fix(review): full code-review remediation — 5 High + Medium/Low across 16 modules

Remediation from the full per-module code review at 4307c381 (findings recorded
separately in code-reviews/).

Highs fixed:
- DeploymentManager-025/SiteRuntime-031: stop broadcasting notification lists + SMTP
  configs (incl. credentials) to sites; site purges already-persisted rows on apply
  (enforces the central-only delivery design; clears plaintext SMTP creds at rest).
- DataConnectionLayer-023: guard the native-alarm subscribe path against the
  mid-flight-unsubscribe adapter-feed leak (mirrors the DCL-021 tag-path fix).
- SiteEventLogging-024: normalize From/To query bounds to UTC (the -016 fix the
  audit trail claimed but never committed).
- KpiHistory-001: add an in-flight guard to the recorder sample tick.
- ScriptAnalysis-001: harden the trust analyzer's TPA-absent fallback (resolve
  forbidden anchors in the minimal reference set; warn on degraded mode) — anchors
  added to validation references only, never the compile gate.
(InboundAPI-026 left to the feat/ipsen-movein effort per owner decision.)

Medium/Low: DM-026 deterministic deploy-status tiebreaker; SR-027/028/029/030
native-alarm leak/phantom-active/delete-during-redeploy fixes; AL-013/014/016;
TE-024 (folder-mutation audit rows now persisted)/025; SF-025 gauge-provider
clear-on-stop; ESG-025/026; SEC-023/024/025; SCA-007/008/009; plus doc/test
accuracy COM-023/024, HOST-025/026, HM-024/025, NS-027/028.

Full-solution build 0 warnings; ~3560 tests across 18 touched suites green.

tests/ZB.MOM.WW.ScadaBridge.SiteRuntime.Tests/Persistence/ArtifactStorageTests.cs

@@ -1,5 +1,6 @@
 using Microsoft.Extensions.Logging.Abstractions;
 using ZB.MOM.WW.ScadaBridge.SiteRuntime.Persistence;
+using ZB.MOM.WW.ScadaBridge.SiteRuntime.Repositories;
 
 namespace ZB.MOM.WW.ScadaBridge.SiteRuntime.Tests.Persistence;
 
@@ -140,6 +141,42 @@ public class ArtifactStorageTests : IAsyncLifetime, IDisposable
         // Upsert should not throw
     }
 
+    // ── DeploymentManager-025 / SiteRuntime-031: central-only notif/SMTP purge ──
+
+    [Fact]
+    public async Task PurgeCentralOnlyNotificationConfig_RemovesPersistedNotificationListsAndSmtpRows()
+    {
+        // Simulate a pre-fix build that already shipped a notification list and an
+        // SMTP config (with a plaintext password) to the site.
+        await _storage.StoreNotificationListAsync("Ops Team", ["ops@example.com"]);
+        await _storage.StoreSmtpConfigurationAsync(
+            "smtp.example.com:587", "smtp.example.com", 587, "BasicAuth",
+            "noreply@example.com", "smtpuser", "PLAINTEXT-SECRET", null);
+
+        var repo = new SiteNotificationRepository(_storage);
+        Assert.NotEmpty(await repo.GetAllNotificationListsAsync());
+        Assert.NotEmpty(await repo.GetAllSmtpConfigurationsAsync());
+
+        // The fix: every artifact apply/deploy purges these central-only rows.
+        await _storage.PurgeCentralOnlyNotificationConfigAsync();
+
+        // Both tables are now empty — the plaintext SMTP credential is gone.
+        Assert.Empty(await repo.GetAllNotificationListsAsync());
+        Assert.Empty(await repo.GetAllSmtpConfigurationsAsync());
+    }
+
+    [Fact]
+    public async Task PurgeCentralOnlyNotificationConfig_IsIdempotent_OnEmptyTables()
+    {
+        // No rows present — purge must not throw and must leave the tables empty.
+        await _storage.PurgeCentralOnlyNotificationConfigAsync();
+        await _storage.PurgeCentralOnlyNotificationConfigAsync();
+
+        var repo = new SiteNotificationRepository(_storage);
+        Assert.Empty(await repo.GetAllNotificationListsAsync());
+        Assert.Empty(await repo.GetAllSmtpConfigurationsAsync());
+    }
+
     // ── Schema includes all WP-33 tables ──
 
     [Fact]