fix: resolve 17 P2 defects and 5 P3 defects from pre-launch audit

Batch fix covering multiple modules:
- P2-01: HandRegistry Semaphore-based max_concurrent enforcement
- P2-03: Populate toolCount/metricCount from Hand trait methods
- P2-06: heartbeat_update_config minimum interval validation
- P2-07: ReflectionResult used_fallback marker for rule-based fallback
- P2-08/09: identity_propose_change parameter naming consistency
- P2-10: ClassroomMetadata is_placeholder flag for LLM failure
- P2-11: classroomStore userDidCloseDuringGeneration intent tracking
- P2-12: workflowStore pipeline_create sends actionType
- P2-13/14: PipelineInfo step_count + PipelineStepInfo for proper step mapping
- P2-15: Pipe transform support in context.resolve (8 transforms)
- P2-16: Mustache {{...}} → \${...} auto-normalization
- P2-17: SaaSLogin password placeholder 6→8
- P2-19: serialize_skill_md + update_skill preserve tools field
- P2-22: ToolOutputGuard sensitive patterns from warn→block
- P2-23: Mutex::unwrap() → unwrap_or_else in relay/service.rs
- P3-01/03/07/08/09: Various P3 fixes
- DEFECT_LIST.md: comprehensive status sync (43/51 fixed, 8 remaining)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

crates/zclaw-hands/src/hands/quiz.rs

@@ -885,6 +885,16 @@ impl Hand for QuizHand {
     }
 
     async fn execute(&self, _context: &HandContext, input: Value) -> Result<HandResult> {
+        // P2-04: Reject oversized input before deserialization
+        const MAX_INPUT_SIZE: usize = 50_000; // 50KB limit
+        let input_str = serde_json::to_string(&input).unwrap_or_default();
+        if input_str.len() > MAX_INPUT_SIZE {
+            return Ok(HandResult::error(format!(
+                "Input too large ({} bytes, max {} bytes)",
+                input_str.len(), MAX_INPUT_SIZE
+            )));
+        }
+
         let action: QuizAction = match serde_json::from_value(input) {
             Ok(a) => a,
             Err(e) => {