fix(review): full code-review remediation — 5 High + Medium/Low across 16 modules

Remediation from the full per-module code review at 4307c381 (findings recorded
separately in code-reviews/).

Highs fixed:
- DeploymentManager-025/SiteRuntime-031: stop broadcasting notification lists + SMTP
  configs (incl. credentials) to sites; site purges already-persisted rows on apply
  (enforces the central-only delivery design; clears plaintext SMTP creds at rest).
- DataConnectionLayer-023: guard the native-alarm subscribe path against the
  mid-flight-unsubscribe adapter-feed leak (mirrors the DCL-021 tag-path fix).
- SiteEventLogging-024: normalize From/To query bounds to UTC (the -016 fix the
  audit trail claimed but never committed).
- KpiHistory-001: add an in-flight guard to the recorder sample tick.
- ScriptAnalysis-001: harden the trust analyzer's TPA-absent fallback (resolve
  forbidden anchors in the minimal reference set; warn on degraded mode) — anchors
  added to validation references only, never the compile gate.
(InboundAPI-026 left to the feat/ipsen-movein effort per owner decision.)

Medium/Low: DM-026 deterministic deploy-status tiebreaker; SR-027/028/029/030
native-alarm leak/phantom-active/delete-during-redeploy fixes; AL-013/014/016;
TE-024 (folder-mutation audit rows now persisted)/025; SF-025 gauge-provider
clear-on-stop; ESG-025/026; SEC-023/024/025; SCA-007/008/009; plus doc/test
accuracy COM-023/024, HOST-025/026, HM-024/025, NS-027/028.

Full-solution build 0 warnings; ~3560 tests across 18 touched suites green.

tests/ZB.MOM.WW.ScadaBridge.TemplateEngine.Tests/Services/TemplateFolderServiceTests.cs

@@ -30,7 +30,8 @@ public class TemplateFolderServiceTests
         Assert.Equal("Dev", result.Value.Name);
         Assert.Null(result.Value.ParentFolderId);
         _repoMock.Verify(r => r.AddFolderAsync(It.IsAny<TemplateFolder>(), It.IsAny<CancellationToken>()), Times.Once);
-        _repoMock.Verify(r => r.SaveChangesAsync(It.IsAny<CancellationToken>()), Times.Once);
+        // Two saves: the folder entity, then the staged audit row (TemplateEngine-024).
+        _repoMock.Verify(r => r.SaveChangesAsync(It.IsAny<CancellationToken>()), Times.Exactly(2));
     }
 
