fix(inbound): authorize+secure Database helper, async/deadline-bound DB, wait-timeout-bound WaitForAttribute

Resolves InboundAPI-026/027/028/029 (+ newly-surfaced -030).

- 026: authorize the scoped Database helper in the design doc; SQL-injection
  protection is parameter binding (values never concatenated); allow writes via
  ExecuteAsync; drop the false 'read-only' claim. Named connections only.
- 027: async ADO.NET end-to-end (no .GetAwaiter().GetResult()); honour the method
  deadline token on ExecuteScalarAsync/ExecuteReaderAsync/ExecuteNonQueryAsync +
  a CommandTimeout backstop derived from the method timeout.
- 028: negative-path tests (null-gateway, deadline cancellation, parameterization)
  + e2e Database + WaitForAttribute cases through the real endpoint.
- 029: WaitForAttribute is bounded by its WAIT timeout (per-wait CTS + client-abort
  + explicit token), NOT the method deadline (spec §6) — a long wait may outlive the
  method timeout; WithRequestAborted threads the raw client-abort token separately.
- 030: Central UI compile-surface mirrors (InboundScriptHost / SandboxInboundScriptHost)
  gained the Database member (drifted since the runtime helper was added) so the
  authorized async API type-checks at the design-time gate.

tests/ZB.MOM.WW.ScadaBridge.InboundAPI.Tests/EndpointExtensionsTests.cs

@@ -16,8 +16,12 @@ using ZB.MOM.WW.Auth.ApiKeys.Sqlite;
 using ZB.MOM.WW.ScadaBridge.Commons.Entities.InboundApi;
 using ZB.MOM.WW.ScadaBridge.Commons.Interfaces.Repositories;
 using ZB.MOM.WW.ScadaBridge.Commons.Interfaces.Services;
+using ZB.MOM.WW.ScadaBridge.Commons.Messages.InboundApi;
 using ZB.MOM.WW.ScadaBridge.Commons.Observability;
+using ZB.MOM.WW.ScadaBridge.Commons.Types;
 using ZB.MOM.WW.ScadaBridge.InboundAPI.Middleware;
+using Microsoft.Data.Sqlite;
+using System.Data.Common;
 using System.Diagnostics.Metrics;
 using System.Net;
 using System.Net.Http.Headers;
@@ -548,6 +552,102 @@ public sealed class EndpointExtensionsTests : IDisposable
         public void Dispose() => _listener.Dispose();
     }
 
