fix(configuration): resolve Low code-review findings (Configuration-004,005,007,010,011)

- Configuration-004: NodePermissions stored as int to match the EF
  HasConversion<int>() in OtOpcUaConfigDbContext.ConfigureNodeAcl.
- Configuration-005: serialise LiteDbConfigCache.PutAsync so concurrent
  Put for the same (ClusterId, GenerationId) cannot duplicate rows.
- Configuration-007: rethrow OperationCanceledException from
  GenerationApplier.ApplyPass when the caller's token is cancelled.
- Configuration-010: scrub secrets and drop the full exception object
  from the ResilientConfigReader fallback warning log.
- Configuration-011: pin the previously-uncovered GenerationApplier
  cancellation and path-length / publish-validation paths.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/Core/ZB.MOM.WW.OtOpcUa.Configuration/LocalCache/ResilientConfigReader.cs

@@ -1,3 +1,4 @@
+using System.Text.RegularExpressions;
 using Microsoft.Extensions.Logging;
 using Polly;
 using Polly.Retry;
@@ -61,6 +62,23 @@ public sealed class ResilientConfigReader
         _pipeline = builder.Build();
     }
 
+    /// <summary>
+    ///     Configuration-010: redact connection-string fragments (Password, User Id, Pwd, etc.)
+    ///     that a caller's exception message could carry. Conservative regex pass — anything
+    ///     matching <c>Key=Value</c> with a known credential key gets its value replaced.
+    /// </summary>
+    private static readonly Regex SecretsRegex = new(
+        @"(?ix)\b(Password|Pwd|User\s*Id|Uid|AccessToken|Authorization|Api[-_]?Key)\s*=\s*[^;,)\s]*",
+        RegexOptions.Compiled);
+
+    internal static string ScrubSecrets(string? message)
+    {
+        if (string.IsNullOrEmpty(message)) return message ?? string.Empty;
+        // Replace the entire matched fragment (key + value) with a redaction marker so the
+        // key name itself doesn't leak — log scrapers grep for "Password=" too.
+        return SecretsRegex.Replace(message, "[redacted credential]");
+    }
+
     /// <summary>
     ///     Execute <paramref name="centralFetch"/> through the resilience pipeline. On full failure
     ///     (post-retry), reads the sealed cache for <paramref name="clusterId"/> and passes the
@@ -88,7 +106,15 @@ public sealed class ResilientConfigReader
         // that case, not propagate. Only rethrow if the caller actually requested cancellation.
         catch (Exception ex) when (ex is not OperationCanceledException || !cancellationToken.IsCancellationRequested)
         {
-            _logger.LogWarning(ex, "Central-DB read failed after retries; falling back to sealed cache for cluster {ClusterId}", clusterId);
+            // Configuration-010: do NOT pass the raw exception object — it carries the stack
+            // and inner-exception chain, and SqlException/wrapping delegates can surface
+            // connection-string fragments (Password=…, User Id=…) embedded in messages.
+            // Log only the exception type and a scrubbed message so secrets stay out of logs.
+            _logger.LogWarning(
+                "Central-DB read failed after retries ({ExceptionType}: {SanitizedMessage}); falling back to sealed cache for cluster {ClusterId}",
+                ex.GetType().Name,
+                ScrubSecrets(ex.Message),
+                clusterId);
             // GenerationCacheUnavailableException surfaces intentionally — fails the caller's
             // operation. StaleConfigFlag stays unchanged; the flag only flips when we actually
             // served a cache snapshot.