fix(validation): close Theme 3 — 11 input-validation / unbounded-input findings

Each finding is a focused validation guard or upper bound at a trust boundary.
Highlights:
- Commons-015: EncryptionMetadata ctor now validates Algorithm (AES-256-GCM
  only), Kdf (PBKDF2-SHA256 only), Iterations ([100k, 10M]), non-null Salt/IV.
- Transport-004: new BundleUnlockRateLimiter (sliding-window, per-key,
  singleton) wired into BundleImporter.LoadAsync; over-budget callers see
  BundleUnlockRateLimitedException. Per-bundle 3-strike + per-window cap.
- ESG-022: ExternalSystemClient.InvokeHttpAsync allow-lists the documented
  GET/POST/PUT/PATCH/DELETE set (case-insensitive); unknown verbs throw.
- SEL-015: SiteEventLogger queue now bounded (10k cap, DropOldest); dropped
  events fault their Task and increment FailedWriteCount so the drop is
  observable instead of an unbounded memory growth.
- SEL-017: EventLogQueryService clamps caller-supplied PageSize to a new
  MaxQueryPageSize cap (default 500) so int.MaxValue can't OOM the host.
- SEL-020: LogEventAsync rejects severities outside {Info, Warning, Error}
  (matches SQLite BINARY-collation query filter).
- InboundAPI-020: ContentType "json" check now case-insensitive
  (application/JSON no longer slips through as not-json).
- InboundAPI-024: _knownBadMethods capped at 1000 entries (drops new entries
  once full); per-request DB lookup remains the correctness path.
- SR-025: HandleSetStaticAttribute validates the attribute name against the
  deployed config; unknown names now return Success=false instead of
  leaking orphan override rows into the SQLite store.
- TE-021: MoveTemplateAsync runs the sibling-name-collision check at the
  destination, mirroring TemplateFolderService.MoveFolderAsync.
- TE-022: LockEnforcer's once-locked-stays-locked rule now also covers
  LockedInDerived (was previously only IsLocked).

New regression tests across 8 test projects (EncryptionMetadata, rate
limiter, ESG client allow-list, SEL bounded channel / PageSize clamp /
severity validation, InboundAPI ContentType + bad-methods cap, SiteRT
unknown-attribute, TemplateEngine MoveTemplate + LockedInDerived).
Build clean; affected suites all green. README regenerated: 93 open (was 104).

Note: a separate manual re-run was needed for the SiteEventLogging hunk
because its initial subagent's source edits never landed on disk despite
reporting success (file-collision-style failure mode).

tests/ScadaLink.TemplateEngine.Tests/LockEnforcerTests.cs

@@ -211,4 +211,46 @@ public class LockEnforcerTests
 
         Assert.Null(result);
     }
+
+    // ========================================================================
+    // TemplateEngine-022: LockedInDerived one-way ratchet
+    // ========================================================================
+
+    [Fact]
+    public void ValidateLockedInDerivedChange_ClearLocked_ReturnsError()
+    {
+        // Once a base template marks a member LockedInDerived, the flag may
+        // not be cleared — derived overrides previously blocked would
+        // otherwise become retroactively legal.
+        var result = LockEnforcer.ValidateLockedInDerivedChange(true, false, "Speed");
+
+        Assert.NotNull(result);
+        Assert.Contains("locked-in-derived", result);
+        Assert.Contains("cannot be cleared", result);
+    }
+
+    [Fact]
+    public void ValidateLockedInDerivedChange_LockUnlocked_ReturnsNull()
+    {
+        // Setting the flag from false→true is the normal direction.
+        var result = LockEnforcer.ValidateLockedInDerivedChange(false, true, "Speed");
+
+        Assert.Null(result);
+    }
+
+    [Fact]
+    public void ValidateLockedInDerivedChange_KeepLocked_ReturnsNull()
+    {
+        var result = LockEnforcer.ValidateLockedInDerivedChange(true, true, "Speed");
+
+        Assert.Null(result);
+    }
+
+    [Fact]
+    public void ValidateLockedInDerivedChange_KeepUnlocked_ReturnsNull()
+    {
+        var result = LockEnforcer.ValidateLockedInDerivedChange(false, false, "Speed");
+
+        Assert.Null(result);
+    }
 }

tests/ScadaLink.TemplateEngine.Tests/TemplateServiceTests.cs

@@ -1086,6 +1086,8 @@ public class TemplateServiceTests
         var folder = new TemplateFolder("Dev") { Id = 7 };
         _repoMock.Setup(r => r.GetTemplateByIdAsync(1, It.IsAny<CancellationToken>())).ReturnsAsync(t);
         _repoMock.Setup(r => r.GetFolderByIdAsync(7, It.IsAny<CancellationToken>())).ReturnsAsync(folder);
+        _repoMock.Setup(r => r.GetAllTemplatesAsync(It.IsAny<CancellationToken>()))
+            .ReturnsAsync(new List<Template> { t });
 
         var result = await _service.MoveTemplateAsync(1, 7, "admin");
 
