docs(code-review): re-review 17 changed modules at 1f9de8a2 — 8 new findings

Re-reviewed the modules whose source changed since the last review baseline
(full-review remediation fd618cf1 + InboundAPI Database-helper fixes b3c90143),
focused on whether the fixes are sound and regression-free. 9 of 17 modules
clean; 8 new findings (0 Critical, 0 High, 4 Medium, 4 Low), all code-verified
by the orchestrator before recording:

- DataConnectionLayer-029 (Med): DCL-023's unsubscribe-clears-in-flight reopens a
  double-subscribe window that leaks an orphaned alarm feed; the alarm completion
  handler overwrites the subscription id without the tag-path guard at line 908.
- InboundAPI-031 (Med): WaitForAttribute's 5s grace backstop is tighter than the
  CommunicationService Ask's timeout+IntegrationTimeout (30s) round-trip slack, so
  a slow-but-valid timed-out 'false' arriving in the 5-30s window is cancelled into
  an unhandled OperationCanceledException/500 (contradicts spec 6 + its own comment).
- SiteRuntime-032 (Med): SiteRuntime-029's wasPresent guard skips the deployed-count
  decrement when deleting a DISABLED instance (absent from both maps), drifting the
  health-dashboard tally; self-heals on singleton restart (observational, hence Med).
- StoreAndForward-028 (Med): StoreAndForward-025 resets the register-guard but not
  _bufferedCount, so a same-instance Stop->Start re-seeds the depth gauge to ~2N.
- AuditLog-017, CentralUI-037, ScriptAnalysis-009, SiteRuntime-033 (Low): a
  test-coverage gap plus stale doc-comments/spec following the remediation.

Header commit/date bumped to 1f9de8a2 / 2026-06-24 on all 17 modules; README
regenerated (8 pending / 576 total).
Joseph Doherty
2026-06-24 09:20:03 -04:00
parent 1f9de8a2b5
commit c42bb48585
18 changed files with 635 additions and 66 deletions
+47 -3
@@ -5,10 +5,10 @@
| Module | `src/ZB.MOM.WW.ScadaBridge.CentralUI` |
| Design doc | `docs/requirements/Component-CentralUI.md` |
| Status | Reviewed |
| Last reviewed | 2026-06-19 |
| Last reviewed | 2026-06-24 |
| Reviewer | claude-agent |
| Commit reviewed | `d6ead8ae` |
| Open findings | 0 |
| Commit reviewed | `1f9de8a2` |
| Open findings | 1 |
## Summary
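Review bot: the header bumps `Last reviewed`, `Commit reviewed` and `Open findings` in one step, which drops the only record of the previous baseline (`d6ead8ae`, 2026-06-19) that the re-review section below leans on when it says it covers "the changes since the prior review"; consider keeping a `Previous commit reviewed | d6ead8ae` row (or a short review-history line) so the diff range each re-review covers is recoverable from the module page itself rather than from git history. The `Open findings | 1` value is consistent with the single Low finding (CentralUI-037) recorded in this commit.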
@@ -1685,3 +1685,47 @@ Add a test that saving succeeds with a Messaging Service SID and no From Number.
Resolved 2026-06-19 (commit `33e1802e`): added `SavingNewConfig_MessagingServiceSidOnly_NoFromNumber_Saves`,
which asserts the config persists with a null FromNumber. Complemented by ManagementActor + CLI
either-or tests in the same commit.
## Re-review — 2026-06-24 (commit `1f9de8a2`)
Focused re-review of the changes since the prior review — verifying the code-review remediation + feature fixes are sound and regression-free. Reviewed by a per-module workflow agent; findings code-verified by the orchestrator.
**Changes reviewed:** Added a `Database` accessor to both inbound script-analysis globals types. `InboundScriptHost.DatabaseAccessor` (editor/diagnostics mirror) exposes `QuerySingleAsync<T>`/`QueryAsync`/`ExecuteAsync` as never-invoked signature stubs that return default/empty; `SandboxInboundScriptHost.DatabaseAccessor` (Test Run mirror) exposes the same three methods, each throwing `ScriptSandboxException` because a central Test Run has no configured DB connection — symmetric with the pre-existing throwing `RouteAccessor`.
**Verdict:** The change is clean, minimal, and faithful to the runtime it mirrors. Both new `DatabaseAccessor` types replicate the exact signatures of the shipped runtime `InboundAPI.InboundDatabaseHelper` (verified method-by-method), so inbound scripts using `Database.*` now type-check in the editor and recompile identically in a Test Run while remaining safely unreachable (sandbox throws). It aligns the editor surface with the Component-InboundAPI.md spec (lines 202-222), closing a prior drift where `Database.*` would have falsely flagged as a compile error. The CentralUI project builds with 0 warnings/0 errors and the additions are well-XML-documented. No correctness, security, concurrency, or contract regressions found. One Low-severity doc-comment staleness exists just outside the changed files in ScriptAnalysisService.cs.
| # | Category | Examined | Notes |
|---|----------|----------|-------|
| 1 | Correctness & logic bugs | ☑ | Editor-mirror stubs are never invoked (Roslyn reads signatures only); default/empty return bodies are appropriate. Sandbox-mirror throws on every call, symmetric with RouteAccessor. No logic defects. |
| 2 | Akka.NET conventions | ☑ | No issues found — these are plain POCO globals types for Roslyn analysis; no actors, messages, Tell/Ask, or supervision involved. |
| 3 | Concurrency & thread safety | ☑ | No issues found — accessors are stateless (sandbox RouteTarget holds only an immutable readonly instanceCode); no shared mutable state, no captured sender/this. |
| 4 | Error handling & resilience | ☑ | Sandbox DatabaseAccessor throws ScriptSandboxException with a clear operation-named message; consistent with the established Route Unavailable() pattern. No swallowed exceptions. |
| 5 | Security | ☑ | Mirror methods never execute SQL — no injection surface here; runtime InboundDatabaseHelper enforces parameter binding (InboundAPI-026). No secrets logged; connection names embedded in sandbox messages are non-sensitive. |
| 6 | Performance & resource management | ☑ | No issues found — no connections, streams, or disposables opened in either mirror; the sandbox path throws before touching any resource. |
| 7 | Design-document adherence | ☑ | Mirror signatures exactly match Component-InboundAPI.md (lines 215-217) and runtime InboundDatabaseHelper. Change correctly closes prior editor drift; no spec violation. |
| 8 | Code organization & conventions | ☑ | Nested accessor classes match the existing RouteHelper/RouteAccessor structure; consistent naming, full XML docs. Builds clean under ImplicitUsings + Nullable. |
| 9 | Testing coverage | ☑ | New InboundScript_Database_DiagnosesClean covers the editor mirror via Diagnose, matching the established inbound-Route test pattern. No dedicated RunInSandbox test asserts the inbound Database throws, but this mirrors the existing (also-untested) inbound-Route sandbox-throw behavior — consistent, not a regression. |
| 10 | Documentation & comments | ☑ | Both new files are thoroughly XML-documented. ScriptAnalysisService.cs doc comment (lines 163-164, outside the changed files) now under-describes the inbound sandbox surface — reported as Low. |
**New findings from this re-review (1):**
### CentralUI-037 — RunInSandboxAsync doc comment omits new Database-throws behavior
| | |
|--|--|
| Severity | Low |
| Category | Documentation & comments |
| Status | Open |
| Location | `src/ZB.MOM.WW.ScadaBridge.CentralUI/ScriptAnalysis/ScriptAnalysisService.cs:163` |
**Description**
The XML summary on RunInSandboxAsync states only "For the SandboxInboundScriptHost surface, every Route call throws because cross-site routing needs a deployed site." The reviewed change added a Database accessor to SandboxInboundScriptHost whose three methods also throw ScriptSandboxException in a Test Run. The comment is now incomplete relative to the code it describes — a reader would not learn that Database.* also fails in an inbound Test Run. This is documentation-only; the throwing behavior itself is correct and intended.
**Recommendation**
Extend the line-163 sentence to note that the inbound sandbox surface also throws on every Database call (no configured central DB connection in a Test Run), mirroring the existing Route wording.
**Resolution**
_Unresolved._
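Review bot: row 9 of the checklist states that no `RunInSandbox` test asserts the inbound `Database` accessor throws `ScriptSandboxException`, and waves it through as "consistent, not a regression" because the inbound Route sandbox-throw is equally untested, yet nothing in the section records that gap; since the sandbox throw is the only thing that keeps `Database.*` from silently returning default/empty data in a central Test Run, either open a Low test-coverage finding next to CentralUI-037 or add the test in the same change (one `RunInSandbox` case per method asserting `ScriptSandboxException`, which would also cover the pre-existing Route gap). Two smaller points in CentralUI-037: the Location row cites `ScriptAnalysisService.cs:163` while the row-10 note cites lines 163-164, and the Recommendation anchors on "the line-163 sentence"; pinning findings to a line number that moves with every edit is brittle, so quote the sentence (as the Description already does) instead of the line.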