docs(code-reviews): regenerate index after batch 1 High fixes

docs(code-reviews): re-triage ClusterInfrastructure-001 — bootstrap lives in Host, needs design decision
fix(configuration-database): resolve ConfigurationDatabase-001 — remove dead child-template query in GetTemplateWithChildrenAsync
2026-05-16 19:33:11 -04:00 · 2026-05-16 19:33:09 -04:00 · 2026-05-16 19:33:09 -04:00 · 2026-05-16 19:33:09 -04:00 · 2026-05-16 19:33:09 -04:00 · 2026-05-16 19:33:09 -04:00
32 changed files with 1085 additions and 80 deletions
@@ -8,7 +8,7 @@
 | Last reviewed | 2026-05-16 |
 | Reviewer | claude-agent |
 | Commit reviewed | `9c60592` |
-| Open findings | 13 |
+| Open findings | 12 |

 ## Summary

@@ -54,7 +54,7 @@ argument parsing, and the command-tree wiring are untested.
 |--|--|
 | Severity | High |
 | Category | Correctness & logic bugs |
-| Status | Open |
+| Status | Resolved |
 | Location | `src/ScadaLink.CLI/Commands/CommandHelpers.cs:18`, `src/ScadaLink.CLI/Commands/DebugCommands.cs:45`, `src/ScadaLink.CLI/CliConfig.cs:37-39` |

 **Description**
@@ -79,7 +79,12 @@ only then override the config value. Apply the same fix to `DebugCommands.BuildS

 **Resolution**

-_Unresolved._
+Resolved 2026-05-16 (commit `<pending>`). Removed the `--format` option's
+`DefaultValueFactory` in `Program.cs` and added `CommandHelpers.ResolveFormat`, which uses
+`ParseResult.GetResult(formatOption)` to detect an explicitly supplied flag and resolves
+precedence explicitly: explicit `--format` → `CliConfig.DefaultFormat` (env var / config
+file) → `"json"`. Both `CommandHelpers.ExecuteCommandAsync` and `DebugCommands.BuildStream`
+now call `ResolveFormat`. Regression tests added in `FormatResolutionTests`.

 ### CLI-002 — Empty success body crashes table rendering with an unhandled exception

@@ -8,7 +8,7 @@
 | Last reviewed | 2026-05-16 |
 | Reviewer | claude-agent |
 | Commit reviewed | `9c60592` |
-| Open findings | 18 |
+| Open findings | 15 |

 ## Summary

@@ -108,7 +108,7 @@ the commit whose message references `CentralUI-001`.
 |--|--|
 | Severity | High |
 | Category | Security |
-| Status | Open |
+| Status | Resolved |
 | Location | `src/ScadaLink.CentralUI/Auth/AuthEndpoints.cs:63-69`; `src/ScadaLink.CentralUI/Components/Pages/Deployment/*.razor` |

 **Description**
@@ -134,7 +134,20 @@ keep this consistent.

 **Resolution**

-_Unresolved._
+Resolved 2026-05-16. Confirmed: the `SiteId` claim was written at login
+(`AuthEndpoints`, `RoleMapper`) but never read by any CentralUI page — site
+scoping was unenforced. Added a scoped `SiteScopeService` (`Auth/SiteScopeService.cs`)
+that reads the current circuit's `SiteId` claims and exposes `IsSystemWideAsync`,
+`PermittedSiteIdsAsync`, `FilterSitesAsync`, and `IsSiteAllowedAsync` (absence of
+claims = system-wide, matching `SiteScopeAuthorizationHandler`). All seven
+Deployment/Monitoring pages now consume it: `Topology`, `DebugView`,
+`InstanceCreate`, `Deployments` filter their site/instance lists; `InstanceConfigure`
+rejects direct navigation to an instance on a non-permitted site; `DebugView`,
+`InstanceCreate`, and `ParkedMessages` re-check the claim server-side before any
+mutating/streaming command. Regression tests: `SiteScopeServiceTests` (6 tests
+pinning the helper logic) and `TopologyPageTests.SiteScoping_ScopedDeploymentUser_OnlySeesPermittedSites`
+/ `SiteScoping_SystemWideDeploymentUser_SeesAllSites`. Fixed by the commit whose
+message references `CentralUI-002`.

 ### CentralUI-003 — `Console.SetOut`/`SetError` mutates process-global state across concurrent circuits

@@ -142,7 +155,7 @@ _Unresolved._
 |--|--|
 | Severity | High |
 | Category | Concurrency & thread safety |
-| Status | Open |
+| Status | Resolved |
 | Location | `src/ScadaLink.CentralUI/ScriptAnalysis/ScriptAnalysisService.cs:359-423` |

 **Description**
@@ -166,7 +179,20 @@ the correct fix.

 **Resolution**

-_Unresolved._
+Resolved 2026-05-16. Confirmed: `RunInSandboxAsync` redirected the process-global
+`Console.Out`/`Console.Error` per call and restored them in `finally`, so a
+concurrent run's `finally` could restore the writer while another run was still
+executing — the long run silently lost output (reproduced by the regression
+test, 74 of 80 expected lines captured). Added `SandboxConsoleCapture`, a routing
+`TextWriter` installed into `Console.Out`/`Console.Error` exactly once for the
+process; each run pushes its own `StringWriter` onto an `AsyncLocal` capture
+scope via `BeginCapture`, so writes are routed per logical call-tree with no
+per-run mutation of global `Console` state. `RunInSandboxAsync` now opens the
+scope with `using` declarations instead of calling `Console.SetOut`. Regression
+tests `RunInSandbox_CapturesConsoleOutput` and
+`RunInSandbox_ConcurrentRuns_DoNotCrossContaminateConsoleOutput` fail against the
+pre-fix code and pass after. Fixed by the commit whose message references
+`CentralUI-003`.

 ### CentralUI-004 — `CookieAuthenticationStateProvider` reads `HttpContext` for the life of the circuit

@@ -174,7 +200,7 @@ _Unresolved._
 |--|--|
 | Severity | High |
 | Category | Security |
-| Status | Open |
+| Status | Resolved |
 | Location | `src/ScadaLink.CentralUI/Auth/CookieAuthenticationStateProvider.cs:22-28` |

 **Description**
@@ -202,7 +228,19 @@ circuit is established.

 **Resolution**

-_Unresolved._
+Resolved 2026-05-16. Confirmed: `GetAuthenticationStateAsync` read
+`_httpContextAccessor.HttpContext?.User` on every call; the provider is
+registered `Scoped`, so it is constructed within the initial HTTP request's DI
+scope while `HttpContext` is still valid, but every later call (an
+`<AuthorizeView>` re-evaluating, or a page calling it directly) over the
+long-lived SignalR circuit saw `HttpContext == null` and returned an anonymous
+principal. The provider now snapshots the principal once in the constructor into
+a cached `Task<AuthenticationState>` and serves that for the life of the
+circuit, never touching `IHttpContextAccessor` again. Regression tests
+`CookieAuthenticationStateProviderTests.GetAuthenticationStateAsync_StillReturnsUser_AfterHttpContextIsGone`
+and `..._IsStableAcrossCalls_IgnoringStaleForeignContext` fail against the
+pre-fix code (they would see an anonymous / foreign principal) and pass after.
+Fixed by the commit whose message references `CentralUI-004`.

 ### CentralUI-005 — Session expiry implementation diverges from the documented policy

@@ -83,7 +83,49 @@ should clearly state it is unimplemented so callers do not assume otherwise.

 **Resolution**

-_Unresolved._
+_Re-triaged 2026-05-16 — remains Open, needs a design decision from the user._
+
+Verified against the source at the reviewed commit: the finding's factual claims hold.
+`src/ScadaLink.ClusterInfrastructure` still contains only `ClusterOptions.cs` and a
+no-op `ServiceCollectionExtensions.cs`, and the `.csproj` references no Akka packages.
+
+However, the documented cluster behaviour is **not actually absent from the system** —
+it has been implemented in the **Host** project rather than in this module:
+
+- `src/ScadaLink.Host/Actors/AkkaHostedService.cs` bootstraps the `ActorSystem`,
+  generates the HOCON from `ClusterOptions` (it imports `ScadaLink.ClusterInfrastructure`
+  and injects `IOptions<ClusterOptions>`), and configures the `keep-oldest` split-brain
+  resolver with `down-if-alone = on` (see `AkkaHostedService.cs:95-96`).
+- `src/ScadaLink.Host/Health/AkkaClusterHealthCheck.cs`, `AkkaClusterNodeProvider.cs`,
+  and `Health/ActiveNodeHealthCheck.cs` cover cluster membership / active-node detection.
+- Akka cluster/remote package references live in `ScadaLink.Host.csproj` and the
+  per-component projects (`SiteRuntime`, `Communication`, etc.).
+
+So the real situation is an **ownership / design-doc drift**, not missing behaviour:
+`Component-ClusterInfrastructure.md` assigns the Akka bootstrap, HOCON generation,
+split-brain config and `CoordinatedShutdown` wiring to this module, but the
+implementation deliberately lives in the Host. `ClusterOptions` is the one piece this
+module legitimately owns and it is consumed correctly by the Host.
+
+Resolving CI-001 as literally written is **not a small, well-scoped fix** — it is one
+of two substantial decisions, both requiring the user:
+
+1. **Move the bootstrap into this module** — relocate the HOCON generation, split-brain
+   config, cluster-singleton helpers and `CoordinatedShutdown` wiring out of
+   `ScadaLink.Host` into `ScadaLink.ClusterInfrastructure`, add the Akka package
+   references, and re-wire the Host to call into it. This is a cross-module refactor
+   touching `src/ScadaLink.Host/*` and several other projects — outside the edit scope
+   permitted for this finding (only `src/ScadaLink.ClusterInfrastructure/`,
+   `tests/ScadaLink.ClusterInfrastructure.Tests/`, and this file may be edited).
+2. **Accept the current placement** — keep the bootstrap in the Host and update
+   `Component-ClusterInfrastructure.md` (and the README component table) to record that
+   the Host owns the actor-system/cluster bootstrap and that this module's role is the
+   shared `ClusterOptions` contract. That fix is a design-doc edit, also outside this
+   module's permitted edit scope.
+
+Either path is a deliberate architecture decision, not a bug fix, so per
+REVIEW-PROCESS.md §2 this finding is left **Open** and surfaced for the user to decide.
+No code change was made. Module test suite verified green (3 passed) at re-triage time.

