diff --git a/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Layout/MainLayout.razor b/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Layout/MainLayout.razor
index 5c12aab..395c7d9 100644
--- a/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Layout/MainLayout.razor
+++ b/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Layout/MainLayout.razor
@@ -1,15 +1,32 @@
-@* ScadaLink-parity sidebar layout per decision #102 (Bootstrap 5, dark sidebar, main content area). *@
 @inherits LayoutComponentBase
 
 <div class="d-flex" style="min-height: 100vh;">
     <nav class="bg-dark text-light p-3" style="width: 220px;">
         <h5 class="mb-4">OtOpcUa Admin</h5>
         <ul class="nav flex-column">
+            <li class="nav-item"><a class="nav-link text-light" href="/">Overview</a></li>
             <li class="nav-item"><a class="nav-link text-light" href="/clusters">Clusters</a></li>
-            <li class="nav-item"><a class="nav-link text-light" href="/generations">Generations</a></li>
-            <li class="nav-item"><a class="nav-link text-light" href="/equipment">Equipment</a></li>
-            <li class="nav-item"><a class="nav-link text-light" href="/acls">ACLs</a></li>
+            <li class="nav-item"><a class="nav-link text-light" href="/reservations">Reservations</a></li>
         </ul>
+
+        <div class="mt-5">
+            <AuthorizeView>
+                <Authorized>
+                    <div class="small text-light">
+                        Signed in as <strong>@context.User.Identity?.Name</strong>
+                    </div>
+                    <div class="small text-muted">
+                        @string.Join(", ", context.User.Claims.Where(c => c.Type.EndsWith("/role")).Select(c => c.Value))
+                    </div>
+                    <form method="post" action="/auth/logout">
+                        <button class="btn btn-sm btn-outline-light mt-2" type="submit">Sign out</button>
+                    </form>
+                </Authorized>
+                <NotAuthorized>
+                    <a class="btn btn-sm btn-outline-light" href="/login">Sign in</a>
+                </NotAuthorized>
+            </AuthorizeView>
+        </div>
     </nav>
     <main class="flex-grow-1 p-4">
         @Body
diff --git a/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters.razor b/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters.razor
deleted file mode 100644
index d04e751..0000000
--- a/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters.razor
+++ /dev/null
@@ -1,42 +0,0 @@
-@page "/clusters"
-@using ZB.MOM.WW.OtOpcUa.Admin.Services
-@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
-@inject ClusterService ClusterSvc
-
-<h1 class="mb-4">Clusters</h1>
-
-@if (_clusters is null)
-{
-    <p>Loading…</p>
-}
-else if (_clusters.Count == 0)
-{
-    <p class="text-muted">No clusters yet. Use the stored-proc <code>sp_PublishGeneration</code> workflow to bootstrap.</p>
-}
-else
-{
-    <table class="table table-hover">
-        <thead><tr><th>ClusterId</th><th>Name</th><th>Enterprise/Site</th><th>RedundancyMode</th><th>Enabled</th></tr></thead>
-        <tbody>
-        @foreach (var c in _clusters)
-        {
-            <tr>
-                <td><code>@c.ClusterId</code></td>
-                <td>@c.Name</td>
-                <td>@c.Enterprise / @c.Site</td>
-                <td>@c.RedundancyMode</td>
-                <td>@(c.Enabled ? "Yes" : "No")</td>
-            </tr>
-        }
-        </tbody>
-    </table>
-}
-
-@code {
-    private List<ServerCluster>? _clusters;
-
-    protected override async Task OnInitializedAsync()
-    {
-        _clusters = await ClusterSvc.ListAsync(CancellationToken.None);
-    }
-}
diff --git a/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/AclsTab.razor b/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/AclsTab.razor
new file mode 100644
index 0000000..3d7311d
--- /dev/null
+++ b/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/AclsTab.razor
@@ -0,0 +1,126 @@
+@using ZB.MOM.WW.OtOpcUa.Admin.Services
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@using ZB.MOM.WW.OtOpcUa.Configuration.Enums
+@inject NodeAclService AclSvc
+
+<div class="d-flex justify-content-between mb-3">
+    <h4>Access-control grants</h4>
+    <button class="btn btn-sm btn-primary" @onclick="() => _showForm = true">Add grant</button>
+</div>
+
+@if (_acls is null) { <p>Loading…</p> }
+else if (_acls.Count == 0) { <p class="text-muted">No ACL grants in this draft. Publish will result in a cluster with no external access.</p> }
+else
+{
+    <table class="table table-sm">
+        <thead><tr><th>LDAP group</th><th>Scope</th><th>Scope ID</th><th>Permissions</th><th></th></tr></thead>
+        <tbody>
+        @foreach (var a in _acls)
+        {
+            <tr>
+                <td>@a.LdapGroup</td>
+                <td>@a.ScopeKind</td>
+                <td><code>@(a.ScopeId ?? "-")</code></td>
+                <td><code>@a.PermissionFlags</code></td>
+                <td><button class="btn btn-sm btn-outline-danger" @onclick="() => RevokeAsync(a.NodeAclRowId)">Revoke</button></td>
+            </tr>
+        }
+        </tbody>
+    </table>
+}
+
+@if (_showForm)
+{
+    <div class="card">
+        <div class="card-body">
+            <div class="row g-3">
+                <div class="col-md-4">
+                    <label class="form-label">LDAP group</label>
+                    <input class="form-control" @bind="_group"/>
+                </div>
+                <div class="col-md-4">
+                    <label class="form-label">Scope kind</label>
+                    <select class="form-select" @bind="_scopeKind">
+                        @foreach (var k in Enum.GetValues<NodeAclScopeKind>()) { <option value="@k">@k</option> }
+                    </select>
+                </div>
+                <div class="col-md-4">
+                    <label class="form-label">Scope ID (empty for Cluster-wide)</label>
+                    <input class="form-control" @bind="_scopeId"/>
+                </div>
+                <div class="col-12">
+                    <label class="form-label">Permissions (bundled presets — per-flag editor in v2.1)</label>
+                    <select class="form-select" @bind="_preset">
+                        <option value="Read">Read (Browse + Read)</option>
+                        <option value="WriteOperate">Read + Write Operate</option>
+                        <option value="Engineer">Read + Write Tune + Write Configure</option>
+                        <option value="AlarmAck">Read + Alarm Ack</option>
+                        <option value="Full">Full (every flag)</option>
+                    </select>
+                </div>
+            </div>
+            @if (_error is not null) { <div class="alert alert-danger mt-3">@_error</div> }
+            <div class="mt-3">
+                <button class="btn btn-sm btn-primary" @onclick="SaveAsync">Save</button>
+                <button class="btn btn-sm btn-secondary ms-2" @onclick="() => _showForm = false">Cancel</button>
+            </div>
+        </div>
+    </div>
+}
+
+@code {
+    [Parameter] public long GenerationId { get; set; }
+    [Parameter] public string ClusterId { get; set; } = string.Empty;
+
+    private List<NodeAcl>? _acls;
+    private bool _showForm;
+    private string _group = string.Empty;
+    private NodeAclScopeKind _scopeKind = NodeAclScopeKind.Cluster;
+    private string _scopeId = string.Empty;
+    private string _preset = "Read";
+    private string? _error;
+
+    protected override async Task OnParametersSetAsync() =>
+        _acls = await AclSvc.ListAsync(GenerationId, CancellationToken.None);
+
+    private NodePermissions ResolvePreset() => _preset switch
+    {
+        "Read"          => NodePermissions.Browse | NodePermissions.Read,
+        "WriteOperate"  => NodePermissions.Browse | NodePermissions.Read | NodePermissions.WriteOperate,
+        "Engineer"      => NodePermissions.Browse | NodePermissions.Read | NodePermissions.WriteTune | NodePermissions.WriteConfigure,
+        "AlarmAck"      => NodePermissions.Browse | NodePermissions.Read | NodePermissions.AlarmRead | NodePermissions.AlarmAcknowledge,
+        "Full"          => unchecked((NodePermissions)(-1)),
+        _               => NodePermissions.Browse | NodePermissions.Read,
+    };
+
+    private async Task SaveAsync()
+    {
+        _error = null;
+        if (string.IsNullOrWhiteSpace(_group)) { _error = "LDAP group is required"; return; }
+
+        var scopeId = _scopeKind == NodeAclScopeKind.Cluster ? null
+                     : string.IsNullOrWhiteSpace(_scopeId) ? null : _scopeId;
+
+        if (_scopeKind != NodeAclScopeKind.Cluster && scopeId is null)
+        {
+            _error = $"ScopeId required for {_scopeKind}";
+            return;
+        }
+
+        try
+        {
+            await AclSvc.GrantAsync(GenerationId, ClusterId, _group, _scopeKind, scopeId,
+                ResolvePreset(), notes: null, CancellationToken.None);
+            _group = string.Empty; _scopeId = string.Empty;
+            _showForm = false;
+            _acls = await AclSvc.ListAsync(GenerationId, CancellationToken.None);
+        }
+        catch (Exception ex) { _error = ex.Message; }
+    }
+
+    private async Task RevokeAsync(Guid rowId)
+    {
+        await AclSvc.RevokeAsync(rowId, CancellationToken.None);
+        _acls = await AclSvc.ListAsync(GenerationId, CancellationToken.None);
+    }
+}
diff --git a/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/AuditTab.razor b/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/AuditTab.razor
new file mode 100644
index 0000000..94b841c
--- /dev/null
+++ b/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/AuditTab.razor
@@ -0,0 +1,35 @@
+@using ZB.MOM.WW.OtOpcUa.Admin.Services
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@inject AuditLogService AuditSvc
+
+<h4>Recent audit log</h4>
+
+@if (_entries is null) { <p>Loading…</p> }
+else if (_entries.Count == 0) { <p class="text-muted">No audit entries for this cluster yet.</p> }
+else
+{
+    <table class="table table-sm">
+        <thead><tr><th>When</th><th>Principal</th><th>Event</th><th>Node</th><th>Generation</th><th>Details</th></tr></thead>
+        <tbody>
+        @foreach (var a in _entries)
+        {
+            <tr>
+                <td>@a.Timestamp.ToString("u")</td>
+                <td>@a.Principal</td>
+                <td><code>@a.EventType</code></td>
+                <td>@a.NodeId</td>
+                <td>@a.GenerationId</td>
+                <td><small class="text-muted">@a.DetailsJson</small></td>
+            </tr>
+        }
+        </tbody>
+    </table>
+}
+
+@code {
+    [Parameter] public string ClusterId { get; set; } = string.Empty;
+    private List<ConfigAuditLog>? _entries;
+
+    protected override async Task OnParametersSetAsync() =>
+        _entries = await AuditSvc.ListRecentAsync(ClusterId, limit: 100, CancellationToken.None);
+}
diff --git a/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/ClusterDetail.razor b/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/ClusterDetail.razor
new file mode 100644
index 0000000..7b5ad59
--- /dev/null
+++ b/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/ClusterDetail.razor
@@ -0,0 +1,123 @@
+@page "/clusters/{ClusterId}"
+@using ZB.MOM.WW.OtOpcUa.Admin.Services
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@using ZB.MOM.WW.OtOpcUa.Configuration.Enums
+@inject ClusterService ClusterSvc
+@inject GenerationService GenerationSvc
+@inject NavigationManager Nav
+
+@if (_cluster is null)
+{
+    <p>Loading…</p>
+}
+else
+{
+    <div class="d-flex justify-content-between align-items-center mb-3">
+        <div>
+            <h1 class="mb-0">@_cluster.Name</h1>
+            <code class="text-muted">@_cluster.ClusterId</code>
+            @if (!_cluster.Enabled) { <span class="badge bg-secondary ms-2">Disabled</span> }
+        </div>
+        <div>
+            @if (_currentDraft is not null)
+            {
+                <a href="/clusters/@ClusterId/draft/@_currentDraft.GenerationId" class="btn btn-outline-primary">
+                    Edit current draft (gen @_currentDraft.GenerationId)
