fix: type field as object + drop dead nested helper (issue #7 follow-up)

The PR-#2 first pass on issue #7 fixed constructor-signature reflection
(the DI-container surface) so the plugin loaded on gateway 25.x. The
reporter then ran the live lab against the post-fix DLL and showed a
SECOND failure path: gateway 25.5.0 ships IAnyCAPlugin v3.2.0.0, the
plugin loads cleanly through Initialize at CA-registration time, but the
very first Enroll trips TypeLoadException — the JIT eagerly resolves the
declared types of instance fields when it compiles ANY method on the
class, and `_domainValidatorFactory` was still declared as
`IDomainValidatorFactory` (a type the v3.2 assembly doesn't ship).

Changes:

1. CERTInextCAPlugin.cs:48 — `_domainValidatorFactory` field re-typed
   from `volatile IDomainValidatorFactory` to `volatile object`. CLR
   class-load no longer eagerly tries to resolve the v3.3-only
   IDomainValidatorFactory type.

2. CERTInextCAPlugin.cs:63 — new private property
   `DomainValidatorFactory` returns `_domainValidatorFactory as
   IDomainValidatorFactory`. The cast is inside the property body and
   therefore JIT-lazy per-method, so the type is only resolved when the
   property actually runs (on hosts where the type exists). All read
   sites that need typed access go through the property.

3. CERTInextCAPlugin.cs:1387 — the nested helper class
   `DomainValidatorConfigProvider : IDomainValidatorConfigProvider` was
   dead code (declared but never instantiated). Deleted — a nested type
   declaring a v3.3-only base interface is itself a class-load hazard,
   and the cost of removing it is zero.

4. Null-check guards (`_domainValidatorFactory != null`,
   `_domainValidatorFactory == null`) remain as field reads — comparing
   `object` to null doesn't touch the v3.3 type at all.

Tests:

- CERTInextCAPluginPublicSurfaceTests gained three new regression
  guards:
    * NoInstanceField_DeclaredTypeReferencesV3Point3OnlyTypes — walks
      every instance field via reflection and asserts none are
      declared as a v3.3-only type. This is the exact regression that
      slipped through the first issue-#7 pass.
    * NoNestedType_ImplementsV3Point3OnlyInterface — walks nested
      type interface lists. Catches the dead-code nested helper pattern.
    * NoPublicMethod_SignatureReferencesV3Point3OnlyTypes — walks
      public methods' return and parameter types so reflection-driven
      hosts don't trip on signature metadata.
- DcvEnroll_CompletesWithoutThrowing still passes against the live
  sandbox — the DomainValidatorFactory property cast hot path on v3.3
  works correctly.

156/156 unit tests pass. Release build 0 warnings, 0 errors.

Author: spbsoluble

CERTInext.Tests/CERTInextCAPluginPublicSurfaceTests.cs

@@ -58,6 +58,91 @@ public void NoPublicConstructor_ReferencesV3Point3OnlyTypes()
             }
         }
 
