Add XML documentation across gateway, worker, and .NET client

src/MxGateway.Tests/Security/Authentication/ApiKeyAdminCliRunnerTests.cs

@@ -8,6 +8,7 @@ namespace MxGateway.Tests.Security.Authentication;
 
 public sealed class ApiKeyAdminCliRunnerTests
 {
+    /// <summary>Verifies that CreateKeyAsync creates an authenticating key and audits the action.</summary>
     [Fact]
     public async Task CreateKeyAsync_CreatesAuthenticatingKeyAndAudits()
     {
@@ -44,6 +45,7 @@ public sealed class ApiKeyAdminCliRunnerTests
         Assert.Contains(auditRecords, record => record.EventType == "create-key" && record.KeyId == "operator01");
     }
 
+    /// <summary>Verifies that ListKeysAsync does not print the raw secret.</summary>
     [Fact]
     public async Task ListKeysAsync_DoesNotPrintRawSecret()
     {
@@ -72,6 +74,7 @@ public sealed class ApiKeyAdminCliRunnerTests
         Assert.DoesNotContain("secret_hash", listJson, StringComparison.OrdinalIgnoreCase);
     }
 
+    /// <summary>Verifies that RevokeKeyAsync causes the revoked key to fail verification and is audited.</summary>
     [Fact]
     public async Task RevokeKeyAsync_RevokedKeyFailsVerificationAndAudits()
     {
@@ -105,6 +108,7 @@ public sealed class ApiKeyAdminCliRunnerTests
         Assert.Contains(auditRecords, record => record.EventType == "revoke-key" && record.KeyId == "operator01");
     }
 
+    /// <summary>Verifies that RotateKeyAsync prints the new secret once and invalidates the old secret.</summary>
     [Fact]
     public async Task RotateKeyAsync_PrintsNewSecretOnceAndInvalidatesOldSecret()
     {
@@ -140,6 +144,7 @@ public sealed class ApiKeyAdminCliRunnerTests
         Assert.True(newVerification.Succeeded);
     }
 
+    /// <summary>Verifies that CreateKeyAsync prints the raw secret exactly once.</summary>
     [Fact]
     public async Task CreateKeyAsync_PrintsRawSecretExactlyOnce()
     {