     [Fact]
@@ -485,9 +486,120 @@ public class TemplateFolderServiceTests
         // Both swapped siblings persisted.
         _repoMock.Verify(r => r.UpdateFolderAsync(a, It.IsAny<CancellationToken>()), Times.Once);
         _repoMock.Verify(r => r.UpdateFolderAsync(b, It.IsAny<CancellationToken>()), Times.Once);
-        _repoMock.Verify(r => r.SaveChangesAsync(It.IsAny<CancellationToken>()), Times.Once);
+        // Two saves: the swapped siblings, then the staged audit row (TemplateEngine-024).
+        _repoMock.Verify(r => r.SaveChangesAsync(It.IsAny<CancellationToken>()), Times.Exactly(2));
         // Audit entry written (mirrors Move/Rename audit assertions).
         _auditMock.Verify(au => au.LogAsync("admin", "Reorder", "TemplateFolder", "2", "B",
             It.IsAny<object?>(), It.IsAny<CancellationToken>()), Times.Once);
     }
+
+    // ========================================================================
+    // TemplateEngine-024 — each folder mutator must SaveChanges *after* LogAsync
+    // so the staged audit row is persisted (and not discarded when the scope is
+    // disposed). Verified by tracking call order across the mutators.
+    // ========================================================================
+
+    [Fact]
+    public async Task CreateFolder_PersistsAuditRow_SaveFollowsLog()
+    {
+        AssertAuditRowPersisted(await BuildOrderTracker(async () =>
+            await _sut.CreateFolderAsync("Dev", null, "admin"),
+            seed: () => _repoMock.Setup(r => r.GetAllFoldersAsync(It.IsAny<CancellationToken>()))
+                .ReturnsAsync(new List<TemplateFolder>())));
+    }
+
+    [Fact]
+    public async Task RenameFolder_PersistsAuditRow_SaveFollowsLog()
+    {
+        var folder = new TemplateFolder("Old") { Id = 1, ParentFolderId = null };
+        AssertAuditRowPersisted(await BuildOrderTracker(async () =>
+            await _sut.RenameFolderAsync(1, "New", "admin"),
+            seed: () =>
+            {
+                _repoMock.Setup(r => r.GetFolderByIdAsync(1, It.IsAny<CancellationToken>())).ReturnsAsync(folder);
+                _repoMock.Setup(r => r.GetAllFoldersAsync(It.IsAny<CancellationToken>()))
+                    .ReturnsAsync(new List<TemplateFolder> { folder });
+            }));
+    }
+
+    [Fact]
+    public async Task MoveFolder_PersistsAuditRow_SaveFollowsLog()
+    {
+        var f1 = new TemplateFolder("A") { Id = 1, ParentFolderId = null };
+        var f2 = new TemplateFolder("B") { Id = 2, ParentFolderId = null };
+        AssertAuditRowPersisted(await BuildOrderTracker(async () =>
+            await _sut.MoveFolderAsync(1, 2, "admin"),
+            seed: () =>
+            {
+                _repoMock.Setup(r => r.GetFolderByIdAsync(1, It.IsAny<CancellationToken>())).ReturnsAsync(f1);
+                _repoMock.Setup(r => r.GetFolderByIdAsync(2, It.IsAny<CancellationToken>())).ReturnsAsync(f2);
+                _repoMock.Setup(r => r.GetAllFoldersAsync(It.IsAny<CancellationToken>()))
+                    .ReturnsAsync(new List<TemplateFolder> { f1, f2 });
+            }));
+    }
+
+    [Fact]
+    public async Task ReorderFolder_PersistsAuditRow_SaveFollowsLog()
+    {
+        var a = new TemplateFolder("A") { Id = 1, ParentFolderId = null, SortOrder = 0 };
+        var b = new TemplateFolder("B") { Id = 2, ParentFolderId = null, SortOrder = 1 };
+        AssertAuditRowPersisted(await BuildOrderTracker(async () =>
+            await _sut.ReorderFolderAsync(2, ReorderDirection.Up, "admin"),
+            seed: () =>
+            {
+                _repoMock.Setup(r => r.GetFolderByIdAsync(2, It.IsAny<CancellationToken>())).ReturnsAsync(b);
+                _repoMock.Setup(r => r.GetAllFoldersAsync(It.IsAny<CancellationToken>()))
+                    .ReturnsAsync(new List<TemplateFolder> { a, b });
+            }));
+    }
+
+    [Fact]
+    public async Task DeleteFolder_PersistsAuditRow_SaveFollowsLog()
+    {
+        var f = new TemplateFolder("Empty") { Id = 1 };
+        AssertAuditRowPersisted(await BuildOrderTracker(async () =>
+            await _sut.DeleteFolderAsync(1, "admin"),
+            seed: () =>
+            {
+                _repoMock.Setup(r => r.GetFolderByIdAsync(1, It.IsAny<CancellationToken>())).ReturnsAsync(f);
+                _repoMock.Setup(r => r.GetAllFoldersAsync(It.IsAny<CancellationToken>()))
+                    .ReturnsAsync(new List<TemplateFolder> { f });
+                _repoMock.Setup(r => r.GetAllTemplatesAsync(It.IsAny<CancellationToken>()))
+                    .ReturnsAsync(new List<Template>());
+            }));
+    }
+
+    /// <summary>
+    /// Records the interleaving of <c>LogAsync</c> and <c>SaveChangesAsync</c> calls
+    /// while invoking a mutator, returning the ordered list of call markers
+    /// ("save" / "log") observed during the operation.
+    /// </summary>
+    private async Task<List<string>> BuildOrderTracker(Func<Task> act, Action seed)
+    {
+        seed();
+        var calls = new List<string>();
+        _repoMock.Setup(r => r.SaveChangesAsync(It.IsAny<CancellationToken>()))
+            .Callback(() => calls.Add("save"))
+            .ReturnsAsync(1);
+        _auditMock.Setup(a => a.LogAsync(It.IsAny<string>(), It.IsAny<string>(), It.IsAny<string>(),
+                It.IsAny<string>(), It.IsAny<string>(), It.IsAny<object?>(), It.IsAny<CancellationToken>()))
+            .Callback(() => calls.Add("log"))
+            .Returns(Task.CompletedTask);
+
+        await act();
+        return calls;
+    }
+
+    /// <summary>
+    /// Asserts the mutator logged an audit entry and then issued a
+    /// <c>SaveChangesAsync</c> after it — proving the staged audit row is
+    /// persisted rather than discarded (TemplateEngine-024).
+    /// </summary>
+    private static void AssertAuditRowPersisted(List<string> calls)
+    {
+        var logIndex = calls.IndexOf("log");
+        Assert.True(logIndex >= 0, "Expected an audit LogAsync call.");
+        // There must be at least one SaveChangesAsync recorded *after* the log call.
+        Assert.Contains("save", calls.Skip(logIndex + 1));
+    }
 }

tests/ZB.MOM.WW.ScadaBridge.TemplateEngine.Tests/Validation/SemanticValidatorTests.cs

@@ -840,24 +840,6 @@ public class SemanticValidatorTests
         Assert.Contains(targets, t => t.TargetName == "Script2" && !t.IsShared && t.ArgumentCount == 0);
     }
 
-    [Fact]
-    public void ParseParameterDefinitions_ValidJson_ReturnsList()
-    {
-        var json = "[{\"name\":\"a\",\"type\":\"Int32\"},{\"name\":\"b\",\"type\":\"String\"}]";
-        var result = SemanticValidator.ParseParameterDefinitions(json);
-
-        Assert.Equal(2, result.Count);
-        Assert.Equal("Int32", result[0]);
-        Assert.Equal("String", result[1]);
-    }
-
-    [Fact]
-    public void ParseParameterDefinitions_NullOrEmpty_ReturnsEmpty()
-    {
-        Assert.Empty(SemanticValidator.ParseParameterDefinitions(null));
-        Assert.Empty(SemanticValidator.ParseParameterDefinitions(""));
-    }
-
     // ── HiLo validation ─────────────────────────────────────────────────────
 
     private static FlattenedConfiguration HiLoConfig(string attrName, string dataType, string triggerJson) =>