docs(code-reviews): regenerate index — all High findings resolved or re-triaged

Adds IsInherited/LockedInDerived to the TemplateAlarm entity (mirroring the
attribute/script override model), an EF migration, base-alarm copy-on-derive,
inherited-alarm flattening skip, and LockedInDerived override-rejection validation.

README.md

@@ -46,7 +46,7 @@ This document serves as the master index for the SCADA system design. The system
 | 10 | Security & Auth | [docs/requirements/Component-Security.md](docs/requirements/Component-Security.md) | Direct LDAP bind (LDAPS/StartTLS), JWT sessions (HMAC-SHA256, 15-min refresh, 30-min idle), role-based authorization, site-scoped permissions. |
 | 11 | Health Monitoring | [docs/requirements/Component-HealthMonitoring.md](docs/requirements/Component-HealthMonitoring.md) | 30s report interval, 60s offline threshold, monotonic sequence numbers, raw error counts, tag resolution counts, dead letter monitoring. |
 | 12 | Site Event Logging | [docs/requirements/Component-SiteEventLogging.md](docs/requirements/Component-SiteEventLogging.md) | SQLite storage, 30-day retention + 1GB cap, daily purge, paginated remote queries with keyword search. |
-| 13 | Cluster Infrastructure | [docs/requirements/Component-ClusterInfrastructure.md](docs/requirements/Component-ClusterInfrastructure.md) | Akka.NET cluster, keep-oldest SBR with down-if-alone, min-nr-of-members=1, 2s/10s/15s failure detection, CoordinatedShutdown, automatic dual-node recovery. |
+| 13 | Cluster Infrastructure | [docs/requirements/Component-ClusterInfrastructure.md](docs/requirements/Component-ClusterInfrastructure.md) | Akka.NET cluster, keep-oldest SBR with down-if-alone, min-nr-of-members=1, 2s/10s/15s failure detection, CoordinatedShutdown, automatic dual-node recovery. The `ClusterInfrastructure` project owns the `ClusterOptions` config model; the Akka bootstrap/SBR/CoordinatedShutdown wiring lives in the Host. |
 | 14 | Inbound API | [docs/requirements/Component-InboundAPI.md](docs/requirements/Component-InboundAPI.md) | POST /api/{methodName}, X-API-Key header, flat JSON, extended type system (Object/List), script-based implementations, failures-only logging. |
 | 15 | Host | [docs/requirements/Component-Host.md](docs/requirements/Component-Host.md) | Single deployable binary, role-based component registration, per-component config binding (Options pattern), readiness gating, dead letter monitoring, Akka.NET bootstrap, ASP.NET Core hosting for central. |
 | 16 | Commons | [docs/requirements/Component-Commons.md](docs/requirements/Component-Commons.md) | Namespace/folder convention (Types/Interfaces/Entities/Messages), shared data types, POCOs, repository interfaces, message contracts with additive-only versioning, UTC timestamp convention. |

code-reviews/ClusterInfrastructure/findings.md

@@ -8,7 +8,7 @@
 | Last reviewed | 2026-05-16 |
 | Reviewer | claude-agent |
 | Commit reviewed | `9c60592` |
-| Open findings | 8 |
+| Open findings | 7 |
 
 ## Summary
 
@@ -52,7 +52,7 @@ adequately for what exists.
 |--|--|
 | Severity | High |
 | Category | Design-document adherence |
-| Status | Open |
+| Status | Resolved |
 | Location | `src/ScadaLink.ClusterInfrastructure/ServiceCollectionExtensions.cs:9`, `src/ScadaLink.ClusterInfrastructure/ServiceCollectionExtensions.cs:16` |
 
 **Description**
@@ -123,9 +123,20 @@ of two substantial decisions, both requiring the user:
    shared `ClusterOptions` contract. That fix is a design-doc edit, also outside this
    module's permitted edit scope.
 
-Either path is a deliberate architecture decision, not a bug fix, so per
+Either path is a deliberate architecture decision, not a bug fix. The decision was
-REVIEW-PROCESS.md §2 this finding is left **Open** and surfaced for the user to decide.
+surfaced to the user, who chose **option 2 — accept the current placement**: the Akka
-No code change was made. Module test suite verified green (3 passed) at re-triage time.
+bootstrap stays in the Host (the single deployable binary that performs all actor-system
+bring-up), and the design docs are corrected to record the true ownership.
+
+**Resolved** — fixing commit `<pending>`, date 2026-05-16. The finding was a design-doc
+drift, not missing behaviour. `docs/requirements/Component-ClusterInfrastructure.md` now
+carries an "Implementation Note — Code Placement" section stating that the
+`ScadaLink.ClusterInfrastructure` project owns the `ClusterOptions` configuration model
+while `ScadaLink.Host` owns the Akka bootstrap, HOCON generation, split-brain-resolver
+wiring, `CoordinatedShutdown` integration, and active-node health checks. The README
+component table (row 13) was updated to match. No code change was required — the
+documented cluster behaviour already exists and is exercised; only the doc's
+module-ownership claim was wrong. Module test suite green (3 passed).
 
 ### ClusterInfrastructure-002 — No-op DI extension methods report success while doing nothing
 

code-reviews/DeploymentManager/findings.md

@@ -8,7 +8,7 @@
 | Last reviewed | 2026-05-16 |
 | Reviewer | claude-agent |
 | Commit reviewed | `9c60592` |
-| Open findings | 12 |
+| Open findings | 11 |
 
 ## Summary
 
@@ -231,7 +231,7 @@ _Unresolved._
 |--|--|
 | Severity | High |
 | Category | Design-document adherence |
-| Status | Open |
+| Status | Resolved |
 | Location | `src/ScadaLink.DeploymentManager/DeploymentService.cs:84-200,363-368` |
 
 **Description**
@@ -261,19 +261,32 @@ stale-rejection.
 
 **Resolution**
 
-_Unresolved._ Finding confirmed valid against the source — `GetDeploymentStatusAsync`
+Resolved 2026-05-16 (commit `<pending>`): implemented the cross-module
-only reads the local `DeploymentRecord` via `GetDeploymentByDeploymentIdAsync`,
+query-the-site-before-redeploy idempotency feature across Commons, SiteRuntime,
-and `DeployInstanceAsync` unconditionally generates a new deployment ID with no
+Communication, and DeploymentManager — new `DeploymentStateQueryRequest` /
-site reconciliation. Left Open: a proper fix is a cross-module new feature, not
+`DeploymentStateQueryResponse` contracts, a `DeploymentManagerActor` handler
-a bug fix scoped to `ScadaLink.DeploymentManager`. It requires (1) a new
+answering from the site's deployed-config store, a
-request/response message contract in `ScadaLink.Commons`, (2) a new
+`CommunicationService.QueryDeploymentStateAsync` method routed over the
-`CommunicationService` query method in `ScadaLink.Communication`, and (3)
+ClusterClient command/control transport, and reconciliation in
-site-side handling of the query — all outside the DeploymentManager module — plus
+`DeployInstanceAsync` (`TryReconcileWithSiteAsync`) that queries the site only
-a design decision on the query protocol. The reconciliation logic in
+when a prior record is `InProgress` or `Failed` due to a timeout, marks the
-`DeploymentService` cannot be implemented without those. Recommend tracking as a
+prior record `Success` without re-sending if the site already has the target
-dedicated cross-module feature work item (or, alternatively, amending the design
+revision hash, and falls through to a normal deploy (relying on site-side
-doc to delegate reconciliation entirely to site-side stale-rejection — also
+stale-rejection) when the query fails. Regression tests:
-outside this module's editable scope).
+`RoundTrip_DeploymentStateQueryRequest_Succeeds`,
+`RoundTrip_DeploymentStateQueryResponse_Deployed_Succeeds`,
+`RoundTrip_DeploymentStateQueryResponse_NotDeployed_NullApplied`,
+`DeploymentStateQuery_DeployedInstance_ReturnsAppliedIdentity`,
+`DeploymentStateQuery_UnknownInstance_ReturnsNotDeployed`,
+`DeploymentStateQuery_ForwardedToDeploymentManager`,
+`QueryDeploymentStateAsync_BeforeInitialization_Throws`,
+`QueryDeploymentStateAsync_SendsEnvelopeAndReturnsResponse`,
+`DeployInstanceAsync_PriorInProgressRecord_SiteHasTargetHash_MarksSuccessWithoutRedeploy`,
+`DeployInstanceAsync_PriorInProgressRecord_SiteHasDifferentHash_ProceedsWithDeploy`,
+`DeployInstanceAsync_PriorFailedTimeoutRecord_QueriesSite`,
+`DeployInstanceAsync_PriorSuccessRecord_SkipsSiteQuery`,
+`DeployInstanceAsync_FreshFirstTimeDeploy_SkipsSiteQuery`,
+`DeployInstanceAsync_PriorInProgressRecord_QueryFails_FallsThroughToDeploy`.
 
