ScadaBridge/src/ZB.MOM.WW.ScadaBridge.InboundAPI/InboundApiOptions.cs

namespace ZB.MOM.WW.ScadaBridge.InboundAPI;
/// <summary>
/// Settings for the inbound API: the method-execution timeout, the request-body
/// size cap, and the pepper used for bearer credentials.
/// </summary>
public class InboundApiOptions
{
    /// <summary>
    /// Out-of-the-box limit, in bytes, on an inbound API request body (InboundAPI-006).
    /// </summary>
    public const long DefaultMaxRequestBodyBytes = 1024L * 1024L; // 1 MiB

    /// <summary>
    /// Default timeout applied to inbound API method execution; the request is
    /// cancelled once it elapses. Initialised to 30 seconds.
    /// </summary>
    public TimeSpan DefaultMethodTimeout { get; set; } = new TimeSpan(hours: 0, minutes: 0, seconds: 30);

    /// <summary>
    /// InboundAPI-006: largest request body accepted on <c>POST /api/{methodName}</c>.
    /// A body larger than this is refused with HTTP 413 before it is buffered into a
    /// <see cref="System.Text.Json.JsonDocument"/>. Because the inbound API deliberately
    /// has no rate limiting, this explicit, modest cap is what bounds per-request
    /// allocations.
    /// </summary>
    /// <remarks>
    /// NOTE(review): the setter accepts any <see cref="long"/>; nothing in this class
    /// rejects a zero, negative or very large configured value. Confirm the range is
    /// checked wherever these options are validated.
    /// </remarks>
    public long MaxRequestBodyBytes { get; set; } = DefaultMaxRequestBodyBytes;

    /// <summary>
    /// Server-side HMAC pepper for inbound-API bearer credentials, bound from
    /// <c>ScadaBridge:InboundApi:ApiKeyPepper</c>.
    /// <para>
    /// Auth re-arch (C5): the legacy SQL Server hashing path that used to read this
    /// property has been retired, but the pepper is still required. The shared
    /// ZB.MOM.WW.Auth.ApiKeys verifier reads the SAME configuration key
    /// (<c>PepperSecretName</c> in the Host composition root points at it) to pepper
    /// the SQLite-stored keys. Treat it as a secret: use a strong, random value
    /// (≥ 16 characters) that is DIFFERENT per environment, deliver it through a
    /// secret store, and never hard-code it. The property remains so that the
    /// configuration section still binds cleanly; the value is consumed by the
    /// library verifier, not by <c>AddInboundAPI</c>.
    /// </para>
    /// </summary>
    /// <remarks>
    /// NOTE(review): the default is the empty string and this class enforces neither
    /// presence nor the minimum length, so a missing configuration value binds
    /// silently. Confirm that the verifier or host start-up rejects an empty or
    /// short pepper, and keep this value out of logs and diagnostic dumps of the
    /// options object.
    /// </remarks>
    public string ApiKeyPepper { get; set; } = "";
}