fix(host): resolve Host-003,004 — replace plaintext secrets with env placeholders, validate site seed-node ports; re-triage Host-002

src/ScadaLink.Host/StartupValidator.cs

@@ -40,23 +40,55 @@ public static class StartupValidator
                 errors.Add("ScadaLink:Security:JwtSigningKey required for Central");
         }
 
+        var seedNodes = configuration.GetSection("ScadaLink:Cluster:SeedNodes").Get<List<string>>();
+        if (seedNodes == null || seedNodes.Count < 2)
+            errors.Add("ScadaLink:Cluster:SeedNodes must have at least 2 entries");
+
         if (role == "Site")
         {
             var grpcPortStr = nodeSection["GrpcPort"];
-            if (grpcPortStr != null && (!int.TryParse(grpcPortStr, out var gp) || gp < 1 || gp > 65535))
+            int grpcPort = 8083; // NodeOptions default when the key is absent
+            if (grpcPortStr != null && (!int.TryParse(grpcPortStr, out grpcPort) || grpcPort < 1 || grpcPort > 65535))
                 errors.Add("ScadaLink:Node:GrpcPort must be 1-65535");
 
             var dbSection = configuration.GetSection("ScadaLink:Database");
             if (string.IsNullOrEmpty(dbSection["SiteDbPath"]))
                 errors.Add("ScadaLink:Database:SiteDbPath required for Site nodes");
-        }
 
-        var seedNodes = configuration.GetSection("ScadaLink:Cluster:SeedNodes").Get<List<string>>();
-        if (seedNodes == null || seedNodes.Count < 2)
-            errors.Add("ScadaLink:Cluster:SeedNodes must have at least 2 entries");
+            // Host-004: a seed node must reference an Akka.Remote endpoint, never the
+            // Kestrel HTTP/2 gRPC port. A seed entry whose port equals this node's
+            // GrpcPort would make a joining node attempt an Akka.Remote TCP
+            // association against the gRPC listener and fail.
+            if (seedNodes != null)
+            {
+                foreach (var seed in seedNodes)
+                {
+                    if (SeedNodePort(seed) == grpcPort)
+                        errors.Add(
+                            $"ScadaLink:Cluster:SeedNodes entry '{seed}' must not target the gRPC port " +
+                            $"({grpcPort}); seed nodes must reference Akka remoting ports");
+                }
+            }
+        }
 
         if (errors.Count > 0)
             throw new InvalidOperationException(
                 $"Configuration validation failed:\n{string.Join("\n", errors.Select(e => $"  - {e}"))}");
     }
+
+    /// <summary>
+    /// Extracts the TCP port from an Akka seed-node address of the form
+    /// <c>akka.tcp://system@host:port</c>. Returns <c>-1</c> when no port can be parsed.
+    /// </summary>
+    private static int SeedNodePort(string seedNode)
+    {
+        if (string.IsNullOrWhiteSpace(seedNode))
+            return -1;
+
+        var lastColon = seedNode.LastIndexOf(':');
+        if (lastColon < 0 || lastColon == seedNode.Length - 1)
+            return -1;
+
+        return int.TryParse(seedNode[(lastColon + 1)..], out var port) ? port : -1;
+    }
 }