 ### ClusterInfrastructure-002 — No-op DI extension methods report success while doing nothing

@@ -8,7 +8,7 @@
 | Last reviewed | 2026-05-16 |
 | Reviewer | claude-agent |
 | Commit reviewed | `9c60592` |
-| Open findings | 10 |
+| Open findings | 8 |

 ## Summary

@@ -98,7 +98,7 @@ references `Communication-001`.
 |--|--|
 | Severity | High |
 | Category | Error handling & resilience |
-| Status | Open |
+| Status | Resolved |
 | Location | `src/ScadaLink.Communication/Actors/DebugStreamBridgeActor.cs:170`, `src/ScadaLink.Communication/Actors/DebugStreamBridgeActor.cs:143` |

 **Description**
@@ -126,7 +126,14 @@ the gRPC cancellation reaches the site and stops the relay actor.

 **Resolution**

-_Unresolved._
+Resolved 2026-05-16 (commit `<pending>`). Root cause confirmed against source:
+`HandleGrpcError` flipped `_useNodeA` and scheduled `OpenGrpcStream` without ever
+unsubscribing the failed stream, leaving the old node's `StreamRelayActor` zombie until
+TCP/keepalive timeout. Fix: `HandleGrpcError` now resolves the client for the
+*previous* endpoint (before flipping `_useNodeA`) and calls `Unsubscribe(_correlationId)`
+on it, so the local CTS is cancelled and gRPC cancellation reaches the still-alive site.
+Regression test `DebugStreamBridgeActorTests.On_GrpcError_Unsubscribes_Old_Stream_Before_Reconnect`
+fails against the pre-fix code and passes after.

 ### Communication-003 — SiteStreamGrpcClient subscription map overwritten without disposal; reconnect can cancel the wrong stream

@@ -134,7 +141,7 @@ _Unresolved._
 |--|--|
 | Severity | High |
 | Category | Concurrency & thread safety |
-| Status | Open |
+| Status | Resolved |
 | Location | `src/ScadaLink.Communication/Grpc/SiteStreamGrpcClient.cs:77`, `src/ScadaLink.Communication/Grpc/SiteStreamGrpcClient.cs:106` |

 **Description**
@@ -161,7 +168,18 @@ caller-supplied correlation ID.

 **Resolution**

-_Unresolved._
+Resolved 2026-05-16 (commit `<pending>`). Root cause confirmed against source: the
+inline `_subscriptions[correlationId] = cts` overwrote a prior CTS without
+cancel/dispose (leak), and the `finally`'s `TryRemove(correlationId, out _)` removed by
+key only — a racing reconnect's live CTS could be removed by the prior call's `finally`,
+orphaning the live stream. Fix: extracted two internal helpers used by `SubscribeAsync`
+— `RegisterSubscription` cancels+disposes any existing CTS for the correlation ID before
+inserting, and `RemoveSubscription` uses the `ConcurrentDictionary.TryRemove(KeyValuePair)`
+overload so it removes only the CTS that call created (mirroring `SiteStreamGrpcServer`'s
+`StreamEntry` pattern). Regression tests
+`SiteStreamGrpcClientTests.RegisterSubscription_ReusedCorrelationId_CancelsAndDisposesPriorCts`
+and `SiteStreamGrpcClientTests.RemoveSubscription_OnlyRemovesOwnCts_NotAReplacement`
+fail against the pre-fix logic and pass after.

 ### Communication-004 — Coordinator actors declare no SupervisorStrategy (design requires Resume)

@@ -8,7 +8,7 @@
 | Last reviewed | 2026-05-16 |
 | Reviewer | claude-agent |
 | Commit reviewed | `9c60592` |
-| Open findings | 11 |
+| Open findings | 10 |

 ## Summary

@@ -60,7 +60,7 @@ repositories (`TemplateEngineRepository`, `DeploymentManagerRepository`,
 |--|--|
 | Severity | High |
 | Category | Correctness & logic bugs |
-| Status | Open |
+| Status | Resolved |
 | Location | `src/ScadaLink.ConfigurationDatabase/Repositories/TemplateEngineRepository.cs:30-41` |

 **Description**
@@ -84,7 +84,28 @@ explicit result tuple/DTO so the loaded data reaches the caller.

 **Resolution**

-_Unresolved._
+Resolved 2026-05-16 (commit `<pending>`). Root cause confirmed against source: the
+method ran a `Where(t => t.ParentTemplateId == id)` query, assigned the result to a
+local `children` variable, and never used it — a misleading no-op that also issued an
+extra database round-trip per call.
+
+Triage of the three callers (`FlatteningPipeline.BuildTemplateChainAsync`,
+`ManagementActor.HandleGetTemplate`, `ManagementActor.HandleValidateTemplate`) showed
+none consume derived/sub-templates; they all need the template's *member* collections
+(Attributes/Alarms/Scripts/Compositions), which `GetTemplateByIdAsync` already
+eager-loads. The `Template` entity has no child-templates navigation collection, and
+adding one (plus changing the interface signature) would require editing
+`ScadaLink.Commons`, which is outside this module's scope.
+
+Fix applied the recommendation's secondary option: removed the dead query so the
+method no longer misleads or wastes a round-trip, and added an XML doc comment
+clarifying that "children" means the template's member collections. The method now
+honestly delegates to `GetTemplateByIdAsync`. Regression tests added in
+`TemplateEngineRepositoryTests.cs`:
+`GetTemplateWithChildrenAsync_ReturnsTemplateWithAllMemberCollectionsPopulated`,
+`GetTemplateWithChildrenAsync_PreservesParentTemplateId_ForInheritanceChainWalk`, and
+`GetTemplateWithChildrenAsync_ReturnsNull_WhenTemplateDoesNotExist` — pinning the
+template-aggregate contract the callers depend on.

 ### ConfigurationDatabase-002 — Hardcoded `sa` connection string with embedded password literal

@@ -40,21 +40,21 @@ module file and counted in **Total**.
 | Severity | Open findings |
 |----------|---------------|
 | Critical | 0 |
-| High | 46 |
+| High | 39 |
 | Medium | 100 |
 | Low | 89 |
-| **Total** | **235** |
+| **Total** | **228** |

 ## Module Status

 | Module | Last reviewed | Commit | Open (C/H/M/L) | Open | Total |
 |--------|---------------|--------|----------------|------|-------|
-| [CLI](CLI/findings.md) | 2026-05-16 | `9c60592` | 0/1/6/6 | 13 | 13 |
-| [CentralUI](CentralUI/findings.md) | 2026-05-16 | `9c60592` | 0/3/10/5 | 18 | 19 |
+| [CLI](CLI/findings.md) | 2026-05-16 | `9c60592` | 0/0/6/6 | 12 | 13 |
+| [CentralUI](CentralUI/findings.md) | 2026-05-16 | `9c60592` | 0/0/10/5 | 15 | 19 |
 | [ClusterInfrastructure](ClusterInfrastructure/findings.md) | 2026-05-16 | `9c60592` | 0/1/4/3 | 8 | 8 |
 | [Commons](Commons/findings.md) | 2026-05-16 | `9c60592` | 0/0/4/8 | 12 | 12 |
-| [Communication](Communication/findings.md) | 2026-05-16 | `9c60592` | 0/2/5/3 | 10 | 11 |
-| [ConfigurationDatabase](ConfigurationDatabase/findings.md) | 2026-05-16 | `9c60592` | 0/1/4/6 | 11 | 11 |
+| [Communication](Communication/findings.md) | 2026-05-16 | `9c60592` | 0/0/5/3 | 8 | 11 |
+| [ConfigurationDatabase](ConfigurationDatabase/findings.md) | 2026-05-16 | `9c60592` | 0/0/4/6 | 10 | 11 |
 | [DataConnectionLayer](DataConnectionLayer/findings.md) | 2026-05-16 | `9c60592` | 0/4/6/2 | 12 | 13 |
 | [DeploymentManager](DeploymentManager/findings.md) | 2026-05-16 | `9c60592` | 0/3/6/5 | 14 | 14 |
 | [ExternalSystemGateway](ExternalSystemGateway/findings.md) | 2026-05-16 | `9c60592` | 0/2/7/4 | 13 | 14 |
@@ -80,18 +80,11 @@ description, location, recommendation — lives in the module's `findings.md`.

