fix(content): CONTENT module quality remediation — RAII fixes, noexcept dtor, regression tests, uninitialized struct defaults, [[nodiscard]] annotations (Phases 3–7)

[Copilot]

• Implement PM_LOAD_ADMIN_MODEL and PM_LIST_ADMIN_MODELS with real built-in administrative model payloads
• Replace PM_PREDICT_END null placeholder with a deterministic ETA fallback payload
• Enable fulltext AQL function registration in the builtin function registry
• Update src/STUB_INVENTORY.md to mark resolved stubs and refresh active counts/IDs
• Run relevant validation commands/tests and summarize results

[makr-code]

@copilot weiter

[Copilot]

@copilot weiter

Continuing with Phase 3.2. Added in commit 6546c3c:

CON-009 — RAII fix: raw new/delete for tags JSON in metadata encryption (content_manager.cpp)

The metadata-encryption loop (ingestRawBlob) allocated a temporary nlohmann::json for the "tags" field via new nlohmann::json(arr) and then manually deleted it in three separate exit paths — including the exception handler — making it exception-unsafe. Replaced with a local stack variable (tags_tmp) that is destroyed automatically at end of scope. Three raw delete call sites eliminated.

// Before (exception-unsafe — delete in early-continue, success path, and catch):
nlohmann::json arr = meta.tags;
target = new nlohmann::json(arr);
// ... manual delete target in 3 places

// After (RAII):
nlohmann::json tags_tmp;
if (f == "tags") { tags_tmp = meta.tags; target = &tags_tmp; }
// tags_tmp destroyed automatically — no manual delete needed

CHANGELOG.md updated under [Unreleased] with CON-007/CON-008/CON-009.

[makr-code]

@copilot weiter

[Copilot]

@copilot weiter

Phase 3.3 complete in commit f9984db.

CON-010 — RAII for EVP_MD_CTX in content_fs.cpp::sha256Hex()
4 raw EVP_MD_CTX_free() early-return call sites removed:

// Before: manual free on every early return
EVP_MD_CTX* mdctx = EVP_MD_CTX_new();
if (...) { EVP_MD_CTX_free(mdctx); return ""; }  // ×3
EVP_MD_CTX_free(mdctx);  // normal exit

// After: unique_ptr frees automatically on all paths
using EvpCtxPtr = std::unique_ptr<EVP_MD_CTX, decltype(&EVP_MD_CTX_free)>;
EvpCtxPtr mdctx(EVP_MD_CTX_new(), EVP_MD_CTX_free);

CON-011 — RAII for EVP_MD_CTX in content_manager.cpp::ingestStream()
3 EVP_MD_CTX_free(sha256_ctx); sha256_ctx = nullptr; call sites (init-fail, update-fail in read loop, finalize) replaced by sha256_ctx.reset(). Closes the exception-unsafe leak in the streaming ingest path.

Additional cleanup: redundant explicit file.close() removed from the archive ingestion loop — std::ifstream already guarantees RAII closure at end of each loop iteration.

[makr-code]

@copilot weiter