fix(management-service): resolve ManagementService-005,008,010,011 — supervision strategy, configured command timeout, remove stale ResolveRoles path; ManagementService-012 deferred

tests/ScadaLink.ManagementService.Tests/ManagementActorTests.cs

@@ -715,6 +715,33 @@ public class ManagementActorTests : TestKit, IDisposable
     // continuation rather than escaping or being silently dropped.
     // ========================================================================
 
+    // ========================================================================
+    // ResolveRolesCommand dead-code removal (finding ManagementService-011 / -008)
+    //
+    // The two-step ResolveRoles + command flow is retired: the HTTP endpoint does
+    // LDAP auth and role resolution itself. The actor must no longer dispatch
+    // ResolveRolesCommand — a stray ClusterClient sender hitting it gets a uniform
+    // ManagementError rather than an unauthenticated role-mapping enumeration.
+    // ========================================================================
+
+    [Fact]
+    public void ResolveRolesCommand_IsNoLongerDispatched_ReturnsManagementError()
+    {
+        var secRepo = Substitute.For<ISecurityRepository>();
+        _services.AddScoped(_ => secRepo);
+
+        var actor = CreateActor();
+        var envelope = Envelope(new ResolveRolesCommand(new[] { "cn=admins" }));
+
+        actor.Tell(envelope);
+
+        var response = ExpectMsg<ManagementError>(TimeSpan.FromSeconds(5));
+        Assert.Equal(envelope.CorrelationId, response.CorrelationId);
+        Assert.Equal("COMMAND_FAILED", response.ErrorCode);
+        // No role-mapping data is enumerated/leaked back to the caller.
+        secRepo.DidNotReceiveWithAnyArgs().GetAllMappingsAsync(default);
+    }
+
     [Fact]
     public void UnknownCommandType_FaultMappedToManagementError()
     {