fix(validation): close Theme 3 — 11 input-validation / unbounded-input findings

Each finding is a focused validation guard or upper bound at a trust boundary.
Highlights:
- Commons-015: EncryptionMetadata ctor now validates Algorithm (AES-256-GCM
  only), Kdf (PBKDF2-SHA256 only), Iterations ([100k, 10M]), non-null Salt/IV.
- Transport-004: new BundleUnlockRateLimiter (sliding-window, per-key,
  singleton) wired into BundleImporter.LoadAsync; over-budget callers see
  BundleUnlockRateLimitedException. Per-bundle 3-strike + per-window cap.
- ESG-022: ExternalSystemClient.InvokeHttpAsync allow-lists the documented
  GET/POST/PUT/PATCH/DELETE set (case-insensitive); unknown verbs throw.
- SEL-015: SiteEventLogger queue now bounded (10k cap, DropOldest); dropped
  events fault their Task and increment FailedWriteCount so the drop is
  observable instead of an unbounded memory growth.
- SEL-017: EventLogQueryService clamps caller-supplied PageSize to a new
  MaxQueryPageSize cap (default 500) so int.MaxValue can't OOM the host.
- SEL-020: LogEventAsync rejects severities outside {Info, Warning, Error}
  (matches SQLite BINARY-collation query filter).
- InboundAPI-020: ContentType "json" check now case-insensitive
  (application/JSON no longer slips through as not-json).
- InboundAPI-024: _knownBadMethods capped at 1000 entries (drops new entries
  once full); per-request DB lookup remains the correctness path.
- SR-025: HandleSetStaticAttribute validates the attribute name against the
  deployed config; unknown names now return Success=false instead of
  leaking orphan override rows into the SQLite store.
- TE-021: MoveTemplateAsync runs the sibling-name-collision check at the
  destination, mirroring TemplateFolderService.MoveFolderAsync.
- TE-022: LockEnforcer's once-locked-stays-locked rule now also covers
  LockedInDerived (was previously only IsLocked).

New regression tests across 8 test projects (EncryptionMetadata, rate
limiter, ESG client allow-list, SEL bounded channel / PageSize clamp /
severity validation, InboundAPI ContentType + bad-methods cap, SiteRT
unknown-attribute, TemplateEngine MoveTemplate + LockedInDerived).
Build clean; affected suites all green. README regenerated: 93 open (was 104).

Note: a separate manual re-run was needed for the SiteEventLogging hunk
because its initial subagent's source edits never landed on disk despite
reporting success (file-collision-style failure mode).

