fix: DSRM membership endpoint expects member_names, not role_names

Root cause: dsrmPath() emitted ?role_names=<r>, but FlashBlade API v2.22
(and v2.23) exposes POST/GET/DELETE /management-access-policies/directory-services/roles
with query params policy_names + member_names. The role IS the member of
the membership relation. Real-array apply returned:

  HTTP 400: Member identifier is required.

GET masked the bug because the API silently ignores unknown query params
and returns the full collection, which our wrapper happened to filter
down by other means.

Fix:
- Client dsrmPath: role_names -> member_names (applies to Get/Post/Delete)
- Mock handler: accept/require member_names on all 3 methods
- Client test: assert member_names on POST recorded request

Discovered during Phase 50.1 UAT against real arrays par5/pa7 on 2026-04-17.
Phase 50.1 goal (DSR POST ?names=) was validated successful; this is a
distinct defect in the sibling membership resource delivered by Phase 50.

Author: SoulKyu

internal/client/management_access_policy_directory_service_role_memberships.go

@@ -6,11 +6,13 @@ import (
 	"net/url"
 )
 
-// dsrmPath builds "/management-access-policies/directory-services/roles?policy_names=<p>&role_names=<r>".
+// dsrmPath builds "/management-access-policies/directory-services/roles?policy_names=<p>&member_names=<r>".
+// FlashBlade API v2.22 expects `member_names` (not `role_names`) on this endpoint — the role IS the
+// member of the membership relation. Using `role_names` yields HTTP 400 "Member identifier is required".
 func dsrmPath(policyName, roleName string) string {
 	v := url.Values{}
 	v.Set("policy_names", policyName)
-	v.Set("role_names", roleName)
+	v.Set("member_names", roleName)
 	return "/management-access-policies/directory-services/roles?" + v.Encode()
 }
 

internal/client/management_access_policy_directory_service_role_memberships_test.go

@@ -36,8 +36,8 @@ func assertDSRMQueryParams(t *testing.T, r *http.Request) {
 	if got := r.URL.Query().Get("policy_names"); got != "pure:policy/array_admin" {
 		t.Errorf("expected policy_names=pure:policy/array_admin, got %q", got)
 	}
-	if got := r.URL.Query().Get("role_names"); got != "admin-role" {
-		t.Errorf("expected role_names=admin-role, got %q", got)
+	if got := r.URL.Query().Get("member_names"); got != "admin-role" {
+		t.Errorf("expected member_names=admin-role, got %q", got)
 	}
 }
 

internal/testmock/handlers/management_access_policy_directory_service_role_memberships.go

@@ -51,14 +51,14 @@ func (s *mapDsrMembershipsStore) handle(w http.ResponseWriter, r *http.Request)
 }
 
 // handleGet returns the pair when found, or empty list + 200 on miss.
-// Both policy_names and role_names are optional individually; when both are provided,
+// Both policy_names and member_names are optional individually; when both are provided,
 // the response is filtered to that exact pair.
 func (s *mapDsrMembershipsStore) handleGet(w http.ResponseWriter, r *http.Request) {
-	if !ValidateQueryParams(w, r, []string{"policy_names", "role_names"}) {
+	if !ValidateQueryParams(w, r, []string{"policy_names", "member_names"}) {
 		return
 	}
 	pName := r.URL.Query().Get("policy_names")
-	rName := r.URL.Query().Get("role_names")
+	rName := r.URL.Query().Get("member_names")
 
 	s.mu.Lock()
 	defer s.mu.Unlock()
@@ -79,14 +79,14 @@ func (s *mapDsrMembershipsStore) handleGet(w http.ResponseWriter, r *http.Reques
 // handlePost is idempotent: creates the pair if absent, returns 200 with the pair either way.
 // This resolves Q3 from 50-CONTEXT.md — Terraform replays never produce 409 conflicts.
 func (s *mapDsrMembershipsStore) handlePost(w http.ResponseWriter, r *http.Request) {
-	if !ValidateQueryParams(w, r, []string{"policy_names", "role_names"}) {
+	if !ValidateQueryParams(w, r, []string{"policy_names", "member_names"}) {
 		return
 	}
 	pName, okP := RequireQueryParam(w, r, "policy_names")
 	if !okP {
 		return
 	}
-	rName, okR := RequireQueryParam(w, r, "role_names")
+	rName, okR := RequireQueryParam(w, r, "member_names")
 	if !okR {
 		return
 	}
@@ -105,14 +105,14 @@ func (s *mapDsrMembershipsStore) handlePost(w http.ResponseWriter, r *http.Reque
 
 // handleDelete removes the pair from the set. Idempotent — missing pair is silently ignored.
 func (s *mapDsrMembershipsStore) handleDelete(w http.ResponseWriter, r *http.Request) {
-	if !ValidateQueryParams(w, r, []string{"policy_names", "role_names"}) {
+	if !ValidateQueryParams(w, r, []string{"policy_names", "member_names"}) {
 		return
 	}
 	pName, okP := RequireQueryParam(w, r, "policy_names")
 	if !okP {
 		return
 	}
-	rName, okR := RequireQueryParam(w, r, "role_names")
+	rName, okR := RequireQueryParam(w, r, "member_names")
 	if !okR {
 		return
 	}