fix(review): full code-review remediation — 5 High + Medium/Low across 16 modules

Remediation from the full per-module code review at 4307c381 (findings recorded
separately in code-reviews/).

Highs fixed:
- DeploymentManager-025/SiteRuntime-031: stop broadcasting notification lists + SMTP
  configs (incl. credentials) to sites; site purges already-persisted rows on apply
  (enforces the central-only delivery design; clears plaintext SMTP creds at rest).
- DataConnectionLayer-023: guard the native-alarm subscribe path against the
  mid-flight-unsubscribe adapter-feed leak (mirrors the DCL-021 tag-path fix).
- SiteEventLogging-024: normalize From/To query bounds to UTC (the -016 fix the
  audit trail claimed but never committed).
- KpiHistory-001: add an in-flight guard to the recorder sample tick.
- ScriptAnalysis-001: harden the trust analyzer's TPA-absent fallback (resolve
  forbidden anchors in the minimal reference set; warn on degraded mode) — anchors
  added to validation references only, never the compile gate.
(InboundAPI-026 left to the feat/ipsen-movein effort per owner decision.)

Medium/Low: DM-026 deterministic deploy-status tiebreaker; SR-027/028/029/030
native-alarm leak/phantom-active/delete-during-redeploy fixes; AL-013/014/016;
TE-024 (folder-mutation audit rows now persisted)/025; SF-025 gauge-provider
clear-on-stop; ESG-025/026; SEC-023/024/025; SCA-007/008/009; plus doc/test
accuracy COM-023/024, HOST-025/026, HM-024/025, NS-027/028.

Full-solution build 0 warnings; ~3560 tests across 18 touched suites green.

src/ZB.MOM.WW.ScadaBridge.ExternalSystemGateway/DatabaseGateway.cs

@@ -332,20 +332,30 @@ public class DatabaseGateway : IDatabaseGateway
         }
         catch (OperationCanceledException) when (cancellationToken.IsCancellationRequested)
         {
-            // [2] The caller asked to abandon the work — propagate the cancellation
+            // [1] The caller asked to abandon the work — propagate the cancellation
             // unchanged; it must never be reclassified as a transient DB error.
             throw;
         }
         catch (SqlException ex)
         {
-            // Classify by SqlException.Number and rethrow as the strongly-typed
-            // transient / permanent failure the callers branch on. The context
-            // is the connection NAME, never the connection string.
+            // [2] ExternalSystemGateway-025: a caller-token cancellation can surface
+            // from the SQL driver as a SqlException (a mid-flight cancel), not an
+            // OperationCanceledException, so the [1] filter above never sees it.
+            // Re-check the caller's token at the TOP of this block so such a cancel
+            // propagates as OperationCanceledException regardless of the driver's
+            // exception shape — never reclassified as a permanent DB error (the
+            // "-008 cancel-not-reclassified" contract). Version-independent: no need
+            // to match a specific SqlException number.
+            cancellationToken.ThrowIfCancellationRequested();
+
+            // Otherwise classify by SqlException.Number and rethrow as the
+            // strongly-typed transient / permanent failure the callers branch on.
+            // The context is the connection NAME, never the connection string.
             throw SqlErrorClassifier.Throw(connectionName, ex);
         }
         catch (Exception ex) when (SqlErrorClassifier.IsTransient(ex))
         {
-            // [1] A live outage that did not surface as a SqlException — treat as
+            // [3] A live outage that did not surface as a SqlException — treat as
             // transient so the caller buffers + retries. The message uses the
             // connection NAME, never the connection string (credential safety).
             throw new TransientDatabaseException(