 ### DeploymentManager-007 — "Diff View" reduced to a hash comparison with no diff detail
 

code-reviews/README.md

@@ -40,10 +40,10 @@ module file and counted in **Total**.
 | Severity | Open findings |
 |----------|---------------|
 | Critical | 0 |
-| High | 3 |
+| High | 0 |
 | Medium | 100 |
 | Low | 90 |
-| **Total** | **193** |
+| **Total** | **190** |
 
 ## Module Status
 
@@ -51,12 +51,12 @@ module file and counted in **Total**.
 |--------|---------------|--------|----------------|------|-------|
 | [CLI](CLI/findings.md) | 2026-05-16 | `9c60592` | 0/0/6/6 | 12 | 13 |
 | [CentralUI](CentralUI/findings.md) | 2026-05-16 | `9c60592` | 0/0/10/5 | 15 | 19 |
-| [ClusterInfrastructure](ClusterInfrastructure/findings.md) | 2026-05-16 | `9c60592` | 0/1/4/3 | 8 | 8 |
+| [ClusterInfrastructure](ClusterInfrastructure/findings.md) | 2026-05-16 | `9c60592` | 0/0/4/3 | 7 | 8 |
 | [Commons](Commons/findings.md) | 2026-05-16 | `9c60592` | 0/0/4/8 | 12 | 12 |
 | [Communication](Communication/findings.md) | 2026-05-16 | `9c60592` | 0/0/5/3 | 8 | 11 |
 | [ConfigurationDatabase](ConfigurationDatabase/findings.md) | 2026-05-16 | `9c60592` | 0/0/4/6 | 10 | 11 |
 | [DataConnectionLayer](DataConnectionLayer/findings.md) | 2026-05-16 | `9c60592` | 0/0/6/2 | 8 | 13 |
-| [DeploymentManager](DeploymentManager/findings.md) | 2026-05-16 | `9c60592` | 0/1/6/5 | 12 | 14 |
+| [DeploymentManager](DeploymentManager/findings.md) | 2026-05-16 | `9c60592` | 0/0/6/5 | 11 | 14 |
 | [ExternalSystemGateway](ExternalSystemGateway/findings.md) | 2026-05-16 | `9c60592` | 0/0/7/4 | 11 | 14 |
 | [HealthMonitoring](HealthMonitoring/findings.md) | 2026-05-16 | `9c60592` | 0/0/5/5 | 10 | 12 |
 | [Host](Host/findings.md) | 2026-05-16 | `9c60592` | 0/0/3/7 | 10 | 11 |
@@ -67,7 +67,7 @@ module file and counted in **Total**.
 | [SiteEventLogging](SiteEventLogging/findings.md) | 2026-05-16 | `9c60592` | 0/0/4/3 | 7 | 11 |
 | [SiteRuntime](SiteRuntime/findings.md) | 2026-05-16 | `9c60592` | 0/0/8/5 | 13 | 16 |
 | [StoreAndForward](StoreAndForward/findings.md) | 2026-05-16 | `9c60592` | 0/0/4/7 | 11 | 14 |
-| [TemplateEngine](TemplateEngine/findings.md) | 2026-05-16 | `9c60592` | 0/1/5/4 | 10 | 14 |
+| [TemplateEngine](TemplateEngine/findings.md) | 2026-05-16 | `9c60592` | 0/0/5/4 | 9 | 14 |
 
 ## Pending Findings
 
@@ -80,13 +80,9 @@ description, location, recommendation — lives in the module's `findings.md`.
 
 _None open._
 
-### High (3)
+### High (0)
 
-| ID | Module | Title |
+_None open._
-|----|--------|-------|
-| ClusterInfrastructure-001 | [ClusterInfrastructure](ClusterInfrastructure/findings.md) | Module implements none of its documented responsibilities |
-| DeploymentManager-006 | [DeploymentManager](DeploymentManager/findings.md) | Query-the-site-before-redeploy idempotency requirement not implemented |
-| TemplateEngine-002 | [TemplateEngine](TemplateEngine/findings.md) | Derived templates omit all base alarms; composed alarms cannot be overridden per slot |
 
 ### Medium (100)
 

code-reviews/TemplateEngine/findings.md

@@ -8,7 +8,7 @@
 | Last reviewed | 2026-05-16 |
 | Reviewer | claude-agent |
 | Commit reviewed | `9c60592` |
-| Open findings | 10 |
+| Open findings | 9 |
 
 ## Summary
 
@@ -91,7 +91,7 @@ Regression tests: `Flatten_ThreeLevelComposition_AttributesAlarmsScriptsAllResol
 |--|--|
 | Severity | High |
 | Category | Correctness & logic bugs |
-| Status | Open |
+| Status | Resolved |
 | Location | `src/ScadaLink.TemplateEngine/TemplateService.cs:799` |
 
 **Description**
@@ -116,22 +116,25 @@ already do.
 
 **Resolution**
 
-_Unresolved (re-triaged 2026-05-16)._ Partially mis-stated and out of the
+Resolved 2026-05-16 (commit `<pending>`): implemented the per-slot alarm
-current fix scope. Correction to the description: composed/inherited alarms
+override mechanism as a coordinated `Commons` + `ConfigurationDatabase` +
-are **not** dropped from the flattened deployment output — `FlatteningService`
+`TemplateEngine` change, mirroring the existing attribute/script override
-resolves alarms from the entire inheritance chain (`ResolveInheritedAlarms`
+design. Added `IsInherited` / `LockedInDerived` to the `TemplateAlarm` POCO
-walks `templateChain`, which includes the base of a derived template), so an
+(`ScadaLink.Commons`) and an EF migration `AddDerivedAlarmFields` adding two
-instance of a derived template still receives the base template's alarms. The
+`bit NOT NULL DEFAULT 0` columns to `TemplateAlarms`. `BuildDerivedTemplate`
-real, valid gap is narrower: there is no per-slot **alarm override**
+now copies base alarms as `IsInherited = true` placeholder rows.
-mechanism. The fix genuinely requires adding `IsInherited` / `LockedInDerived`
+`FlatteningService.ResolveInheritedAlarms` skips `IsInherited` placeholder
-fields to the `TemplateAlarm` entity, which lives in `ScadaLink.Commons`
+rows so they no longer shadow the live base alarm, and `ValidateLockedInDerived`
-(a different module). Adding an alarm copy loop to `BuildDerivedTemplate`
+now rejects a derived override of a `LockedInDerived` base alarm.
-without those fields would be actively harmful: copied alarm rows on the
+`UpdateAlarmAsync` honours the base `LockedInDerived` lock and persists
-derived template would shadow the live base alarm with stale data during
+`IsInherited` / `LockedInDerived`, exactly as `UpdateAttributeAsync` /
-flattening (`ResolveInheritedAlarms` has no `IsInherited` skip for alarms,
+`UpdateScriptAsync` do. Regression tests:
-unlike attributes/scripts). Resolving this safely is a cross-module change
+`Flatten_InheritedAlarmOnDerived_BaseValueWins`,
-(`Commons` + `TemplateEngine`) and must be scheduled as a coordinated edit;
+`Flatten_OverriddenAlarmOnDerived_DerivedValueWins`,
-left **Open** pending that.
+`Flatten_LockedInDerivedAlarmOverride_Fails`,
+`AddComposition_CopiesAlarmsAsInherited`,
+`UpdateAlarm_LockedInDerivedBase_RejectsOnDerived`,
+`UpdateAlarm_DerivedOverride_PersistsIsInheritedFalse`.
 
 ### TemplateEngine-003 — `UpdateAttributeAsync` lets a non-locked attribute change its fixed DataType / DataSourceReference
 

docs/requirements/Component-ClusterInfrastructure.md

@@ -18,6 +18,26 @@ Both central and site clusters.
 - Support cluster singleton hosting (used by the Site Runtime Deployment Manager singleton on site clusters).
 - Manage Windows service lifecycle (start, stop, restart) on each node.
 
+## Implementation Note — Code Placement
+
+This component is a **design responsibility**, not a single buildable project that
+contains all of the code. The cluster-infrastructure responsibilities above are
+realised across two projects:
+
+- **`src/ScadaLink.ClusterInfrastructure`** owns the cluster **configuration model**:
+  the `ClusterOptions` POCO (seed nodes, roles, remoting/gRPC ports, failure-detection
+  timings, split-brain settings) bound from `appsettings.json` via the Options pattern.
+- **`src/ScadaLink.Host`** owns the cluster **bootstrap and runtime wiring**: it
+  builds the Akka.NET HOCON from `ClusterOptions`, starts the `ActorSystem`,
+  configures the keep-oldest split-brain resolver (`down-if-alone = on`), wires
+  `CoordinatedShutdown` into the service lifecycle, and provides active-node /
+  cluster-membership health checks. See `Component-Host.md` (REQ-HOST-*) for detail.
+
+This split is deliberate — the Host is the single deployable binary and the only
+project that performs Akka.NET bootstrap, so the cluster bring-up lives there
+alongside role-based component registration. The `ClusterInfrastructure` project
+remains the home of the configuration contract that the Host consumes.
+
 ## Cluster Topology
 
 ### Central Cluster

src/ScadaLink.Commons/Entities/Templates/TemplateAlarm.cs

@@ -14,6 +14,21 @@ public class TemplateAlarm
     public string? TriggerConfiguration { get; set; }
     public int? OnTriggerScriptId { get; set; }
 
