fix(review): full code-review remediation — 5 High + Medium/Low across 16 modules

Remediation from the full per-module code review at 4307c381 (findings recorded
separately in code-reviews/).

Highs fixed:
- DeploymentManager-025/SiteRuntime-031: stop broadcasting notification lists + SMTP
  configs (incl. credentials) to sites; site purges already-persisted rows on apply
  (enforces the central-only delivery design; clears plaintext SMTP creds at rest).
- DataConnectionLayer-023: guard the native-alarm subscribe path against the
  mid-flight-unsubscribe adapter-feed leak (mirrors the DCL-021 tag-path fix).
- SiteEventLogging-024: normalize From/To query bounds to UTC (the -016 fix the
  audit trail claimed but never committed).
- KpiHistory-001: add an in-flight guard to the recorder sample tick.
- ScriptAnalysis-001: harden the trust analyzer's TPA-absent fallback (resolve
  forbidden anchors in the minimal reference set; warn on degraded mode) — anchors
  added to validation references only, never the compile gate.
(InboundAPI-026 left to the feat/ipsen-movein effort per owner decision.)

Medium/Low: DM-026 deterministic deploy-status tiebreaker; SR-027/028/029/030
native-alarm leak/phantom-active/delete-during-redeploy fixes; AL-013/014/016;
TE-024 (folder-mutation audit rows now persisted)/025; SF-025 gauge-provider
clear-on-stop; ESG-025/026; SEC-023/024/025; SCA-007/008/009; plus doc/test
accuracy COM-023/024, HOST-025/026, HM-024/025, NS-027/028.

Full-solution build 0 warnings; ~3560 tests across 18 touched suites green.

tests/ZB.MOM.WW.ScadaBridge.StoreAndForward.Tests/QueueDepthGaugeTests.cs

@@ -131,6 +131,84 @@ public class QueueDepthGaugeTests : IAsyncLifetime, IDisposable
         Assert.Equal(1, ReadQueueDepthGauge());
     }
 
+    /// <summary>
+    /// StoreAndForward-025: after a graceful <see cref="StoreAndForwardService.StopAsync"/>
+    /// the service must deregister its queue-depth provider from the process-global gauge
+    /// slot, so the gauge stops reporting the stopped instance's (now-frozen) depth and the
+    /// provider closure no longer pins the dead service. With the provider cleared the gauge
+    /// falls back to 0.
+    /// </summary>
+    [Fact]
+    public async Task StopAsync_ClearsQueueDepthProvider_GaugeFallsBackToZero()
+    {
+        var fresh = new StoreAndForwardService(
+            _storage,
+            new StoreAndForwardOptions { RetryTimerInterval = TimeSpan.FromMinutes(10) },
+            NullLogger<StoreAndForwardService>.Instance);
+
+        // Register a Pending row this instance owns, then start so the instance registers
+        // its provider and seeds the cached count to 1 → gauge reports 1.
+        await _storage.EnqueueAsync(new StoreAndForwardMessage
+        {
+            Id = Guid.NewGuid().ToString("N"),
+            Category = StoreAndForwardCategory.ExternalSystem,
+            Target = "api",
+            PayloadJson = "{}",
+            Status = StoreAndForwardMessageStatus.Pending,
+            CreatedAt = DateTimeOffset.UtcNow,
+            MaxRetries = 3
+        });
+        await fresh.StartAsync();
+        Assert.Equal(1, ReadQueueDepthGauge());
+
+        // Graceful stop must deregister the provider; the gauge falls back to 0 rather
+        // than reporting this dead instance's frozen depth of 1.
+        await fresh.StopAsync();
+        Assert.Equal(0, ReadQueueDepthGauge());
+    }
+
+    /// <summary>
+    /// StoreAndForward-025 (compare-and-clear): when a newer instance has already
+    /// registered its provider into the process-global slot, a late
+    /// <see cref="StoreAndForwardService.StopAsync"/> of an older instance must NOT clear
+    /// the slot — the identity-checked clear only removes the slot when it still holds the
+    /// stopping instance's own delegate. After the late stop the gauge must still report
+    /// the newer instance's depth, not 0.
+    /// </summary>
+    [Fact]
+    public async Task StopAsync_DoesNotClobberNewerInstanceProvider()
+    {
+        // Old instance: starts over an empty store, registers its provider (gauge → 0),
+        // then takes a single buffered message so it would report 1 if it stayed live.
+        var older = new StoreAndForwardService(
+            _storage,
+            new StoreAndForwardOptions { RetryTimerInterval = TimeSpan.FromMinutes(10) },
+            NullLogger<StoreAndForwardService>.Instance);
+        await older.StartAsync();
+        older.TestOnly_IncrementBufferedCount(); // older's depth would be 1
+        Assert.Equal(1, ReadQueueDepthGauge());
+
+        // New instance: starts and re-registers into the same global slot, winning it.
+        // It seeds from the (empty) store and stands in two buffered messages → depth 2.
+        var newer = new StoreAndForwardService(
+            _storage,
+            new StoreAndForwardOptions { RetryTimerInterval = TimeSpan.FromMinutes(10) },
+            NullLogger<StoreAndForwardService>.Instance);
+        await newer.StartAsync();
+        newer.TestOnly_IncrementBufferedCount();
+        newer.TestOnly_IncrementBufferedCount();
+        Assert.Equal(2, ReadQueueDepthGauge());
+
+        // Late stop of the OLDER instance: compare-and-clear must fail the identity check
+        // (the slot now holds the newer instance's delegate), so the newer provider stays.
+        await older.StopAsync();
+        Assert.Equal(2, ReadQueueDepthGauge());
+
+        // Cleanup: stop the newer instance, which legitimately clears its own provider.
+        await newer.StopAsync();
+        Assert.Equal(0, ReadQueueDepthGauge());
+    }
+
     [Fact]
     public async Task Gauge_SeedsFromExistingPendingRows_OnStart()
     {