fix(rank-battle): inherit BaseRequest so auth fields survive translation roundtrip

The translation middleware decrypts + msgpack-decodes the request body
into the action's first-parameter type, then re-serializes that DTO to
JSON for the auth handler to read. Phase 3's DoMatchingRequestDto and
RankBattleFinishRequestDto didn't inherit BaseRequest, so viewer_id /
steam_id / steam_session_ticket were dropped during the msgpack → DTO
→ JSON pivot — the auth handler then saw a body with no auth fields
and 401'd every request.

Fixed by making both DTOs extend BaseRequest, mirroring the Phase 2 TK2
DoMatchingRequest pattern.

Also added [FromBody] BaseRequest parameters to the previously body-less
actions (AiStart × 2, ForceFinish, AddClientLog, GetLatestMasterPoint).
The translation middleware explicitly requires at least one parameter
to bind the decrypted msgpack body (see L130-136 of the middleware);
without it the request would throw InvalidOperationException at runtime.

Tests updated to post viewer_id / steam_id / steam_session_ticket
placeholder values in the request body, matching the existing TK2 test
pattern.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

SVSim.EmulatedEntrypoint/Controllers/RankBattleController.cs

@@ -5,6 +5,7 @@ using SVSim.Database.Enums;
 using SVSim.EmulatedEntrypoint.Constants;
 using SVSim.EmulatedEntrypoint.Matching;
 using SVSim.EmulatedEntrypoint.Models.Dtos.RankBattle;
+using SVSim.EmulatedEntrypoint.Models.Dtos.Requests;
 using SVSim.EmulatedEntrypoint.Security.SteamSessionAuthentication;
 using SVSim.EmulatedEntrypoint.Services;
 
@@ -56,12 +57,15 @@ public sealed class RankBattleController : ControllerBase
     public Task<IActionResult> DoMatchingUnlimited([FromBody] DoMatchingRequestDto req, CancellationToken ct)
         => DoMatchingInternal("unlimited_rank_battle", Format.Unlimited, req, ct);
 
+    // AIBattleStartTask has no SetParameter override, so the body is just the inherited
+    // PostParams (viewer_id / steam_id / steam_session_ticket) — but the translation
+    // middleware requires at least one parameter to bind the decrypted body. Use BaseRequest.
     [HttpPost("/ai_rotation_rank_battle/start")]
-    public Task<IActionResult> AiStartRotation(CancellationToken ct)
+    public Task<IActionResult> AiStartRotation([FromBody] BaseRequest _, CancellationToken ct)
         => AiStartInternal(Format.Rotation, ct);
 
     [HttpPost("/ai_unlimited_rank_battle/start")]
-    public Task<IActionResult> AiStartUnlimited(CancellationToken ct)
+    public Task<IActionResult> AiStartUnlimited([FromBody] BaseRequest _, CancellationToken ct)
         => AiStartInternal(Format.Unlimited, ct);
 
     /// <summary>
@@ -84,26 +88,28 @@ public sealed class RankBattleController : ControllerBase
         });
     }
 
+    // BaseRequest parameter on every body-less action so the translation middleware can
+    // bind the decrypted msgpack body (it explicitly requires at least one parameter).
     [HttpPost("/rank_battle/force_finish")]
-    public IActionResult ForceFinish()
+    public IActionResult ForceFinish([FromBody] BaseRequest _)
     {
-        if (!TryGetViewerId(out var _)) return Unauthorized();
+        if (!TryGetViewerId(out var _u)) return Unauthorized();
         return Ok(new { });
     }
 
     [HttpPost("/rank_battle/add_client_log")]
     [HttpPost("/rank_battle/add_all_client_log")]
     [HttpPost("/rank_battle/add_last_turn_log")]
-    public IActionResult AddClientLog()
+    public IActionResult AddClientLog([FromBody] BaseRequest _)
     {
-        if (!TryGetViewerId(out var _)) return Unauthorized();
+        if (!TryGetViewerId(out var _u)) return Unauthorized();
         return Ok(new { });
     }
 
     [HttpPost("/rank_battle/get_latest_master_point")]
-    public IActionResult GetLatestMasterPoint()
+    public IActionResult GetLatestMasterPoint([FromBody] BaseRequest _)
     {
-        if (!TryGetViewerId(out var _)) return Unauthorized();
+        if (!TryGetViewerId(out var _u)) return Unauthorized();
         return Ok(new { });
     }
 

SVSim.EmulatedEntrypoint/Models/Dtos/RankBattle/DoMatchingRequestDto.cs

@@ -1,10 +1,17 @@
 using System.Text.Json.Serialization;
 using MessagePack;
+using SVSim.EmulatedEntrypoint.Models.Dtos.Requests;
 
 namespace SVSim.EmulatedEntrypoint.Models.Dtos.RankBattle;
 
-[MessagePackObject(keyAsPropertyName: true)]
-public sealed class DoMatchingRequestDto
+/// <summary>
+/// Standard DoMatchingParam shape for rank battle (rotation/unlimited). Inherits viewer_id /
+/// steam_id / steam_session_ticket from <see cref="BaseRequest"/> so the auth fields survive
+/// the translation-middleware msgpack → DTO → JSON round-trip (otherwise the
+/// SteamSessionAuthenticationHandler sees a body without auth fields and 401s).
+/// </summary>
+[MessagePackObject]
+public sealed class DoMatchingRequestDto : BaseRequest
 {
     [JsonPropertyName("deck_no")]
     [Key("deck_no")]
@@ -20,7 +27,7 @@ public sealed class DoMatchingRequestDto
 
     [JsonPropertyName("log")]
     [Key("log")]
-    public string? Log { get; set; }
+    public int Log { get; set; }
 
     [JsonPropertyName("use_stage_select")]
     [Key("use_stage_select")]
@@ -28,7 +35,7 @@ public sealed class DoMatchingRequestDto
 
     [JsonPropertyName("excluded_field_id_list")]
     [Key("excluded_field_id_list")]
-    public int[]? ExcludedFieldIdList { get; set; }
+    public List<long> ExcludedFieldIdList { get; set; } = new();
 
     [JsonPropertyName("is_default_skin")]
     [Key("is_default_skin")]

SVSim.EmulatedEntrypoint/Models/Dtos/RankBattle/RankBattleFinishRequestDto.cs

@@ -1,5 +1,6 @@
 using System.Text.Json.Serialization;
 using MessagePack;
+using SVSim.EmulatedEntrypoint.Models.Dtos.Requests;
 
 namespace SVSim.EmulatedEntrypoint.Models.Dtos.RankBattle;
 
@@ -7,9 +8,12 @@ namespace SVSim.EmulatedEntrypoint.Models.Dtos.RankBattle;
 /// Standard BattleFinishParam shape — see docs/api-spec/common/types.ts.md and
 /// docs/api-spec/endpoints/post-login/rank-battle/finish.md. Future: promote to
 /// a shared common DTO when a second finish endpoint reuses this.
+///
+/// Inherits viewer_id / steam_id / steam_session_ticket from <see cref="BaseRequest"/>
+/// so the auth fields survive the translation-middleware round-trip.
 /// </summary>
-[MessagePackObject(keyAsPropertyName: true)]
-public sealed class RankBattleFinishRequestDto
+[MessagePackObject]
+public sealed class RankBattleFinishRequestDto : BaseRequest
 {
     [JsonPropertyName("battle_result")]
     [Key("battle_result")]