feat(alarms): route inbound Part 9 alarm methods through AlarmAck gate (T18)

Wire the materialised AlarmConditionState method handlers so a client calling
Acknowledge/Confirm/Shelve/AddComment is gated on the AlarmAck data-plane role
and, when allowed, routed back to the scripted-alarm engine via a new
`alarm-commands` DistributedPubSub topic.

- Commons: new AlarmCommand DTO (AlarmId/Operation/User/Comment/UnshelveAtUtc).
- ScriptedAlarmHostActor: add AlarmCommandsTopic const.
- OtOpcUaNodeManager: settable AlarmCommandRouter + wire OnAcknowledge/OnConfirm/
  OnAddComment/OnShelve/OnTimedUnshelve. Each resolves the principal off
  ISessionOperationContext.UserIdentity as RoleCarryingUserIdentity, fails closed
  (BadUserAccessDenied) when the AlarmAck role is absent or no identity, else maps
  + routes an AlarmCommand and returns Good. OnShelve discriminates OneShotShelve/
  TimedShelve/Unshelve from the SDK flags; TimedShelve expiry = UtcNow + ms.
  No Akka/IActorRef handle — only the Action<AlarmCommand> delegate. T20 de-dup
  note left; WriteAlarmCondition untouched.
- OpcUaServer.Security: OpcUaDataPlaneRoles.AlarmAck shared const (the role was a
  bare string everywhere; introduced one symbol for the gate + tests).
- OtOpcUaSdkServer: SetAlarmCommandRouter pass-through.
- Host: boot wiring publishes each command via mediator.Tell(Publish(...)) using a
  lazy ActorSystem accessor (mirrors DpsScriptLogPublisher).
- Tests: 11 new gate + mapping tests (OpcUaServer.Tests 88->99, all green).

src/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer/OtOpcUaNodeManager.cs

@@ -2,6 +2,7 @@ using System.Collections.Concurrent;
 using Opc.Ua;
 using Opc.Ua.Server;
 using ZB.MOM.WW.OtOpcUa.Commons.OpcUa;
+using ZB.MOM.WW.OtOpcUa.OpcUaServer.Security;
 
 namespace ZB.MOM.WW.OtOpcUa.OpcUaServer;
 
@@ -52,6 +53,23 @@ public sealed class OtOpcUaNodeManager : CustomNodeManager2
     /// <summary>Gets the count of real Part 9 <see cref="AlarmConditionState"/> nodes currently managed.</summary>
     public int AlarmConditionCount => _alarmConditions.Count;
 
+    /// <summary>
+    ///     Reverse-path sink for inbound OPC UA Part 9 alarm method calls. When a client invokes a
+    ///     materialised condition's Acknowledge / Confirm / Shelve / AddComment method, the condition's
+    ///     handler (wired in <see cref="MaterialiseAlarmCondition"/>) gates on the caller's
+    ///     <c>AlarmAck</c> role and, when allowed, builds an <see cref="AlarmCommand"/> and invokes this
+    ///     delegate. The host sets it at boot to a non-blocking <c>mediator.Tell</c> onto the
+    ///     <c>alarm-commands</c> DistributedPubSub topic; T19's engine-side subscriber consumes it.
+    ///     <para>
+    ///         This is the ONLY reverse coupling out of the node manager — by design it is a plain
+    ///         <see cref="Action{AlarmCommand}"/> (no Akka / <c>IActorRef</c> / DI handle). The handler
+    ///         delegates run under the manager's <c>Lock</c>; the invoked action MUST be non-blocking
+    ///         (a fire-and-forget <c>Tell</c>) so there is no deadlock. Null (the default) makes every
+    ///         handler a safe no-op — it still gates + returns, just routes nowhere.
+    ///     </para>
+    /// </summary>
+    public Action<AlarmCommand>? AlarmCommandRouter { get; set; }
+
     /// <summary>Look up a materialised Part 9 alarm-condition node by its alarm node id (the
     /// ScriptedAlarmId), or null if not yet materialised. Exposed for tests + diagnostics.</summary>
     /// <param name="alarmNodeId">The alarm node identifier (== ScriptedAlarmId).</param>
@@ -316,6 +334,38 @@ public sealed class OtOpcUaNodeManager : CustomNodeManager2
             alarm.Message.Value = new LocalizedText(displayName);
             if (alarm.ConditionName is not null) alarm.ConditionName.Value = displayName;
 
