feat(application): LoginCommandHandler usa PermisoResolver para permisos efectivos [UDT-009]

src/api/SIGCM2.Application/Auth/Login/LoginCommandHandler.cs

@@ -2,6 +2,7 @@ using Microsoft.Extensions.Logging;
 using SIGCM2.Application.Abstractions;
 using SIGCM2.Application.Abstractions.Persistence;
 using SIGCM2.Application.Abstractions.Security;
+using SIGCM2.Application.Common;
 using SIGCM2.Domain.Entities;
 using SIGCM2.Domain.Exceptions;
 using SIGCM2.Domain.Security;
@@ -75,10 +76,12 @@ public sealed class LoginCommandHandler : ICommandHandler<LoginCommand, LoginRes
             _logger.LogWarning(ex, "Failed to update UltimoLogin for usuario {Id} — login proceeds", usuario.Id);
         }
 
-        // UDT-006: permisos vienen de RolPermiso, no de Usuario.PermisosJson
-        // Usuario.PermisosJson queda reservado para UDT-009 (overrides por usuario)
-        var permisoEntities = await _rolPermisoRepository.GetByRolCodigoAsync(usuario.Rol);
-        var permisos = permisoEntities.Select(p => p.Codigo).ToArray();
+        // UDT-009: permisos efectivos = (rol ∪ grant) \ deny via PermisoResolver
+        var rolPermisoEntities = await _rolPermisoRepository.GetByRolCodigoAsync(usuario.Rol);
+        var rolPermisos = rolPermisoEntities.Select(p => p.Codigo);
+        var overrides = PermisosOverride.FromJson(usuario.PermisosJson);
+        var effective = PermisoResolver.Resolve(rolPermisos, overrides);
+        var permisos = effective.OrderBy(p => p, StringComparer.Ordinal).ToArray();
 
         return new LoginResponseDto(
             AccessToken: accessToken,