
+using Microsoft.AspNetCore.Authorization;
+using ScadaLink.CentralUI.Components.Pages.Monitoring;
+using ScadaLink.Security;
+
+namespace ScadaLink.CentralUI.Tests.Monitoring;
+
+/// <summary>
+/// Regression tests for CentralUI-007. The design doc classifies the Site Event
+/// Log Viewer and Parked Message Management as <b>Deployment Role</b>, but both
+/// pages were annotated only <c>[Authorize]</c> (any authenticated user) — a
+/// non-Deployment user who followed the nav link could query event logs and
+/// retry/discard parked messages. The Health Dashboard is intentionally
+/// all-roles per the design.
+/// </summary>
+public class MonitoringAuthorizationTests
+{
+    private static AuthorizeAttribute? AuthorizeOf<TPage>()
+        => typeof(TPage)
+            .GetCustomAttributes(typeof(AuthorizeAttribute), true)
+            .Cast<AuthorizeAttribute>()
+            .FirstOrDefault();
+
+    [Fact]
+    public void EventLogsPage_RequiresDeploymentPolicy()
+    {
+        var attr = AuthorizeOf<EventLogs>();
+
+        Assert.NotNull(attr);
+        Assert.Equal(AuthorizationPolicies.RequireDeployment, attr!.Policy);
+    }
+
+    [Fact]
+    public void ParkedMessagesPage_RequiresDeploymentPolicy()
+    {
+        var attr = AuthorizeOf<ParkedMessages>();
+
+        Assert.NotNull(attr);
+        Assert.Equal(AuthorizationPolicies.RequireDeployment, attr!.Policy);
+    }
+
+    [Fact]
+    public void HealthDashboard_IsIntentionallyAllAuthenticatedRoles()
+    {
+        // Health Dashboard stays all-roles (no policy) per the design doc.
+        var attr = AuthorizeOf<Health>();
+
+        Assert.NotNull(attr);
+        Assert.Null(attr!.Policy);
+    }
+}