fix(security): close Theme 7 — 8 secrets / redaction / append-only findings

Security-sensitive batch, handled main-thread for careful judgment on
secret-leak and pepper-bypass paths.

Secret leak / pepper bypass:
- CD-016 (pepper bypass): InboundApiRepository's GetApiKeyByValueAsync no
  longer hashes the candidate with the unpeppered ApiKeyHasher.Default —
  ctor takes a lazy Func<IApiKeyHasher> accessor (lazy so test composition
  roots without a pepper still bring up the repository), and the DI
  registration wires sp.GetService<IApiKeyHasher>() so the production
  peppered hasher matches the stored KeyHash. Regression test asserts
  positive (peppered roundtrip) AND negative (Default hasher misses the
  same key — proving the lookup uses the injected hasher).
- MgmtSvc-020 (SMTP credential leak): UpdateSmtpConfig/ListSmtpConfigs
  now project through SmtpConfigPublicShape so the response payload and
  audit-row afterState never carry the Credentials field — only a
  HasCredentials bool. The SMTP password / OAuth2 client secret no
  longer leaves the Admin-only UpdateSmtpConfig boundary the caller
  already supplied it to.

Redaction:
- AuditLog-008 (test-fixture under-redact): new
  SafeDefaultAuditPayloadFilter (stateless singleton) does HTTP header
  redaction for the always-sensitive defaults (Authorization, X-Api-Key,
  Cookie, Set-Cookie). FallbackAuditWriter, CentralAuditWriter, and
  AuditLogIngestActor (both ingest paths) default to it instead of null
  — composition roots that bypass AddAuditLog can no longer write
  unredacted auth headers to the audit store.
- NotifService-025 (over-mask): CredentialRedactor.Scrub now only masks
  the last colon-separated component (password / clientSecret) AND only
  if it's >= 12 chars (typical password heuristic). Short user names
  like "root" no longer become global redaction tokens that eat unrelated
  diagnostic text. The full packed string is always masked regardless of
  length. 3 new negative tests pin the no-over-mask contract.

Audit-row correctness / fail-loud:
- InboundAPI-025: Program.cs UseWhen predicate now excludes /api/audit,
  /api/management, /api/centralui, /api/script-analysis AND requires POST
  — the AuditWriteMiddleware no longer emits spurious ApiInbound rows
  for audit-log query/export endpoints (write-on-read recursion broken).
- ESG-021: ApplyAuth now logs Warning (not silent) on empty
  AuthConfiguration for apikey/basic, unknown AuthType, and malformed
  Basic config. AuthConfiguration value NEVER logged. AuthType=none
  remains silent (documented unauthenticated sentinel).
- Security-021: AddSecurity now logs a startup Warning when
  RequireHttpsCookie=false — an HTTP-only deployment that previously
  transmitted the cookie-embedded JWT silently in cleartext is now
  audible in the log.

Defensive:
- CD-021: SwitchOutPartitionAsync's monthBoundary format string now
  yyyy-MM-dd HH:mm:ss.fffffff (datetime2(7) precision) so a future
  sub-second / non-midnight boundary doesn't silently round to the
  wrong partition.

Plus reconciled stale per-module Open-findings counters that had drifted
from earlier sessions (AuditLog, CD, ESG, IAPI, MgmtSvc, NotifService,
Security).

Build clean; all affected test projects green (Host 208, ConfigDB 242,
ESG 69, IAPI 151, MgmtSvc 100, NotifService 55, Security 85, AuditLog
247/248 — 1 pre-existing date-sensitive integration test flake on
PartitionPurgeTests, unrelated). README regenerated: 46 open (was 54).

src/ScadaLink.ConfigurationDatabase/Repositories/AuditLogRepository.cs

@@ -198,8 +198,12 @@ VALUES
 
         // ISO 8601 in UTC — SQL Server's datetime2 literal parser accepts this
         // unambiguously and the value is round-trip-safe across SET DATEFORMAT
-        // settings.
-        var monthBoundaryStr = monthBoundary.ToUniversalTime().ToString("yyyy-MM-dd HH:mm:ss");
+        // settings. CD-021: use datetime2(7) precision (.fffffff) so a future
+        // non-midnight or sub-second boundary doesn't silently round to the
+        // wrong partition (today the migration only seeds at T00:00:00 exactly,
+        // but the format string is on the boundary value's own contract — match
+        // it to the column precision rather than to the current seed pattern).
+        var monthBoundaryStr = monthBoundary.ToUniversalTime().ToString("yyyy-MM-dd HH:mm:ss.fffffff");
 
