fix(review): full code-review remediation — 5 High + Medium/Low across 16 modules

Remediation from the full per-module code review at 4307c381 (findings recorded
separately in code-reviews/).

Highs fixed:
- DeploymentManager-025/SiteRuntime-031: stop broadcasting notification lists + SMTP
  configs (incl. credentials) to sites; site purges already-persisted rows on apply
  (enforces the central-only delivery design; clears plaintext SMTP creds at rest).
- DataConnectionLayer-023: guard the native-alarm subscribe path against the
  mid-flight-unsubscribe adapter-feed leak (mirrors the DCL-021 tag-path fix).
- SiteEventLogging-024: normalize From/To query bounds to UTC (the -016 fix the
  audit trail claimed but never committed).
- KpiHistory-001: add an in-flight guard to the recorder sample tick.
- ScriptAnalysis-001: harden the trust analyzer's TPA-absent fallback (resolve
  forbidden anchors in the minimal reference set; warn on degraded mode) — anchors
  added to validation references only, never the compile gate.
(InboundAPI-026 left to the feat/ipsen-movein effort per owner decision.)

Medium/Low: DM-026 deterministic deploy-status tiebreaker; SR-027/028/029/030
native-alarm leak/phantom-active/delete-during-redeploy fixes; AL-013/014/016;
TE-024 (folder-mutation audit rows now persisted)/025; SF-025 gauge-provider
clear-on-stop; ESG-025/026; SEC-023/024/025; SCA-007/008/009; plus doc/test
accuracy COM-023/024, HOST-025/026, HM-024/025, NS-027/028.

Full-solution build 0 warnings; ~3560 tests across 18 touched suites green.

tests/ZB.MOM.WW.ScadaBridge.DataConnectionLayer.Tests/DataConnectionActorAlarmTests.cs

@@ -231,4 +231,79 @@ public class DataConnectionActorAlarmTests : TestKit
             "", "", "", "", "", null, DateTimeOffset.UtcNow, "", ""));
         ExpectMsg<NativeAlarmTransitionUpdate>(u => u.Transition.Kind == AlarmTransitionKind.SnapshotComplete);
     }
+
+    // ── DataConnectionLayer-023: mid-flight alarm unsubscribe must release the adapter feed ──
+
+    [Fact]
+    public async Task DCL023_UnsubscribeDuringInFlightAlarmSubscribe_ReleasesAdapterFeed_AndKeepsStateClean()
+    {
+        // Regression test for DataConnectionLayer-023. Previously the native-alarm
+        // subscribe path never inherited the DCL-021 obsolete-completion guard: if the
+        // last subscriber unsubscribed while the adapter alarm subscribe was in flight,
+        // HandleUnsubscribeAlarms could not tear down the feed (the subscription id was
+        // not stored yet), and the late AlarmSubscribeCompleted unconditionally stored
+        // _alarmSubscriptionIds[source] = id — an orphaned device-side alarm feed that
+        // streamed transitions to nobody for the lifetime of the adapter. After the fix,
+        // HandleUnsubscribeAlarms clears the in-flight marker and the late completion is
+        // recognized as orphaned (no subscriber remains) and released via
+        // UnsubscribeAlarmsAsync, with no leaked subscription id retained.
+        var subscribeStarted = new TaskCompletionSource(TaskCreationOptions.RunContinuationsAsynchronously);
+        var releaseSubscribe = new TaskCompletionSource<string>(TaskCreationOptions.RunContinuationsAsynchronously);
+
+        var adapter = Substitute.For<IDataConnection, IAlarmSubscribableConnection>();
+        adapter.ConnectAsync(Arg.Any<IDictionary<string, string>>(), Arg.Any<CancellationToken>())
+            .Returns(Task.CompletedTask);
+        var alarmable = (IAlarmSubscribableConnection)adapter;
+        // Park the adapter subscribe so UnsubscribeAlarmsRequest is processed first.
+        alarmable.SubscribeAlarmsAsync(Arg.Any<string>(), Arg.Any<string?>(),
+                Arg.Any<AlarmTransitionCallback>(), Arg.Any<CancellationToken>())
+            .Returns(_ =>
+            {
+                subscribeStarted.TrySetResult();
+                return releaseSubscribe.Task;
+            });
+        alarmable.UnsubscribeAlarmsAsync(Arg.Any<string>(), Arg.Any<CancellationToken>())
+            .Returns(Task.CompletedTask);
+
+        var actor = Sys.ActorOf(Props.Create(() => new DataConnectionActor(
+            "conn", adapter, _options, _health, _factory, "OpcUa")));
+
+        // Subscribe a source — block on the parked adapter subscribe.
+        actor.Tell(new SubscribeAlarmsRequest("c1", "instA", "conn", "Tank01", null, DateTimeOffset.UtcNow));
+        // The immediate SubscribeAlarmsResponse only arrives after HandleAlarmSubscribeCompleted;
+        // since the subscribe is parked, none is expected yet.
+        await subscribeStarted.Task.WaitAsync(TimeSpan.FromSeconds(5));
+
+        // The last subscriber unsubscribes while the alarm subscribe is still in flight.
+        actor.Tell(new UnsubscribeAlarmsRequest("unsub-c1", "instA", "conn", "Tank01", DateTimeOffset.UtcNow));
+        await Task.Delay(150);
+
+        // Release the parked subscribe — AlarmSubscribeCompleted is now orphaned.
+        releaseSubscribe.SetResult("alarm-sub-orphan");
+        await Task.Delay(300);
+
+        // The orphaned, just-created adapter feed must be released exactly once.
+        await alarmable.Received(1).UnsubscribeAlarmsAsync(
+            Arg.Is<string>(s => s == "alarm-sub-orphan"), Arg.Any<CancellationToken>());
+
+        // No leaked subscription id must remain: a fresh subscribe to the same source
+        // must open a NEW adapter feed (proving _alarmSubscriptionIds was not populated
+        // with the orphaned id, which would have short-circuited the adapter subscribe).
+        var resubStarted = new TaskCompletionSource(TaskCreationOptions.RunContinuationsAsynchronously);
+        alarmable.SubscribeAlarmsAsync(Arg.Any<string>(), Arg.Any<string?>(),
+                Arg.Any<AlarmTransitionCallback>(), Arg.Any<CancellationToken>())
+            .Returns(_ =>
+            {
+                resubStarted.TrySetResult();
+                return Task.FromResult("alarm-sub-2");
+            });
+
+        actor.Tell(new SubscribeAlarmsRequest("c2", "instB", "conn", "Tank01", null, DateTimeOffset.UtcNow));
+        await resubStarted.Task.WaitAsync(TimeSpan.FromSeconds(5));
+        ExpectMsg<SubscribeAlarmsResponse>(m => m.Success, TimeSpan.FromSeconds(5));
+
+        // Two distinct adapter subscribes total (the orphaned one + the fresh one).
+        await alarmable.Received(2).SubscribeAlarmsAsync(
+            "Tank01", Arg.Any<string?>(), Arg.Any<AlarmTransitionCallback>(), Arg.Any<CancellationToken>());
+    }
 }