docs(code-review): re-review 17 changed modules at 1f9de8a2 — 8 new findings
Re-reviewed the modules whose source changed since the last review baseline (full-review remediation fd618cf1 + InboundAPI Database-helper fixes b3c90143), focused on whether the fixes are sound and regression-free. 9 of 17 modules clean; 8 new findings (0 Critical, 0 High, 4 Medium, 4 Low), all code-verified by the orchestrator before recording:

- DataConnectionLayer-029 (Med): DCL-023's unsubscribe-clears-in-flight reopens a double-subscribe window that leaks an orphaned alarm feed; the alarm completion handler overwrites the subscription id without the tag-path guard at line 908.
- InboundAPI-031 (Med): WaitForAttribute's 5s grace backstop is tighter than the CommunicationService Ask's timeout+IntegrationTimeout (30s) round-trip slack, so a slow-but-valid timed-out 'false' arriving in the 5-30s window is cancelled into an unhandled OperationCanceledException/500 (contradicts spec 6 + its own comment).
- SiteRuntime-032 (Med): SiteRuntime-029's wasPresent guard skips the deployed-count decrement when deleting a DISABLED instance (absent from both maps), drifting the health-dashboard tally; self-heals on singleton restart (observational, hence Med).
- StoreAndForward-028 (Med): StoreAndForward-025 resets the register-guard but not _bufferedCount, so a same-instance Stop->Start re-seeds the depth gauge to ~2N.
- AuditLog-017, CentralUI-037, ScriptAnalysis-009, SiteRuntime-033 (Low): a test-coverage gap plus stale doc-comments/spec following the remediation.

Header commit/date bumped to 1f9de8a2 / 2026-06-24 on all 17 modules; README regenerated (8 pending / 576 total).
@@ -5,9 +5,9 @@
| Module | `src/ZB.MOM.WW.ScadaBridge.DeploymentManager` |
| Design doc | `docs/requirements/Component-DeploymentManager.md` |
| Status | Reviewed |
| Last reviewed | 2026-06-20 |
| Last reviewed | 2026-06-24 |
| Reviewer | claude-agent |
| Commit reviewed | `4307c381` |
| Commit reviewed | `1f9de8a2` |
| Open findings | 0 |
## Summary
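Review bot: the header bumps `Last reviewed` and `Commit reviewed` (`4307c381` to `1f9de8a2`) but never records the base of the delta that was actually re-reviewed; the resolution note further down cites `fd618cf1` on the same 2026-06-20 date, so a reader cannot tell whether the re-review diffed from `4307c381` or from the remediation commit. Suggest stating the range explicitly, e.g. `| Commit reviewed | \`1f9de8a2\` (delta from \`4307c381\`) |`, or naming the base commit in the re-review heading. `Open findings | 0` staying unchanged is consistent with the no-new-findings verdict below.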
@@ -1438,3 +1438,26 @@ it.
**Resolution**
Resolved 2026-06-20 (commit `fd618cf1`): the artifact tests no longer assert the forbidden notification/SMTP shipping — flipped `Received(1)` → `DidNotReceive()` and added assertions that the shipped command's NotificationLists/SmtpConfigurations are null.
## Re-review — 2026-06-24 (commit `1f9de8a2`)
Focused re-review of the changes since the prior review — verifying the code-review remediation + feature fixes are sound and regression-free. Reviewed by a per-module workflow agent; findings code-verified by the orchestrator.
**Changes reviewed:** The diff removes the notification-list/SMTP artifact path from ArtifactDeploymentService (DeploymentManager-025): the INotificationRepository is no longer stored or queried (discarded via `_ = notificationRepo`), FetchGlobalArtifactsAsync no longer fetches notification lists or SMTP configs (and drops their mapping plus the two GlobalArtifactSnapshot record fields), and BuildDeployArtifactsCommandAsync now always sends `NotificationLists: null`/`SmtpConfigurations: null` on the per-site DeployArtifactsCommand. XML docs and inline comments were rewritten to document the central-only invariant.
**Verdict:** The change is sound, regression-free, and brings the code into alignment with the design spec rather than away from it. Component-DeploymentManager.md (lines 142-145) explicitly states notification lists and SMTP configuration are NOT deployable artifacts and that no SMTP credential is ever distributed to a site — the prior code violated this; the fix corrects it. The end-to-end invariant holds: the DeployArtifactsCommand fields are retained for additive message-contract compatibility, and the SiteRuntime apply path (SiteReplicationActor / DeploymentManagerActor) ignores the now-null fields and actively purges any pre-fix plaintext-SMTP rows. The DeploymentManager project builds with 0 warnings/errors and all 8 ArtifactDeploymentService tests pass, including new assertions that the notification repo is never called and that every per-site command carries null notification/SMTP fields. No new issues introduced.
| # | Category | Examined | Notes |
|---|----------|----------|-------|
| 1 | Correctness & logic bugs | ☑ | Mixed positional/named constructor args bind correctly (build verified); fields correctly forced null. No issues found. |
| 2 | Akka.NET conventions | ☑ | No actor code touched; this is a plain async service. Site-side apply path confirmed to ignore null fields. No issues found. |
| 3 | Concurrency & thread safety | ☑ | Per-site commands still built sequentially before parallel dispatch (DbContext not thread-safe comment intact); change does not alter concurrency model. No issues found. |
| 4 | Error handling & resilience | ☑ | Removed code carried no error handling; surrounding try/catch + per-site timeout unchanged. No issues found. |
| 5 | Security | ☑ | Positive security improvement: plaintext SMTP credentials are no longer mapped into artifacts or distributed to sites; site side purges pre-fix rows. No issues found. |
| 6 | Performance & resource management | ☑ | Drops two repository round-trips from the global fetch; comment math (≈ N + M·N) updated accordingly. No leaks. No issues found. |
| 7 | Design-document adherence | ☑ | Now matches Component-DeploymentManager.md:142-145 and CLAUDE.md 'notification delivery is central-only'; corrects a prior spec violation. No drift. |
| 8 | Code organization & conventions | ☑ | Unused ctor param retained for DI/source compat and explicitly discarded with a documenting comment; GlobalArtifactSnapshot trimmed cleanly. No issues found. |
| 9 | Testing coverage | ☑ | Tests updated to DidNotReceive() on both notification queries plus Assert.All null-field checks on recorded commands; 8/8 pass. Good coverage of the delta. |
| 10 | Documentation & comments | ☑ | XML/inline comments thoroughly updated to explain the central-only invariant and additive-compat field retention; design doc consistent. No stale references. |
_No new findings — the changes in this module are clean._
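Review bot: the Code organization row (category 8) closes as "No issues found" while accepting that the unused `INotificationRepository` constructor parameter is kept for DI/source compatibility and silenced with `_ = notificationRepo`; from a least-privilege standpoint that leaves ArtifactDeploymentService holding a live handle to the one repository the central-only invariant says it must never query, and a later edit can reintroduce the fetch with only the `DidNotReceive()` assertions standing in the way. Suggest recording this as a Low follow-up (drop the parameter and its DI registration, or at least keep an unused-parameter warning rather than a silencing discard) instead of closing it. A related evidence gap: the Verdict states the SiteRuntime apply path "actively purges any pre-fix plaintext-SMTP rows", but the Testing coverage row cites only the 8 ArtifactDeploymentService tests; cite the SiteRuntime test that exercises the purge, or mark that part of the verdict as code-read only. Since plaintext SMTP credentials were shipped to sites before the fix, the section should also say whether those credentials were rotated, or why purging the rows is considered sufficient.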