Phase 2 PR 13 — port GalaxyRuntimeProbeManager state machine + wire per-platform ScanState probing. PR 8 gave operators the gateway-level transport signal (MxAccessClient.ConnectionStateChanged → OnHostStatusChanged tagged with the Wonderware client identity) — enough to detect when the entire MXAccess COM proxy dies, but silent when a specific or goes down while the gateway stays alive. This PR closes that gap: a pure-logic GalaxyRuntimeProbeManager (ported from v1's 472-LOC GalaxyRuntimeProbeManager.cs, distilled to ~240 LOC of state machine without the OPC UA node-manager entanglement) lives in Backend/Stability/, advises <TagName>.ScanState per WinPlatform + AppEngine gobject discovered during DiscoverAsync, runs the Unknown → Running → Stopped state machine with v1's documented semantics preserved verbatim, and raises a StateChanged event on transitions operators should react to. MxAccessGalaxyBackend instantiates the probe manager in the constructor with SubscribeAsync/UnsubscribeAsync delegate pointers into MxAccessClient, hooks StateChanged to forward each transition through the same OnHostStatusChanged IPC event the gateway signal uses (HostName = platform/engine TagName, RuntimeStatus = 'Running'|'Stopped'|'Unknown', LastObservedUtcUnixMs from the state-change timestamp), so Admin UI gets per-host signals flowing through the existing PR 8 wire with no additional IPC plumbing. State machine rules ported from v1 runtimestatus.md: (a) ScanState is on-change-only — a stably-Running host may go hours without a callback, so Running → Stopped is driven only by explicit ScanState=false, never by starvation; (b) Unknown → Running is a startup transition and does NOT fire StateChanged (would paint every host as 'just recovered' at startup, which is noise and can clear Bad quality set by a concurrently-stopping sibling); (c) Stopped → Running fires StateChanged for the real recovery case; (d) Running → Stopped fires StateChanged; (e) Unknown → Stopped fires StateChanged because that's the first-known-bad signal operators need when a host is down at our startup time. MxAccessGalaxyBackend.DiscoverAsync calls _probeManager.SyncAsync with the runtime-host subset of the hierarchy (CategoryId == 1 WinPlatform or 3 AppEngine) as a best-effort step after building the Discover response — probe failures are swallowed so Discover still returns the hierarchy even if a per-host advise fails; the gateway signal covers the critical rung. SyncAsync is idempotent (second call with the same set is a no-op) and handles the diff on re-Discover for tag rename / host add / host remove. Subscribe failure rolls back the host's state entry under the lock so a later probe callback for a never-advised tag can't transition a phantom state from Unknown to Stopped and fan out a false host-down signal (the same protection v1's GalaxyRuntimeProbeManager had at line 237-243 of v1 with a captured-probe-string comparison under the lock). MxAccessGalaxyBackend.Dispose unsubscribes the StateChanged handler before disposing the probe manager to prevent dangling invocation-list references across reconnects, same discipline as PR 8's ConnectionStateChanged and PR 6's SubscriptionReplayFailed. Tests (12 new GalaxyRuntimeProbeManagerTests): Sync_subscribes_to_ScanState_per_host verifies tag.ScanState subscriptions are advised per Platform/Engine; Sync_is_idempotent_on_repeat_call_with_same_set verifies no duplicate subscribes; Sync_unadvises_removed_hosts verifies the diff unadvises gone hosts; Subscribe_failure_rolls_back_host_entry_so_later_transitions_do_not_fire_stale_events covers the rollback-on-subscribe-fail guard; Unknown_to_Running_does_not_fire_StateChanged preserves the startup-noise rule; Running_to_Stopped_fires_StateChanged_with_both_states asserts OldState and NewState are both captured in the transition record; Stopped_to_Running_fires_StateChanged_for_recovery verifies the recovery case; Unknown_to_Stopped_fires_StateChanged_for_first_known_bad_signal preserves the first-bad rule; Repeated_Good_Running_callbacks_do_not_fire_duplicate_events verifies the state-tracking de-dup; Unknown_callback_for_non_tracked_probe_is_dropped asserts a foreign callback is silently ignored; Snapshot_reports_current_state_for_every_tracked_host covers the dashboard query hook; IsRuntimeHost_recognizes_WinPlatform_and_AppEngine_category_ids asserts the CategoryId filter. Galaxy.Host.Tests Unit suite 75 pass / 0 fail (12 new probe + 63 pre-existing). Galaxy.Host builds clean (0 errors / 0 warnings). Branches off v2.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/Backend/MxAccessGalaxyBackend.cs