+                </a>
+            }
+            else
+            {
+                <button class="btn btn-primary" @onclick="CreateDraftAsync" disabled="@_busy">New draft</button>
+            }
+        </div>
+    </div>
+
+    <ul class="nav nav-tabs mb-3">
+        <li class="nav-item"><button class="nav-link @Tab("overview")" @onclick='() => _tab = "overview"'>Overview</button></li>
+        <li class="nav-item"><button class="nav-link @Tab("generations")" @onclick='() => _tab = "generations"'>Generations</button></li>
+        <li class="nav-item"><button class="nav-link @Tab("equipment")" @onclick='() => _tab = "equipment"'>Equipment</button></li>
+        <li class="nav-item"><button class="nav-link @Tab("uns")" @onclick='() => _tab = "uns"'>UNS Structure</button></li>
+        <li class="nav-item"><button class="nav-link @Tab("namespaces")" @onclick='() => _tab = "namespaces"'>Namespaces</button></li>
+        <li class="nav-item"><button class="nav-link @Tab("drivers")" @onclick='() => _tab = "drivers"'>Drivers</button></li>
+        <li class="nav-item"><button class="nav-link @Tab("acls")" @onclick='() => _tab = "acls"'>ACLs</button></li>
+        <li class="nav-item"><button class="nav-link @Tab("audit")" @onclick='() => _tab = "audit"'>Audit</button></li>
+    </ul>
+
+    @if (_tab == "overview")
+    {
+        <dl class="row">
+            <dt class="col-sm-3">Enterprise / Site</dt><dd class="col-sm-9">@_cluster.Enterprise / @_cluster.Site</dd>
+            <dt class="col-sm-3">Redundancy</dt><dd class="col-sm-9">@_cluster.RedundancyMode (@_cluster.NodeCount node@(_cluster.NodeCount == 1 ? "" : "s"))</dd>
+            <dt class="col-sm-3">Current published</dt>
+            <dd class="col-sm-9">
+                @if (_currentPublished is not null) { <span>@_currentPublished.GenerationId (@_currentPublished.PublishedAt?.ToString("u"))</span> }
+                else { <span class="text-muted">none published yet</span> }
+            </dd>
+            <dt class="col-sm-3">Created</dt><dd class="col-sm-9">@_cluster.CreatedAt.ToString("u") by @_cluster.CreatedBy</dd>
+        </dl>
+    }
+    else if (_tab == "generations")
+    {
+        <Generations ClusterId="@ClusterId"/>
+    }
+    else if (_tab == "equipment" && _currentDraft is not null)
+    {
+        <EquipmentTab GenerationId="@_currentDraft.GenerationId"/>
+    }
+    else if (_tab == "uns" && _currentDraft is not null)
+    {
+        <UnsTab GenerationId="@_currentDraft.GenerationId" ClusterId="@ClusterId"/>
+    }
+    else if (_tab == "namespaces" && _currentDraft is not null)
+    {
+        <NamespacesTab GenerationId="@_currentDraft.GenerationId" ClusterId="@ClusterId"/>
+    }
+    else if (_tab == "drivers" && _currentDraft is not null)
+    {
+        <DriversTab GenerationId="@_currentDraft.GenerationId" ClusterId="@ClusterId"/>
+    }
+    else if (_tab == "acls" && _currentDraft is not null)
+    {
+        <AclsTab GenerationId="@_currentDraft.GenerationId" ClusterId="@ClusterId"/>
+    }
+    else if (_tab == "audit")
+    {
+        <AuditTab ClusterId="@ClusterId"/>
+    }
+    else
+    {
+        <p class="text-muted">Open a draft to edit this cluster's content.</p>
+    }
+}
+
+@code {
+    [Parameter] public string ClusterId { get; set; } = string.Empty;
+    private ServerCluster? _cluster;
+    private ConfigGeneration? _currentDraft;
+    private ConfigGeneration? _currentPublished;
+    private string _tab = "overview";
+    private bool _busy;
+
+    private string Tab(string key) => _tab == key ? "active" : string.Empty;
+
+    protected override async Task OnInitializedAsync() => await LoadAsync();
+
+    private async Task LoadAsync()
+    {
+        _cluster = await ClusterSvc.FindAsync(ClusterId, CancellationToken.None);
+        var gens = await GenerationSvc.ListRecentAsync(ClusterId, 50, CancellationToken.None);
+        _currentDraft = gens.FirstOrDefault(g => g.Status == GenerationStatus.Draft);
+        _currentPublished = gens.FirstOrDefault(g => g.Status == GenerationStatus.Published);
+    }
+
+    private async Task CreateDraftAsync()
+    {
+        _busy = true;
+        try
+        {
+            var draft = await GenerationSvc.CreateDraftAsync(ClusterId, createdBy: "admin-ui", CancellationToken.None);
+            Nav.NavigateTo($"/clusters/{ClusterId}/draft/{draft.GenerationId}");
+        }
+        finally { _busy = false; }
+    }
+}
diff --git a/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/ClustersList.razor b/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/ClustersList.razor
new file mode 100644
index 0000000..8448328
--- /dev/null
+++ b/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/ClustersList.razor
@@ -0,0 +1,56 @@
+@page "/clusters"
+@using ZB.MOM.WW.OtOpcUa.Admin.Services
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@inject ClusterService ClusterSvc
+
+<div class="d-flex justify-content-between align-items-center mb-4">
+    <h1>Clusters</h1>
+    <a href="/clusters/new" class="btn btn-primary">New cluster</a>
+</div>
+
+@if (_clusters is null)
+{
+    <p>Loading…</p>
+}
+else if (_clusters.Count == 0)
+{
+    <p class="text-muted">No clusters yet. Create the first one.</p>
+}
+else
+{
+    <table class="table table-hover">
+        <thead>
+            <tr>
+                <th>ClusterId</th><th>Name</th><th>Enterprise</th><th>Site</th>
+                <th>RedundancyMode</th><th>NodeCount</th><th>Enabled</th><th></th>
+            </tr>
+        </thead>
+        <tbody>
+        @foreach (var c in _clusters)
+        {
+            <tr>
+                <td><code>@c.ClusterId</code></td>
+                <td>@c.Name</td>
+                <td>@c.Enterprise</td>
+                <td>@c.Site</td>
+                <td>@c.RedundancyMode</td>
+                <td>@c.NodeCount</td>
+                <td>
+                    @if (c.Enabled) { <span class="badge bg-success">Active</span> }
+                    else { <span class="badge bg-secondary">Disabled</span> }
+                </td>
+                <td><a href="/clusters/@c.ClusterId" class="btn btn-sm btn-outline-primary">Open</a></td>
+            </tr>
+        }
+        </tbody>
+    </table>
+}
+
+@code {
+    private List<ServerCluster>? _clusters;
+
+    protected override async Task OnInitializedAsync()
+    {
+        _clusters = await ClusterSvc.ListAsync(CancellationToken.None);
+    }
+}
diff --git a/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/DiffViewer.razor b/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/DiffViewer.razor
new file mode 100644
index 0000000..a9633c0
--- /dev/null
+++ b/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/DiffViewer.razor
@@ -0,0 +1,73 @@
+@page "/clusters/{ClusterId}/draft/{GenerationId:long}/diff"
+@using ZB.MOM.WW.OtOpcUa.Admin.Services
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@using ZB.MOM.WW.OtOpcUa.Configuration.Enums
+@inject GenerationService GenerationSvc
+
+<div class="d-flex justify-content-between align-items-center mb-3">
+    <div>
+        <h1 class="mb-0">Draft diff</h1>
+        <small class="text-muted">
+            Cluster <code>@ClusterId</code> — from last published (@(_fromLabel)) → to draft @GenerationId
+        </small>
+    </div>
+    <a class="btn btn-outline-secondary" href="/clusters/@ClusterId/draft/@GenerationId">Back to editor</a>
+</div>
+
+@if (_rows is null)
+{
+    <p>Computing diff…</p>
+}
+else if (_error is not null)
+{
+    <div class="alert alert-danger">@_error</div>
+}
+else if (_rows.Count == 0)
+{
+    <p class="text-muted">No differences — draft is structurally identical to the last published generation.</p>
+}
+else
+{
+    <table class="table table-hover table-sm">
+        <thead><tr><th>Table</th><th>LogicalId</th><th>ChangeKind</th></tr></thead>
+        <tbody>
+        @foreach (var r in _rows)
+        {
+            <tr>
+                <td>@r.TableName</td>
+                <td><code>@r.LogicalId</code></td>
+                <td>
+                    @switch (r.ChangeKind)
+                    {
+                        case "Added":    <span class="badge bg-success">@r.ChangeKind</span> break;
+                        case "Removed":  <span class="badge bg-danger">@r.ChangeKind</span> break;
+                        case "Modified": <span class="badge bg-warning text-dark">@r.ChangeKind</span> break;
+                        default:         <span class="badge bg-secondary">@r.ChangeKind</span> break;
+                    }
+                </td>
+            </tr>
+        }
+        </tbody>
+    </table>
+}
+
+@code {
+    [Parameter] public string ClusterId { get; set; } = string.Empty;
+    [Parameter] public long GenerationId { get; set; }
+
+    private List<DiffRow>? _rows;
+    private string _fromLabel = "(empty)";
+    private string? _error;
+
+    protected override async Task OnParametersSetAsync()
+    {
+        try
+        {
+            var all = await GenerationSvc.ListRecentAsync(ClusterId, 50, CancellationToken.None);
+            var from = all.FirstOrDefault(g => g.Status == GenerationStatus.Published);
+            _fromLabel = from is null ? "(empty)" : $"gen {from.GenerationId}";
+            _rows = await GenerationSvc.ComputeDiffAsync(from?.GenerationId ?? 0, GenerationId, CancellationToken.None);
+        }
+        catch (Exception ex) { _error = ex.Message; }
+    }
+}
diff --git a/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/DraftEditor.razor b/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/DraftEditor.razor
new file mode 100644
index 0000000..49d90eb
--- /dev/null
+++ b/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/DraftEditor.razor
@@ -0,0 +1,103 @@
+@page "/clusters/{ClusterId}/draft/{GenerationId:long}"
+@using ZB.MOM.WW.OtOpcUa.Admin.Services
+@using ZB.MOM.WW.OtOpcUa.Configuration.Validation
+@inject GenerationService GenerationSvc
+@inject DraftValidationService ValidationSvc
+@inject NavigationManager Nav
+
+<div class="d-flex justify-content-between align-items-center mb-3">
+    <div>
+        <h1 class="mb-0">Draft editor</h1>
+        <small class="text-muted">Cluster <code>@ClusterId</code> · generation @GenerationId</small>
+    </div>
+    <div>
+        <a class="btn btn-outline-secondary" href="/clusters/@ClusterId">Back to cluster</a>
+        <a class="btn btn-outline-primary ms-2" href="/clusters/@ClusterId/draft/@GenerationId/diff">View diff</a>
+        <button class="btn btn-primary ms-2" disabled="@(_errors.Count != 0 || _busy)" @onclick="PublishAsync">Publish</button>
+    </div>
+</div>
+
+<ul class="nav nav-tabs mb-3">
+    <li class="nav-item"><button class="nav-link @Active("equipment")" @onclick='() => _tab = "equipment"'>Equipment</button></li>
+    <li class="nav-item"><button class="nav-link @Active("uns")" @onclick='() => _tab = "uns"'>UNS</button></li>
+    <li class="nav-item"><button class="nav-link @Active("namespaces")" @onclick='() => _tab = "namespaces"'>Namespaces</button></li>
+    <li class="nav-item"><button class="nav-link @Active("drivers")" @onclick='() => _tab = "drivers"'>Drivers</button></li>
+    <li class="nav-item"><button class="nav-link @Active("acls")" @onclick='() => _tab = "acls"'>ACLs</button></li>
+</ul>
+
+<div class="row">
+    <div class="col-md-8">
+        @if (_tab == "equipment") { <EquipmentTab GenerationId="@GenerationId"/> }
+        else if (_tab == "uns") { <UnsTab GenerationId="@GenerationId" ClusterId="@ClusterId"/> }
+        else if (_tab == "namespaces") { <NamespacesTab GenerationId="@GenerationId" ClusterId="@ClusterId"/> }
+        else if (_tab == "drivers") { <DriversTab GenerationId="@GenerationId" ClusterId="@ClusterId"/> }
+        else if (_tab == "acls") { <AclsTab GenerationId="@GenerationId" ClusterId="@ClusterId"/> }
+    </div>
+    <div class="col-md-4">
+        <div class="card sticky-top">
+            <div class="card-header d-flex justify-content-between align-items-center">
+                <strong>Validation</strong>
+                <button class="btn btn-sm btn-outline-secondary" @onclick="RevalidateAsync">Re-run</button>
+            </div>
+            <div class="card-body">
+                @if (_validating) { <p class="text-muted">Checking…</p> }
