feat(api): UDT-004 dominio + repositorio + application roles (tdd)

- Migraciones V003 (tabla Rol + 8 seeds canonicos) y V004 (drop CK + FK Usuario.Rol)
- Dominio: Rol entity + 3 excepciones (RolNotFound/AlreadyExists/InUse)
- Infraestructura: RolRepository (Dapper) con List/Get/ExistsActive/Add/Update/HasActiveUsuarios
- Application: CRUD queries y commands (List, Get, Create, Update, Deactivate) + validators (codigo regex ^[a-z][a-z0-9_]*$)
- Validator UDT-003: whitelist alineada a codigos canonicos (full IRolRepository lookup diferido a Phase 5.1)
- Tests: 169 application + 15 api (todos verdes). Respawn configurado para re-seedear Rol canonical post-reset.
- Estricto TDD: RED/GREEN/TRIANGULATE en todos los handlers nuevos.

tests/SIGCM2.Application.Tests/Roles/Create/CreateRolCommandHandlerTests.cs

@@ -0,0 +1,86 @@
+using NSubstitute;
+using SIGCM2.Application.Abstractions.Persistence;
+using SIGCM2.Application.Roles.Create;
+using SIGCM2.Domain.Entities;
+using SIGCM2.Domain.Exceptions;
+
+namespace SIGCM2.Application.Tests.Roles.Create;
+
+public class CreateRolCommandHandlerTests
+{
+    private readonly IRolRepository _repository = Substitute.For<IRolRepository>();
+    private readonly CreateRolCommandHandler _handler;
+
+    private static CreateRolCommand ValidCommand() => new("cajero_senior", "Cajero Senior", "Con más permisos");
+
+    public CreateRolCommandHandlerTests()
+    {
+        _handler = new CreateRolCommandHandler(_repository);
+    }
+
+    [Fact]
+    public async Task Handle_CodigoDuplicado_ThrowsRolAlreadyExistsException()
+    {
+        var now = new DateTime(2026, 4, 15, 10, 0, 0, DateTimeKind.Utc);
+        _repository.GetByCodigoAsync("cajero_senior")
+            .Returns(new Rol(99, "cajero_senior", "Cajero Senior", null, true, now, null));
+
+        var ex = await Assert.ThrowsAsync<RolAlreadyExistsException>(
+            () => _handler.Handle(ValidCommand()));
+
+        Assert.Equal("cajero_senior", ex.Codigo);
+    }
+
+    [Fact]
+    public async Task Handle_CodigoDuplicado_DoesNotCallAddAsync()
+    {
+        var now = new DateTime(2026, 4, 15, 10, 0, 0, DateTimeKind.Utc);
+        _repository.GetByCodigoAsync(Arg.Any<string>())
+            .Returns(new Rol(1, "cajero_senior", "X", null, true, now, null));
+
+        try { await _handler.Handle(ValidCommand()); } catch (RolAlreadyExistsException) { }
+
+        await _repository.DidNotReceive().AddAsync(Arg.Any<Rol>(), Arg.Any<CancellationToken>());
+    }
+
+    [Fact]
+    public async Task Handle_Happy_AddsAndReturnsDtoWithId()
+    {
+        _repository.GetByCodigoAsync(Arg.Any<string>()).Returns((Rol?)null);
+        _repository.AddAsync(Arg.Any<Rol>(), Arg.Any<CancellationToken>()).Returns(42);
+
+        var result = await _handler.Handle(ValidCommand());
+
+        Assert.Equal(42, result.Id);
+        Assert.Equal("cajero_senior", result.Codigo);
+        Assert.Equal("Cajero Senior", result.Nombre);
+        Assert.Equal("Con más permisos", result.Descripcion);
+        Assert.True(result.Activo);
+    }
+
+    [Fact]
+    public async Task Handle_Happy_CallsAddAsyncOnce()
+    {
+        _repository.GetByCodigoAsync(Arg.Any<string>()).Returns((Rol?)null);
+        _repository.AddAsync(Arg.Any<Rol>(), Arg.Any<CancellationToken>()).Returns(5);
+
+        await _handler.Handle(ValidCommand());
+
+        await _repository.Received(1).AddAsync(
+            Arg.Is<Rol>(r => r.Codigo == "cajero_senior" && r.Nombre == "Cajero Senior" && r.Activo),
+            Arg.Any<CancellationToken>());
+    }
+
+    [Fact]
+    public async Task Handle_Happy_WithNullDescripcion_PassesNullToRepository()
+    {
+        _repository.GetByCodigoAsync(Arg.Any<string>()).Returns((Rol?)null);
+        _repository.AddAsync(Arg.Any<Rol>(), Arg.Any<CancellationToken>()).Returns(1);
+
+        await _handler.Handle(new CreateRolCommand("nuevo_rol", "Nuevo", null));
+
+        await _repository.Received(1).AddAsync(
+            Arg.Is<Rol>(r => r.Descripcion == null),
+            Arg.Any<CancellationToken>());
+    }
+}

