diff --git a/code-reviews/TemplateEngine/findings.md b/code-reviews/TemplateEngine/findings.md
index 212674a..57db1b8 100644
--- a/code-reviews/TemplateEngine/findings.md
+++ b/code-reviews/TemplateEngine/findings.md
@@ -8,7 +8,7 @@
 | Last reviewed | 2026-05-16 |
 | Reviewer | claude-agent |
 | Commit reviewed | `9c60592` |
-| Open findings | 14 |
+| Open findings | 10 |
 
 ## Summary
 
@@ -52,7 +52,7 @@ of attributes vs. alarms vs. scripts throughout the resolve/flatten/derive paths
 |--|--|
 | Severity | High |
 | Category | Correctness & logic bugs |
-| Status | Open |
+| Status | Resolved |
 | Location | `src/ScadaLink.TemplateEngine/Flattening/FlatteningService.cs:211`, `src/ScadaLink.TemplateEngine/Flattening/FlatteningService.cs:535`, `src/ScadaLink.TemplateEngine/Flattening/FlatteningService.cs:609` |
 
 **Description**
@@ -77,7 +77,13 @@ the recursion already in `TemplateResolver.AddComposedMembers` and
 
 **Resolution**
 
-_Unresolved._
+Resolved 2026-05-16 (commit `<pending>`): replaced the hand-unrolled
+one/two-level composition loops in `ResolveComposedAttributes`,
+`ResolveComposedAlarms`, and `ResolveComposedScripts` with single recursive
+walks (`*Recursive` helpers) carrying the accumulated path prefix and a
+`visited` set, so composed members at arbitrary nesting depth are resolved.
+Regression tests: `Flatten_ThreeLevelComposition_AttributesAlarmsScriptsAllResolved`,
+`Flatten_NestedComposedAlarm_TriggerAttributePrefixed`.
 
 ### TemplateEngine-002 — Derived templates omit all base alarms; composed alarms cannot be overridden per slot
 
@@ -110,7 +116,22 @@ already do.
 
 **Resolution**
 
-_Unresolved._
+_Unresolved (re-triaged 2026-05-16)._ Partially mis-stated and out of the
+current fix scope. Correction to the description: composed/inherited alarms
+are **not** dropped from the flattened deployment output — `FlatteningService`
+resolves alarms from the entire inheritance chain (`ResolveInheritedAlarms`
+walks `templateChain`, which includes the base of a derived template), so an
+instance of a derived template still receives the base template's alarms. The
+real, valid gap is narrower: there is no per-slot **alarm override**
+mechanism. The fix genuinely requires adding `IsInherited` / `LockedInDerived`
+fields to the `TemplateAlarm` entity, which lives in `ScadaLink.Commons`
+(a different module). Adding an alarm copy loop to `BuildDerivedTemplate`
+without those fields would be actively harmful: copied alarm rows on the
+derived template would shadow the live base alarm with stale data during
+flattening (`ResolveInheritedAlarms` has no `IsInherited` skip for alarms,
+unlike attributes/scripts). Resolving this safely is a cross-module change
+(`Commons` + `TemplateEngine`) and must be scheduled as a coordinated edit;
+left **Open** pending that.
 
 ### TemplateEngine-003 — `UpdateAttributeAsync` lets a non-locked attribute change its fixed DataType / DataSourceReference
 
@@ -118,7 +139,7 @@ _Unresolved._
 |--|--|
 | Severity | High |
 | Category | Correctness & logic bugs |
-| Status | Open |
+| Status | Resolved |
 | Location | `src/ScadaLink.TemplateEngine/TemplateService.cs:285` |
 
 **Description**
@@ -147,7 +168,12 @@ apply block.
 
 **Resolution**
 
-_Unresolved._
+Resolved 2026-05-16 (commit `<pending>`): removed the `&& existing.IsLocked`
+guard in `UpdateAttributeAsync` so the fixed-field granularity error is always
+honoured, and removed the unconditional `existing.DataType` /
+`existing.DataSourceReference` assignments from the apply block. Regression
+tests: `UpdateAttribute_UnlockedAttribute_DataTypeChangeRejected`,
+`UpdateAttribute_UnlockedAttribute_DataSourceReferenceChangeRejected`.
 
 ### TemplateEngine-004 — Alarm on-trigger script references are never resolved (empty placeholder)
 
@@ -155,7 +181,7 @@ _Unresolved._
 |--|--|
 | Severity | High |
 | Category | Correctness & logic bugs |
-| Status | Open |
+| Status | Resolved |
 | Location | `src/ScadaLink.TemplateEngine/Flattening/FlatteningService.cs:695` |
 
 **Description**
@@ -179,7 +205,15 @@ and implement that consistently.
 
 **Resolution**
 
-_Unresolved._
+Resolved 2026-05-16 (commit `<pending>`): implemented `ResolveAlarmScriptReferences`.
+Alarm resolution now records each resolved alarm's `OnTriggerScriptId` keyed by
+canonical name, and script resolution records each resolved `TemplateScript.Id`
+keyed by its canonical name (both honour composition path prefixes). Step 7
+joins the two maps to set `ResolvedAlarm.OnTriggerScriptCanonicalName`, so the
+revision hash, diff, and `SemanticValidator` on-trigger-script-exists check now
+all see the reference. Regression tests:
+`Flatten_AlarmOnTriggerScript_ResolvedToCanonicalName`,
+`Flatten_ComposedAlarmOnTriggerScript_ResolvedWithPrefix`.
 