+    /// <summary>
+    /// True when this row was copied from the base template and has not been
+    /// overridden on the derived template. Changes to the base flow downward
+    /// for inherited rows; an explicit override flips this to false.
+    /// Always false on base (non-derived) templates.
+    /// </summary>
+    public bool IsInherited { get; set; }
+
+    /// <summary>
+    /// Set on a base alarm. When true, derived templates may not override the
+    /// alarm — the row is rendered readonly with a 🔒 in the derived UI, and
+    /// any attempt to update it through the API is rejected.
+    /// </summary>
+    public bool LockedInDerived { get; set; }
+
     public TemplateAlarm(string name)
     {
         Name = name ?? throw new ArgumentNullException(nameof(name));

src/ScadaLink.Commons/Messages/Deployment/DeploymentStateQueryRequest.cs

@@ -0,0 +1,13 @@
+namespace ScadaLink.Commons.Messages.Deployment;
+
+/// <summary>
+/// Central→site query for the currently-applied deployment state of a single
+/// instance. Issued by the Deployment Manager before a re-deploy when a prior
+/// deployment record is stuck <c>InProgress</c> or <c>Failed</c> due to a
+/// timeout, so the site's actual state can be reconciled against the target
+/// revision before re-sending a deployment ("Deployment Identity &amp; Idempotency").
+/// </summary>
+public record DeploymentStateQueryRequest(
+    string CorrelationId,
+    string InstanceUniqueName,
+    DateTimeOffset Timestamp);

src/ScadaLink.Commons/Messages/Deployment/DeploymentStateQueryResponse.cs

@@ -0,0 +1,15 @@
+namespace ScadaLink.Commons.Messages.Deployment;
+
+/// <summary>
+/// Site→central response carrying the instance's currently-applied deployment
+/// state. If <see cref="IsDeployed"/> is <c>false</c> the instance has no
+/// deployed configuration at the site and <see cref="AppliedDeploymentId"/> /
+/// <see cref="AppliedRevisionHash"/> are <c>null</c>.
+/// </summary>
+public record DeploymentStateQueryResponse(
+    string CorrelationId,
+    string InstanceUniqueName,
+    bool IsDeployed,
+    string? AppliedDeploymentId,
+    string? AppliedRevisionHash,
+    DateTimeOffset Timestamp);

src/ScadaLink.Communication/Actors/SiteCommunicationActor.cs

@@ -76,6 +76,11 @@ public class SiteCommunicationActor : ReceiveActor, IWithTimers
         Receive<EnableInstanceCommand>(msg => _deploymentManagerProxy.Forward(msg));
         Receive<DeleteInstanceCommand>(msg => _deploymentManagerProxy.Forward(msg));
 
+        // DeploymentManager-006: query-the-site-before-redeploy — forward to
+        // the Deployment Manager, which owns the deployed-config store and
+        // answers with the instance's currently-applied deployment identity.
+        Receive<DeploymentStateQueryRequest>(msg => _deploymentManagerProxy.Forward(msg));
+
         // Pattern 3: Artifact Deployment — forward to artifact handler if registered
         Receive<DeployArtifactsCommand>(msg =>
         {

src/ScadaLink.Communication/CommunicationService.cs

@@ -73,6 +73,26 @@ public class CommunicationService
             envelope, _options.DeploymentTimeout, cancellationToken);
     }
 
+    /// <summary>
+    /// DeploymentManager-006: queries a site for the currently-applied deployment
+    /// identity of a single instance. Used by the Deployment Manager before a
+    /// re-deploy to reconcile against the site's actual state. Sent over the
+    /// existing ClusterClient command/control transport; the Ask times out (no
+    /// central buffering) if the site is unreachable, and the caller falls
+    /// through to a normal deploy.
+    /// </summary>
+    public async Task<DeploymentStateQueryResponse> QueryDeploymentStateAsync(
+        string siteId, DeploymentStateQueryRequest request, CancellationToken cancellationToken = default)
+    {
+        _logger.LogDebug(
+            "Sending DeploymentStateQueryRequest to site {SiteId}, instance={Instance}, correlationId={CorrelationId}",
+            siteId, request.InstanceUniqueName, request.CorrelationId);
+
+        var envelope = new SiteEnvelope(siteId, request);
+        return await GetActor().Ask<DeploymentStateQueryResponse>(
+            envelope, _options.QueryTimeout, cancellationToken);
+    }
+
     // ── Pattern 2: Lifecycle ──
 
     public async Task<InstanceLifecycleResponse> DisableInstanceAsync(

src/ScadaLink.ConfigurationDatabase/Migrations/20260517000628_AddDerivedAlarmFields.cs

@@ -0,0 +1,40 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace ScadaLink.ConfigurationDatabase.Migrations
+{
+    /// <inheritdoc />
+    public partial class AddDerivedAlarmFields : Migration
+    {
+        /// <inheritdoc />
+        protected override void Up(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.AddColumn<bool>(
+                name: "IsInherited",
+                table: "TemplateAlarms",
+                type: "bit",
+                nullable: false,
+                defaultValue: false);
+
+            migrationBuilder.AddColumn<bool>(
+                name: "LockedInDerived",
+                table: "TemplateAlarms",
+                type: "bit",
+                nullable: false,
+                defaultValue: false);
+        }
+
+        /// <inheritdoc />
+        protected override void Down(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.DropColumn(
+                name: "IsInherited",
+                table: "TemplateAlarms");
+
+            migrationBuilder.DropColumn(
+                name: "LockedInDerived",
+                table: "TemplateAlarms");
+        }
+    }
+}

src/ScadaLink.ConfigurationDatabase/Migrations/ScadaLinkDbContextModelSnapshot.cs

@@ -917,9 +917,15 @@ namespace ScadaLink.ConfigurationDatabase.Migrations
                         .HasMaxLength(2000)
                         .HasColumnType("nvarchar(2000)");
 
+                    b.Property<bool>("IsInherited")
+                        .HasColumnType("bit");
+
                     b.Property<bool>("IsLocked")
                         .HasColumnType("bit");
 
+                    b.Property<bool>("LockedInDerived")
+                        .HasColumnType("bit");
+
                     b.Property<string>("Name")
                         .IsRequired()
                         .HasMaxLength(200)

src/ScadaLink.DeploymentManager/DeploymentService.cs

@@ -43,6 +43,14 @@ public class DeploymentService
     private readonly DeploymentManagerOptions _options;
     private readonly ILogger<DeploymentService> _logger;
 
+    /// <summary>
+    /// Prefix written to <see cref="DeploymentRecord.ErrorMessage"/> when a
+    /// deployment fails because the site command timed out or was cancelled.
+    /// Used by the query-before-redeploy trigger (DeploymentManager-006) to tell
+    /// a timeout-induced failure apart from other deployment errors.
+    /// </summary>
+    private const string TimeoutFailurePrefix = "Communication failure:";
+
     public DeploymentService(
         IDeploymentManagerRepository repository,
         ISiteRepository siteRepository,
@@ -118,6 +126,18 @@ public class DeploymentService
             return Result<DeploymentRecord>.Failure($"Pre-deployment validation failed: {errors}");
         }
 
+        // DeploymentManager-006: query-the-site-before-redeploy idempotency.
+        // If a prior deployment for this instance is stuck InProgress or Failed
+        // due to a timeout, the site may have actually applied the config. Query
+        // the site for its currently-applied revision before re-sending so a
+        // duplicate deployment is not produced (design: "Deployment Identity &
+        // Idempotency"). A clean prior Success or a fresh first-time deploy
+        // skips this extra round-trip.
+        var reconciled = await TryReconcileWithSiteAsync(
+            instance, revisionHash, cancellationToken);
+        if (reconciled != null)
+            return Result<DeploymentRecord>.Success(reconciled);
+
         // Serialize for transmission
         var configJson = JsonSerializer.Serialize(flattenedConfig);
 
@@ -199,7 +219,7 @@ public class DeploymentService
 
             record.Status = DeploymentStatus.Failed;
             record.ErrorMessage = isTimeout
-                ? $"Communication failure: {ex.Message}"
+                ? $"{TimeoutFailurePrefix} {ex.Message}"
                 : $"Deployment error: {ex.Message}";
             record.CompletedAt = DateTimeOffset.UtcNow;
 
@@ -401,6 +421,105 @@ public class DeploymentService
         return await _repository.GetDeploymentByDeploymentIdAsync(deploymentId, cancellationToken);
     }
 