tests/SIGCM2.Application.Tests/Roles/Create/CreateRolCommandValidatorTests.cs

@@ -0,0 +1,97 @@
+using FluentValidation.TestHelper;
+using SIGCM2.Application.Roles.Create;
+
+namespace SIGCM2.Application.Tests.Roles.Create;
+
+public class CreateRolCommandValidatorTests
+{
+    private static CreateRolCommandValidator BuildValidator() => new();
+    private static CreateRolCommand Valid() => new("cajero_senior", "Cajero Senior", "Cajero con permisos extendidos");
+
+    // ── Happy path ─────────────────────────────────────────────────────────
+
+    [Fact]
+    public void Validate_Valid_NoErrors()
+    {
+        BuildValidator().TestValidate(Valid()).ShouldNotHaveAnyValidationErrors();
+    }
+
+    [Fact]
+    public void Validate_NullDescripcion_IsValid()
+    {
+        BuildValidator().TestValidate(Valid() with { Descripcion = null }).ShouldNotHaveAnyValidationErrors();
+    }
+
+    // ── Codigo ─────────────────────────────────────────────────────────────
+
+    [Fact]
+    public void Validate_EmptyCodigo_HasError()
+    {
+        BuildValidator().TestValidate(Valid() with { Codigo = "" })
+            .ShouldHaveValidationErrorFor(c => c.Codigo);
+    }
+
+    [Fact]
+    public void Validate_CodigoTooShort_HasError()
+    {
+        BuildValidator().TestValidate(Valid() with { Codigo = "ab" })
+            .ShouldHaveValidationErrorFor(c => c.Codigo);
+    }
+
+    [Fact]
+    public void Validate_CodigoTooLong_HasError()
+    {
+        BuildValidator().TestValidate(Valid() with { Codigo = new string('a', 31) })
+            .ShouldHaveValidationErrorFor(c => c.Codigo);
+    }
+
+    [Theory]
+    [InlineData("abc")]              // boundary short
+    [InlineData("cajero")]
+    [InlineData("operador_ctacte")]
+    [InlineData("jefe_publicidad")]
+    [InlineData("a1b2")]
+    public void Validate_CodigoValidFormats_NoError(string codigo)
+    {
+        BuildValidator().TestValidate(Valid() with { Codigo = codigo })
+            .ShouldNotHaveValidationErrorFor(c => c.Codigo);
+    }
+
+    [Theory]
+    [InlineData("Cajero")]           // uppercase
+    [InlineData("1cajero")]          // starts with digit
+    [InlineData("_cajero")]          // starts with underscore
+    [InlineData("cajero senior")]    // space
+    [InlineData("cajero-senior")]    // dash
+    [InlineData("cajero.senior")]    // dot
+    public void Validate_CodigoInvalidFormats_HasError(string codigo)
+    {
+        BuildValidator().TestValidate(Valid() with { Codigo = codigo })
+            .ShouldHaveValidationErrorFor(c => c.Codigo);
+    }
+
+    // ── Nombre ─────────────────────────────────────────────────────────────
+
+    [Fact]
+    public void Validate_EmptyNombre_HasError()
+    {
+        BuildValidator().TestValidate(Valid() with { Nombre = "" })
+            .ShouldHaveValidationErrorFor(c => c.Nombre);
+    }
+
+    [Fact]
+    public void Validate_NombreTooLong_HasError()
+    {
+        BuildValidator().TestValidate(Valid() with { Nombre = new string('a', 61) })
+            .ShouldHaveValidationErrorFor(c => c.Nombre);
+    }
+
+    // ── Descripcion ────────────────────────────────────────────────────────
+
+    [Fact]
+    public void Validate_DescripcionTooLong_HasError()
+    {
+        BuildValidator().TestValidate(Valid() with { Descripcion = new string('a', 251) })
+            .ShouldHaveValidationErrorFor(c => c.Descripcion);
+    }
+}

