test(host): supply Central test ApiKeyPepper so StartupValidator preflight passes (fix pre-existing 1fcc4f5 red); lock pepper-required behavior

Commit 1fcc4f5 added a Central-only Require for ScadaBridge:InboundApi:ApiKeyPepper
(>=16 chars) to StartupValidator. That Require fires in Program.cs before WebApplicationFactory
can apply any WithWebHostBuilder config overlays, so it must be satisfied via environment
variables (which ARE in the pre-host AddEnvironmentVariables() pass).

Fix (test-only, no src/ changes):
- CentralDbTestEnvironment: add ScadaBridge__InboundApi__ApiKeyPepper env var (TestPepper
  constant, 23 chars) alongside the existing db connection string; restore on Dispose.
  Fixes HealthCheckTests, MetricsEndpointTests, and HostStartupTests.CentralRole_StartsWithoutError
  which all use CentralDbTestEnvironment.
- CentralActorPathTests.InitializeAsync: set the pepper env var before WebApplicationFactory
  is constructed (the class uses IAsyncLifetime directly, not CentralDbTestEnvironment).
- CentralCompositionRootTests ctor + Dispose: same env-var pattern; those tests already had
  the pepper in AddInMemoryCollection (DI-layer only, too late for pre-host validation).
- CentralAuditWiringTests ctor + Dispose: same env-var pattern for the same reason.
- StartupValidatorTests.ValidCentralConfig(): add pepper so the unit tests that call
  StartupValidator.Validate() directly with a Central config stop failing.
- Add guard tests: Central_MissingApiKeyPepper_FailsValidation,
  Central_ShortApiKeyPepper_FailsValidation, Site_ApiKeyPepper_NotRequired — these lock
  the production behavior introduced by 1fcc4f5.

tests/ZB.MOM.WW.ScadaBridge.Host.Tests/ActorPathTests.cs

@@ -29,6 +29,13 @@ public class CentralActorPathTests : IAsyncLifetime
         _previousEnv = Environment.GetEnvironmentVariable("DOTNET_ENVIRONMENT");
         Environment.SetEnvironmentVariable("DOTNET_ENVIRONMENT", "Central");
 
+        // Supply the pepper so the Central-role StartupValidator preflight (1fcc4f5)
+        // passes before WebApplicationFactory gets a chance to overlay DI config.
+        // The pre-host config builder includes AddEnvironmentVariables(), so this
+        // env var is visible to StartupValidator.Validate() at Program.cs line 42.
+        Environment.SetEnvironmentVariable("ScadaBridge__InboundApi__ApiKeyPepper",
+            CentralDbTestEnvironment.TestPepper);
+
         _factory = new WebApplicationFactory<Program>()
             .WithWebHostBuilder(builder =>
             {
@@ -86,6 +93,7 @@ public class CentralActorPathTests : IAsyncLifetime
     {
         _factory?.Dispose();
         Environment.SetEnvironmentVariable("DOTNET_ENVIRONMENT", _previousEnv);
+        Environment.SetEnvironmentVariable("ScadaBridge__InboundApi__ApiKeyPepper", null);
         await Task.CompletedTask;
     }
 

tests/ZB.MOM.WW.ScadaBridge.Host.Tests/AkkaHostedServiceAuditWiringTests.cs

@@ -95,6 +95,12 @@ public class CentralAuditWiringTests : IDisposable
         _previousEnv = Environment.GetEnvironmentVariable("DOTNET_ENVIRONMENT");
         Environment.SetEnvironmentVariable("DOTNET_ENVIRONMENT", "Central");
 
+        // Supply the pepper so the Central-role StartupValidator preflight (1fcc4f5)
+        // passes. The pre-host config builder uses AddEnvironmentVariables(), which
+        // runs before WithWebHostBuilder.ConfigureAppConfiguration applies DI config.
+        Environment.SetEnvironmentVariable("ScadaBridge__InboundApi__ApiKeyPepper",
+            CentralDbTestEnvironment.TestPepper);
+
         _factory = new WebApplicationFactory<Program>()
             .WithWebHostBuilder(builder =>
             {
@@ -148,6 +154,7 @@ public class CentralAuditWiringTests : IDisposable
     {
         _factory.Dispose();
         Environment.SetEnvironmentVariable("DOTNET_ENVIRONMENT", _previousEnv);
+        Environment.SetEnvironmentVariable("ScadaBridge__InboundApi__ApiKeyPepper", null);
     }
 
     [Fact]

tests/ZB.MOM.WW.ScadaBridge.Host.Tests/CentralDbTestEnvironment.cs

@@ -8,7 +8,10 @@ namespace ZB.MOM.WW.ScadaBridge.Host.Tests;
 /// environment variable (<c>Program</c>'s configuration builder calls
 /// <c>AddEnvironmentVariables()</c>).
 ///
-/// Dispose restores the previous value so tests stay isolated.
+/// Also supplies <c>ScadaBridge__InboundApi__ApiKeyPepper</c> so the Central-role
+/// StartupValidator preflight (added in 1fcc4f5) does not fail for tests that set
+/// <c>DOTNET_ENVIRONMENT=Central</c> without an explicit pepper env var. Both vars
+/// are restored on Dispose so tests stay isolated.
 /// </summary>
 internal sealed class CentralDbTestEnvironment : IDisposable
 {
@@ -19,16 +22,27 @@ internal sealed class CentralDbTestEnvironment : IDisposable
 
     private const string ConfigKey = "ScadaBridge__Database__ConfigurationDb";
 
