fix(central-ui): resolve CentralUI-007..014 — nav authz, UTC date filters, disposal guards, N+1 fix, async script analysis

tests/ScadaLink.CentralUI.Tests/Monitoring/MonitoringAuthorizationTests.cs

@@ -0,0 +1,50 @@
+using Microsoft.AspNetCore.Authorization;
+using ScadaLink.CentralUI.Components.Pages.Monitoring;
+using ScadaLink.Security;
+
+namespace ScadaLink.CentralUI.Tests.Monitoring;
+
+/// <summary>
+/// Regression tests for CentralUI-007. The design doc classifies the Site Event
+/// Log Viewer and Parked Message Management as <b>Deployment Role</b>, but both
+/// pages were annotated only <c>[Authorize]</c> (any authenticated user) — a
+/// non-Deployment user who followed the nav link could query event logs and
+/// retry/discard parked messages. The Health Dashboard is intentionally
+/// all-roles per the design.
+/// </summary>
+public class MonitoringAuthorizationTests
+{
+    private static AuthorizeAttribute? AuthorizeOf<TPage>()
+        => typeof(TPage)
+            .GetCustomAttributes(typeof(AuthorizeAttribute), true)
+            .Cast<AuthorizeAttribute>()
+            .FirstOrDefault();
+
+    [Fact]
+    public void EventLogsPage_RequiresDeploymentPolicy()
+    {
+        var attr = AuthorizeOf<EventLogs>();
+
+        Assert.NotNull(attr);
+        Assert.Equal(AuthorizationPolicies.RequireDeployment, attr!.Policy);
+    }
+
+    [Fact]
+    public void ParkedMessagesPage_RequiresDeploymentPolicy()
+    {
+        var attr = AuthorizeOf<ParkedMessages>();
+
+        Assert.NotNull(attr);
+        Assert.Equal(AuthorizationPolicies.RequireDeployment, attr!.Policy);
+    }
+
+    [Fact]
+    public void HealthDashboard_IsIntentionallyAllAuthenticatedRoles()
+    {
+        // Health Dashboard stays all-roles (no policy) per the design doc.
+        var attr = AuthorizeOf<Health>();
+
+        Assert.NotNull(attr);
+        Assert.Null(attr!.Policy);
+    }
+}