 ### TemplateEngine-005 — Collision validation is skipped when creating a child template
 
@@ -187,7 +221,7 @@ _Unresolved._
 |--|--|
 | Severity | High |
 | Category | Correctness & logic bugs |
-| Status | Open |
+| Status | Resolved |
 | Location | `src/ScadaLink.TemplateEngine/TemplateService.cs:56` |
 
 **Description**
@@ -210,7 +244,15 @@ that explicitly instead of leaving a no-op.
 
 **Resolution**
 
-_Unresolved._
+Resolved 2026-05-16 (commit `<pending>`): deleted the dead `if
+(parentTemplateId.HasValue)` block and its unused `GetAllTemplatesAsync`
+read in `CreateTemplateAsync`. A create-time collision check on a child is a
+guaranteed no-op — a freshly created template has no members of its own, the
+parent's members were already collision-validated on every member-mutating
+call, and a new child cannot be an ancestor of its parent. Replaced the no-op
+with an explanatory comment documenting that collision detection is enforced
+on `AddAttribute`/`AddAlarm`/`AddScript`/`AddComposition` and on rename.
+Regression test: `CreateTemplate_WithParent_DoesNotRunDeadCollisionQuery`.
 
 ### TemplateEngine-006 — Forbidden-API enforcement is a naive substring scan (bypassable and false-positive prone)
 
diff --git a/src/ScadaLink.TemplateEngine/Flattening/FlatteningService.cs b/src/ScadaLink.TemplateEngine/Flattening/FlatteningService.cs
index 3e96ed5..261a627 100644
--- a/src/ScadaLink.TemplateEngine/Flattening/FlatteningService.cs
+++ b/src/ScadaLink.TemplateEngine/Flattening/FlatteningService.cs
@@ -78,17 +78,23 @@ public class FlatteningService
             // Step 4: Apply connection bindings
             ApplyConnectionBindings(instance.ConnectionBindings, attributes, dataConnections);
 
-            // Step 5: Resolve alarms from inheritance chain
-            var alarms = ResolveInheritedAlarms(templateChain);
-            ResolveComposedAlarms(templateChain, compositionMap, composedTemplateChains, alarms);
+            // Step 5: Resolve alarms from inheritance chain.
+            // alarmScriptIds maps a resolved alarm's canonical name to the
+            // TemplateScript.Id of its on-trigger script (if any).
+            var alarmScriptIds = new Dictionary<string, int>(StringComparer.Ordinal);
+            var alarms = ResolveInheritedAlarms(templateChain, prefix: null, alarmScriptIds);
+            ResolveComposedAlarms(templateChain, compositionMap, composedTemplateChains, alarms, alarmScriptIds);
             ApplyInstanceAlarmOverrides(instance.AlarmOverrides, alarms);
 
-            // Step 6: Resolve scripts from inheritance chain
-            var scripts = ResolveInheritedScripts(templateChain);
-            ResolveComposedScripts(templateChain, compositionMap, composedTemplateChains, scripts);
+            // Step 6: Resolve scripts from inheritance chain.
+            // scriptCanonicalById maps a TemplateScript.Id to its resolved
+            // canonical name, used to wire up alarm on-trigger script refs.
+            var scriptCanonicalById = new Dictionary<int, string>();
+            var scripts = ResolveInheritedScripts(templateChain, prefix: null, scriptCanonicalById);
+            ResolveComposedScripts(templateChain, compositionMap, composedTemplateChains, scripts, scriptCanonicalById);
 
             // Step 7: Resolve alarm on-trigger script references to canonical names
-            ResolveAlarmScriptReferences(alarms, scripts);
+            ResolveAlarmScriptReferences(alarms, alarmScriptIds, scriptCanonicalById);
 
             // Step 8: Collect connection configurations for deployment packaging
             var connections = new Dictionary<string, ConnectionConfig>();
@@ -221,57 +227,56 @@ public class FlatteningService
                 continue;
 
