Resolve Worker-009..015 code-review findings

Worker-009: WorkerFrameWriter serialized twice and WorkerFrameReader
allocated a payload byte[] per frame. The writer now serializes once into a
single prefix+payload buffer; the reader rents the payload buffer from
ArrayPool and honors the logical frame length.

Worker-010: VariantConverter projected a uint+Time value as a full FILETIME,
producing a near-1601 timestamp. The FILETIME projection is now gated on
`value is long`; uint falls through to the integer projection.

Worker-011: replaced the opaque retryAttempts formula in WorkerPipeClient
with MaxRetryAttempts = int.MaxValue, leaving the connect deadline as the
sole bound.

Worker-012: rewrote stale "future PR / polls on a Timer" comments in
AlarmDispatcher, AlarmCommandHandler, MxAccessAlarmEventSink and
MxAccessEventMapper to match the shipped, post-Worker-001 behavior.

Worker-013 (re-triaged): already resolved — StaMessagePumpTests and
MxAccessStaSessionTests cover the pump and poll loop directly.

Worker-014: moved IAlarmCommandHandler into its own file so
AlarmCommandHandler.cs declares one public type.

Worker-015: clarified the MxAccessBaseEventSink.EnqueueEvent overflow-catch
comment explaining the deliberate double RecordFault no-op.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/MxGateway.Worker/Ipc/WorkerFrameReader.cs

@@ -1,4 +1,5 @@
 using System;
+using System.Buffers;
 using System.IO;
 using System.Threading;
 using System.Threading.Tasks;
@@ -29,7 +30,7 @@ public sealed class WorkerFrameReader
     public async Task<WorkerEnvelope> ReadAsync(CancellationToken cancellationToken = default)
     {
         byte[] lengthPrefix = new byte[sizeof(uint)];
-        await ReadExactlyOrThrowAsync(lengthPrefix, cancellationToken).ConfigureAwait(false);
+        await ReadExactlyOrThrowAsync(lengthPrefix, lengthPrefix.Length, cancellationToken).ConfigureAwait(false);
 
         uint payloadLength = ReadUInt32LittleEndian(lengthPrefix);
         if (payloadLength == 0)
@@ -46,20 +47,32 @@ public sealed class WorkerFrameReader
                 $"Worker frame payload length {payloadLength} exceeds the configured maximum of {_options.MaxMessageBytes} bytes.");
         }
 
-        byte[] payload = new byte[payloadLength];
-        await ReadExactlyOrThrowAsync(payload, cancellationToken).ConfigureAwait(false);
-
+        // Rent the payload buffer from the shared pool rather than allocating
+        // a fresh byte[] per frame. ParseFrom copies whatever it needs into
+        // the parsed message, so the rented buffer can be returned as soon as
+        // parsing completes.
+        int length = checked((int)payloadLength);
+        byte[] payload = ArrayPool<byte>.Shared.Rent(length);
         WorkerEnvelope envelope;
         try
         {
-            envelope = WorkerEnvelope.Parser.ParseFrom(payload);
+            await ReadExactlyOrThrowAsync(payload, length, cancellationToken).ConfigureAwait(false);
+
+            try
+            {
+                envelope = WorkerEnvelope.Parser.ParseFrom(payload, 0, length);
+            }
+            catch (InvalidProtocolBufferException exception)
+            {
+                throw new WorkerFrameProtocolException(
+                    WorkerFrameProtocolErrorCode.InvalidEnvelope,
+                    "Worker frame payload is not a valid WorkerEnvelope protobuf message.",
+                    exception);
+            }
         }
-        catch (InvalidProtocolBufferException exception)
+        finally
         {
-            throw new WorkerFrameProtocolException(
-                WorkerFrameProtocolErrorCode.InvalidEnvelope,
-                "Worker frame payload is not a valid WorkerEnvelope protobuf message.",
-                exception);
+            ArrayPool<byte>.Shared.Return(payload);
         }
 
         WorkerEnvelopeValidator.Validate(envelope, _options);
@@ -77,13 +90,14 @@ public sealed class WorkerFrameReader
 
     private async Task ReadExactlyOrThrowAsync(
         byte[] buffer,
+        int count,
         CancellationToken cancellationToken)
     {
         int offset = 0;
-        while (offset < buffer.Length)
+        while (offset < count)
         {
             int bytesRead = await _stream
-                .ReadAsync(buffer, offset, buffer.Length - offset, cancellationToken)
+                .ReadAsync(buffer, offset, count - offset, cancellationToken)
                 .ConfigureAwait(false);
 
             if (bytesRead == 0)