Harden routing, dispatch, leaks, and parser correctness

[JeremiahM37]

Fixes F-2448, F-971, F-1210, F-1211, F-1212, F-2064, F-2065, F-3186, F-3434, F-3661, F-988, F-1215, F-1676, F-2852, F-2853, F-3198

• Use MSB-first bit ordering in addr_prefix_match_size so CIDR tiebreaks pick the correct longer-prefix route.
• Plug refcount/allocation leaks on error paths in action clone, dispatch fallback to default_event, addr_family render IO error, and kv_template / action_template alloc-before-lock.
• Add bounds/overflow guards: ws_itoa INT_MIN UB via unsigned magnitude, alloca size in route lookup, JSON buf realloc multiplication, and route_private_data_size truncation to uint16_t.
• Harden JSON parsing against OOB reads in convert_hex_byte short input and convert_wolfsentry_duration non-null-terminated input.
• Misc: replace undefined null with NULL in malloc-debug build, propagate render_proto IO errors, drop the duplicated read2write_reservation_holder check in lock_destroy.

[wolfSSL-Fenrir-bot]

Fenrir Automated Review — PR #83

Scan targets checked: wolfsentry-bugs, wolfsentry-src

No new issues found in the changed files. ✅