             foreach (var composition in compositions)
+                ResolveComposedAttributesRecursive(
+                    composition, composition.InstanceName,
+                    compositionMap, composedTemplateChains, attributes, new HashSet<int>());
+        }
+    }
+
+    /// <summary>
+    /// Recursively resolves the attributes of a composed module and every
+    /// module nested inside it (to arbitrary depth), path-qualifying each
+    /// canonical name with the accumulated <paramref name="prefix"/>.
+    /// </summary>
+    private static void ResolveComposedAttributesRecursive(
+        TemplateComposition composition,
+        string prefix,
+        IReadOnlyDictionary<int, IReadOnlyList<TemplateComposition>> compositionMap,
+        IReadOnlyDictionary<int, IReadOnlyList<Template>> composedTemplateChains,
+        Dictionary<string, ResolvedAttribute> attributes,
+        HashSet<int> visited)
+    {
+        if (!composedTemplateChains.TryGetValue(composition.ComposedTemplateId, out var composedChain))
+            return;
+
+        var composedAttrs = ResolveInheritedAttributes(composedChain);
+        foreach (var (name, attr) in composedAttrs)
+        {
+            var canonicalName = $"{prefix}.{name}";
+            // Don't overwrite if already defined (most-derived wins)
+            if (!attributes.ContainsKey(canonicalName))
             {
-                if (!composedTemplateChains.TryGetValue(composition.ComposedTemplateId, out var composedChain))
-                    continue;
-
-                var prefix = composition.InstanceName;
-                var composedAttrs = ResolveInheritedAttributes(composedChain);
-
-                foreach (var (name, attr) in composedAttrs)
+                attributes[canonicalName] = attr with
                 {
-                    var canonicalName = $"{prefix}.{name}";
-                    // Don't overwrite if already defined (most-derived wins)
-                    if (!attributes.ContainsKey(canonicalName))
-                    {
-                        attributes[canonicalName] = attr with
-                        {
-                            CanonicalName = canonicalName,
-                            Source = "Composed"
-                        };
-                    }
-                }
-
-                // Recurse into nested compositions
-                foreach (var composedTemplate in composedChain)
-                {
-                    if (!compositionMap.TryGetValue(composedTemplate.Id, out var nestedCompositions))
-                        continue;
-
-                    foreach (var nested in nestedCompositions)
-                    {
-                        if (!composedTemplateChains.TryGetValue(nested.ComposedTemplateId, out var nestedChain))
-                            continue;
-
-                        var nestedPrefix = $"{prefix}.{nested.InstanceName}";
-                        var nestedAttrs = ResolveInheritedAttributes(nestedChain);
-
-                        foreach (var (name, attr) in nestedAttrs)
-                        {
-                            var canonicalName = $"{nestedPrefix}.{name}";
-                            if (!attributes.ContainsKey(canonicalName))
-                            {
-                                attributes[canonicalName] = attr with
-                                {
-                                    CanonicalName = canonicalName,
-                                    Source = "Composed"
-                                };
-                            }
-                        }
-                    }
-                }
+                    CanonicalName = canonicalName,
+                    Source = "Composed"
+                };
             }
         }
+
+        // Descend into nested compositions of every template in the chain.
+        foreach (var composedTemplate in composedChain)
+        {
+            if (!visited.Add(composedTemplate.Id))
+                continue;
+            if (!compositionMap.TryGetValue(composedTemplate.Id, out var nestedCompositions))
+                continue;
+
+            foreach (var nested in nestedCompositions)
+                ResolveComposedAttributesRecursive(
+                    nested, $"{prefix}.{nested.InstanceName}",
+                    compositionMap, composedTemplateChains, attributes, visited);
+        }
     }
 
     private static void ApplyInstanceOverrides(
@@ -356,10 +361,22 @@ public class FlatteningService
         }
     }
 
+    /// <summary>
+    /// Resolves alarms from an inheritance chain. When <paramref name="prefix"/>
+    /// is non-null the alarm names are returned bare (caller path-qualifies);
+    /// the keys of the returned dictionary are always bare alarm names.
+    /// <paramref name="alarmScriptIds"/> is populated with the on-trigger
+    /// script id of each resolved alarm keyed by the canonical name the alarm
+    /// will ultimately carry (bare name when <paramref name="prefix"/> is null,
+    /// otherwise <c>prefix.name</c>).
+    /// </summary>
     private static Dictionary<string, ResolvedAlarm> ResolveInheritedAlarms(
-        IReadOnlyList<Template> templateChain)
+        IReadOnlyList<Template> templateChain,
+        string? prefix,
+        Dictionary<string, int> alarmScriptIds)
     {
         var result = new Dictionary<string, ResolvedAlarm>(StringComparer.Ordinal);
+        var scriptIdByName = new Dictionary<string, int>(StringComparer.Ordinal);
 
         for (int i = templateChain.Count - 1; i >= 0; i--)
         {
@@ -394,9 +411,20 @@ public class FlatteningService
                     OnTriggerScriptCanonicalName = null, // Resolved later
                     Source = source
                 };
+
+                if (alarm.OnTriggerScriptId.HasValue)
+                    scriptIdByName[alarm.Name] = alarm.OnTriggerScriptId.Value;
+                else
+                    scriptIdByName.Remove(alarm.Name);
             }
         }
 
+        foreach (var (name, scriptId) in scriptIdByName)
+        {
+            var canonical = prefix == null ? name : $"{prefix}.{name}";
+            alarmScriptIds[canonical] = scriptId;
+        }
+
         return result;
     }
 