+                else if (_errors.Count == 0) { <div class="alert alert-success mb-0">No validation errors — safe to publish.</div> }
+                else
+                {
+                    <div class="alert alert-danger mb-2">@_errors.Count error@(_errors.Count == 1 ? "" : "s")</div>
+                    <ul class="list-unstyled">
+                        @foreach (var e in _errors)
+                        {
+                            <li class="mb-2">
+                                <span class="badge bg-danger me-1">@e.Code</span>
+                                <small>@e.Message</small>
+                                @if (!string.IsNullOrEmpty(e.Context)) { <div class="text-muted"><code>@e.Context</code></div> }
+                            </li>
+                        }
+                    </ul>
+                }
+            </div>
+        </div>
+
+        @if (_publishError is not null) { <div class="alert alert-danger mt-3">@_publishError</div> }
+    </div>
+</div>
+
+@code {
+    [Parameter] public string ClusterId { get; set; } = string.Empty;
+    [Parameter] public long GenerationId { get; set; }
+
+    private string _tab = "equipment";
+    private List<ValidationError> _errors = [];
+    private bool _validating;
+    private bool _busy;
+    private string? _publishError;
+
+    private string Active(string k) => _tab == k ? "active" : string.Empty;
+
+    protected override async Task OnParametersSetAsync() => await RevalidateAsync();
+
+    private async Task RevalidateAsync()
+    {
+        _validating = true;
+        try
+        {
+            var errors = await ValidationSvc.ValidateAsync(GenerationId, CancellationToken.None);
+            _errors = errors.ToList();
+        }
+        finally { _validating = false; }
+    }
+
+    private async Task PublishAsync()
+    {
+        _busy = true;
+        _publishError = null;
+        try
+        {
+            await GenerationSvc.PublishAsync(ClusterId, GenerationId, notes: "Published via Admin UI", CancellationToken.None);
+            Nav.NavigateTo($"/clusters/{ClusterId}");
+        }
+        catch (Exception ex) { _publishError = ex.Message; }
+        finally { _busy = false; }
+    }
+}
diff --git a/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/DriversTab.razor b/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/DriversTab.razor
new file mode 100644
index 0000000..901e77b
--- /dev/null
+++ b/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/DriversTab.razor
@@ -0,0 +1,107 @@
+@using ZB.MOM.WW.OtOpcUa.Admin.Services
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@inject DriverInstanceService DriverSvc
+@inject NamespaceService NsSvc
+
+<div class="d-flex justify-content-between mb-3">
+    <h4>DriverInstances</h4>
+    <button class="btn btn-sm btn-primary" @onclick="() => _showForm = true">Add driver</button>
+</div>
+
+@if (_drivers is null) { <p>Loading…</p> }
+else if (_drivers.Count == 0) { <p class="text-muted">No drivers configured in this draft.</p> }
+else
+{
+    <table class="table table-sm">
+        <thead><tr><th>DriverInstanceId</th><th>Name</th><th>Type</th><th>Namespace</th></tr></thead>
+        <tbody>
+        @foreach (var d in _drivers)
+        {
+            <tr><td><code>@d.DriverInstanceId</code></td><td>@d.Name</td><td>@d.DriverType</td><td><code>@d.NamespaceId</code></td></tr>
+        }
+        </tbody>
+    </table>
+}
+
+@if (_showForm && _namespaces is not null)
+{
+    <div class="card">
+        <div class="card-body">
+            <div class="row g-3">
+                <div class="col-md-3">
+                    <label class="form-label">Name</label>
+                    <input class="form-control" @bind="_name"/>
+                </div>
+                <div class="col-md-3">
+                    <label class="form-label">DriverType</label>
+                    <select class="form-select" @bind="_type">
+                        <option>Galaxy</option>
+                        <option>ModbusTcp</option>
+                        <option>AbCip</option>
+                        <option>AbLegacy</option>
+                        <option>S7</option>
+                        <option>Focas</option>
+                        <option>OpcUaClient</option>
+                    </select>
+                </div>
+                <div class="col-md-6">
+                    <label class="form-label">Namespace</label>
+                    <select class="form-select" @bind="_nsId">
+                        @foreach (var n in _namespaces) { <option value="@n.NamespaceId">@n.Kind — @n.NamespaceUri</option> }
+                    </select>
+                </div>
+                <div class="col-12">
+                    <label class="form-label">DriverConfig JSON (schemaless per driver type)</label>
+                    <textarea class="form-control font-monospace" rows="6" @bind="_config"></textarea>
+                    <div class="form-text">Phase 1: generic JSON editor — per-driver schema validation arrives in each driver's phase (decision #94).</div>
+                </div>
+            </div>
+            @if (_error is not null) { <div class="alert alert-danger mt-3">@_error</div> }
+            <div class="mt-3">
+                <button class="btn btn-sm btn-primary" @onclick="SaveAsync">Save</button>
+                <button class="btn btn-sm btn-secondary ms-2" @onclick="() => _showForm = false">Cancel</button>
+            </div>
+        </div>
+    </div>
+}
+
+@code {
+    [Parameter] public long GenerationId { get; set; }
+    [Parameter] public string ClusterId { get; set; } = string.Empty;
+
+    private List<DriverInstance>? _drivers;
+    private List<Namespace>? _namespaces;
+    private bool _showForm;
+    private string _name = string.Empty;
+    private string _type = "ModbusTcp";
+    private string _nsId = string.Empty;
+    private string _config = "{}";
+    private string? _error;
+
+    protected override async Task OnParametersSetAsync() => await ReloadAsync();
+
+    private async Task ReloadAsync()
+    {
+        _drivers = await DriverSvc.ListAsync(GenerationId, CancellationToken.None);
+        _namespaces = await NsSvc.ListAsync(GenerationId, CancellationToken.None);
+        _nsId = _namespaces.FirstOrDefault()?.NamespaceId ?? string.Empty;
+    }
+
+    private async Task SaveAsync()
+    {
+        _error = null;
+        if (string.IsNullOrWhiteSpace(_name) || string.IsNullOrWhiteSpace(_nsId))
+        {
+            _error = "Name and Namespace are required";
+            return;
+        }
+        try
+        {
+            await DriverSvc.AddAsync(GenerationId, ClusterId, _nsId, _name, _type, _config, CancellationToken.None);
+            _name = string.Empty; _config = "{}";
+            _showForm = false;
+            await ReloadAsync();
+        }
+        catch (Exception ex) { _error = ex.Message; }
+    }
+}
diff --git a/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/EquipmentTab.razor b/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/EquipmentTab.razor
new file mode 100644
index 0000000..fdc28f1
--- /dev/null
+++ b/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/EquipmentTab.razor
@@ -0,0 +1,152 @@
+@using ZB.MOM.WW.OtOpcUa.Admin.Services
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@using ZB.MOM.WW.OtOpcUa.Configuration.Validation
+@inject EquipmentService EquipmentSvc
+
+<div class="d-flex justify-content-between mb-3">
+    <h4>Equipment (draft gen @GenerationId)</h4>
+    <button class="btn btn-primary btn-sm" @onclick="StartAdd">Add equipment</button>
+</div>
+
+@if (_equipment is null)
+{
+    <p>Loading…</p>
+}
+else if (_equipment.Count == 0 && !_showForm)
+{
+    <p class="text-muted">No equipment in this draft yet.</p>
+}
+else if (_equipment.Count > 0)
+{
+    <table class="table table-sm table-hover">
+        <thead>
+            <tr>
+                <th>EquipmentId</th><th>Name</th><th>MachineCode</th><th>ZTag</th><th>SAPID</th>
+                <th>Manufacturer / Model</th><th>Serial</th><th></th>
+            </tr>
+        </thead>
+        <tbody>
+        @foreach (var e in _equipment)
+        {
+            <tr>
+                <td><code>@e.EquipmentId</code></td>
+                <td>@e.Name</td>
+                <td>@e.MachineCode</td>
+                <td>@e.ZTag</td>
+                <td>@e.SAPID</td>
+                <td>@e.Manufacturer / @e.Model</td>
+                <td>@e.SerialNumber</td>
+                <td><button class="btn btn-sm btn-outline-danger" @onclick="() => DeleteAsync(e.EquipmentRowId)">Remove</button></td>
+            </tr>
+        }
+        </tbody>
+    </table>
+}
+
+@if (_showForm)
+{
+    <div class="card mt-3">
+        <div class="card-body">
+            <h5>New equipment</h5>
+            <EditForm Model="_draft" OnValidSubmit="SaveAsync" FormName="new-equipment">
+                <DataAnnotationsValidator/>
+                <div class="row g-3">
+                    <div class="col-md-4">
+                        <label class="form-label">Name (UNS segment)</label>
+                        <InputText @bind-Value="_draft.Name" class="form-control"/>
+                        <ValidationMessage For="() => _draft.Name"/>
+                    </div>
+                    <div class="col-md-4">
+                        <label class="form-label">MachineCode</label>
+                        <InputText @bind-Value="_draft.MachineCode" class="form-control"/>
+                    </div>
+                    <div class="col-md-4">
+                        <label class="form-label">DriverInstanceId</label>
+                        <InputText @bind-Value="_draft.DriverInstanceId" class="form-control"/>
+                    </div>
+                    <div class="col-md-4">
+                        <label class="form-label">UnsLineId</label>
+                        <InputText @bind-Value="_draft.UnsLineId" class="form-control"/>
+                    </div>
+                    <div class="col-md-4">
+                        <label class="form-label">ZTag</label>
+                        <InputText @bind-Value="_draft.ZTag" class="form-control"/>
+                    </div>
+                    <div class="col-md-4">
+                        <label class="form-label">SAPID</label>
+                        <InputText @bind-Value="_draft.SAPID" class="form-control"/>
+                    </div>
+                </div>
+
+                <h6 class="mt-4">OPC 40010 Identification</h6>
+                <div class="row g-3">
+                    <div class="col-md-4"><label class="form-label">Manufacturer</label><InputText @bind-Value="_draft.Manufacturer" class="form-control"/></div>
+                    <div class="col-md-4"><label class="form-label">Model</label><InputText @bind-Value="_draft.Model" class="form-control"/></div>
+                    <div class="col-md-4"><label class="form-label">Serial number</label><InputText @bind-Value="_draft.SerialNumber" class="form-control"/></div>
+                    <div class="col-md-4"><label class="form-label">Hardware rev</label><InputText @bind-Value="_draft.HardwareRevision" class="form-control"/></div>
+                    <div class="col-md-4"><label class="form-label">Software rev</label><InputText @bind-Value="_draft.SoftwareRevision" class="form-control"/></div>
+                    <div class="col-md-4">
+                        <label class="form-label">Year of construction</label>
+                        <InputNumber @bind-Value="_draft.YearOfConstruction" class="form-control"/>
+                    </div>
+                </div>
+
+                @if (_error is not null) { <div class="alert alert-danger mt-3">@_error</div> }
+
+                <div class="mt-3">
+                    <button type="submit" class="btn btn-primary btn-sm">Save</button>
+                    <button type="button" class="btn btn-secondary btn-sm ms-2" @onclick="() => _showForm = false">Cancel</button>
+                </div>
+            </EditForm>
+        </div>
+    </div>
+}
+
+@code {
+    [Parameter] public long GenerationId { get; set; }
+    private List<Equipment>? _equipment;
+    private bool _showForm;
+    private Equipment _draft = NewBlankDraft();
+    private string? _error;
+
