fix(review): full code-review remediation — 5 High + Medium/Low across 16 modules

Remediation from the full per-module code review at 4307c381 (findings recorded
separately in code-reviews/).

Highs fixed:
- DeploymentManager-025/SiteRuntime-031: stop broadcasting notification lists + SMTP
  configs (incl. credentials) to sites; site purges already-persisted rows on apply
  (enforces the central-only delivery design; clears plaintext SMTP creds at rest).
- DataConnectionLayer-023: guard the native-alarm subscribe path against the
  mid-flight-unsubscribe adapter-feed leak (mirrors the DCL-021 tag-path fix).
- SiteEventLogging-024: normalize From/To query bounds to UTC (the -016 fix the
  audit trail claimed but never committed).
- KpiHistory-001: add an in-flight guard to the recorder sample tick.
- ScriptAnalysis-001: harden the trust analyzer's TPA-absent fallback (resolve
  forbidden anchors in the minimal reference set; warn on degraded mode) — anchors
  added to validation references only, never the compile gate.
(InboundAPI-026 left to the feat/ipsen-movein effort per owner decision.)

Medium/Low: DM-026 deterministic deploy-status tiebreaker; SR-027/028/029/030
native-alarm leak/phantom-active/delete-during-redeploy fixes; AL-013/014/016;
TE-024 (folder-mutation audit rows now persisted)/025; SF-025 gauge-provider
clear-on-stop; ESG-025/026; SEC-023/024/025; SCA-007/008/009; plus doc/test
accuracy COM-023/024, HOST-025/026, HM-024/025, NS-027/028.

Full-solution build 0 warnings; ~3560 tests across 18 touched suites green.

tests/ZB.MOM.WW.ScadaBridge.SiteCallAudit.Tests/SiteCallAuditPurgeTests.cs

@@ -1,5 +1,6 @@
 using Akka.Actor;
 using Akka.TestKit.Xunit2;
+using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging.Abstractions;
 using ZB.MOM.WW.ScadaBridge.AuditLog.Central;
 using ZB.MOM.WW.ScadaBridge.Commons.Entities.Audit;
@@ -177,4 +178,48 @@ public class SiteCallAuditPurgeTests : TestKit
             duration: TimeSpan.FromSeconds(3),
             interval: TimeSpan.FromMilliseconds(50));
     }
+
+    // ---------------------------------------------------------------------
+    // 4. SiteCallAudit-007: purge timer arms even when the reconciliation
+    //    collaborators are ABSENT (production ctor, no IPullSiteCallsClient /
+    //    ISiteEnumerator registered). Proves the decoupling — a host that omits
+    //    the reconciliation client still purges, so the central SiteCalls table
+    //    cannot grow unbounded.
+    // ---------------------------------------------------------------------
+
+    [Fact]
+    public void PurgeTick_ProductionCtor_NoReconciliationCollaborators_StillPurges()
+    {
+        var repo = new RecordingRepo { RowsDeletedPerCall = 3 };
+
+        // Build a DI container that registers the repository the production
+        // ctor resolves per-tick, but deliberately registers NEITHER
+        // IPullSiteCallsClient NOR ISiteEnumerator. GetService returns null for
+        // both, so the actor's reconciliation tick is gated off — but the purge
+        // tick must still arm (SiteCallAudit-007).
+        var provider = new ServiceCollection()
+            .AddScoped<ISiteCallAuditRepository>(_ => repo)
+            .BuildServiceProvider();
+
+        var options = FastPurgeOptions(retentionDays: 30);
+        Sys.ActorOf(Props.Create(() => new SiteCallAuditActor(
+            provider,
+            options,
+            NullLogger<SiteCallAuditActor>.Instance)));
+
+        // No reconciliation collaborators were registered, yet the purge tick
+        // must still fire on the production path.
+        AwaitAssert(
+            () => Assert.True(repo.PurgeThresholds.Count >= 1,
+                "purge timer must arm even when the reconciliation collaborators are absent "
+                + $"(SiteCallAudit-007), got {repo.PurgeThresholds.Count} purge calls"),
+            duration: TimeSpan.FromSeconds(3),
+            interval: TimeSpan.FromMilliseconds(50));
+
+        var threshold = repo.PurgeThresholds[0];
+        var expected = DateTime.UtcNow - TimeSpan.FromDays(30);
+        Assert.True(
+            Math.Abs((threshold - expected).TotalMinutes) < 1.0,
+            $"purge threshold {threshold:o} should be within 1 minute of {expected:o}");
+    }
 }