
Harden fail-closed handling, fix mutex leaks, and add mutation-verified tests #84

Open

JeremiahM37 wants to merge 4 commits into wolfSSL:master from JeremiahM37:fenrir-fail-closed-hardening

Harden fail-closed handling, fix mutex leaks, and add mutation-verified tests#84
JeremiahM37 wants to merge 4 commits into
wolfSSL:masterfrom
JeremiahM37:fenrir-fail-closed-hardening

Conversation

@JeremiahM37 (Contributor)

Fixes F-2060, F-2061, F-2438, F-2445, F-2446, F-2456, F-2458, F-2459, F-2460, F-2461, F-2464, F-2465, F-2836, F-2837, F-2838, F-2840, F-3866, F-3867, F-3869, F-3873

  • Unlock mutex on early-return failure paths in wolfsentry_event_update_config and wolfsentry_event_set_aux_event
  • Bound JSON prefix-bits to the address family max to prevent OOB read in wolfsentry_route_init
  • Reject PENALTYBOXED flag in route_flags_to_add_on_insert and route_flags_to_clear_on_insert, and run flag sensicality check on both
  • Return ERR_ABRT instead of ERR_OK when the lwIP filter callbacks see a NULL wolfsentry context
  • Treat dispatch errors as REJECT in the lwIP ethernet/IPv4/IPv6/TCP/ICMP4 filters
  • Treat dispatch errors as REJECT in the lwIP UDP filter
  • Treat dispatch errors as REJECT in the lwIP ICMPv6 filter
  • Treat dispatch errors as deny in wolfip_dispatch_event
  • Deny unrecognized protocols and event reasons in the wolfIP filter shims
  • Return ERR_ABRT for "can't happen" filter event reasons in the lwIP shims
  • Extend the user-value mutability test to assert that overwrite_p=1 is rejected on a read-only KV
  • New tests
    • derogatory_threshold_for_penaltybox == 0 disables auto-penaltybox
    • penaltybox_duration == 0 means permanent penaltybox
    • penaltybox-timeout boundary semantics (uses a mock clock)
    • DONT_COUNT_CURRENT_CONNECTIONS flag bypasses the connection-count cap
    • INHIBIT_ACTIONS flag suppresses action dispatch
    • action_res_filter_bits_unset route-exclusion logic
    • stale-purge boundary semantics (uses a mock clock)
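
The prefix-bits bound from the second bullet, as an added example in C; this is not wolfSentry's code and `route_prefix_init`, `route_prefix_matches`, `prefix_contains`, the `addr_family` enum and the reject-rather-than-clamp choice are all assumptions made for the example. It shows why the bound is a memory-safety check and not just input hygiene: the match routine indexes the stored address by `prefix_bits / 8`, so a JSON prefix of 33 on an IPv4 route or 129 on an IPv6 route would read past the address bytes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Address families and their address lengths.  Hypothetical local
 * definitions for this example, not wolfSentry's own types. */
enum addr_family { FAMILY_IPV4 = 4, FAMILY_IPV6 = 6 };

#define MAX_ADDR_BYTES 16

struct route_prefix {
    enum addr_family family;
    uint8_t bytes[MAX_ADDR_BYTES]; /* network address, host bits zeroed */
    uint8_t prefix_bits;           /* 0..32 for IPv4, 0..128 for IPv6 */
};

static int family_addr_len(enum addr_family family)
{
    switch (family) {
    case FAMILY_IPV4: return 4;
    case FAMILY_IPV6: return 16;
    default:          return -1;  /* unknown family: caller must reject */
    }
}

/* Build a route prefix from caller-supplied (e.g. JSON-parsed) values.
 * Returns 0 on success, -1 on any invalid input.  The prefix_bits bound is
 * the check that matters: without it, route_prefix_matches() indexes bytes[]
 * past the address length, and past the array itself for values over 128. */
int route_prefix_init(struct route_prefix *r, enum addr_family family,
                      const uint8_t *addr, size_t addr_len, int prefix_bits)
{
    int len = family_addr_len(family);
    if (len < 0 || addr == NULL || addr_len != (size_t)len)
        return -1;
    if (prefix_bits < 0 || prefix_bits > len * 8)  /* family max: 32 or 128 */
        return -1;

    memset(r, 0, sizeof *r);
    r->family = family;
    r->prefix_bits = (uint8_t)prefix_bits;
    memcpy(r->bytes, addr, addr_len);

    /* Zero the host bits so two spellings of one network compare equal. */
    size_t full = (size_t)prefix_bits / 8;
    unsigned rem = (unsigned)prefix_bits % 8;
    if (rem)
        r->bytes[full] &= (uint8_t)(0xFFu << (8 - rem));
    for (size_t i = full + (rem ? 1 : 0); i < addr_len; i++)
        r->bytes[i] = 0;
    return 0;
}

/* Prefix match: compares prefix_bits/8 whole bytes, then the remaining high
 * bits of the next byte.  Every index here stays inside the address only
 * because route_prefix_init() enforced the family bound. */
bool route_prefix_matches(const struct route_prefix *r, const uint8_t *addr)
{
    size_t full = (size_t)r->prefix_bits / 8;
    unsigned rem = (unsigned)r->prefix_bits % 8;
    if (memcmp(r->bytes, addr, full) != 0)
        return false;
    if (rem) {
        uint8_t mask = (uint8_t)(0xFFu << (8 - rem));
        return (r->bytes[full] & mask) == (addr[full] & mask);
    }
    return true;
}

/* Convenience wrapper: 1 if addr lies inside net/prefix_bits, 0 if not,
 * -1 if the prefix itself is invalid and was rejected before any lookup. */
int prefix_contains(enum addr_family family, const uint8_t *net, size_t net_len,
                    int prefix_bits, const uint8_t *addr)
{
    struct route_prefix r;
    if (route_prefix_init(&r, family, net, net_len, prefix_bits) != 0)
        return -1;
    return route_prefix_matches(&r, addr) ? 1 : 0;
}

int main(void)
{
    /* Constructed sample inputs for the demonstration. */
    const uint8_t net[4] = {192, 168, 0, 0};
    const uint8_t in[4]  = {192, 168, 15, 1};
    const uint8_t out[4] = {192, 168, 16, 1};
    printf("192.168.15.1 in 192.168.0.0/20: %d\n", prefix_contains(FAMILY_IPV4, net, 4, 20, in));
    printf("192.168.16.1 in 192.168.0.0/20: %d\n", prefix_contains(FAMILY_IPV4, net, 4, 20, out));
    printf("/33 on an IPv4 route: %d\n", prefix_contains(FAMILY_IPV4, net, 4, 33, in));
    return 0;
}
```

Rejecting the bad prefix at init time, rather than clamping it, keeps a malformed policy from silently becoming a broader or narrower route than the operator wrote.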

@JeremiahM37 JeremiahM37 self-assigned this May 11, 2026
@JeremiahM37 JeremiahM37 force-pushed the fenrir-fail-closed-hardening branch from de383b6 to 451b106 Compare May 12, 2026 16:55
@JeremiahM37 JeremiahM37 assigned douzzer and unassigned JeremiahM37 and douzzer May 12, 2026
@douzzer (Collaborator) left a comment

There are a couple of false positives in the mix here -- the mitigations for them need to be reverted:

F-2836 "route_flags_to_add_on_insert accepts GREENLISTED flag, enabling auto-accept of all inserted routes"

F-2840 "route_flags_to_clear_on_insert accepts PENALTYBOXED flag without validation, bypassing penalty boxing for inserted routes"

I've closed the Fenrir issues as WontFix.

@douzzer (Collaborator) commented May 15, 2026

Also it would be good to have dispatch errors in the glue layer invoke the default policy, though that would be tricky. E.g. clearly there's no way to discover the default policy if the wolfsentry context is null -- ABRT seems reasonable there. But when there's a context to check, we should use its default.
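
The default-policy fallback douzzer asks for above, as an added example in C; it is not wolfSentry's, lwIP's or this PR's code, and `filter_packet_fail_closed`, `struct sentry_ctx`, the `err_t` stand-ins, the recognized-protocol set and both sample dispatchers are assumptions made for the example. The fail-open shape the PR is moving away from is kept beside it so the behaviour on a NULL context and on a failing dispatch can be compared directly.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for lwIP's err_t codes.  Assumed local values for this example;
 * real glue code includes lwip/err.h. */
typedef int8_t err_t;
#define ERR_OK    0
#define ERR_ABRT  (-13)

enum policy { POLICY_ACCEPT, POLICY_REJECT };
enum proto  { PROTO_ICMP = 1, PROTO_TCP = 6, PROTO_UDP = 17 };

/* Hypothetical engine context: carries the configured default policy and a
 * dispatcher function pointer so that a failing dispatch can be injected. */
struct sentry_ctx {
    enum policy default_policy;
    int (*dispatch)(struct sentry_ctx *ctx, enum proto proto,
                    const uint8_t *pkt, size_t len, enum policy *decision);
};

/* Pre-fix shape: a NULL context or a dispatch error falls through to ERR_OK,
 * so the packet is admitted precisely when the engine could not be asked. */
err_t filter_packet_fail_open(struct sentry_ctx *ctx, int proto,
                              const uint8_t *pkt, size_t len)
{
    enum policy decision = POLICY_ACCEPT;
    if (ctx != NULL &&
        ctx->dispatch(ctx, (enum proto)proto, pkt, len, &decision) != 0)
        return ERR_OK;
    return decision == POLICY_ACCEPT ? ERR_OK : ERR_ABRT;
}

/* Fail-closed shape: abort when there is no context to consult, deny
 * protocols the shim does not recognize, and on a dispatch error apply the
 * context's configured default instead of a silent accept. */
err_t filter_packet_fail_closed(struct sentry_ctx *ctx, int proto,
                                const uint8_t *pkt, size_t len)
{
    enum policy decision;

    if (ctx == NULL)
        return ERR_ABRT;  /* no context, so no default policy is reachable */

    switch (proto) {      /* checked before dispatch so a permissive default cannot mask it */
    case PROTO_ICMP:
    case PROTO_TCP:
    case PROTO_UDP:
        break;
    default:
        return ERR_ABRT;  /* unrecognized protocol: deny */
    }

    if (ctx->dispatch(ctx, (enum proto)proto, pkt, len, &decision) != 0)
        decision = ctx->default_policy;  /* engine error: fall back to the default */

    return decision == POLICY_ACCEPT ? ERR_OK : ERR_ABRT;
}

/* Sample dispatcher constructed for the example: rejects TCP packets whose
 * first byte is 0xFF and accepts everything else. */
int dispatch_toy_rules(struct sentry_ctx *ctx, enum proto proto,
                       const uint8_t *pkt, size_t len, enum policy *decision)
{
    (void)ctx;
    *decision = (proto == PROTO_TCP && len > 0 && pkt[0] == 0xFF)
                ? POLICY_REJECT : POLICY_ACCEPT;
    return 0;
}

/* Sample dispatcher that simulates an engine failure (lock, allocation, ...). */
int dispatch_failing(struct sentry_ctx *ctx, enum proto proto,
                     const uint8_t *pkt, size_t len, enum policy *decision)
{
    (void)ctx; (void)proto; (void)pkt; (void)len; (void)decision;
    return -1;
}

int main(void)
{
    struct sentry_ctx broken = { POLICY_REJECT, dispatch_failing };
    const uint8_t pkt[1] = { 0x01 };  /* constructed payload */
    printf("NULL ctx, fail-open:   %d\n", filter_packet_fail_open(NULL, PROTO_TCP, pkt, 1));
    printf("NULL ctx, fail-closed: %d\n", filter_packet_fail_closed(NULL, PROTO_TCP, pkt, 1));
    printf("engine error, default REJECT, fail-open:   %d\n", filter_packet_fail_open(&broken, PROTO_UDP, pkt, 1));
    printf("engine error, default REJECT, fail-closed: %d\n", filter_packet_fail_closed(&broken, PROTO_UDP, pkt, 1));
    return 0;
}
```

With a default of ACCEPT the fail-closed version still returns ERR_OK on a dispatch error, which is the point of using the context's default: the operator's configured policy decides what happens when the engine cannot, and only the NULL-context case is forced to ERR_ABRT.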
