fix(review): full code-review remediation — 5 High + Medium/Low across 16 modules

Remediation from the full per-module code review at 4307c381 (findings recorded
separately in code-reviews/).

Highs fixed:
- DeploymentManager-025/SiteRuntime-031: stop broadcasting notification lists + SMTP
  configs (incl. credentials) to sites; site purges already-persisted rows on apply
  (enforces the central-only delivery design; clears plaintext SMTP creds at rest).
- DataConnectionLayer-023: guard the native-alarm subscribe path against the
  mid-flight-unsubscribe adapter-feed leak (mirrors the DCL-021 tag-path fix).
- SiteEventLogging-024: normalize From/To query bounds to UTC (the -016 fix the
  audit trail claimed but never committed).
- KpiHistory-001: add an in-flight guard to the recorder sample tick.
- ScriptAnalysis-001: harden the trust analyzer's TPA-absent fallback (resolve
  forbidden anchors in the minimal reference set; warn on degraded mode) — anchors
  added to validation references only, never the compile gate.
(InboundAPI-026 left to the feat/ipsen-movein effort per owner decision.)

Medium/Low: DM-026 deterministic deploy-status tiebreaker; SR-027/028/029/030
native-alarm leak/phantom-active/delete-during-redeploy fixes; AL-013/014/016;
TE-024 (folder-mutation audit rows now persisted)/025; SF-025 gauge-provider
clear-on-stop; ESG-025/026; SEC-023/024/025; SCA-007/008/009; plus doc/test
accuracy COM-023/024, HOST-025/026, HM-024/025, NS-027/028.

Full-solution build 0 warnings; ~3560 tests across 18 touched suites green.

tests/ZB.MOM.WW.ScadaBridge.SiteRuntime.Tests/Actors/DeploymentManagerRedeployTests.cs

@@ -184,6 +184,62 @@ public class DeploymentManagerRedeployTests : TestKit, IDisposable
         Assert.True(disable.Success);
     }
 
+    [Fact]
+    public async Task SR029_DeleteDuringPendingRedeploy_InstanceStaysDeleted_AndCounterIsCorrect()
+    {
+        // Regression test for SiteRuntime-029. A delete arriving WHILE a redeploy is
+        // still terminating used to: (1) over-decrement _totalDeployedCount, and
+        // (2) leave the buffered _pendingRedeploys entry intact — so when Terminated
+        // fired, HandleTerminated called ApplyDeployment(isRedeploy: true) and
+        // RESURRECTED the just-deleted instance (re-creating the actor and re-writing
+        // the deployed-config SQLite row). After the fix, HandleDelete is authoritative
+        // over the mid-redeploy bookkeeping: it cancels the pending redeploy (telling
+        // the displaced deployer it was superseded), clears the terminating shadow, and
+        // decrements the counter exactly once.
+        var health = new CountCapturingHealthCollector();
+        var actor = CreateDeploymentManager(health);
+        await Task.Delay(500);
+
+        // Establish the running instance.
+        actor.Tell(new DeployInstanceCommand(
+            "dep-1", "RaceTarget", "h1", MakeConfigJson("RaceTarget"), "admin", DateTimeOffset.UtcNow));
+        var first = ExpectMsg<DeploymentStatusResponse>(TimeSpan.FromSeconds(5));
+        Assert.Equal(DeploymentStatus.Success, first.Status);
+        await Task.Delay(300);
+
+        // Fire a redeploy immediately followed by a delete. Both queue on the
+        // singleton mailbox: HandleDeploy runs first (removes from _instanceActors,
+        // watches + stops the predecessor, buffers the redeploy, sets the terminating
+        // shadow), then HandleDelete runs while the predecessor is still terminating
+        // (Terminated has not fired) — exactly the SiteRuntime-029 window.
+        var redeployProbe = CreateTestProbe();
+        actor.Tell(new DeployInstanceCommand(
+            "dep-2", "RaceTarget", "h2", MakeConfigJson("RaceTarget"), "admin", DateTimeOffset.UtcNow),
+            redeployProbe.Ref);
+        actor.Tell(new DeleteInstanceCommand("del-1", "RaceTarget", DateTimeOffset.UtcNow));
+
+        // The delete succeeds...
+        var delete = ExpectMsg<InstanceLifecycleResponse>(TimeSpan.FromSeconds(10));
+        Assert.True(delete.Success);
+
+        // ...and the displaced redeploy is told it was superseded (not silently lost).
+        var superseded = redeployProbe.ExpectMsg<DeploymentStatusResponse>(TimeSpan.FromSeconds(10));
+        Assert.Equal("dep-2", superseded.DeploymentId);
+        Assert.Equal(DeploymentStatus.Failed, superseded.Status);
+        Assert.Contains("superseded", superseded.ErrorMessage!, StringComparison.OrdinalIgnoreCase);
+
+        // Give the predecessor's Terminated signal time to fire — it must NOT
+        // resurrect the deleted instance.
+        await Task.Delay(1000);
+
+        // The instance stays deleted: no deployed-config row remains.
+        var configs = await _storage.GetAllDeployedConfigsAsync();
+        Assert.DoesNotContain(configs, c => c.InstanceUniqueName == "RaceTarget");
+
+        // The deployed count is back to 0 — neither over-decremented nor resurrected.
+        Assert.Equal(0, health.LastDeployedCount);
+    }
+
     [Fact]
     public async Task Redeploy_ExistingInstance_DoesNotOverCountDeployedInstances()
     {