Add UploadSource header to Partner Center Ingestion API requests

[RafaelHinojosa]

Adds an UploadSource HTTP header to every Partner Center Ingestion API request made by PackageUploader CLI. This enables server-side telemetry to distinguish which tool originated a given API call.

New file

• UploadSourceConfig.cs — Internal config class with PackageUploaderSource constant, case-insensitive allowlist, and
  IsAllowedValue() validation. Fully documented with XML doc comments.

Modified files

• HttpRestClient.cs — Validates the upload source against the allowlist in the constructor; adds the UploadSource header in
  CreateJsonRequestMessage().
• IngestionHttpClient.cs — Accepts UploadSourceConfig as a 4th constructor parameter, passes it to the base class.
• PackageUploaderExtensions.cs — Registers UploadSourceConfig as a singleton in DI. Adds an optional uploadSource parameter (defaults to "PackageUploader").

Tests

• 5 unit tests — default value, config value, empty fallback, unknown rejection, whitespace trimming.
• 37 adversarial tests — CRLF injection, null bytes, SQL injection, XSS, SSTI, Log4Shell, Unicode homoglyphs, buffer overflow,
  header duplication, and more.

Design decisions

• Allowlist validation — Only pre-approved values are sent on the wire. Unknown values silently fall back to "PackageUploader"
  (no exceptions), consistent with the existing IngestionSdkVersion pattern.
• Scope — Header is added only to Partner Center metadata API requests (HttpRestClient). XFUS binary upload calls are unaffected.
• Future extensibility — Adding XGPM as a source requires only adding a constant + allowlist entry + passing it at the DI call
  site.

Testing
All 464 tests pass (59 ClientApi + 66 Application + 339 UI + 4 Real HTTP tests not included).

[RafaelHinojosa]

@microsoft-github-policy-service agree company="Microsoft"