feat(historian-gateway): reshape ServerHistorianOptions to gateway form (Endpoint/ApiKey/Tls)

Claude-Session: https://claude.ai/code/session_012SDSQ3AcaXqPcBtDESBRii

src/Server/ZB.MOM.WW.OtOpcUa.Runtime/Historian/ServerHistorianOptions.cs

@@ -5,13 +5,17 @@ namespace ZB.MOM.WW.OtOpcUa.Runtime.Historian;
 /// <summary>
 ///     Binds the <c>ServerHistorian</c> configuration section that gates the server-side
 ///     HistoryRead backend. When <see cref="Enabled"/> is <c>true</c>, <c>AddServerHistorian</c>
-///     registers a read-only <c>WonderwareHistorianClient</c> (supplied by the Host) as the
-///     <c>IHistorianDataSource</c> in place of the <c>NullHistorianDataSource</c> default;
-///     otherwise the Null default survives and HistoryRead returns <c>GoodNoData</c>-empty.
+///     registers a read-only <c>HistorianGateway</c>-backed <c>IHistorianDataSource</c> (supplied by
+///     the Host) in place of the <c>NullHistorianDataSource</c> default; otherwise the Null default
+///     survives and HistoryRead returns <c>GoodNoData</c>-empty.
 ///     <para>
-///         This is the READ path only — there are no DatabasePath / drain / capacity / retention
-///         knobs (those belong to the write-side <c>AlarmHistorian</c> store-and-forward sink). The
-///         client's own <c>CallTimeout</c> bounds each read; the node manager adds no extra timeout.
+///         The read client talks gRPC to the <c>ZB.MOM.WW.HistorianGateway</c> sidecar
+///         (<c>historian_gateway.v1</c>) over <see cref="Endpoint"/>, authenticating with the
+///         peppered-HMAC <see cref="ApiKey"/> (<c>histgw_&lt;id&gt;_&lt;secret&gt;</c>) in the
+///         <c>Authorization: Bearer</c> header. This is the READ path only — there are no
+///         DatabasePath / drain / capacity / retention knobs (those belong to the write-side
+///         <c>AlarmHistorian</c> store-and-forward sink). The client's own <see cref="CallTimeout"/>
+///         bounds each read; the node manager adds no extra timeout.
 ///     </para>
 /// </summary>
 public sealed class ServerHistorianOptions
@@ -20,26 +24,38 @@ public sealed class ServerHistorianOptions
     public const string SectionName = "ServerHistorian";
 
     /// <summary>
-    ///     When <c>true</c>, the Wonderware read client is registered as the
+    ///     When <c>true</c>, the HistorianGateway read client is registered as the
     ///     <c>IHistorianDataSource</c>; when <c>false</c> (the default) the no-op
     ///     <c>NullHistorianDataSource</c> stays in place and HistoryRead returns empty.
     /// </summary>
     public bool Enabled { get; init; }
 
-    /// <summary>TCP hostname or IP address the Wonderware historian sidecar listens on.</summary>
-    public string Host { get; init; } = "localhost";
+    /// <summary>
+    ///     Absolute gateway endpoint URI the read client dials (e.g. <c>https://host:5222</c>).
+    ///     The scheme selects the transport: <c>https://</c> = TLS, <c>http://</c> = h2c plaintext.
+    ///     Required when <see cref="Enabled"/> is <c>true</c>.
+    /// </summary>
+    public string Endpoint { get; init; } = "";
 
-    /// <summary>TCP port the Wonderware historian sidecar listens on.</summary>
-    public int Port { get; init; } = 32569;
+    /// <summary>
+    ///     The peppered-HMAC API key (<c>histgw_&lt;id&gt;_&lt;secret&gt;</c>) the gateway validates
+    ///     in the <c>Authorization: Bearer</c> header. Supply via the environment variable
+    ///     <c>ServerHistorian__ApiKey</c> — never commit it to config. Required when
+    ///     <see cref="Enabled"/> is <c>true</c>.
+    /// </summary>
+    public string ApiKey { get; init; } = "";
 
-    /// <summary>When <c>true</c>, the client connects over TLS.</summary>
-    public bool UseTls { get; init; }
+    /// <summary>When <c>true</c> (the default), the client connects over TLS; must match the <see cref="Endpoint"/> scheme.</summary>
+    public bool UseTls { get; init; } = true;
 
-    /// <summary>Expected TLS server certificate thumbprint (hex, no spaces). Null or empty disables pinning.</summary>
-    public string? ServerCertThumbprint { get; init; }
+    /// <summary>When <c>true</c>, the client accepts a self-signed / untrusted server certificate (dev / on-prem only).</summary>
+    public bool AllowUntrustedServerCertificate { get; init; }
 
-    /// <summary>Per-process shared secret the sidecar verifies in the Hello frame.</summary>
-    public string SharedSecret { get; init; } = "";
+    /// <summary>Path to a PEM CA certificate that pins the gateway's TLS trust chain. Null or empty uses the OS trust store.</summary>
+    public string? CaCertificatePath { get; init; }
+
+    /// <summary>Per-call deadline applied to each unary gateway read. Defaults to 30 seconds.</summary>
+    public TimeSpan CallTimeout { get; init; } = TimeSpan.FromSeconds(30);
 
     /// <summary>
     ///     The upper bound on the bounded over-fetch the HistoryRead-Raw paging uses to page WITHIN an
@@ -54,15 +70,15 @@ public sealed class ServerHistorianOptions
 
     /// <summary>Returns operator-facing misconfiguration warnings for an <c>Enabled</c> historian
     /// (empty when disabled or correctly configured). Pure — the registration logs each entry.</summary>
-    /// <returns>Zero or more human-readable warning messages.</returns>
+    /// <returns>Zero or more human-readable warning messages (never carrying secret values).</returns>
     public IReadOnlyList<string> Validate()
     {
         var warnings = new List<string>();
         if (!Enabled) return warnings;
-        if (string.IsNullOrWhiteSpace(SharedSecret))
-            warnings.Add("ServerHistorian:SharedSecret is empty while the historian is enabled — the Wonderware sidecar Hello frame will carry an empty secret.");
-        if (Port <= 0)
-            warnings.Add($"ServerHistorian:Port is {Port} — must be > 0; the read client cannot dial the sidecar.");
+        if (string.IsNullOrWhiteSpace(Endpoint))
+            warnings.Add("ServerHistorian:Endpoint is empty while the historian is enabled — the read client has no gateway address to dial.");
+        if (string.IsNullOrWhiteSpace(ApiKey))
+            warnings.Add("ServerHistorian:ApiKey is empty while the historian is enabled — the gateway gRPC surface will reject unauthenticated calls.");
         // MaxTieClusterOverfetch is intentionally checked AFTER the Enabled early-return above:
         // the over-fetch code path only runs when a real IHistorianDataSource is wired in,
         // so a zero/negative value is harmless (and noise-free) when the historian is disabled.