fix(auth): OtOpcUa 1.2 review fixes — startup insecure-transport guard + Ldaps in prod overlays, test fidelity, 0.1.1 pin

tests/Server/ZB.MOM.WW.OtOpcUa.Host.IntegrationTests/LdapOptionsBindingTests.cs

@@ -1,7 +1,9 @@
 using Microsoft.Extensions.Configuration;
 using Shouldly;
 using Xunit;
+using ZB.MOM.WW.OtOpcUa.Host.Configuration;
 using ZB.MOM.WW.OtOpcUa.Security.Ldap;
+using LdapTransport = ZB.MOM.WW.Auth.Abstractions.Ldap.LdapTransport;
 
 namespace ZB.MOM.WW.OtOpcUa.Host.IntegrationTests;
 
@@ -60,3 +62,64 @@ public sealed class LdapOptionsBindingTests
         options.DevStubMode.ShouldBeFalse();
     }
 }
+
+/// <summary>
+/// End-to-end guard for the shipped production overlays: binds each of the three prod overlay
+/// files' real <c>Security:Ldap</c> section (the same files the host loads at boot, copied into the
+/// test output via the Host project reference) and runs the <see cref="LdapOptionsValidator"/> the
+/// host wires via <c>AddValidatedOptions</c>. Proves each prod overlay declares a TLS transport and
+/// therefore PASSES startup validation — i.e. the host actually boots with these overlays after the
+/// insecure-transport guard was added. The <c>Development</c> overlay (DevStubMode) is verified to
+/// pass via the guard exemption.
+/// </summary>
+public sealed class ProdOverlayValidationTests
+{
+    private static readonly LdapOptionsValidator Sut = new();
+
+    private static LdapOptions BindOverlay(string fileName)
+    {
+        var path = Path.Combine(AppContext.BaseDirectory, fileName);
+        File.Exists(path).ShouldBeTrue($"overlay '{fileName}' should be copied to the test output");
+
+        var configuration = new ConfigurationBuilder()
+            .AddJsonFile(path, optional: false, reloadOnChange: false)
+            .Build();
+
+        return configuration.GetSection(LdapOptions.SectionName).Get<LdapOptions>() ?? new LdapOptions();
+    }
+
+    [Theory]
+    [InlineData("appsettings.admin.json")]
+    [InlineData("appsettings.driver.json")]
+    [InlineData("appsettings.admin-driver.json")]
+    public void Prod_overlay_declares_ldaps_transport(string fileName)
+    {
+        var options = BindOverlay(fileName);
+
+        options.DevStubMode.ShouldBeFalse();
+        options.Transport.ShouldBe(LdapTransport.Ldaps);
+    }
+
+    [Theory]
+    [InlineData("appsettings.admin.json")]
+    [InlineData("appsettings.driver.json")]
+    [InlineData("appsettings.admin-driver.json")]
+    public void Prod_overlay_passes_startup_validation(string fileName)
+    {
+        var options = BindOverlay(fileName);
+
+        // Match the host: these overlays only set Security:Ldap fields, so backfill the required
+        // Server/SearchBase/Port the way the base C# defaults do (LdapOptions defaults are valid),
+        // then validate exactly as AddValidatedOptions would at boot.
+        Sut.Validate(null, options).Succeeded.ShouldBeTrue();
+    }
+
+    [Fact]
+    public void Development_overlay_passes_startup_validation_via_devstub_exemption()
+    {
+        var options = BindOverlay("appsettings.Development.json");
+
+        options.DevStubMode.ShouldBeTrue();
+        Sut.Validate(null, options).Succeeded.ShouldBeTrue();
+    }
+}