feat(auth)!: ScadaBridge retire SQL Server ApiKey entity + ApprovedApiKeyIds + legacy hashing; EF migration RetireInboundApiKeyStore; re-issue runbook + CHANGELOG (re-arch C5/E) — BREAKING: X-API-Key -> Bearer sbk_, keys re-issued

tests/ZB.MOM.WW.ScadaBridge.AuditLog.Tests/Integration/InboundApiAuditTests.cs

@@ -116,8 +116,9 @@ public class InboundApiAuditTests : IClassFixture<MsSqlMigrationFixture>
                         // Mirror production order: routing → auth → audit
                         // middleware → endpoint. The auth scheme always
                         // succeeds; per-request auth-failure semantics are
-                        // produced INSIDE the endpoint handler (mirroring
-                        // ApiKeyValidator's in-handler short-circuit).
+                        // produced INSIDE the endpoint handler (mirroring the
+                        // shared ZB.MOM.WW.Auth.ApiKeys verifier's in-handler
+                        // short-circuit).
                         app.UseRouting();
                         app.UseAuthentication();
                         app.UseAuthorization();
@@ -241,9 +242,9 @@ public class InboundApiAuditTests : IClassFixture<MsSqlMigrationFixture>
 
         using var host = await BuildHostAsync(async ctx =>
         {
-            // The production ApiKeyValidator returns 401 from inside the
-            // handler when the X-API-Key header is missing or invalid; the
-            // handler must NOT stash an actor name in that case so the
+            // The production inbound endpoint returns 401 from inside the
+            // handler when the Bearer token is missing or fails verification;
+            // the handler must NOT stash an actor name in that case so the
             // middleware emits Actor=null on the resulting audit row.
             ctx.Response.StatusCode = 401;
             await ctx.Response.WriteAsync("unauthorized");