fix(driver-twincat): resolve Low code-review findings (Driver.TwinCAT-004,006,014,015,016)

- Driver.TwinCAT-004: corrected the IEC time-type inline comments;
  documented that the driver currently surfaces them as raw UInt32
  counters.
- Driver.TwinCAT-006: ResolveHost returns a documented UnresolvedHost
  sentinel when no devices are configured instead of returning the
  logical DriverInstanceId (which never matches GetHostStatuses).
- Driver.TwinCAT-014: wired Probe.Timeout into the probe-loop call and
  added a NotificationMaxDelayMs config knob threaded through
  AddNotificationAsync.
- Driver.TwinCAT-015: Dispose() runs a genuinely synchronous teardown
  with bounded waits (no sync-over-async deadlock pattern).
- Driver.TwinCAT-016: pinned the Structure-tag rejection and the
  probe-loop vs read disposal race with regression tests.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/Drivers/ZB.MOM.WW.OtOpcUa.Driver.TwinCAT/TwinCATDriver.cs

@@ -377,6 +377,7 @@ public sealed class TwinCATDriver : IDriver, IReadable, IWritable, ITagDiscovery
 
                 var reg = await client.AddNotificationAsync(
                     symbolName, def.DataType, bitIndex, publishingInterval,
+                    _options.NotificationMaxDelayMs,
                     (_, value) => OnDataChange?.Invoke(this,
                         new DataChangeEventArgs(handle, reference, new DataValueSnapshot(
                             value, TwinCATStatusMapper.Good, DateTime.UtcNow, DateTime.UtcNow))),
@@ -433,7 +434,10 @@ public sealed class TwinCATDriver : IDriver, IReadable, IWritable, ITagDiscovery
             var success = false;
             try
             {
-                var client = await EnsureConnectedAsync(state, ct).ConfigureAwait(false);
+                // Probe-initiated connects honor TwinCATProbeOptions.Timeout — distinct from
+                // the driver-wide _options.Timeout used by reads/writes (Driver.TwinCAT-014).
+                var client = await EnsureConnectedAsync(state, ct, _options.Probe.Timeout)
+                    .ConfigureAwait(false);
                 success = await client.ProbeAsync(ct).ConfigureAwait(false);
             }
             catch (OperationCanceledException) when (ct.IsCancellationRequested) { break; }
@@ -469,11 +473,25 @@ public sealed class TwinCATDriver : IDriver, IReadable, IWritable, ITagDiscovery
 
     // ---- IPerCallHostResolver ----
 
+    /// <summary>
+    ///     Documented sentinel returned by <see cref="ResolveHost"/> when neither the tag nor a
+    ///     fallback device is configured. Empty-string never matches an
+    ///     <see cref="HostConnectivityStatus.HostName"/> emitted by this driver (every real
+    ///     host is an <c>ads://…</c> URI), so it cleanly signals "unresolved" without colliding
+    ///     with a real host key. Used to be <see cref="DriverInstanceId"/>, which is a logical
+    ///     config-DB identifier — that collided with consumers who expected the resolver and the
+    ///     connectivity-status table to share keys (Driver.TwinCAT-006).
+    /// </summary>
+    public const string UnresolvedHostSentinel = "";
+
     public string ResolveHost(string fullReference)
     {
         if (_tagsByName.TryGetValue(fullReference, out var def))
             return def.DeviceHostAddress;
-        return _options.Devices.FirstOrDefault()?.HostAddress ?? DriverInstanceId;
+        // First device's HostAddress when one exists; otherwise the unresolved sentinel —
+        // intentionally NOT DriverInstanceId, which is a config-DB key, not a host address
+        // (Driver.TwinCAT-006).
+        return _options.Devices.FirstOrDefault()?.HostAddress ?? UnresolvedHostSentinel;
     }
 
