feat(api): UDT-004 dominio + repositorio + application roles (tdd)

- Migraciones V003 (tabla Rol + 8 seeds canonicos) y V004 (drop CK + FK Usuario.Rol)
- Dominio: Rol entity + 3 excepciones (RolNotFound/AlreadyExists/InUse)
- Infraestructura: RolRepository (Dapper) con List/Get/ExistsActive/Add/Update/HasActiveUsuarios
- Application: CRUD queries y commands (List, Get, Create, Update, Deactivate) + validators (codigo regex ^[a-z][a-z0-9_]*$)
- Validator UDT-003: whitelist alineada a codigos canonicos (full IRolRepository lookup diferido a Phase 5.1)
- Tests: 169 application + 15 api (todos verdes). Respawn configurado para re-seedear Rol canonical post-reset.
- Estricto TDD: RED/GREEN/TRIANGULATE en todos los handlers nuevos.

tests/SIGCM2.Application.Tests/Roles/Update/UpdateRolCommandHandlerTests.cs

@@ -0,0 +1,64 @@
+using NSubstitute;
+using SIGCM2.Application.Abstractions.Persistence;
+using SIGCM2.Application.Roles.Update;
+using SIGCM2.Domain.Entities;
+using SIGCM2.Domain.Exceptions;
+
+namespace SIGCM2.Application.Tests.Roles.Update;
+
+public class UpdateRolCommandHandlerTests
+{
+    private readonly IRolRepository _repository = Substitute.For<IRolRepository>();
+    private readonly UpdateRolCommandHandler _handler;
+
+    public UpdateRolCommandHandlerTests()
+    {
+        _handler = new UpdateRolCommandHandler(_repository);
+    }
+
+    [Fact]
+    public async Task Handle_NonExistentCodigo_ThrowsRolNotFoundException()
+    {
+        _repository.UpdateAsync("missing", Arg.Any<string>(), Arg.Any<string?>(), Arg.Any<bool>(), Arg.Any<CancellationToken>())
+            .Returns(false);
+
+        var ex = await Assert.ThrowsAsync<RolNotFoundException>(
+            () => _handler.Handle(new UpdateRolCommand("missing", "X", null, true)));
+
+        Assert.Equal("missing", ex.Codigo);
+    }
+
+    [Fact]
+    public async Task Handle_Happy_ReturnsDtoWithUpdatedFields()
+    {
+        var fechaCreacion = new DateTime(2026, 4, 10, 9, 0, 0, DateTimeKind.Utc);
+        var fechaModificacion = new DateTime(2026, 4, 15, 12, 0, 0, DateTimeKind.Utc);
+
+        _repository.UpdateAsync("cajero", "Cajero V2", "Desc V2", true, Arg.Any<CancellationToken>())
+            .Returns(true);
+        _repository.GetByCodigoAsync("cajero")
+            .Returns(new Rol(10, "cajero", "Cajero V2", "Desc V2", true, fechaCreacion, fechaModificacion));
+
+        var dto = await _handler.Handle(new UpdateRolCommand("cajero", "Cajero V2", "Desc V2", true));
+
+        Assert.Equal(10, dto.Id);
+        Assert.Equal("Cajero V2", dto.Nombre);
+        Assert.Equal("Desc V2", dto.Descripcion);
+        Assert.True(dto.Activo);
+        Assert.Equal(fechaModificacion, dto.FechaModificacion);
+    }
+
+    [Fact]
+    public async Task Handle_Happy_CallsUpdateAsyncWithExactFields()
+    {
+        var now = new DateTime(2026, 4, 15, 12, 0, 0, DateTimeKind.Utc);
+        _repository.UpdateAsync(Arg.Any<string>(), Arg.Any<string>(), Arg.Any<string?>(), Arg.Any<bool>(), Arg.Any<CancellationToken>())
+            .Returns(true);
+        _repository.GetByCodigoAsync("cajero")
+            .Returns(new Rol(1, "cajero", "X", null, false, now, now));
+
+        await _handler.Handle(new UpdateRolCommand("cajero", "X", null, false));
+
+        await _repository.Received(1).UpdateAsync("cajero", "X", null, false, Arg.Any<CancellationToken>());
+    }
+}

tests/SIGCM2.Application.Tests/Roles/Update/UpdateRolCommandValidatorTests.cs

@@ -0,0 +1,51 @@
+using FluentValidation.TestHelper;
+using SIGCM2.Application.Roles.Update;
+
+namespace SIGCM2.Application.Tests.Roles.Update;
+
+public class UpdateRolCommandValidatorTests
+{
+    private static UpdateRolCommandValidator BuildValidator() => new();
+    private static UpdateRolCommand Valid() => new("cajero", "Cajero Updated", "Desc updated", true);
+
+    [Fact]
+    public void Validate_Valid_NoErrors()
+    {
+        BuildValidator().TestValidate(Valid()).ShouldNotHaveAnyValidationErrors();
+    }
+
+    [Fact]
+    public void Validate_EmptyCodigo_HasError()
+    {
+        BuildValidator().TestValidate(Valid() with { Codigo = "" })
+            .ShouldHaveValidationErrorFor(c => c.Codigo);
+    }
+
+    [Fact]
+    public void Validate_EmptyNombre_HasError()
+    {
+        BuildValidator().TestValidate(Valid() with { Nombre = "" })
+            .ShouldHaveValidationErrorFor(c => c.Nombre);
+    }
+
+    [Fact]
+    public void Validate_NombreTooLong_HasError()
+    {
+        BuildValidator().TestValidate(Valid() with { Nombre = new string('a', 61) })
+            .ShouldHaveValidationErrorFor(c => c.Nombre);
+    }
+
+    [Fact]
+    public void Validate_NullDescripcion_Allowed()
+    {
+        BuildValidator().TestValidate(Valid() with { Descripcion = null })
+            .ShouldNotHaveValidationErrorFor(c => c.Descripcion);
+    }
+
+    [Fact]
+    public void Validate_DescripcionTooLong_HasError()
+    {
+        BuildValidator().TestValidate(Valid() with { Descripcion = new string('a', 251) })
+            .ShouldHaveValidationErrorFor(c => c.Descripcion);
+    }
+}