docs+code: close Theme 1 — 24 design-doc / XML-doc drift findings

Doc/XML-comment drift + small adherence fixes across 17 modules. Highlights:
- Host-017: site CoordinatedShutdown ordering — SiteStreamGrpcServer gains
  CancelAllStreams() (refuse new streams, cancel active), wired into
  Program.cs site branch via ApplicationStopping.
- InboundAPI-021: ParentExecutionId now travels on RouteToGet/SetAttributes
  symmetric with RouteToCallRequest; RouteHelper stamps from _parentExecutionId.
- ClusterInfra-012: ClusterOptionsValidator now requires both seed nodes.
- Comm-018: SiteCommunicationActor.HeartbeatMessage.IsActive derived from
  cluster leader check (was hardcoded true).
- DM-020: reconciliation audit row attributes the current user, not prior deployer.
- SEL-019: EventLogPurgeService early-exits on standby via active-node check.
- Plus comment/XML-doc accuracy fixes across AuditLog, ConfigurationDatabase,
  NotificationOutbox, SiteRuntime, SiteCallAudit; doc refreshes for Component-
  Commons / -ManagementService / -CLI / -ExternalSystemGateway / -HealthMonitoring
  / -Transport / -ConfigurationDatabase; CD-023 index-name doc alignment.

11 new regression tests (RouteHelper x4, SiteStreamGrpcServer x2,
ClusterOptionsValidator x1, SiteCommunicationActor x1, DeploymentService x1,
EventLogPurgeService x3). Build clean (0 warnings); InboundAPI/Communication/
Host suites all green. README regenerated: 112 open (was 136).

code-reviews/SiteCallAudit/findings.md

@@ -202,7 +202,7 @@ _Unresolved._
 |--|--|
 | Severity | Low |
 | Category | Design-document adherence |
-| Status | Open |
+| Status | Resolved |
 | Location | `src/ScadaLink.SiteCallAudit/SiteCallAuditActor.cs:23-30` (actor XML), `src/ScadaLink.SiteCallAudit/ServiceCollectionExtensions.cs:8-13`, `docs/requirements/Component-SiteCallAudit.md:24-32` |
 
 **Description**
@@ -229,9 +229,13 @@ doc as deferred — the doc reads as if it ships.
   listing what's not yet implemented (matches the pattern Audit Log uses for
   its tamper-evidence hash chain).
 
-**Resolution**
+**Resolution (2026-05-28):**
 
-_Unresolved._
+Updated the class-level XML on `SiteCallAuditActor` to reflect actual state:
+telemetry ingest, query/detail/KPI handlers (Task 4), and the central→site
+Retry/Discard relay (Task 5) are implemented; the periodic reconciliation
+puller and the daily terminal-row purge scheduler remain deferred. The design
+doc update is tracked separately.
 
 ### SiteCallAudit-005 — `AckErrorMessage` switch arm for `SiteUnreachable` returns ack message instead of throwing
 
@@ -239,7 +243,7 @@ _Unresolved._
 |--|--|
 | Severity | Low |
 | Category | Documentation & comments |
-| Status | Open |
+| Status | Resolved |
 | Location | `src/ScadaLink.SiteCallAudit/SiteCallAuditActor.cs:548-563` |
 
 **Description**
@@ -281,9 +285,16 @@ SiteCallRelayOutcome.SiteUnreachable =>
 
 — fail fast if the invariant is ever violated by a refactor.
 
-**Resolution**
+**Resolution (2026-05-28):**
 
-_Unresolved._
+Behaviour kept (return `ack.ErrorMessage`); `AckErrorMessage` stays total and
+side-effect-free. Expanded the inline comment on the `SiteUnreachable` arm to
+explain WHY it returns rather than throws: site-unreachable is classified as
+transient by the upstream relay (which has already built its
+`SiteUnreachable` response and detail text via `SiteUnreachableMessage`), so a
+defensive fall-through surfaces the ack's message and lets the caller schedule
+a retry — throwing would turn a benign refactor invariant violation into a
+relay-path crash.
 
 ### SiteCallAudit-006 — Stuck-only paging test does not exercise the multi-page boundary with an interleaved non-stuck row at the cursor