     /// <summary>
@@ -484,7 +502,8 @@ public sealed class TwinCATDriver : IDriver, IReadable, IWritable, ITagDiscovery
     ///     AB-CIP drivers serialize device access the same way; single-connection-per-PLC is
     ///     also what docs/v2/driver-specs.md recommends.
     /// </summary>
-    private async Task<ITwinCATClient> EnsureConnectedAsync(DeviceState device, CancellationToken ct)
+    private async Task<ITwinCATClient> EnsureConnectedAsync(
+        DeviceState device, CancellationToken ct, TimeSpan? timeoutOverride = null)
     {
         // Fast path — already connected, no gate needed.
         if (device.Client is { IsConnected: true } fast) return fast;
@@ -504,9 +523,13 @@ public sealed class TwinCATDriver : IDriver, IReadable, IWritable, ITagDiscovery
 
             var client = _clientFactory.Create();
             client.OnSymbolVersionChanged += HandleSymbolVersionChanged;
+            // timeoutOverride lets the probe loop use TwinCATProbeOptions.Timeout for probe-
+            // initiated connects rather than the driver-level _options.Timeout
+            // (Driver.TwinCAT-014). Reads / writes pass null and get the driver default.
+            var effectiveTimeout = timeoutOverride ?? _options.Timeout;
             try
             {
-                await client.ConnectAsync(device.ParsedAddress, _options.Timeout, ct)
+                await client.ConnectAsync(device.ParsedAddress, effectiveTimeout, ct)
                     .ConfigureAwait(false);
                 _logger.LogInformation(
                     "TwinCAT driver '{DriverInstanceId}' connected to {HostAddress}",
@@ -542,7 +565,43 @@ public sealed class TwinCATDriver : IDriver, IReadable, IWritable, ITagDiscovery
             "TwinCAT symbol-version-changed (DeviceSymbolVersionInvalid 0x0711) — PLC program re-downloaded",
             ScopeHint: "TwinCAT"));
 
-    public void Dispose() => DisposeAsync().AsTask().GetAwaiter().GetResult();
+    /// <summary>
+    ///     Synchronous teardown — no <c>await</c>, no captured sync context. The OPC UA stack
+    ///     thread can call <see cref="Dispose"/>; routing through <c>DisposeAsync().GetResult()</c>
+    ///     can deadlock on a single-threaded sync context (Driver.TwinCAT-015,
+    ///     docs/v2/driver-stability.md). The operations here are all genuinely synchronous —
+    ///     cancel tokens, wait on task handles with a hard timeout, dispose clients — so a
+    ///     synchronous path does the right thing without re-entering the scheduler.
+    /// </summary>
+    public void Dispose()
+    {
+        // Dispose native subscriptions first — handle disposal is sync.
+        foreach (var sub in _nativeSubs.Values)
+            foreach (var r in sub.Registrations) { try { r.Dispose(); } catch { } }
+        _nativeSubs.Clear();
+
+        // PollGroupEngine.DisposeAsync awaits loop tasks; we drive that synchronously here
+        // (bounded wait — same 5s ceiling DisposeAsync uses internally) using Wait() on the
+        // returned ValueTask so no sync-context capture happens.
+        try { _poll.DisposeAsync().AsTask().Wait(TimeSpan.FromSeconds(5)); } catch { }
+
+        foreach (var state in _devices.Values)
+        {
+            try { state.ProbeCts?.Cancel(); } catch { }
+            if (state.ProbeTask is Task pt)
+            {
+                try { pt.Wait(TimeSpan.FromSeconds(2)); } catch { /* probe-cancel races are expected */ }
+            }
+            state.ProbeCts?.Dispose();
+            state.ProbeCts = null;
+            state.DisposeClient();
+            state.DisposeGate();
+        }
+        _devices.Clear();
+        _tagsByName.Clear();
+        _health = new DriverHealth(DriverState.Unknown, _health.LastSuccessfulRead, null);
+    }
+
     public async ValueTask DisposeAsync() => await ShutdownAsync(CancellationToken.None).ConfigureAwait(false);
 
     internal sealed class DeviceState(TwinCATAmsAddress parsedAddress, TwinCATDeviceOptions options)