@@ -536,7 +564,8 @@ public class FlatteningService
         IReadOnlyList<Template> templateChain,
         IReadOnlyDictionary<int, IReadOnlyList<TemplateComposition>> compositionMap,
         IReadOnlyDictionary<int, IReadOnlyList<Template>> composedTemplateChains,
-        Dictionary<string, ResolvedAlarm> alarms)
+        Dictionary<string, ResolvedAlarm> alarms,
+        Dictionary<string, int> alarmScriptIds)
     {
         foreach (var template in templateChain)
         {
@@ -544,34 +573,74 @@ public class FlatteningService
                 continue;
 
             foreach (var composition in compositions)
-            {
-                if (!composedTemplateChains.TryGetValue(composition.ComposedTemplateId, out var composedChain))
-                    continue;
-
-                var prefix = composition.InstanceName;
-                var composedAlarms = ResolveInheritedAlarms(composedChain);
-
-                foreach (var (name, alarm) in composedAlarms)
-                {
-                    var canonicalName = $"{prefix}.{name}";
-                    if (!alarms.ContainsKey(canonicalName))
-                    {
-                        alarms[canonicalName] = alarm with
-                        {
-                            CanonicalName = canonicalName,
-                            TriggerConfiguration = PrefixTriggerAttribute(alarm.TriggerConfiguration, prefix),
-                            Source = "Composed"
-                        };
-                    }
-                }
-            }
+                ResolveComposedAlarmsRecursive(
+                    composition, composition.InstanceName,
+                    compositionMap, composedTemplateChains, alarms, alarmScriptIds,
+                    new HashSet<int>());
         }
     }
 
+    /// <summary>
+    /// Recursively resolves the alarms of a composed module and every module
+    /// nested inside it, path-qualifying each canonical name with the
+    /// accumulated <paramref name="prefix"/>.
+    /// </summary>
+    private static void ResolveComposedAlarmsRecursive(
+        TemplateComposition composition,
+        string prefix,
+        IReadOnlyDictionary<int, IReadOnlyList<TemplateComposition>> compositionMap,
+        IReadOnlyDictionary<int, IReadOnlyList<Template>> composedTemplateChains,
+        Dictionary<string, ResolvedAlarm> alarms,
+        Dictionary<string, int> alarmScriptIds,
+        HashSet<int> visited)
+    {
+        if (!composedTemplateChains.TryGetValue(composition.ComposedTemplateId, out var composedChain))
+            return;
+
+        var composedAlarms = ResolveInheritedAlarms(composedChain, prefix, alarmScriptIds);
+        foreach (var (name, alarm) in composedAlarms)
+        {
+            var canonicalName = $"{prefix}.{name}";
+            if (!alarms.ContainsKey(canonicalName))
+            {
+                alarms[canonicalName] = alarm with
+                {
+                    CanonicalName = canonicalName,
+                    TriggerConfiguration = PrefixTriggerAttribute(alarm.TriggerConfiguration, prefix),
+                    Source = "Composed"
+                };
+            }
+        }
+
+        // Descend into nested compositions of every template in the chain.
+        foreach (var composedTemplate in composedChain)
+        {
+            if (!visited.Add(composedTemplate.Id))
+                continue;
+            if (!compositionMap.TryGetValue(composedTemplate.Id, out var nestedCompositions))
+                continue;
+
+            foreach (var nested in nestedCompositions)
+                ResolveComposedAlarmsRecursive(
+                    nested, $"{prefix}.{nested.InstanceName}",
+                    compositionMap, composedTemplateChains, alarms, alarmScriptIds, visited);
+        }
+    }
+
+    /// <summary>
+    /// Resolves scripts from an inheritance chain. The returned dictionary is
+    /// keyed by bare script name. <paramref name="scriptCanonicalById"/> is
+    /// populated with each resolved script's <see cref="TemplateScript.Id"/>
+    /// mapped to the canonical name it will ultimately carry (bare when
+    /// <paramref name="prefix"/> is null, otherwise <c>prefix.name</c>).
+    /// </summary>
     private static Dictionary<string, ResolvedScript> ResolveInheritedScripts(
-        IReadOnlyList<Template> templateChain)
+        IReadOnlyList<Template> templateChain,
+        string? prefix,
+        Dictionary<int, string> scriptCanonicalById)
     {
         var result = new Dictionary<string, ResolvedScript>(StringComparer.Ordinal);
+        var idByName = new Dictionary<string, int>(StringComparer.Ordinal);
 
         for (int i = templateChain.Count - 1; i >= 0; i--)
         {
@@ -600,9 +669,17 @@ public class FlatteningService
                     MinTimeBetweenRuns = script.MinTimeBetweenRuns,
                     Source = source
                 };
+                idByName[script.Name] = script.Id;
             }
         }
 
+        foreach (var (name, id) in idByName)
+        {
+            if (id == 0) continue; // unsaved row — no stable id to map
+            var canonical = prefix == null ? name : $"{prefix}.{name}";
+            scriptCanonicalById[id] = canonical;
+        }
+
         return result;
     }
 
