fix(validation): close Theme 3 — 11 input-validation / unbounded-input findings

Each finding is a focused validation guard or upper bound at a trust boundary.
Highlights:
- Commons-015: EncryptionMetadata ctor now validates Algorithm (AES-256-GCM
  only), Kdf (PBKDF2-SHA256 only), Iterations ([100k, 10M]), non-null Salt/IV.
- Transport-004: new BundleUnlockRateLimiter (sliding-window, per-key,
  singleton) wired into BundleImporter.LoadAsync; over-budget callers see
  BundleUnlockRateLimitedException. Per-bundle 3-strike + per-window cap.
- ESG-022: ExternalSystemClient.InvokeHttpAsync allow-lists the documented
  GET/POST/PUT/PATCH/DELETE set (case-insensitive); unknown verbs throw.
- SEL-015: SiteEventLogger queue now bounded (10k cap, DropOldest); dropped
  events fault their Task and increment FailedWriteCount so the drop is
  observable instead of an unbounded memory growth.
- SEL-017: EventLogQueryService clamps caller-supplied PageSize to a new
  MaxQueryPageSize cap (default 500) so int.MaxValue can't OOM the host.
- SEL-020: LogEventAsync rejects severities outside {Info, Warning, Error}
  (matches SQLite BINARY-collation query filter).
- InboundAPI-020: ContentType "json" check now case-insensitive
  (application/JSON no longer slips through as not-json).
- InboundAPI-024: _knownBadMethods capped at 1000 entries (drops new entries
  once full); per-request DB lookup remains the correctness path.
- SR-025: HandleSetStaticAttribute validates the attribute name against the
  deployed config; unknown names now return Success=false instead of
  leaking orphan override rows into the SQLite store.
- TE-021: MoveTemplateAsync runs the sibling-name-collision check at the
  destination, mirroring TemplateFolderService.MoveFolderAsync.
- TE-022: LockEnforcer's once-locked-stays-locked rule now also covers
  LockedInDerived (was previously only IsLocked).

New regression tests across 8 test projects (EncryptionMetadata, rate
limiter, ESG client allow-list, SEL bounded channel / PageSize clamp /
severity validation, InboundAPI ContentType + bad-methods cap, SiteRT
unknown-attribute, TemplateEngine MoveTemplate + LockedInDerived).
Build clean; affected suites all green. README regenerated: 93 open (was 104).

Note: a separate manual re-run was needed for the SiteEventLogging hunk
because its initial subagent's source edits never landed on disk despite
reporting success (file-collision-style failure mode).

tests/ScadaLink.SiteEventLogging.Tests/EventLogQueryServiceTests.cs

@@ -316,4 +316,45 @@ public class EventLogQueryServiceTests : IDisposable
             cmd.ExecuteNonQuery();
         });
     }
+
+    // --- SiteEventLogging-017: PageSize hard upper bound ---
+
+    [Fact]
+    public async Task Query_PageSize_IsClampedToMaxQueryPageSize()
+    {
+        // Tighten the cap to make the assertion deterministic without seeding 100k rows.
+        var dbPath = Path.Combine(Path.GetTempPath(), $"test_pagesize_{Guid.NewGuid()}.db");
+        var options = Options.Create(new SiteEventLogOptions
+        {
+            DatabasePath = dbPath,
+            QueryPageSize = 500,
+            MaxQueryPageSize = 3,
+        });
+        using var logger = new SiteEventLogger(options, NullLogger<SiteEventLogger>.Instance);
+        var query = new EventLogQueryService(logger, options, NullLogger<EventLogQueryService>.Instance);
+
+        try
+        {
+            // Seed 5 rows but request PageSize = 100_000 — must be clamped to 3.
+            for (var i = 0; i < 5; i++)
+                await logger.LogEventAsync("script", "Info", null, $"src-{i}", $"msg-{i}");
+
+            var response = query.ExecuteQuery(new EventLogQueryRequest(
+                CorrelationId: Guid.NewGuid().ToString(),
+                SiteId: "site-1",
+                From: null, To: null,
+                EventType: null, Severity: null, InstanceId: null, KeywordFilter: null,
+                ContinuationToken: null,
+                PageSize: 100_000,
+                Timestamp: DateTimeOffset.UtcNow));
+
+            Assert.Equal(3, response.Entries.Count);
+            Assert.True(response.HasMore);
+        }
+        finally
+        {
+            logger.Dispose();
+            if (File.Exists(dbPath)) File.Delete(dbPath);
+        }
+    }
 }