+    private static Equipment NewBlankDraft() => new()
+    {
+        EquipmentId = string.Empty, DriverInstanceId = string.Empty,
+        UnsLineId = string.Empty, Name = string.Empty, MachineCode = string.Empty,
+    };
+
+    protected override async Task OnParametersSetAsync() => await ReloadAsync();
+
+    private async Task ReloadAsync()
+    {
+        _equipment = await EquipmentSvc.ListAsync(GenerationId, CancellationToken.None);
+    }
+
+    private void StartAdd()
+    {
+        _draft = NewBlankDraft();
+        _error = null;
+        _showForm = true;
+    }
+
+    private async Task SaveAsync()
+    {
+        _error = null;
+        _draft.EquipmentUuid = Guid.NewGuid();
+        _draft.EquipmentId = DraftValidator.DeriveEquipmentId(_draft.EquipmentUuid);
+        _draft.GenerationId = GenerationId;
+        try
+        {
+            await EquipmentSvc.CreateAsync(GenerationId, _draft, CancellationToken.None);
+            _showForm = false;
+            await ReloadAsync();
+        }
+        catch (Exception ex) { _error = ex.Message; }
+    }
+
+    private async Task DeleteAsync(Guid id)
+    {
+        await EquipmentSvc.DeleteAsync(id, CancellationToken.None);
+        await ReloadAsync();
+    }
+}
diff --git a/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/Generations.razor b/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/Generations.razor
new file mode 100644
index 0000000..55a226c
--- /dev/null
+++ b/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/Generations.razor
@@ -0,0 +1,73 @@
+@using ZB.MOM.WW.OtOpcUa.Admin.Services
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@using ZB.MOM.WW.OtOpcUa.Configuration.Enums
+@inject GenerationService GenerationSvc
+@inject NavigationManager Nav
+
+<h4>Generations</h4>
+
+@if (_generations is null) { <p>Loading…</p> }
+else if (_generations.Count == 0) { <p class="text-muted">No generations in this cluster yet.</p> }
+else
+{
+    <table class="table table-sm">
+        <thead>
+            <tr><th>ID</th><th>Status</th><th>Created</th><th>Published</th><th>PublishedBy</th><th>Notes</th><th></th></tr>
+        </thead>
+        <tbody>
+        @foreach (var g in _generations)
+        {
+            <tr>
+                <td><code>@g.GenerationId</code></td>
+                <td>@StatusBadge(g.Status)</td>
+                <td><small>@g.CreatedAt.ToString("u") by @g.CreatedBy</small></td>
+                <td><small>@(g.PublishedAt?.ToString("u") ?? "-")</small></td>
+                <td><small>@g.PublishedBy</small></td>
+                <td><small>@g.Notes</small></td>
+                <td>
+                    @if (g.Status == GenerationStatus.Draft)
+                    {
+                        <a class="btn btn-sm btn-primary" href="/clusters/@ClusterId/draft/@g.GenerationId">Open</a>
+                    }
+                    else if (g.Status is GenerationStatus.Published or GenerationStatus.Superseded)
+                    {
+                        <button class="btn btn-sm btn-outline-warning" @onclick="() => RollbackAsync(g.GenerationId)">Roll back to this</button>
+                    }
+                </td>
+            </tr>
+        }
+        </tbody>
+    </table>
+}
+
+@if (_error is not null) { <div class="alert alert-danger">@_error</div> }
+
+@code {
+    [Parameter] public string ClusterId { get; set; } = string.Empty;
+    private List<ConfigGeneration>? _generations;
+    private string? _error;
+
+    protected override async Task OnParametersSetAsync() => await ReloadAsync();
+
+    private async Task ReloadAsync() =>
+        _generations = await GenerationSvc.ListRecentAsync(ClusterId, 100, CancellationToken.None);
+
+    private async Task RollbackAsync(long targetId)
+    {
+        _error = null;
+        try
+        {
+            await GenerationSvc.RollbackAsync(ClusterId, targetId, notes: $"Rollback via Admin UI", CancellationToken.None);
+            await ReloadAsync();
+        }
+        catch (Exception ex) { _error = ex.Message; }
+    }
+
+    private static MarkupString StatusBadge(GenerationStatus s) => s switch
+    {
+        GenerationStatus.Draft      => new MarkupString("<span class='badge bg-info'>Draft</span>"),
+        GenerationStatus.Published  => new MarkupString("<span class='badge bg-success'>Published</span>"),
+        GenerationStatus.Superseded => new MarkupString("<span class='badge bg-secondary'>Superseded</span>"),
+        _                           => new MarkupString($"<span class='badge bg-light text-dark'>{s}</span>"),
+    };
+}
diff --git a/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/NamespacesTab.razor b/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/NamespacesTab.razor
new file mode 100644
index 0000000..d3ecd61
--- /dev/null
+++ b/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/NamespacesTab.razor
@@ -0,0 +1,69 @@
+@using ZB.MOM.WW.OtOpcUa.Admin.Services
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@using ZB.MOM.WW.OtOpcUa.Configuration.Enums
+@inject NamespaceService NsSvc
+
+<div class="d-flex justify-content-between mb-3">
+    <h4>Namespaces</h4>
+    <button class="btn btn-sm btn-primary" @onclick="() => _showForm = true">Add namespace</button>
+</div>
+
+@if (_namespaces is null) { <p>Loading…</p> }
+else if (_namespaces.Count == 0) { <p class="text-muted">No namespaces defined in this draft.</p> }
+else
+{
+    <table class="table table-sm">
+        <thead><tr><th>NamespaceId</th><th>Kind</th><th>URI</th><th>Enabled</th></tr></thead>
+        <tbody>
+        @foreach (var n in _namespaces)
+        {
+            <tr><td><code>@n.NamespaceId</code></td><td>@n.Kind</td><td>@n.NamespaceUri</td><td>@(n.Enabled ? "yes" : "no")</td></tr>
+        }
+        </tbody>
+    </table>
+}
+
+@if (_showForm)
+{
+    <div class="card">
+        <div class="card-body">
+            <div class="row g-3">
+                <div class="col-md-6"><label class="form-label">NamespaceUri</label><input class="form-control" @bind="_uri"/></div>
+                <div class="col-md-6">
+                    <label class="form-label">Kind</label>
+                    <select class="form-select" @bind="_kind">
+                        <option value="@NamespaceKind.Equipment">Equipment</option>
+                        <option value="@NamespaceKind.SystemPlatform">SystemPlatform (Galaxy)</option>
+                    </select>
+                </div>
+            </div>
+            <div class="mt-3">
+                <button class="btn btn-sm btn-primary" @onclick="SaveAsync">Save</button>
+                <button class="btn btn-sm btn-secondary ms-2" @onclick="() => _showForm = false">Cancel</button>
+            </div>
+        </div>
+    </div>
+}
+
+@code {
+    [Parameter] public long GenerationId { get; set; }
+    [Parameter] public string ClusterId { get; set; } = string.Empty;
+    private List<Namespace>? _namespaces;
+    private bool _showForm;
+    private string _uri = string.Empty;
+    private NamespaceKind _kind = NamespaceKind.Equipment;
+
+    protected override async Task OnParametersSetAsync() => await ReloadAsync();
+
+    private async Task ReloadAsync() =>
+        _namespaces = await NsSvc.ListAsync(GenerationId, CancellationToken.None);
+
+    private async Task SaveAsync()
+    {
+        if (string.IsNullOrWhiteSpace(_uri)) return;
+        await NsSvc.AddAsync(GenerationId, ClusterId, _uri, _kind, CancellationToken.None);
+        _uri = string.Empty;
+        _showForm = false;
+        await ReloadAsync();
+    }
+}
diff --git a/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/NewCluster.razor b/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/NewCluster.razor
new file mode 100644
index 0000000..1c2c6f7
--- /dev/null
+++ b/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/NewCluster.razor
@@ -0,0 +1,104 @@
+@page "/clusters/new"
+@using System.ComponentModel.DataAnnotations
+@using ZB.MOM.WW.OtOpcUa.Admin.Services
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@using ZB.MOM.WW.OtOpcUa.Configuration.Enums
+@inject ClusterService ClusterSvc
+@inject GenerationService GenerationSvc
+@inject NavigationManager Nav
+
+<h1 class="mb-4">New cluster</h1>
+
+<EditForm Model="_input" OnValidSubmit="CreateAsync" FormName="new-cluster">
+    <DataAnnotationsValidator/>
+
+    <div class="row g-3">
+        <div class="col-md-6">
+            <label class="form-label">ClusterId <span class="text-danger">*</span></label>
+            <InputText @bind-Value="_input.ClusterId" class="form-control"/>
+            <div class="form-text">Stable internal ID. Lowercase alphanumeric + hyphens; ≤ 64 chars.</div>
+            <ValidationMessage For="() => _input.ClusterId"/>
+        </div>
+        <div class="col-md-6">
+            <label class="form-label">Display name <span class="text-danger">*</span></label>
+            <InputText @bind-Value="_input.Name" class="form-control"/>
+            <ValidationMessage For="() => _input.Name"/>
+        </div>
+        <div class="col-md-4">
+            <label class="form-label">Enterprise</label>
+            <InputText @bind-Value="_input.Enterprise" class="form-control"/>
+        </div>
+        <div class="col-md-4">
+            <label class="form-label">Site</label>
+            <InputText @bind-Value="_input.Site" class="form-control"/>
+        </div>
+        <div class="col-md-4">
+            <label class="form-label">Redundancy</label>
+            <InputSelect @bind-Value="_input.RedundancyMode" class="form-select">
+                <option value="@RedundancyMode.None">None (single node)</option>
+                <option value="@RedundancyMode.Warm">Warm (2 nodes)</option>
+                <option value="@RedundancyMode.Hot">Hot (2 nodes)</option>
+            </InputSelect>
+        </div>
+    </div>
+
+    @if (!string.IsNullOrEmpty(_error))
+    {
+        <div class="alert alert-danger mt-3">@_error</div>
+    }
+
+    <div class="mt-4">
+        <button type="submit" class="btn btn-primary" disabled="@_submitting">Create cluster</button>
+        <a href="/clusters" class="btn btn-secondary ms-2">Cancel</a>
+    </div>
+</EditForm>
+
+@code {
+    private sealed class Input
+    {
+        [Required, RegularExpression("^[a-z0-9-]{1,64}$", ErrorMessage = "Lowercase alphanumeric + hyphens only")]
+        public string ClusterId { get; set; } = string.Empty;
+
+        [Required, StringLength(128)]
+        public string Name { get; set; } = string.Empty;
+
+        [StringLength(32)] public string Enterprise { get; set; } = "zb";
+        [StringLength(32)] public string Site { get; set; } = "dev";
+        public RedundancyMode RedundancyMode { get; set; } = RedundancyMode.None;
+    }
+
+    private Input _input = new();
+    private bool _submitting;
+    private string? _error;
+
+    private async Task CreateAsync()
+    {
+        _submitting = true;
+        _error = null;
+
+        try
+        {
+            var cluster = new ServerCluster
+            {
+                ClusterId = _input.ClusterId,
+                Name = _input.Name,
+                Enterprise = _input.Enterprise,
+                Site = _input.Site,
+                RedundancyMode = _input.RedundancyMode,
+                NodeCount = _input.RedundancyMode == RedundancyMode.None ? (byte)1 : (byte)2,
+                Enabled = true,
+                CreatedBy = "admin-ui",
+            };
+
+            await ClusterSvc.CreateAsync(cluster, createdBy: "admin-ui", CancellationToken.None);
+            await GenerationSvc.CreateDraftAsync(cluster.ClusterId, createdBy: "admin-ui", CancellationToken.None);
+
+            Nav.NavigateTo($"/clusters/{cluster.ClusterId}");
+        }
+        catch (Exception ex)
+        {
+            _error = ex.Message;
+        }
+        finally { _submitting = false; }
+    }
+}
diff --git a/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/UnsTab.razor b/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/UnsTab.razor
new file mode 100644
index 0000000..6c29a82
--- /dev/null
+++ b/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/UnsTab.razor
@@ -0,0 +1,115 @@
+@using ZB.MOM.WW.OtOpcUa.Admin.Services
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@inject UnsService UnsSvc
+
+<div class="row">