@@ -610,7 +687,8 @@ public class FlatteningService
         IReadOnlyList<Template> templateChain,
         IReadOnlyDictionary<int, IReadOnlyList<TemplateComposition>> compositionMap,
         IReadOnlyDictionary<int, IReadOnlyList<Template>> composedTemplateChains,
-        Dictionary<string, ResolvedScript> scripts)
+        Dictionary<string, ResolvedScript> scripts,
+        Dictionary<int, string> scriptCanonicalById)
     {
         foreach (var template in templateChain)
         {
@@ -618,28 +696,58 @@ public class FlatteningService
                 continue;
 
             foreach (var composition in compositions)
+                ResolveComposedScriptsRecursive(
+                    composition, composition.InstanceName,
+                    compositionMap, composedTemplateChains, scripts, scriptCanonicalById,
+                    new HashSet<int>());
+        }
+    }
+
+    /// <summary>
+    /// Recursively resolves the scripts of a composed module and every module
+    /// nested inside it, path-qualifying each canonical name with the
+    /// accumulated <paramref name="prefix"/>.
+    /// </summary>
+    private static void ResolveComposedScriptsRecursive(
+        TemplateComposition composition,
+        string prefix,
+        IReadOnlyDictionary<int, IReadOnlyList<TemplateComposition>> compositionMap,
+        IReadOnlyDictionary<int, IReadOnlyList<Template>> composedTemplateChains,
+        Dictionary<string, ResolvedScript> scripts,
+        Dictionary<int, string> scriptCanonicalById,
+        HashSet<int> visited)
+    {
+        if (!composedTemplateChains.TryGetValue(composition.ComposedTemplateId, out var composedChain))
+            return;
+
+        var composedScripts = ResolveInheritedScripts(composedChain, prefix, scriptCanonicalById);
+        foreach (var (name, script) in composedScripts)
+        {
+            var canonicalName = $"{prefix}.{name}";
+            if (!scripts.ContainsKey(canonicalName))
             {
-                if (!composedTemplateChains.TryGetValue(composition.ComposedTemplateId, out var composedChain))
-                    continue;
-
-                var prefix = composition.InstanceName;
-                var composedScripts = ResolveInheritedScripts(composedChain);
-
-                foreach (var (name, script) in composedScripts)
+                scripts[canonicalName] = script with
                 {
-                    var canonicalName = $"{prefix}.{name}";
-                    if (!scripts.ContainsKey(canonicalName))
-                    {
-                        scripts[canonicalName] = script with
-                        {
-                            CanonicalName = canonicalName,
-                            Source = "Composed",
-                            Scope = new Commons.Types.Scripts.ScriptScope(SelfPath: prefix, ParentPath: "")
-                        };
-                    }
-                }
+                    CanonicalName = canonicalName,
+                    Source = "Composed",
+                    Scope = new Commons.Types.Scripts.ScriptScope(SelfPath: prefix, ParentPath: "")
+                };
             }
         }
+
+        // Descend into nested compositions of every template in the chain.
+        foreach (var composedTemplate in composedChain)
+        {
+            if (!visited.Add(composedTemplate.Id))
+                continue;
+            if (!compositionMap.TryGetValue(composedTemplate.Id, out var nestedCompositions))
+                continue;
+
+            foreach (var nested in nestedCompositions)
+                ResolveComposedScriptsRecursive(
+                    nested, $"{prefix}.{nested.InstanceName}",
+                    compositionMap, composedTemplateChains, scripts, scriptCanonicalById, visited);
+        }
     }
 
     /// <summary>
@@ -688,18 +796,30 @@ public class FlatteningService
     }
 
     /// <summary>
-    /// Resolves alarm on-trigger script references from script IDs to canonical names.
-    /// This is done by finding the script in the template chain whose ID matches the alarm's OnTriggerScriptId,
-    /// then mapping to the corresponding canonical name in the resolved scripts.
+    /// Resolves alarm on-trigger script references from <see cref="TemplateScript.Id"/>
+    /// values to the canonical (path-qualified) names of the corresponding
+    /// resolved scripts. <paramref name="alarmScriptIds"/> maps an alarm's
+    /// canonical name to the id of its on-trigger script; <paramref name="scriptCanonicalById"/>
+    /// maps a script id to the canonical name it carries in the flattened
+    /// configuration. An alarm whose on-trigger script id has no matching
+    /// resolved script is left with a <c>null</c> reference — semantic
+    /// validation then reports the dangling reference.
     /// </summary>
     private static void ResolveAlarmScriptReferences(
         Dictionary<string, ResolvedAlarm> alarms,
-        Dictionary<string, ResolvedScript> scripts)
+        Dictionary<string, int> alarmScriptIds,
+        Dictionary<int, string> scriptCanonicalById)
     {
-        // Build a lookup of script names (we only have canonical names at this point)
-        // The alarm's OnTriggerScriptCanonicalName will be set by the caller or validation step
-        // For now, this is a placeholder — the actual resolution depends on how alarm trigger configs
-        // reference scripts (by name within the same scope).
-        // The trigger configuration JSON may contain a "scriptName" field.
+        foreach (var (alarmCanonicalName, scriptId) in alarmScriptIds)
+        {
+            if (!alarms.TryGetValue(alarmCanonicalName, out var alarm))
+                continue;
+
+            scriptCanonicalById.TryGetValue(scriptId, out var scriptCanonicalName);
+            alarms[alarmCanonicalName] = alarm with
+            {
+                OnTriggerScriptCanonicalName = scriptCanonicalName
+            };
+        }
     }
 }
diff --git a/src/ScadaLink.TemplateEngine/TemplateService.cs b/src/ScadaLink.TemplateEngine/TemplateService.cs
index 17cc646..345f593 100644
--- a/src/ScadaLink.TemplateEngine/TemplateService.cs
+++ b/src/ScadaLink.TemplateEngine/TemplateService.cs
@@ -51,15 +51,12 @@ public class TemplateService
             FolderId = folderId
         };
 