@@ -1098,6 +1100,8 @@ public class TemplateServiceTests
     {
         var t = new Template("X") { Id = 1, FolderId = 7 };
         _repoMock.Setup(r => r.GetTemplateByIdAsync(1, It.IsAny<CancellationToken>())).ReturnsAsync(t);
+        _repoMock.Setup(r => r.GetAllTemplatesAsync(It.IsAny<CancellationToken>()))
+            .ReturnsAsync(new List<Template> { t });
 
         var result = await _service.MoveTemplateAsync(1, null, "admin");
 
@@ -1117,4 +1121,78 @@ public class TemplateServiceTests
         Assert.True(result.IsFailure);
         Assert.Contains("not found", result.Error);
     }
+
+    [Fact]
+    public async Task MoveTemplate_NameCollisionAtDestination_Fails()
+    {
+        // TemplateEngine-021: moving "Pump" into a folder that already contains a
+        // template named "Pump" (case-insensitive) must be rejected before the
+        // FolderId is persisted. Mirrors TemplateFolderService.MoveFolderAsync
+        // sibling-name uniqueness, and pins the design rule that naming
+        // collisions are design-time errors.
+        var moving = new Template("Pump") { Id = 1, FolderId = null };
+        var existing = new Template("pump") { Id = 2, FolderId = 7 }; // case-insensitive clash
+        var folder = new TemplateFolder("Dev") { Id = 7 };
+        _repoMock.Setup(r => r.GetTemplateByIdAsync(1, It.IsAny<CancellationToken>())).ReturnsAsync(moving);
+        _repoMock.Setup(r => r.GetFolderByIdAsync(7, It.IsAny<CancellationToken>())).ReturnsAsync(folder);
+        _repoMock.Setup(r => r.GetAllTemplatesAsync(It.IsAny<CancellationToken>()))
+            .ReturnsAsync(new List<Template> { moving, existing });
+
+        var result = await _service.MoveTemplateAsync(1, 7, "admin");
+
+        Assert.True(result.IsFailure);
+        Assert.Contains("already exists", result.Error);
+        // The destination FolderId must NOT have been written when the move is rejected.
+        Assert.Null(moving.FolderId);
+        _repoMock.Verify(r => r.UpdateTemplateAsync(It.IsAny<Template>(), It.IsAny<CancellationToken>()), Times.Never);
+    }
+
+    [Fact]
+    public async Task MoveTemplate_NoCollisionAtDestination_Succeeds()
+    {
+        // TemplateEngine-021 companion: a sibling with the same name in a
+        // *different* folder is not a collision. The move must succeed.
+        var moving = new Template("Pump") { Id = 1, FolderId = null };
+        var unrelated = new Template("Pump") { Id = 2, FolderId = 8 }; // different folder
+        var folder = new TemplateFolder("Dev") { Id = 7 };
+        _repoMock.Setup(r => r.GetTemplateByIdAsync(1, It.IsAny<CancellationToken>())).ReturnsAsync(moving);
+        _repoMock.Setup(r => r.GetFolderByIdAsync(7, It.IsAny<CancellationToken>())).ReturnsAsync(folder);
+        _repoMock.Setup(r => r.GetAllTemplatesAsync(It.IsAny<CancellationToken>()))
+            .ReturnsAsync(new List<Template> { moving, unrelated });
+
+        var result = await _service.MoveTemplateAsync(1, 7, "admin");
+
+        Assert.True(result.IsSuccess);
+        Assert.Equal(7, result.Value.FolderId);
+    }
+
+    [Fact]
+    public async Task UpdateAttribute_LockedInDerivedDowngrade_OnBase_Rejected()
+    {
+        // TemplateEngine-022: LockedInDerived is a one-way ratchet on base
+        // templates. Once true, it cannot be cleared — otherwise existing
+        // derived overrides that were previously blocked would become
+        // retroactively legal.
+        var baseTemplate = new Template("Sensor") { Id = 2 }; // base — not derived
+        var existing = new TemplateAttribute("SetPoint")
+        {
+            Id = 100,
+            TemplateId = 2,
+            DataType = DataType.Float,
+            LockedInDerived = true
+        };
+        _repoMock.Setup(r => r.GetTemplateAttributeByIdAsync(100, It.IsAny<CancellationToken>())).ReturnsAsync(existing);
+        _repoMock.Setup(r => r.GetTemplateByIdAsync(2, It.IsAny<CancellationToken>())).ReturnsAsync(baseTemplate);
+
+        var proposed = new TemplateAttribute("SetPoint")
+        {
+            DataType = DataType.Float,
+            LockedInDerived = false // attempt to clear the lock
+        };
+        var result = await _service.UpdateAttributeAsync(100, proposed, "admin");
+
+        Assert.True(result.IsFailure);
+        Assert.Contains("locked-in-derived", result.Error);
+        Assert.True(existing.LockedInDerived); // unchanged
+    }
 }