 _None open._

-### High (46)
+### High (39)

 | ID | Module | Title |
 |----|--------|-------|
-| CLI-001 | [CLI](CLI/findings.md) | `SCADALINK_FORMAT` env var and config-file format are dead; format precedence broken |
-| CentralUI-002 | [CentralUI](CentralUI/findings.md) | Site-scoped Deployment permissions are issued but never enforced |
-| CentralUI-003 | [CentralUI](CentralUI/findings.md) | `Console.SetOut`/`SetError` mutates process-global state across concurrent circuits |
-| CentralUI-004 | [CentralUI](CentralUI/findings.md) | `CookieAuthenticationStateProvider` reads `HttpContext` for the life of the circuit |
 | ClusterInfrastructure-001 | [ClusterInfrastructure](ClusterInfrastructure/findings.md) | Module implements none of its documented responsibilities |
-| Communication-002 | [Communication](Communication/findings.md) | gRPC reconnect does not unsubscribe the previous stream, leaking site-side relay actors |
-| Communication-003 | [Communication](Communication/findings.md) | SiteStreamGrpcClient subscription map overwritten without disposal; reconnect can cancel the wrong stream |
-| ConfigurationDatabase-001 | [ConfigurationDatabase](ConfigurationDatabase/findings.md) | `GetTemplateWithChildrenAsync` loads child templates then discards them |
 | DataConnectionLayer-002 | [DataConnectionLayer](DataConnectionLayer/findings.md) | `Restart` supervision discards all subscription state on connection-actor crash |
 | DataConnectionLayer-003 | [DataConnectionLayer](DataConnectionLayer/findings.md) | `RealOpcUaClient` callback/monitored-item dictionaries mutated without synchronization |
 | DataConnectionLayer-004 | [DataConnectionLayer](DataConnectionLayer/findings.md) | Subscribe-time tag-resolution failure leaves the connection healthy but never recovers correctly |
@@ -15,8 +15,8 @@ internal static class CommandHelpers
        Option<string> passwordOption,
        object command)
    {
-        var format = result.GetValue(formatOption) ?? "json";
        var config = CliConfig.Load();
+        var format = ResolveFormat(result, formatOption, config);

        // Resolve management URL
        var url = result.GetValue(urlOption);
@@ -53,6 +53,27 @@ internal static class CommandHelpers
        return HandleResponse(response, format);
    }

+    /// <summary>
+    /// Resolves the output format using the documented precedence chain:
+    /// an explicitly supplied <c>--format</c> option wins, otherwise the
+    /// config-file / environment-variable default (<see cref="CliConfig.DefaultFormat"/>)
+    /// is used, otherwise <c>json</c>. The <c>--format</c> option must not declare a
+    /// <c>DefaultValueFactory</c> — that would mask whether the flag was supplied.
+    /// </summary>
+    internal static string ResolveFormat(ParseResult result, Option<string> formatOption, CliConfig config)
+    {
+        // GetResult returns non-null only when the option was actually present on the
+        // command line, letting an explicit --format override the config default.
+        if (result.GetResult(formatOption) != null)
+        {
+            var explicitValue = result.GetValue(formatOption);
+            if (!string.IsNullOrWhiteSpace(explicitValue))
+                return explicitValue;
+        }
+
+        return string.IsNullOrWhiteSpace(config.DefaultFormat) ? "json" : config.DefaultFormat;
+    }
+
    internal static int HandleResponse(ManagementResponse response, string format)
    {
        if (response.JsonData != null)
@@ -42,8 +42,8 @@ public static class DebugCommands
        cmd.SetAction(async (ParseResult result) =>
        {
            var instanceId = result.GetValue(idOption);
-            var format = result.GetValue(formatOption) ?? "json";
            var config = CliConfig.Load();
+            var format = CommandHelpers.ResolveFormat(result, formatOption, config);

            var url = result.GetValue(urlOption);
            if (string.IsNullOrWhiteSpace(url))
@@ -7,8 +7,9 @@ var rootCommand = new RootCommand("ScadaLink CLI — manage the ScadaLink SCADA
 var urlOption = new Option<string>("--url") { Description = "Management API URL", Recursive = true };
 var usernameOption = new Option<string>("--username") { Description = "LDAP username", Recursive = true };
 var passwordOption = new Option<string>("--password") { Description = "LDAP password", Recursive = true };
+// No DefaultValueFactory: format precedence (explicit --format -> config/env -> "json")
+// is resolved by CommandHelpers.ResolveFormat, which needs to distinguish an absent flag.
 var formatOption = new Option<string>("--format") { Description = "Output format (json or table)", Recursive = true };
-formatOption.DefaultValueFactory = _ => "json";

 rootCommand.Add(urlOption);
 rootCommand.Add(usernameOption);
@@ -7,23 +7,37 @@ namespace ScadaLink.CentralUI.Auth;

 /// <summary>
 /// Bridges ASP.NET Core cookie authentication with Blazor Server's auth state.
-/// The cookie middleware has already validated and decrypted the cookie by the time
-/// the Blazor circuit is established, so we just read HttpContext.User.
+/// <para>
+/// The cookie middleware validates and decrypts the cookie during the initial
+/// HTTP request that establishes the Blazor circuit. This provider is registered
+/// <c>Scoped</c>, so it is constructed within that request's DI scope while
+/// <see cref="IHttpContextAccessor.HttpContext"/> is still valid. We snapshot
+/// the authenticated principal <b>once</b> in the constructor and serve that
+/// snapshot for the lifetime of the circuit.
+/// </para>
+/// <para>
+/// We must NOT read <see cref="IHttpContextAccessor"/> on every
+/// <see cref="GetAuthenticationStateAsync"/> call (CentralUI-004): for the
+/// lifetime of a long-lived SignalR circuit <c>HttpContext</c> is <c>null</c>
+/// (or, worse, a stale/foreign context), so a later re-evaluation —
+/// e.g. <c>&lt;AuthorizeView&gt;</c> re-rendering — would otherwise see an
+/// unauthenticated principal and render the wrong UI.
+/// </para>
 /// </summary>
 public class CookieAuthenticationStateProvider : ServerAuthenticationStateProvider
 {
-    private readonly IHttpContextAccessor _httpContextAccessor;
+    private readonly Task<AuthenticationState> _circuitAuthState;

    public CookieAuthenticationStateProvider(IHttpContextAccessor httpContextAccessor)
    {
-        _httpContextAccessor = httpContextAccessor;
+        // Snapshot the principal at circuit-construction time. HttpContext is
+        // valid here (initial HTTP request) and will not be afterwards.
+        var user = httpContextAccessor.HttpContext?.User
+            ?? new ClaimsPrincipal(new ClaimsIdentity());
+
+        _circuitAuthState = Task.FromResult(new AuthenticationState(user));
    }

    public override Task<AuthenticationState> GetAuthenticationStateAsync()
-    {
-        var user = _httpContextAccessor.HttpContext?.User
-            ?? new ClaimsPrincipal(new ClaimsIdentity());
-
-        return Task.FromResult(new AuthenticationState(user));
-    }
+        => _circuitAuthState;
 }
@@ -0,0 +1,93 @@
+using Microsoft.AspNetCore.Components.Authorization;
+using ScadaLink.Commons.Entities.Sites;
+using ScadaLink.Security;
+
+namespace ScadaLink.CentralUI.Auth;
+
+/// <summary>
+/// Resolves the set of sites the current user is permitted to operate on, from
+/// the <c>SiteId</c> claims attached at login (CentralUI-002).
+/// <para>
+/// The design (Component-CentralUI, CLAUDE.md "Security &amp; Auth") makes the
+/// Deployment role site-scoped: a Deployment user mapped through an LDAP group
+/// with site-scope rules carries one <see cref="JwtTokenService.SiteIdClaimType"/>
+/// claim per permitted site (the claim value is the integer <c>Site.Id</c>).
+/// A Deployment user with no <c>SiteId</c> claim — and any Admin/Design user — is
+/// system-wide.
+/// </para>
+/// <para>
+/// Deployment and Monitoring pages must filter every site/instance list through
+/// <see cref="FilterSitesAsync"/> and re-check <see cref="IsSiteAllowedAsync"/>
+/// before any cross-site command, so a scoped user cannot view or act on sites
+/// outside their grant.
+/// </para>
+/// </summary>
+public sealed class SiteScopeService
+{
+    private readonly AuthenticationStateProvider _authStateProvider;
+    private (bool IsSystemWide, IReadOnlySet<int> Sites)? _cached;
+
+    public SiteScopeService(AuthenticationStateProvider authStateProvider)
+    {
+        _authStateProvider = authStateProvider;
+    }
+
+    /// <summary>
+    /// True when the user is not restricted to a site subset (no <c>SiteId</c>
+    /// claims). System-wide users see and act on every site.
+    /// </summary>
+    public async Task<bool> IsSystemWideAsync()
+        => (await ResolveAsync()).IsSystemWide;
+
+    /// <summary>
+    /// The set of <c>Site.Id</c> values the user may operate on. Empty for a
+    /// system-wide user (callers should consult <see cref="IsSystemWideAsync"/>
+    /// or use the filter/allowed helpers, which already account for that).
+    /// </summary>
+    public async Task<IReadOnlySet<int>> PermittedSiteIdsAsync()
+        => (await ResolveAsync()).Sites;
+
+    /// <summary>
+    /// Returns the subset of <paramref name="sites"/> the user is permitted to
+    /// see. A system-wide user gets the full list back unchanged.
+    /// </summary>
+    public async Task<List<Site>> FilterSitesAsync(IEnumerable<Site> sites)
+    {
+        var (isSystemWide, allowed) = await ResolveAsync();
+        if (isSystemWide)
+            return sites.ToList();
+        return sites.Where(s => allowed.Contains(s.Id)).ToList();
+    }
+
+    /// <summary>
+    /// True when the user may operate on the site with the given <c>Site.Id</c>.
+    /// Must be re-checked server-side before any mutating cross-site command.
+    /// </summary>
+    public async Task<bool> IsSiteAllowedAsync(int siteId)
+    {
+        var (isSystemWide, allowed) = await ResolveAsync();
+        return isSystemWide || allowed.Contains(siteId);
+    }
+
+    private async Task<(bool IsSystemWide, IReadOnlySet<int> Sites)> ResolveAsync()
+    {
+        if (_cached is { } cached)
+            return cached;
+
+        var state = await _authStateProvider.GetAuthenticationStateAsync();
+        var siteClaims = state.User.FindAll(JwtTokenService.SiteIdClaimType);
+
+        var ids = new HashSet<int>();
+        foreach (var claim in siteClaims)
+        {
+            if (int.TryParse(claim.Value, out var id))
+                ids.Add(id);
+        }
+
+        // No SiteId claims => system-wide. This mirrors SiteScopeAuthorizationHandler:
+        // absence of scope rules means an unrestricted deployer.
+        var result = (IsSystemWide: ids.Count == 0, Sites: (IReadOnlySet<int>)ids);
+        _cached = result;
+        return result;
+    }
+}
@@ -11,6 +11,7 @@
@attribute [Authorize(Policy = AuthorizationPolicies.RequireDeployment)]
@inject ITemplateEngineRepository TemplateEngineRepository
@inject ISiteRepository SiteRepository
+@inject ScadaLink.CentralUI.Auth.SiteScopeService SiteScope
@inject DebugStreamService DebugStreamService
@inject IJSRuntime JS
@implements IDisposable
@@ -296,7 +297,9 @@
    {
        try
        {
-            _sites = (await SiteRepository.GetAllSitesAsync()).ToList();
+            // Site scoping (CentralUI-002): a scoped Deployment user may only
+            // debug sites they are permitted on.
+            _sites = await SiteScope.FilterSitesAsync(await SiteRepository.GetAllSitesAsync());
        }
        catch (Exception ex)
        {
@@ -358,6 +361,14 @@
        _siteInstances.Clear();
        _selectedInstanceId = 0;
        if (_selectedSiteId == 0) return;
+        // Site scoping (CentralUI-002): re-check the claim server-side — a query
+        // string or stale localStorage value could name a site outside the grant.
+        if (!await SiteScope.IsSiteAllowedAsync(_selectedSiteId))
+        {
+            _selectedSiteId = 0;
+            _toast.ShowError("You are not permitted to debug instances on that site.");
+            return;
+        }
        try
        {
            _siteInstances = (await TemplateEngineRepository.GetInstancesBySiteIdAsync(_selectedSiteId))
@@ -7,6 +7,7 @@
@attribute [Authorize(Policy = AuthorizationPolicies.RequireDeployment)]
@inject IDeploymentManagerRepository DeploymentManagerRepository
@inject ITemplateEngineRepository TemplateEngineRepository
+@inject ScadaLink.CentralUI.Auth.SiteScopeService SiteScope
@implements IDisposable