+    <div class="col-md-6">
+        <div class="d-flex justify-content-between mb-2">
+            <h4>UNS Areas</h4>
+            <button class="btn btn-sm btn-primary" @onclick="() => _showAreaForm = true">Add area</button>
+        </div>
+
+        @if (_areas is null) { <p>Loading…</p> }
+        else if (_areas.Count == 0) { <p class="text-muted">No areas yet.</p> }
+        else
+        {
+            <table class="table table-sm">
+                <thead><tr><th>AreaId</th><th>Name</th></tr></thead>
+                <tbody>
+                @foreach (var a in _areas)
+                {
+                    <tr><td><code>@a.UnsAreaId</code></td><td>@a.Name</td></tr>
+                }
+                </tbody>
+            </table>
+        }
+
+        @if (_showAreaForm)
+        {
+            <div class="card">
+                <div class="card-body">
+                    <div class="mb-2"><label class="form-label">Name (lowercase segment)</label><input class="form-control" @bind="_newAreaName"/></div>
+                    <button class="btn btn-sm btn-primary" @onclick="AddAreaAsync">Save</button>
+                    <button class="btn btn-sm btn-secondary ms-2" @onclick="() => _showAreaForm = false">Cancel</button>
+                </div>
+            </div>
+        }
+    </div>
+    <div class="col-md-6">
+        <div class="d-flex justify-content-between mb-2">
+            <h4>UNS Lines</h4>
+            <button class="btn btn-sm btn-primary" @onclick="() => _showLineForm = true" disabled="@(_areas is null || _areas.Count == 0)">Add line</button>
+        </div>
+
+        @if (_lines is null) { <p>Loading…</p> }
+        else if (_lines.Count == 0) { <p class="text-muted">No lines yet.</p> }
+        else
+        {
+            <table class="table table-sm">
+                <thead><tr><th>LineId</th><th>Area</th><th>Name</th></tr></thead>
+                <tbody>
+                @foreach (var l in _lines)
+                {
+                    <tr><td><code>@l.UnsLineId</code></td><td><code>@l.UnsAreaId</code></td><td>@l.Name</td></tr>
+                }
+                </tbody>
+            </table>
+        }
+
+        @if (_showLineForm && _areas is not null)
+        {
+            <div class="card">
+                <div class="card-body">
+                    <div class="mb-2">
+                        <label class="form-label">Area</label>
+                        <select class="form-select" @bind="_newLineAreaId">
+                            @foreach (var a in _areas) { <option value="@a.UnsAreaId">@a.Name (@a.UnsAreaId)</option> }
+                        </select>
+                    </div>
+                    <div class="mb-2"><label class="form-label">Name</label><input class="form-control" @bind="_newLineName"/></div>
+                    <button class="btn btn-sm btn-primary" @onclick="AddLineAsync">Save</button>
+                    <button class="btn btn-sm btn-secondary ms-2" @onclick="() => _showLineForm = false">Cancel</button>
+                </div>
+            </div>
+        }
+    </div>
+</div>
+
+@code {
+    [Parameter] public long GenerationId { get; set; }
+    [Parameter] public string ClusterId { get; set; } = string.Empty;
+
+    private List<UnsArea>? _areas;
+    private List<UnsLine>? _lines;
+    private bool _showAreaForm;
+    private bool _showLineForm;
+    private string _newAreaName = string.Empty;
+    private string _newLineName = string.Empty;
+    private string _newLineAreaId = string.Empty;
+
+    protected override async Task OnParametersSetAsync() => await ReloadAsync();
+
+    private async Task ReloadAsync()
+    {
+        _areas = await UnsSvc.ListAreasAsync(GenerationId, CancellationToken.None);
+        _lines = await UnsSvc.ListLinesAsync(GenerationId, CancellationToken.None);
+    }
+
+    private async Task AddAreaAsync()
+    {
+        if (string.IsNullOrWhiteSpace(_newAreaName)) return;
+        await UnsSvc.AddAreaAsync(GenerationId, ClusterId, _newAreaName, notes: null, CancellationToken.None);
+        _newAreaName = string.Empty;
+        _showAreaForm = false;
+        await ReloadAsync();
+    }
+
+    private async Task AddLineAsync()
+    {
+        if (string.IsNullOrWhiteSpace(_newLineName) || string.IsNullOrWhiteSpace(_newLineAreaId)) return;
+        await UnsSvc.AddLineAsync(GenerationId, _newLineAreaId, _newLineName, notes: null, CancellationToken.None);
+        _newLineName = string.Empty;
+        _showLineForm = false;
+        await ReloadAsync();
+    }
+}
diff --git a/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Home.razor b/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Home.razor
index 111c238..6ef2ff7 100644
--- a/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Home.razor
+++ b/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Home.razor
@@ -1,16 +1,72 @@
 @page "/"
+@using ZB.MOM.WW.OtOpcUa.Admin.Services
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@inject ClusterService ClusterSvc
+@inject GenerationService GenerationSvc
+@inject NavigationManager Nav
 
-<h1 class="mb-4">OtOpcUa fleet overview</h1>
-<p class="text-muted">Phase 1 scaffold — full dashboard lands in Phase 1 Stream E completion.</p>
+<h1 class="mb-4">Fleet overview</h1>
 
-<div class="row g-3">
-    <div class="col-md-4">
-        <div class="card"><div class="card-body"><h5 class="card-title">Clusters</h5><a href="/clusters" class="btn btn-primary btn-sm">Manage</a></div></div>
+@if (_clusters is null)
+{
+    <p>Loading…</p>
+}
+else if (_clusters.Count == 0)
+{
+    <div class="alert alert-info">
+        No clusters configured yet. <a href="/clusters/new">Create the first cluster</a>.
     </div>
-    <div class="col-md-4">
-        <div class="card"><div class="card-body"><h5 class="card-title">Generations</h5><a href="/generations" class="btn btn-primary btn-sm">Manage</a></div></div>
+}
+else
+{
+    <div class="row g-3 mb-4">
+        <div class="col-md-3">
+            <div class="card"><div class="card-body"><h6 class="text-muted">Clusters</h6><div class="fs-2">@_clusters.Count</div></div></div>
+        </div>
+        <div class="col-md-3">
+            <div class="card"><div class="card-body"><h6 class="text-muted">Active drafts</h6><div class="fs-2">@_activeDraftCount</div></div></div>
+        </div>
+        <div class="col-md-3">
+            <div class="card"><div class="card-body"><h6 class="text-muted">Published generations</h6><div class="fs-2">@_publishedCount</div></div></div>
+        </div>
+        <div class="col-md-3">
+            <div class="card"><div class="card-body"><h6 class="text-muted">Disabled clusters</h6><div class="fs-2">@_clusters.Count(c => !c.Enabled)</div></div></div>
+        </div>
     </div>
-    <div class="col-md-4">
-        <div class="card"><div class="card-body"><h5 class="card-title">Equipment</h5><a href="/equipment" class="btn btn-primary btn-sm">Manage</a></div></div>
-    </div>
-</div>
+
+    <h4 class="mt-4 mb-3">Clusters</h4>
+    <table class="table table-hover">
+        <thead><tr><th>ClusterId</th><th>Name</th><th>Enterprise / Site</th><th>Redundancy</th><th>Enabled</th><th></th></tr></thead>
+        <tbody>
+        @foreach (var c in _clusters)
+        {
+            <tr style="cursor: pointer;">
+                <td><code>@c.ClusterId</code></td>
+                <td>@c.Name</td>
+                <td>@c.Enterprise / @c.Site</td>
+                <td>@c.RedundancyMode</td>
+                <td>@(c.Enabled ? "Yes" : "No")</td>
+                <td><a href="/clusters/@c.ClusterId" class="btn btn-sm btn-outline-primary">Open</a></td>
+            </tr>
+        }
+        </tbody>
+    </table>
+}
+
+@code {
+    private List<ServerCluster>? _clusters;
+    private int _activeDraftCount;
+    private int _publishedCount;
+
+    protected override async Task OnInitializedAsync()
+    {
+        _clusters = await ClusterSvc.ListAsync(CancellationToken.None);
+
+        foreach (var c in _clusters)
+        {
+            var gens = await GenerationSvc.ListRecentAsync(c.ClusterId, 50, CancellationToken.None);
+            _activeDraftCount += gens.Count(g => g.Status.ToString() == "Draft");
+            _publishedCount += gens.Count(g => g.Status.ToString() == "Published");
+        }
+    }
+}
diff --git a/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Login.razor b/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Login.razor
new file mode 100644
index 0000000..18f4408
--- /dev/null
+++ b/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Login.razor
@@ -0,0 +1,74 @@
+@page "/login"
+@using System.Security.Claims
+@using Microsoft.AspNetCore.Authentication
+@using Microsoft.AspNetCore.Authentication.Cookies
+@using Microsoft.AspNetCore.Components.Authorization
+@using ZB.MOM.WW.OtOpcUa.Admin.Services
+@inject IHttpContextAccessor Http
+
+<div class="row justify-content-center mt-5">
+    <div class="col-md-5">
+        <div class="card">
+            <div class="card-body">
+                <h4 class="mb-4">OtOpcUa Admin — sign in</h4>
+
+                <EditForm Model="_input" OnValidSubmit="SignInAsync" FormName="login">
+                    <div class="mb-3">
+                        <label class="form-label">Username</label>
+                        <InputText @bind-Value="_input.Username" class="form-control"/>
+                    </div>
+                    <div class="mb-3">
+                        <label class="form-label">Password</label>
+                        <InputText type="password" @bind-Value="_input.Password" class="form-control"/>
+                    </div>
+
+                    @if (_error is not null) { <div class="alert alert-danger">@_error</div> }
+
+                    <button class="btn btn-primary w-100" type="submit">Sign in</button>
+                </EditForm>
+
+                <hr/>
+                <small class="text-muted">
+                    <strong>Phase 1 note:</strong> real LDAP bind is deferred. This scaffold accepts
+                    any non-empty credentials and issues a <code>FleetAdmin</code> cookie. Replace the
+                    <code>LdapAuthService</code> stub with the ScadaLink-parity implementation before
+                    production deployment.
+                </small>
+            </div>
+        </div>
+    </div>
+</div>
+
+@code {
+    private sealed class Input
+    {
+        public string Username { get; set; } = string.Empty;
+        public string Password { get; set; } = string.Empty;
+    }
+
+    private Input _input = new();
+    private string? _error;
+
+    private async Task SignInAsync()
+    {
+        if (string.IsNullOrWhiteSpace(_input.Username) || string.IsNullOrWhiteSpace(_input.Password))
+        {
+            _error = "Username and password are required";
+            return;
+        }
+
+        var ctx = Http.HttpContext
+            ?? throw new InvalidOperationException("HttpContext unavailable for sign-in");
+
+        var claims = new List<Claim>
+        {
+            new(ClaimTypes.Name, _input.Username),
+            new(ClaimTypes.Role, AdminRoles.FleetAdmin),
+        };
+        var identity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
+        await ctx.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme,
+            new ClaimsPrincipal(identity));
+
+        ctx.Response.Redirect("/");
+    }
+}
diff --git a/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Reservations.razor b/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Reservations.razor
new file mode 100644
index 0000000..4e79ea8
--- /dev/null
+++ b/src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Reservations.razor
@@ -0,0 +1,114 @@
+@page "/reservations"
+@using ZB.MOM.WW.OtOpcUa.Admin.Services
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@using Microsoft.AspNetCore.Authorization
+@attribute [Authorize(Policy = "CanPublish")]
+@inject ReservationService ReservationSvc
+
+<h1 class="mb-4">External-ID reservations</h1>
+<p class="text-muted">
+    Fleet-wide ZTag + SAPID reservation state (decision #124). Releasing a reservation is a
+    FleetAdmin-only audit-logged action — only release when the physical asset is permanently
+    retired and its ID needs to be reused by a different equipment.