+    /// <summary>
+    /// DeploymentManager-006: query-the-site-before-redeploy reconciliation.
+    ///
+    /// The site query is issued ONLY when a prior <see cref="DeploymentRecord"/>
+    /// for this instance is stuck <see cref="DeploymentStatus.InProgress"/>, or
+    /// is <see cref="DeploymentStatus.Failed"/> due to a timeout — the only
+    /// cases where the site may have applied the config without central
+    /// learning of it. Fresh first-time deploys and redeploys after a clean
+    /// prior <see cref="DeploymentStatus.Success"/> skip the extra round-trip.
+    ///
+    /// Reconciliation: if the site already has the TARGET revision hash, the
+    /// prior record is marked <see cref="DeploymentStatus.Success"/> and
+    /// returned (the caller must NOT re-send the deploy). Otherwise <c>null</c>
+    /// is returned and the normal deploy proceeds.
+    ///
+    /// Query failure: if the site is unreachable or the query times out, this
+    /// returns <c>null</c> (fall through to a normal deploy) — site-side
+    /// stale-rejection of an older revision hash is the safety net. The deploy
+    /// is never aborted on a failed query.
+    /// </summary>
+    private async Task<DeploymentRecord?> TryReconcileWithSiteAsync(
+        Instance instance,
+        string targetRevisionHash,
+        CancellationToken cancellationToken)
+    {
+        var prior = await _repository.GetCurrentDeploymentStatusAsync(instance.Id, cancellationToken);
+        if (prior == null || !ShouldQuerySiteBeforeRedeploy(prior))
+            return null;
+
+        DeploymentStateQueryResponse response;
+        try
+        {
+            var siteId = await ResolveSiteIdentifierAsync(instance.SiteId, cancellationToken);
+            var query = new DeploymentStateQueryRequest(
+                Guid.NewGuid().ToString("N"), instance.UniqueName, DateTimeOffset.UtcNow);
+
+            _logger.LogInformation(
+                "Querying site {SiteId} for applied deployment state of instance {Instance} " +
+                "before re-deploy (prior record {DeploymentId} is {Status})",
+                siteId, instance.UniqueName, prior.DeploymentId, prior.Status);
+
+            response = await _communicationService.QueryDeploymentStateAsync(
+                siteId, query, cancellationToken);
+        }
+        catch (Exception ex)
+        {
+            // Query failure (site unreachable / timeout): do NOT abort. Fall
+            // through to a normal deploy; site-side stale-rejection of an older
+            // revision hash is the safety net.
+            _logger.LogWarning(ex,
+                "Site query before re-deploy of instance {Instance} failed; " +
+                "proceeding with normal deploy (site-side stale-rejection is the safety net)",
+                instance.UniqueName);
+            return null;
+        }
+
+        if (response.IsDeployed &&
+            string.Equals(response.AppliedRevisionHash, targetRevisionHash, StringComparison.Ordinal))
+        {
+            // The site already has the target revision — the prior deployment
+            // actually succeeded. Reconcile the stale record instead of
+            // re-sending the deploy.
+            _logger.LogInformation(
+                "Site already has target revision {RevisionHash} for instance {Instance}; " +
+                "marking prior deployment record {DeploymentId} Success without re-deploying",
+                targetRevisionHash, instance.UniqueName, prior.DeploymentId);
+
+            prior.Status = DeploymentStatus.Success;
+            prior.ErrorMessage = null;
+            prior.CompletedAt = DateTimeOffset.UtcNow;
+            await _repository.UpdateDeploymentRecordAsync(prior, cancellationToken);
+            await _repository.SaveChangesAsync(cancellationToken);
+
+            await _auditService.LogAsync(prior.DeployedBy, "DeployReconciled", "Instance",
+                instance.Id.ToString(), instance.UniqueName,
+                new { DeploymentId = prior.DeploymentId, RevisionHash = targetRevisionHash },
+                cancellationToken);
+
+            return prior;
+        }
+
+        // Site does not have the target revision (or is not deployed) — proceed
+        // with the normal deploy.
+        return null;
+    }
+
+    /// <summary>
+    /// DeploymentManager-006: the site is queried before a re-deploy only when a
+    /// prior record is stuck <see cref="DeploymentStatus.InProgress"/>, or is
+    /// <see cref="DeploymentStatus.Failed"/> because the site command timed out
+    /// (detected via the <see cref="TimeoutFailurePrefix"/> error-message
+    /// marker). All other prior states skip the query.
+    /// </summary>
+    private static bool ShouldQuerySiteBeforeRedeploy(DeploymentRecord prior) =>
+        prior.Status == DeploymentStatus.InProgress
+        || (prior.Status == DeploymentStatus.Failed
+            && prior.ErrorMessage != null
+            && prior.ErrorMessage.StartsWith(TimeoutFailurePrefix, StringComparison.Ordinal));
+
     private async Task StoreDeployedSnapshotAsync(
         int instanceId,
         string deploymentId,

src/ScadaLink.SiteRuntime/Actors/DeploymentManagerActor.cs

@@ -78,6 +78,12 @@ public class DeploymentManagerActor : ReceiveActor, IWithTimers
         Receive<EnableInstanceCommand>(HandleEnable);
         Receive<DeleteInstanceCommand>(HandleDelete);
 
+        // DeploymentManager-006: query-the-site-before-redeploy idempotency.
+        // Central asks for the instance's currently-applied deployment identity
+        // before re-sending a deployment whose prior record is stuck InProgress
+        // or Failed due to a timeout.
+        Receive<DeploymentStateQueryRequest>(HandleDeploymentStateQuery);
+
         // WP-33: Handle system-wide artifact deployment
         Receive<DeployArtifactsCommand>(HandleDeployArtifacts);
 
@@ -446,6 +452,44 @@ public class DeploymentManagerActor : ReceiveActor, IWithTimers
         _logger.LogInformation("Instance {Instance} deleted", instanceName);
     }
 
+    /// <summary>
+    /// DeploymentManager-006: answers a central query for the instance's
+    /// currently-applied deployment identity. The site's deployed-config store
+    /// (SQLite) is the authoritative record — it covers both enabled and
+    /// disabled instances, and survives node restart/failover. If the instance
+    /// has no stored config, the response reports <c>IsDeployed = false</c> with
+    /// null identity so central falls through to a normal deploy.
+    /// </summary>
+    private void HandleDeploymentStateQuery(DeploymentStateQueryRequest request)
+    {
+        var sender = Sender;
+        var instanceName = request.InstanceUniqueName;
+
+        _storage.GetAllDeployedConfigsAsync().ContinueWith(t =>
+        {
+            if (!t.IsCompletedSuccessfully)
+            {
+                _logger.LogError(
+                    t.Exception?.GetBaseException(),
+                    "Failed to read deployed configs for deployment state query of {Instance}",
+                    instanceName);
+                // Treat a storage read failure as "unknown" — central falls
+                // through to a normal deploy and relies on site-side
+                // stale-rejection as the safety net.
+                return new DeploymentStateQueryResponse(
+                    request.CorrelationId, instanceName, false, null, null, DateTimeOffset.UtcNow);
+            }
+
+            var config = t.Result.FirstOrDefault(c => c.InstanceUniqueName == instanceName);
+            return config == null
+                ? new DeploymentStateQueryResponse(
+                    request.CorrelationId, instanceName, false, null, null, DateTimeOffset.UtcNow)
+                : new DeploymentStateQueryResponse(
+                    request.CorrelationId, instanceName, true,
+                    config.DeploymentId, config.RevisionHash, DateTimeOffset.UtcNow);
+        }).PipeTo(sender);
+    }
+
     // ── DCL connection management ──
 
     private readonly HashSet<string> _createdConnections = new();

src/ScadaLink.TemplateEngine/Flattening/FlatteningService.cs

@@ -180,13 +180,14 @@ public class FlatteningService
 
     /// <summary>
     /// Reports any LockedInDerived violations across the chain — i.e., a base
-    /// attribute/script marked LockedInDerived that a downstream derived
+    /// attribute/alarm/script marked LockedInDerived that a downstream derived
     /// template overrides (IsInherited=false). Returns null on success or an
     /// error message describing the first offending entries.
     /// </summary>
     private static string? ValidateLockedInDerived(IReadOnlyList<Template> templateChain)
     {
         var attrLocks = new Dictionary<string, Template>(StringComparer.Ordinal);
+        var alarmLocks = new Dictionary<string, Template>(StringComparer.Ordinal);
         var scriptLocks = new Dictionary<string, Template>(StringComparer.Ordinal);
         var errors = new List<string>();
 
@@ -202,6 +203,14 @@ public class FlatteningService
                     errors.Add($"Attribute '{attr.Name}' is LockedInDerived by base template '{lockingTemplate.Name}' and cannot be overridden by '{template.Name}'.");
             }
 
+            foreach (var alarm in template.Alarms)
+            {
+                if (alarm.LockedInDerived)
+                    alarmLocks[alarm.Name] = template;
+                else if (!alarm.IsInherited && alarmLocks.TryGetValue(alarm.Name, out var lockingTemplate) && lockingTemplate.Id != template.Id)
+                    errors.Add($"Alarm '{alarm.Name}' is LockedInDerived by base template '{lockingTemplate.Name}' and cannot be overridden by '{template.Name}'.");
+            }
+
             foreach (var script in template.Scripts)
             {
                 if (script.LockedInDerived)
@@ -385,8 +394,16 @@ public class FlatteningService
 
             foreach (var alarm in template.Alarms)
             {
-                if (result.TryGetValue(alarm.Name, out var existing) && existing.IsLocked)
+                if (result.TryGetValue(alarm.Name, out var existing))
-                    continue;
+                {
+                    if (existing.IsLocked)
+                        continue;
+                    // IsInherited rows on a derived template are placeholders
+                    // that must not shadow the live base alarm; they only
+                    // contribute a row when the base lacks one.
+                    if (alarm.IsInherited)
+                        continue;
+                }
 
