fix(validation): close Theme 3 — 11 input-validation / unbounded-input findings

Each finding is a focused validation guard or upper bound at a trust boundary.
Highlights:
- Commons-015: EncryptionMetadata ctor now validates Algorithm (AES-256-GCM
  only), Kdf (PBKDF2-SHA256 only), Iterations ([100k, 10M]), non-null Salt/IV.
- Transport-004: new BundleUnlockRateLimiter (sliding-window, per-key,
  singleton) wired into BundleImporter.LoadAsync; over-budget callers see
  BundleUnlockRateLimitedException. Per-bundle 3-strike + per-window cap.
- ESG-022: ExternalSystemClient.InvokeHttpAsync allow-lists the documented
  GET/POST/PUT/PATCH/DELETE set (case-insensitive); unknown verbs throw.
- SEL-015: SiteEventLogger queue now bounded (10k cap, DropOldest); dropped
  events fault their Task and increment FailedWriteCount so the drop is
  observable instead of an unbounded memory growth.
- SEL-017: EventLogQueryService clamps caller-supplied PageSize to a new
  MaxQueryPageSize cap (default 500) so int.MaxValue can't OOM the host.
- SEL-020: LogEventAsync rejects severities outside {Info, Warning, Error}
  (matches SQLite BINARY-collation query filter).
- InboundAPI-020: ContentType "json" check now case-insensitive
  (application/JSON no longer slips through as not-json).
- InboundAPI-024: _knownBadMethods capped at 1000 entries (drops new entries
  once full); per-request DB lookup remains the correctness path.
- SR-025: HandleSetStaticAttribute validates the attribute name against the
  deployed config; unknown names now return Success=false instead of
  leaking orphan override rows into the SQLite store.
- TE-021: MoveTemplateAsync runs the sibling-name-collision check at the
  destination, mirroring TemplateFolderService.MoveFolderAsync.
- TE-022: LockEnforcer's once-locked-stays-locked rule now also covers
  LockedInDerived (was previously only IsLocked).

New regression tests across 8 test projects (EncryptionMetadata, rate
limiter, ESG client allow-list, SEL bounded channel / PageSize clamp /
severity validation, InboundAPI ContentType + bad-methods cap, SiteRT
unknown-attribute, TemplateEngine MoveTemplate + LockedInDerived).
Build clean; affected suites all green. README regenerated: 93 open (was 104).

Note: a separate manual re-run was needed for the SiteEventLogging hunk
because its initial subagent's source edits never landed on disk despite
reporting success (file-collision-style failure mode).

code-reviews/TemplateEngine/findings.md

@@ -8,7 +8,7 @@
 | Last reviewed | 2026-05-28 |
 | Reviewer | claude-agent |
 | Commit reviewed | `1eb6e97` |
-| Open findings | 6 |
+| Open findings | 4 |
 
 ## Summary
 
@@ -1067,7 +1067,7 @@ _Unresolved._
 |--|--|
 | Severity | Medium |
 | Category | Correctness & logic bugs |
-| Status | Open |
+| Status | Resolved |
 | Location | `src/ScadaLink.TemplateEngine/TemplateService.cs:173` |
 
 **Description**
@@ -1102,9 +1102,21 @@ templates with the same `FolderId == newFolderId` and the same `Name`
 (case-insensitive), mirroring `TemplateFolderService.MoveFolderAsync` lines
 130–142. Add a regression test `MoveTemplate_NameCollisionAtDestination_Fails`.
 
-**Resolution**
+**Resolution (2026-05-28):**
 
-_Unresolved._
+Resolved (commit `pending`): `MoveTemplateAsync` now loads `GetAllTemplatesAsync`
+on any FolderId-changing move and rejects the move if another template at the
+destination shares the moved template's name (case-insensitive), mirroring
+`TemplateFolderService.MoveFolderAsync`'s sibling-name uniqueness check; the
+FolderId is not written when the check fails. Cycle detection is deliberately
+not added — a template move changes only `FolderId` and never touches
+`ParentTemplateId`, and templates have no folder-children navigation, so no
+inheritance- or folder-graph cycle is reachable through this path (the
+finding's own description states this; only the sibling-name check applies).
+Regression tests: `MoveTemplate_NameCollisionAtDestination_Fails` (case-
+insensitive collision rejected, FolderId untouched, `UpdateTemplateAsync` never
+called) and `MoveTemplate_NoCollisionAtDestination_Succeeds` (same-named
+template in a *different* folder is not a collision).
 
 ### TemplateEngine-022 — `LockEnforcer.ValidateLockChange` enforces "once-locked-stays-locked" for `IsLocked` but not for `LockedInDerived`
 
@@ -1112,7 +1124,7 @@ _Unresolved._
 |--|--|
 | Severity | Low |
 | Category | Documentation & comments |
-| Status | Open |
+| Status | Resolved |
 | Location | `src/ScadaLink.TemplateEngine/LockEnforcer.cs:109`, `src/ScadaLink.TemplateEngine/TemplateService.cs:323`, `src/ScadaLink.TemplateEngine/TemplateService.cs:476`, `src/ScadaLink.TemplateEngine/TemplateService.cs:623` |
 
 **Description**
@@ -1156,7 +1168,20 @@ like `IsLocked`, extend `ValidateLockChange` (or add a sibling
 intended to be mutable, update the `LockEnforcer` summary to scope the rule
 to `IsLocked` only. Either way, add a test pinning the chosen behaviour.
 
-**Resolution**
+**Resolution (2026-05-28):**
 
-_Unresolved._
+Resolved (commit `pending`): chose option (b) — `LockedInDerived` is now a
+one-way ratchet on base templates, matching the design intent that an existing
+block on derived overrides cannot be retroactively re-allowed. Added a sibling
+`LockEnforcer.ValidateLockedInDerivedChange(originalLockedInDerived,
+proposedLockedInDerived, memberName)` and wired it into `UpdateAttributeAsync`,
+`UpdateAlarmAsync`, and `UpdateScriptAsync` (only when the owning template is
+*not* derived — derived rows never carry an authoritative `LockedInDerived`,
+they inherit the base's value). The `LockEnforcer` class XML summary now
+explicitly extends the once-locked-stays-locked rule to both `IsLocked` and
+`LockedInDerived` so the documentation matches the enforced behaviour.
+Regression tests: `LockEnforcerTests.ValidateLockedInDerivedChange_*` (true→
+false rejected, false→true / true→true / false→false accepted) and
+`TemplateServiceTests.UpdateAttribute_LockedInDerivedDowngrade_OnBase_Rejected`
+(end-to-end on the attribute update path).