+    // --- InboundAPI-028: drive the new script-facing capabilities (Database +
+    //     WaitForAttribute) end-to-end through the real POST /api/{methodName} flow,
+    //     so a wiring regression in executor→context→helper / RouteHelper is caught. ---
+
+    [Fact]
+    public async Task Script_UsingDatabase_RunsEndToEndThroughEndpoint()
+    {
+        // A method whose script reads through Database.QueryAsync — proving the executor
+        // builds the Database helper, resolves IDatabaseGateway from the per-execution
+        // DI scope, and the parameterized read reaches the body. (InboundAPI-028)
+        var method = SeedMethod(1, "movein",
+            "return await Database.QuerySingleAsync<string>(\"BTDB\", \"SELECT Code FROM Machine WHERE SAPID=@s\", new { s = (string)Parameters[\"sap\"] });",
+            """[{"name":"sap","type":"String","required":true}]""");
+
+        using var host = await BuildHostAsync(method, additionalServices: services =>
+        {
+            services.AddSingleton<IDatabaseGateway>(SeededSqliteGateway());
+        });
+        var token = await SeedKeyAsync(host, keyId: "key1", displayName: "movein-caller",
+            scopes: new[] { "movein" });
+        var client = host.GetTestClient();
+
+        var response = await client.SendAsync(BuildPost("movein", """{"sap":"131453"}""", token));
+        var body = await response.Content.ReadAsStringAsync();
+
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+        Assert.Contains("Z28061A", body);
+    }
+
+    [Fact]
+    public async Task Script_UsingWaitForAttribute_RunsEndToEndThroughEndpoint()
+    {
+        // A method whose script awaits Route.To(...).WaitForAttribute(...) — proving the
+        // executor binds the RouteHelper and the wait routes through IInstanceRouter and
+        // returns its result through the endpoint. (InboundAPI-028)
+        var method = SeedMethod(2, "waitmethod",
+            "return await Route.To(\"inst-1\").WaitForAttribute(\"Flag\", true, System.TimeSpan.FromSeconds(1));");
+
+        var locator = Substitute.For<IInstanceLocator>();
+        locator.GetSiteIdForInstanceAsync("inst-1", Arg.Any<CancellationToken>()).Returns("SiteA");
+        var router = Substitute.For<IInstanceRouter>();
+        router.RouteToWaitForAttributeAsync("SiteA", Arg.Any<RouteToWaitForAttributeRequest>(), Arg.Any<CancellationToken>())
+            .Returns(ci => new RouteToWaitForAttributeResponse(
+                ((RouteToWaitForAttributeRequest)ci[1]).CorrelationId,
+                Matched: true, Value: true, Quality: "Good", TimedOut: false,
+                Success: true, ErrorMessage: null, DateTimeOffset.UtcNow));
+
+        using var host = await BuildHostAsync(method, additionalServices: services =>
+        {
+            services.RemoveAll<IInstanceLocator>();
+            services.AddSingleton(locator);
+            services.RemoveAll<IInstanceRouter>();
+            services.AddSingleton(router);
+        });
+        var token = await SeedKeyAsync(host, keyId: "key1", displayName: "wait-caller",
+            scopes: new[] { "waitmethod" });
+        var client = host.GetTestClient();
+
+        var response = await client.SendAsync(BuildPost("waitmethod", "{}", token));
+        var body = await response.Content.ReadAsStringAsync();
+
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+        Assert.Contains("true", body);
+    }
+
+    // SQLite-backed IDatabaseGateway fake. Owns its keep-alive connection so the shared
+    // in-memory db lives for the gateway's (= host's) lifetime — NOT a GC-eligible local,
+    // which could be collected mid-suite (under GC pressure + SqliteConnection.ClearAllPools
+    // in Dispose) and drop the db before the request opens its own connection. A unique db
+    // name per instance also keeps tests from contaminating each other. Seeded with
+    // Machine(Code,SAPID)=('Z28061A','131453').
+    private sealed class SqliteGateway : IDatabaseGateway, IDisposable
+    {
+        private readonly string _cs;
+        private readonly SqliteConnection _keepAlive;
+        public SqliteGateway(string cs)
+        {
+            _cs = cs;
+            _keepAlive = new SqliteConnection(cs);
+            _keepAlive.Open();
+            using var cmd = _keepAlive.CreateCommand();
+            cmd.CommandText = "CREATE TABLE IF NOT EXISTS Machine(Code TEXT, SAPID TEXT); DELETE FROM Machine; INSERT INTO Machine VALUES('Z28061A','131453');";
+            cmd.ExecuteNonQuery();
+        }
+        public async Task<DbConnection> GetConnectionAsync(string name, CancellationToken ct = default)
+        { var c = new SqliteConnection(_cs); await c.OpenAsync(ct); return c; }
+        public Task<ExternalCallResult> CachedWriteAsync(string c, string s,
+            IReadOnlyDictionary<string, object?>? p = null, string? o = null, CancellationToken ct = default,
+            TrackedOperationId? t = null, Guid? e = null, string? src = null, Guid? pe = null)
+            => throw new NotImplementedException();
+        public void Dispose() => _keepAlive.Dispose();
+    }
+
+    private static SqliteGateway SeededSqliteGateway() =>
+        new($"DataSource=file:movein-endpoint-{Guid.NewGuid():N}?mode=memory&cache=shared");
+
     private static HttpRequestMessage BuildPost(string methodName, string body, string bearerToken)
     {
         var request = new HttpRequestMessage(HttpMethod.Post, "/api/" + methodName)