+        [Fact]
+        public void NoInstanceField_DeclaredTypeReferencesV3Point3OnlyTypes()
+        {
+            // The .NET JIT eagerly resolves the declared types of all instance fields
+            // when it first compiles ANY method on a class. If an instance field is
+            // declared with a missing-type-on-this-host type, TypeLoadException fires
+            // the very first time Initialize / Enroll / Synchronize / anything is
+            // invoked — independent of whether the field is read on that code path.
+            //
+            // Issue #7's original fix patched constructor-signature reflection (the
+            // DI-container surface). The follow-up comment showed a separate failure
+            // path where Enroll trips on field-type loading. This test guards against
+            // a regression of either: field types must use only types the v3.2 host
+            // ships, with `object` as the typical neutral-typed storage and an `as`
+            // cast inside method bodies (JIT-lazy) for actual use.
+            var fields = typeof(CERTInextCAPlugin)
+                .GetFields(BindingFlags.Public | BindingFlags.NonPublic | BindingFlags.Instance);
+
+            foreach (var field in fields)
+            {
+                string fieldTypeName = field.FieldType.FullName ?? field.FieldType.Name;
+                V3Point3OnlyTypeNames.Should().NotContain(fieldTypeName,
+                    $"instance field '{field.Name}' (declared type {fieldTypeName}) on " +
+                    $"{field.DeclaringType?.FullName} would trigger TypeLoadException when the JIT " +
+                    $"first compiles any method on the class on a v3.2 gateway host. " +
+                    $"Re-type the field as `object` and cast to the v3.3 type inside method " +
+                    $"bodies — see issue #7 follow-up.");
+            }
+        }
+
+        [Fact]
+        public void NoNestedType_ImplementsV3Point3OnlyInterface()
+        {
+            // Nested types declared with a base/interface reference to a v3.3-only
+            // interface put that interface in the containing class's nested-type
+            // metadata. CLR class-load behaviour around nested-type interface
+            // resolution is fragile across .NET versions, so we forbid it outright
+            // as a belt-and-braces measure.
+            var nestedTypes = typeof(CERTInextCAPlugin)
+                .GetNestedTypes(BindingFlags.Public | BindingFlags.NonPublic);
+
+            foreach (var nested in nestedTypes)
+            {
+                foreach (var iface in nested.GetInterfaces())
+                {
+                    string ifaceName = iface.FullName ?? iface.Name;
+                    V3Point3OnlyTypeNames.Should().NotContain(ifaceName,
+                        $"nested type '{nested.FullName}' implements v3.3-only interface " +
+                        $"'{ifaceName}', which would leak into the containing class's " +
+                        $"reflection surface on a v3.2 host. Delete the nested type or " +
+                        $"refactor it to not declare the v3.3 interface in its base list.");
+                }
+            }
+        }
+
+        [Fact]
+        public void NoPublicMethod_SignatureReferencesV3Point3OnlyTypes()
+        {
+            // Reflection-driven hosts (anything calling Type.GetMethods()) eagerly
+            // resolve return-type and parameter-type metadata on each method. Public
+            // method signatures must therefore avoid v3.3-only types the same way
+            // public constructors do. SetDomainValidatorFactory's `object` parameter
+            // is the safe pattern.
+            var publicInstanceMethods = typeof(CERTInextCAPlugin)
+                .GetMethods(BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly);
+
+            foreach (var method in publicInstanceMethods)
+            {
+                // Property accessors get caught here too — that's intentional.
+                string returnTypeName = method.ReturnType.FullName ?? method.ReturnType.Name;
+                V3Point3OnlyTypeNames.Should().NotContain(returnTypeName,
+                    $"public method '{method.Name}' returns v3.3-only type '{returnTypeName}'. " +
+                    $"Change the return type to `object` and have callers cast at the use site.");
+
+                foreach (var param in method.GetParameters())
+                {
+                    string paramTypeName = param.ParameterType.FullName ?? param.ParameterType.Name;
+                    V3Point3OnlyTypeNames.Should().NotContain(paramTypeName,
+                        $"public method '{method.Name}' parameter '{param.Name}' is " +
+                        $"v3.3-only type '{paramTypeName}'. Change the parameter to `object` " +
+                        $"and cast inside the method body — see SetDomainValidatorFactory.");
+                }
+            }
+        }
+
         [Fact]
         public void ParameterlessConstructor_IsPublic()
         {

