fix(http): inherit BaseRequest on all TK2 + Colosseum request DTOs

MessagePack [Key("...")]-keyed contracts reject unknown fields, so request
DTOs that omit BaseRequest's envelope (viewer_id, steam_id,
steam_session_ticket) fail deserialization on the real msgpack wire path.
Routing smoke + JSON-direct tests didn't catch this because S.T.J. tolerates
extra keys and the routing smoke uses ValidBaseRequestJson, but anything
sent via the actual client encrypted=True path threw
MessagePackSerializationException.

Fix: every Arena*Request now inherits BaseRequest. Also updates the JSON
controller tests + e2e to include the envelope so the [ApiController]
auto-400 validation passes.

Discovered via /arena_colosseum/get_fee_info crash on the in-game arena
screen.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

SVSim.UnitTests/Controllers/ArenaTwoPickBattleControllerTests.cs

@@ -12,7 +12,10 @@ public class ArenaTwoPickBattleControllerTests
         using var factory = new SVSimTestFactory();
         var viewerId = await factory.SeedViewerAsync();
         using var client = factory.CreateAuthenticatedClient(viewerId);
-        var req = new { deck_no = 1L, need_init = 1, log = 1, excluded_field_id_list = new long[] { }, use_stage_select = 1, is_default_skin = 0 };
+        var req = new {
+            deck_no = 1L, need_init = 1, log = 1, excluded_field_id_list = new long[] { }, use_stage_select = 1, is_default_skin = 0,
+            viewer_id = "0", steam_id = 0, steam_session_ticket = "",
+        };
         var resp = await client.PostAsync("/arena_two_pick_battle/do_matching", JsonContent.Create(req));
 
         Assert.That(resp.StatusCode, Is.EqualTo(HttpStatusCode.OK));

SVSim.UnitTests/Controllers/ArenaTwoPickControllerTests.cs

@@ -6,12 +6,18 @@ namespace SVSim.UnitTests.Controllers;
 
 public class ArenaTwoPickControllerTests
 {
+    // Every request DTO inherits BaseRequest; the [ApiController] auto-400 path rejects
+    // bodies missing the envelope fields. Spread this into JSON bodies in addition to per-
+    // endpoint payload.
+    private static readonly object Envelope = new { viewer_id = "0", steam_id = 0, steam_session_ticket = "" };
+
     [Test]
     public async Task Top_unauthenticated_returns_401()
     {
         using var factory = new SVSimTestFactory();
         using var client = factory.CreateClient();
-        var resp = await client.PostAsync("/arena_two_pick/top", JsonContent.Create(new { mode = 0 }));
+        var resp = await client.PostAsync("/arena_two_pick/top",
+            JsonContent.Create(new { mode = 0, viewer_id = "0", steam_id = 0, steam_session_ticket = "" }));
         Assert.That(resp.StatusCode, Is.EqualTo(HttpStatusCode.Unauthorized));
     }
 
@@ -21,7 +27,8 @@ public class ArenaTwoPickControllerTests
         using var factory = new SVSimTestFactory();
         var viewerId = await factory.SeedViewerAsync();
         using var client = factory.CreateAuthenticatedClient(viewerId);
-        var resp = await client.PostAsync("/arena_two_pick/top", JsonContent.Create(new { mode = 0 }));
+        var resp = await client.PostAsync("/arena_two_pick/top",
+            JsonContent.Create(new { mode = 0, viewer_id = "0", steam_id = 0, steam_session_ticket = "" }));
         Assert.That(resp.StatusCode, Is.EqualTo(HttpStatusCode.OK));
         var body = await resp.Content.ReadAsStringAsync();
         StringAssert.Contains("\"entry_info\":null", body);