fix(high-severity): close 9 of 10 open High findings across 8 modules

Comm-016: delete dead HandleConnectionStateChanged + _debugSubscriptions /
_inProgressDeployments tracking + ConnectionStateChanged message record.
Disconnect detection is owned by the transport layers (gRPC keepalive PING
~25s; Ask-timeout at CommunicationService). Updates the
Component-Communication.md design doc to make that explicit.

SnF-018: NotificationForwarder.DeliverAsync now discards a corrupt buffered
payload (Warning log + return true) instead of returning false and parking
the row — honoring the design's "notifications do not park" invariant.

DM-018: reconciliation no longer force-sets Enabled, preserving an
intentional Disabled state after central failover.

ESG-018: DeliverBufferedAsync (both ExternalSystemClient + DatabaseGateway)
catches JsonException and returns false, turning a corrupt buffered row
into a parked operation instead of a retry-forever poison message.

InboundAPI-022: register ActiveNodeGate as IActiveNodeGate in the Central
DI branch so standby-node gating is actually wired up in production.

NS-019: remove orphaned NotificationDeliveryService /
INotificationDeliveryService / NotificationResult; central notification
delivery now lives entirely in NotificationOutbox.

SEL-016: normalise From/To filters to UTC before ISO-string compare so
non-UTC DateTimeOffset clients no longer get spuriously excluded events.

TE-017: include Description on attributes/alarms and a HashableConnections
projection (protocol, endpoint JSON, failover count) in the revision hash
and DiffService; staleness detection now catches description-only and
connection-endpoint edits.

Transport-001 and Transport-002 (also High) remain Open — they're being
handled in a follow-up batch because both touch BundleImporter.cs and
must serialise.