tests/ScadaLink.Commons.Tests/Types/Transport/EncryptionMetadataTests.cs

@@ -0,0 +1,143 @@
+using ScadaLink.Commons.Types.Transport;
+
+namespace ScadaLink.Commons.Tests.Types.Transport;
+
+/// <summary>
+/// Commons-015: <see cref="EncryptionMetadata"/> must reject malformed envelopes at
+/// the type boundary (unknown algorithm, unsupported KDF, sub-minimum or over-cap
+/// iteration counts, null salt/IV). Valid construction must round-trip the fields.
+/// </summary>
+public sealed class EncryptionMetadataTests
+{
+    [Fact]
+    public void Constructor_WithDocumentedValues_Succeeds()
+    {
+        // 600_000 is the design-doc production value; "abc"/"def" are placeholder
+        // Base64 strings, kept short for test legibility.
+        var meta = new EncryptionMetadata(
+            Algorithm: "AES-256-GCM",
+            Kdf: "PBKDF2-SHA256",
+            Iterations: 600_000,
+            SaltB64: "abc",
+            IvB64: "def");
+
+        Assert.Equal("AES-256-GCM", meta.Algorithm);
+        Assert.Equal("PBKDF2-SHA256", meta.Kdf);
+        Assert.Equal(600_000, meta.Iterations);
+        Assert.Equal("abc", meta.SaltB64);
+        Assert.Equal("def", meta.IvB64);
+    }
+
+    [Theory]
+    [InlineData("AES-128-CBC")]      // weaker algorithm
+    [InlineData("AES-256-CBC")]      // unauthenticated mode
+    [InlineData("aes-256-gcm")]      // case must match exactly
+    [InlineData("")]
+    [InlineData("FOO")]
+    public void Constructor_UnknownAlgorithm_Throws(string algorithm)
+    {
+        var ex = Assert.Throws<ArgumentException>(() => new EncryptionMetadata(
+            Algorithm: algorithm,
+            Kdf: "PBKDF2-SHA256",
+            Iterations: 600_000,
+            SaltB64: "abc",
+            IvB64: "def"));
+
+        Assert.Equal("Algorithm", ex.ParamName);
+        Assert.Contains("AES-256-GCM", ex.Message);
+    }
+
+    [Theory]
+    [InlineData("PBKDF2-SHA1")]      // weaker hash
+    [InlineData("argon2id")]         // unsupported KDF
+    [InlineData("pbkdf2-sha256")]    // case must match
+    [InlineData("")]
+    public void Constructor_UnknownKdf_Throws(string kdf)
+    {
+        var ex = Assert.Throws<ArgumentException>(() => new EncryptionMetadata(
+            Algorithm: "AES-256-GCM",
+            Kdf: kdf,
+            Iterations: 600_000,
+            SaltB64: "abc",
+            IvB64: "def"));
+
+        Assert.Equal("Kdf", ex.ParamName);
+        Assert.Contains("PBKDF2-SHA256", ex.Message);
+    }
+
+    [Theory]
+    [InlineData(0)]
+    [InlineData(-1)]
+    [InlineData(1)]
+    [InlineData(99_999)]                  // one below the floor
+    [InlineData(10_000_001)]              // one above the ceiling
+    [InlineData(int.MaxValue)]
+    public void Constructor_IterationsOutOfRange_Throws(int iterations)
+    {
+        var ex = Assert.Throws<ArgumentException>(() => new EncryptionMetadata(
+            Algorithm: "AES-256-GCM",
+            Kdf: "PBKDF2-SHA256",
+            Iterations: iterations,
+            SaltB64: "abc",
+            IvB64: "def"));
+
+        Assert.Equal("Iterations", ex.ParamName);
+    }
+
+    [Theory]
+    [InlineData(100_000)]                 // OWASP minimum (exact)
+    [InlineData(600_000)]                 // design-doc production value
+    [InlineData(10_000_000)]              // ceiling (exact)
+    public void Constructor_IterationsAtBoundary_Succeeds(int iterations)
+    {
+        // Exercises the inclusive boundary check on both ends.
+        var meta = new EncryptionMetadata(
+            Algorithm: "AES-256-GCM",
+            Kdf: "PBKDF2-SHA256",
+            Iterations: iterations,
+            SaltB64: "abc",
+            IvB64: "def");
+
+        Assert.Equal(iterations, meta.Iterations);
+    }
+
+    [Fact]
+    public void Constructor_NullSalt_Throws()
+    {
+        // null is rejected; empty is permitted (the seed pattern used by BundleSerializer.Pack).
+        Assert.Throws<ArgumentNullException>(() => new EncryptionMetadata(
+            Algorithm: "AES-256-GCM",
+            Kdf: "PBKDF2-SHA256",
+            Iterations: 600_000,
+            SaltB64: null!,
+            IvB64: "def"));
+    }
+
+    [Fact]
+    public void Constructor_NullIv_Throws()
+    {
+        Assert.Throws<ArgumentNullException>(() => new EncryptionMetadata(
+            Algorithm: "AES-256-GCM",
+            Kdf: "PBKDF2-SHA256",
+            Iterations: 600_000,
+            SaltB64: "abc",
+            IvB64: null!));
+    }
+
+    [Fact]
+    public void Constructor_EmptySaltAndIv_Succeeds_ForSeedPattern()
+    {
+        // BundleSerializer.Pack re-stamps salt/iv from the ciphertext it actually
+        // writes, so callers (BundleExporter) construct a seed instance with empty
+        // placeholders. Validation must therefore accept empty here.
+        var seed = new EncryptionMetadata(
+            Algorithm: "AES-256-GCM",
+            Kdf: "PBKDF2-SHA256",
+            Iterations: 600_000,
+            SaltB64: string.Empty,
+            IvB64: string.Empty);
+
+        Assert.Equal(string.Empty, seed.SaltB64);
+        Assert.Equal(string.Empty, seed.IvB64);
+    }
+}