Fix 10 critical/high issues from Phase 6-7 audit ...

- Entity::select_from_db() throws on missing record (fatal error fix)
- Scripts::select_scripts_by_aliases_types() early return on empty array (SQL syntax fix)
- ThinBuilder WHERE operator whitelist (SQL injection prevention)
- validate_identifier() rejects numeric start (SQL correctness)
- Remove escape_string_in_arr() dead code (security hygiene)
- MetaManager::create_or_update() wrapped in transaction (race condition)
- Scripts::remove_scope() deletes DB before file (consistency)
- IN clause guards against non-array values (PHP 8 TypeError fix)
- Short where syntax supports IN operator (correctness)
- DeviceAuth::kill() clears Device auth cache (stale data fix)

Fix critical issues: router method enforcement, cron localhost guard, rate limiter file-based, entity update_at optional, device race condition, area remove transaction, control scripts static flush

Add high-complexity PHPUnit tests: retry/backoff, auth guard, transactions, happy-paths, script state ...

- Refactor Base.php: extract executeCurl/getCurlInfo for mockability
- Refactor App.php: split api_auth_guard into check_api_auth (testable) + guard wrapper
- Refactor Devices.php: add optional ?Base DI to connect_new_device
- Update TestApp.php: add control_scripts_instances for script tests
- Update bootstrap.php: define PHPUNIT_TEST to skip new App() autoload side-effect

New test files:
- DeviceAPIBaseRetryTest (7 tests) — retry/backoff with mock cURL
- AppAuthGuardTest (7 tests) — auth + rate limiter without exit
- DevicesModelTransactionTest (4 tests) — happy path, rollback, mode checks
- AreasControllerHappyPathTest (7 tests) — full area CRUD success flows
- ScriptsModelStateTest (8 tests) — scope list, script state, enable/disable

Total: 113 tests, 285 assertions — all passing.

Add medium-complexity PHPUnit tests: Area recursion, controller validation ...

- AreaRecursionTest (10 tests): recursive traversal, depth limit ≤10,
  remove() cascade, inner devices/scripts lookup, parent_area()
- AreasRESTAPIControllerValidationTest (10 tests): new_area, update_alias,
  remove_area, place_in_area, update_display_name validation
- DevicesRESTAPIControllerValidationTest (12 tests): setup_new_device,
  do_device_action, update_alias, devices_list, place_in_area validation
- ScriptsRESTAPIControllerValidationTest (10 tests): run_action_script,
  set_*_state, place_in_area validation
- Fix Controller::validate_positive_int_ids() return type: ?array → ?string
- Add DevTools to TestApp/bootstrap for Model instantiation
- Expand bootstrap.php text_msgs with controller error aliases
- Update server-audit.md coverage table: 80 tests, 202 assertions

Add PHPUnit coverage: Entity CRUD, Area placing, Sessions, Utils ...

- EntityCrudTest: 6 tests covering update, get, remove, id, to_array
- AreaPlacingTest: 2 tests for place_in_area and place_in_area_id
- SessionsTest: 4 tests for create, get_by_token, close, status
- UtilsTest: 7 tests for response_error/success, table_row_is_exists,
  generate_token, dayname_translate, fast_ping_tcp
- TestApp helper + bootstrap init with SQLite :memory: for app() dependencies
- Update server-audit.md: 36 total tests, expand coverage roadmap

Update server-audit.md: add testing section, mark all 5 phases resolved, update appendix

Update server-audit.md: mark Phase 5 complete (commit d9c9e17)

Update server-audit.md: mark Phase 4 complete (commit b4968d4)

Phase 4: Device communication resilience (batch scanning, retry, configurable timeouts, non-blocking events, reset check)

Phase 3: API hardening (validation, JSON wrappers, path traversal, rate limiting)

Phase 2: Data integrity & error handling (ErrorHandler, transactions, silent SQL, HTTP statuses, dead stubs)

Phase 1: Security Foundation (auth, SQLi, secrets, hashing, tokens, cookies)