fix(auth): ScadaBridge inbound auth review fixes — scope-before-DB, pinned 403 body, pepper fail-fast, log category

src/ZB.MOM.WW.ScadaBridge.Host/StartupValidator.cs

@@ -71,7 +71,21 @@ public static class StartupValidator
                     "required for Central")
                 .Require("ScadaBridge:Security:JwtSigningKey",
                     _ => !string.IsNullOrEmpty(configuration.GetSection("ScadaBridge:Security")["JwtSigningKey"]),
-                    "required for Central"))
+                    "required for Central")
+                // Review #4 (fail-fast pepper validation): the inbound API-key pepper
+                // backs the peppered-HMAC secret compare in the shared
+                // ZB.MOM.WW.Auth.ApiKeys verifier (wired by AddZbApiKeyAuth at the
+                // Central composition root). A missing or too-short pepper does not
+                // fault at boot — the verifier just fails every secret compare, so the
+                // inbound API silently serves 401s to otherwise-valid keys. Validate it
+                // here (Central-only, pre-host) so a misconfigured pepper fails fast at
+                // startup with a clear message instead of as a runtime auth blackout.
+                // The Require predicate receives config[key] directly; the >=16-char
+                // floor matches the test pepper's minimum and the secret-strength
+                // baseline used elsewhere.
+                .Require("ScadaBridge:InboundApi:ApiKeyPepper",
+                    value => !string.IsNullOrEmpty(value) && value.Length >= 16,
+                    "is required and must be at least 16 characters for Central (backs the inbound API-key peppered-HMAC verifier)"))
             // SeedNodes count (unconditional, after SiteId).
             .Require("ScadaBridge:Cluster:SeedNodes",
                 _ => seedNodes != null && seedNodes.Count >= 2,