 <div class="container-fluid mt-3">
@@ -245,13 +246,23 @@
        _errorMessage = null;
        try
        {
-            _records = (await DeploymentManagerRepository.GetAllDeploymentRecordsAsync())
-                .OrderByDescending(r => r.DeployedAt)
-                .ToList();
-
-            // Build instance name lookup
+            // Build instance lookups first — site scoping (CentralUI-002) filters
+            // deployment records by the site of their instance.
            var instances = await TemplateEngineRepository.GetAllInstancesAsync();
            _instanceNames = instances.ToDictionary(i => i.Id, i => i.UniqueName);
+            var instanceSiteIds = instances.ToDictionary(i => i.Id, i => i.SiteId);
+
+            var systemWide = await SiteScope.IsSystemWideAsync();
+            var permittedSiteIds = systemWide
+                ? null
+                : await SiteScope.PermittedSiteIdsAsync();
+
+            _records = (await DeploymentManagerRepository.GetAllDeploymentRecordsAsync())
+                .Where(r => permittedSiteIds == null
+                    || (instanceSiteIds.TryGetValue(r.InstanceId, out var sid)
+                        && permittedSiteIds.Contains(sid)))
+                .OrderByDescending(r => r.DeployedAt)
+                .ToList();

            _totalPages = Math.Max(1, (int)Math.Ceiling(_records.Count / (double)PageSize));
            if (_currentPage > _totalPages) _currentPage = 1;
@@ -11,6 +11,7 @@
@attribute [Authorize(Policy = AuthorizationPolicies.RequireDeployment)]
@inject ITemplateEngineRepository TemplateEngineRepository
@inject ISiteRepository SiteRepository
+@inject ScadaLink.CentralUI.Auth.SiteScopeService SiteScope
@inject InstanceService InstanceService
@inject IFlatteningPipeline FlatteningPipeline
@inject AuthenticationStateProvider AuthStateProvider
@@ -377,6 +378,17 @@
                return;
            }

+            // Site scoping (CentralUI-002): a scoped Deployment user must not be
+            // able to configure or deploy an instance on a site outside their
+            // grant by navigating straight to its URL.
+            if (!await SiteScope.IsSiteAllowedAsync(_instance.SiteId))
+            {
+                _instance = null;
+                _errorMessage = "You are not permitted to manage instances on this site.";
+                _loading = false;
+                return;
+            }
+
            // Identity
            var template = await TemplateEngineRepository.GetTemplateByIdAsync(_instance.TemplateId);
            _templateName = template?.Name ?? $"#{_instance.TemplateId}";
@@ -8,6 +8,7 @@
@attribute [Authorize(Policy = AuthorizationPolicies.RequireDeployment)]
@inject ITemplateEngineRepository TemplateEngineRepository
@inject ISiteRepository SiteRepository
+@inject ScadaLink.CentralUI.Auth.SiteScopeService SiteScope
@inject InstanceService InstanceService
@inject AuthenticationStateProvider AuthStateProvider
@inject NavigationManager NavigationManager
@@ -93,7 +94,9 @@
        try
        {
            _templates = (await TemplateEngineRepository.GetAllTemplatesAsync()).ToList();
-            _sites = (await SiteRepository.GetAllSitesAsync()).ToList();
+            // Site scoping (CentralUI-002): a scoped Deployment user may only
+            // create instances on sites they are permitted on.
+            _sites = await SiteScope.FilterSitesAsync(await SiteRepository.GetAllSitesAsync());

            _allAreas.Clear();
            foreach (var site in _sites)
@@ -124,6 +127,13 @@
        if (string.IsNullOrWhiteSpace(_createName)) { _formError = "Instance name is required."; return; }
        if (_createTemplateId == 0) { _formError = "Select a template."; return; }
        if (_createSiteId == 0) { _formError = "Select a site."; return; }
+        // Site scoping (CentralUI-002): re-check server-side before the mutating
+        // command, independent of what the site dropdown was populated with.
+        if (!await SiteScope.IsSiteAllowedAsync(_createSiteId))
+        {
+            _formError = "You are not permitted to create instances on the selected site.";
+            return;
+        }

        try
        {
@@ -17,6 +17,7 @@
@inject AreaService AreaService
@inject InstanceService InstanceService
@inject AuthenticationStateProvider AuthStateProvider
+@inject ScadaLink.CentralUI.Auth.SiteScopeService SiteScope
@inject NavigationManager NavigationManager
@inject IJSRuntime JSRuntime
@inject IDialogService Dialog
@@ -225,8 +226,13 @@
        _errorMessage = null;
        try
        {
-            _allInstances = (await TemplateEngineRepository.GetAllInstancesAsync()).ToList();
-            _sites = (await SiteRepository.GetAllSitesAsync()).ToList();
+            // Site scoping (CentralUI-002): a scoped Deployment user only sees the
+            // sites — and therefore the areas/instances — they are permitted on.
+            _sites = await SiteScope.FilterSitesAsync(await SiteRepository.GetAllSitesAsync());
+            var permittedSiteIds = _sites.Select(s => s.Id).ToHashSet();
+            _allInstances = (await TemplateEngineRepository.GetAllInstancesAsync())
+                .Where(i => permittedSiteIds.Contains(i.SiteId))
+                .ToList();
            _templates = (await TemplateEngineRepository.GetAllTemplatesAsync()).ToList();

            _allAreas.Clear();
@@ -5,6 +5,7 @@
@using ScadaLink.Commons.Messages.RemoteQuery
@using ScadaLink.Communication
@inject ISiteRepository SiteRepository
+@inject ScadaLink.CentralUI.Auth.SiteScopeService SiteScope
@inject CommunicationService CommunicationService

 <div class="container-fluid mt-3">
@@ -212,9 +213,16 @@

    protected override async Task OnInitializedAsync()
    {
-        _sites = (await SiteRepository.GetAllSitesAsync()).ToList();
+        // Site scoping (CentralUI-002): a scoped Deployment user may only query
+        // event logs for the sites they are permitted on.
+        _sites = await SiteScope.FilterSitesAsync(await SiteRepository.GetAllSitesAsync());
    }

+    // _sites is already filtered, so membership IS the scope check.
+    private bool SelectedSiteIsPermitted =>
+        !string.IsNullOrEmpty(_selectedSiteId)
+        && _sites.Any(s => s.SiteIdentifier == _selectedSiteId);
+
    private async Task Search()
    {
        _entries = new();
@@ -237,6 +245,14 @@
    {
        _searching = true;
        _errorMessage = null;
+        // Site scoping (CentralUI-002): re-check before querying — the dropdown is
+        // filtered, but the selection must not be trusted on its own.
+        if (!SelectedSiteIsPermitted)
+        {
+            _errorMessage = "You are not permitted to view event logs for that site.";
+            _searching = false;
+            return;
+        }
        try
        {
            var request = new EventLogQueryRequest(
@@ -6,6 +6,7 @@
@using ScadaLink.Commons.Types.Enums
@using ScadaLink.Communication
@inject ISiteRepository SiteRepository
+@inject ScadaLink.CentralUI.Auth.SiteScopeService SiteScope
@inject CommunicationService CommunicationService
@inject IJSRuntime JS
@inject IDialogService Dialog
@@ -360,9 +361,17 @@

    protected override async Task OnInitializedAsync()
    {
-        _sites = (await SiteRepository.GetAllSitesAsync()).ToList();
+        // Site scoping (CentralUI-002): a scoped Deployment user may only inspect
+        // and act on parked messages for the sites they are permitted on.
+        _sites = await SiteScope.FilterSitesAsync(await SiteRepository.GetAllSitesAsync());
    }

