feat(siteruntime): per-node CertStore actor + trust broadcast to both site nodes (T17)

src/ZB.MOM.WW.ScadaBridge.Host/Actors/AkkaHostedService.cs

@@ -800,6 +800,21 @@ akka {{
             _logger.LogInformation("Data Connection Layer manager actor created");
         }
 
+        // T17 / D6 — per-node OPC UA certificate-store actor. Created on EVERY
+        // site node (NOT a singleton) at a well-known name so the Deployment
+        // Manager singleton can fan a trust/remove out to BOTH nodes' PKI stores
+        // (node-a + node-b) and keep them in lock-step across failover. It needs
+        // the same deployment-wide OpcUaGlobalOptions the DCL manager uses so a
+        // trusted cert lands in the exact store RealOpcUaClient validates against.
+        var certStoreOpcUaOptions = _serviceProvider
+            .GetService<IOptions<ZB.MOM.WW.ScadaBridge.DataConnectionLayer.OpcUaGlobalOptions>>()?.Value
+            ?? new ZB.MOM.WW.ScadaBridge.DataConnectionLayer.OpcUaGlobalOptions();
+        _actorSystem!.ActorOf(
+            Props.Create(() => new ZB.MOM.WW.ScadaBridge.SiteRuntime.Actors.CertStoreActor(certStoreOpcUaOptions)),
+            ZB.MOM.WW.ScadaBridge.SiteRuntime.Actors.CertStoreActor.WellKnownName);
+        _logger.LogInformation("Per-node CertStoreActor created at well-known name '{Name}' (T17/D6)",
+            ZB.MOM.WW.ScadaBridge.SiteRuntime.Actors.CertStoreActor.WellKnownName);
+
         // Resolve the health collector for the Deployment Manager
         var siteHealthCollector = _serviceProvider.GetService<ZB.MOM.WW.ScadaBridge.HealthMonitoring.ISiteHealthCollector>();
         siteHealthCollector?.SetNodeHostname(_nodeOptions.NodeHostname);