refactor(identity): split UserService into focused partial files

Split the 682-line UserService.cs into smaller, focused partial class files:

- UserService.cs (~80 lines) - Core class with constructor and shared helpers
- UserService.Registration.cs (~220 lines) - RegisterAsync, GetOrCreateFromPrincipalAsync
- UserService.Profile.cs (~100 lines) - GetAsync, GetListAsync, UpdateAsync, existence checks
- UserService.Lifecycle.cs (~115 lines) - DeleteAsync, ToggleStatusAsync
- UserService.Roles.cs (~85 lines) - AssignRolesAsync, GetUserRolesAsync
- UserService.Confirmation.cs (~50 lines) - ConfirmEmailAsync, ConfirmPhoneNumberAsync

Existing partial files kept unchanged:
- UserService.Password.cs (87 lines)
- UserService.Permissions.cs (53 lines)

No interface or method signature changes. Build verified with 0 errors, 0 warnings.

Author: jarvis

src/Modules/Identity/Modules.Identity/Services/UserService.Confirmation.cs

@@ -0,0 +1,46 @@
+using FSH.Framework.Core.Exceptions;
+using Microsoft.AspNetCore.WebUtilities;
+using Microsoft.EntityFrameworkCore;
+using System.Globalization;
+using System.Text;
+
+namespace FSH.Modules.Identity.Services;
+
+internal sealed partial class UserService
+{
+    public async Task<string> ConfirmEmailAsync(string userId, string code, string tenant, CancellationToken cancellationToken)
+    {
+        EnsureValidTenant();
+
+        var user = await userManager.Users
+            .Where(u => u.Id == userId && !u.EmailConfirmed)
+            .FirstOrDefaultAsync(cancellationToken);
+
+        _ = user ?? throw new CustomException("An error occurred while confirming E-Mail.");
+
+        code = Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(code));
+        var result = await userManager.ConfirmEmailAsync(user, code);
+
+        return result.Succeeded
+            ? string.Format(CultureInfo.InvariantCulture, "Account Confirmed for E-Mail {0}. You can now use the /api/tokens endpoint to generate JWT.", user.Email)
+            : throw new CustomException(string.Format(CultureInfo.InvariantCulture, "An error occurred while confirming {0}", user.Email));
+    }
+
+    public async Task<string> ConfirmPhoneNumberAsync(string userId, string code)
+    {
+        EnsureValidTenant();
+
+        var user = await userManager.Users
+            .Where(u => u.Id == userId && !u.PhoneNumberConfirmed)
+            .FirstOrDefaultAsync();
+
+        _ = user ?? throw new CustomException("An error occurred while confirming phone number.");
+
+        code = Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(code));
+        var result = await userManager.ChangePhoneNumberAsync(user, user.PhoneNumber!, code);
+
+        return result.Succeeded
+            ? string.Format(CultureInfo.InvariantCulture, "Phone number {0} confirmed successfully.", user.PhoneNumber)
+            : throw new CustomException(string.Format(CultureInfo.InvariantCulture, "An error occurred while confirming phone number {0}", user.PhoneNumber));
+    }
+}