+            // T18 — inbound Part 9 method handlers. Create() materialised the Acknowledge/Confirm/
+            // AddComment/Shelve/Unshelve method nodes and the condition types wired their built-in OnCall
+            // routing; these delegates are the veto/permission seam the SDK invokes BEFORE applying the
+            // state change. Each gates on the caller's AlarmAck role (fails closed) and, when allowed,
+            // routes a mapped AlarmCommand to the engine via AlarmCommandRouter, then returns Good so the
+            // SDK applies its node state + auto-fires its own event.
+            // T20: the engine re-projects that same logical transition through WriteAlarmCondition, which
+            // also fires — the resulting double-emit is de-duped in a later task (T20), NOT here.
+            alarm.OnAcknowledge = (context, condition, _, comment) =>
+                HandleAlarmCommand(context, condition, "Acknowledge", comment, unshelveAt: null);
+            alarm.OnConfirm = (context, condition, _, comment) =>
+                HandleAlarmCommand(context, condition, "Confirm", comment, unshelveAt: null);
+            alarm.OnAddComment = (context, condition, _, comment) =>
+                HandleAlarmCommand(context, condition, "AddComment", comment, unshelveAt: null);
+            alarm.OnShelve = (context, condition, shelving, oneShot, shelvingTime) =>
+            {
+                // SDK invocation shapes (verified against the decompiled AlarmConditionState):
+                //   OneShotShelve → (shelving:true, oneShot:true, 0.0)   ⇒ OneShotShelve, no expiry
+                //   TimedShelve   → (shelving:true, oneShot:false, ms)   ⇒ TimedShelve, expiry = UtcNow + ms
+                //   Unshelve      → (shelving:false, oneShot:false, 0.0) ⇒ Unshelve, no expiry
+                // shelvingTime is an OPC UA Duration (milliseconds).
+                var (operation, unshelveAt) =
+                    !shelving ? ("Unshelve", (DateTime?)null)
+                    : oneShot ? ("OneShotShelve", null)
+                    : ("TimedShelve", DateTime.UtcNow + TimeSpan.FromMilliseconds(shelvingTime));
+                return HandleAlarmCommand(context, condition, operation, comment: null, unshelveAt);
+            };
+            // The auto-unshelve timer firing is an unshelve transition driven by the SDK (no client user);
+            // route it as Unshelve so the engine clears its shelve state. Same AlarmAck gate applies.
+            alarm.OnTimedUnshelve = (context, condition) =>
+                HandleAlarmCommand(context, condition, "Unshelve", comment: null, unshelveAt: null);
+
             parent.AddChild(alarm);
 
             // Promote the equipment folder to an event notifier + register it as a root notifier so
@@ -328,6 +378,49 @@ public sealed class OtOpcUaNodeManager : CustomNodeManager2
         }
     }
 
+    /// <summary>
+    ///     Shared body for every inbound Part 9 alarm method handler (T18). Resolves the calling
+    ///     principal off the SDK <paramref name="context"/>, applies the <c>AlarmAck</c> role gate
+    ///     (<b>fails closed</b>: a missing identity or a missing role is denied), and on success builds a
+    ///     mapped <see cref="AlarmCommand"/> and routes it through <see cref="AlarmCommandRouter"/>.
+    /// </summary>
+    /// <param name="context">The SDK context the handler delegate was invoked with — a
+    /// <c>ServerSystemContext</c> (an <see cref="ISessionOperationContext"/>) carrying the session
+    /// identity. T17 attached the LDAP roles as a <see cref="RoleCarryingUserIdentity"/>.</param>
+    /// <param name="condition">The condition the method targets; its <c>NodeId</c> identifier is the
+    /// ScriptedAlarmId (T14 aligned them), which becomes <see cref="AlarmCommand.AlarmId"/>.</param>
+    /// <param name="operation">The Part 9 operation name (e.g. <c>Acknowledge</c>, <c>TimedShelve</c>).</param>
+    /// <param name="comment">The call's comment text, or <c>null</c> when none was supplied.</param>
+    /// <param name="unshelveAt">For <c>TimedShelve</c>, the computed UTC expiry; otherwise <c>null</c>.</param>
+    /// <returns><c>ServiceResult.Good</c> when allowed (the SDK then applies state + auto-fires its
+    /// event); <c>BadUserAccessDenied</c> when the gate vetoes (no route, no state mutation).</returns>
+    private ServiceResult HandleAlarmCommand(
+        ISystemContext context, ConditionState condition, string operation, LocalizedText? comment, DateTime? unshelveAt)
+    {
+        // Resolve the principal the SAME way the SDK's own GetCurrentUserId does, then narrow to the
+        // role-carrying identity T17 attached. Anonymous / non-role-carrying identities ⇒ null ⇒ denied.
+        var identity = (context as ISessionOperationContext)?.UserIdentity as RoleCarryingUserIdentity;
+        if (identity is null || !identity.Roles.Contains(OpcUaDataPlaneRoles.AlarmAck, StringComparer.OrdinalIgnoreCase))
+        {
+            // Fail closed: no role / no identity ⇒ veto. Returning a bad ServiceResult aborts the SDK's
+            // state change and surfaces the status to the client; we never route or mutate.
+            return new ServiceResult(StatusCodes.BadUserAccessDenied);
+        }
+
+        var cmd = new AlarmCommand(
+            AlarmId: condition.NodeId.Identifier?.ToString() ?? string.Empty,
+            Operation: operation,
+            User: identity.DisplayName ?? string.Empty,
+            Comment: comment?.Text,
+            UnshelveAtUtc: unshelveAt);
+
+        // Non-blocking by contract (host wires a fire-and-forget mediator.Tell); safe to call under Lock.
+        AlarmCommandRouter?.Invoke(cmd);
+
+        // Good ⇒ the SDK applies the node-state change + auto-fires its own condition event.
+        return ServiceResult.Good;
+    }
+
     /// <summary>Map our domain <c>AlarmType</c> string to the matching SDK condition subtype. Script
     /// alarms have no OPC limit/setpoint values, so limit-style types fall back to the base
     /// <see cref="AlarmConditionState"/> (see <see cref="MaterialiseAlarmCondition"/> remarks).</summary>