docs(audit): OpcUaClient-Test-Fixture.md — accuracy pass

STALE-STATUS (OpcPlcFixture.cs:39):
- "What the fixture is": opc.tcp://localhost:50000 → opc.tcp://10.100.0.35:50000
  (shared Docker host migrated 2026-04-28; fixture already defaults to 10.100.0.35)

CODE-REALITY (OpcUaClientSmokeTests.cs — 3 integration tests open real Secure Channels):
- "What it does NOT cover" §1 ("No UA Secure Channel is ever opened") was wrong
  for the integration suite which does open real channels. Rewritten to scope the
  no-Secure-Channel claim to the unit suite and list what the integration suite
  still doesn't exercise (non-anonymous security policies, signing/encryption,
  chunk assembly, keep-alive).
- "When to trust" table: added Integration (opc-plc) column; noted that real OPC UA
  read + subscribe ARE covered by integration tests; write not yet exercised on wire.

NOTE on IRediscoverable: OpcUaClientDriver does NOT implement IRediscoverable
(verified: no reference in src/Drivers/ZB.MOM.WW.OtOpcUa.Driver.OpcUaClient/).
Doc makes no such claim — no change needed for that aspect.

INLINE COMPLETENESS:
- "Key fixture / config files": added OpcPlcFixture.cs, OpcUaClientSmokeTests.cs,
  and Docker/docker-compose.yml entries with correct endpoints and flags.
- Added explicit note in OpcUaClientDriver.cs entry: implements IAlarmSource +
  IHistoryProvider (unique among drivers); does NOT implement IRediscoverable.

STRUCTURAL: no rows in links-report.md for this doc.
VERIFY: check_links.py — 0 rows for OpcUaClient-Test-Fixture.md.

docs/drivers/OpcUaClient-Test-Fixture.md

@@ -20,7 +20,8 @@ image (follow-up).
 **Integration layer** (task #215):
 `tests/Drivers/ZB.MOM.WW.OtOpcUa.Driver.OpcUaClient.IntegrationTests/` stands up
 `mcr.microsoft.com/iotedge/opc-plc:2.14.10` via `Docker/docker-compose.yml`
-on `opc.tcp://localhost:50000`. `OpcPlcFixture` probes the port at
+on `opc.tcp://10.100.0.35:50000` (the shared Docker host; override via
+`OPCUA_SIM_ENDPOINT`). `OpcPlcFixture` probes the port at
 collection init + skips tests with a clear message when the container's
 not running (matches the Modbus/pymodbus + S7/python-snap7 skip pattern).
 Docker is the launcher — no PowerShell wrapper needed because opc-plc
@@ -81,12 +82,15 @@ Capability surfaces whose contract is verified: `IDriver`, `ITagDiscovery`,
 
 ## What it does NOT cover
 
-### 1. Real stack exchange
+### 1. Full real-stack exchange (unit tests only)
 
-No UA Secure Channel is ever opened. Every test mocks `Session.ReadAsync`,
-`Session.CreateSubscription`, `Session.AddItem`, etc. — the SDK itself is
-trusted. Certificate validation, signing, nonce handling, chunk assembly,
-keep-alive cadence — all SDK-internal and untested here.
+The **unit** suite mocks `Session.ReadAsync`, `Session.CreateSubscription`,
+`Session.AddItem`, etc. — no UA Secure Channel is opened. The **integration**
+suite (`OpcUaClientSmokeTests`, task #215) does open a real Secure Channel
+against opc-plc and exercises Read + Subscribe end-to-end. What remains
+untested even in the integration suite: certificate validation under
+non-anonymous security policies, signing/encryption, nonce handling, chunk
+assembly, keep-alive cadence — all SDK-internal.
 
 ### 2. Subscription transfer across reconnect
 
@@ -124,14 +128,16 @@ ConditionType events (non-base `BaseEventType`) is not verified.
 
 ## When to trust OpcUaClient tests, when to reach for a server
 
-| Question | Unit tests | Real upstream server |
-| --- | --- | --- |
-| "Does severity 750 bucket as High?" | yes | yes |
-| "Does the driver call `TransferSubscriptions` after reconnect?" | yes | yes |
-| "Does a real OPC UA read/write round-trip work?" | no | yes (required) |
-| "Does event-filter-based alarm subscription return ConditionType events?" | no | yes (required) |
-| "Does history read from AVEVA Historian return correct aggregates?" | no | yes (required) |
-| "Does the SDK's publish queue lose notifications under load?" | no | yes (stress) |
+| Question | Unit tests | Integration (opc-plc) | Real upstream server |
+| --- | --- | --- | --- |
+| "Does severity 750 bucket as High?" | yes | - | yes |
+| "Does the driver call `TransferSubscriptions` after reconnect?" | yes | - | yes |
+| "Does a real OPC UA read round-trip work?" | no | yes | yes |
+| "Does a real OPC UA subscribe deliver changes?" | no | yes | yes |
+| "Does write round-trip work against a live server?" | no | no (not yet exercised) | yes (required) |
+| "Does event-filter-based alarm subscription return ConditionType events?" | no | no | yes (required) |
+| "Does history read from AVEVA Historian return correct aggregates?" | no | no | yes (required) |
+| "Does the SDK's publish queue lose notifications under load?" | no | no | yes (stress) |
 
 ## Follow-up candidates
 
@@ -164,8 +170,17 @@ Beyond that:
 
 - `tests/Drivers/ZB.MOM.WW.OtOpcUa.Driver.OpcUaClient.Tests/` — unit tests with
   mocked `Session`
+- `tests/Drivers/ZB.MOM.WW.OtOpcUa.Driver.OpcUaClient.IntegrationTests/OpcPlcFixture.cs`
+  — collection fixture; parses `OPCUA_SIM_ENDPOINT` (default
+  `opc.tcp://10.100.0.35:50000`), TCP-probes at collection init, records
+  `SkipReason` when unreachable
+- `tests/Drivers/ZB.MOM.WW.OtOpcUa.Driver.OpcUaClient.IntegrationTests/OpcUaClientSmokeTests.cs`
+  — wire-level test suite (3 `[Fact]` methods: read, batch read, subscribe)
+- `tests/Drivers/ZB.MOM.WW.OtOpcUa.Driver.OpcUaClient.IntegrationTests/Docker/docker-compose.yml`
+  — `mcr.microsoft.com/iotedge/opc-plc:2.14.10` with `--ut --aa --alm --pn=50000`
 - `src/Drivers/ZB.MOM.WW.OtOpcUa.Driver.OpcUaClient/OpcUaClientDriver.cs` — ctor +
-  session-factory seam tests mock through
+  session-factory seam tests mock through; implements `IAlarmSource` +
+  `IHistoryProvider` (unique among drivers); does NOT implement `IRediscoverable`
 - `tests/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer.IntegrationTests/DualEndpointTests.cs` —
   the v2 dual-endpoint integration harness a future loopback client test could
   piggyback on (v1 `OpcUaServerIntegrationTests.cs` retired with the v1 server project)