+    // True only when the currently selected SiteIdentifier is one this user is
+    // permitted on. _sites is already filtered, so membership IS the scope check.
+    private bool SelectedSiteIsPermitted =>
+        !string.IsNullOrEmpty(_selectedSiteId)
+        && _sites.Any(s => s.SiteIdentifier == _selectedSiteId);
+
    private async Task OnSiteChanged(ChangeEventArgs e)
    {
        _selectedSiteId = e.Value?.ToString() ?? string.Empty;
@@ -393,6 +402,15 @@
    {
        _searching = true;
        _errorMessage = null;
+        // Site scoping (CentralUI-002): re-check before querying — the dropdown is
+        // filtered, but the selection must not be trusted on its own.
+        if (!SelectedSiteIsPermitted)
+        {
+            _errorMessage = "You are not permitted to view parked messages for that site.";
+            _messages = null;
+            _searching = false;
+            return;
+        }
        try
        {
            var request = new ParkedMessageQueryRequest(
@@ -557,6 +575,7 @@
    {
        var ids = _selectedIds.ToList();
        if (ids.Count == 0) return;
+        if (!SelectedSiteIsPermitted) { _toast.ShowError("Not permitted for this site."); return; }

        var confirmed = await Dialog.ConfirmAsync(
            "Retry parked messages",
@@ -587,6 +606,7 @@
    {
        var ids = _selectedIds.ToList();
        if (ids.Count == 0) return;
+        if (!SelectedSiteIsPermitted) { _toast.ShowError("Not permitted for this site."); return; }

        var confirmed = await Dialog.ConfirmAsync(
            "Discard parked messages",
@@ -618,6 +638,7 @@

    private async Task RetrySingle(ParkedMessageEntry msg)
    {
+        if (!SelectedSiteIsPermitted) { _toast.ShowError("Not permitted for this site."); return; }
        _actionInProgress = true;
        _activeAction = "Retry";
        try
@@ -638,6 +659,7 @@

    private async Task<bool> DiscardSingle(ParkedMessageEntry msg)
    {
+        if (!SelectedSiteIsPermitted) { _toast.ShowError("Not permitted for this site."); return false; }
        var confirmed = await Dialog.ConfirmAsync(
            "Discard parked message",
            $"Permanently discard message {ShortId(msg.MessageId)}? This cannot be undone.",
@@ -0,0 +1,106 @@
+using System.Text;
+
+namespace ScadaLink.CentralUI.ScriptAnalysis;
+
+/// <summary>
+/// Per-call console capture for the Test Run sandbox.
+/// <para>
+/// Sandbox scripts use <c>System.Console.WriteLine</c> for ad-hoc output. The
+/// sandbox needs to capture that output per execution. <c>Console.Out</c> is,
+/// however, <b>process-global</b>: redirecting it with <c>Console.SetOut</c> for
+/// the duration of one run corrupts any other run executing concurrently —
+/// outputs interleave, and whichever run finishes first restores
+/// <c>Console.Out</c> while the others are still writing (CentralUI-003).
+/// </para>
+/// <para>
+/// This writer is installed into <c>Console.Out</c>/<c>Console.Error</c>
+/// <b>exactly once</b> (see <see cref="Install"/>) and never removed. Each
+/// concurrent run pushes its own buffer onto an <see cref="AsyncLocal{T}"/>
+/// scope via <see cref="BeginCapture"/>; writes on that run's logical call-tree
+/// land in that run's buffer only. Writes made on threads with no active
+/// capture scope (i.e. genuine host-process console output) fall through to the
+/// original writer. No process-global mutation happens per run.
+/// </para>
+/// </summary>
+internal sealed class SandboxConsoleCapture : TextWriter
+{
+    private static readonly object InstallLock = new();
+    private static SandboxConsoleCapture? _outInstance;
+    private static SandboxConsoleCapture? _errorInstance;
+
+    private readonly TextWriter _fallback;
+    private readonly AsyncLocal<StringWriter?> _current = new();
+
+    private SandboxConsoleCapture(TextWriter fallback) => _fallback = fallback;
+
+    public override Encoding Encoding => _fallback.Encoding;
+
+    /// <summary>
+    /// Installs the routing writers into <see cref="Console.Out"/> and
+    /// <see cref="Console.Error"/> once for the process. Idempotent and
+    /// thread-safe. Subsequent calls return the already-installed instances.
+    /// </summary>
+    public static (SandboxConsoleCapture Out, SandboxConsoleCapture Error) Install()
+    {
+        if (_outInstance != null && _errorInstance != null)
+            return (_outInstance, _errorInstance);
+
+        lock (InstallLock)
+        {
+            if (_outInstance == null)
+            {
+                _outInstance = new SandboxConsoleCapture(Console.Out);
+                Console.SetOut(_outInstance);
+            }
+
+            if (_errorInstance == null)
+            {
+                _errorInstance = new SandboxConsoleCapture(Console.Error);
+                Console.SetError(_errorInstance);
+            }
+        }
+
+        return (_outInstance, _errorInstance);
+    }
+
+    /// <summary>
+    /// Begins a capture scope on the current logical (async) call-tree. All
+    /// console writes from this point until the returned scope is disposed are
+    /// routed into <paramref name="buffer"/> instead of the original writer.
+    /// The scope is restored on dispose, so nesting and concurrent scopes on
+    /// other call-trees are unaffected.
+    /// </summary>
+    public CaptureScope BeginCapture(StringWriter buffer)
+    {
+        var previous = _current.Value;
+        _current.Value = buffer;
+        return new CaptureScope(this, previous);
+    }
+
+    public override void Write(char value) => Target.Write(value);
+
+    public override void Write(string? value) => Target.Write(value);
+
+    public override void Write(char[] buffer, int index, int count) =>
+        Target.Write(buffer, index, count);
+
+    public override void WriteLine() => Target.WriteLine();
+
+    public override void WriteLine(string? value) => Target.WriteLine(value);
+
+    private TextWriter Target => _current.Value ?? _fallback;
+
+    internal readonly struct CaptureScope : IDisposable
+    {
+        private readonly SandboxConsoleCapture _owner;
+        private readonly StringWriter? _previous;
+
+        internal CaptureScope(SandboxConsoleCapture owner, StringWriter? previous)
+        {
+            _owner = owner;
+            _previous = previous;
+        }
+
+        public void Dispose() => _owner._current.Value = _previous;
+    }
+}
@@ -165,8 +165,10 @@ public class ScriptAnalysisService
    /// because a shared script has no template siblings in this context.
    /// For the SandboxInboundScriptHost surface, every <c>Route</c> call throws
    /// because cross-site routing needs a deployed site.
-    /// Console.Out / Console.Error are redirected per-call so writes from
-    /// the script land in the result.
+    /// Console.Out / Console.Error are captured per-call via an AsyncLocal
+    /// scope (see <see cref="SandboxConsoleCapture"/>) so writes from the script
+    /// land in the result without mutating process-global Console state — two
+    /// concurrent Test Runs do not interfere with each other.
    /// </summary>
    public async Task<SandboxRunResult> RunInSandboxAsync(SandboxRunRequest request, CancellationToken ct)
    {
@@ -377,16 +379,19 @@ public class ScriptAnalysisService
                Instance = instanceContext,
            };

-        var originalOut = Console.Out;
-        var originalError = Console.Error;
+        // Console capture is routed per-call via an AsyncLocal scope (CentralUI-003).
+        // Console.Out is process-global, so it must NOT be redirected per run — two
+        // concurrent Test Runs would interleave output and the first to finish would
+        // restore Console.Out while the other is still writing. SandboxConsoleCapture
+        // installs routing writers once and scopes capture to this call-tree only.
+        var (captureOut, captureError) = SandboxConsoleCapture.Install();
        var captured = new StringWriter();
+        using var outScope = captureOut.BeginCapture(captured);
+        using var errorScope = captureError.BeginCapture(captured);

        var stopwatch = Stopwatch.StartNew();
        try
        {
-            Console.SetOut(captured);
-            Console.SetError(captured);
-
            // Run on a thread-pool thread with no SynchronizationContext: a
            // bound script's Instance.SetAttribute / Attributes[...] block
            // synchronously on cross-site I/O (the API surface is sync by
@@ -437,11 +442,9 @@ public class ScriptAnalysisService
                $"{inner.GetType().Name}: {inner.Message}",
                SandboxErrorKind.RuntimeError, stopwatch.ElapsedMilliseconds, null);
        }
-        finally
-        {
-            Console.SetOut(originalOut);
-            Console.SetError(originalError);
-        }
+        // outScope / errorScope are disposed by their `using` declarations when the
+        // method returns, restoring the previous capture scope on this call-tree
+        // without touching process-global Console state.
    }

    private static Dictionary<string, object?> ConvertJsonParameters(
@@ -18,6 +18,10 @@ public static class ServiceCollectionExtensions
        services.AddScoped<AuthenticationStateProvider, CookieAuthenticationStateProvider>();
        services.AddCascadingAuthenticationState();

