feat(health): AuditRedactionFailure counter + bridge (#23 M5)

Bundle C task M5-T7 — surface DefaultAuditPayloadFilter redactor
over-redactions as a Site Health metric so a misconfigured /
catastrophic regex shows up on /monitoring/health rather than
disappearing into a NoOp sink.

  - SiteHealthReport: new 'AuditRedactionFailure' int field
    (defaulted to 0 for back-compat with existing producers/tests).
  - ISiteHealthCollector / SiteHealthCollector:
    new IncrementAuditRedactionFailure() — per-interval atomic
    counter with Interlocked, reset on CollectReport, mirroring
    the M2 Bundle G SiteAuditWriteFailures pattern.
  - HealthMetricsAuditRedactionFailureCounter: new bridge in
    ScadaLink.AuditLog.Site that forwards IAuditRedactionFailureCounter
    increments to ISiteHealthCollector — mirrors
    HealthMetricsAuditWriteFailureCounter one-for-one.
  - AddAuditLogHealthMetricsBridge: now ALSO Replaces the
    NoOpAuditRedactionFailureCounter binding with the health-metrics
    bridge, so a single AddAuditLogHealthMetricsBridge() call wires
    both the M2 Bundle G write-failure counter and the M5 Bundle C
    redaction-failure counter into the health report.

Site-side only for M5 — the filter also runs on CentralAuditWriter
and AuditLogIngestActor (where it just keeps the NoOp default), but
a central-side health-metric surface for AuditRedactionFailure is
deferred to M6 alongside the rest of the central health collector
work.

Tests:
  - AuditRedactionFailureMetricTests (HealthMonitoring) covers the
    SiteHealthCollector increment/report/reset shape (3 tests).
  - HealthMetricsAuditRedactionFailureCounterTests (AuditLog) covers
    the AuditLog → HealthMonitoring bridge (3 tests).
  - Existing CountCapturingHealthCollector stub in
    DeploymentManagerRedeployTests extended with the new no-op
    interface method.

Verified: dotnet build clean, all 24 test projects green
(the only Failed at first ScadaLink.SiteRuntime.Tests run was the
known-flaky InstanceActorChildAttributeRaceTests; passes on re-run
in isolation and full suite, unrelated to these changes).

src/ScadaLink.AuditLog/ServiceCollectionExtensions.cs

@@ -172,26 +172,38 @@ public static class ServiceCollectionExtensions
     }
 
     /// <summary>
-    /// Audit Log (#23) M2 Bundle G — swap the default
-    /// <see cref="NoOpAuditWriteFailureCounter"/> registration for the real
-    /// <see cref="HealthMetricsAuditWriteFailureCounter"/> bridge so the
-    /// FallbackAuditWriter primary-failure counter surfaces in the site health
-    /// report payload as <c>SiteHealthReport.SiteAuditWriteFailures</c>.
+    /// Audit Log (#23) M2 Bundle G + M5 Bundle C — swap the default
+    /// <see cref="NoOpAuditWriteFailureCounter"/> and
+    /// <see cref="NoOpAuditRedactionFailureCounter"/> registrations for the
+    /// real <see cref="HealthMetricsAuditWriteFailureCounter"/> /
+    /// <see cref="HealthMetricsAuditRedactionFailureCounter"/> bridges so the
+    /// FallbackAuditWriter primary-failure counter AND the
+    /// DefaultAuditPayloadFilter redactor-failure counter both surface in the
+    /// site health report payload as
+    /// <c>SiteHealthReport.SiteAuditWriteFailures</c> +
+    /// <c>SiteHealthReport.AuditRedactionFailure</c>.
     /// </summary>
     /// <remarks>
     /// <para>
     /// Must be called AFTER both <see cref="AddAuditLog"/> (registers the
-    /// NoOp default this method replaces) and
+    /// NoOp defaults this method replaces) and
     /// <c>ScadaLink.HealthMonitoring.ServiceCollectionExtensions.AddHealthMonitoring</c>
     /// or <c>AddSiteHealthMonitoring</c> (registers the
-    /// <see cref="ISiteHealthCollector"/> the bridge depends on). Resolving
-    /// <see cref="IAuditWriteFailureCounter"/> without the latter throws
+    /// <see cref="ISiteHealthCollector"/> the bridges depend on). Resolving
+    /// <see cref="IAuditWriteFailureCounter"/> or
+    /// <see cref="IAuditRedactionFailureCounter"/> without the latter throws
     /// <see cref="InvalidOperationException"/> at <c>GetRequiredService</c>
     /// time — by design, since a silent NoOp would mask a misconfiguration.
     /// </para>
     /// <para>
-    /// Idempotent — calling twice replaces the descriptor each time without
-    /// piling up registrations.
+    /// Idempotent — calling twice replaces each descriptor without piling up
+    /// registrations.
+    /// </para>
+    /// <para>
+    /// Site-side only for M5: the central composition root keeps the NoOp
+    /// defaults; the central health-metric surface that would expose
+    /// <c>AuditRedactionFailure</c> next to the existing central counters
+    /// ships in M6.
     /// </para>
     /// </remarks>
     public static IServiceCollection AddAuditLogHealthMetricsBridge(this IServiceCollection services)
@@ -200,6 +212,8 @@ public static class ServiceCollectionExtensions
 
         services.Replace(
             ServiceDescriptor.Singleton<IAuditWriteFailureCounter, HealthMetricsAuditWriteFailureCounter>());
+        services.Replace(
+            ServiceDescriptor.Singleton<IAuditRedactionFailureCounter, HealthMetricsAuditRedactionFailureCounter>());
         return services;
     }
 }