chore(docker): supply DEV-ONLY ApiKeyPepper to local Central nodes

The Auth/Config normalization made ScadaBridge:InboundApi:ApiKeyPepper a hard
Central-only startup requirement (>=16 chars), but the local dev composes never
supplied it, so deploy.sh's freshly-built image crash-looped both Central nodes
on ConfigPreflight validation. Add a clearly-marked DEV-ONLY, insecure pepper
inline to each cluster's Central environment (distinct per environment). These
are NOT real secrets — production injects a true per-env secret out-of-band per
docs/operations/inbound-api-key-reissue.md; the inline values exist only so the
local docker / docker-env2 clusters start.

docker-env2/docker-compose.yml

@@ -6,6 +6,12 @@ services:
       SCADABRIDGE_CONFIG: Central
       ASPNETCORE_ENVIRONMENT: Development
       ASPNETCORE_URLS: "http://+:5000"
+      # DEV-ONLY local-cluster value — NOT a real secret. The Auth/Config normalization
+      # (2026-06-03) made ScadaBridge:InboundApi:ApiKeyPepper a hard Central startup
+      # requirement (>=16 chars, per-environment). Distinct from the docker/ cluster's
+      # pepper per the "different per environment" guidance; real deployments inject a
+      # true secret out-of-band, never from source control. Both Central nodes share it.
+      ScadaBridge__InboundApi__ApiKeyPepper: "dev-only-insecure-pepper-env2-cluster-0001"
     ports:
       - "9101:5000"   # Web UI + Inbound API
       - "9111:8081"   # Akka remoting
@@ -23,6 +29,12 @@ services:
       SCADABRIDGE_CONFIG: Central
       ASPNETCORE_ENVIRONMENT: Development
       ASPNETCORE_URLS: "http://+:5000"
+      # DEV-ONLY local-cluster value — NOT a real secret. The Auth/Config normalization
+      # (2026-06-03) made ScadaBridge:InboundApi:ApiKeyPepper a hard Central startup
+      # requirement (>=16 chars, per-environment). Distinct from the docker/ cluster's
+      # pepper per the "different per environment" guidance; real deployments inject a
+      # true secret out-of-band, never from source control. Both Central nodes share it.
+      ScadaBridge__InboundApi__ApiKeyPepper: "dev-only-insecure-pepper-env2-cluster-0001"
     ports:
       - "9102:5000"   # Web UI + Inbound API
       - "9112:8081"   # Akka remoting

docker/docker-compose.yml

@@ -6,6 +6,12 @@ services:
       SCADABRIDGE_CONFIG: Central
       ASPNETCORE_ENVIRONMENT: Development
       ASPNETCORE_URLS: "http://+:5000"
+      # DEV-ONLY local-cluster value — NOT a real secret. The Auth/Config normalization
+      # (2026-06-03) made ScadaBridge:InboundApi:ApiKeyPepper a hard Central startup
+      # requirement (>=16 chars, per-environment). Real deployments inject a true secret
+      # out-of-band (env/secret store), never from source control — see
+      # docs/operations/inbound-api-key-reissue.md. Both Central nodes share one pepper.
+      ScadaBridge__InboundApi__ApiKeyPepper: "dev-only-insecure-pepper-docker-cluster-0001"
     ports:
       - "9001:5000"   # Web UI + Inbound API
       - "9011:8081"   # Akka remoting (host access for CLI/debugging)
@@ -23,6 +29,12 @@ services:
       SCADABRIDGE_CONFIG: Central
       ASPNETCORE_ENVIRONMENT: Development
       ASPNETCORE_URLS: "http://+:5000"
+      # DEV-ONLY local-cluster value — NOT a real secret. The Auth/Config normalization
+      # (2026-06-03) made ScadaBridge:InboundApi:ApiKeyPepper a hard Central startup
+      # requirement (>=16 chars, per-environment). Real deployments inject a true secret
+      # out-of-band (env/secret store), never from source control — see
+      # docs/operations/inbound-api-key-reissue.md. Both Central nodes share one pepper.
+      ScadaBridge__InboundApi__ApiKeyPepper: "dev-only-insecure-pepper-docker-cluster-0001"
     ports:
       - "9002:5000"   # Web UI + Inbound API
       - "9012:8081"   # Akka remoting