+</p>
+
+<h4 class="mt-4">Active</h4>
+@if (_active is null) { <p>Loading…</p> }
+else if (_active.Count == 0) { <p class="text-muted">No active reservations.</p> }
+else
+{
+    <table class="table table-sm">
+        <thead><tr><th>Kind</th><th>Value</th><th>EquipmentUuid</th><th>Cluster</th><th>First published</th><th>Last published</th><th></th></tr></thead>
+        <tbody>
+        @foreach (var r in _active)
+        {
+            <tr>
+                <td><code>@r.Kind</code></td>
+                <td><code>@r.Value</code></td>
+                <td><code>@r.EquipmentUuid</code></td>
+                <td>@r.ClusterId</td>
+                <td><small>@r.FirstPublishedAt.ToString("u") by @r.FirstPublishedBy</small></td>
+                <td><small>@r.LastPublishedAt.ToString("u")</small></td>
+                <td><button class="btn btn-sm btn-outline-danger" @onclick='() => OpenReleaseDialog(r)'>Release…</button></td>
+            </tr>
+        }
+        </tbody>
+    </table>
+}
+
+<h4 class="mt-4">Released (most recent 100)</h4>
+@if (_released is null) { <p>Loading…</p> }
+else if (_released.Count == 0) { <p class="text-muted">No released reservations yet.</p> }
+else
+{
+    <table class="table table-sm">
+        <thead><tr><th>Kind</th><th>Value</th><th>Released at</th><th>By</th><th>Reason</th></tr></thead>
+        <tbody>
+        @foreach (var r in _released)
+        {
+            <tr><td><code>@r.Kind</code></td><td><code>@r.Value</code></td><td>@r.ReleasedAt?.ToString("u")</td><td>@r.ReleasedBy</td><td>@r.ReleaseReason</td></tr>
+        }
+        </tbody>
+    </table>
+}
+
+@if (_releasing is not null)
+{
+    <div class="modal show d-block" tabindex="-1" style="background-color: rgba(0,0,0,0.5);">
+        <div class="modal-dialog">
+            <div class="modal-content">
+                <div class="modal-header">
+                    <h5 class="modal-title">Release reservation <code>@_releasing.Kind</code> = <code>@_releasing.Value</code></h5>
+                </div>
+                <div class="modal-body">
+                    <p>This makes the (Kind, Value) pair available for a different EquipmentUuid in a future publish. Audit-logged.</p>
+                    <label class="form-label">Reason (required)</label>
+                    <textarea class="form-control" rows="3" @bind="_reason"></textarea>
+                    @if (_error is not null) { <div class="alert alert-danger mt-2">@_error</div> }
+                </div>
+                <div class="modal-footer">
+                    <button class="btn btn-secondary" @onclick='() => _releasing = null'>Cancel</button>
+                    <button class="btn btn-danger" @onclick="ReleaseAsync" disabled="@_busy">Release</button>
+                </div>
+            </div>
+        </div>
+    </div>
+}
+
+@code {
+    private List<ExternalIdReservation>? _active;
+    private List<ExternalIdReservation>? _released;
+    private ExternalIdReservation? _releasing;
+    private string _reason = string.Empty;
+    private bool _busy;
+    private string? _error;
+
+    protected override async Task OnInitializedAsync() => await ReloadAsync();
+
+    private async Task ReloadAsync()
+    {
+        _active = await ReservationSvc.ListActiveAsync(CancellationToken.None);
+        _released = await ReservationSvc.ListReleasedAsync(CancellationToken.None);
+    }
+
+    private void OpenReleaseDialog(ExternalIdReservation r)
+    {
+        _releasing = r;
+        _reason = string.Empty;
+        _error = null;
+    }
+
+    private async Task ReleaseAsync()
+    {
+        if (_releasing is null || string.IsNullOrWhiteSpace(_reason)) { _error = "Reason is required"; return; }
+        _busy = true;
+        try
+        {
+            await ReservationSvc.ReleaseAsync(_releasing.Kind.ToString(), _releasing.Value, _reason, CancellationToken.None);
+            _releasing = null;
+            await ReloadAsync();
+        }
+        catch (Exception ex) { _error = ex.Message; }
+        finally { _busy = false; }
+    }
+}
diff --git a/src/ZB.MOM.WW.OtOpcUa.Admin/Components/_Imports.razor b/src/ZB.MOM.WW.OtOpcUa.Admin/Components/_Imports.razor
index d17869a..10288f9 100644
--- a/src/ZB.MOM.WW.OtOpcUa.Admin/Components/_Imports.razor
+++ b/src/ZB.MOM.WW.OtOpcUa.Admin/Components/_Imports.razor
@@ -4,7 +4,11 @@
 @using Microsoft.AspNetCore.Components.Routing
 @using Microsoft.AspNetCore.Components.Web
 @using Microsoft.AspNetCore.Components.Web.Virtualization
+@using Microsoft.AspNetCore.Components.Authorization
+@using Microsoft.AspNetCore.Http
 @using Microsoft.JSInterop
 @using ZB.MOM.WW.OtOpcUa.Admin
 @using ZB.MOM.WW.OtOpcUa.Admin.Components
 @using ZB.MOM.WW.OtOpcUa.Admin.Components.Layout
+@using ZB.MOM.WW.OtOpcUa.Admin.Components.Pages
+@using ZB.MOM.WW.OtOpcUa.Admin.Components.Pages.Clusters
diff --git a/src/ZB.MOM.WW.OtOpcUa.Admin/Program.cs b/src/ZB.MOM.WW.OtOpcUa.Admin/Program.cs
index 9c9fec6..bcd9e70 100644
--- a/src/ZB.MOM.WW.OtOpcUa.Admin/Program.cs
+++ b/src/ZB.MOM.WW.OtOpcUa.Admin/Program.cs
@@ -1,3 +1,4 @@
+using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.EntityFrameworkCore;
 using Serilog;
@@ -13,6 +14,7 @@ builder.Host.UseSerilog((ctx, cfg) => cfg
     .WriteTo.File("logs/otopcua-admin-.log", rollingInterval: RollingInterval.Day));
 
 builder.Services.AddRazorComponents().AddInteractiveServerComponents();
+builder.Services.AddHttpContextAccessor();
 
 builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
     .AddCookie(o =>
@@ -26,12 +28,22 @@ builder.Services.AddAuthorizationBuilder()
     .AddPolicy("CanEdit", p => p.RequireRole(AdminRoles.ConfigEditor, AdminRoles.FleetAdmin))
     .AddPolicy("CanPublish", p => p.RequireRole(AdminRoles.FleetAdmin));
 
+builder.Services.AddCascadingAuthenticationState();
+
 builder.Services.AddDbContext<OtOpcUaConfigDbContext>(opt =>
     opt.UseSqlServer(builder.Configuration.GetConnectionString("ConfigDb")
         ?? throw new InvalidOperationException("ConnectionStrings:ConfigDb not configured")));
 
 builder.Services.AddScoped<ClusterService>();
 builder.Services.AddScoped<GenerationService>();
+builder.Services.AddScoped<EquipmentService>();
+builder.Services.AddScoped<UnsService>();
+builder.Services.AddScoped<NamespaceService>();
+builder.Services.AddScoped<DriverInstanceService>();
+builder.Services.AddScoped<NodeAclService>();
+builder.Services.AddScoped<ReservationService>();
+builder.Services.AddScoped<DraftValidationService>();
+builder.Services.AddScoped<AuditLogService>();
 
 var app = builder.Build();
 
@@ -41,9 +53,14 @@ app.UseAuthentication();
 app.UseAuthorization();
 app.UseAntiforgery();
 
+app.MapPost("/auth/logout", async (HttpContext ctx) =>
+{
+    await ctx.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
+    ctx.Response.Redirect("/");
+});
+
 app.MapRazorComponents<App>().AddInteractiveServerRenderMode();
 
 await app.RunAsync();
 
-// Public for WebApplicationFactory testability.
 public partial class Program;
diff --git a/src/ZB.MOM.WW.OtOpcUa.Admin/Services/AuditLogService.cs b/src/ZB.MOM.WW.OtOpcUa.Admin/Services/AuditLogService.cs
new file mode 100644
index 0000000..384f2fd
--- /dev/null
+++ b/src/ZB.MOM.WW.OtOpcUa.Admin/Services/AuditLogService.cs
@@ -0,0 +1,15 @@
+using Microsoft.EntityFrameworkCore;
+using ZB.MOM.WW.OtOpcUa.Configuration;
+using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+
+namespace ZB.MOM.WW.OtOpcUa.Admin.Services;
+
+public sealed class AuditLogService(OtOpcUaConfigDbContext db)
+{
+    public Task<List<ConfigAuditLog>> ListRecentAsync(string? clusterId, int limit, CancellationToken ct)
+    {
+        var q = db.ConfigAuditLogs.AsNoTracking();
+        if (clusterId is not null) q = q.Where(a => a.ClusterId == clusterId);
+        return q.OrderByDescending(a => a.Timestamp).Take(limit).ToListAsync(ct);
+    }
+}
diff --git a/src/ZB.MOM.WW.OtOpcUa.Admin/Services/DraftValidationService.cs b/src/ZB.MOM.WW.OtOpcUa.Admin/Services/DraftValidationService.cs
new file mode 100644
index 0000000..1aba5ba
--- /dev/null
+++ b/src/ZB.MOM.WW.OtOpcUa.Admin/Services/DraftValidationService.cs
@@ -0,0 +1,45 @@
+using Microsoft.EntityFrameworkCore;
+using ZB.MOM.WW.OtOpcUa.Configuration;
+using ZB.MOM.WW.OtOpcUa.Configuration.Validation;
+
+namespace ZB.MOM.WW.OtOpcUa.Admin.Services;
+
+/// <summary>
+///     Runs the managed <see cref="DraftValidator"/> against a draft's snapshot loaded from the
+///     Configuration DB. Used by the draft editor's inline validation panel and by the publish
+///     dialog's pre-check. Structural-only SQL checks live in <c>sp_ValidateDraft</c>; this layer
+///     owns the content / cross-generation / regex rules.
+/// </summary>
+public sealed class DraftValidationService(OtOpcUaConfigDbContext db)
+{
+    public async Task<IReadOnlyList<ValidationError>> ValidateAsync(long draftId, CancellationToken ct)
+    {
+        var draft = await db.ConfigGenerations.AsNoTracking()
+            .FirstOrDefaultAsync(g => g.GenerationId == draftId, ct)
+            ?? throw new InvalidOperationException($"Draft {draftId} not found");
+
+        var snapshot = new DraftSnapshot
+        {
+            GenerationId = draft.GenerationId,
+            ClusterId = draft.ClusterId,
+            Namespaces = await db.Namespaces.AsNoTracking().Where(n => n.GenerationId == draftId).ToListAsync(ct),
+            DriverInstances = await db.DriverInstances.AsNoTracking().Where(d => d.GenerationId == draftId).ToListAsync(ct),
+            Devices = await db.Devices.AsNoTracking().Where(d => d.GenerationId == draftId).ToListAsync(ct),
+            UnsAreas = await db.UnsAreas.AsNoTracking().Where(a => a.GenerationId == draftId).ToListAsync(ct),
+            UnsLines = await db.UnsLines.AsNoTracking().Where(l => l.GenerationId == draftId).ToListAsync(ct),
+            Equipment = await db.Equipment.AsNoTracking().Where(e => e.GenerationId == draftId).ToListAsync(ct),
+            Tags = await db.Tags.AsNoTracking().Where(t => t.GenerationId == draftId).ToListAsync(ct),
+            PollGroups = await db.PollGroups.AsNoTracking().Where(p => p.GenerationId == draftId).ToListAsync(ct),
+
+            PriorEquipment = await db.Equipment.AsNoTracking()
+                .Where(e => e.GenerationId != draftId
+                         && db.ConfigGenerations.Any(g => g.GenerationId == e.GenerationId && g.ClusterId == draft.ClusterId))
+                .ToListAsync(ct),
+            ActiveReservations = await db.ExternalIdReservations.AsNoTracking()
+                .Where(r => r.ReleasedAt == null)
+                .ToListAsync(ct),
+        };
+
+        return DraftValidator.Validate(snapshot);
+    }
+}
diff --git a/src/ZB.MOM.WW.OtOpcUa.Admin/Services/DriverInstanceService.cs b/src/ZB.MOM.WW.OtOpcUa.Admin/Services/DriverInstanceService.cs
new file mode 100644
index 0000000..75833bb
--- /dev/null
+++ b/src/ZB.MOM.WW.OtOpcUa.Admin/Services/DriverInstanceService.cs
@@ -0,0 +1,33 @@
+using Microsoft.EntityFrameworkCore;
+using ZB.MOM.WW.OtOpcUa.Configuration;
+using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+
+namespace ZB.MOM.WW.OtOpcUa.Admin.Services;
+
+public sealed class DriverInstanceService(OtOpcUaConfigDbContext db)
+{
+    public Task<List<DriverInstance>> ListAsync(long generationId, CancellationToken ct) =>
+        db.DriverInstances.AsNoTracking()
+            .Where(d => d.GenerationId == generationId)
+            .OrderBy(d => d.DriverInstanceId)
+            .ToListAsync(ct);
+
+    public async Task<DriverInstance> AddAsync(
+        long draftId, string clusterId, string namespaceId, string name, string driverType,
+        string driverConfigJson, CancellationToken ct)
+    {
+        var di = new DriverInstance
+        {
+            GenerationId = draftId,
+            DriverInstanceId = $"drv-{Guid.NewGuid():N}"[..20],
+            ClusterId = clusterId,
+            NamespaceId = namespaceId,
+            Name = name,
+            DriverType = driverType,
+            DriverConfig = driverConfigJson,
+        };
+        db.DriverInstances.Add(di);
+        await db.SaveChangesAsync(ct);
+        return di;
+    }
+}
diff --git a/src/ZB.MOM.WW.OtOpcUa.Admin/Services/EquipmentService.cs b/src/ZB.MOM.WW.OtOpcUa.Admin/Services/EquipmentService.cs
new file mode 100644
index 0000000..ee93822
--- /dev/null
+++ b/src/ZB.MOM.WW.OtOpcUa.Admin/Services/EquipmentService.cs
@@ -0,0 +1,75 @@
+using Microsoft.EntityFrameworkCore;
+using ZB.MOM.WW.OtOpcUa.Configuration;
+using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+using ZB.MOM.WW.OtOpcUa.Configuration.Validation;
+
+namespace ZB.MOM.WW.OtOpcUa.Admin.Services;
+
+/// <summary>
+///     Equipment CRUD scoped to a generation. The Admin app writes against Draft generations only;
+///     Published generations are read-only (to create changes, clone to a new draft via
+///     <see cref="GenerationService.CreateDraftAsync"/>).