-        // Check acyclicity (inheritance) — for new templates this is mostly a parent-exists check,
-        // but we validate anyway for consistency
-        if (parentTemplateId.HasValue)
-        {
-            var allTemplates = await _repository.GetAllTemplatesAsync(cancellationToken);
-            // The new template doesn't exist yet, so we simulate by adding it to the list
-            // with a temporary ID. Since it has no children yet, the only cycle would be
-            // if parentTemplateId somehow pointed at itself (already handled above).
-        }
+        // No collision or acyclicity check is needed here: a freshly created
+        // template has no members of its own, the parent (validated above to
+        // exist) was already collision-checked when its members were added,
+        // and a brand-new child cannot be an ancestor of its parent. Naming
+        // collisions are enforced on every member-mutating call (AddAttribute,
+        // AddAlarm, AddScript, AddComposition) and on rename in UpdateTemplate.
 
         await _repository.AddTemplateAsync(template, cancellationToken);
         await _auditService.LogAsync(user, "Create", "Template", "0", name, template, cancellationToken);
@@ -281,17 +278,19 @@ public class TemplateService
         if (lockError != null)
             return Result<TemplateAttribute>.Failure(lockError);
 
-        // Validate fixed-field granularity
+        // Validate fixed-field granularity. DataType and DataSourceReference are
+        // fixed by the defining level for every attribute — locked or not — so
+        // the error is always honoured (a locked attribute is already rejected
+        // earlier inside the helper).
         var granularityError = LockEnforcer.ValidateAttributeOverride(existing, proposed);
-        if (granularityError != null && existing.IsLocked)
+        if (granularityError != null)
             return Result<TemplateAttribute>.Failure(granularityError);
 