                 // HiLo per-setpoint override: derived templates can supply a
                 // partial TriggerConfiguration (e.g., just `hi`) and have the

src/ScadaLink.TemplateEngine/TemplateService.cs

@@ -398,6 +398,16 @@ public class TemplateService
             if (parentMember != null && parentMember.IsLocked)
                 return Result<TemplateAlarm>.Failure(
                     $"Alarm '{existing.Name}' is locked in parent and cannot be overridden.");
+
+            // Derived templates may not override alarms the base marked LockedInDerived.
+            if (template.IsDerived)
+            {
+                var baseTemplate = await _repository.GetTemplateByIdAsync(template.ParentTemplateId.Value, cancellationToken);
+                var baseAlarm = baseTemplate?.Alarms.FirstOrDefault(a => a.Name == existing.Name);
+                if (baseAlarm != null && baseAlarm.LockedInDerived)
+                    return Result<TemplateAlarm>.Failure(
+                        $"Alarm '{existing.Name}' is locked by base template '{baseTemplate!.Name}' and cannot be overridden.");
+            }
         }
 
         // Validate fixed fields
@@ -411,6 +421,10 @@ public class TemplateService
         existing.Description = proposed.Description;
         existing.OnTriggerScriptId = proposed.OnTriggerScriptId;
         existing.IsLocked = proposed.IsLocked;
+        if (template?.IsDerived == true)
+            existing.IsInherited = proposed.IsInherited;
+        else
+            existing.LockedInDerived = proposed.LockedInDerived;
         // Name and TriggerType are NOT updated (fixed)
 
         await _repository.UpdateTemplateAlarmAsync(existing, cancellationToken);
@@ -818,6 +832,21 @@ public class TemplateService
             });
         }
 
+        foreach (var alarm in baseTemplate.Alarms)
+        {
+            derived.Alarms.Add(new TemplateAlarm(alarm.Name)
+            {
+                Description = alarm.Description,
+                PriorityLevel = alarm.PriorityLevel,
+                IsLocked = alarm.IsLocked,
+                TriggerType = alarm.TriggerType,
+                TriggerConfiguration = alarm.TriggerConfiguration,
+                OnTriggerScriptId = alarm.OnTriggerScriptId,
+                IsInherited = true,
+                LockedInDerived = false,
+            });
+        }
+
         foreach (var script in baseTemplate.Scripts)
         {
             derived.Scripts.Add(new TemplateScript(script.Name, script.Code)

tests/ScadaLink.Commons.Tests/Messages/CompatibilityTests.cs

@@ -326,4 +326,48 @@ public class CompatibilityTests
         Assert.NotNull(msg);
         Assert.Equal((DeploymentStatus)99, msg!.Status);
     }
+
+    // ── DeploymentManager-006: query-the-site-before-redeploy contracts ──
+
+    [Fact]
+    public void RoundTrip_DeploymentStateQueryRequest_Succeeds()
+    {
+        var msg = new DeploymentStateQueryRequest("corr-1", "inst-1", DateTimeOffset.UtcNow);
+        var json = JsonSerializer.Serialize(msg);
+        var deserialized = JsonSerializer.Deserialize<DeploymentStateQueryRequest>(json, Options);
+
+        Assert.NotNull(deserialized);
+        Assert.Equal("corr-1", deserialized!.CorrelationId);
+        Assert.Equal("inst-1", deserialized.InstanceUniqueName);
+    }
+
+    [Fact]
+    public void RoundTrip_DeploymentStateQueryResponse_Deployed_Succeeds()
+    {
+        var msg = new DeploymentStateQueryResponse(
+            "corr-1", "inst-1", true, "dep-9", "sha256:abc", DateTimeOffset.UtcNow);
+        var json = JsonSerializer.Serialize(msg);
+        var deserialized = JsonSerializer.Deserialize<DeploymentStateQueryResponse>(json, Options);
+
+        Assert.NotNull(deserialized);
+        Assert.True(deserialized!.IsDeployed);
+        Assert.Equal("dep-9", deserialized.AppliedDeploymentId);
+        Assert.Equal("sha256:abc", deserialized.AppliedRevisionHash);
+    }
+
+    [Fact]
+    public void RoundTrip_DeploymentStateQueryResponse_NotDeployed_NullApplied()
+    {
+        // When the instance is not deployed at the site, the applied identity
+        // fields are null — verified to survive a JSON round-trip.
+        var msg = new DeploymentStateQueryResponse(
+            "corr-1", "inst-1", false, null, null, DateTimeOffset.UtcNow);
+        var json = JsonSerializer.Serialize(msg);
+        var deserialized = JsonSerializer.Deserialize<DeploymentStateQueryResponse>(json, Options);
+
+        Assert.NotNull(deserialized);
+        Assert.False(deserialized!.IsDeployed);
+        Assert.Null(deserialized.AppliedDeploymentId);
+        Assert.Null(deserialized.AppliedRevisionHash);
+    }
 }

tests/ScadaLink.Communication.Tests/CommunicationServiceTests.cs

@@ -1,12 +1,15 @@
+using Akka.Actor;
+using Akka.TestKit.Xunit2;
 using Microsoft.Extensions.Logging.Abstractions;
 using Microsoft.Extensions.Options;
+using ScadaLink.Commons.Messages.Deployment;
 
 namespace ScadaLink.Communication.Tests;
 
 /// <summary>
 /// WP-2: Tests for CommunicationService initialization and state.
 /// </summary>
-public class CommunicationServiceTests
+public class CommunicationServiceTests : TestKit
 {
     [Fact]
     public async Task BeforeInitialization_ThrowsOnUsage()
@@ -18,7 +21,7 @@ public class CommunicationServiceTests
         // CommunicationService requires SetCommunicationActor before use
         await Assert.ThrowsAsync<InvalidOperationException>(() =>
             service.DeployInstanceAsync("site1",
-                new Commons.Messages.Deployment.DeployInstanceCommand(
+                new DeployInstanceCommand(
                     "dep1", "inst1", "hash1", "{}", "admin", DateTimeOffset.UtcNow)));
     }
 
@@ -30,4 +33,63 @@ public class CommunicationServiceTests
         Assert.NotNull(method);
         Assert.Equal(typeof(void), method!.ReturnType);
     }
+
+    // ── DeploymentManager-006: query-the-site-before-redeploy ──
+
+    [Fact]
+    public async Task QueryDeploymentStateAsync_BeforeInitialization_Throws()
+    {
+        var service = new CommunicationService(
+            Options.Create(new CommunicationOptions()),
+            NullLogger<CommunicationService>.Instance);
+
+        await Assert.ThrowsAsync<InvalidOperationException>(() =>
+            service.QueryDeploymentStateAsync("site1",
+                new DeploymentStateQueryRequest("corr-1", "inst1", DateTimeOffset.UtcNow)));
+    }
+
+    [Fact]
+    public async Task QueryDeploymentStateAsync_SendsEnvelopeAndReturnsResponse()
+    {
+        // The query must be dispatched as a SiteEnvelope over the existing
+        // command/control transport, exactly like other site-directed commands,
+        // and the typed response returned to the caller.
+        var service = new CommunicationService(
+            Options.Create(new CommunicationOptions()),
+            NullLogger<CommunicationService>.Instance);
+
+        // A probe stands in for CentralCommunicationActor: it asserts the
+        // envelope shape and replies with a typed response.
+        var commActor = Sys.ActorOf(Props.Create(() => new EchoStateQueryActor()));
+        service.SetCommunicationActor(commActor);
+
+        var request = new DeploymentStateQueryRequest("corr-9", "QueriedInst", DateTimeOffset.UtcNow);
+        var response = await service.QueryDeploymentStateAsync("site-a", request);
+
+        Assert.Equal("corr-9", response.CorrelationId);
+        Assert.Equal("QueriedInst", response.InstanceUniqueName);
+        Assert.True(response.IsDeployed);
+        Assert.Equal("sha256:applied", response.AppliedRevisionHash);
+    }
+
+    /// <summary>
+    /// Stand-in for CentralCommunicationActor: verifies the message is wrapped
+    /// in a SiteEnvelope targeting the requested site and replies with a typed
+    /// DeploymentStateQueryResponse.
+    /// </summary>
+    private class EchoStateQueryActor : ReceiveActor
+    {
+        public EchoStateQueryActor()
+        {
+            Receive<SiteEnvelope>(env =>
+            {
+                if (env is { SiteId: "site-a", Message: DeploymentStateQueryRequest req })
+                {
+                    Sender.Tell(new DeploymentStateQueryResponse(
+                        req.CorrelationId, req.InstanceUniqueName, true,
+                        "dep-applied", "sha256:applied", DateTimeOffset.UtcNow));
+                }
+            });
+        }
+    }
 }

tests/ScadaLink.Communication.Tests/SiteCommunicationActorTests.cs

@@ -51,6 +51,22 @@ public class SiteCommunicationActorTests : TestKit
         dmProbe.ExpectMsg<DeleteInstanceCommand>();
     }
 
