test(host): supply Central test ApiKeyPepper so StartupValidator preflight passes (fix pre-existing 1fcc4f5 red); lock pepper-required behavior

Commit 1fcc4f5 added a Central-only Require for ScadaBridge:InboundApi:ApiKeyPepper
(>=16 chars) to StartupValidator. That Require fires in Program.cs before WebApplicationFactory
can apply any WithWebHostBuilder config overlays, so it must be satisfied via environment
variables (which ARE in the pre-host AddEnvironmentVariables() pass).

Fix (test-only, no src/ changes):
- CentralDbTestEnvironment: add ScadaBridge__InboundApi__ApiKeyPepper env var (TestPepper
  constant, 23 chars) alongside the existing db connection string; restore on Dispose.
  Fixes HealthCheckTests, MetricsEndpointTests, and HostStartupTests.CentralRole_StartsWithoutError
  which all use CentralDbTestEnvironment.
- CentralActorPathTests.InitializeAsync: set the pepper env var before WebApplicationFactory
  is constructed (the class uses IAsyncLifetime directly, not CentralDbTestEnvironment).
- CentralCompositionRootTests ctor + Dispose: same env-var pattern; those tests already had
  the pepper in AddInMemoryCollection (DI-layer only, too late for pre-host validation).
- CentralAuditWiringTests ctor + Dispose: same env-var pattern for the same reason.
- StartupValidatorTests.ValidCentralConfig(): add pepper so the unit tests that call
  StartupValidator.Validate() directly with a Central config stop failing.
- Add guard tests: Central_MissingApiKeyPepper_FailsValidation,
  Central_ShortApiKeyPepper_FailsValidation, Site_ApiKeyPepper_NotRequired — these lock
  the production behavior introduced by 1fcc4f5.

tests/ZB.MOM.WW.ScadaBridge.Host.Tests/StartupValidatorTests.cs

@@ -24,6 +24,8 @@ public class StartupValidatorTests
         ["ScadaBridge:Security:JwtSigningKey"] = "test-signing-key-at-least-32-chars-long",
         ["ScadaBridge:Cluster:SeedNodes:0"] = "akka.tcp://scadabridge@central-node1:8081",
         ["ScadaBridge:Cluster:SeedNodes:1"] = "akka.tcp://scadabridge@central-node2:8081",
+        // 1fcc4f5: Central requires a pepper (≥16 chars) for the inbound-API peppered-HMAC verifier.
+        ["ScadaBridge:InboundApi:ApiKeyPepper"] = "test-pepper-01234567890",
     };
 
     private static Dictionary<string, string?> ValidSiteConfig() => new()
@@ -187,6 +189,46 @@ public class StartupValidatorTests
         Assert.Contains("JwtSigningKey required for Central", ex.Message);
     }
 
+    [Fact]
+    public void Central_MissingApiKeyPepper_FailsValidation()
+    {
+        // Guard for 1fcc4f5: Central nodes require a pepper (≥16 chars) to back
+        // the inbound-API peppered-HMAC verifier. A missing pepper must fail fast
+        // so a misconfigured deployment is caught before the actor system starts.
+        var values = ValidCentralConfig();
+        values.Remove("ScadaBridge:InboundApi:ApiKeyPepper");
+        var config = BuildConfig(values);
+
+        var ex = Assert.Throws<InvalidOperationException>(() => StartupValidator.Validate(config));
+        Assert.Contains("ApiKeyPepper", ex.Message);
+    }
+
+    [Fact]
+    public void Central_ShortApiKeyPepper_FailsValidation()
+    {
+        // Guard for 1fcc4f5: a pepper shorter than 16 characters must also be rejected.
+        var values = ValidCentralConfig();
+        values["ScadaBridge:InboundApi:ApiKeyPepper"] = "tooshort";
+        var config = BuildConfig(values);
+
+        var ex = Assert.Throws<InvalidOperationException>(() => StartupValidator.Validate(config));
+        Assert.Contains("ApiKeyPepper", ex.Message);
+    }
+
+    [Fact]
+    public void Site_ApiKeyPepper_NotRequired()
+    {
+        // Site nodes do not host the inbound API, so the pepper must NOT be required
+        // for them — absence must not fail validation.
+        var values = ValidSiteConfig();
+        // Explicitly ensure no pepper is present
+        values.Remove("ScadaBridge:InboundApi:ApiKeyPepper");
+        var config = BuildConfig(values);
+
+        var ex = Record.Exception(() => StartupValidator.Validate(config));
+        Assert.Null(ex);
+    }
+
     [Fact]
     public void Site_MissingSiteDbPath_FailsValidation()
     {