@@ -7,6 +7,7 @@ using MessagePack;
 using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend.Galaxy;
 using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend.Historian;
 using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend.MxAccess;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend.Stability;
 using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared.Contracts;
 
 namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend;
@@ -40,6 +41,8 @@ public sealed class MxAccessGalaxyBackend : IGalaxyBackend, IDisposable
     public event System.EventHandler<HostConnectivityStatus>? OnHostStatusChanged;
 
     private readonly System.EventHandler<bool> _onConnectionStateChanged;
+    private readonly GalaxyRuntimeProbeManager _probeManager;
+    private readonly System.EventHandler<HostStateTransition> _onProbeStateChanged;
 
     public MxAccessGalaxyBackend(GalaxyRepository repository, MxAccessClient mx, IHistorianDataSource? historian = null)
     {
@@ -62,8 +65,39 @@ public sealed class MxAccessGalaxyBackend : IGalaxyBackend, IDisposable
             });
         };
         _mx.ConnectionStateChanged += _onConnectionStateChanged;
+
+        // PR 13: per-platform runtime probes. ScanState subscriptions fire OnProbeCallback,
+        // which runs the state machine and raises StateChanged on transitions we care about.
+        // We forward each transition through the same OnHostStatusChanged IPC event that the
+        // gateway-level ConnectionStateChanged uses — tagged with the platform's TagName so the
+        // Admin UI can show per-host health independently from the top-level transport status.
+        _probeManager = new GalaxyRuntimeProbeManager(
+            subscribe: (probe, cb) => _mx.SubscribeAsync(probe, cb),
+            unsubscribe: probe => _mx.UnsubscribeAsync(probe));
+        _onProbeStateChanged = (_, t) =>
+        {
+            OnHostStatusChanged?.Invoke(this, new HostConnectivityStatus
+            {
+                HostName = t.TagName,
+                RuntimeStatus = t.NewState switch
+                {
+                    HostRuntimeState.Running => "Running",
+                    HostRuntimeState.Stopped => "Stopped",
+                    _ => "Unknown",
+                },
+                LastObservedUtcUnixMs = new DateTimeOffset(t.AtUtc, TimeSpan.Zero).ToUnixTimeMilliseconds(),
+            });
+        };
+        _probeManager.StateChanged += _onProbeStateChanged;
     }
 
+    /// <summary>
+    ///     Exposed for tests. Production flow: DiscoverAsync completes → backend calls
+    ///     <c>SyncProbesAsync</c> with the runtime hosts (WinPlatform + AppEngine gobjects) to
+    ///     advise ScanState per host.
+    /// </summary>
+    internal GalaxyRuntimeProbeManager ProbeManager => _probeManager;
+
     public async Task<OpenSessionResponse> OpenSessionAsync(OpenSessionRequest req, CancellationToken ct)
     {
         try
@@ -103,6 +137,21 @@ public sealed class MxAccessGalaxyBackend : IGalaxyBackend, IDisposable
                 Attributes = attrsByGobject.TryGetValue(o.GobjectId, out var a) ? a : Array.Empty<GalaxyAttributeInfo>(),
             }).ToArray();
 
+            // PR 13: Sync the per-platform probe manager against the just-discovered hierarchy
+            // so ScanState subscriptions track the current runtime set. Best-effort — probe
+            // failures don't block Discover from returning, since the gateway-level signal from
+            // MxAccessClient.ConnectionStateChanged still flows and the Admin UI degrades to
+            // that level if any per-host probe couldn't advise.
+            try
+            {
+                var targets = hierarchy
+                    .Where(o => o.CategoryId == GalaxyRuntimeProbeManager.CategoryWinPlatform
+                             || o.CategoryId == GalaxyRuntimeProbeManager.CategoryAppEngine)
+                    .Select(o => new HostProbeTarget(o.TagName, o.CategoryId));
+                await _probeManager.SyncAsync(targets).ConfigureAwait(false);
+            }
+            catch { /* swallow — Discover succeeded; probes are a diagnostic enrichment */ }
+
             return new DiscoverHierarchyResponse { Success = true, Objects = objects };
         }
         catch (Exception ex)
@@ -405,6 +454,8 @@ public sealed class MxAccessGalaxyBackend : IGalaxyBackend, IDisposable
 
     public void Dispose()
     {
+        _probeManager.StateChanged -= _onProbeStateChanged;
+        _probeManager.Dispose();
         _mx.ConnectionStateChanged -= _onConnectionStateChanged;
         _historian?.Dispose();
     }