tests/SIGCM2.Application.Tests/Roles/Deactivate/DeactivateRolCommandHandlerTests.cs

@@ -0,0 +1,98 @@
+using NSubstitute;
+using SIGCM2.Application.Abstractions.Persistence;
+using SIGCM2.Application.Roles.Deactivate;
+using SIGCM2.Domain.Entities;
+using SIGCM2.Domain.Exceptions;
+
+namespace SIGCM2.Application.Tests.Roles.Deactivate;
+
+public class DeactivateRolCommandHandlerTests
+{
+    private readonly IRolRepository _repository = Substitute.For<IRolRepository>();
+    private readonly DeactivateRolCommandHandler _handler;
+
+    private static Rol RolActive(string codigo, int id = 10)
+    {
+        var now = new DateTime(2026, 4, 15, 10, 0, 0, DateTimeKind.Utc);
+        return new Rol(id, codigo, "Nombre", "Desc", true, now, null);
+    }
+
+    public DeactivateRolCommandHandlerTests()
+    {
+        _handler = new DeactivateRolCommandHandler(_repository);
+    }
+
+    [Fact]
+    public async Task Handle_NonExistentCodigo_ThrowsRolNotFoundException()
+    {
+        _repository.GetByCodigoAsync("missing").Returns((Rol?)null);
+
+        var ex = await Assert.ThrowsAsync<RolNotFoundException>(
+            () => _handler.Handle(new DeactivateRolCommand("missing")));
+
+        Assert.Equal("missing", ex.Codigo);
+    }
+
+    [Fact]
+    public async Task Handle_CodigoConUsuariosActivos_ThrowsRolInUseException()
+    {
+        _repository.GetByCodigoAsync("cajero").Returns(RolActive("cajero"));
+        _repository.HasActiveUsuariosAsync("cajero").Returns(true);
+
+        var ex = await Assert.ThrowsAsync<RolInUseException>(
+            () => _handler.Handle(new DeactivateRolCommand("cajero")));
+
+        Assert.Equal("cajero", ex.Codigo);
+    }
+
+    [Fact]
+    public async Task Handle_RolInUse_DoesNotCallUpdateAsync()
+    {
+        _repository.GetByCodigoAsync("cajero").Returns(RolActive("cajero"));
+        _repository.HasActiveUsuariosAsync("cajero").Returns(true);
+
+        try { await _handler.Handle(new DeactivateRolCommand("cajero")); } catch (RolInUseException) { }
+
+        await _repository.DidNotReceive().UpdateAsync(
+            Arg.Any<string>(), Arg.Any<string>(), Arg.Any<string?>(), Arg.Any<bool>(), Arg.Any<CancellationToken>());
+    }
+
+    [Fact]
+    public async Task Handle_Happy_SetsActivoFalseAndReturnsDto()
+    {
+        var now = new DateTime(2026, 4, 15, 10, 0, 0, DateTimeKind.Utc);
+        var afterDeactivation = new DateTime(2026, 4, 15, 13, 0, 0, DateTimeKind.Utc);
+
+        _repository.GetByCodigoAsync("reportes")
+            .Returns(
+                RolActive("reportes", 20),
+                new Rol(20, "reportes", "Nombre", "Desc", false, now, afterDeactivation));
+        _repository.HasActiveUsuariosAsync("reportes").Returns(false);
+        _repository.UpdateAsync("reportes", "Nombre", "Desc", false, Arg.Any<CancellationToken>())
+            .Returns(true);
+
+        var dto = await _handler.Handle(new DeactivateRolCommand("reportes"));
+
+        Assert.Equal(20, dto.Id);
+        Assert.False(dto.Activo);
+        Assert.Equal(afterDeactivation, dto.FechaModificacion);
+    }
+
+    [Fact]
+    public async Task Handle_Happy_CallsUpdateAsyncWithActivoFalse()
+    {
+        var now = new DateTime(2026, 4, 15, 10, 0, 0, DateTimeKind.Utc);
+
+        _repository.GetByCodigoAsync("reportes")
+            .Returns(
+                RolActive("reportes"),
+                new Rol(10, "reportes", "Nombre", "Desc", false, now, now));
+        _repository.HasActiveUsuariosAsync("reportes").Returns(false);
+        _repository.UpdateAsync(Arg.Any<string>(), Arg.Any<string>(), Arg.Any<string?>(), Arg.Any<bool>(), Arg.Any<CancellationToken>())
+            .Returns(true);
+
+        await _handler.Handle(new DeactivateRolCommand("reportes"));
+
+        await _repository.Received(1).UpdateAsync("reportes", "Nombre", "Desc", false, Arg.Any<CancellationToken>());
+    }
+}

