fix(inbound-api): resolve InboundAPI-009,010,011,013 — cache failed compiles, reject unknown body fields, close enumeration oracle, drop misnamed factory; InboundAPI-007,012 flagged

src/ScadaLink.InboundAPI/ParameterValidator.cs

@@ -61,6 +61,19 @@ public static class ParameterValidator
         var result = new Dictionary<string, object?>();
         var errors = new List<string>();
 
+        // InboundAPI-010: report top-level body fields that do not match any defined
+        // parameter, so a caller learns about a typo'd parameter name instead of
+        // having the field silently ignored.
+        var defined = new HashSet<string>(definitions.Select(d => d.Name), StringComparer.Ordinal);
+        var unexpected = body.Value.EnumerateObject()
+            .Select(p => p.Name)
+            .Where(name => !defined.Contains(name))
+            .ToList();
+        if (unexpected.Count > 0)
+        {
+            errors.Add($"Unexpected parameter(s): {string.Join(", ", unexpected)}");
+        }
+
         foreach (var def in definitions)
         {
             if (body.Value.TryGetProperty(def.Name, out var prop))
@@ -89,6 +102,13 @@ public static class ParameterValidator
         return ParameterValidationResult.Valid(result);
     }
 
+    /// <summary>
+    /// Coerces a JSON element to the declared parameter type. InboundAPI-010: the
+    /// <c>Object</c> and <c>List</c> extended types are validated for JSON <em>shape</em>
+    /// only (object vs. array) — there is no field-level or element-level type
+    /// validation. A method script that needs a specific nested structure must
+    /// validate it itself; invalid nested data surfaces as a runtime script error.
+    /// </summary>
     private static (object? value, string? error) CoerceValue(JsonElement element, string expectedType, string paramName)
     {
         return expectedType.ToLowerInvariant() switch