+    [Fact]
+    public void DeploymentStateQuery_ForwardedToDeploymentManager()
+    {
+        // DeploymentManager-006: the site-before-redeploy query travels over the
+        // ClusterClient command/control transport and is routed to the local
+        // Deployment Manager, which owns the deployed-config store.
+        var dmProbe = CreateTestProbe();
+        var siteActor = Sys.ActorOf(Props.Create(() =>
+            new SiteCommunicationActor("site1", _options, dmProbe.Ref)));
+
+        var request = new DeploymentStateQueryRequest("corr-q", "inst1", DateTimeOffset.UtcNow);
+        siteActor.Tell(request);
+
+        dmProbe.ExpectMsg<DeploymentStateQueryRequest>(msg => msg.CorrelationId == "corr-q");
+    }
+
     [Fact]
     public void IntegrationCall_WithoutHandler_ReturnsFailure()
     {

tests/ScadaLink.DeploymentManager.Tests/DeploymentServiceTests.cs

@@ -1,3 +1,5 @@
+using Akka.Actor;
+using Akka.TestKit.Xunit2;
 using Microsoft.Extensions.Logging.Abstractions;
 using Microsoft.Extensions.Options;
 using NSubstitute;
@@ -17,7 +19,7 @@ namespace ScadaLink.DeploymentManager.Tests;
 /// <summary>
 /// WP-1/2/4/5/6/8/16: Tests for central-side DeploymentService.
 /// </summary>
-public class DeploymentServiceTests
+public class DeploymentServiceTests : TestKit
 {
     private readonly IDeploymentManagerRepository _repo;
     private readonly IFlatteningPipeline _pipeline;
@@ -363,4 +365,253 @@ public class DeploymentServiceTests
         // Failure case does not reach audit (returns before communication)
         // The audit is only logged after communication succeeds/fails
     }
+
+    // ── DeploymentManager-006: query-the-site-before-redeploy idempotency ──
+
+    /// <summary>
+    /// Builds a DeploymentService whose CommunicationService is backed by the
+    /// supplied actor, so the site query and deploy commands can be observed.
+    /// </summary>
+    private DeploymentService CreateServiceWithCommActor(IActorRef commActor)
+    {
+        var comms = new CommunicationService(
+            Options.Create(new CommunicationOptions
+            {
+                QueryTimeout = TimeSpan.FromSeconds(5),
+                DeploymentTimeout = TimeSpan.FromSeconds(5)
+            }),
+            NullLogger<CommunicationService>.Instance);
+        comms.SetCommunicationActor(commActor);
+
+        var siteRepo = Substitute.For<ISiteRepository>();
+        return new DeploymentService(
+            _repo, siteRepo, _pipeline, comms, _lockManager, _audit,
+            Options.Create(new DeploymentManagerOptions { OperationLockTimeout = TimeSpan.FromSeconds(5) }),
+            NullLogger<DeploymentService>.Instance);
+    }
+
+    private void SetupValidPipeline(int instanceId, string instanceName, string revisionHash)
+    {
+        var config = new FlattenedConfiguration { InstanceUniqueName = instanceName };
+        _pipeline.FlattenAndValidateAsync(instanceId, Arg.Any<CancellationToken>())
+            .Returns(Result<FlatteningPipelineResult>.Success(
+                new FlatteningPipelineResult(config, revisionHash, ValidationResult.Success())));
+    }
+
+    [Fact]
+    public async Task DeployInstanceAsync_PriorInProgressRecord_SiteHasTargetHash_MarksSuccessWithoutRedeploy()
+    {
+        // Prior record stuck InProgress -> site is queried. The site reports it
+        // already has the TARGET revision hash, so the prior record is marked
+        // Success and NO new DeployInstanceCommand is sent.
+        var instance = new Instance("RedeployInst") { Id = 7, SiteId = 1, State = InstanceState.Enabled };
+        _repo.GetInstanceByIdAsync(7, Arg.Any<CancellationToken>()).Returns(instance);
+        SetupValidPipeline(7, "RedeployInst", "sha256:target");
+
+        var prior = new DeploymentRecord("dep-prior", "admin")
+        {
+            InstanceId = 7,
+            Status = DeploymentStatus.InProgress,
+            RevisionHash = "sha256:target"
+        };
+        _repo.GetCurrentDeploymentStatusAsync(7, Arg.Any<CancellationToken>()).Returns(prior);
+
+        var commActor = Sys.ActorOf(Props.Create(() =>
+            new ReconcileProbeActor(siteHash: "sha256:target", failQuery: false)));
+        var service = CreateServiceWithCommActor(commActor);
+
+        var result = await service.DeployInstanceAsync(7, "admin");
+
+        Assert.True(result.IsSuccess);
+        Assert.Equal(DeploymentStatus.Success, prior.Status);
+        // The site query was issued, but no new deploy command was sent.
+        Assert.Equal(1, ReconcileProbeActor.QueryCount);
+        Assert.Equal(0, ReconcileProbeActor.DeployCount);
+        // No new deployment record was created — the prior one was reconciled.
+        await _repo.DidNotReceive().AddDeploymentRecordAsync(
+            Arg.Any<DeploymentRecord>(), Arg.Any<CancellationToken>());
+    }
+
+    [Fact]
+    public async Task DeployInstanceAsync_PriorInProgressRecord_SiteHasDifferentHash_ProceedsWithDeploy()
+    {
+        // Prior record stuck InProgress -> site is queried. The site has a
+        // DIFFERENT revision hash, so the normal deploy proceeds.
+        var instance = new Instance("RedeployInst2") { Id = 8, SiteId = 1, State = InstanceState.Enabled };
+        _repo.GetInstanceByIdAsync(8, Arg.Any<CancellationToken>()).Returns(instance);
+        SetupValidPipeline(8, "RedeployInst2", "sha256:target");
+
+        var prior = new DeploymentRecord("dep-prior2", "admin")
+        {
+            InstanceId = 8,
+            Status = DeploymentStatus.InProgress,
+            RevisionHash = "sha256:old"
+        };
+        _repo.GetCurrentDeploymentStatusAsync(8, Arg.Any<CancellationToken>()).Returns(prior);
+
+        var commActor = Sys.ActorOf(Props.Create(() =>
+            new ReconcileProbeActor(siteHash: "sha256:old", failQuery: false)));
+        var service = CreateServiceWithCommActor(commActor);
+
+        var result = await service.DeployInstanceAsync(8, "admin");
+
+        Assert.True(result.IsSuccess);
+        Assert.Equal(1, ReconcileProbeActor.QueryCount);
+        // The normal deploy proceeded — a new command was sent.
+        Assert.Equal(1, ReconcileProbeActor.DeployCount);
+        await _repo.Received().AddDeploymentRecordAsync(
+            Arg.Any<DeploymentRecord>(), Arg.Any<CancellationToken>());
+    }
+
+    [Fact]
+    public async Task DeployInstanceAsync_PriorFailedTimeoutRecord_QueriesSite()
+    {
+        // A prior record Failed due to a timeout also triggers the site query.
+        var instance = new Instance("TimedOutInst") { Id = 9, SiteId = 1, State = InstanceState.Enabled };
+        _repo.GetInstanceByIdAsync(9, Arg.Any<CancellationToken>()).Returns(instance);
+        SetupValidPipeline(9, "TimedOutInst", "sha256:target");
+
+        var prior = new DeploymentRecord("dep-prior3", "admin")
+        {
+            InstanceId = 9,
+            Status = DeploymentStatus.Failed,
+            RevisionHash = "sha256:target",
+            ErrorMessage = "Communication failure: deployment Ask timed out"
+        };
+        _repo.GetCurrentDeploymentStatusAsync(9, Arg.Any<CancellationToken>()).Returns(prior);
+
+        var commActor = Sys.ActorOf(Props.Create(() =>
+            new ReconcileProbeActor(siteHash: "sha256:target", failQuery: false)));
+        var service = CreateServiceWithCommActor(commActor);
+
+        var result = await service.DeployInstanceAsync(9, "admin");
+
+        Assert.True(result.IsSuccess);
+        Assert.Equal(1, ReconcileProbeActor.QueryCount);
+        Assert.Equal(0, ReconcileProbeActor.DeployCount);
+        Assert.Equal(DeploymentStatus.Success, prior.Status);
+    }
+
+    [Fact]
+    public async Task DeployInstanceAsync_PriorSuccessRecord_SkipsSiteQuery()
+    {
+        // A clean prior Success record must NOT trigger the extra round-trip.
+        var instance = new Instance("CleanInst") { Id = 10, SiteId = 1, State = InstanceState.Enabled };
+        _repo.GetInstanceByIdAsync(10, Arg.Any<CancellationToken>()).Returns(instance);
+        SetupValidPipeline(10, "CleanInst", "sha256:target");
+
+        var prior = new DeploymentRecord("dep-clean", "admin")
+        {
+            InstanceId = 10,
+            Status = DeploymentStatus.Success,
+            RevisionHash = "sha256:old"
+        };
+        _repo.GetCurrentDeploymentStatusAsync(10, Arg.Any<CancellationToken>()).Returns(prior);
+
+        var commActor = Sys.ActorOf(Props.Create(() =>
+            new ReconcileProbeActor(siteHash: "sha256:target", failQuery: false)));
+        var service = CreateServiceWithCommActor(commActor);
+
+        var result = await service.DeployInstanceAsync(10, "admin");
+
+        Assert.True(result.IsSuccess);
+        // No site query — the prior deploy completed cleanly.
+        Assert.Equal(0, ReconcileProbeActor.QueryCount);
+        Assert.Equal(1, ReconcileProbeActor.DeployCount);
+    }
+
+    [Fact]
+    public async Task DeployInstanceAsync_FreshFirstTimeDeploy_SkipsSiteQuery()
+    {
+        // No prior record at all -> fresh deploy, no extra round-trip.
+        var instance = new Instance("FreshInst") { Id = 11, SiteId = 1, State = InstanceState.NotDeployed };
+        _repo.GetInstanceByIdAsync(11, Arg.Any<CancellationToken>()).Returns(instance);
+        SetupValidPipeline(11, "FreshInst", "sha256:target");
+        _repo.GetCurrentDeploymentStatusAsync(11, Arg.Any<CancellationToken>())
+            .Returns((DeploymentRecord?)null);
+
+        var commActor = Sys.ActorOf(Props.Create(() =>
+            new ReconcileProbeActor(siteHash: "sha256:target", failQuery: false)));
+        var service = CreateServiceWithCommActor(commActor);
+
+        var result = await service.DeployInstanceAsync(11, "admin");
+
+        Assert.True(result.IsSuccess);
+        Assert.Equal(0, ReconcileProbeActor.QueryCount);
+        Assert.Equal(1, ReconcileProbeActor.DeployCount);
+    }
+
+    [Fact]
+    public async Task DeployInstanceAsync_PriorInProgressRecord_QueryFails_FallsThroughToDeploy()
+    {
+        // The site query fails (unreachable / times out). The deploy must NOT
+        // abort — it falls through to a normal deploy and relies on site-side
+        // stale-rejection as the safety net.
+        var instance = new Instance("UnreachableInst") { Id = 12, SiteId = 1, State = InstanceState.Enabled };
+        _repo.GetInstanceByIdAsync(12, Arg.Any<CancellationToken>()).Returns(instance);
+        SetupValidPipeline(12, "UnreachableInst", "sha256:target");
+
+        var prior = new DeploymentRecord("dep-prior5", "admin")
+        {
+            InstanceId = 12,
+            Status = DeploymentStatus.InProgress,
+            RevisionHash = "sha256:target"
+        };
+        _repo.GetCurrentDeploymentStatusAsync(12, Arg.Any<CancellationToken>()).Returns(prior);
+
+        // The probe drops the query (no reply) -> the Ask times out.
+        var commActor = Sys.ActorOf(Props.Create(() =>
+            new ReconcileProbeActor(siteHash: "sha256:target", failQuery: true)));
+        var service = CreateServiceWithCommActor(commActor);
+
+        var result = await service.DeployInstanceAsync(12, "admin");
+
+        // Did not abort — the deploy proceeded after the failed query.
+        Assert.True(result.IsSuccess);
+        Assert.Equal(1, ReconcileProbeActor.QueryCount);
+        Assert.Equal(1, ReconcileProbeActor.DeployCount);
+    }
+
+    /// <summary>
+    /// Stand-in CentralCommunicationActor for reconciliation tests. Counts the
+    /// site queries and deploy commands it receives, answers queries with a
+    /// configurable applied revision hash, and (optionally) drops the query to
+    /// simulate an unreachable site so the central Ask times out.
+    /// </summary>
+    private class ReconcileProbeActor : ReceiveActor
+    {
+        public static int QueryCount;
+        public static int DeployCount;
+
+        public ReconcileProbeActor(string siteHash, bool failQuery)
+        {
+            // Each test creates a fresh actor; reset the shared counters.
+            QueryCount = 0;
+            DeployCount = 0;
+
+            Receive<SiteEnvelope>(env =>
+            {
+                switch (env.Message)
+                {
+                    case DeploymentStateQueryRequest q:
+                        QueryCount++;
+                        if (!failQuery)
+                        {
+                            Sender.Tell(new DeploymentStateQueryResponse(
+                                q.CorrelationId, q.InstanceUniqueName, true,
+                                "dep-applied", siteHash, DateTimeOffset.UtcNow));
+                        }
+                        // failQuery: drop the message -> caller's Ask times out.
+                        break;
+
+                    case DeployInstanceCommand d:
+                        DeployCount++;
+                        Sender.Tell(new DeploymentStatusResponse(
+                            d.DeploymentId, d.InstanceUniqueName,
+                            DeploymentStatus.Success, null, DateTimeOffset.UtcNow));
+                        break;
+                }
+            });
+        }
+    }
 }