-        // Apply overridable fields
+        // Apply overridable fields. DataType / DataSourceReference are fixed and
+        // are deliberately not copied from the proposed attribute.
         existing.Value = proposed.Value;
         existing.Description = proposed.Description;
         existing.IsLocked = proposed.IsLocked;
-        existing.DataType = proposed.DataType;
-        existing.DataSourceReference = proposed.DataSourceReference;
         if (template?.IsDerived == true)
             existing.IsInherited = proposed.IsInherited;
         else
diff --git a/tests/ScadaLink.TemplateEngine.Tests/Flattening/FlatteningServiceTests.cs b/tests/ScadaLink.TemplateEngine.Tests/Flattening/FlatteningServiceTests.cs
index 07ff458..051447a 100644
--- a/tests/ScadaLink.TemplateEngine.Tests/Flattening/FlatteningServiceTests.cs
+++ b/tests/ScadaLink.TemplateEngine.Tests/Flattening/FlatteningServiceTests.cs
@@ -370,4 +370,154 @@ public class FlatteningServiceTests
         var script = result.Value.Scripts.First(s => s.CanonicalName == "Sample");
         Assert.Equal("return base;", script.Code);
     }
+
+    // ── TemplateEngine-001: deep composition nesting ───────────────────────
+
+    [Fact]
+    public void Flatten_ThreeLevelComposition_AttributesAlarmsScriptsAllResolved()
+    {
+        // Station composes Pump (level 1); Pump composes Motor (level 2);
+        // Motor composes Bearing (level 3).
+        var bearing = CreateTemplate(4, "Bearing");
+        bearing.Attributes.Add(new TemplateAttribute("Vibration") { DataType = DataType.Double, Value = "0.1" });
+        bearing.Alarms.Add(new TemplateAlarm("HighVibration")
+        {
+            TriggerType = AlarmTriggerType.RangeViolation,
+            TriggerConfiguration = "{\"attributeName\":\"Vibration\",\"high\":5}",
+            PriorityLevel = 1
+        });
+        bearing.Scripts.Add(new TemplateScript("MonitorBearing", "// monitor") { Id = 40 });
+
+        var motor = CreateTemplate(3, "Motor");
+        motor.Attributes.Add(new TemplateAttribute("Current") { DataType = DataType.Double, Value = "10" });
+
+        var pump = CreateTemplate(2, "Pump");
+        pump.Attributes.Add(new TemplateAttribute("RPM") { DataType = DataType.Double, Value = "1500" });
+
+        var station = CreateTemplate(1, "Station");
+
+        var compositions = new Dictionary<int, IReadOnlyList<TemplateComposition>>
+        {
+            [1] = new List<TemplateComposition> { new("MainPump") { ComposedTemplateId = 2 } },
+            [2] = new List<TemplateComposition> { new("DriveMotor") { ComposedTemplateId = 3 } },
+            [3] = new List<TemplateComposition> { new("FrontBearing") { ComposedTemplateId = 4 } },
+        };
+        var composedChains = new Dictionary<int, IReadOnlyList<Template>>
+        {
+            [2] = [pump],
+            [3] = [motor],
+            [4] = [bearing],
+        };
+
+        var instance = CreateInstance();
+        var result = _sut.Flatten(instance, [station], compositions, composedChains,
+            new Dictionary<int, DataConnection>());
+
+        Assert.True(result.IsSuccess);
+        // Level 3 attribute must be present with the full path-qualified name.
+        Assert.Contains(result.Value.Attributes,
+            a => a.CanonicalName == "MainPump.DriveMotor.FrontBearing.Vibration");
+        // Level 3 alarm must be present (was dropped entirely before).
+        Assert.Contains(result.Value.Alarms,
+            a => a.CanonicalName == "MainPump.DriveMotor.FrontBearing.HighVibration");
+        // Level 3 script must be present (was dropped entirely before).
+        Assert.Contains(result.Value.Scripts,
+            s => s.CanonicalName == "MainPump.DriveMotor.FrontBearing.MonitorBearing");
+    }
+
+    [Fact]
+    public void Flatten_NestedComposedAlarm_TriggerAttributePrefixed()
+    {
+        var bearing = CreateTemplate(4, "Bearing");
+        bearing.Attributes.Add(new TemplateAttribute("Vibration") { DataType = DataType.Double, Value = "0.1" });
+        bearing.Alarms.Add(new TemplateAlarm("HighVibration")
+        {
+            TriggerType = AlarmTriggerType.RangeViolation,
+            TriggerConfiguration = "{\"attributeName\":\"Vibration\",\"high\":5}",
+            PriorityLevel = 1
+        });
+
+        var motor = CreateTemplate(3, "Motor");
+        var pump = CreateTemplate(2, "Pump");
+        var station = CreateTemplate(1, "Station");
+
+        var compositions = new Dictionary<int, IReadOnlyList<TemplateComposition>>
+        {
+            [1] = new List<TemplateComposition> { new("MainPump") { ComposedTemplateId = 2 } },
+            [2] = new List<TemplateComposition> { new("DriveMotor") { ComposedTemplateId = 3 } },
+            [3] = new List<TemplateComposition> { new("FrontBearing") { ComposedTemplateId = 4 } },
+        };
+        var composedChains = new Dictionary<int, IReadOnlyList<Template>>
+        {
+            [2] = [pump], [3] = [motor], [4] = [bearing],
+        };
+
+        var instance = CreateInstance();
+        var result = _sut.Flatten(instance, [station], compositions, composedChains,
+            new Dictionary<int, DataConnection>());
+
+        Assert.True(result.IsSuccess);
+        var alarm = result.Value.Alarms.First(a => a.CanonicalName.EndsWith("HighVibration"));
+        // The trigger's attribute reference must carry the full nested prefix.
+        Assert.Contains("MainPump.DriveMotor.FrontBearing.Vibration", alarm.TriggerConfiguration);
+    }
+
+    // ── TemplateEngine-004: alarm on-trigger script resolution ─────────────
+
+    [Fact]
+    public void Flatten_AlarmOnTriggerScript_ResolvedToCanonicalName()
+    {
+        var template = CreateTemplate(1, "Base");
+        template.Scripts.Add(new TemplateScript("HandleAlarm", "// handle") { Id = 50 });
+        template.Alarms.Add(new TemplateAlarm("HighTemp")
+        {
+            TriggerType = AlarmTriggerType.RangeViolation,
+            TriggerConfiguration = "{\"attributeName\":\"Temp\",\"high\":100}",
+            PriorityLevel = 1,
+            OnTriggerScriptId = 50
+        });
+
+        var instance = CreateInstance();
+        var result = _sut.Flatten(instance, [template],
+            new Dictionary<int, IReadOnlyList<TemplateComposition>>(),
+            new Dictionary<int, IReadOnlyList<Template>>(),
+            new Dictionary<int, DataConnection>());
+
+        Assert.True(result.IsSuccess);
+        var alarm = result.Value.Alarms.First(a => a.CanonicalName == "HighTemp");
+        Assert.Equal("HandleAlarm", alarm.OnTriggerScriptCanonicalName);
+    }
+
+    [Fact]
+    public void Flatten_ComposedAlarmOnTriggerScript_ResolvedWithPrefix()
+    {
+        var composedTemplate = CreateTemplate(2, "Pump");
+        composedTemplate.Scripts.Add(new TemplateScript("PumpAlarmHandler", "// h") { Id = 60 });
+        composedTemplate.Alarms.Add(new TemplateAlarm("PumpFault")
+        {
+            TriggerType = AlarmTriggerType.ValueMatch,
+            TriggerConfiguration = "{\"attributeName\":\"State\",\"value\":\"FAULT\"}",
+            PriorityLevel = 5,
+            OnTriggerScriptId = 60
+        });
+
+        var station = CreateTemplate(1, "Station");
+
+        var compositions = new Dictionary<int, IReadOnlyList<TemplateComposition>>
+        {
+            [1] = new List<TemplateComposition> { new("MainPump") { ComposedTemplateId = 2 } }
+        };
+        var composedChains = new Dictionary<int, IReadOnlyList<Template>>
+        {
+            [2] = [composedTemplate]
+        };
+
+        var instance = CreateInstance();
+        var result = _sut.Flatten(instance, [station], compositions, composedChains,
+            new Dictionary<int, DataConnection>());
+
+        Assert.True(result.IsSuccess);
+        var alarm = result.Value.Alarms.First(a => a.CanonicalName == "MainPump.PumpFault");
+        Assert.Equal("MainPump.PumpAlarmHandler", alarm.OnTriggerScriptCanonicalName);
+    }
 }
diff --git a/tests/ScadaLink.TemplateEngine.Tests/TemplateServiceTests.cs b/tests/ScadaLink.TemplateEngine.Tests/TemplateServiceTests.cs
index e3cff5d..f04b0d0 100644
--- a/tests/ScadaLink.TemplateEngine.Tests/TemplateServiceTests.cs
+++ b/tests/ScadaLink.TemplateEngine.Tests/TemplateServiceTests.cs
@@ -60,6 +60,23 @@ public class TemplateServiceTests
         Assert.Equal(1, result.Value.ParentTemplateId);
     }
 
