harden(historian): nullable HistorizeToAveva (missing→historize) for rolling-restart-safe deserialize + middle-link test

src/Server/ZB.MOM.WW.OtOpcUa.Runtime/Historian/HistorianAdapterActor.cs

@@ -71,13 +71,12 @@ public sealed class HistorianAdapterActor : ReceiveActor
         // ShouldHistorize gate keeps only the Primary writing ⇒ exactly-once across the warm pair.
         // NOTE: Translate is intentionally inside the gate so Secondary/Detached nodes never allocate a
         // discarded AlarmHistorianEvent.
-        // t.HistorizeToAveva=false is a per-alarm opt-out of DURABLE historization only — the live `alerts`
-        // fan-out already happened upstream (the publish is NOT gated on this flag), so we gate the SINK
-        // write here, not the publish. Rolling-restart-safe: the node that WRITES is always the same-version
-        // node that PUBLISHED (Primary or boot window), so a cross-version old→new flow only reaches the
-        // Secondary, which never writes — an old-format message deserializing HistorizeToAveva as the CLR
-        // default (false) cannot drop a Primary's historization.
-        Receive<AlarmTransitionEvent>(t => { if (ShouldHistorize() && t.HistorizeToAveva) _ = EnqueueAsync(Translate(t)); });
+        // t.HistorizeToAveva is not false: only explicit false suppresses the durable sink write. null
+        // (CLR default for bool?) and true both historize. null is the rolling-restart / cross-version case:
+        // an old-format message missing the field deserializes to null and is historized (default-on), so no
+        // audit row is dropped at a handover — same posture as the AlarmTypeName null-coalesce in Translate.
+        // The producer (ScriptedAlarmHostActor) always sets a concrete true/false.
+        Receive<AlarmTransitionEvent>(t => { if (ShouldHistorize() && t.HistorizeToAveva is not false) _ = EnqueueAsync(Translate(t)); });
 
         Receive<GetStatus>(_ => Sender.Tell(_sink.GetStatus()));