scripts+docs: Refresh-Services.ps1 for alarm-rig deploy refresh (PR D.1)

Seventeenth PR of the alarms-over-gateway epic
(docs/plans/alarms-over-gateway.md). Lands the script that the
plan calls for in Track D — the actual smoke-run validation
on the dev rig (publish, restart, fire alarms, capture artifacts)
remains operator work; this PR ships the automation that the
operator drives.

scripts/install/Refresh-Services.ps1 — single-shot refresh
script. Designed to run elevated on the deploy host
(DESKTOP-6JL3KKO today; production uses a separate runbook).
The script:

- Stops services in reverse-dependency order (OtOpcUa →
  OtOpcUaWonderwareHistorian → MxAccessGw) and force-kills any
  residual processes (avoids the publish-time MSB3027 file-lock
  the original install script hit).
- Snapshots existing C:\publish trees to
  C:\publish\.backup-YYYY-MM-DD-HHMMSS\ for rollback (skip with
  -SkipBackup).
- Builds + copies mxaccessgw worker (x86 net48) + server (net10.0)
  binaries from the sibling repo.
- Publishes OtOpcUa Server + Wonderware historian sidecar from
  this repo.
- Ensures OTOPCUA_HISTORIAN_ALARM_WRITE_ENABLED=true is set on
  the historian service env block (PR C.2 toggle).
- Starts services in forward-dependency order with the
  inter-service waits the original install used.
- Smoke-verifies (service status, listening ports 5120 / 4840
  / 4841, recent log tails).

Supports -WhatIf for dry-run inspection without touching the
running services.

docs/v2/dev-environment.md — new "Service Refresh —
Refresh-Services.ps1" section between Credential Management
and Test Data Seed. Cross-references the plan's Track D
functional verification scenarios.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

docs/v2/dev-environment.md

@@ -408,6 +408,49 @@ For production:
 - Per-NodeId credentials in `ClusterNodeCredential` table (per decision #83)
 - Admin app uses LDAP (no SQL credential at all on the user-facing side)
 
+## Service Refresh — `Refresh-Services.ps1`
+
+The deploy host hosts three NSSM-wrapped services (`MxAccessGw`,
+`OtOpcUaWonderwareHistorian`, `OtOpcUa`) that consume binaries from
+`C:\publish\`. After landing changes in either repo, refresh the
+deployed bits with `scripts\install\Refresh-Services.ps1`:
+
+```powershell
+# Default invocation (dev rig).
+& C:\Users\dohertj2\Desktop\lmxopcua\scripts\install\Refresh-Services.ps1
+
+# Skip the timestamped backup (faster on iterative dev cycles).
+& Refresh-Services.ps1 -SkipBackup
+
+# Dry-run — print the actions without doing them.
+& Refresh-Services.ps1 -WhatIf
+```
+
+The script:
+
+1. Stops services in reverse-dependency order (`OtOpcUa` →
+   `OtOpcUaWonderwareHistorian` → `MxAccessGw`) and force-kills
+   any residual processes.
+2. Snapshots the existing `C:\publish\mxaccessgw\` and
+   `C:\publish\lmxopcua\` trees to `C:\publish\.backup-<timestamp>\`
+   for rollback (skip with `-SkipBackup`).
+3. Builds + copies mxaccessgw worker (x86 net48) + server (net10.0)
+   binaries from the sibling repo.
+4. `dotnet publish`-es the OtOpcUa server + Wonderware historian
+   sidecar from this repo.
+5. Ensures `OTOPCUA_HISTORIAN_ALARM_WRITE_ENABLED=true` is set on
+   the historian service env block (PR C.2 toggle).
+6. Starts services in forward-dependency order (`MxAccessGw` →
+   `OtOpcUaWonderwareHistorian` → `OtOpcUa`).
+7. Smoke-verifies — service status, listening ports (5120 / 4840 /
+   4841), recent log tails.
+
+Functional verification (alarm raise / scripted alarm historian
+round-trip / sub-attribute fallback) is the operator's next step
+after the refresh; see
+[docs/plans/alarms-over-gateway.md](../plans/alarms-over-gateway.md)
+§Track D for the scenarios.
+
 ## Test Data Seed
 
 Each environment needs a baseline data set so cross-developer tests are reproducible. Lives in `tests/ZB.MOM.WW.OtOpcUa.IntegrationTests/SeedData/`: