refactor(battle-node): de-magic wire flags and scattered constants

Quality pass from the 2026-06-04 BattleNode review (audit in the outer
repo). All changes are behavior-preserving — identical wire bytes,
verified by the full 1008-test suite staying green.

- Name scattered magic numbers: crypto key/IV lengths, outbound-sequencer
  base, WS receive buffer / EIO ping / SID length, polite-close timeout,
  upgrade-credential keys, battle-id digit math, deterministic-turn spin.
- resultCode = 1 -> (int)ReceiveNodeResultCode.Success across body records.
- Pong "3" -> EngineIoPacketType.Pong; remove dead NoOpBotParticipant.Touch
  (replace with #pragma warning disable CS0067).
- Wire-flag enums, serialized as numbers via JsonNumberEnumConverter:
  turnState -> TurnState{First,Second}, isSelf -> CardOwner{Opponent,Self},
  open -> ChoiceVisibility{Hidden,Open}.
- isOfficial / isInvoke -> bool / bool? via new NumericBoolJsonConverter
  (reads/writes 0/1; TDD'd). Scoped to the BattleNode wire boundary only;
  MatchContext and the HTTP/AI-start path stay int (AI-start uses -1 as a
  sentinel, so it is not boolean).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

SVSim.BattleNode/Hosting/BattleNodeWebSocketHandler.cs

@@ -33,6 +33,15 @@ namespace SVSim.BattleNode.Hosting;
 /// </remarks>
 public sealed class BattleNodeWebSocketHandler
 {
+    /// <summary>Header/query key names carrying the upgrade credentials — the auth contract
+    /// with the client (and the loader that sets them). Single source of truth for both ends.</summary>
+    private const string BattleIdCredential = "BattleId";
+    private const string ViewerIdCredential = "viewerId";
+
+    /// <summary>Grace period for the close handshake on a bail-out path. A fresh, short timeout —
+    /// <c>ctx.RequestAborted</c> may already be canceled by the path that decided to bail.</summary>
+    private static readonly TimeSpan PoliteCloseTimeout = TimeSpan.FromSeconds(5);
+
     private readonly IBattleSessionStore _store;
     private readonly IWaitingRoom _waitingRoom;
     private readonly BattleNodeOptions _options;
@@ -73,8 +82,8 @@ public sealed class BattleNodeWebSocketHandler
         // for the WebSocket-only transport (not on the URL query string). Real clients
         // therefore send BattleId/viewerId as headers; the integration test sends them as
         // query params for convenience. Check headers first, fall back to query.
-        var battleId = ReadCredential(ctx, "BattleId");
-        var encryptedViewerId = ReadCredential(ctx, "viewerId");
+        var battleId = ReadCredential(ctx, BattleIdCredential);
+        var encryptedViewerId = ReadCredential(ctx, ViewerIdCredential);
         if (string.IsNullOrEmpty(battleId) || string.IsNullOrEmpty(encryptedViewerId))
         {
             _log.LogWarning("WS upgrade missing BattleId or viewerId (header or query).");
@@ -222,9 +231,7 @@ public sealed class BattleNodeWebSocketHandler
     /// </summary>
     private async Task TryPoliteCloseAsync(WebSocket ws, string reason, string battleId)
     {
-        // Use a fresh, short timeout — ctx.RequestAborted may already be canceled by the
-        // path that decided to bail out, which would skip the close immediately.
-        using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(5));
+        using var cts = new CancellationTokenSource(PoliteCloseTimeout);
         try
         {
             if (ws.State == WebSocketState.Open)