fix(security): resolve Security-001/002/003 — reachable StartTLS path, Secure cookie, JWT signing key validation

src/ScadaLink.Security/SecurityOptions.cs

@@ -4,7 +4,24 @@ public class SecurityOptions
 {
     public string LdapServer { get; set; } = string.Empty;
     public int LdapPort { get; set; } = 389;
-    public bool LdapUseTls { get; set; } = true;
+
+    /// <summary>
+    /// Transport security mode for the LDAP connection. Defaults to LDAPS.
+    /// Use <see cref="LdapTransport.StartTls"/> to connect on the plaintext port
+    /// and upgrade the session before binding.
+    /// </summary>
+    public LdapTransport LdapTransport { get; set; } = LdapTransport.Ldaps;
+
+    /// <summary>
+    /// True when the configured transport provides encryption (LDAPS or StartTLS).
+    /// Retained for backward compatibility: assigning a value maps onto
+    /// <see cref="LdapTransport"/> (true =&gt; LDAPS, false =&gt; None).
+    /// </summary>
+    public bool LdapUseTls
+    {
+        get => LdapTransport != LdapTransport.None;
+        set => LdapTransport = value ? LdapTransport.Ldaps : LdapTransport.None;
+    }
 
     /// <summary>
     /// Allow insecure (non-TLS) LDAP connections. ONLY for dev/test with GLAuth.
@@ -39,7 +56,16 @@ public class SecurityOptions
     /// </summary>
     public string LdapGroupAttribute { get; set; } = "memberOf";
 
+    /// <summary>
+    /// Symmetric HMAC-SHA256 signing key for cookie-embedded JWTs. Must be at least
+    /// 32 bytes (256 bits) — validated at <see cref="JwtTokenService"/> construction.
+    /// </summary>
     public string JwtSigningKey { get; set; } = string.Empty;
+
+    /// <summary>
+    /// Minimum signing-key length in bytes required for HMAC-SHA256 (256 bits).
+    /// </summary>
+    public const int MinJwtSigningKeyBytes = 32;
     public int JwtExpiryMinutes { get; set; } = 15;
     public int IdleTimeoutMinutes { get; set; } = 30;