test(integration): repair IntegrationTests harness and stale API-key test

- ScadaLinkWebApplicationFactory removed the AkkaHostedService SINGLETON, not
  just its IHostedService registration, so IClusterNodeProvider's factory
  (Program.cs) could not resolve it — 10 tests failed at host build. Now removes
  only the factory-registered IHostedService descriptors and keeps the singleton.
- Configure an LDAP service account so ResolveUserDnAsync does search-then-bind
  against GLAuth (whose DN layout the no-service-account fallback DN never
  matched), fixing LoginEndpoint_WithValidLdapCredentials.
- IntegrationSurfaceTests: ApiKeyValidator now matches keys by HMAC hash over
  GetAllApiKeysAsync (ConfigurationDatabase-012); the test mocked the removed
  GetApiKeyByValueAsync path. Suite now 64/64.

tests/ScadaLink.IntegrationTests/IntegrationSurfaceTests.cs

@@ -33,7 +33,9 @@ public class IntegrationSurfaceTests
             TimeoutSeconds = 30
         };
 
-        repository.GetApiKeyByValueAsync("key-value-123").Returns(key);
+        // ConfigurationDatabase-012: the validator fetches every key and matches
+        // the candidate by HMAC hash in constant time (no secret-equality lookup).
+        repository.GetAllApiKeysAsync().Returns(new List<ApiKey> { key });
         repository.GetMethodByNameAsync("getStatus").Returns(method);
         repository.GetApprovedKeysForMethodAsync(10).Returns(new List<ApiKey> { key });
 

tests/ScadaLink.IntegrationTests/ScadaLinkWebApplicationFactory.cs

@@ -43,6 +43,12 @@ public class ScadaLinkWebApplicationFactory : WebApplicationFactory<Program>
             ["ScadaLink__Security__LdapUseTls"] = "false",
             ["ScadaLink__Security__AllowInsecureLdap"] = "true",
             ["ScadaLink__Security__LdapSearchBase"] = "dc=scadalink,dc=local",
+            // GLAuth places users at cn=<name>,ou=<group>,ou=users,dc=... — the
+            // no-service-account fallback DN (uid=<name>,dc=...) does not match,
+            // so a service account is configured to enable search-then-bind:
+            // resolve the user's real DN by (uid=<name>) lookup, then bind it.
+            ["ScadaLink__Security__LdapServiceAccountDn"] = "cn=admin,ou=SCADA-Admins,ou=users,dc=scadalink,dc=local",
+            ["ScadaLink__Security__LdapServiceAccountPassword"] = "password",
         };
 
         foreach (var (key, value) in envVars)
@@ -74,14 +80,14 @@ public class ScadaLinkWebApplicationFactory : WebApplicationFactory<Program>
             services.AddDbContext<ScadaLinkDbContext>(options =>
                 options.UseInMemoryDatabase($"ScadaLink_IntegrationTests_{Guid.NewGuid()}"));
 
-            // Remove AkkaHostedService to avoid Akka.NET remoting DNS resolution in tests.
+            // Remove the factory-registered IHostedService registrations so
-            // It registers as both a singleton and a hosted service via factory.
+            // Akka.NET remoting / DNS resolution never starts in tests — but
-            var akkaDescriptors = services
+            // keep the AkkaHostedService SINGLETON resolvable: IClusterNodeProvider
-                .Where(d =>
+            // (and other services) depend on it via GetRequiredService.
-                    d.ServiceType == typeof(AkkaHostedService) ||
+            var hostedServiceDescriptors = services
-                    (d.ServiceType == typeof(IHostedService) && d.ImplementationFactory != null))
+                .Where(d => d.ServiceType == typeof(IHostedService) && d.ImplementationFactory != null)
                 .ToList();
-            foreach (var d in akkaDescriptors)
+            foreach (var d in hostedServiceDescriptors)
                 services.Remove(d);
         });
     }