src/Modules/Identity/Modules.Identity/Services/UserService.Lifecycle.cs

@@ -0,0 +1,124 @@
+using FSH.Framework.Core.Exceptions;
+using FSH.Framework.Shared.Constants;
+using FSH.Modules.Auditing.Contracts;
+using Microsoft.EntityFrameworkCore;
+
+namespace FSH.Modules.Identity.Services;
+
+internal sealed partial class UserService
+{
+    public async Task DeleteAsync(string userId)
+    {
+        var user = await userManager.FindByIdAsync(userId);
+
+        _ = user ?? throw new NotFoundException("User Not Found.");
+
+        user.IsActive = false;
+        var result = await userManager.UpdateAsync(user);
+
+        if (!result.Succeeded)
+        {
+            var errors = result.Errors.Select(error => error.Description).ToList();
+            throw new CustomException("Delete profile failed", errors);
+        }
+    }
+
+    public async Task ToggleStatusAsync(bool activateUser, string userId, CancellationToken cancellationToken)
+    {
+        EnsureValidTenant();
+
+        var actorId = _currentUser.GetUserId();
+        if (actorId == Guid.Empty)
+        {
+            throw new UnauthorizedException("authenticated user required to toggle status");
+        }
+
+        var actor = await userManager.FindByIdAsync(actorId.ToString());
+        _ = actor ?? throw new UnauthorizedException("current user not found");
+
+        async ValueTask AuditPolicyFailureAsync(string reason, CancellationToken ct)
+        {
+            var tenant = multiTenantContextAccessor?.MultiTenantContext?.TenantInfo?.Id ?? "unknown";
+            var claims = new Dictionary<string, object?>
+            {
+                ["actorId"] = actorId.ToString(),
+                ["targetUserId"] = userId,
+                ["tenant"] = tenant,
+                ["action"] = activateUser ? "activate" : "deactivate"
+            };
+
+            await _auditClient.WriteSecurityAsync(
+                SecurityAction.PolicyFailed,
+                subjectId: actorId.ToString(),
+                reasonCode: reason,
+                claims: claims,
+                severity: AuditSeverity.Warning,
+                source: "Identity",
+                ct: ct).ConfigureAwait(false);
+        }
+
+        if (!await userManager.IsInRoleAsync(actor, RoleConstants.Admin))
+        {
+            await AuditPolicyFailureAsync("ActorNotAdmin", cancellationToken);
+            throw new CustomException("Only administrators can toggle user status.");
+        }
+
+        if (!activateUser && string.Equals(actor.Id, userId, StringComparison.Ordinal))
+        {
+            await AuditPolicyFailureAsync("SelfDeactivationBlocked", cancellationToken);
+            throw new CustomException("Users cannot deactivate themselves.");
+        }
+
+        var user = await userManager.Users.Where(u => u.Id == userId).FirstOrDefaultAsync(cancellationToken);
+        _ = user ?? throw new NotFoundException("User Not Found.");
+
+        bool targetIsAdmin = await userManager.IsInRoleAsync(user, RoleConstants.Admin);
+        if (targetIsAdmin)
+        {
+            await AuditPolicyFailureAsync("AdminDeactivationBlocked", cancellationToken);
+            throw new CustomException("Administrators cannot be deactivated.");
+        }
+
+        if (!activateUser)
+        {
+            var activeAdmins = await userManager.GetUsersInRoleAsync(RoleConstants.Admin);
+            int activeAdminCount = activeAdmins.Count(u => u.IsActive);
+            if (activeAdminCount == 0)
+            {
+                await AuditPolicyFailureAsync("NoActiveAdmins", cancellationToken);
+                throw new CustomException("Tenant must have at least one active administrator.");
+            }
+        }
+
+        var tenantId = multiTenantContextAccessor?.MultiTenantContext?.TenantInfo?.Id;
+        if (activateUser)
+        {
+            user.Activate(actorId.ToString(), tenantId);
+        }
+        else
+        {
+            user.Deactivate(actorId.ToString(), "Status toggled by administrator", tenantId);
+        }
+
+        var result = await userManager.UpdateAsync(user);
+        if (!result.Succeeded)
+        {
+            var errors = result.Errors.Select(error => error.Description).ToList();
+            throw new CustomException("Toggle status failed", errors);
+        }
+
+        await _auditClient.WriteActivityAsync(
+            ActivityKind.Command,
+            name: "ToggleUserStatus",
+            statusCode: 204,
+            durationMs: 0,
+            captured: BodyCapture.None,
+            requestSize: 0,
+            responseSize: 0,
+            requestPreview: new { actorId = actorId.ToString(), targetUserId = userId, action = activateUser ? "activate" : "deactivate", tenant = tenantId ?? "unknown" },
+            responsePreview: new { outcome = "success" },
+            severity: AuditSeverity.Information,
+            source: "Identity",
+            ct: cancellationToken).ConfigureAwait(false);
+    }
+}

