fix(review): full code-review remediation — 5 High + Medium/Low across 16 modules

Remediation from the full per-module code review at 4307c381 (findings recorded
separately in code-reviews/).

Highs fixed:
- DeploymentManager-025/SiteRuntime-031: stop broadcasting notification lists + SMTP
  configs (incl. credentials) to sites; site purges already-persisted rows on apply
  (enforces the central-only delivery design; clears plaintext SMTP creds at rest).
- DataConnectionLayer-023: guard the native-alarm subscribe path against the
  mid-flight-unsubscribe adapter-feed leak (mirrors the DCL-021 tag-path fix).
- SiteEventLogging-024: normalize From/To query bounds to UTC (the -016 fix the
  audit trail claimed but never committed).
- KpiHistory-001: add an in-flight guard to the recorder sample tick.
- ScriptAnalysis-001: harden the trust analyzer's TPA-absent fallback (resolve
  forbidden anchors in the minimal reference set; warn on degraded mode) — anchors
  added to validation references only, never the compile gate.
(InboundAPI-026 left to the feat/ipsen-movein effort per owner decision.)

Medium/Low: DM-026 deterministic deploy-status tiebreaker; SR-027/028/029/030
native-alarm leak/phantom-active/delete-during-redeploy fixes; AL-013/014/016;
TE-024 (folder-mutation audit rows now persisted)/025; SF-025 gauge-provider
clear-on-stop; ESG-025/026; SEC-023/024/025; SCA-007/008/009; plus doc/test
accuracy COM-023/024, HOST-025/026, HM-024/025, NS-027/028.

Full-solution build 0 warnings; ~3560 tests across 18 touched suites green.

tests/ZB.MOM.WW.ScadaBridge.KpiHistory.Tests/KpiHistoryRecorderActorTests.cs

@@ -142,6 +142,40 @@ public class KpiHistoryRecorderActorTests : TestKit
         }
     }
 
+    /// <summary>
+    /// Repository fake whose <see cref="RecordSamplesAsync"/> blocks on a manual-reset gate
+    /// until the test releases it, holding a sample pass "in flight" so an overlapping-tick
+    /// scenario can be driven deterministically. Counts how many times the write was entered.
+    /// </summary>
+    private sealed class GatedRepository : IKpiHistoryRepository
+    {
+        private readonly ManualResetEventSlim _release = new(initialState: false);
+        private int _writeCount;
+
+        /// <summary>Number of times <see cref="RecordSamplesAsync"/> has been entered.</summary>
+        public int WriteCount => Volatile.Read(ref _writeCount);
+
+        /// <summary>Releases all blocked writes so the gated passes can complete.</summary>
+        public void Release() => _release.Set();
+
+        public Task RecordSamplesAsync(
+            IReadOnlyCollection<KpiSample> samples, CancellationToken cancellationToken = default)
+        {
+            Interlocked.Increment(ref _writeCount);
+            // Block on a threadpool thread (PipeTo runs the pass off the actor thread), holding
+            // the pass in flight until the test opens the gate.
+            return Task.Run(() => _release.Wait(cancellationToken), cancellationToken);
+        }
+
+        public Task<IReadOnlyList<KpiSeriesPoint>> GetRawSeriesAsync(
+            string source, string metric, string scope, string? scopeKey,
+            DateTime fromUtc, DateTime toUtc, CancellationToken cancellationToken = default) =>
+            Task.FromResult<IReadOnlyList<KpiSeriesPoint>>(Array.Empty<KpiSeriesPoint>());
+
+        public Task<int> PurgeOlderThanAsync(DateTime before, CancellationToken cancellationToken = default) =>
+            Task.FromResult(0);
+    }
+
     private IServiceProvider BuildServiceProvider(
         IKpiHistoryRepository repository, params IKpiSampleSource[] sources)
     {
@@ -244,11 +278,62 @@ public class KpiHistoryRecorderActorTests : TestKit
             duration: TimeSpan.FromSeconds(2),
             interval: TimeSpan.FromMilliseconds(50));
 
-        // Second tick to the SAME actor: source now returns a healthy sample.
-        // AwaitAssert confirms the actor processed the message and recorded it.
+        // Second tick to the SAME actor: source now returns a healthy sample. Re-send the tick
+        // on each poll so we don't race the (asynchronous) SampleComplete that lowers the
+        // in-flight guard after the faulted first pass — a tick that lands before the guard
+        // clears is harmlessly skipped, and the next poll's tick runs. The recovered sample
+        // being recorded proves the actor's message loop is still alive after a faulted pass.
+        // (>= 1 rather than exactly-1: a later re-sent tick could run an extra recovering pass
+        // once the guard clears, which is not what this test pins — KH-001's one-pass-per-tick
+        // guard is pinned by OverlappingTick_WhileFirstPassInFlight_DoesNotStartSecondPass.)
+        AwaitAssert(
+            () =>
+            {
+                actor.Tell(KpiHistoryRecorderActor.SampleTick.Instance);
+                Assert.NotEmpty(repository.Recorded);
+            },
+            duration: TimeSpan.FromSeconds(3),
+            interval: TimeSpan.FromMilliseconds(50));
+    }
+
+    [Fact]
+    public void OverlappingTick_WhileFirstPassInFlight_DoesNotStartSecondPass()
+    {
+        // KpiHistory-001 regression: the in-flight guard must coalesce a tick that arrives
+        // while a prior sample pass is still awaiting its DB write. With a gated repository
+        // holding the first write open, a second SampleTick must NOT spawn a second pass —
+        // so RecordSamplesAsync is entered exactly once until the gate is released.
+        var repository = new GatedRepository();
+        var sp = BuildServiceProvider(repository, new HealthySource());
+        var actor = CreateActor(sp);
+
+        // First tick: raises the guard, enters the (gated, blocking) write — held in flight.
         actor.Tell(KpiHistoryRecorderActor.SampleTick.Instance);
         AwaitAssert(
-            () => Assert.Single(repository.Recorded),
+            () => Assert.Equal(1, repository.WriteCount),
+            duration: TimeSpan.FromSeconds(3),
+            interval: TimeSpan.FromMilliseconds(50));
+
+        // Second tick while the first pass is still in flight: must be skipped by the guard.
+        actor.Tell(KpiHistoryRecorderActor.SampleTick.Instance);
+
+        // Give the second tick ample time to (wrongly) start a pass; the write count must
+        // stay at 1, proving no second concurrent pass was launched.
+        Assert.Equal(1, repository.WriteCount);
+        Thread.Sleep(300);
+        Assert.Equal(1, repository.WriteCount);
+
+        // Release the gate so the first pass completes and the guard is lowered; a fresh
+        // tick must now run a new pass (guard correctly reset, not stuck). Re-send the tick on
+        // each poll so we don't race the (asynchronous) SampleComplete that lowers the guard —
+        // a tick that lands before the guard clears is harmlessly skipped, the next one runs.
+        repository.Release();
+        AwaitAssert(
+            () =>
+            {
+                actor.Tell(KpiHistoryRecorderActor.SampleTick.Instance);
+                Assert.Equal(2, repository.WriteCount);
+            },
             duration: TimeSpan.FromSeconds(3),
             interval: TimeSpan.FromMilliseconds(50));
     }