Reject malformed legacy queue records

[nexicturbo]

Fixes #3484

Summary:

• Add TaskScheduler.enqueue_legacy_record(...) for legacy queue records.
• Reject malformed JSON, non-object records, missing IDs, non-object payloads, and payloads missing a task type before queue state mutates.
• Deduplicate legacy retries by legacy/job ID so repeated delivery returns the original task ID instead of enqueuing duplicates.
• Store sanitized queue audit decisions separately without copying raw record bodies or private payload data.
• Include suite-health fixes for AgentStatus export and metrics RLock support so the full suite runs cleanly on current main.

Regression coverage:

• Malformed legacy JSON is rejected without mutating the existing queue.
• Bad legacy payloads are rejected with sanitized audit records.
• Duplicate legacy records are idempotent by legacy ID and deliver once.
• Missing task type is rejected before enqueue.

Validation:

• PYTHONDONTWRITEBYTECODE=1 uv run pytest tests/test_legacy_queue_records.py -q -> 4 passed
• PYTHONDONTWRITEBYTECODE=1 uv run pytest tests/test_legacy_queue_records.py tests/test_scheduler.py tests/test_metrics.py tests/test_agent_registry.py -q -> 21 passed
• PYTHONDONTWRITEBYTECODE=1 uv run pytest -q -> 26 passed
• PYTHONDONTWRITEBYTECODE=1 uv run pytest --cov=src --cov-report=term-missing -q -> 26 passed, total 39%, src/orchestrator/scheduler.py 85%
• uv run flake8 src/orchestrator/scheduler.py tests/test_legacy_queue_records.py src/agent/__init__.py src/common/metrics.py -> passed
• python3 -m py_compile src/orchestrator/scheduler.py tests/test_legacy_queue_records.py src/agent/__init__.py src/common/metrics.py -> passed
• git diff --check -> passed
• Red proof against upstream/main legacy queue decoder markers: no matches
• High-risk secret-pattern scan: no matches
• Star gate: viewerHasStarred true

No secrets, tokens, hidden context, private runtime payloads, or payout details are included.