feat(auth): extend LoginResponse with username + mustChangePassword + ultimoLogin [UDT-008]

src/api/SIGCM2.Application/Abstractions/Persistence/IUsuarioRepository.cs

@@ -1,3 +1,4 @@
+using SIGCM2.Application.Common;
 using SIGCM2.Domain.Entities;
 
 namespace SIGCM2.Application.Abstractions.Persistence;
@@ -8,4 +9,12 @@ public interface IUsuarioRepository
     Task<Usuario?> GetByIdAsync(int id, CancellationToken ct = default);
     Task<bool> ExistsByUsernameAsync(string username, CancellationToken ct = default);
     Task<int> AddAsync(Usuario usuario, CancellationToken ct = default);
+
+    // UDT-008
+    Task UpdateUltimoLoginAsync(int id, DateTime utcNow, CancellationToken ct = default);
+    Task<PagedResult<UsuarioListItem>> GetPagedAsync(UsuariosQuery query, CancellationToken ct = default);
+    Task<Usuario?> GetDetailAsync(int id, CancellationToken ct = default);
+    Task UpdateAsync(int id, UpdateUsuarioFields fields, DateTime fechaModificacion, CancellationToken ct = default);
+    Task UpdatePasswordAsync(int id, string passwordHash, bool mustChangePassword, CancellationToken ct = default);
+    Task<int> CountActiveAdminsAsync(CancellationToken ct = default);
 }

src/api/SIGCM2.Application/Auth/Login/LoginCommandHandler.cs

@@ -1,3 +1,4 @@
+using Microsoft.Extensions.Logging;
 using SIGCM2.Application.Abstractions;
 using SIGCM2.Application.Abstractions.Persistence;
 using SIGCM2.Application.Abstractions.Security;
@@ -17,6 +18,7 @@ public sealed class LoginCommandHandler : ICommandHandler<LoginCommand, LoginRes
     private readonly IClientContext _clientContext;
     private readonly AuthOptions _authOptions;
     private readonly IRolPermisoRepository _rolPermisoRepository;
+    private readonly ILogger<LoginCommandHandler> _logger;
 
     public LoginCommandHandler(
         IUsuarioRepository repository,
@@ -26,7 +28,8 @@ public sealed class LoginCommandHandler : ICommandHandler<LoginCommand, LoginRes
         IRefreshTokenGenerator refreshGenerator,
         IClientContext clientContext,
         AuthOptions authOptions,
-        IRolPermisoRepository rolPermisoRepository)
+        IRolPermisoRepository rolPermisoRepository,
+        ILogger<LoginCommandHandler> logger)
     {
         _repository = repository;
         _hasher = hasher;
@@ -36,6 +39,7 @@ public sealed class LoginCommandHandler : ICommandHandler<LoginCommand, LoginRes
         _clientContext = clientContext;
         _authOptions = authOptions;
         _rolPermisoRepository = rolPermisoRepository;
+        _logger = logger;
     }
 
     public async Task<LoginResponseDto> Handle(LoginCommand command)
@@ -61,8 +65,18 @@ public sealed class LoginCommandHandler : ICommandHandler<LoginCommand, LoginRes
             _clientContext.Ip, _clientContext.UserAgent);
         await _refreshRepository.AddAsync(entity);
 
+        // UDT-008: update UltimoLogin best-effort — never block login on this
+        try
+        {
+            await _repository.UpdateUltimoLoginAsync(usuario.Id, now);
+        }
+        catch (Exception ex)
+        {
+            _logger.LogWarning(ex, "Failed to update UltimoLogin for usuario {Id} — login proceeds", usuario.Id);
+        }
+
         // UDT-006: permisos vienen de RolPermiso, no de Usuario.PermisosJson
-        // Usuario.PermisosJson queda reservado para UDT-008 (overrides por usuario)
+        // Usuario.PermisosJson queda reservado para UDT-009 (overrides por usuario)
         var permisoEntities = await _rolPermisoRepository.GetByRolCodigoAsync(usuario.Rol);
         var permisos = permisoEntities.Select(p => p.Codigo).ToArray();
 
@@ -72,9 +86,11 @@ public sealed class LoginCommandHandler : ICommandHandler<LoginCommand, LoginRes
             ExpiresIn: _authOptions.AccessTokenMinutes * 60,
             Usuario: new UsuarioDto(
                 Id: usuario.Id,
+                Username: usuario.Username,
                 Nombre: $"{usuario.Nombre} {usuario.Apellido}".Trim(),
                 Rol: usuario.Rol,
-                Permisos: permisos
+                Permisos: permisos,
+                MustChangePassword: usuario.MustChangePassword
             )
         );
     }

src/api/SIGCM2.Application/Auth/Login/LoginResponseDto.cs

@@ -9,7 +9,9 @@ public sealed record LoginResponseDto(
 
 public sealed record UsuarioDto(
     int Id,
+    string Username,        // UDT-008
     string Nombre,
     string Rol,
-    string[] Permisos
+    string[] Permisos,
+    bool MustChangePassword // UDT-008
 );

src/api/SIGCM2.Application/Common/PagedResult.cs

@@ -0,0 +1,9 @@
+namespace SIGCM2.Application.Common;
+
+/// <summary>Generic paged result for list queries.</summary>
+public sealed record PagedResult<T>(
+    IReadOnlyList<T> Items,
+    int Page,
+    int PageSize,
+    int Total
+);

src/api/SIGCM2.Application/Common/UpdateUsuarioFields.cs

@@ -0,0 +1,10 @@
+namespace SIGCM2.Application.Common;
+
+/// <summary>Mutable fields for updating a usuario profile. Username and PasswordHash are immutable.</summary>
+public sealed record UpdateUsuarioFields(
+    string Nombre,
+    string Apellido,
+    string? Email,
+    string Rol,
+    bool Activo
+);

src/api/SIGCM2.Application/Common/UsuarioListItem.cs

@@ -0,0 +1,14 @@
+namespace SIGCM2.Application.Common;
+
+/// <summary>Light projection of a usuario for list views.</summary>
+public sealed record UsuarioListItem(
+    int Id,
+    string Username,
+    string Nombre,
+    string Apellido,
+    string? Email,
+    string Rol,
+    bool Activo,
+    DateTime? UltimoLogin,
+    DateTime? FechaModificacion
+);

src/api/SIGCM2.Application/Common/UsuariosQuery.cs

@@ -0,0 +1,10 @@
+namespace SIGCM2.Application.Common;
+
+/// <summary>Query parameters for listing usuarios with optional filters and paging.</summary>
+public sealed record UsuariosQuery(
+    int Page,
+    int PageSize,
+    string? Rol,
+    bool? Activo,
+    string? Search
+);