fix(scriptanalysis): M3.6 — full-framework analysis refs close forbidden-type-in-allowed-ns blind spot; pin Process/Stopwatch; fix stale codec test; drop dead ContainsInCode

tests/ZB.MOM.WW.ScadaBridge.TemplateEngine.Tests/Validation/ScriptCompilerTests.cs

@@ -56,6 +56,31 @@ public class ScriptCompilerTests
         Assert.Contains("forbidden", result.Error, StringComparison.OrdinalIgnoreCase);
     }
 
+    [Fact]
+    public void TryCompile_ForbiddenTypeInAllowedNamespace_RejectedAsForbidden()
+    {
+        // System.Diagnostics is an ALLOWED namespace (Stopwatch/Debug ok), so the
+        // `using` directive can't be flagged; Process is a forbidden TYPE reached
+        // as a bare identifier. The validator's full-framework semantic resolution
+        // must catch it authoritatively as a forbidden API (not merely as an
+        // undefined-symbol compile error).
+        var result = _sut.TryCompile(
+            "using System.Diagnostics; var p = Process.Start(\"x\");", "Test");
+        Assert.True(result.IsFailure);
+        Assert.Contains("forbidden", result.Error, StringComparison.OrdinalIgnoreCase);
+    }
+
+    [Fact]
+    public void TryCompile_StopwatchInAllowedDiagnostics_ReturnsSuccess()
+    {
+        // The companion to the Process case: Stopwatch lives in the same allowed
+        // System.Diagnostics namespace and must NOT be flagged.
+        var result = _sut.TryCompile(
+            "using System.Diagnostics; var sw = Stopwatch.StartNew(); var e = sw.ElapsedMilliseconds;",
+            "Test");
+        Assert.True(result.IsSuccess, result.IsFailure ? result.Error : null);
+    }
+
     // --- Real-compile gate (the win over the old structural-only scan) ---
 
     [Fact]