         // Two-statement batch: the first SELECT samples the per-partition row
         // count BEFORE the dance so we can report it back to the purge actor;

src/ScadaLink.ConfigurationDatabase/Repositories/InboundApiRepository.cs

@@ -10,16 +10,38 @@ namespace ScadaLink.ConfigurationDatabase.Repositories;
 public class InboundApiRepository : IInboundApiRepository
 {
     private readonly ScadaLinkDbContext _context;
+    // CD-016: lazily resolved so the InboundAPI ApiKeyHasher factory (which throws
+    // when no pepper is configured) is only invoked if GetApiKeyByValueAsync is
+    // actually called — Central/Host startup composition roots that never call
+    // this method (the production ApiKeyValidator deliberately doesn't) get to
+    // bring InboundApiRepository up without forcing every test to wire a
+    // throw-away pepper into InboundApiOptions.
+    private readonly Func<IApiKeyHasher> _hasherAccessor;
     private readonly ILogger<InboundApiRepository> _logger;
 
     /// <summary>
     /// Initializes a new instance of the InboundApiRepository class.
     /// </summary>
     /// <param name="context">The database context for accessing inbound API data.</param>
+    /// <param name="hasherAccessor">
+    /// CD-016: factory that returns the API-key hasher used to digest a candidate
+    /// plaintext for the peppered <see cref="GetApiKeyByValueAsync"/> lookup.
+    /// Resolution is deferred to first call so a composition root that doesn't
+    /// register <see cref="IApiKeyHasher"/> (or whose factory would throw because
+    /// no pepper is configured) can still bring up the repository for callers that
+    /// don't touch the value-lookup path. Defaults to a factory returning
+    /// <see cref="ApiKeyHasher.Default"/>; production wires
+    /// <c>sp =&gt; sp.GetRequiredService&lt;IApiKeyHasher&gt;()</c> via DI so the
+    /// lookup uses the same peppered digest as the production write path.
+    /// </param>
     /// <param name="logger">Optional logger instance for warnings and diagnostics.</param>
-    public InboundApiRepository(ScadaLinkDbContext context, ILogger<InboundApiRepository>? logger = null)
+    public InboundApiRepository(
+        ScadaLinkDbContext context,
+        Func<IApiKeyHasher>? hasherAccessor = null,
+        ILogger<InboundApiRepository>? logger = null)
     {
         _context = context ?? throw new ArgumentNullException(nameof(context));
+        _hasherAccessor = hasherAccessor ?? (() => ApiKeyHasher.Default);
         _logger = logger ?? NullLogger<InboundApiRepository>.Instance;
     }
 
@@ -34,7 +56,13 @@ public class InboundApiRepository : IInboundApiRepository
     /// <inheritdoc />
     public async Task<ApiKey?> GetApiKeyByValueAsync(string keyValue, CancellationToken cancellationToken = default)
     {
-        var keyHash = ApiKeyHasher.Default.Hash(keyValue);
+        // CD-016: hash the candidate with the DI-provided peppered hasher so this
+        // lookup matches keys whose stored KeyHash was produced by the production
+        // ApiKeyHasher(pepper). The pre-fix call to ApiKeyHasher.Default would
+        // silently return null for every real key on any peppered deployment.
+        // Resolution is deferred until this method is actually called so the
+        // pepper-validating factory doesn't fire during startup composition.
+        var keyHash = _hasherAccessor().Hash(keyValue);
         return await _context.Set<ApiKey>().FirstOrDefaultAsync(k => k.KeyHash == keyHash, cancellationToken);
     }
 

src/ScadaLink.ConfigurationDatabase/ServiceCollectionExtensions.cs

@@ -1,6 +1,7 @@
 using Microsoft.AspNetCore.DataProtection;
 using Microsoft.EntityFrameworkCore;
 using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
 using ScadaLink.Commons.Interfaces;
 using ScadaLink.Commons.Interfaces.Repositories;
 using ScadaLink.Commons.Interfaces.Services;
@@ -53,7 +54,15 @@ public static class ServiceCollectionExtensions
         services.AddScoped<INotificationOutboxRepository, NotificationOutboxRepository>();
         services.AddScoped<IAuditLogRepository, AuditLogRepository>();
         services.AddScoped<ISiteCallAuditRepository, SiteCallAuditRepository>();
-        services.AddScoped<IInboundApiRepository, InboundApiRepository>();
+        // CD-016: factory registration wires a lazy accessor for IApiKeyHasher so
+        // the production peppered hasher is used (via DI) when GetApiKeyByValueAsync
+        // is actually called, but composition roots that never call it (and may
+        // not register IApiKeyHasher at all) still bring up the repository.
+        services.AddScoped<IInboundApiRepository>(sp => new InboundApiRepository(
+            sp.GetRequiredService<ScadaLinkDbContext>(),
+            hasherAccessor: () => sp.GetService<Commons.Types.InboundApi.IApiKeyHasher>()
+                ?? Commons.Types.InboundApi.ApiKeyHasher.Default,
+            logger: sp.GetService<ILogger<InboundApiRepository>>()));
         services.AddScoped<IAuditCorrelationContext, AuditCorrelationContext>();
         services.AddScoped<IAuditService, AuditService>();
         services.AddScoped<IInstanceLocator, InstanceLocator>();