tests/SIGCM2.Application.Tests/Roles/Get/GetRolByCodigoQueryHandlerTests.cs

@@ -0,0 +1,43 @@
+using NSubstitute;
+using SIGCM2.Application.Abstractions.Persistence;
+using SIGCM2.Application.Roles.Get;
+using SIGCM2.Domain.Entities;
+using SIGCM2.Domain.Exceptions;
+
+namespace SIGCM2.Application.Tests.Roles.Get;
+
+public class GetRolByCodigoQueryHandlerTests
+{
+    private readonly IRolRepository _repository = Substitute.For<IRolRepository>();
+    private readonly GetRolByCodigoQueryHandler _handler;
+
+    public GetRolByCodigoQueryHandlerTests()
+    {
+        _handler = new GetRolByCodigoQueryHandler(_repository);
+    }
+
+    [Fact]
+    public async Task Handle_ExistingCodigo_ReturnsDto()
+    {
+        var now = new DateTime(2026, 4, 15, 10, 0, 0, DateTimeKind.Utc);
+        _repository.GetByCodigoAsync("cajero").Returns(new Rol(5, "cajero", "Cajero", "Desc", true, now, null));
+
+        var dto = await _handler.Handle(new GetRolByCodigoQuery("cajero"));
+
+        Assert.Equal(5, dto.Id);
+        Assert.Equal("cajero", dto.Codigo);
+        Assert.Equal("Cajero", dto.Nombre);
+        Assert.True(dto.Activo);
+    }
+
+    [Fact]
+    public async Task Handle_NonExistentCodigo_ThrowsRolNotFoundException()
+    {
+        _repository.GetByCodigoAsync("missing").Returns((Rol?)null);
+
+        var ex = await Assert.ThrowsAsync<RolNotFoundException>(
+            () => _handler.Handle(new GetRolByCodigoQuery("missing")));
+
+        Assert.Equal("missing", ex.Codigo);
+    }
+}

