fix(security): enforce disable_* alarm-type settings server-side (#236)

[hokiepokedad2]

Summary

Closes #236.

disable_* alarm-type site settings only hid navigation in the SPA — every alarm controller was reachable via direct API calls regardless of the toggle, and several service-to-service paths (quick-pick apply, profile duplicate/import, cleaning toggle) wrote alarms past the controller layer entirely.

This PR enforces the toggles server-side with defense-in-depth across three layers — controller filter, service-layer guard, and global exception handler — so no future caller can accidentally bypass the gate. Frontend also gets a route guard, a 403 interceptor refinement, and the admin no longer sees disabled nav items (the original bug was a UI/API mismatch — leaving one in place for admins would have recreated it in miniature).

What's in here

Backend gating

• New IFeatureGate (Core/Pgan.PoracleWebNet.Core.Abstractions/Services/IFeatureGate.cs) wrapping ISiteSettingService.GetBoolAsync with IsEnabledAsync / EnsureEnabledAsync. The latter throws FeatureDisabledException. Logs at Info for an audit trail.
• New DisableFeatureKeys (Core/Pgan.PoracleWebNet.Core.Models/) — single source of truth for the 9 disable keys plus a tracking-type→key map used by ProfileOverviewService and TestAlertController.
• [RequireFeatureEnabled] resource filter on all 10 alarm controllers. TestAlertController does the same check inline since the alarm type is a path parameter.
• Service-layer EnsureEnabledAsync calls in every alarm service's CreateAsync, BulkCreateAsync, and UpdateAsync — closes the bypasses found by review (QuickPickService → MonsterService.CreateAsync, etc.). CleaningService.ToggleCleanAsync and ProfileOverviewService.{DuplicateProfile,ImportAlarms}Async pre-validate before any state mutation so a partial copy can't fail mid-loop.
• Global FeatureDisabledExceptionFilter maps any service-thrown exception to HTTP 403; both response paths share FeatureDisabledResponse.Create(disableKey) so the wire format can't drift.

Frontend follow-through

• disabledFeatureGuard(disableKey) factory applied to all 9 alarm routes. Wraps loadOnce() in try/catch — if settings load fails, allows navigation since the backend still enforces.
• 403 interceptor inspects error.error?.disableKey and routes feature-disabled responses through a clearer toast + redirect to /dashboard instead of leaving the user on a broken page.
• Left nav now hides disabled items for admins too. Empty alarm-group label and divider are also suppressed.
• ERROR.FEATURE_DISABLED translation added to all 11 locales.

Performance

• SiteSettingService.GetByKeyAsync wrapped in IMemoryCache (5-min TTL, explicit invalidation on writes). Without this the dashboard would add ~10 MySQL roundtrips per page load (one gate check per alarm endpoint).

Hygiene

• disable_fort_changes was missing from SettingsMigrationService.BooleanKeys and CategoryMap (pre-existing oversight) — now seeded.
• New Feature Gating subsection in CLAUDE.md documenting the pattern for future contributors.

Behavioral changes admins should know

• The toggle now applies to admins too. Previously the SPA admin-bypassed the nav filter. Now if you disable a feature it disappears for everyone, including you. To use it again, flip the toggle off in Admin → Settings.
• No disable_eggs setting. Eggs share the raid disable toggle (they share the raid UI in the SPA). EggService and EggController use DisableFeatureKeys.Raids with explicit comments.
• Existing alarms remain in the DB. This PR blocks new create/update/clean operations against a disabled type — it doesn't delete pre-existing rows or stop PoracleNG from firing alerts on them. If you want to fully retire an alarm type, ask users to delete (or use a future bulk-purge tool).

Test plan

• Backend: dotnet test — 1013 passed (added ~30 tests across FeatureGateTests, FeatureDisabledExceptionFilterTests, RequireFeatureEnabledAttributeTests, per-service disable tests on MonsterService and CleaningService, ProfileOverviewService pre-validation tests, ProfileOverviewController exception-propagation tests).
• Frontend: npm test — 627 passed (new disabled-feature.guard.spec.ts including loadOnce-fails fallback; 403-with-disableKey case in error.interceptor.spec.ts).
• Lint: npm run lint clean.
• Prettier: npm run prettier-check clean.
• dotnet format --verify-no-changes reports zero new violations from this PR.
• Docker image rebuilt locally and container recreated; healthy.
• Smoke-test in browser:
  • Toggle disable_mons=true as admin. Confirm the Pokemon nav item disappears for both admin and non-admin sessions.
  • Try POST /api/monsters with curl as a non-admin → 403 with { disableKey: "disable_mons" }.
  • Try applying the "Standard Pokemon" quick pick → 403.
  • Try duplicating a profile that has monster alarms → 403 with no partial state.
  • Try the test-alert button on an existing pokemon alarm → 403.
  • Browse to /pokemon directly → guard redirects to /dashboard with toast.
  • Toggle off; confirm everything works again.

[hokiepokedad2]

Independent Review

Reviewed as if seeing this for the first time, walking every code path that creates / updates / clean-toggles an alarm.