tests/ScadaLink.TemplateEngine.Tests/Flattening/DiffServiceTests.cs

@@ -133,4 +133,122 @@ public class DiffServiceTests
         Assert.Single(diff.ScriptChanges);
         Assert.Equal(DiffChangeType.Changed, diff.ScriptChanges[0].ChangeType);
     }
+
+    [Fact]
+    public void ComputeDiff_AttributeDescriptionChange_DetectedAsChanged()
+    {
+        // TemplateEngine-017: AttributesEqual must compare Description.
+        var oldConfig = new FlattenedConfiguration
+        {
+            InstanceUniqueName = "Instance1",
+            Attributes =
+            [
+                new ResolvedAttribute { CanonicalName = "Temp", Value = "25", DataType = "Double", Description = "Original" }
+            ]
+        };
+        var newConfig = new FlattenedConfiguration
+        {
+            InstanceUniqueName = "Instance1",
+            Attributes =
+            [
+                new ResolvedAttribute { CanonicalName = "Temp", Value = "25", DataType = "Double", Description = "Updated" }
+            ]
+        };
+
+        var diff = _sut.ComputeDiff(oldConfig, newConfig);
+
+        Assert.True(diff.HasChanges);
+        Assert.Single(diff.AttributeChanges);
+        Assert.Equal(DiffChangeType.Changed, diff.AttributeChanges[0].ChangeType);
+    }
+
+    [Fact]
+    public void ComputeDiff_AlarmDescriptionChange_DetectedAsChanged()
+    {
+        // TemplateEngine-017: AlarmsEqual must compare Description.
+        var oldConfig = new FlattenedConfiguration
+        {
+            InstanceUniqueName = "Instance1",
+            Alarms =
+            [
+                new ResolvedAlarm { CanonicalName = "HighTemp", TriggerType = "RangeViolation", Description = "Original" }
+            ]
+        };
+        var newConfig = new FlattenedConfiguration
+        {
+            InstanceUniqueName = "Instance1",
+            Alarms =
+            [
+                new ResolvedAlarm { CanonicalName = "HighTemp", TriggerType = "RangeViolation", Description = "Updated" }
+            ]
+        };
+
+        var diff = _sut.ComputeDiff(oldConfig, newConfig);
+
+        Assert.True(diff.HasChanges);
+        Assert.Single(diff.AlarmChanges);
+        Assert.Equal(DiffChangeType.Changed, diff.AlarmChanges[0].ChangeType);
+    }
+
+    [Fact]
+    public void ConnectionsEqual_IdenticalConfigs_ReturnsTrue()
+    {
+        // TemplateEngine-017: ConnectionsEqual is the comparator callers use
+        // to detect connection-endpoint drift (the diff-view extension that
+        // surfaces this in the UI is tracked under TemplateEngine-018).
+        var a = new ConnectionConfig
+        {
+            Protocol = "OpcUa",
+            ConfigurationJson = "{\"endpoint\":\"opc.tcp://host-a\"}",
+            BackupConfigurationJson = "{\"endpoint\":\"opc.tcp://host-b\"}",
+            FailoverRetryCount = 3
+        };
+        var b = a with { };
+
+        Assert.True(DiffService.ConnectionsEqual(a, b));
+    }
+
+    [Fact]
+    public void ConnectionsEqual_EndpointEdit_ReturnsFalse()
+    {
+        // TemplateEngine-017: primary endpoint JSON edit must surface as a
+        // change. Without this, deployment redeploys ship a different
+        // ConnectionConfig with no visible drift signal.
+        var a = new ConnectionConfig
+        {
+            Protocol = "OpcUa",
+            ConfigurationJson = "{\"endpoint\":\"opc.tcp://host-a:4840\"}",
+            FailoverRetryCount = 3
+        };
+        var b = a with { ConfigurationJson = "{\"endpoint\":\"opc.tcp://host-b:4840\"}" };
+
+        Assert.False(DiffService.ConnectionsEqual(a, b));
+    }
+
+    [Fact]
+    public void ConnectionsEqual_BackupConfigurationEdit_ReturnsFalse()
+    {
+        var a = new ConnectionConfig { Protocol = "OpcUa", ConfigurationJson = "{}", BackupConfigurationJson = null, FailoverRetryCount = 3 };
+        var b = a with { BackupConfigurationJson = "{\"endpoint\":\"opc.tcp://backup\"}" };
+
+        Assert.False(DiffService.ConnectionsEqual(a, b));
+    }
+
+    [Fact]
+    public void ConnectionsEqual_FailoverRetryCountEdit_ReturnsFalse()
+    {
+        var a = new ConnectionConfig { Protocol = "OpcUa", ConfigurationJson = "{}", FailoverRetryCount = 3 };
+        var b = a with { FailoverRetryCount = 5 };
+
+        Assert.False(DiffService.ConnectionsEqual(a, b));
+    }
+
+    [Fact]
+    public void ConnectionsEqual_ProtocolEdit_ReturnsFalse()
+    {
+        var a = new ConnectionConfig { Protocol = "OpcUa", ConfigurationJson = "{}", FailoverRetryCount = 3 };
+        var b = a with { Protocol = "Modbus" };
+
+        Assert.False(DiffService.ConnectionsEqual(a, b));
+    }
 }