tests/ScadaLink.DeploymentManager.Tests/ScadaLink.DeploymentManager.Tests.csproj

@@ -9,6 +9,7 @@
   </PropertyGroup>
 
   <ItemGroup>
+    <PackageReference Include="Akka.TestKit.Xunit2" />
     <PackageReference Include="coverlet.collector" />
     <PackageReference Include="Microsoft.NET.Test.Sdk" />
     <PackageReference Include="NSubstitute" />

tests/ScadaLink.SiteRuntime.Tests/Actors/DeploymentManagerActorTests.cs

@@ -187,6 +187,46 @@ public class DeploymentManagerActorTests : TestKit, IDisposable
         Assert.DoesNotContain(configs, c => c.InstanceUniqueName == "LifecyclePump");
     }
 
+    // ── DeploymentManager-006: query-the-site-before-redeploy ──
+
+    [Fact]
+    public async Task DeploymentStateQuery_DeployedInstance_ReturnsAppliedIdentity()
+    {
+        // A deployed instance must report its currently-applied deployment ID
+        // and revision hash so central can reconcile before a re-deploy.
+        await _storage.StoreDeployedConfigAsync(
+            "QueriedPump", MakeConfigJson("QueriedPump"), "dep-applied", "sha256:applied", true);
+
+        var actor = CreateDeploymentManager();
+        await Task.Delay(2000); // allow startup to load configs
+
+        actor.Tell(new DeploymentStateQueryRequest("corr-q1", "QueriedPump", DateTimeOffset.UtcNow));
+
+        var response = ExpectMsg<DeploymentStateQueryResponse>(TimeSpan.FromSeconds(5));
+        Assert.Equal("corr-q1", response.CorrelationId);
+        Assert.Equal("QueriedPump", response.InstanceUniqueName);
+        Assert.True(response.IsDeployed);
+        Assert.Equal("dep-applied", response.AppliedDeploymentId);
+        Assert.Equal("sha256:applied", response.AppliedRevisionHash);
+    }
+
+    [Fact]
+    public async Task DeploymentStateQuery_UnknownInstance_ReturnsNotDeployed()
+    {
+        // An instance the site has never received a deployment for must report
+        // IsDeployed=false with null applied identity.
+        var actor = CreateDeploymentManager();
+        await Task.Delay(500);
+
+        actor.Tell(new DeploymentStateQueryRequest("corr-q2", "NeverDeployed", DateTimeOffset.UtcNow));
+
+        var response = ExpectMsg<DeploymentStateQueryResponse>(TimeSpan.FromSeconds(5));
+        Assert.Equal("corr-q2", response.CorrelationId);
+        Assert.False(response.IsDeployed);
+        Assert.Null(response.AppliedDeploymentId);
+        Assert.Null(response.AppliedRevisionHash);
+    }
+
     [Fact]
     public void DeploymentManager_SupervisionStrategy_ResumesOnException()
     {

tests/ScadaLink.TemplateEngine.Tests/Flattening/FlatteningServiceTests.cs

@@ -371,6 +371,110 @@ public class FlatteningServiceTests
         Assert.Equal("return base;", script.Code);
     }
 