tests/SIGCM2.Application.Tests/Roles/List/ListRolesQueryHandlerTests.cs

@@ -0,0 +1,62 @@
+using NSubstitute;
+using SIGCM2.Application.Abstractions.Persistence;
+using SIGCM2.Application.Roles.List;
+using SIGCM2.Domain.Entities;
+
+namespace SIGCM2.Application.Tests.Roles.List;
+
+public class ListRolesQueryHandlerTests
+{
+    private readonly IRolRepository _repository = Substitute.For<IRolRepository>();
+    private readonly ListRolesQueryHandler _handler;
+
+    public ListRolesQueryHandlerTests()
+    {
+        _handler = new ListRolesQueryHandler(_repository);
+    }
+
+    [Fact]
+    public async Task Handle_ReturnsAllRolesFromRepositoryAsDtos()
+    {
+        var now = new DateTime(2026, 4, 15, 10, 0, 0, DateTimeKind.Utc);
+        _repository.ListAsync().Returns(new List<Rol>
+        {
+            new(1, "admin", "Administrador", "Desc admin", true, now, null),
+            new(2, "cajero", "Cajero", "Desc cajero", true, now, null),
+        });
+
+        var result = await _handler.Handle(new ListRolesQuery());
+
+        Assert.Equal(2, result.Count);
+        Assert.Equal("admin", result[0].Codigo);
+        Assert.Equal("Administrador", result[0].Nombre);
+        Assert.Equal("cajero", result[1].Codigo);
+    }
+
+    [Fact]
+    public async Task Handle_IncludesInactiveRoles()
+    {
+        var now = new DateTime(2026, 4, 15, 10, 0, 0, DateTimeKind.Utc);
+        _repository.ListAsync().Returns(new List<Rol>
+        {
+            new(1, "active_code", "Activo", null, true, now, null),
+            new(2, "inactive_code", "Inactivo", null, false, now, null),
+        });
+
+        var result = await _handler.Handle(new ListRolesQuery());
+
+        Assert.Equal(2, result.Count);
+        Assert.True(result[0].Activo);
+        Assert.False(result[1].Activo);
+    }
+
+    [Fact]
+    public async Task Handle_EmptyRepository_ReturnsEmptyList()
+    {
+        _repository.ListAsync().Returns(new List<Rol>());
+
+        var result = await _handler.Handle(new ListRolesQuery());
+
+        Assert.Empty(result);
+    }
+}

