fix(review): full code-review remediation — 5 High + Medium/Low across 16 modules

Remediation from the full per-module code review at 4307c381 (findings recorded
separately in code-reviews/).

Highs fixed:
- DeploymentManager-025/SiteRuntime-031: stop broadcasting notification lists + SMTP
  configs (incl. credentials) to sites; site purges already-persisted rows on apply
  (enforces the central-only delivery design; clears plaintext SMTP creds at rest).
- DataConnectionLayer-023: guard the native-alarm subscribe path against the
  mid-flight-unsubscribe adapter-feed leak (mirrors the DCL-021 tag-path fix).
- SiteEventLogging-024: normalize From/To query bounds to UTC (the -016 fix the
  audit trail claimed but never committed).
- KpiHistory-001: add an in-flight guard to the recorder sample tick.
- ScriptAnalysis-001: harden the trust analyzer's TPA-absent fallback (resolve
  forbidden anchors in the minimal reference set; warn on degraded mode) — anchors
  added to validation references only, never the compile gate.
(InboundAPI-026 left to the feat/ipsen-movein effort per owner decision.)

Medium/Low: DM-026 deterministic deploy-status tiebreaker; SR-027/028/029/030
native-alarm leak/phantom-active/delete-during-redeploy fixes; AL-013/014/016;
TE-024 (folder-mutation audit rows now persisted)/025; SF-025 gauge-provider
clear-on-stop; ESG-025/026; SEC-023/024/025; SCA-007/008/009; plus doc/test
accuracy COM-023/024, HOST-025/026, HM-024/025, NS-027/028.

Full-solution build 0 warnings; ~3560 tests across 18 touched suites green.

src/ZB.MOM.WW.ScadaBridge.SiteRuntime/Actors/SiteReplicationActor.cs

@@ -189,18 +189,16 @@ public class SiteReplicationActor : ReceiveActor
                     foreach (var db in command.DatabaseConnections)
                         await _storage.StoreDatabaseConnectionAsync(db.Name, db.ConnectionString, db.MaxRetries, db.RetryDelay);
 
-                if (command.NotificationLists != null)
-                    foreach (var nl in command.NotificationLists)
-                        await _storage.StoreNotificationListAsync(nl.Name, nl.RecipientEmails);
+                // DeploymentManager-025 / SiteRuntime-031: notification lists and SMTP
+                // configuration are central-only and are never persisted on a site.
+                // Mirror the primary apply path: purge any pre-fix rows (including the
+                // plaintext SMTP password) instead of writing the command's
+                // (now-always-null) NotificationLists/SmtpConfigurations.
+                await _storage.PurgeCentralOnlyNotificationConfigAsync();
 
                 if (command.DataConnections != null)
                     foreach (var dc in command.DataConnections)
                         await _storage.StoreDataConnectionDefinitionAsync(dc.Name, dc.Protocol, dc.PrimaryConfigurationJson, dc.BackupConfigurationJson, dc.FailoverRetryCount);
-
-                if (command.SmtpConfigurations != null)
-                    foreach (var smtp in command.SmtpConfigurations)
-                        await _storage.StoreSmtpConfigurationAsync(smtp.Name, smtp.Server, smtp.Port, smtp.AuthMode,
-                            smtp.FromAddress, smtp.Username, smtp.Password, smtp.OAuthConfig);
             }
             catch (Exception ex)
             {