src/Modules/Identity/Modules.Identity/Services/UserService.Profile.cs

@@ -0,0 +1,108 @@
+using FSH.Framework.Core.Exceptions;
+using FSH.Framework.Shared.Storage;
+using FSH.Framework.Storage;
+using FSH.Modules.Identity.Contracts.DTOs;
+using FSH.Modules.Identity.Domain;
+using Microsoft.EntityFrameworkCore;
+
+namespace FSH.Modules.Identity.Services;
+
+internal sealed partial class UserService
+{
+    public async Task<UserDto> GetAsync(string userId, CancellationToken cancellationToken)
+    {
+        var user = await userManager.Users
+            .AsNoTracking()
+            .Where(u => u.Id == userId)
+            .FirstOrDefaultAsync(cancellationToken);
+
+        _ = user ?? throw new NotFoundException("user not found");
+
+        return new UserDto
+        {
+            Id = user.Id,
+            Email = user.Email,
+            UserName = user.UserName,
+            FirstName = user.FirstName,
+            LastName = user.LastName,
+            ImageUrl = ResolveImageUrl(user.ImageUrl),
+            IsActive = user.IsActive
+        };
+    }
+
+    public Task<int> GetCountAsync(CancellationToken cancellationToken) =>
+        userManager.Users.AsNoTracking().CountAsync(cancellationToken);
+
+    public async Task<List<UserDto>> GetListAsync(CancellationToken cancellationToken)
+    {
+        var users = await userManager.Users.AsNoTracking().ToListAsync(cancellationToken);
+        var result = new List<UserDto>(users.Count);
+        foreach (var user in users)
+        {
+            result.Add(new UserDto
+            {
+                Id = user.Id,
+                Email = user.Email,
+                UserName = user.UserName,
+                FirstName = user.FirstName,
+                LastName = user.LastName,
+                ImageUrl = ResolveImageUrl(user.ImageUrl),
+                IsActive = user.IsActive
+            });
+        }
+
+        return result;
+    }
+
+    public async Task UpdateAsync(string userId, string firstName, string lastName, string phoneNumber, FileUploadRequest image, bool deleteCurrentImage)
+    {
+        var user = await userManager.FindByIdAsync(userId);
+
+        _ = user ?? throw new NotFoundException("user not found");
+
+        Uri imageUri = user.ImageUrl ?? null!;
+        if (image.Data != null || deleteCurrentImage)
+        {
+            var imageString = await storageService.UploadAsync<FshUser>(image, FileType.Image);
+            user.ImageUrl = new Uri(imageString, UriKind.RelativeOrAbsolute);
+            if (deleteCurrentImage && imageUri != null)
+            {
+                await storageService.RemoveAsync(imageUri.ToString());
+            }
+        }
+
+        user.FirstName = firstName;
+        user.LastName = lastName;
+        string? currentPhoneNumber = await userManager.GetPhoneNumberAsync(user);
+        if (phoneNumber != currentPhoneNumber)
+        {
+            await userManager.SetPhoneNumberAsync(user, phoneNumber);
+        }
+
+        var result = await userManager.UpdateAsync(user);
+        await signInManager.RefreshSignInAsync(user);
+
+        if (!result.Succeeded)
+        {
+            throw new CustomException("Update profile failed");
+        }
+    }
+
+    public async Task<bool> ExistsWithEmailAsync(string email, string? exceptId = null)
+    {
+        EnsureValidTenant();
+        return await userManager.FindByEmailAsync(email.Normalize()) is FshUser user && user.Id != exceptId;
+    }
+
+    public async Task<bool> ExistsWithNameAsync(string name)
+    {
+        EnsureValidTenant();
+        return await userManager.FindByNameAsync(name) is not null;
+    }
+
+    public async Task<bool> ExistsWithPhoneNumberAsync(string phoneNumber, string? exceptId = null)
+    {
+        EnsureValidTenant();
+        return await userManager.Users.FirstOrDefaultAsync(x => x.PhoneNumber == phoneNumber) is FshUser user && user.Id != exceptId;
+    }
+}