CERTInext/CERTInextCAPlugin.cs

@@ -35,17 +35,33 @@ public class CERTInextCAPlugin : IAnyCAPlugin, IDisposable
         private CERTInextConfig _config;
         private ICERTInextClient _client;
         private ICertificateDataReader _certificateDataReader;
-        // Not readonly: SetDomainValidatorFactory mutates this post-construction.
-        // A v3.3 gateway host can call SetDomainValidatorFactory between `new` and
-        // Initialize() to wire up DCV; on a v3.2 host where the factory type doesn't
-        // exist, the field remains null and DCV gracefully no-ops.
+        // Typed as `object` — NOT `IDomainValidatorFactory` — so the .NET JIT does not
+        // eagerly resolve the v3.3-only IDomainValidatorFactory type when it compiles
+        // any method on this class.  Resolving an instance field's declared type is
+        // part of the JIT's per-class metadata load, distinct from constructor-signature
+        // reflection (which we already protected in the issue #7 first pass).  On a
+        // gateway host whose IAnyCAPlugin assembly is v3.2.0.0 (no IDomainValidatorFactory),
+        // declaring the field with the missing type causes TypeLoadException the first
+        // time ANY instance method on the class is compiled — typically Initialize.
         //
-        // `volatile` because the field is written by SetDomainValidatorFactory and
-        // read by EnrollNewAsync/TryRunDcvDuringSyncAsync, which can run on different
-        // threads.  The standard gateway lifecycle wires the factory before the first
-        // operation, but no contract forbids a later re-wire and the cost of `volatile`
-        // is negligible compared to the time spent inside Enroll/Synchronize.
-        private volatile IDomainValidatorFactory _domainValidatorFactory;
+        // Reads of this field perform an `as IDomainValidatorFactory` cast inside method
+        // bodies (see DomainValidatorFactory below).  Casts in method bodies are JIT-lazy
+        // per-method, so the type is only resolved on hosts that actually have it.
+        //
+        // `volatile` because the field is written by SetDomainValidatorFactory and read
+        // by EnrollNewAsync / TryRunDcvDuringSyncAsync, which can run on different threads.
+        // See GitHub issue #7 for the full reasoning.
+        private volatile object _domainValidatorFactory;
+
+        /// <summary>
+        /// Returns the injected <see cref="IDomainValidatorFactory"/> when one is
+        /// available, or <c>null</c> when DCV is not wired up.  The cast is inside this
+        /// property body (and therefore JIT-lazy) so the missing-type case on a v3.2
+        /// gateway host stays compileable and never triggers <c>TypeLoadException</c>
+        /// at runtime.  All read sites in this class go through this property.
+        /// </summary>
+        private IDomainValidatorFactory DomainValidatorFactory =>
+            _domainValidatorFactory as IDomainValidatorFactory;
 
         // True when the client was passed in via a test-injection constructor and therefore
         // should not be disposed by this class (the test owns the mock's lifetime).
@@ -1125,16 +1141,12 @@ private static bool IsDcvNotYetReady(Exception ex)
             return hasPhrase && !hasOtherEmsCode;
         }
 
-        /// <summary>
-        /// Passes connector configuration to DNS provider plugins for per-domain configuration lookup.
-        /// </summary>
-        private sealed class DomainValidatorConfigProvider : Keyfactor.AnyGateway.Extensions.IDomainValidatorConfigProvider
-        {
-            public Dictionary<string, object> DomainValidationConfiguration { get; }
-
-            public DomainValidatorConfigProvider(Dictionary<string, object> config)
-                => DomainValidationConfiguration = config ?? new Dictionary<string, object>();
-        }
+        // (`DomainValidatorConfigProvider` nested helper removed — it declared an
+        // implementation of `Keyfactor.AnyGateway.Extensions.IDomainValidatorConfigProvider`,
+        // a v3.3-only interface, but the type was never instantiated anywhere in the
+        // plugin. Keeping a nested type whose base list references a missing assembly
+        // type is a hazard for CLR class-load on v3.2 hosts (see issue #7). Dead code
+        // that costs nothing to remove.)
 
         /// <summary>
         /// Best-effort DCV retry for an order that may still be pending validation.
@@ -1414,7 +1426,7 @@ private async Task<bool> PerformDcvIfNeededAsync(
                     : _config.DcvTxtRecordTemplate;
                 string hostname = string.Format(template, domain);
 
-                var validator = _domainValidatorFactory.ResolveDomainValidator(domain, "dns-01");
+                var validator = DomainValidatorFactory.ResolveDomainValidator(domain, "dns-01");
                 if (validator == null)
                     throw new InvalidOperationException(
                         $"No DNS provider plugin is configured for domain '{domain}'. " +