+/// </summary>
+public sealed class EquipmentService(OtOpcUaConfigDbContext db)
+{
+    public Task<List<Equipment>> ListAsync(long generationId, CancellationToken ct) =>
+        db.Equipment.AsNoTracking()
+            .Where(e => e.GenerationId == generationId)
+            .OrderBy(e => e.Name)
+            .ToListAsync(ct);
+
+    public Task<Equipment?> FindAsync(long generationId, string equipmentId, CancellationToken ct) =>
+        db.Equipment.AsNoTracking()
+            .FirstOrDefaultAsync(e => e.GenerationId == generationId && e.EquipmentId == equipmentId, ct);
+
+    /// <summary>
+    ///     Creates a new equipment row in the given draft. The EquipmentId is auto-derived from
+    ///     a fresh EquipmentUuid per decision #125; operator-supplied IDs are rejected upstream.
+    /// </summary>
+    public async Task<Equipment> CreateAsync(long draftId, Equipment input, CancellationToken ct)
+    {
+        input.GenerationId = draftId;
+        input.EquipmentUuid = input.EquipmentUuid == Guid.Empty ? Guid.NewGuid() : input.EquipmentUuid;
+        input.EquipmentId = DraftValidator.DeriveEquipmentId(input.EquipmentUuid);
+        db.Equipment.Add(input);
+        await db.SaveChangesAsync(ct);
+        return input;
+    }
+
+    public async Task UpdateAsync(Equipment updated, CancellationToken ct)
+    {
+        // Only editable fields are persisted; EquipmentId + EquipmentUuid are immutable once set.
+        var existing = await db.Equipment
+            .FirstOrDefaultAsync(e => e.EquipmentRowId == updated.EquipmentRowId, ct)
+            ?? throw new InvalidOperationException($"Equipment row {updated.EquipmentRowId} not found");
+
+        existing.Name = updated.Name;
+        existing.MachineCode = updated.MachineCode;
+        existing.ZTag = updated.ZTag;
+        existing.SAPID = updated.SAPID;
+        existing.Manufacturer = updated.Manufacturer;
+        existing.Model = updated.Model;
+        existing.SerialNumber = updated.SerialNumber;
+        existing.HardwareRevision = updated.HardwareRevision;
+        existing.SoftwareRevision = updated.SoftwareRevision;
+        existing.YearOfConstruction = updated.YearOfConstruction;
+        existing.AssetLocation = updated.AssetLocation;
+        existing.ManufacturerUri = updated.ManufacturerUri;
+        existing.DeviceManualUri = updated.DeviceManualUri;
+        existing.DriverInstanceId = updated.DriverInstanceId;
+        existing.DeviceId = updated.DeviceId;
+        existing.UnsLineId = updated.UnsLineId;
+        existing.EquipmentClassRef = updated.EquipmentClassRef;
+        existing.Enabled = updated.Enabled;
+
+        await db.SaveChangesAsync(ct);
+    }
+
+    public async Task DeleteAsync(Guid equipmentRowId, CancellationToken ct)
+    {
+        var row = await db.Equipment.FirstOrDefaultAsync(e => e.EquipmentRowId == equipmentRowId, ct);
+        if (row is null) return;
+        db.Equipment.Remove(row);
+        await db.SaveChangesAsync(ct);
+    }
+}
diff --git a/src/ZB.MOM.WW.OtOpcUa.Admin/Services/NamespaceService.cs b/src/ZB.MOM.WW.OtOpcUa.Admin/Services/NamespaceService.cs
new file mode 100644
index 0000000..fbb7a90
--- /dev/null
+++ b/src/ZB.MOM.WW.OtOpcUa.Admin/Services/NamespaceService.cs
@@ -0,0 +1,31 @@
+using Microsoft.EntityFrameworkCore;
+using ZB.MOM.WW.OtOpcUa.Configuration;
+using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+
+namespace ZB.MOM.WW.OtOpcUa.Admin.Services;
+
+public sealed class NamespaceService(OtOpcUaConfigDbContext db)
+{
+    public Task<List<Namespace>> ListAsync(long generationId, CancellationToken ct) =>
+        db.Namespaces.AsNoTracking()
+            .Where(n => n.GenerationId == generationId)
+            .OrderBy(n => n.NamespaceId)
+            .ToListAsync(ct);
+
+    public async Task<Namespace> AddAsync(
+        long draftId, string clusterId, string namespaceUri, NamespaceKind kind, CancellationToken ct)
+    {
+        var ns = new Namespace
+        {
+            GenerationId = draftId,
+            NamespaceId = $"ns-{Guid.NewGuid():N}"[..20],
+            ClusterId = clusterId,
+            NamespaceUri = namespaceUri,
+            Kind = kind,
+        };
+        db.Namespaces.Add(ns);
+        await db.SaveChangesAsync(ct);
+        return ns;
+    }
+}
diff --git a/src/ZB.MOM.WW.OtOpcUa.Admin/Services/NodeAclService.cs b/src/ZB.MOM.WW.OtOpcUa.Admin/Services/NodeAclService.cs
new file mode 100644
index 0000000..7835055
--- /dev/null
+++ b/src/ZB.MOM.WW.OtOpcUa.Admin/Services/NodeAclService.cs
@@ -0,0 +1,44 @@
+using Microsoft.EntityFrameworkCore;
+using ZB.MOM.WW.OtOpcUa.Configuration;
+using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+
+namespace ZB.MOM.WW.OtOpcUa.Admin.Services;
+
+public sealed class NodeAclService(OtOpcUaConfigDbContext db)
+{
+    public Task<List<NodeAcl>> ListAsync(long generationId, CancellationToken ct) =>
+        db.NodeAcls.AsNoTracking()
+            .Where(a => a.GenerationId == generationId)
+            .OrderBy(a => a.LdapGroup)
+            .ThenBy(a => a.ScopeKind)
+            .ToListAsync(ct);
+
+    public async Task<NodeAcl> GrantAsync(
+        long draftId, string clusterId, string ldapGroup, NodeAclScopeKind scopeKind, string? scopeId,
+        NodePermissions permissions, string? notes, CancellationToken ct)
+    {
+        var acl = new NodeAcl
+        {
+            GenerationId = draftId,
+            NodeAclId = $"acl-{Guid.NewGuid():N}"[..20],
+            ClusterId = clusterId,
+            LdapGroup = ldapGroup,
+            ScopeKind = scopeKind,
+            ScopeId = scopeId,
+            PermissionFlags = permissions,
+            Notes = notes,
+        };
+        db.NodeAcls.Add(acl);
+        await db.SaveChangesAsync(ct);
+        return acl;
+    }
+
+    public async Task RevokeAsync(Guid nodeAclRowId, CancellationToken ct)
+    {
+        var row = await db.NodeAcls.FirstOrDefaultAsync(a => a.NodeAclRowId == nodeAclRowId, ct);
+        if (row is null) return;
+        db.NodeAcls.Remove(row);
+        await db.SaveChangesAsync(ct);
+    }
+}
diff --git a/src/ZB.MOM.WW.OtOpcUa.Admin/Services/ReservationService.cs b/src/ZB.MOM.WW.OtOpcUa.Admin/Services/ReservationService.cs
new file mode 100644
index 0000000..955dde2
--- /dev/null
+++ b/src/ZB.MOM.WW.OtOpcUa.Admin/Services/ReservationService.cs
@@ -0,0 +1,38 @@
+using Microsoft.Data.SqlClient;
+using Microsoft.EntityFrameworkCore;
+using ZB.MOM.WW.OtOpcUa.Configuration;
+using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+
+namespace ZB.MOM.WW.OtOpcUa.Admin.Services;
+
+/// <summary>
+///     Fleet-wide external-ID reservation inspector + FleetAdmin-only release flow per
+///     <c>admin-ui.md §"Release an external-ID reservation"</c>. Release is audit-logged
+///     (<see cref="ConfigAuditLog"/>) via <c>sp_ReleaseExternalIdReservation</c>.