+        // Resolves the current user's permitted site set from their SiteId claims
+        // so Deployment/Monitoring pages can enforce site scoping (CentralUI-002).
+        services.AddScoped<SiteScopeService>();
+
        // Centralised dialog service: pages inject IDialogService and a single
        // <DialogHost /> in MainLayout renders the active dialog. See
        // Components/Shared/IDialogService.cs.
@@ -183,6 +183,15 @@ public class DebugStreamBridgeActor : ReceiveActor, IWithTimers
            return;
        }

+        // Unsubscribe the failed stream on the *previous* endpoint before reconnecting.
+        // This cancels the local subscription CTS and -- where the channel is still
+        // alive -- propagates gRPC cancellation to the site so its SiteStreamGrpcServer
+        // stops the StreamRelayActor for this correlation ID, rather than leaving a
+        // zombie relay actor until TCP RST / keepalive eventually detects the loss.
+        var previousEndpoint = _useNodeA ? _grpcNodeAAddress : _grpcNodeBAddress;
+        var previousClient = _grpcFactory.GetOrCreate(_siteIdentifier, previousEndpoint);
+        previousClient.Unsubscribe(_correlationId);
+
        // Flip to the other node
        _useNodeA = !_useNodeA;

@@ -57,6 +57,32 @@ public class SiteStreamGrpcClient : IAsyncDisposable
        _subscriptions[correlationId] = cts;
    }

+    /// <summary>
+    /// Registers a subscription's CancellationTokenSource for a correlation ID.
+    /// If an entry already exists for that correlation ID (a reconnect race where two
+    /// <see cref="SubscribeAsync"/> calls briefly share an ID), the prior CTS is
+    /// cancelled and disposed so it cannot leak. Internal for testability.
+    /// </summary>
+    internal void RegisterSubscription(string correlationId, CancellationTokenSource cts)
+    {
+        if (_subscriptions.TryGetValue(correlationId, out var prior) && !ReferenceEquals(prior, cts))
+        {
+            prior.Cancel();
+            prior.Dispose();
+        }
+        _subscriptions[correlationId] = cts;
+    }
+
+    /// <summary>
+    /// Removes the subscription entry for a correlation ID only if the stored CTS is
+    /// exactly the one supplied. A racing replacement stream may already own the slot,
+    /// in which case this is a no-op. Internal for testability.
+    /// </summary>
+    internal void RemoveSubscription(string correlationId, CancellationTokenSource cts)
+    {
+        _subscriptions.TryRemove(new KeyValuePair<string, CancellationTokenSource>(correlationId, cts));
+    }
+
    /// <summary>
    /// Opens a server-streaming subscription for a specific instance.
    /// This is a long-running async method; the caller launches it as a background task.
@@ -74,7 +100,7 @@ public class SiteStreamGrpcClient : IAsyncDisposable
            throw new InvalidOperationException("Cannot subscribe on a test-only client.");

        var cts = CancellationTokenSource.CreateLinkedTokenSource(ct);
-        _subscriptions[correlationId] = cts;
+        RegisterSubscription(correlationId, cts);

        var request = new InstanceStreamRequest
        {
@@ -103,7 +129,8 @@ public class SiteStreamGrpcClient : IAsyncDisposable
        }
        finally
        {
-            _subscriptions.TryRemove(correlationId, out _);
+            // Remove only our own entry -- a racing reconnect may already own the slot.
+            RemoveSubscription(correlationId, cts);
        }
    }

@@ -27,17 +27,15 @@ public class TemplateEngineRepository : ITemplateEngineRepository
            .FirstOrDefaultAsync(t => t.Id == id, cancellationToken);
    }

+    /// <summary>
+    /// Loads a template together with its child members — Attributes, Alarms,
+    /// Scripts and Compositions — eager-loaded so callers get the full template
+    /// aggregate in a single round-trip. "Children" here refers to the template's
+    /// member collections, not derived/sub templates.
+    /// </summary>
    public async Task<Template?> GetTemplateWithChildrenAsync(int id, CancellationToken cancellationToken = default)
    {
-        var template = await GetTemplateByIdAsync(id, cancellationToken);
-        if (template == null) return null;
-
-        // Load all templates that have this template as parent
-        var children = await _context.Templates
-            .Where(t => t.ParentTemplateId == id)
-            .ToListAsync(cancellationToken);
-
-        return template;
+        return await GetTemplateByIdAsync(id, cancellationToken);
    }

