plan(phase1): ScadaBridge re-arch C5 done+reviewed; Task 1.3 (ApiKeys adopt) COMPLETE across all 3 repos; installer/secret catch noted

docs/plans/2026-06-02-auth-audit-normalization-phase1.md

@@ -270,10 +270,28 @@ CentralUI blast radius (string keyId + scopes replace int Id + ApprovedApiKeyIds
   "added-unrestricted count" intentionally SKIPPED — wrong model: inbound auth is scope-based, the verifier ignores
   `ApprovedApiKeyIds`, so a new method is callable by NO key until a scope is granted). Transport.Tests 60, IntegrationTests
   34 green. SQL Server `ApiKey`/`ApiMethod` entities + repo untouched (C5).
-- **C5 (=E) — PENDING** (next/last: retire SQL Server `ApiKey` entity + repo key methods + `ApprovedApiKeyIds` + residual
-  `ApiKeyValidator`/`ApiKeyHasher`; EF migration; runbook + CHANGELOG).
-- Aside (unrelated to C4): the 6 `StaleTagMonitor`/`StaleTagMonitorRaceTests` failures seen under parallel load are
-  pre-existing flaky OPC-UA timer tests (pass in isolation), NOT caused by this work.
+- **C5 (=E) — DONE + reviewed** (SB commit `afa5598`). Retired SQL Server `ApiKey` entity + 7 `IInboundApiRepository` key
+  methods + `ApiMethod.ApprovedApiKeyIds` + `DbSet<ApiKey>`/fluent config + residual `ApiKeyHasher`/`IApiKeyHasher`/
+  `ApiKeyValidator` (+ their tests). EF migration `RetireInboundApiKeyStore` (DropTable `ApiKeys` + DropColumn
+  `ApprovedApiKeyIds`; `Down` recreates both byte-faithfully; ModelSnapshot consistent). CHANGELOG.md + tracked runbook
+  `docs/operations/inbound-api-key-reissue.md` (BREAKING: `X-API-Key`→`Authorization: Bearer sbk_…`, all keys re-issued;
+  per-env SqlitePath + ≥16-char ApiKeyPepper). Spec PASS, code-review APPROVED: migration Down/snapshot verified, inbound
+  verifier path (A+B) intact, no live consumer broke. Green: ConfigurationDatabase 241, InboundAPI 148 (was 163: removed
+  validator/hasher tests), Security 89, Host 227 (was 228: removed validator DI test), ManagementService 125, CLI 188,
+  CentralUI 595, Transport 60+34. (Pre-existing infra-dependent failures — IntegrationTests ×11, AuditLog ×1, needing live
+  LDAP/SQL/SMTP — proven identical at baseline `b13d7b3` via git-stash; StaleTagMonitor flaky timer tests pass 13/13 isolated.)
+  **Installer/secret note:** the C5 code-review flagged the (untracked, intentionally `.gitignore`d `/deploy/`) `install.ps1`
+  not injecting the pepper — fixed ON DISK (the on-disk installer now takes `-ApiKeyPepper`); a subagent had force-committed
+  the ignored deploy script (which embeds a real default JWT key) — that commit was RESET (`git reset --mixed`), keeping the
+  edit on disk and the secret OUT of git history (branch was never pushed). The pepper requirement is documented in the
+  tracked runbook.
+
+### ✅ Task 1.3 (Adopt ZB.MOM.WW.Auth.ApiKeys) COMPLETE across all repos
+MxGateway donor cutover + ScadaBridge full re-architecture (C1 seam → C2 mgmt/CLI → C3 CentralUI → C4 TransportExport →
+C5 retire+migration+runbook), all reviewed, lib at **0.1.3**. ScadaBridge inbound API is now 100% on the shared library
+(Bearer `sbk_<keyId>_<secret>`, scope = method name, per-key SQLite store + per-env pepper); the SQL Server key model is
+fully retired. Remaining Phase 1: **1.5** (AspNetCore claims/cookies, 3 UIs), **1.6** (dev GLAuth base DN), **1.7**
+(canonical roles, 3 repos). Then Phase 2 (audit) + Phase 3 (Actor wiring).
 
 ## Resolved decisions (2026-06-02)