docs+code: close Theme 1 — 24 design-doc / XML-doc drift findings

Doc/XML-comment drift + small adherence fixes across 17 modules. Highlights:
- Host-017: site CoordinatedShutdown ordering — SiteStreamGrpcServer gains
  CancelAllStreams() (refuse new streams, cancel active), wired into
  Program.cs site branch via ApplicationStopping.
- InboundAPI-021: ParentExecutionId now travels on RouteToGet/SetAttributes
  symmetric with RouteToCallRequest; RouteHelper stamps from _parentExecutionId.
- ClusterInfra-012: ClusterOptionsValidator now requires both seed nodes.
- Comm-018: SiteCommunicationActor.HeartbeatMessage.IsActive derived from
  cluster leader check (was hardcoded true).
- DM-020: reconciliation audit row attributes the current user, not prior deployer.
- SEL-019: EventLogPurgeService early-exits on standby via active-node check.
- Plus comment/XML-doc accuracy fixes across AuditLog, ConfigurationDatabase,
  NotificationOutbox, SiteRuntime, SiteCallAudit; doc refreshes for Component-
  Commons / -ManagementService / -CLI / -ExternalSystemGateway / -HealthMonitoring
  / -Transport / -ConfigurationDatabase; CD-023 index-name doc alignment.

11 new regression tests (RouteHelper x4, SiteStreamGrpcServer x2,
ClusterOptionsValidator x1, SiteCommunicationActor x1, DeploymentService x1,
EventLogPurgeService x3). Build clean (0 warnings); InboundAPI/Communication/
Host suites all green. README regenerated: 112 open (was 136).

code-reviews/Host/findings.md

@@ -8,7 +8,7 @@
 | Last reviewed | 2026-05-28 |
 | Reviewer | claude-agent |
 | Commit reviewed | `1eb6e97` |
-| Open findings | 7 |
+| Open findings | 6 |
 
 ## Summary
 
@@ -871,7 +871,7 @@ _Open._
 |--|--|
 | Severity | Medium |
 | Category | Design-document adherence |
-| Status | Open |
+| Status | Resolved |
 | Location | `src/ScadaLink.Host/Program.cs:229-265`, `src/ScadaLink.Communication/Grpc/SiteStreamGrpcServer.cs` |
 
 **Description**
@@ -910,9 +910,32 @@ integration test under `tests/ScadaLink.Host.Tests` that starts a site host,
 opens a stream, triggers shutdown, and asserts the stream completes with
 `Cancelled` before the actor system tears down.
 
-**Resolution**
+**Resolution (2026-05-28):**
 
-_Open._
+REQ-HOST-7 steps (1)+(2) wired. `SiteStreamGrpcServer` gained:
+- a monotonic `_shuttingDown` flag,
+- `CancelAllStreams()` — flips the flag, cancels every `_activeStreams[*].Cts`
+  (with `ObjectDisposedException` swallow for entries cleaning themselves
+  up concurrently), idempotent on repeat calls,
+- a `SubscribeInstance` guard that returns `Unavailable "Server shutting
+  down"` for new subscriptions arriving after the flag flips.
+
+`Program.cs` site branch now resolves `IHostApplicationLifetime` and the
+`SiteStreamGrpcServer` singleton, then registers
+`ApplicationStopping.Register(() => siteGrpcServer.CancelAllStreams())`.
+`ApplicationStopping` fires before any `IHostedService.StopAsync`, so the
+gRPC server begins refusing new streams and tears down in-flight ones
+BEFORE `AkkaHostedService` runs `CoordinatedShutdown` — matching REQ-HOST-7's
+ordering. Clients observe a clean `Cancelled` and reconnect rather than a
+silent stream that times out via keepalive (~25 s).
+
+Two unit regression tests added to
+`tests/ScadaLink.Communication.Tests/Grpc/SiteStreamGrpcServerTests.cs`:
+`Host017_CancelAllStreams_CancelsActiveStreamsAndRefusesNewOnes` (active
+streams complete, new ones rejected) and `Host017_CancelAllStreams_IsIdempotent`
+(double-call safe). A full site-host integration test was deferred — the
+unit suite covers both server-side invariants and the wiring is a single
+`Register` line in `Program.cs`.
 
 ### Host-018 — Shipped per-role configs omit `NodeOptions.NodeName`, leaving `SourceNode` null