    public async Task<IReadOnlyList<Template>> GetAllTemplatesAsync(CancellationToken cancellationToken = default)
@@ -0,0 +1,54 @@
+using System.CommandLine;
+using ScadaLink.CLI;
+using ScadaLink.CLI.Commands;
+
+namespace ScadaLink.CLI.Tests;
+
+public class FormatResolutionTests
+{
+    private static (Option<string> formatOption, RootCommand root) BuildHarness()
+    {
+        var formatOption = new Option<string>("--format") { Recursive = true };
+        var root = new RootCommand();
+        root.Add(formatOption);
+        return (formatOption, root);
+    }
+
+    [Fact]
+    public void ResolveFormat_ExplicitFlag_OverridesConfig()
+    {
+        var (formatOption, root) = BuildHarness();
+        var result = root.Parse(new[] { "--format", "table" });
+        var config = new CliConfig { DefaultFormat = "json" };
+
+        var format = CommandHelpers.ResolveFormat(result, formatOption, config);
+
+        Assert.Equal("table", format);
+    }
+
+    [Fact]
+    public void ResolveFormat_FlagAbsent_UsesConfigDefaultFormat()
+    {
+        // Regression for CLI-001: when --format is not supplied, the config-file /
+        // env-var DefaultFormat must be honoured instead of always falling back to "json".
+        var (formatOption, root) = BuildHarness();
+        var result = root.Parse(Array.Empty<string>());
+        var config = new CliConfig { DefaultFormat = "table" };
+
+        var format = CommandHelpers.ResolveFormat(result, formatOption, config);
+
+        Assert.Equal("table", format);
+    }
+
+    [Fact]
+    public void ResolveFormat_FlagAbsent_AndNoConfig_DefaultsToJson()
+    {
+        var (formatOption, root) = BuildHarness();
+        var result = root.Parse(Array.Empty<string>());
+        var config = new CliConfig { DefaultFormat = "json" };
+
+        var format = CommandHelpers.ResolveFormat(result, formatOption, config);
+
+        Assert.Equal("json", format);
+    }
+}
@@ -0,0 +1,79 @@
+using System.Security.Claims;
+using Microsoft.AspNetCore.Http;
+using ScadaLink.CentralUI.Auth;
+
+namespace ScadaLink.CentralUI.Tests.Auth;
+
+/// <summary>
+/// Regression tests for CentralUI-004. The provider used to read
+/// <see cref="IHttpContextAccessor.HttpContext"/> on every call; once the Blazor
+/// circuit is established that context is gone, so later re-evaluations saw an
+/// unauthenticated principal. The provider must snapshot the principal once at
+/// construction (during the initial HTTP request) and serve it for the circuit.
+/// </summary>
+public class CookieAuthenticationStateProviderTests
+{
+    private static ClaimsPrincipal AuthenticatedUser(string name)
+    {
+        var identity = new ClaimsIdentity(
+            new[] { new Claim(ClaimTypes.Name, name) },
+            authenticationType: "TestCookie");
+        return new ClaimsPrincipal(identity);
+    }
+
+    [Fact]
+    public async Task GetAuthenticationStateAsync_ReturnsAuthenticatedUser_WhenHttpContextPresent()
+    {
+        var accessor = new HttpContextAccessor
+        {
+            HttpContext = new DefaultHttpContext { User = AuthenticatedUser("alice") }
+        };
+
+        var provider = new CookieAuthenticationStateProvider(accessor);
+        var state = await provider.GetAuthenticationStateAsync();
+
+        Assert.True(state.User.Identity?.IsAuthenticated);
+        Assert.Equal("alice", state.User.Identity?.Name);
+    }
+
+    [Fact]
+    public async Task GetAuthenticationStateAsync_StillReturnsUser_AfterHttpContextIsGone()
+    {
+        // The circuit is built during the HTTP request: HttpContext is valid then.
+        var accessor = new HttpContextAccessor
+        {
+            HttpContext = new DefaultHttpContext { User = AuthenticatedUser("bob") }
+        };
+        var provider = new CookieAuthenticationStateProvider(accessor);
+
+        // After the request completes, IHttpContextAccessor.HttpContext is null for
+        // the life of the long-lived SignalR circuit.
+        accessor.HttpContext = null;
+
+        var state = await provider.GetAuthenticationStateAsync();
+
+        // The pre-fix implementation returned an anonymous principal here.
+        Assert.True(state.User.Identity?.IsAuthenticated);
+        Assert.Equal("bob", state.User.Identity?.Name);
+    }
+
+    [Fact]
+    public async Task GetAuthenticationStateAsync_IsStableAcrossCalls_IgnoringStaleForeignContext()
+    {
+        var accessor = new HttpContextAccessor
+        {
+            HttpContext = new DefaultHttpContext { User = AuthenticatedUser("carol") }
+        };
+        var provider = new CookieAuthenticationStateProvider(accessor);
+
+        // A stale/foreign context leaking through the AsyncLocal accessor must NOT
+        // change what this circuit's provider reports.
+        accessor.HttpContext = new DefaultHttpContext { User = AuthenticatedUser("intruder") };
+
+        var first = await provider.GetAuthenticationStateAsync();
+        var second = await provider.GetAuthenticationStateAsync();
+
+        Assert.Equal("carol", first.User.Identity?.Name);
+        Assert.Equal("carol", second.User.Identity?.Name);
+    }
+}
@@ -0,0 +1,93 @@
+using System.Security.Claims;
+using Microsoft.AspNetCore.Components.Authorization;
+using ScadaLink.CentralUI.Auth;
+using ScadaLink.Commons.Entities.Sites;
+using ScadaLink.Security;
+
+namespace ScadaLink.CentralUI.Tests.Auth;
+
+/// <summary>
+/// Regression tests for CentralUI-002. Site-scoped Deployment permissions are
+/// written as <c>SiteId</c> claims at login but were never read — Deployment
+/// pages listed and acted on every site. <see cref="SiteScopeService"/> is the
+/// shared helper that reads those claims; these tests pin its behaviour.
+/// </summary>
+public class SiteScopeServiceTests
+{
+    private sealed class StubAuthStateProvider : AuthenticationStateProvider
+    {
+        private readonly ClaimsPrincipal _user;
+        public StubAuthStateProvider(ClaimsPrincipal user) => _user = user;
+        public override Task<AuthenticationState> GetAuthenticationStateAsync()
+            => Task.FromResult(new AuthenticationState(_user));
+    }
+
+    private static SiteScopeService ForUser(params Claim[] claims)
+    {
+        var identity = new ClaimsIdentity(claims, authenticationType: "TestCookie");
+        return new SiteScopeService(new StubAuthStateProvider(new ClaimsPrincipal(identity)));
+    }
+
+    private static Claim Role(string role) => new(JwtTokenService.RoleClaimType, role);
+    private static Claim SiteClaim(int id) => new(JwtTokenService.SiteIdClaimType, id.ToString());
+
+    private static List<Site> Sites(params int[] ids)
+        => ids.Select(id => new Site($"Site{id}", $"SITE-{id}") { Id = id }).ToList();
+
+    [Fact]
+    public async Task DeploymentUserWithNoSiteClaims_IsSystemWide()
+    {
+        var svc = ForUser(Role("Deployment"));
+
+        Assert.True(await svc.IsSystemWideAsync());
+        Assert.Empty(await svc.PermittedSiteIdsAsync());
+    }
+
+    [Fact]
+    public async Task SystemWideUser_FilterSites_ReturnsAllSites()
+    {
+        var svc = ForUser(Role("Deployment"));
+
+        var filtered = await svc.FilterSitesAsync(Sites(1, 2, 3));
+
+        Assert.Equal(new[] { 1, 2, 3 }, filtered.Select(s => s.Id));
+    }
+
+    [Fact]
+    public async Task ScopedUser_FilterSites_ReturnsOnlyPermittedSites()
+    {
+        // Regression: a Deployment user scoped to sites 1 and 3 must NOT see site 2.
+        var svc = ForUser(Role("Deployment"), SiteClaim(1), SiteClaim(3));
+
+        var filtered = await svc.FilterSitesAsync(Sites(1, 2, 3, 4));
+
+        Assert.Equal(new[] { 1, 3 }, filtered.Select(s => s.Id).OrderBy(x => x));
+    }
+
+    [Fact]
+    public async Task ScopedUser_IsSiteAllowed_OnlyForGrantedSites()
+    {
+        var svc = ForUser(Role("Deployment"), SiteClaim(5));
+
+        Assert.True(await svc.IsSiteAllowedAsync(5));
+        Assert.False(await svc.IsSiteAllowedAsync(6));
+    }
+
+    [Fact]
+    public async Task ScopedUser_IsNotSystemWide_AndReportsItsPermittedIds()
+    {
+        var svc = ForUser(Role("Deployment"), SiteClaim(7), SiteClaim(9));
+
+        Assert.False(await svc.IsSystemWideAsync());
+        Assert.Equal(new[] { 7, 9 }, (await svc.PermittedSiteIdsAsync()).OrderBy(x => x));
+    }
+
+    [Fact]
+    public async Task SystemWideUser_IsSiteAllowed_ForAnySite()
+    {
+        var svc = ForUser(Role("Deployment"));
+
+        Assert.True(await svc.IsSiteAllowedAsync(1));
+        Assert.True(await svc.IsSiteAllowedAsync(999));
+    }
+}
@@ -465,4 +465,89 @@ public class ScriptAnalysisServiceTests
        Assert.True(result.Success);
        Assert.Equal("42", result.ReturnValueJson);
    }
+
+    [Fact]
+    public async Task RunInSandbox_CapturesConsoleOutput()
+    {
+        var result = await _svc.RunInSandboxAsync(
+            new SandboxRunRequest(
+                "System.Console.WriteLine(\"hello-sandbox\"); return 1;",
+                Parameters: null,
+                TimeoutSeconds: null),
+            CancellationToken.None);
+
+        Assert.True(result.Success);
+        Assert.Contains("hello-sandbox", result.ConsoleOutput);
+    }
+
+    [Fact]
+    public async Task RunInSandbox_ConcurrentRuns_DoNotCrossContaminateConsoleOutput()
+    {
+        // Regression test for CentralUI-003. RunInSandboxAsync used to redirect the
+        // process-global Console.Out/Error to a per-call StringWriter. While one run
+        // is mid-flight, any concurrent run's `finally` restores Console.Out to the
+        // ORIGINAL writer — so the long run loses every Console.WriteLine it makes
+        // after that point, and short runs cross-contaminate each other. The fix
+        // routes capture per-call via an AsyncLocal writer without mutating
+        // process-global Console state.
+
+        // A long-running script: writes its tag, then burns CPU, then writes again,
+        // repeatedly. While it spins, many short runs start and finish around it.
+        async Task<string> RunLong()
+        {
+            var code = @"
+                for (int i = 0; i < 40; i++)
+                {
+                    System.Console.WriteLine(""LONG"");
+                    long acc = 0;
+                    for (long j = 0; j < 2_000_000; j++) acc += j;
+                    System.Console.WriteLine(""LONG"" + acc);
+                }
+                return 0;";
+            var r = await _svc.RunInSandboxAsync(
+                new SandboxRunRequest(code, Parameters: null, TimeoutSeconds: 30),
+                CancellationToken.None);
+            Assert.True(r.Success, r.Error);
+            return r.ConsoleOutput;
+        }
+
+        async Task<string> RunShort(int id)
+        {
+            var code = $"for (int i = 0; i < 30; i++) System.Console.WriteLine(\"S{id}\"); return 0;";
+            var r = await _svc.RunInSandboxAsync(
+                new SandboxRunRequest(code, Parameters: null, TimeoutSeconds: 30),
+                CancellationToken.None);
+            Assert.True(r.Success, r.Error);
+            return r.ConsoleOutput;
+        }
+
+        var longTask = RunLong();
+        var shortTasks = new List<Task<string>>();
+        for (var round = 0; round < 12; round++)
+        {
+            for (var k = 0; k < 4; k++)
+                shortTasks.Add(RunShort(round * 4 + k));
+            await Task.Yield();
+        }
+
+        var longOut = await longTask;
+        var shortOuts = await Task.WhenAll(shortTasks);
+
+        // The long run must have captured ALL 80 of its own writes (40 plain + 40 acc).
+        var longLines = longOut.Split('\n', StringSplitOptions.RemoveEmptyEntries)
+            .Count(l => l.StartsWith("LONG"));
+        Assert.Equal(80, longLines);
+
+        // No short run's output must have leaked into the long run's capture.
+        for (var i = 0; i < shortOuts.Length; i++)
+            Assert.DoesNotContain($"S{i}", longOut);
+
+        // Each short run captured exactly its own 30 lines and nothing else.
+        for (var i = 0; i < shortOuts.Length; i++)
+        {
+            var lines = shortOuts[i].Split('\n', StringSplitOptions.RemoveEmptyEntries);
+            Assert.Equal(30, lines.Length);
+            Assert.All(lines, l => Assert.Equal($"S{i}", l.Trim()));
+        }
+    }
 }
@@ -65,6 +65,10 @@ public class TopologyPageTests : BunitContext
        // DI registration still has to satisfy the [Inject].
        Services.AddScoped<IDialogService, DialogService>();

+        // Site scoping (CentralUI-002): Topology injects SiteScopeService to
+        // filter the tree by the user's permitted sites.
+        Services.AddScoped<ScadaLink.CentralUI.Auth.SiteScopeService>();
+
        // TreeView persists expansion state via JS interop. Stub the calls so render doesn't throw.
        JSInterop.Setup<string?>("treeviewStorage.load", _ => true).SetResult(null);
        JSInterop.SetupVoid("treeviewStorage.save", _ => true);
@@ -194,6 +198,52 @@ public class TopologyPageTests : BunitContext
        Assert.Contains(dimmedNodes, n => n.TextContent.Contains("Boilers"));
    }