tests/SIGCM2.Application.Tests/Roles/Update/UpdateRolCommandHandlerTests.cs

@@ -0,0 +1,64 @@
+using NSubstitute;
+using SIGCM2.Application.Abstractions.Persistence;
+using SIGCM2.Application.Roles.Update;
+using SIGCM2.Domain.Entities;
+using SIGCM2.Domain.Exceptions;
+
+namespace SIGCM2.Application.Tests.Roles.Update;
+
+public class UpdateRolCommandHandlerTests
+{
+    private readonly IRolRepository _repository = Substitute.For<IRolRepository>();
+    private readonly UpdateRolCommandHandler _handler;
+
+    public UpdateRolCommandHandlerTests()
+    {
+        _handler = new UpdateRolCommandHandler(_repository);
+    }
+
+    [Fact]
+    public async Task Handle_NonExistentCodigo_ThrowsRolNotFoundException()
+    {
+        _repository.UpdateAsync("missing", Arg.Any<string>(), Arg.Any<string?>(), Arg.Any<bool>(), Arg.Any<CancellationToken>())
+            .Returns(false);
+
+        var ex = await Assert.ThrowsAsync<RolNotFoundException>(
+            () => _handler.Handle(new UpdateRolCommand("missing", "X", null, true)));
+
+        Assert.Equal("missing", ex.Codigo);
+    }
+
+    [Fact]
+    public async Task Handle_Happy_ReturnsDtoWithUpdatedFields()
+    {
+        var fechaCreacion = new DateTime(2026, 4, 10, 9, 0, 0, DateTimeKind.Utc);
+        var fechaModificacion = new DateTime(2026, 4, 15, 12, 0, 0, DateTimeKind.Utc);
+
+        _repository.UpdateAsync("cajero", "Cajero V2", "Desc V2", true, Arg.Any<CancellationToken>())
+            .Returns(true);
+        _repository.GetByCodigoAsync("cajero")
+            .Returns(new Rol(10, "cajero", "Cajero V2", "Desc V2", true, fechaCreacion, fechaModificacion));
+
+        var dto = await _handler.Handle(new UpdateRolCommand("cajero", "Cajero V2", "Desc V2", true));
+
+        Assert.Equal(10, dto.Id);
+        Assert.Equal("Cajero V2", dto.Nombre);
+        Assert.Equal("Desc V2", dto.Descripcion);
+        Assert.True(dto.Activo);
+        Assert.Equal(fechaModificacion, dto.FechaModificacion);
+    }
+
+    [Fact]
+    public async Task Handle_Happy_CallsUpdateAsyncWithExactFields()
+    {
+        var now = new DateTime(2026, 4, 15, 12, 0, 0, DateTimeKind.Utc);
+        _repository.UpdateAsync(Arg.Any<string>(), Arg.Any<string>(), Arg.Any<string?>(), Arg.Any<bool>(), Arg.Any<CancellationToken>())
+            .Returns(true);
+        _repository.GetByCodigoAsync("cajero")
+            .Returns(new Rol(1, "cajero", "X", null, false, now, now));
+
+        await _handler.Handle(new UpdateRolCommand("cajero", "X", null, false));
+
+        await _repository.Received(1).UpdateAsync("cajero", "X", null, false, Arg.Any<CancellationToken>());
+    }
+}

tests/SIGCM2.Application.Tests/Roles/Update/UpdateRolCommandValidatorTests.cs

@@ -0,0 +1,51 @@
+using FluentValidation.TestHelper;
+using SIGCM2.Application.Roles.Update;
+
+namespace SIGCM2.Application.Tests.Roles.Update;
+
+public class UpdateRolCommandValidatorTests
+{
+    private static UpdateRolCommandValidator BuildValidator() => new();
+    private static UpdateRolCommand Valid() => new("cajero", "Cajero Updated", "Desc updated", true);
+
+    [Fact]
+    public void Validate_Valid_NoErrors()
+    {
+        BuildValidator().TestValidate(Valid()).ShouldNotHaveAnyValidationErrors();
+    }
+
+    [Fact]
+    public void Validate_EmptyCodigo_HasError()
+    {
+        BuildValidator().TestValidate(Valid() with { Codigo = "" })
+            .ShouldHaveValidationErrorFor(c => c.Codigo);
+    }
+
+    [Fact]
+    public void Validate_EmptyNombre_HasError()
+    {
+        BuildValidator().TestValidate(Valid() with { Nombre = "" })
+            .ShouldHaveValidationErrorFor(c => c.Nombre);
+    }
+
+    [Fact]
+    public void Validate_NombreTooLong_HasError()
+    {
+        BuildValidator().TestValidate(Valid() with { Nombre = new string('a', 61) })
+            .ShouldHaveValidationErrorFor(c => c.Nombre);
+    }
+
+    [Fact]
+    public void Validate_NullDescripcion_Allowed()
+    {
+        BuildValidator().TestValidate(Valid() with { Descripcion = null })
+            .ShouldNotHaveValidationErrorFor(c => c.Descripcion);
+    }
+
+    [Fact]
+    public void Validate_DescripcionTooLong_HasError()
+    {
+        BuildValidator().TestValidate(Valid() with { Descripcion = new string('a', 251) })
+            .ShouldHaveValidationErrorFor(c => c.Descripcion);
+    }
+}