fix(high-severity): close 9 of 10 open High findings across 8 modules

Comm-016: delete dead HandleConnectionStateChanged + _debugSubscriptions /
_inProgressDeployments tracking + ConnectionStateChanged message record.
Disconnect detection is owned by the transport layers (gRPC keepalive PING
~25s; Ask-timeout at CommunicationService). Updates the
Component-Communication.md design doc to make that explicit.

SnF-018: NotificationForwarder.DeliverAsync now discards a corrupt buffered
payload (Warning log + return true) instead of returning false and parking
the row — honoring the design's "notifications do not park" invariant.

DM-018: reconciliation no longer force-sets Enabled, preserving an
intentional Disabled state after central failover.

ESG-018: DeliverBufferedAsync (both ExternalSystemClient + DatabaseGateway)
catches JsonException and returns false, turning a corrupt buffered row
into a parked operation instead of a retry-forever poison message.

InboundAPI-022: register ActiveNodeGate as IActiveNodeGate in the Central
DI branch so standby-node gating is actually wired up in production.

NS-019: remove orphaned NotificationDeliveryService /
INotificationDeliveryService / NotificationResult; central notification
delivery now lives entirely in NotificationOutbox.

SEL-016: normalise From/To filters to UTC before ISO-string compare so
non-UTC DateTimeOffset clients no longer get spuriously excluded events.

TE-017: include Description on attributes/alarms and a HashableConnections
projection (protocol, endpoint JSON, failover count) in the revision hash
and DiffService; staleness detection now catches description-only and
connection-endpoint edits.

Transport-001 and Transport-002 (also High) remain Open — they're being
handled in a follow-up batch because both touch BundleImporter.cs and
must serialise.

tests/ScadaLink.DeploymentManager.Tests/DeploymentServiceTests.cs

@@ -820,6 +820,56 @@ public class DeploymentServiceTests : TestKit
         Assert.Equal("sha256:target", storedSnapshot.RevisionHash);
     }
 
+    // ── DeploymentManager-018: reconciliation must preserve an intentional Disabled state ──
+
+    [Fact]
+    public async Task DeployInstanceAsync_Reconciled_DisabledInstance_PreservesDisabledState()
+    {
+        // DeploymentManager-018: after a central failover, the in-memory
+        // OperationLockManager is lost (by design — in-progress treated as
+        // failed). The prior deployment record remains InProgress in the DB.
+        // The operator can legitimately invoke Disable on the instance between
+        // the timed-out deploy and the redeploy. Disable does not change the
+        // deployed config, so the site still reports the target revision hash.
+        // When the operator retries the deploy, the reconciliation branch must
+        // NOT silently overwrite Instance.State back to Enabled — that would
+        // undo the explicit operator action with no audit trail.
+        var instance = new Instance("ReconcileDisabled")
+        {
+            Id = 72, SiteId = 1, State = InstanceState.Disabled
+        };
+        _repo.GetInstanceByIdAsync(72, Arg.Any<CancellationToken>()).Returns(instance);
+        SetupValidPipeline(72, "ReconcileDisabled", "sha256:target");
+
+        var prior = new DeploymentRecord("dep-prior-72", "admin")
+        {
+            InstanceId = 72,
+            Status = DeploymentStatus.InProgress,
+            RevisionHash = "sha256:target"
+        };
+        _repo.GetCurrentDeploymentStatusAsync(72, Arg.Any<CancellationToken>()).Returns(prior);
+        _repo.GetDeployedSnapshotByInstanceIdAsync(72, Arg.Any<CancellationToken>())
+            .Returns((DeployedConfigSnapshot?)null);
+
+        var commActor = Sys.ActorOf(Props.Create(() =>
+            new ReconcileProbeActor(siteHash: "sha256:target", failQuery: false)));
+        var service = CreateServiceWithCommActor(commActor);
+
+        var result = await service.DeployInstanceAsync(72, "admin");
+
+        // The reconciliation still succeeds and the prior record is marked
+        // Success — central and site agree on the applied config.
+        Assert.True(result.IsSuccess);
+        Assert.Equal(DeploymentStatus.Success, prior.Status);
+        Assert.Equal(1, ReconcileProbeActor.QueryCount);
+        Assert.Equal(0, ReconcileProbeActor.DeployCount);
+
+        // DeploymentManager-018: the operator's explicit Disable must survive
+        // the reconciliation — Instance.State stays Disabled, not silently
+        // flipped to Enabled.
+        Assert.Equal(InstanceState.Disabled, instance.State);
+    }
+
     // ── DeploymentManager-016: reconciled record must carry the target revision hash ──
 
     [Fact]