+    // ── TemplateEngine-002: per-slot alarm override ────────────────────────
+
+    [Fact]
+    public void Flatten_InheritedAlarmOnDerived_BaseValueWins()
+    {
+        var baseTemplate = CreateTemplate(2, "Sensor");
+        baseTemplate.Alarms.Add(new TemplateAlarm("HighTemp")
+        {
+            TriggerType = AlarmTriggerType.RangeViolation,
+            TriggerConfiguration = "{\"attributeName\":\"Temp\",\"high\":100}",
+            PriorityLevel = 5
+        });
+
+        var derived = CreateTemplate(1, "Pump.TempSensor", parentId: 2);
+        derived.Alarms.Add(new TemplateAlarm("HighTemp")
+        {
+            TriggerType = AlarmTriggerType.RangeViolation,
+            TriggerConfiguration = "{\"attributeName\":\"Temp\",\"high\":999}",
+            PriorityLevel = 99,
+            IsInherited = true
+        });
+
+        var instance = CreateInstance();
+        var result = _sut.Flatten(
+            instance,
+            [derived, baseTemplate],
+            new Dictionary<int, IReadOnlyList<TemplateComposition>>(),
+            new Dictionary<int, IReadOnlyList<Template>>(),
+            new Dictionary<int, DataConnection>());
+
+        Assert.True(result.IsSuccess);
+        var alarm = result.Value.Alarms.First(a => a.CanonicalName == "HighTemp");
+        Assert.Equal(5, alarm.PriorityLevel);
+        Assert.Equal("{\"attributeName\":\"Temp\",\"high\":100}", alarm.TriggerConfiguration);
+    }
+
+    [Fact]
+    public void Flatten_OverriddenAlarmOnDerived_DerivedValueWins()
+    {
+        var baseTemplate = CreateTemplate(2, "Sensor");
+        baseTemplate.Alarms.Add(new TemplateAlarm("HighTemp")
+        {
+            TriggerType = AlarmTriggerType.RangeViolation,
+            TriggerConfiguration = "{\"attributeName\":\"Temp\",\"high\":100}",
+            PriorityLevel = 5
+        });
+
+        var derived = CreateTemplate(1, "Pump.TempSensor", parentId: 2);
+        derived.Alarms.Add(new TemplateAlarm("HighTemp")
+        {
+            TriggerType = AlarmTriggerType.RangeViolation,
+            TriggerConfiguration = "{\"attributeName\":\"Temp\",\"high\":120}",
+            PriorityLevel = 42,
+            IsInherited = false
+        });
+
+        var instance = CreateInstance();
+        var result = _sut.Flatten(
+            instance,
+            [derived, baseTemplate],
+            new Dictionary<int, IReadOnlyList<TemplateComposition>>(),
+            new Dictionary<int, IReadOnlyList<Template>>(),
+            new Dictionary<int, DataConnection>());
+
+        Assert.True(result.IsSuccess);
+        var alarm = result.Value.Alarms.First(a => a.CanonicalName == "HighTemp");
+        Assert.Equal(42, alarm.PriorityLevel);
+        Assert.Equal("{\"attributeName\":\"Temp\",\"high\":120}", alarm.TriggerConfiguration);
+    }
+
+    [Fact]
+    public void Flatten_LockedInDerivedAlarmOverride_Fails()
+    {
+        var baseTemplate = CreateTemplate(2, "Sensor");
+        baseTemplate.Alarms.Add(new TemplateAlarm("HighTemp")
+        {
+            TriggerType = AlarmTriggerType.RangeViolation,
+            TriggerConfiguration = "{\"attributeName\":\"Temp\",\"high\":100}",
+            PriorityLevel = 5,
+            LockedInDerived = true
+        });
+
+        var derived = CreateTemplate(1, "Pump.TempSensor", parentId: 2);
+        derived.Alarms.Add(new TemplateAlarm("HighTemp")
+        {
+            TriggerType = AlarmTriggerType.RangeViolation,
+            TriggerConfiguration = "{\"attributeName\":\"Temp\",\"high\":120}",
+            PriorityLevel = 42,
+            IsInherited = false
+        });
+
+        var instance = CreateInstance();
+        var result = _sut.Flatten(
+            instance,
+            [derived, baseTemplate],
+            new Dictionary<int, IReadOnlyList<TemplateComposition>>(),
+            new Dictionary<int, IReadOnlyList<Template>>(),
+            new Dictionary<int, DataConnection>());
+
+        Assert.True(result.IsFailure);
+        Assert.Contains("LockedInDerived", result.Error);
+        Assert.Contains("HighTemp", result.Error);
+    }
+
     // ── TemplateEngine-001: deep composition nesting ───────────────────────
 
     [Fact]

tests/ScadaLink.TemplateEngine.Tests/TemplateServiceTests.cs

@@ -566,6 +566,123 @@ public class TemplateServiceTests
         Assert.Contains("locked by base template 'Sensor'", result.Error);
     }
 
+    [Fact]
+    public async Task AddComposition_CopiesAlarmsAsInherited()
+    {
+        var moduleTemplate = new Template("Module") { Id = 2 };
+        moduleTemplate.Alarms.Add(new TemplateAlarm("HighTemp")
+        {
+            Id = 30,
+            TemplateId = 2,
+            TriggerType = AlarmTriggerType.RangeViolation,
+            TriggerConfiguration = "{\"attributeName\":\"Temp\",\"high\":100}",
+            PriorityLevel = 5,
+            Description = "Too hot"
+        });
+        var template = new Template("Parent") { Id = 1 };
+
+        _repoMock.Setup(r => r.GetTemplateByIdAsync(1, It.IsAny<CancellationToken>())).ReturnsAsync(template);
+        _repoMock.Setup(r => r.GetTemplateByIdAsync(2, It.IsAny<CancellationToken>())).ReturnsAsync(moduleTemplate);
+        _repoMock.Setup(r => r.GetAllTemplatesAsync(It.IsAny<CancellationToken>()))
+            .ReturnsAsync(new List<Template> { template, moduleTemplate });
+
+        Template? captured = null;
+        _repoMock.Setup(r => r.AddTemplateAsync(It.IsAny<Template>(), It.IsAny<CancellationToken>()))
+            .Callback<Template, CancellationToken>((t, _) => captured = t)
+            .Returns(Task.CompletedTask);
+
+        var result = await _service.AddCompositionAsync(1, 2, "myModule", "admin");
+
+        Assert.True(result.IsSuccess);
+        Assert.NotNull(captured);
+        Assert.Single(captured!.Alarms);
+        var copied = captured.Alarms.First();
+        Assert.Equal("HighTemp", copied.Name);
+        Assert.True(copied.IsInherited);
+        Assert.False(copied.LockedInDerived);
+        Assert.Equal(AlarmTriggerType.RangeViolation, copied.TriggerType);
+        Assert.Equal(5, copied.PriorityLevel);
+        Assert.Equal("Too hot", copied.Description);
+    }
+
+    [Fact]
+    public async Task UpdateAlarm_LockedInDerivedBase_RejectsOnDerived()
+    {
+        var existing = new TemplateAlarm("HighTemp")
+        {
+            Id = 300,
+            TemplateId = 77,
+            TriggerType = AlarmTriggerType.RangeViolation,
+            PriorityLevel = 5,
+            IsInherited = true
+        };
+        var baseTemplate = new Template("Sensor") { Id = 2 };
+        baseTemplate.Alarms.Add(new TemplateAlarm("HighTemp")
+        {
+            Id = 30,
+            TemplateId = 2,
+            TriggerType = AlarmTriggerType.RangeViolation,
+            LockedInDerived = true
+        });
+        var derived = new Template("Parent.slot") { Id = 77, ParentTemplateId = 2, IsDerived = true };
+
+        _repoMock.Setup(r => r.GetTemplateAlarmByIdAsync(300, It.IsAny<CancellationToken>())).ReturnsAsync(existing);
+        _repoMock.Setup(r => r.GetTemplateByIdAsync(77, It.IsAny<CancellationToken>())).ReturnsAsync(derived);
+        _repoMock.Setup(r => r.GetTemplateByIdAsync(2, It.IsAny<CancellationToken>())).ReturnsAsync(baseTemplate);
+        _repoMock.Setup(r => r.GetAllTemplatesAsync(It.IsAny<CancellationToken>()))
+            .ReturnsAsync(new List<Template> { baseTemplate, derived });
+
+        var proposed = new TemplateAlarm("HighTemp")
+        {
+            TriggerType = AlarmTriggerType.RangeViolation,
+            PriorityLevel = 99,
+            IsInherited = false
+        };
+        var result = await _service.UpdateAlarmAsync(300, proposed, "admin");
+
+        Assert.True(result.IsFailure);
+        Assert.Contains("locked by base template 'Sensor'", result.Error);
+    }
+
+    [Fact]
+    public async Task UpdateAlarm_DerivedOverride_PersistsIsInheritedFalse()
+    {
+        var existing = new TemplateAlarm("HighTemp")
+        {
+            Id = 300,
+            TemplateId = 77,
+            TriggerType = AlarmTriggerType.RangeViolation,
+            PriorityLevel = 5,
+            IsInherited = true
+        };
+        var baseTemplate = new Template("Sensor") { Id = 2 };
+        baseTemplate.Alarms.Add(new TemplateAlarm("HighTemp")
+        {
+            Id = 30,
+            TemplateId = 2,
+            TriggerType = AlarmTriggerType.RangeViolation
+        });
+        var derived = new Template("Parent.slot") { Id = 77, ParentTemplateId = 2, IsDerived = true };
+
+        _repoMock.Setup(r => r.GetTemplateAlarmByIdAsync(300, It.IsAny<CancellationToken>())).ReturnsAsync(existing);
+        _repoMock.Setup(r => r.GetTemplateByIdAsync(77, It.IsAny<CancellationToken>())).ReturnsAsync(derived);
+        _repoMock.Setup(r => r.GetTemplateByIdAsync(2, It.IsAny<CancellationToken>())).ReturnsAsync(baseTemplate);
+        _repoMock.Setup(r => r.GetAllTemplatesAsync(It.IsAny<CancellationToken>()))
+            .ReturnsAsync(new List<Template> { baseTemplate, derived });
+
+        var proposed = new TemplateAlarm("HighTemp")
+        {
+            TriggerType = AlarmTriggerType.RangeViolation,
+            PriorityLevel = 99,
+            IsInherited = false
+        };
+        var result = await _service.UpdateAlarmAsync(300, proposed, "admin");
+
+        Assert.True(result.IsSuccess);
+        Assert.False(result.Value.IsInherited);
+        Assert.Equal(99, result.Value.PriorityLevel);
+    }
+
     [Fact]
     public async Task UpdateAttribute_DerivedOverride_PersistsIsInheritedFalse()
     {