review(Driver.Galaxy.Contracts): first review; [Range] guard on EventPumpChannelCapacity

First review at 7286d320. -002 (Medium) fixed: EventPumpChannelCapacity now [Range(1,..)]
(a 0 passed AdminUI validation but faulted the driver at InitializeAsync). -001 stale finding-id
doc fixed. -003 ResolveApiKey dedup Open (3-module coordination).

src/Drivers/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Contracts/GalaxyDriverOptions.cs

@@ -40,8 +40,8 @@ public sealed record GalaxyDriverOptions(
 ///         no startup warning.</item>
 ///       <item>Anything else — treated as a literal cleartext API key for back-compat.
 ///         The resolver emits a <c>Warning</c> at startup so an operator who accidentally
-///         committed a cleartext key sees it (Driver.Galaxy-010); production should
-///         migrate to <c>env:</c> or <c>file:</c>.</item>
+///         committed a cleartext key sees it; production should migrate to <c>env:</c>
+///         or <c>file:</c>.</item>
 ///     </list>
 /// </summary>
 // PR 6.5 tuning notes:
@@ -83,12 +83,14 @@ public sealed record GalaxyGatewayOptions(
 ///     fan-out loop (PR 6.2). Default 50_000 = one second of headroom at 50k tags / 1Hz;
 ///     raise it when <c>galaxy.events.dropped</c> shows up under transient consumer
 ///     slowness, lower it on a memory-tight host where the headroom isn't needed.
+///     Must be ≥ 1 — <c>EventPump</c> enforces this at construction and throws
+///     <see cref="ArgumentOutOfRangeException"/> if the value is zero or negative.
 /// </param>
 public sealed record GalaxyMxAccessOptions(
     string ClientName,
     int PublishingIntervalMs = 1000,
     int WriteUserId = 0,
-    int EventPumpChannelCapacity = 50_000);
+    [Range(1, int.MaxValue)] int EventPumpChannelCapacity = 50_000);
 
 /// <summary>
 ///     Galaxy Repository browse-side knobs consumed by PR 4.1's <c>GalaxyDiscoverer</c>.