docs(battlenode): document four latent low-tier hygiene hazards

Comment-only; behavior-preserving; 231 BattleNode tests green.

- OutboundSequencer._archive: name the unbounded-per-match growth + ack-prune point.
- NodeCrypto.BuildAes: SECURITY remarks on key-derived IV reuse + base64 entropy loss;
  warn against caching the session key.
- MatchContext/BattlePlayer: FOOTGUN notes on reference-based record equality over the deck list.
- RecordTokensFrom: TRUST note on isSelf/idx overwrite; name the idx>deckCount guard for
  untrusted peers (not added — trusted-LAN today).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

SVSim.BattleNode/Reliability/OutboundSequencer.cs

@@ -14,6 +14,11 @@ public sealed class OutboundSequencer
     private const long FirstPlaySeq = 1;
 
     private long _next = FirstPlaySeq;
+
+    // Holds every ordered (stocked) push for the WHOLE match — there is no per-ack pruning, so it
+    // grows with battle length × concurrent battles. Bounded only by Clear() in the terminate cascade.
+    // Fine at current scale; if battles get long or concurrency scales, prune entries below the peer's
+    // ack watermark here (contrast the inbound side, which is bounded by InboundTracker.WindowSize).
     private readonly Dictionary<long, MsgEnvelope> _archive = new();
 
     public IReadOnlyDictionary<long, MsgEnvelope> Archive => _archive;