fix(auth): C1 review polish — guard name at seam, document seam contract (throws/O(n)), explicit cookie test (review #1/#2/#3/#5/#8)

tests/ZB.MOM.WW.ScadaBridge.Security.Tests/LibraryInboundApiKeyAdminTests.cs

@@ -54,6 +54,18 @@ public sealed class LibraryInboundApiKeyAdminTests : IAsyncLifetime
         _sut = new LibraryInboundApiKeyAdmin(commands);
     }
 
+    [Theory]
+    [InlineData(null)]
+    [InlineData("")]
+    [InlineData("   ")]
+    public async Task CreateAsync_NullOrWhitespaceName_Throws(string? name)
+    {
+        // ThrowIfNullOrWhiteSpace throws ArgumentNullException for null and ArgumentException
+        // for empty/whitespace; both are ArgumentException subtypes, so ThrowsAnyAsync covers all.
+        await Assert.ThrowsAnyAsync<ArgumentException>(
+            () => _sut.CreateAsync(name!, new[] { "MethodA" }, CancellationToken.None));
+    }
+
     [Fact]
     public async Task CreateAsync_ReturnsKeyIdAndToken_TokenStartsWith_sbk()
     {

tests/ZB.MOM.WW.ScadaBridge.Security.Tests/SecurityTests.cs

@@ -443,6 +443,9 @@ public class SecurityReviewRegressionTests
         services.AddLogging();
         services.AddDataProtection();
         services.AddSecurity();
+        // Explicitly set RequireHttpsCookie=true so the test asserts SecurePolicy.Always
+        // without relying on the SecurityOptions default value.
+        services.Configure<SecurityOptions>(o => o.RequireHttpsCookie = true);
 
         using var provider = services.BuildServiceProvider();
         var cookieOptions = provider