+    [Fact]
+    public async Task CreateTemplate_WithParent_DoesNotRunDeadCollisionQuery()
+    {
+        // A freshly created child has no members of its own, and the parent's
+        // members were already collision-validated when they were added — so
+        // create-time collision detection on a child is a guaranteed no-op.
+        // The previous code allocated an unused full-table read; the fix
+        // removes it. This guards against the dead query being reintroduced.
+        var parent = new Template("Base") { Id = 1 };
+        _repoMock.Setup(r => r.GetTemplateByIdAsync(1, It.IsAny<CancellationToken>())).ReturnsAsync(parent);
+
+        var result = await _service.CreateTemplateAsync("Child", null, 1, "admin");
+
+        Assert.True(result.IsSuccess);
+        _repoMock.Verify(r => r.GetAllTemplatesAsync(It.IsAny<CancellationToken>()), Times.Never);
+    }
+
     [Fact]
     public async Task CreateTemplate_NonexistentParent_Fails()
     {
@@ -668,6 +685,54 @@ public class TemplateServiceTests
         Assert.True(result.Value.IsLocked);
     }
 
+    [Fact]
+    public async Task UpdateAttribute_UnlockedAttribute_DataTypeChangeRejected()
+    {
+        // An unlocked attribute must still not be able to change its fixed DataType.
+        var existing = new TemplateAttribute("Temperature")
+        {
+            Id = 1, TemplateId = 1, DataType = DataType.Float, IsLocked = false
+        };
+        _repoMock.Setup(r => r.GetTemplateAttributeByIdAsync(1, It.IsAny<CancellationToken>())).ReturnsAsync(existing);
+        var template = new Template("Pump") { Id = 1 };
+        _repoMock.Setup(r => r.GetTemplateByIdAsync(1, It.IsAny<CancellationToken>())).ReturnsAsync(template);
+
+        var proposed = new TemplateAttribute("Temperature")
+        {
+            DataType = DataType.Int32, IsLocked = false, Value = "42"
+        };
+        var result = await _service.UpdateAttributeAsync(1, proposed, "admin");
+
+        Assert.True(result.IsFailure);
+        Assert.Contains("DataType", result.Error);
+        // The fixed field must not have been mutated.
+        Assert.Equal(DataType.Float, existing.DataType);
+    }
+
+    [Fact]
+    public async Task UpdateAttribute_UnlockedAttribute_DataSourceReferenceChangeRejected()
+    {
+        var existing = new TemplateAttribute("Temperature")
+        {
+            Id = 1, TemplateId = 1, DataType = DataType.Float, IsLocked = false,
+            DataSourceReference = "/Motor/Temp"
+        };
+        _repoMock.Setup(r => r.GetTemplateAttributeByIdAsync(1, It.IsAny<CancellationToken>())).ReturnsAsync(existing);
+        var template = new Template("Pump") { Id = 1 };
+        _repoMock.Setup(r => r.GetTemplateByIdAsync(1, It.IsAny<CancellationToken>())).ReturnsAsync(template);
+
+        var proposed = new TemplateAttribute("Temperature")
+        {
+            DataType = DataType.Float, IsLocked = false, Value = "42",
+            DataSourceReference = "/Motor/Other"
+        };
+        var result = await _service.UpdateAttributeAsync(1, proposed, "admin");
+
+        Assert.True(result.IsFailure);
+        Assert.Contains("DataSourceReference", result.Error);
+        Assert.Equal("/Motor/Temp", existing.DataSourceReference);
+    }
+
     [Fact]
     public async Task UpdateAttribute_ParentLocked_CannotOverride()
     {