feat(auth)!: ScadaBridge retire SQL Server ApiKey entity + ApprovedApiKeyIds + legacy hashing; EF migration RetireInboundApiKeyStore; re-issue runbook + CHANGELOG (re-arch C5/E) — BREAKING: X-API-Key -> Bearer sbk_, keys re-issued

src/ZB.MOM.WW.ScadaBridge.InboundAPI/InboundApiOptions.cs

@@ -20,15 +20,17 @@ public class InboundApiOptions
     public long MaxRequestBodyBytes { get; set; } = DefaultMaxRequestBodyBytes;
 
     /// <summary>
-    /// ConfigurationDatabase-012: server-side HMAC pepper used to hash inbound-API
-    /// bearer credentials. API keys are persisted as a deterministic keyed hash, never
-    /// as plaintext; this pepper is the HMAC key that binds every hash to this
-    /// deployment, so a stolen configuration database is not directly exploitable.
+    /// Server-side HMAC pepper for inbound-API bearer credentials, bound from
+    /// <c>ScadaBridge:InboundApi:ApiKeyPepper</c>.
     /// <para>
-    /// This is a secret: supply a strong, random value via configuration or a secret
-    /// store, never hard-coded. It must be present and at least
-    /// <see cref="ZB.MOM.WW.ScadaBridge.Commons.Types.InboundApi.ApiKeyHasher.MinimumPepperLength"/>
-    /// characters — <c>AddInboundAPI</c> fails fast otherwise.
+    /// Auth re-arch (C5): the legacy SQL Server hashing path that consumed this
+    /// property was retired. The pepper itself is still required — the shared
+    /// ZB.MOM.WW.Auth.ApiKeys verifier reads the SAME configuration key
+    /// (<c>PepperSecretName</c> in the Host composition root points at it) to pepper
+    /// the SQLite-stored keys. It is a secret: supply a strong, random value
+    /// (≥ 16 characters), DIFFERENT per environment, via a secret store and never
+    /// hard-coded. This property is retained so the section still binds cleanly; the
+    /// value is consumed by the library verifier, not by <c>AddInboundAPI</c>.
     /// </para>
     /// </summary>
     public string ApiKeyPepper { get; set; } = string.Empty;