+/// </summary>
+public sealed class ReservationService(OtOpcUaConfigDbContext db)
+{
+    public Task<List<ExternalIdReservation>> ListActiveAsync(CancellationToken ct) =>
+        db.ExternalIdReservations.AsNoTracking()
+            .Where(r => r.ReleasedAt == null)
+            .OrderBy(r => r.Kind).ThenBy(r => r.Value)
+            .ToListAsync(ct);
+
+    public Task<List<ExternalIdReservation>> ListReleasedAsync(CancellationToken ct) =>
+        db.ExternalIdReservations.AsNoTracking()
+            .Where(r => r.ReleasedAt != null)
+            .OrderByDescending(r => r.ReleasedAt)
+            .Take(100)
+            .ToListAsync(ct);
+
+    public async Task ReleaseAsync(string kind, string value, string reason, CancellationToken ct)
+    {
+        if (string.IsNullOrWhiteSpace(reason))
+            throw new ArgumentException("ReleaseReason is required (audit invariant)", nameof(reason));
+
+        await db.Database.ExecuteSqlRawAsync(
+            "EXEC dbo.sp_ReleaseExternalIdReservation @Kind = {0}, @Value = {1}, @ReleaseReason = {2}",
+            [kind, value, reason],
+            ct);
+    }
+}
diff --git a/src/ZB.MOM.WW.OtOpcUa.Admin/Services/UnsService.cs b/src/ZB.MOM.WW.OtOpcUa.Admin/Services/UnsService.cs
new file mode 100644
index 0000000..c66ff17
--- /dev/null
+++ b/src/ZB.MOM.WW.OtOpcUa.Admin/Services/UnsService.cs
@@ -0,0 +1,50 @@
+using Microsoft.EntityFrameworkCore;
+using ZB.MOM.WW.OtOpcUa.Configuration;
+using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+
+namespace ZB.MOM.WW.OtOpcUa.Admin.Services;
+
+public sealed class UnsService(OtOpcUaConfigDbContext db)
+{
+    public Task<List<UnsArea>> ListAreasAsync(long generationId, CancellationToken ct) =>
+        db.UnsAreas.AsNoTracking()
+            .Where(a => a.GenerationId == generationId)
+            .OrderBy(a => a.Name)
+            .ToListAsync(ct);
+
+    public Task<List<UnsLine>> ListLinesAsync(long generationId, CancellationToken ct) =>
+        db.UnsLines.AsNoTracking()
+            .Where(l => l.GenerationId == generationId)
+            .OrderBy(l => l.Name)
+            .ToListAsync(ct);
+
+    public async Task<UnsArea> AddAreaAsync(long draftId, string clusterId, string name, string? notes, CancellationToken ct)
+    {
+        var area = new UnsArea
+        {
+            GenerationId = draftId,
+            UnsAreaId = $"area-{Guid.NewGuid():N}"[..20],
+            ClusterId = clusterId,
+            Name = name,
+            Notes = notes,
+        };
+        db.UnsAreas.Add(area);
+        await db.SaveChangesAsync(ct);
+        return area;
+    }
+
+    public async Task<UnsLine> AddLineAsync(long draftId, string unsAreaId, string name, string? notes, CancellationToken ct)
+    {
+        var line = new UnsLine
+        {
+            GenerationId = draftId,
+            UnsLineId = $"line-{Guid.NewGuid():N}"[..20],
+            UnsAreaId = unsAreaId,
+            Name = name,
+            Notes = notes,
+        };
+        db.UnsLines.Add(line);
+        await db.SaveChangesAsync(ct);
+        return line;
+    }
+}
diff --git a/src/ZB.MOM.WW.OtOpcUa.Admin/appsettings.json b/src/ZB.MOM.WW.OtOpcUa.Admin/appsettings.json
index 9ae83f6..0cd1da8 100644
--- a/src/ZB.MOM.WW.OtOpcUa.Admin/appsettings.json
+++ b/src/ZB.MOM.WW.OtOpcUa.Admin/appsettings.json
@@ -1,6 +1,6 @@
 {
   "ConnectionStrings": {
-    "ConfigDb": "Server=localhost,14330;Database=OtOpcUaConfig;Integrated Security=True;TrustServerCertificate=True;Encrypt=False;"
+    "ConfigDb": "Server=localhost,14330;Database=OtOpcUaConfig;User Id=sa;Password=OtOpcUaDev_2026!;TrustServerCertificate=True;Encrypt=False;"
   },
   "Serilog": {
     "MinimumLevel": "Information"
diff --git a/tests/ZB.MOM.WW.OtOpcUa.Admin.Tests/AdminServicesIntegrationTests.cs b/tests/ZB.MOM.WW.OtOpcUa.Admin.Tests/AdminServicesIntegrationTests.cs
new file mode 100644
index 0000000..50340c9
--- /dev/null
+++ b/tests/ZB.MOM.WW.OtOpcUa.Admin.Tests/AdminServicesIntegrationTests.cs
@@ -0,0 +1,192 @@
+using Microsoft.EntityFrameworkCore;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Admin.Services;
+using ZB.MOM.WW.OtOpcUa.Configuration;
+using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+
+namespace ZB.MOM.WW.OtOpcUa.Admin.Tests;
+
+/// <summary>
+///     Ties Admin services end-to-end against a throwaway per-run database — mirrors the
+///     Configuration fixture pattern. Spins up a fresh DB, applies migrations, exercises the
+///     create-cluster → add-equipment → validate → publish → rollback happy path, then drops the
+///     DB in Dispose. Confirms the stored procedures and managed validators agree with the UI
+///     services.
+/// </summary>
+[Trait("Category", "Integration")]
+public sealed class AdminServicesIntegrationTests : IDisposable
+{
+    private const string DefaultServer = "localhost,14330";
+    private const string DefaultSaPassword = "OtOpcUaDev_2026!";
+
+    private readonly string _databaseName = $"OtOpcUaAdminTest_{Guid.NewGuid():N}";
+    private readonly string _connectionString;
+
+    public AdminServicesIntegrationTests()
+    {
+        var server = Environment.GetEnvironmentVariable("OTOPCUA_CONFIG_TEST_SERVER") ?? DefaultServer;
+        var password = Environment.GetEnvironmentVariable("OTOPCUA_CONFIG_TEST_SA_PASSWORD") ?? DefaultSaPassword;
+        _connectionString =
+            $"Server={server};Database={_databaseName};User Id=sa;Password={password};TrustServerCertificate=True;Encrypt=False;";
+
+        using var ctx = NewContext();
+        ctx.Database.Migrate();
+    }
+
+    public void Dispose()
+    {
+        using var conn = new Microsoft.Data.SqlClient.SqlConnection(
+            new Microsoft.Data.SqlClient.SqlConnectionStringBuilder(_connectionString)
+            { InitialCatalog = "master" }.ConnectionString);
+        conn.Open();
+        using var cmd = conn.CreateCommand();
+        cmd.CommandText = $@"
+IF DB_ID(N'{_databaseName}') IS NOT NULL
+BEGIN
+    ALTER DATABASE [{_databaseName}] SET SINGLE_USER WITH ROLLBACK IMMEDIATE;
+    DROP DATABASE [{_databaseName}];
+END";
+        cmd.ExecuteNonQuery();
+    }
+
+    private OtOpcUaConfigDbContext NewContext()
+    {
+        var opts = new DbContextOptionsBuilder<OtOpcUaConfigDbContext>()
+            .UseSqlServer(_connectionString)
+            .Options;
+        return new OtOpcUaConfigDbContext(opts);
+    }
+
+    [Fact]
+    public async Task Create_cluster_add_equipment_validate_publish_roundtrips_the_full_admin_flow()
+    {
+        // 1. Create cluster + draft.
+        await using (var ctx = NewContext())
+        {
+            var clusterSvc = new ClusterService(ctx);
+            await clusterSvc.CreateAsync(new ServerCluster
+            {
+                ClusterId = "flow-1", Name = "Flow test", Enterprise = "zb", Site = "dev",
+                NodeCount = 1, RedundancyMode = RedundancyMode.None, Enabled = true,
+                CreatedBy = "test",
+            }, createdBy: "test", CancellationToken.None);
+        }
+
+        long draftId;
+        await using (var ctx = NewContext())
+        {
+            var genSvc = new GenerationService(ctx);
+            var draft = await genSvc.CreateDraftAsync("flow-1", "test", CancellationToken.None);
+            draftId = draft.GenerationId;
+        }
+
+        // 2. Add namespace + UNS + driver + equipment.
+        await using (var ctx = NewContext())
+        {
+            var nsSvc = new NamespaceService(ctx);
+            var unsSvc = new UnsService(ctx);
+            var drvSvc = new DriverInstanceService(ctx);
+            var eqSvc = new EquipmentService(ctx);
+
+            var ns = await nsSvc.AddAsync(draftId, "flow-1", "urn:flow:ns", NamespaceKind.Equipment, CancellationToken.None);
+            var area = await unsSvc.AddAreaAsync(draftId, "flow-1", "line-a", null, CancellationToken.None);
+            var line = await unsSvc.AddLineAsync(draftId, area.UnsAreaId, "cell-1", null, CancellationToken.None);
+            var driver = await drvSvc.AddAsync(draftId, "flow-1", ns.NamespaceId, "modbus", "ModbusTcp", "{}", CancellationToken.None);
+
+            await eqSvc.CreateAsync(draftId, new Equipment
+            {
+                EquipmentUuid = Guid.NewGuid(),
+                EquipmentId = string.Empty,
+                DriverInstanceId = driver.DriverInstanceId,
+                UnsLineId = line.UnsLineId,
+                Name = "eq-1",
+                MachineCode = "M001",
+            }, CancellationToken.None);
+        }
+
+        // 3. Validate — should be error-free.
+        await using (var ctx = NewContext())
+        {
+            var validationSvc = new DraftValidationService(ctx);
+            var errors = await validationSvc.ValidateAsync(draftId, CancellationToken.None);
+            errors.ShouldBeEmpty("draft with matched namespace/driver should validate clean");
+        }
+
+        // 4. Publish + verify status flipped.
+        await using (var ctx = NewContext())
+        {
+            var genSvc = new GenerationService(ctx);
+            await genSvc.PublishAsync("flow-1", draftId, "first publish", CancellationToken.None);
+        }
+
+        await using (var ctx = NewContext())
+        {
+            var status = await ctx.ConfigGenerations
+                .Where(g => g.GenerationId == draftId)
+                .Select(g => g.Status)
+                .FirstAsync();
+            status.ShouldBe(GenerationStatus.Published);
+        }
+
+        // 5. Rollback creates a new Published generation cloned from the target.
+        await using (var ctx = NewContext())
+        {
+            var genSvc = new GenerationService(ctx);
+            await genSvc.RollbackAsync("flow-1", draftId, "rollback test", CancellationToken.None);
+        }
+
+        await using (var ctx = NewContext())
+        {
+            var publishedCount = await ctx.ConfigGenerations
+                .CountAsync(g => g.ClusterId == "flow-1" && g.Status == GenerationStatus.Published);
+            publishedCount.ShouldBe(1, "rollback supersedes the prior publish with a new one");
+
+            var supersededCount = await ctx.ConfigGenerations
+                .CountAsync(g => g.ClusterId == "flow-1" && g.Status == GenerationStatus.Superseded);
+            supersededCount.ShouldBeGreaterThanOrEqualTo(1);
+        }
+    }
+
+    [Fact]
+    public async Task Validate_draft_surfaces_cross_cluster_namespace_binding_violation()
+    {
+        await using (var ctx = NewContext())
+        {
+            await new ClusterService(ctx).CreateAsync(new ServerCluster
+            {
+                ClusterId = "c-A", Name = "A", Enterprise = "zb", Site = "dev",
+                NodeCount = 1, RedundancyMode = RedundancyMode.None, Enabled = true, CreatedBy = "t",
+            }, "t", CancellationToken.None);
+
+            await new ClusterService(ctx).CreateAsync(new ServerCluster
+            {
+                ClusterId = "c-B", Name = "B", Enterprise = "zb", Site = "dev",
+                NodeCount = 1, RedundancyMode = RedundancyMode.None, Enabled = true, CreatedBy = "t",
+            }, "t", CancellationToken.None);
+        }
+
+        long draftId;
+        await using (var ctx = NewContext())
+        {
+            var draft = await new GenerationService(ctx).CreateDraftAsync("c-A", "t", CancellationToken.None);
+            draftId = draft.GenerationId;
+        }
+
+        await using (var ctx = NewContext())
+        {
+            // Namespace rooted in c-B, driver in c-A — decision #122 violation.
+            var ns = await new NamespaceService(ctx)
+                .AddAsync(draftId, "c-B", "urn:cross", NamespaceKind.Equipment, CancellationToken.None);
+            await new DriverInstanceService(ctx)
+                .AddAsync(draftId, "c-A", ns.NamespaceId, "drv", "ModbusTcp", "{}", CancellationToken.None);
+        }
+
+        await using (var ctx = NewContext())
+        {
+            var errors = await new DraftValidationService(ctx).ValidateAsync(draftId, CancellationToken.None);
+            errors.ShouldContain(e => e.Code == "BadCrossClusterNamespaceBinding");
+        }
+    }
+}
diff --git a/tests/ZB.MOM.WW.OtOpcUa.Admin.Tests/ZB.MOM.WW.OtOpcUa.Admin.Tests.csproj b/tests/ZB.MOM.WW.OtOpcUa.Admin.Tests/ZB.MOM.WW.OtOpcUa.Admin.Tests.csproj
index 7956b2d..5c8d455 100644
--- a/tests/ZB.MOM.WW.OtOpcUa.Admin.Tests/ZB.MOM.WW.OtOpcUa.Admin.Tests.csproj
+++ b/tests/ZB.MOM.WW.OtOpcUa.Admin.Tests/ZB.MOM.WW.OtOpcUa.Admin.Tests.csproj
@@ -21,6 +21,7 @@
 
     <ItemGroup>
         <ProjectReference Include="..\..\src\ZB.MOM.WW.OtOpcUa.Admin\ZB.MOM.WW.OtOpcUa.Admin.csproj"/>
+        <PackageReference Include="Microsoft.Data.SqlClient" Version="6.1.1"/>
     </ItemGroup>
 
     <ItemGroup>