fix(core): prevent orphan sites from failed SiteCreate; null-safe SiteDelete

[renemadsen]

Closes #4695.

Problem

Core.SiteCreate registers a site remotely and commits the local Sites row, then creates the EntityItems / Unit / Worker / SiteWorker in separate non-transactional steps with no rollback. If any step throws, the Sites row is left active with no Worker/SiteWorker — an orphan that permanently blocks recreating a worker by that name (downstream Sites.Name duplicate check). Separately, Core.SiteDelete NRE'd on worker-less sites (siteWorkerDto/WorkerUid dereferenced unguarded), so it couldn't be used to recover orphans.

Fix

• SiteCreate compensating cleanup: track the remotely-created site uid (and worker uid, if reached) and, on exception, remove them via Advanced_SiteItemDelete (site + entity items + remote deregister + local soft-delete) and Advanced_WorkerDelete (worker). Each cleanup is wrapped so it never masks the original exception, which is always re-thrown. Cleanup routes through Advanced_SiteItemDelete (not SiteDelete) deliberately: SiteDelete→SiteReadSimple calls .First() on the SiteWorkers set and throws on worker-less sites, so it cannot clean an orphan; Advanced_SiteItemDelete removes the site directly.
• SiteDelete null-safety: guard siteDto.WorkerUid != null and siteWorkerDto != null so deleting a site with no SiteWorker no longer NREs and still soft-deletes the site + entity items. Happy path (fully-formed worker) unchanged.
• Test: Core_Advanced_SiteItemDelete_OnSiteWithoutSiteWorker_SoftDeletesSite — arranges a worker-less orphan site and asserts it is soft-deleted without throwing.

Notes / limitations

• Known residual: Advanced_SiteItemDelete only soft-deletes the local row when the remote deregister succeeds; a remote failure leaves the local orphan. This mirrors the existing primitive contract and is covered operationally by the downstream plugin mitigation (fix(workers): clean up orphan SDK site so deleted/failed workers don't block name reuse eform-backendconfiguration-plugin#1004), which cleans the local row by name. A belt-and-suspenders compensation-local forced soft-delete could be a follow-up.
• The deployable mitigation already shipped plugin-side (Bump AWSSDK.Core from 3.7.12.25 to 3.7.12.26 #1004); this is the SDK root-cause fix and requires a NuGet release to take effect in hosts.

🤖 Generated with Claude Code

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}