
fix(security): remediate CodeQL HIGH access-control, IDOR, and log-forging findings #126

Merged
JerrettDavis merged 1 commit into main from fix/security-codeql-findings on Jun 23, 2026

Conversation

@JerrettDavis

Owner

Access control & IDOR (HIGH, alerts #4 and #5)

  • Add [Authorize] to IntegrationsController to enforce authentication on all
    management endpoints, including the unprotected DELETE at line 171 that triggered
    both cs/web/missing-function-level-access-control and
    cs/web/insecure-direct-object-reference.
  • Register authentication middleware (UseAuthentication) in the pipeline so the
    [Authorize] attribute is honoured at runtime.
  • Wire JWT Bearer auth when Auth:Authority is configured; fall back to a
    dev-only no-op handler (DevNoOpAuthHandler) that must be replaced before
    exposing to untrusted networks.
  • Add Microsoft.AspNetCore.Authentication.JwtBearer package reference.

Log-forging (MEDIUM, alerts #1 #2 #152-155 #156-162 #197)

  • Sanitize all user-controlled strings before they reach log calls by stripping
    CR/LF characters (SanitizeForLog helper added to each affected class):
    • QuickApiMapper.Web/Program.cs: inputBody passed to LogDebug
    • Management.Api/Controllers/MessagesController.cs: messageId in LogWarning
    • Demo.JsonApi/Program.cs: statusUpdate.Notes in LogInformation
    • Demo.JsonApi/Services/InMemoryOrderService.cs: orderId x2
    • Demo.SoapApi/Services/WarehouseService.cs: OrderNumber / ConfirmationNumber x4
    • Demo.SoapApi/Storage/InMemoryFulfillmentRepository.cs: ConfirmationNumber / OrderNumber
    • QuickApiMapper.Designer.Web/Services/IntegrationApiClient.cs: url

CodeQL workflow

  • Switch queries from security-and-quality to security-extended to eliminate
    the 14 medium + 57 warning + 177 note quality-rule noise from future scans.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
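One fail-closed way to wire the authentication described in this PR, as an added example rather than the PR's own Program.cs: JWT Bearer when Auth:Authority is set, DevNoOpAuthHandler only in the Development environment, and a startup failure in every other case so the no-op handler cannot reach an untrusted network by accident. The Auth:Audience key, the "DevNoOp" scheme name and the handler body are assumptions; it assumes .NET 8 with the Web SDK's implicit usings.

```csharp
// Added example, not the project's code. Names from the PR: Auth:Authority,
// DevNoOpAuthHandler. Auth:Audience and the "DevNoOp" scheme name are assumed.
using System.Security.Claims;
using System.Text.Encodings.Web;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Options;
var builder = WebApplication.CreateBuilder(args);
var authority = builder.Configuration["Auth:Authority"];
if (!string.IsNullOrWhiteSpace(authority))
{
    builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddJwtBearer(o =>
        {
            o.Authority = authority;                              // token issuer to validate against
            o.Audience = builder.Configuration["Auth:Audience"];  // assumed config key
            o.RequireHttpsMetadata = true;                        // never fetch issuer metadata over http
        });
}
else if (builder.Environment.IsDevelopment())
{
    // Dev-only fallback: every request is accepted as user "dev".
    builder.Services.AddAuthentication("DevNoOp")
        .AddScheme<AuthenticationSchemeOptions, DevNoOpAuthHandler>("DevNoOp", _ => { });
}
else
{
    // Fail closed rather than silently shipping the no-op handler.
    throw new InvalidOperationException(
        "Auth:Authority is not set and the environment is not Development.");
}
builder.Services.AddAuthorization();
builder.Services.AddControllers();
var app = builder.Build();
app.UseAuthentication(); // must precede UseAuthorization, or [Authorize] sees no principal
app.UseAuthorization();
app.MapControllers();    // IntegrationsController carries [Authorize] at class level
app.Run();
// Sketch of the dev-only handler named in the PR: it succeeds unconditionally.
public sealed class DevNoOpAuthHandler(IOptionsMonitor<AuthenticationSchemeOptions> options,
    ILoggerFactory logger, UrlEncoder encoder)
    : AuthenticationHandler<AuthenticationSchemeOptions>(options, logger, encoder)
{
    protected override Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        var id = new ClaimsIdentity([new Claim(ClaimTypes.Name, "dev")], Scheme.Name);
        var ticket = new AuthenticationTicket(new ClaimsPrincipal(id), Scheme.Name);
        return Task.FromResult(AuthenticateResult.Success(ticket));
    }
}
```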
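A SanitizeForLog along the lines the PR describes, as an added example and not the PR's helper: it strips CR/LF as the PR does and, going beyond the PR, also escapes the other control characters, accepts null and caps the length, so one shared helper can replace the per-class copies. The LogSanitizer class name and the maxLength default are assumptions.

```csharp
// Added example, not the PR's helper. Strips CR/LF like the PR's SanitizeForLog and
// additionally escapes every other control character, accepts null and caps length.
using System.Text;

public static class LogSanitizer // class name assumed
{
    public static string SanitizeForLog(string? value, int maxLength = 256)
    {
        if (string.IsNullOrEmpty(value)) return string.Empty;
        var sb = new StringBuilder(Math.Min(value.Length, maxLength));
        foreach (var ch in value)
        {
            // Approximate cap: an escape may push the result a few chars past maxLength.
            if (sb.Length >= maxLength) { sb.Append("..."); break; }
            // \r and \n are what CodeQL flagged; tab, backspace, ESC (ANSI sequences) and
            // the other C0/C1 controls can also corrupt line-oriented logs, so escape them all.
            if (char.IsControl(ch)) sb.Append($"\\u{(int)ch:X4}");
            else sb.Append(ch);
        }
        return sb.ToString();
    }
}

// Call-site shape matching the PR's Demo.JsonApi change:
// logger.LogInformation("Order {OrderId} status updated to {Status}. Notes: {Notes}",
//     id, statusUpdate.Status, LogSanitizer.SanitizeForLog(statusUpdate.Notes));
```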

@github-actions

Contributor

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 1 package(s) with unknown licenses.
See the Details below.

License Issues

src/QuickApiMapper.Management.Api/QuickApiMapper.Management.Api.csproj

Package | Version | License | Issue Type
Microsoft.AspNetCore.Authentication.JwtBearer | >= 0 | Null | Unknown License
Denied Licenses: GPL-2.0, GPL-3.0, AGPL-3.0

OpenSSF Scorecard

Package | Version | Score | Details
nuget/Microsoft.AspNetCore.Authentication.JwtBearer | >= 0 | Unknown | Unknown

Scanned Files

  • src/QuickApiMapper.Management.Api/QuickApiMapper.Management.Api.csproj

@github-actions

Contributor

Test Results

118 tests  ±0   118 ✅ ±0   5s ⏱️ ±0s
  2 suites ±0     0 💤 ±0 
  2 files   ±0     0 ❌ ±0 

Results for commit 92e062b. ± Comparison against base commit c789e3c.

@github-actions

Contributor

🔍 PR Validation Results

Version: 0.0.0-gc312b79ae7

📦 Detected NuGet Packages (17)

  • Demo.JsonApi
  • Demo.SoapApi
  • QuickApiMapper.Application
  • QuickApiMapper.Behaviors
  • QuickApiMapper.Contracts
  • QuickApiMapper.CustomTransformers
  • QuickApiMapper.Extensions.RabbitMQ
  • QuickApiMapper.Extensions.ServiceBus
  • QuickApiMapper.Extensions.gRPC
  • QuickApiMapper.Management.Contracts
  • QuickApiMapper.MessageCapture.Abstractions
  • QuickApiMapper.MessageCapture.InMemory
  • QuickApiMapper.Persistence.Abstractions
  • QuickApiMapper.Persistence.PostgreSQL
  • QuickApiMapper.Persistence.SQLite
  • QuickApiMapper.StandardTransformers
  • QuickApiMapper.Tools.Migrator

🚀 Detected Executables (2)

  • QuickApiMapper.Host.AppHost
  • QuickApiMapper.Tools.Migrator

✅ Validation Steps

  • Build solution
  • Run unit tests
  • Run integration tests
  • Dry-run NuGet packaging
  • Dry-run executable publishing

📊 Artifacts

Dry-run artifacts have been uploaded and will be available for 7 days.


This comment was automatically generated by the PR validation workflow.

{
logger.LogInformation("Order {OrderId} status updated to {Status}. Notes: {Notes}",
id, statusUpdate.Status, statusUpdate.Notes);
id, statusUpdate.Status, SanitizeForLog(statusUpdate.Notes));
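Review bot: only `statusUpdate.Notes` is wrapped here while `id` is still passed raw to the same `LogInformation` call; if `id` is bound from the route as a string it is user-controlled too and should go through `SanitizeForLog` as well (or be a typed parameter such as `int` or `Guid`, which cannot carry CR/LF). Also confirm `SanitizeForLog` accepts a null `Notes` without throwing, since the old line passed the value through unchanged and an optional free-text field will be null on some requests.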
@JerrettDavis JerrettDavis merged commit 9c5bcfe into main Jun 23, 2026
7 checks passed
@JerrettDavis JerrettDavis deleted the fix/security-codeql-findings branch June 23, 2026 02:13