+    [Fact]
+    public void SiteScoping_ScopedDeploymentUser_OnlySeesPermittedSites()
+    {
+        // Regression test for CentralUI-002. The SiteId claims issued at login were
+        // never read, so a Deployment user scoped to one site could view (and act
+        // on) every site's topology. Topology now filters the tree by the user's
+        // permitted sites via SiteScopeService.
+        var scopedUser = new ClaimsPrincipal(new ClaimsIdentity(new[]
+        {
+            new Claim("Username", "scoped-tester"),
+            new Claim(ScadaLink.Security.JwtTokenService.RoleClaimType, "Deployment"),
+            // Permitted on site 1 only.
+            new Claim(ScadaLink.Security.JwtTokenService.SiteIdClaimType, "1"),
+        }, "TestAuth"));
+        // Last AuthenticationStateProvider registration wins on resolution.
+        Services.AddSingleton<AuthenticationStateProvider>(new TestAuthStateProvider(scopedUser));
+
+        SeedRepos(sites: new[]
+        {
+            new Site("Plant-A", "plant-a") { Id = 1 },
+            new Site("Plant-B", "plant-b") { Id = 2 },
+        });
+
+        var cut = Render<TopologyPage>();
+
+        // The permitted site is rendered; the non-permitted site is not.
+        Assert.Contains("Plant-A", cut.Markup);
+        Assert.DoesNotContain("Plant-B", cut.Markup);
+    }
+
+    [Fact]
+    public void SiteScoping_SystemWideDeploymentUser_SeesAllSites()
+    {
+        // A Deployment user with no SiteId claims is system-wide and sees every site.
+        SeedRepos(sites: new[]
+        {
+            new Site("Plant-A", "plant-a") { Id = 1 },
+            new Site("Plant-B", "plant-b") { Id = 2 },
+        });
+
+        var cut = Render<TopologyPage>();
+
+        Assert.Contains("Plant-A", cut.Markup);
+        Assert.Contains("Plant-B", cut.Markup);
+    }
+
    [Fact]
    public void DoubleClick_OnAreaLabel_EntersRenameMode()
    {
@@ -159,6 +159,34 @@ public class DebugStreamBridgeActorTests : TestKit
        Assert.Equal("corr-1", ctx.MockGrpcClient.SubscribeCalls[1].CorrelationId);
    }

+    [Fact]
+    public void On_GrpcError_Unsubscribes_Old_Stream_Before_Reconnect()
+    {
+        // Communication-002 regression: a reconnect must unsubscribe the previous
+        // stream so the old node does not keep a zombie relay actor / subscription.
+        var ctx = CreateBridgeActor();
+        ctx.CommProbe.ExpectMsg<SiteEnvelope>();
+
+        var snapshot = new DebugViewSnapshot(
+            InstanceName,
+            new List<AttributeValueChanged>(),
+            new List<AlarmStateChanged>(),
+            DateTimeOffset.UtcNow);
+
+        ctx.BridgeActor.Tell(snapshot);
+        AwaitCondition(() => ctx.MockGrpcClient.SubscribeCalls.Count == 1, TimeSpan.FromSeconds(3));
+
+        // Simulate gRPC error → reconnect
+        ctx.MockGrpcClient.SubscribeCalls[0].OnError(new Exception("Stream broken"));
+
+        // Should resubscribe...
+        AwaitCondition(() => ctx.MockGrpcClient.SubscribeCalls.Count == 2, TimeSpan.FromSeconds(5));
+
+        // ...and must have unsubscribed the prior correlation ID so the old node's
+        // relay actor is released rather than left zombie.
+        Assert.Contains("corr-1", ctx.MockGrpcClient.UnsubscribedCorrelationIds);
+    }
+
    [Fact]
    public void After_MaxRetries_Terminates()
    {
@@ -176,4 +176,49 @@ public class SiteStreamGrpcClientTests
        Assert.True(cts1.IsCancellationRequested);
        Assert.True(cts2.IsCancellationRequested);
    }
+
+    // --- Communication-003 regression tests ---
+
+    [Fact]
+    public void RegisterSubscription_ReusedCorrelationId_CancelsAndDisposesPriorCts()
+    {
+        // Two SubscribeAsync calls briefly sharing a correlation ID (reconnect race).
+        // Inserting the second must cancel + dispose the first so it does not leak.
+        var client = SiteStreamGrpcClient.CreateForTesting();
+
+        var first = new CancellationTokenSource();
+        var second = new CancellationTokenSource();
+
+        client.RegisterSubscription("corr-shared", first);
+        client.RegisterSubscription("corr-shared", second);
+
+        Assert.True(first.IsCancellationRequested);
+        // Disposed CTS throws ObjectDisposedException when its token is touched.
+        Assert.Throws<ObjectDisposedException>(() => _ = first.Token);
+
+        // The second (live) CTS must remain intact.
+        Assert.False(second.IsCancellationRequested);
+    }
+
+    [Fact]
+    public void RemoveSubscription_OnlyRemovesOwnCts_NotAReplacement()
+    {
+        // First call's finally must NOT remove the second call's live entry.
+        var client = SiteStreamGrpcClient.CreateForTesting();
+
+        var first = new CancellationTokenSource();
+        var second = new CancellationTokenSource();
+
+        client.RegisterSubscription("corr-shared", first);
+        // A racing second SubscribeAsync replaces the entry.
+        client.RegisterSubscription("corr-shared", second);
+
+        // The first call's finally runs and tries to remove its (already-replaced) entry.
+        client.RemoveSubscription("corr-shared", first);
+
+        // The live (second) subscription must still be cancellable via Unsubscribe.
+        Assert.False(second.IsCancellationRequested);
+        client.Unsubscribe("corr-shared");
+        Assert.True(second.IsCancellationRequested);
+    }
 }
@@ -0,0 +1,90 @@
+using Microsoft.EntityFrameworkCore;
+using ScadaLink.Commons.Entities.Templates;
+using ScadaLink.ConfigurationDatabase;
+using ScadaLink.ConfigurationDatabase.Repositories;
+
+namespace ScadaLink.ConfigurationDatabase.Tests;
+
+public class TemplateEngineRepositoryTests : IDisposable
+{
+    private readonly ScadaLinkDbContext _context;
+    private readonly TemplateEngineRepository _repository;
+
+    public TemplateEngineRepositoryTests()
+    {
+        var options = new DbContextOptionsBuilder<ScadaLinkDbContext>()
+            .UseSqlite("DataSource=:memory:")
+            .Options;
+
+        _context = new ScadaLinkDbContext(options);
+        _context.Database.OpenConnection();
+        _context.Database.EnsureCreated();
+        _repository = new TemplateEngineRepository(_context);
+    }
+
+    public void Dispose()
+    {
+        _context.Database.CloseConnection();
+        _context.Dispose();
+    }
+
+    [Fact]
+    public async Task GetTemplateWithChildrenAsync_ReturnsTemplateWithAllMemberCollectionsPopulated()
+    {
+        // Arrange: a template with one attribute, one alarm, one script and one composition.
+        var composed = new Template("ComposedTemplate");
+        _context.Templates.Add(composed);
+        await _context.SaveChangesAsync();
+
+        var template = new Template("ParentTemplate");
+        template.Attributes.Add(new TemplateAttribute("Attr1"));
+        template.Alarms.Add(new TemplateAlarm("Alarm1"));
+        template.Scripts.Add(new TemplateScript("Script1", "return 1;"));
+        template.Compositions.Add(new TemplateComposition("Slot1") { ComposedTemplateId = composed.Id });
+        _context.Templates.Add(template);
+        await _context.SaveChangesAsync();
+
+        // Act
+        var loaded = await _repository.GetTemplateWithChildrenAsync(template.Id);
+
+        // Assert: the method must deliver the template's child members to the caller,
+        // not silently drop them. Regression guard for ConfigurationDatabase-001.
+        Assert.NotNull(loaded);
+        Assert.Equal(template.Id, loaded!.Id);
+        Assert.Single(loaded.Attributes);
+        Assert.Equal("Attr1", loaded.Attributes.First().Name);
+        Assert.Single(loaded.Alarms);
+        Assert.Equal("Alarm1", loaded.Alarms.First().Name);
+        Assert.Single(loaded.Scripts);
+        Assert.Equal("Script1", loaded.Scripts.First().Name);
+        Assert.Single(loaded.Compositions);
+        Assert.Equal("Slot1", loaded.Compositions.First().InstanceName);
+    }
+
+    [Fact]
+    public async Task GetTemplateWithChildrenAsync_ReturnsNull_WhenTemplateDoesNotExist()
+    {
+        var loaded = await _repository.GetTemplateWithChildrenAsync(9999);
+
+        Assert.Null(loaded);
+    }
+
+    [Fact]
+    public async Task GetTemplateWithChildrenAsync_PreservesParentTemplateId_ForInheritanceChainWalk()
+    {
+        // FlatteningPipeline.BuildTemplateChainAsync walks ParentTemplateId upward.
+        // The result of GetTemplateWithChildrenAsync must carry that link intact.
+        var baseTemplate = new Template("BaseTemplate");
+        _context.Templates.Add(baseTemplate);
+        await _context.SaveChangesAsync();
+
+        var derived = new Template("DerivedTemplate") { ParentTemplateId = baseTemplate.Id };
+        _context.Templates.Add(derived);
+        await _context.SaveChangesAsync();
+
+        var loaded = await _repository.GetTemplateWithChildrenAsync(derived.Id);
+
+        Assert.NotNull(loaded);
+        Assert.Equal(baseTemplate.Id, loaded!.ParentTemplateId);
+    }
+}
Author	SHA1	Message	Date
Joseph Doherty	d7630d80fe	docs(code-reviews): regenerate index after batch 1 High fixes	2026-05-16 19:33:11 -04:00
Joseph Doherty	db08c6eb38	docs(code-reviews): re-triage ClusterInfrastructure-001 — bootstrap lives in Host, needs design decision	2026-05-16 19:33:09 -04:00
Joseph Doherty	9043f0089b	fix(configuration-database): resolve ConfigurationDatabase-001 — remove dead child-template query in GetTemplateWithChildrenAsync	2026-05-16 19:33:09 -04:00
Joseph Doherty	301e7fb854	fix(communication): resolve Communication-002/003 — gRPC reconnect stream cleanup and subscription map safety	2026-05-16 19:33:09 -04:00
Joseph Doherty	87f14c190a	fix(central-ui): resolve CentralUI-002/003/004 — site-scope enforcement, per-circuit console capture, cached auth state	2026-05-16 19:33:09 -04:00
Joseph Doherty	5a08b04535	fix(cli): resolve CLI-001 — honor SCADALINK_FORMAT and config-file format precedence	2026-05-16 19:33:09 -04:00