tests/ScadaLink.TemplateEngine.Tests/Flattening/RevisionHashServiceTests.cs

@@ -131,6 +131,154 @@ public class RevisionHashServiceTests
         }
     }
 
+    [Fact]
+    public void ComputeHash_AttributeDescriptionEdit_ChangesHash()
+    {
+        // TemplateEngine-017: Description must be folded into the hash so that
+        // edits to authoring-time documentation (which still travels in the
+        // deployed payload) flow through the staleness indicator.
+        var baseAttr = new ResolvedAttribute
+        {
+            CanonicalName = "Temperature",
+            Value = "25",
+            DataType = "Double",
+            Description = "Original description"
+        };
+        var editedAttr = baseAttr with { Description = "Updated description" };
+
+        var configBefore = new FlattenedConfiguration
+        {
+            InstanceUniqueName = "Instance1",
+            TemplateId = 1,
+            SiteId = 1,
+            Attributes = [baseAttr]
+        };
+        var configAfter = configBefore with { Attributes = [editedAttr] };
+
+        Assert.NotEqual(_sut.ComputeHash(configBefore), _sut.ComputeHash(configAfter));
+    }
+
+    [Fact]
+    public void ComputeHash_AlarmDescriptionEdit_ChangesHash()
+    {
+        // TemplateEngine-017: same Description contract applies to alarms.
+        var baseAlarm = new ResolvedAlarm
+        {
+            CanonicalName = "HighTemp",
+            TriggerType = "RangeViolation",
+            Description = "Original"
+        };
+        var editedAlarm = baseAlarm with { Description = "Updated" };
+
+        var configBefore = new FlattenedConfiguration
+        {
+            InstanceUniqueName = "Instance1",
+            TemplateId = 1,
+            SiteId = 1,
+            Alarms = [baseAlarm]
+        };
+        var configAfter = configBefore with { Alarms = [editedAlarm] };
+
+        Assert.NotEqual(_sut.ComputeHash(configBefore), _sut.ComputeHash(configAfter));
+    }
+
+    [Fact]
+    public void ComputeHash_ConnectionEndpointEdit_ChangesHash()
+    {
+        // TemplateEngine-017: a Deployment user editing the primary endpoint
+        // JSON of a data connection bound to an instance must produce a
+        // different revision hash. The connection's protocol, primary/backup
+        // configuration JSON, and failover retry count are all part of the
+        // deployment package and therefore part of the hash input.
+        var connectionsBefore = new Dictionary<string, ConnectionConfig>
+        {
+            ["plc1"] = new ConnectionConfig
+            {
+                Protocol = "OpcUa",
+                ConfigurationJson = "{\"endpoint\":\"opc.tcp://host-a:4840\"}",
+                BackupConfigurationJson = null,
+                FailoverRetryCount = 3
+            }
+        };
+        var connectionsAfter = new Dictionary<string, ConnectionConfig>
+        {
+            ["plc1"] = connectionsBefore["plc1"] with
+            {
+                ConfigurationJson = "{\"endpoint\":\"opc.tcp://host-b:4840\"}"
+            }
+        };
+
+        var configBefore = new FlattenedConfiguration
+        {
+            InstanceUniqueName = "Instance1",
+            TemplateId = 1,
+            SiteId = 1,
+            Connections = connectionsBefore
+        };
+        var configAfter = configBefore with { Connections = connectionsAfter };
+
+        Assert.NotEqual(_sut.ComputeHash(configBefore), _sut.ComputeHash(configAfter));
+    }
+
+    [Fact]
+    public void ComputeHash_ConnectionProtocolEdit_ChangesHash()
+    {
+        // TemplateEngine-017: changing protocol must change the hash.
+        var connectionsBefore = new Dictionary<string, ConnectionConfig>
+        {
+            ["plc1"] = new ConnectionConfig
+            {
+                Protocol = "OpcUa",
+                ConfigurationJson = "{}",
+                FailoverRetryCount = 3
+            }
+        };
+        var connectionsAfter = new Dictionary<string, ConnectionConfig>
+        {
+            ["plc1"] = connectionsBefore["plc1"] with { Protocol = "Modbus" }
+        };
+
+        var configBefore = new FlattenedConfiguration
+        {
+            InstanceUniqueName = "Instance1",
+            TemplateId = 1,
+            SiteId = 1,
+            Connections = connectionsBefore
+        };
+        var configAfter = configBefore with { Connections = connectionsAfter };
+
+        Assert.NotEqual(_sut.ComputeHash(configBefore), _sut.ComputeHash(configAfter));
+    }
+
+    [Fact]
+    public void ComputeHash_ConnectionsSameContent_SameHash()
+    {
+        // TemplateEngine-017: equal Connections maps must yield the same hash,
+        // regardless of dictionary iteration order (the SortedDictionary
+        // projection guards this).
+        var connections1 = new Dictionary<string, ConnectionConfig>
+        {
+            ["b"] = new ConnectionConfig { Protocol = "OpcUa", ConfigurationJson = "{\"k\":2}", FailoverRetryCount = 3 },
+            ["a"] = new ConnectionConfig { Protocol = "OpcUa", ConfigurationJson = "{\"k\":1}", FailoverRetryCount = 3 }
+        };
+        var connections2 = new Dictionary<string, ConnectionConfig>
+        {
+            ["a"] = new ConnectionConfig { Protocol = "OpcUa", ConfigurationJson = "{\"k\":1}", FailoverRetryCount = 3 },
+            ["b"] = new ConnectionConfig { Protocol = "OpcUa", ConfigurationJson = "{\"k\":2}", FailoverRetryCount = 3 }
+        };
+
+        var config1 = new FlattenedConfiguration
+        {
+            InstanceUniqueName = "Instance1",
+            TemplateId = 1,
+            SiteId = 1,
+            Connections = connections1
+        };
+        var config2 = config1 with { Connections = connections2 };
+
+        Assert.Equal(_sut.ComputeHash(config1), _sut.ComputeHash(config2));
+    }
+
     private static FlattenedConfiguration CreateConfig(string instanceName, string tempValue)
     {
         return new FlattenedConfiguration