fix(auth): move AddZbLdapAuth to Host composition root so component-lib AddSecurity() drops IConfiguration param (satisfy OptionsTests arch rule; fix pre-existing ac34dac red); behaviour-preserving

src/ZB.MOM.WW.ScadaBridge.Security/ServiceCollectionExtensions.cs

@@ -1,5 +1,4 @@
 using Microsoft.AspNetCore.Authentication.Cookies;
-using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
@@ -15,29 +14,37 @@ public static class ServiceCollectionExtensions
     /// under the existing <c>ScadaBridge:Security</c> section as a <c>Ldap</c> sub-section
     /// (Task 1.4 config rename) so the non-LDAP <see cref="SecurityOptions"/> fields stay
     /// where they are while the LDAP connection settings bind to the shared library.
+    /// The Host composition root references this constant to register the shared LDAP
+    /// auth (<c>AddZbLdapAuth</c>) before calling <see cref="AddSecurity"/>.
     /// </summary>
     public const string LdapSectionPath = "ScadaBridge:Security:Ldap";
 
     /// <summary>
-    /// Registers LDAP authentication (shared <c>ZB.MOM.WW.Auth.Ldap</c>), JWT token service,
-    /// role mapper, cookie authentication, and authorization policies.
+    /// Registers the JWT token service, role mapper, cookie authentication, and
+    /// authorization policies. This is a component library and therefore takes no
+    /// <c>IConfiguration</c> (Options pattern only).
     /// </summary>
+    /// <remarks>
+    /// LDAP authentication (shared <c>ZB.MOM.WW.Auth.Ldap</c> via <c>AddZbLdapAuth</c>) is
+    /// registered by the Host composition root — which calls <c>AddZbLdapAuth</c> with the
+    /// nested <see cref="LdapSectionPath"/> <em>before</em> this method — because that
+    /// registration is config-coupled (it binds <c>LdapOptions</c> from
+    /// <c>IConfiguration</c>) and component libraries must not accept <c>IConfiguration</c>.
+    /// </remarks>
     /// <param name="services">The service collection to register into.</param>
-    /// <param name="configuration">
-    /// Application configuration, read for the nested <see cref="LdapSectionPath"/> LDAP
-    /// options bound + validated by <c>AddZbLdapAuth</c>.
-    /// </param>
-    public static IServiceCollection AddSecurity(this IServiceCollection services, IConfiguration configuration)
+    public static IServiceCollection AddSecurity(this IServiceCollection services)
     {
-        // Task 1.2 cutover: replace ScadaBridge's bespoke LdapAuthService with the shared
-        // ZB.MOM.WW.Auth.Ldap implementation (ScadaBridge was the donor for its hardened
-        // bind-then-search / escaping / fail-closed semantics, so this is a behaviour-
-        // equivalent re-point). AddZbLdapAuth binds LdapOptions from the nested Ldap
-        // sub-section, registers IValidateOptions<LdapOptions> with ValidateOnStart (so a
-        // misconfigured directory fails fast at boot — superseding the old
-        // SecurityOptionsValidator LDAP checks), and registers ILdapAuthService as a
-        // stateless singleton.
-        services.AddZbLdapAuth(configuration, LdapSectionPath);
+        // Task 1.2 cutover: ScadaBridge's bespoke LdapAuthService was replaced by the
+        // shared ZB.MOM.WW.Auth.Ldap implementation (ScadaBridge was the donor for its
+        // hardened bind-then-search / escaping / fail-closed semantics, so this was a
+        // behaviour-equivalent re-point). That registration — AddZbLdapAuth, which binds
+        // LdapOptions from the nested Ldap sub-section, registers IValidateOptions<LdapOptions>
+        // with ValidateOnStart (so a misconfigured directory fails fast at boot —
+        // superseding the old SecurityOptionsValidator LDAP checks), and registers
+        // ILdapAuthService as a stateless singleton — now lives at the Host composition
+        // root (which calls AddZbLdapAuth(configuration, LdapSectionPath) immediately
+        // before AddSecurity()), because it is config-coupled and this is a component
+        // library.
 
         services.AddScoped<JwtTokenService>();
         services.AddScoped<RoleMapper>();