feat(credentials): enforce and surface lock-advertised PIN length bounds

[raman325]

Proposed change

Derive the tightest-common (min, max) PIN length across all of a slot's bound locks, then enforce it on write and surface it in the UI.

• Authoritative gate (slot coordinator): a non-empty PIN is validated against every bound lock's advertised length range before it is written. A violation raises ServiceValidationError naming each offending lock and its required range. Empty PINs (slot clears) are exempt. Locks whose capabilities are not cached (disconnected or not yet probed) and locks that do not advertise the credential type are skipped, so the write proceeds rather than blocking on unknown limits and the sync layer surfaces any later device rejection.
• Best-effort hints (PIN text entity): native_min/native_max now reflect the live tightest-common range across the bound locks. Non-credential keys (the slot name) and an unsatisfiable intersection fall back to the default range so the control is never rendered inverted, and the range always widens to admit the current stored value (the empty string after a clear, or a PIN written before the lock advertised its limits) so HA state rendering never raises. The hints do not block input; the coordinator gate is what rejects out-of-range PINs.

New building blocks:

• LockCapabilities.length_bounds(credential_type) — effective (min, max) for one lock, normalizing non-positive advertised bounds to "unbounded"/"no minimum".
• aggregate_length_bounds(...) — folds many locks into one tightest-common range (largest min, smallest max); UI defaults deliberately live in the caller.
• BaseLock.cached_capabilities — synchronous, I/O-free read of the warmed capability cache for synchronous callers.

This is groundwork that generalizes cleanly to other credential types: CREDENTIAL_TYPE_BY_CONF_KEY in text.py is the single per-type knob, and the helpers are credential-type-parametric.

Type of change

• Dependency upgrade
• Bugfix (non-breaking change which fixes an issue)
• New feature (which adds functionality)
• Breaking change (fix/feature causing existing functionality to break)
• Code quality improvements to existing code or addition of tests

Additional information

• This PR fixes or closes issue: fixes #
• This PR is related to issue:

[Copilot]

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

[codecov]

Codecov Report

❌ Patch coverage is 98.86364% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 97.13%. Comparing base (5f5163c) to head (ac2213c).
⚠️ Report is 9 commits behind head on main.
✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
...nents/lock_code_manager/domain/slot_coordinator.py	95.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1279      +/-   ##
==========================================
+ Coverage   97.10%   97.13%   +0.03%     
==========================================
  Files          54       54              
  Lines        6553     6638      +85     
  Branches      460      460              
==========================================
+ Hits         6363     6448      +85     
  Misses        190      190              

Flag	Coverage Δ
python	97.66% <98.86%> (+0.03%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
...components/lock_code_manager/domain/credentials.py	100.00% <100.00%> (ø)
...om_components/lock_code_manager/providers/_base.py	97.27% <100.00%> (+0.21%)	⬆️
custom_components/lock_code_manager/text.py	98.68% <100.00%> (+1.62%)	⬆️
...nents/lock_code_manager/domain/slot_coordinator.py	95.09% <95.00%> (-0.02%)	⬇️

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.