fix(host): resolve Host-003,004 — replace plaintext secrets with env placeholders, validate site seed-node ports; re-triage Host-002

src/ScadaLink.Host/appsettings.Central.json

@@ -16,9 +16,10 @@
       "FailureDetectionThreshold": "00:00:10",
       "MinNrOfMembers": 1
     },
+    "_secrets": "Host-003: Secrets are NOT committed in this file. Supply them via environment variables, which the Host's configuration builder (AddEnvironmentVariables) overlays over this file. Required: ScadaLink__Database__ConfigurationDb, ScadaLink__Database__MachineDataDb, ScadaLink__Security__LdapServiceAccountPassword, ScadaLink__Security__JwtSigningKey. The ${...} placeholders below are intentionally non-functional and must be overridden per environment.",
     "Database": {
-      "ConfigurationDb": "Server=localhost,1433;Database=ScadaLinkConfig;User Id=scadalink_app;Password=ScadaLink_Dev1#;TrustServerCertificate=true",
-      "MachineDataDb": "Server=localhost,1433;Database=ScadaLinkMachineData;User Id=scadalink_app;Password=ScadaLink_Dev1#;TrustServerCertificate=true"
+      "ConfigurationDb": "${SCADALINK_CONFIGURATIONDB_CONNECTION_STRING}",
+      "MachineDataDb": "${SCADALINK_MACHINEDATADB_CONNECTION_STRING}"
     },
     "Security": {
       "LdapServer": "localhost",
@@ -27,8 +28,8 @@
       "AllowInsecureLdap": true,
       "LdapSearchBase": "dc=scadalink,dc=local",
       "LdapServiceAccountDn": "cn=admin,dc=scadalink,dc=local",
-      "LdapServiceAccountPassword": "password",
-      "JwtSigningKey": "scadalink-dev-jwt-signing-key-must-be-at-least-32-characters-long",
+      "LdapServiceAccountPassword": "${SCADALINK_LDAP_SERVICE_ACCOUNT_PASSWORD}",
+      "JwtSigningKey": "${SCADALINK_JWT_SIGNING_KEY}",
       "JwtExpiryMinutes": 15,
       "IdleTimeoutMinutes": 30
     },