docs(code-review): re-review 17 changed modules at 1f9de8a2 — 8 new findings
Re-reviewed the modules whose source changed since the last review baseline (full-review remediation fd618cf1 + InboundAPI Database-helper fixes b3c90143), focused on whether the fixes are sound and regression-free. 9 of 17 modules clean; 8 new findings (0 Critical, 0 High, 4 Medium, 4 Low), all code-verified by the orchestrator before recording:

- DataConnectionLayer-029 (Med): DCL-023's unsubscribe-clears-in-flight reopens a double-subscribe window that leaks an orphaned alarm feed; the alarm completion handler overwrites the subscription id without the tag-path guard at line 908.
- InboundAPI-031 (Med): WaitForAttribute's 5s grace backstop is tighter than the CommunicationService Ask's timeout+IntegrationTimeout (30s) round-trip slack, so a slow-but-valid timed-out 'false' arriving in the 5-30s window is cancelled into an unhandled OperationCanceledException/500 (contradicts spec 6 + its own comment).
- SiteRuntime-032 (Med): SiteRuntime-029's wasPresent guard skips the deployed-count decrement when deleting a DISABLED instance (absent from both maps), drifting the health-dashboard tally; self-heals on singleton restart (observational, hence Med).
- StoreAndForward-028 (Med): StoreAndForward-025 resets the register-guard but not _bufferedCount, so a same-instance Stop->Start re-seeds the depth gauge to ~2N.
- AuditLog-017, CentralUI-037, ScriptAnalysis-009, SiteRuntime-033 (Low): a test-coverage gap plus stale doc-comments/spec following the remediation.

Header commit/date bumped to 1f9de8a2 / 2026-06-24 on all 17 modules; README regenerated (8 pending / 576 total).
@@ -5,9 +5,9 @@
| Module | `src/ZB.MOM.WW.ScadaBridge.ManagementService` |
| Design doc | `docs/requirements/Component-ManagementService.md` |
| Status | Reviewed |
| Last reviewed | 2026-06-19 |
| Last reviewed | 2026-06-24 |
| Reviewer | claude-agent |
| Commit reviewed | `d6ead8ae` |
| Commit reviewed | `1f9de8a2` |
| Open findings | 0 (1 Deferred — see ManagementService-012) |
## Summary
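Review bot: Bumping the `Last reviewed` and `Commit reviewed` rows drops the previous baseline (`d6ead8ae`, 2026-06-19) from the header entirely, yet the new re-review section below describes itself as covering "the changes since the prior review"; without the old commit recorded somewhere, the delta window this re-review covers is not traceable from the document itself. Suggest keeping a `Previous review | d6ead8ae (2026-06-19)` row in the header table, or citing the prior commit in the re-review heading.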
@@ -1216,3 +1216,26 @@ Make the comments accurate after fixing the gating.
Resolved 2026-06-19 (commit `cd8e4872`): with both update commands moved to Administrator (MS-024), the
SMTP "Admin-only" comment is now accurate and the SMS list comment was updated to "Admin-only".
## Re-review — 2026-06-24 (commit `1f9de8a2`)
Focused re-review of the changes since the prior review — verifying the code-review remediation + feature fixes are sound and regression-free. Reviewed by a per-module workflow agent; findings code-verified by the orchestrator.
**Changes reviewed:** Three remediation changes to ManagementActor.cs: (1) MgmtSvc-021 moved UpdateSmtpConfigCommand and UpdateSmsConfigCommand from the Designer role gate to the Administrator gate in GetRequiredRole; (2) MgmtSvc-021 changed HandleUpdateSmsConfig to treat an empty/whitespace AuthToken as "omitted" (IsNullOrWhiteSpace guard) instead of clearing the stored Twilio secret; (3) Security-023 added a ValidateMappingRole helper that rejects any LDAP-group-mapping Role not in the canonical Roles.All set (case-insensitive membership, verbatim storage) at the create/update write paths.
**Verdict:** The changed code is clean, correct, and regression-free. All three fixes are sound: the SMTP/SMS admin gate now matches the design doc (Component-NotificationService.md line 19: "Admin role (SMTP and SMS configuration)") and the RequireAdmin UI pages, closing a privilege gap where a Designer could rotate production credentials via CLI/API. The empty-AuthToken guard correctly prevents silent secret wipe while preserving the intentionally-asymmetric null-only guard on SMTP Credentials (which may be cleared for anonymous SMTP). The role-mapping validation rejects non-canonical roles before any DB write via a clean COMMAND_FAILED client error (ManagementCommandException), and its case-insensitive membership / verbatim-storage choice flows correctly through RoleMapper which compares roles case-insensitively. Test coverage is thorough and matches each change point precisely. No new issues introduced.
| # | Category | Examined | Notes |
|---|----------|----------|-------|
| 1 | Correctness & logic bugs | ☑ | IsNullOrWhiteSpace guard correctly preserves the stored AuthToken on blank input; ValidateMappingRole rejects before DB write; gate reassignment is internally consistent (commands removed from Designer block, added to Administrator block, no duplication). No issues found. |
| 2 | Akka.NET conventions | ☑ | No actor-model changes; handlers remain static async returning into the existing PipeTo/error envelope path. ManagementCommandException surfaces as ManagementError COMMAND_FAILED, not an internal-detail leak. No issues found. |
| 3 | Concurrency & thread safety | ☑ | ValidateMappingRole is a pure static method; no shared mutable state, no captured sender/this. Scoped repos resolved per-command as before. No issues found. |
| 4 | Error handling & resilience | ☑ | Validation throws a curated ManagementCommandException whose message is safe to surface verbatim (no server/DB internals); falls into the existing finding-016 client-safe error path. No issues found. |
| 5 | Security | ☑ | Core intent of the diff: closes a privilege-escalation gap (SMTP/SMS secret rotation now Admin-only, matching UI RequireAdmin), prevents accidental secret wipe, and rejects non-canonical role claims. AuthToken still projected away in responses/audit. No issues found. |
| 6 | Performance & resource management | ☑ | Roles.All.Contains over a 6-element array per write is negligible; no new allocations on hot paths, no IDisposable/stream lifetimes touched. No issues found. |
| 7 | Design-document adherence | ☑ | Component-NotificationService.md line 19 explicitly mandates Admin role for SMTP/SMS config; the gate change aligns code with spec (prior Designer gate was the drift). Role-canonicalization matches Roles.cs source-of-truth intent. No stale doc identified. No issues found. |
| 8 | Code organization & conventions | ☑ | ValidateMappingRole factored once and reused by both create/update handlers; comments are accurate and cite the asymmetry rationale with SmtpConfiguration. Consistent with surrounding style. No issues found. |
| 9 | Testing coverage | ☑ | New RoleMappingValidationTests (unknown role, misspelled canonical, no-row asserts, canonical success with verbatim casing) plus ManagementActorTests deltas covering Admin-positive, Designer/Viewer-rejection, and empty-AuthToken preservation. Each change point is directly exercised. No issues found. |
| 10 | Documentation & comments | ☑ | MgmtSvc-020 comment updated from 'Designer-gated' to 'Admin-only' to match the new gate; MgmtSvc-021 and Security-023 comments accurately describe rationale and explicitly scope out the deferred case-sensitivity asymmetry. No stale comments. No issues found. |
_No new findings — the changes in this module are clean._
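Review bot: Finding identifiers are inconsistent within this hunk and against the unchanged context above it: the existing resolution note ("with both update commands moved to Administrator (MS-024)") credits the Admin-gate move to `MS-024`, the new **Changes reviewed** paragraph credits the same move to `MgmtSvc-021` and then reuses `MgmtSvc-021` for the separate empty-AuthToken fix, and row 10 of the table cites `MgmtSvc-020` for the comment update. Use the one id scheme the document already uses (the header row refers to `ManagementService-012`) and give each of the three fixes its own distinct finding id so the remediation can be cross-checked. Row 10 also mentions a "deferred case-sensitivity asymmetry" with no id; if that is the single deferred item the header counts (`ManagementService-012`), say so in the row, otherwise it is an open point this re-review leaves untracked.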