fix(review): full code-review remediation — 5 High + Medium/Low across 16 modules

Remediation from the full per-module code review at 4307c381 (findings recorded
separately in code-reviews/).

Highs fixed:
- DeploymentManager-025/SiteRuntime-031: stop broadcasting notification lists + SMTP
  configs (incl. credentials) to sites; site purges already-persisted rows on apply
  (enforces the central-only delivery design; clears plaintext SMTP creds at rest).
- DataConnectionLayer-023: guard the native-alarm subscribe path against the
  mid-flight-unsubscribe adapter-feed leak (mirrors the DCL-021 tag-path fix).
- SiteEventLogging-024: normalize From/To query bounds to UTC (the -016 fix the
  audit trail claimed but never committed).
- KpiHistory-001: add an in-flight guard to the recorder sample tick.
- ScriptAnalysis-001: harden the trust analyzer's TPA-absent fallback (resolve
  forbidden anchors in the minimal reference set; warn on degraded mode) — anchors
  added to validation references only, never the compile gate.
(InboundAPI-026 left to the feat/ipsen-movein effort per owner decision.)

Medium/Low: DM-026 deterministic deploy-status tiebreaker; SR-027/028/029/030
native-alarm leak/phantom-active/delete-during-redeploy fixes; AL-013/014/016;
TE-024 (folder-mutation audit rows now persisted)/025; SF-025 gauge-provider
clear-on-stop; ESG-025/026; SEC-023/024/025; SCA-007/008/009; plus doc/test
accuracy COM-023/024, HOST-025/026, HM-024/025, NS-027/028.

Full-solution build 0 warnings; ~3560 tests across 18 touched suites green.

tests/ZB.MOM.WW.ScadaBridge.DeploymentManager.Tests/ArtifactDeploymentServiceTests.cs

@@ -32,6 +32,9 @@ public class ArtifactDeploymentServiceTests : TestKit
         _deploymentRepo = Substitute.For<IDeploymentManagerRepository>();
         _templateRepo = Substitute.For<ITemplateEngineRepository>();
         _externalSystemRepo = Substitute.For<IExternalSystemRepository>();
+        // DeploymentManager-025/-027: the notification repo is retained only so the
+        // tests can assert the artifact path NEVER touches it (it is no longer a
+        // constructor dependency of ArtifactDeploymentService).
         _notificationRepo = Substitute.For<INotificationRepository>();
         _audit = Substitute.For<IAuditService>();
     }
@@ -149,9 +152,8 @@ public class ArtifactDeploymentServiceTests : TestKit
     {
         // DeploymentManager-023: previously each per-site iteration of the deploy-many
         // loop re-issued the global artifact queries (shared scripts, external systems,
-        // DB connections, notification lists, SMTP configs) — a textbook N+1 over the
-        // global sets. With three sites the queries must now be issued ONCE in total,
-        // regardless of site count.
+        // DB connections) — a textbook N+1 over the global sets. With three sites the
+        // queries must now be issued ONCE in total, regardless of site count.
         var sites = new List<Site>
         {
             new("Site One", "site-1") { Id = 1 },
@@ -170,8 +172,16 @@ public class ArtifactDeploymentServiceTests : TestKit
         await _templateRepo.Received(1).GetAllSharedScriptsAsync(Arg.Any<CancellationToken>());
         await _externalSystemRepo.Received(1).GetAllExternalSystemsAsync(Arg.Any<CancellationToken>());
         await _externalSystemRepo.Received(1).GetAllDatabaseConnectionsAsync(Arg.Any<CancellationToken>());
-        await _notificationRepo.Received(1).GetAllNotificationListsAsync(Arg.Any<CancellationToken>());
-        await _notificationRepo.Received(1).GetAllSmtpConfigurationsAsync(Arg.Any<CancellationToken>());
+        // DeploymentManager-025/-027: notification lists and SMTP configuration are
+        // central-only — the artifact path must NEVER fetch them, and the per-site
+        // command must NEVER carry them.
+        await _notificationRepo.DidNotReceive().GetAllNotificationListsAsync(Arg.Any<CancellationToken>());
+        await _notificationRepo.DidNotReceive().GetAllSmtpConfigurationsAsync(Arg.Any<CancellationToken>());
+        Assert.All(recorder.Received, cmd =>
+        {
+            Assert.Null(cmd.NotificationLists);
+            Assert.Null(cmd.SmtpConfigurations);
+        });
         // The per-site query (data connections) DOES vary per site and must still run
         // once per site.
         await _siteRepo.Received(1).GetDataConnectionsBySiteIdAsync(1, Arg.Any<CancellationToken>());
@@ -197,8 +207,14 @@ public class ArtifactDeploymentServiceTests : TestKit
         await _templateRepo.Received(1).GetAllSharedScriptsAsync(Arg.Any<CancellationToken>());
         await _externalSystemRepo.Received(1).GetAllExternalSystemsAsync(Arg.Any<CancellationToken>());
         await _externalSystemRepo.Received(1).GetAllDatabaseConnectionsAsync(Arg.Any<CancellationToken>());
-        await _notificationRepo.Received(1).GetAllNotificationListsAsync(Arg.Any<CancellationToken>());
-        await _notificationRepo.Received(1).GetAllSmtpConfigurationsAsync(Arg.Any<CancellationToken>());
+        // DeploymentManager-025/-027: central-only — never fetched, never shipped.
+        await _notificationRepo.DidNotReceive().GetAllNotificationListsAsync(Arg.Any<CancellationToken>());
+        await _notificationRepo.DidNotReceive().GetAllSmtpConfigurationsAsync(Arg.Any<CancellationToken>());
+        Assert.All(recorder.Received, cmd =>
+        {
+            Assert.Null(cmd.NotificationLists);
+            Assert.Null(cmd.SmtpConfigurations);
+        });
     }
 
     [Fact]