fix(core): resolve Low code-review findings (Core-004,008,009,010,011,012)

- Core-004: add ConfigureAwait(false) to DriverHost.RegisterAsync /
  UnregisterAsync / DisposeAsync.
- Core-008: rewrite the BuildAddressSpaceAsync XML doc to correctly name
  the caller (OpcUaApplicationHost.PopulateAddressSpaces) that owns the
  per-driver isolation.
- Core-009: snapshot DriverResilienceOptions once per non-idempotent write
  in CapabilityInvoker.ExecuteWriteAsync.
- Core-010: switch DriverResilienceOptions.Resolve to TryGetValue with a
  diagnostic error message when a tier table is missing a capability.
- Core-011: add an optional diagnostic callback to PermissionTrieBuilder
  so production callers can surface scope-path mismatches.
- Core-012: correct the stale WedgeDetector ctor summary and add the
  Reconnecting row to DriverHealthReport's state matrix.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/Core/ZB.MOM.WW.OtOpcUa.Core/Resilience/CapabilityInvoker.cs

@@ -118,11 +118,15 @@ public sealed class CapabilityInvoker
 
         if (!isIdempotent)
         {
-            var noRetryOptions = _optionsAccessor() with
+            // Snapshot the options exactly once per call — invoking _optionsAccessor twice can
+            // (a) observe two different snapshots if an Admin edit lands between them and
+            // (b) wastes an allocation on the per-write hot path (Phase 6.1 1% pipeline budget).
+            var snapshot = _optionsAccessor();
+            var noRetryOptions = snapshot with
             {
                 CapabilityPolicies = new Dictionary<DriverCapability, CapabilityPolicy>
                 {
-                    [DriverCapability.Write] = _optionsAccessor().Resolve(DriverCapability.Write) with { RetryCount = 0 },
+                    [DriverCapability.Write] = snapshot.Resolve(DriverCapability.Write) with { RetryCount = 0 },
                 },
             };
             var pipeline = _builder.GetOrCreate(_driverInstanceId, $"{hostName}::non-idempotent", DriverCapability.Write, noRetryOptions);

src/Core/ZB.MOM.WW.OtOpcUa.Core/Resilience/DriverResilienceOptions.cs

@@ -42,13 +42,27 @@ public sealed record DriverResilienceOptions
     ///     Look up the effective policy for a capability, falling back to tier defaults when no
     ///     override is configured. Never returns null.
     /// </summary>
+    /// <exception cref="KeyNotFoundException">
+    ///     Thrown when neither the override map nor the tier defaults carry an entry for the
+    ///     requested capability. The <c>TierDefaults_Cover_EveryCapability</c> invariant test
+    ///     in <c>DriverResilienceOptionsTests</c> guarantees every defined enum value is present
+    ///     in each tier's table, so this only fires when a caller passes an out-of-range value
+    ///     or someone adds a <see cref="DriverCapability"/> member without updating
+    ///     <see cref="GetTierDefaults"/>. The message names the missing capability and tier.
+    /// </exception>
     public CapabilityPolicy Resolve(DriverCapability capability)
     {
         if (CapabilityPolicies.TryGetValue(capability, out var policy))
             return policy;
 
         var defaults = GetTierDefaults(Tier);
-        return defaults[capability];
+        if (defaults.TryGetValue(capability, out var fallback))
+            return fallback;
+
+        throw new KeyNotFoundException(
+            $"No policy defined for capability '{capability}' under tier '{Tier}'. " +
+            $"This indicates a {nameof(DriverCapability)} enum value missing from {nameof(GetTierDefaults)} — " +
+            "add the capability to every tier's default table.");
     }
 
     /// <summary>