fix(review): full code-review remediation — 5 High + Medium/Low across 16 modules

Remediation from the full per-module code review at 4307c381 (findings recorded
separately in code-reviews/).

Highs fixed:
- DeploymentManager-025/SiteRuntime-031: stop broadcasting notification lists + SMTP
  configs (incl. credentials) to sites; site purges already-persisted rows on apply
  (enforces the central-only delivery design; clears plaintext SMTP creds at rest).
- DataConnectionLayer-023: guard the native-alarm subscribe path against the
  mid-flight-unsubscribe adapter-feed leak (mirrors the DCL-021 tag-path fix).
- SiteEventLogging-024: normalize From/To query bounds to UTC (the -016 fix the
  audit trail claimed but never committed).
- KpiHistory-001: add an in-flight guard to the recorder sample tick.
- ScriptAnalysis-001: harden the trust analyzer's TPA-absent fallback (resolve
  forbidden anchors in the minimal reference set; warn on degraded mode) — anchors
  added to validation references only, never the compile gate.
(InboundAPI-026 left to the feat/ipsen-movein effort per owner decision.)

Medium/Low: DM-026 deterministic deploy-status tiebreaker; SR-027/028/029/030
native-alarm leak/phantom-active/delete-during-redeploy fixes; AL-013/014/016;
TE-024 (folder-mutation audit rows now persisted)/025; SF-025 gauge-provider
clear-on-stop; ESG-025/026; SEC-023/024/025; SCA-007/008/009; plus doc/test
accuracy COM-023/024, HOST-025/026, HM-024/025, NS-027/028.

Full-solution build 0 warnings; ~3560 tests across 18 touched suites green.

tests/ZB.MOM.WW.ScadaBridge.Security.Tests/SecurityTests.cs

@@ -71,12 +71,16 @@ public class LdapAuthServiceTests
     [Fact]
     public async Task AuthenticateAsync_ConnectionFailure_FailsClosed_NeverThrows()
     {
-        // Point at a non-existent server: the library fails closed (never throws) and
-        // maps the unreachable directory to the system-side ServiceAccountBindFailed
-        // bucket — preserving the donor's "directory unavailable ⇒ login fails" rule.
+        // Security-025: point at a guaranteed-unroutable loopback address (127.0.0.1 on a
+        // closed high port) rather than DNS-resolving "nonexistent.invalid". The connect is
+        // refused deterministically and immediately, with no external DNS dependency and no
+        // multi-second timeout dead-time, so this stays a fast, network-sandbox-safe unit
+        // test. The library still fails closed (never throws) and maps the unreachable
+        // directory to the system-side ServiceAccountBindFailed bucket — preserving the
+        // donor's "directory unavailable ⇒ login fails" rule, which is what this asserts.
         var options = CreateOptions(LdapTransport.None, allowInsecure: true) with
         {
-            Server = "nonexistent.invalid",
+            Server = "127.0.0.1",
             Port = 9999,
             ConnectionTimeoutMs = 2_000,
         };
@@ -1159,6 +1163,85 @@ public class AuthorizationPolicyTests
         Assert.True(await EvaluatePolicy(AuthorizationPolicies.OperationalAudit, principal));
     }
 
+    // ─────────────────────────────────────────────────────────────────────
+    // Security-024 — M7 two-person Secured Write separation-of-duties (SoD)
+    // policies. The whole safety argument of Secured Writes is that the role
+    // that INITIATES (Operator → RequireOperator) is distinct from the role
+    // that APPROVES (Verifier → RequireVerifier). These functional
+    // AuthorizeAsync tests prove the grant/deny behaviour and the mutual
+    // distinctness — a regression that mapped, say, RequireOperator to
+    // Roles.Verifier would now fail here instead of silently collapsing the
+    // SoD (the prior coverage only asserted the constant string values).
+    // ─────────────────────────────────────────────────────────────────────
+
+    [Fact]
+    public async Task OperatorPolicy_OperatorRole_Succeeds()
+    {
+        var principal = CreatePrincipal(new[] { Roles.Operator });
+        Assert.True(await EvaluatePolicy(AuthorizationPolicies.RequireOperator, principal));
+    }
+
+    [Theory]
+    [InlineData("Verifier")]
+    [InlineData("Administrator")]
+    [InlineData("Designer")]
+    [InlineData("Deployer")]
+    [InlineData("Viewer")]
+    public async Task OperatorPolicy_NonOperatorRoles_Fail(string role)
+    {
+        var principal = CreatePrincipal(new[] { role });
+        Assert.False(await EvaluatePolicy(AuthorizationPolicies.RequireOperator, principal));
+    }
+
+    [Fact]
+    public async Task OperatorPolicy_NoRoles_Fails()
+    {
+        var principal = CreatePrincipal(Array.Empty<string>());
+        Assert.False(await EvaluatePolicy(AuthorizationPolicies.RequireOperator, principal));
+    }
+
+    [Fact]
+    public async Task VerifierPolicy_VerifierRole_Succeeds()
+    {
+        var principal = CreatePrincipal(new[] { Roles.Verifier });
+        Assert.True(await EvaluatePolicy(AuthorizationPolicies.RequireVerifier, principal));
+    }
+
+    [Theory]
+    [InlineData("Operator")]
+    [InlineData("Administrator")]
+    [InlineData("Designer")]
+    [InlineData("Deployer")]
+    [InlineData("Viewer")]
+    public async Task VerifierPolicy_NonVerifierRoles_Fail(string role)
+    {
+        var principal = CreatePrincipal(new[] { role });
+        Assert.False(await EvaluatePolicy(AuthorizationPolicies.RequireVerifier, principal));
+    }
+
+    [Fact]
+    public async Task VerifierPolicy_NoRoles_Fails()
+    {
+        var principal = CreatePrincipal(Array.Empty<string>());
+        Assert.False(await EvaluatePolicy(AuthorizationPolicies.RequireVerifier, principal));
+    }
+
+    [Fact]
+    public async Task SecuredWriteSoD_OperatorPrincipalCannotSatisfyVerifier_AndViceVersa()
+    {
+        // The SoD invariant at the policy layer: an Operator-only principal can
+        // initiate (RequireOperator) but cannot approve (RequireVerifier), and a
+        // Verifier-only principal is the mirror. The two policies are mutually
+        // distinct, so a single role can never both initiate and approve.
+        var operatorOnly = CreatePrincipal(new[] { Roles.Operator });
+        Assert.True(await EvaluatePolicy(AuthorizationPolicies.RequireOperator, operatorOnly));
+        Assert.False(await EvaluatePolicy(AuthorizationPolicies.RequireVerifier, operatorOnly));
+
+        var verifierOnly = CreatePrincipal(new[] { Roles.Verifier });
+        Assert.True(await EvaluatePolicy(AuthorizationPolicies.RequireVerifier, verifierOnly));
+        Assert.False(await EvaluatePolicy(AuthorizationPolicies.RequireOperator, verifierOnly));
+    }
+
     private static ClaimsPrincipal CreatePrincipal(string[] roles, string[]? siteIds = null)
     {
         var claims = new List<Claim>();