Security correctness — clean

All paths gated:

Path	Gate
10 alarm controllers	[RequireFeatureEnabled(DisableFeatureKeys.X)] ✓
10 alarm services × Create / BulkCreate / Update	_featureGate.EnsureEnabledAsync(...) first line ✓
CleaningService.ToggleCleanAsync	Resolves type→key via DisableFeatureKeys.ByTrackingType, gates before fetch ✓
ProfileOverviewService.{DuplicateProfile,ImportAlarms}Async	EnsureNoDisabledTypesAsync pre-validates entire payload before any state mutation — no half-populated profiles ✓
QuickPickService.ApplyAsync	Inherits gates via per-type alarm services ✓
TestAlertController.SendTestAlert	Inline check (type is path param) ✓
FeatureDisabledExceptionFilter (global)	Catches anything thrown from deeper layers and maps to 403; both paths share FeatureDisabledResponse.Create so wire format can't drift ✓

Architecture

• IFeatureGate indirection earns its keep — centralizes the inverted-boolean semantics so 10+ callers don't repeat it. Dual API (IsEnabledAsync for boolean checks, EnsureEnabledAsync for control flow) is justified.
• DisableFeatureKeys dual layout (const string fields + ByTrackingType dict) is a thoughtful typo-prevention pattern.
• Throwing for control flow is acceptable here — it fires at most once per blocked request, not in tight loops, and the alternative (return-bool + duplicate checks at every call site) recreates the original UI/API mismatch class of bug.

Performance

• 5-min IMemoryCache on SiteSettingService.GetByKeyAsync with explicit invalidation on writes — without this the dashboard would add ~10 MySQL roundtrips per page load.
• TOCTOU window documented in code (slow read overlapping a write can leak stale data for up to TTL). Acceptable for admin-rare toggles, self-heals.
• Cache key prefix site_setting: — collision-safe.

Frontend

• disabledFeatureGuard on all 9 alarm routes; gracefully allows navigation if loadOnce fails (backend still enforces).
• 403 interceptor distinguishes feature-disabled (has disableKey) from generic permission-denied — different toast + redirect.
• ERROR.FEATURE_DISABLED in all 11 locales.
• Admin no longer sees disabled nav items (the original bug was a UI/API mismatch — leaving one in for admins would have recreated it in miniature).

Test coverage

~30 new tests: FeatureGateTests, RequireFeatureEnabledAttributeTests, FeatureDisabledExceptionFilterTests, per-service disable tests on MonsterService and CleaningService (representative), ProfileOverviewService pre-validation tests, ProfileOverviewController exception-propagation tests, frontend disabled-feature.guard.spec.ts (including loadOnce-fails fallback), 403-with-disableKey case in error.interceptor.spec.ts. All 1013 backend + 627 frontend tests pass.

Backward compat

• No breaking API surface changes (gates are additive).
• Existing alarms remain queryable when feature is enabled.
• disable_eggs deliberately doesn't exist (eggs share raid UI) — documented in EggService and DisableFeatureKeys.
• disable_fort_changes was missing from SettingsMigrationService (pre-existing oversight) — fixed.

Findings

• [praise] Defense-in-depth across three layers + unified response contract is the right shape for this bug class.
• [praise] Pre-validation in ProfileOverviewService prevents half-populated profiles on mid-loop disable.
• [praise] Audit logging at both controller and service layers gives admins symmetric visibility into blocked attempts.
• [minor] TestAlertController keeps its own type→key dictionary instead of reusing DisableFeatureKeys.ByTrackingType. Acceptable since the type whitelist is small and validated, but worth deduplicating on next touch.
• [nit] Per-service disable tests exist only for MonsterService and CleaningService (representative). The other 8 services share the gate via IFeatureGate so the pattern is identical, but one or two more would close the coverage matrix.
• [nit] No app.spec.ts covering the nav-filter logic itself — disabledFeatureGuard is tested in isolation but the alarmNavItems/settingsNavItems computeds aren't.

Recommendation: APPROVE

No blockers. Security correctness is solid, architecture is clean, perf trade-offs are documented, tests are substantial, docs (CHANGELOG + CLAUDE.md Feature Gating subsection) are thorough. Minor / nit items are low-risk given pattern consistency.

[hokiepokedad2]

Closed all 3 review items in commit da9dddc:

• [minor → fixed] TestAlertController now reuses DisableFeatureKeys.ByTrackingType and routes through IFeatureGate.EnsureEnabledAsync (the existing global FeatureDisabledExceptionFilter maps the throw to 403). One less duplicated mapping to drift.
• [nit → fixed] Per-service disable tests added for the 9 remaining alarm services (Raid, Egg, Quest, Invasion, Lure, Nest, Gym, MaxBattle, FortChange). Each verifies CreateAsync and BulkCreateAsync short-circuit at the gate. +18 tests.
• [nit → fixed] New src/app/app.spec.ts covers alarmNavItems / settingsNavItems filter logic, parameterized over all 9 alarm disable keys, including explicit "admin nav also hides disabled items" cases. +23 tests.

Verification: backend 1031 passing, frontend 650 passing (was 1013 / 627), dotnet format, npm run lint, npm run prettier-check all clean.