+    // Test-only pepper — satisfies the ≥16-char StartupValidator requirement without
+    // committing a real secret. The env-var name uses the double-underscore delimiter
+    // so AddEnvironmentVariables() maps it to ScadaBridge:InboundApi:ApiKeyPepper.
+    internal const string TestPepper = "test-pepper-01234567890";
+    private const string PepperKey = "ScadaBridge__InboundApi__ApiKeyPepper";
+
     private readonly string? _previousConfig;
+    private readonly string? _previousPepper;
 
     public CentralDbTestEnvironment()
     {
         _previousConfig = Environment.GetEnvironmentVariable(ConfigKey);
         Environment.SetEnvironmentVariable(ConfigKey, ConfigurationDb);
+
+        _previousPepper = Environment.GetEnvironmentVariable(PepperKey);
+        Environment.SetEnvironmentVariable(PepperKey, TestPepper);
     }
 
     public void Dispose()
     {
         Environment.SetEnvironmentVariable(ConfigKey, _previousConfig);
+        Environment.SetEnvironmentVariable(PepperKey, _previousPepper);
     }
 }

tests/ZB.MOM.WW.ScadaBridge.Host.Tests/CompositionRootTests.cs

@@ -90,6 +90,12 @@ public class CentralCompositionRootTests : IDisposable
         _previousEnv = Environment.GetEnvironmentVariable("DOTNET_ENVIRONMENT");
         Environment.SetEnvironmentVariable("DOTNET_ENVIRONMENT", "Central");
 
+        // Supply the pepper so the Central-role StartupValidator preflight (1fcc4f5)
+        // passes. The pre-host config builder uses AddEnvironmentVariables(), which
+        // runs before WithWebHostBuilder.ConfigureAppConfiguration applies DI config.
+        Environment.SetEnvironmentVariable("ScadaBridge__InboundApi__ApiKeyPepper",
+            CentralDbTestEnvironment.TestPepper);
+
         _factory = new WebApplicationFactory<Program>()
             .WithWebHostBuilder(builder =>
             {
@@ -151,6 +157,7 @@ public class CentralCompositionRootTests : IDisposable
     {
         _factory.Dispose();
         Environment.SetEnvironmentVariable("DOTNET_ENVIRONMENT", _previousEnv);
+        Environment.SetEnvironmentVariable("ScadaBridge__InboundApi__ApiKeyPepper", null);
     }
 
     // --- Singletons ---

tests/ZB.MOM.WW.ScadaBridge.Host.Tests/StartupValidatorTests.cs

@@ -24,6 +24,8 @@ public class StartupValidatorTests
         ["ScadaBridge:Security:JwtSigningKey"] = "test-signing-key-at-least-32-chars-long",
         ["ScadaBridge:Cluster:SeedNodes:0"] = "akka.tcp://scadabridge@central-node1:8081",
         ["ScadaBridge:Cluster:SeedNodes:1"] = "akka.tcp://scadabridge@central-node2:8081",
+        // 1fcc4f5: Central requires a pepper (≥16 chars) for the inbound-API peppered-HMAC verifier.
+        ["ScadaBridge:InboundApi:ApiKeyPepper"] = "test-pepper-01234567890",
     };
 
     private static Dictionary<string, string?> ValidSiteConfig() => new()
@@ -187,6 +189,46 @@ public class StartupValidatorTests
         Assert.Contains("JwtSigningKey required for Central", ex.Message);
     }
 
+    [Fact]
+    public void Central_MissingApiKeyPepper_FailsValidation()
+    {
+        // Guard for 1fcc4f5: Central nodes require a pepper (≥16 chars) to back
+        // the inbound-API peppered-HMAC verifier. A missing pepper must fail fast
+        // so a misconfigured deployment is caught before the actor system starts.
+        var values = ValidCentralConfig();
+        values.Remove("ScadaBridge:InboundApi:ApiKeyPepper");
+        var config = BuildConfig(values);
+
+        var ex = Assert.Throws<InvalidOperationException>(() => StartupValidator.Validate(config));
+        Assert.Contains("ApiKeyPepper", ex.Message);
+    }
+
+    [Fact]
+    public void Central_ShortApiKeyPepper_FailsValidation()
+    {
+        // Guard for 1fcc4f5: a pepper shorter than 16 characters must also be rejected.
+        var values = ValidCentralConfig();
+        values["ScadaBridge:InboundApi:ApiKeyPepper"] = "tooshort";
+        var config = BuildConfig(values);
+
+        var ex = Assert.Throws<InvalidOperationException>(() => StartupValidator.Validate(config));
+        Assert.Contains("ApiKeyPepper", ex.Message);
+    }
+
+    [Fact]
+    public void Site_ApiKeyPepper_NotRequired()
+    {
+        // Site nodes do not host the inbound API, so the pepper must NOT be required
+        // for them — absence must not fail validation.
+        var values = ValidSiteConfig();
+        // Explicitly ensure no pepper is present
+        values.Remove("ScadaBridge:InboundApi:ApiKeyPepper");
+        var config = BuildConfig(values);
+
+        var ex = Record.Exception(() => StartupValidator.Validate(config));
+        Assert.Null(ex);
+    }
+
     [Fact]
     public void Site_MissingSiteDbPath_FailsValidation()
     {