feat(auth): ScadaBridge re-pin Auth 0.1.3 + add IInboundApiKeyAdmin seam over library admin facade (re-arch C1, additive)

src/ZB.MOM.WW.ScadaBridge.Host/Program.cs

@@ -144,6 +144,26 @@ try
 
         builder.Services.AddZbApiKeyAuth(builder.Configuration, apiKeyStoreSection);
 
+        // Inbound-API key re-arch (C1), additive: expose the library admin facade
+        // (ApiKeyAdminCommands) and the app-side management seam (IInboundApiKeyAdmin)
+        // in the SAME container as AddZbApiKeyAuth, so CLI + CentralUI later create /
+        // list / enable / disable / delete inbound keys and edit their method-scopes
+        // through one shared path. AddZbApiKeyAuth registers the stores/pepper/migrator
+        // but NOT ApiKeyAdminCommands itself, so it is composed here. CentralUI resolves
+        // from this same provider (it is registered via AddCentralUI() above), so the
+        // seam is reachable from both the ManagementActor and CentralUI pages — exactly
+        // as IInboundApiRepository already is.
+        builder.Services.AddSingleton(sp => new ZB.MOM.WW.Auth.ApiKeys.Admin.ApiKeyAdminCommands(
+            sp.GetRequiredService<Microsoft.Extensions.Options.IOptions<ZB.MOM.WW.Auth.Abstractions.ApiKeys.ApiKeyOptions>>().Value,
+            sp.GetRequiredService<ZB.MOM.WW.Auth.Abstractions.ApiKeys.IApiKeyAdminStore>(),
+            sp.GetRequiredService<ZB.MOM.WW.Auth.Abstractions.ApiKeys.IApiKeyAuditStore>(),
+            sp.GetRequiredService<ZB.MOM.WW.Auth.ApiKeys.IApiKeyPepperProvider>(),
+            sp.GetRequiredService<ZB.MOM.WW.Auth.ApiKeys.Sqlite.SqliteAuthStoreMigrator>(),
+            TimeProvider.System));
+        builder.Services.AddSingleton<
+            ZB.MOM.WW.ScadaBridge.Commons.Interfaces.Security.IInboundApiKeyAdmin,
+            LibraryInboundApiKeyAdmin>();
+
         builder.Services.AddManagementService();
 
         var configDbConnectionString = configuration["ScadaBridge:Database:ConfigurationDb"]