fix(code-review): resolve Batch 2 open findings (AbCip, AbLegacy, Galaxy, FOCAS)

- Driver.AbCip.Contracts-001: parse 'writable' from TagConfig JSON (default true) instead of hardcoding
- Driver.AbCip.Contracts-002/-003: Dt type comment; drop dead [Display]/[Range] annotations
- Driver.AbCip.Contracts-004: dedicated AbCipEquipmentTagParser test class (+15)
- Driver.AbCip-017: document Tick severity Low-fallback on Bad severity read
- Driver.AbLegacy.Contracts-002/-003/-004: isArray-scalar remarks (+tests), MaxTagBytes/ForFamily docs
- Driver.Galaxy.Browser-003 + Driver.Galaxy.Contracts-003: extract ResolveApiKey -> GalaxySecretRef (dedup)
- Driver.Galaxy-019: cache buffered-interval only on Ok + ILogger warnings + ClassifyIntervalReply (+tests)
- Driver.FOCAS.Contracts-002: thread WriteIdempotent through DiscoverAsync (+test)

src/Drivers/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Browser/GalaxyDriverBrowser.cs

@@ -122,14 +122,14 @@ public sealed class GalaxyDriverBrowser : IDriverBrowser
     /// <summary>
     ///     Build the gateway client options from the form's Gateway section. Mirrors the
     ///     runtime driver's <c>GalaxyDriver.BuildClientOptions</c> field-for-field so the
-    ///     gateway sees an identical option shape. The API-key reference is resolved
-    ///     inline (a slim version of <c>GalaxyDriver.ResolveApiKey</c>) because the
-    ///     Browser project doesn't reference Driver.Galaxy.
+    ///     gateway sees an identical option shape. The API-key reference is resolved via
+    ///     the shared <see cref="GalaxySecretRef.ResolveApiKey"/> in Driver.Galaxy.Contracts
+    ///     (the same resolver the runtime driver uses), so browse and runtime stay in lock-step.
     /// </summary>
     private MxGatewayClientOptions BuildClientOptions(GalaxyGatewayOptions gw) => new()
     {
         Endpoint = new Uri(gw.Endpoint, UriKind.Absolute),
-        ApiKey = ResolveApiKey(gw.ApiKeySecretRef),
+        ApiKey = GalaxySecretRef.ResolveApiKey(gw.ApiKeySecretRef, _logger),
         UseTls = gw.UseTls,
         CaCertificatePath = gw.CaCertificatePath,
         ConnectTimeout = TimeSpan.FromSeconds(gw.ConnectTimeoutSeconds),
@@ -138,57 +138,4 @@ public sealed class GalaxyDriverBrowser : IDriverBrowser
             ? TimeSpan.FromSeconds(gw.StreamTimeoutSeconds)
             : null,
     };
-
-    /// <summary>
-    ///     Resolves <c>env:NAME</c>, <c>file:PATH</c>, and <c>dev:KEY</c> prefixes;
-    ///     anything else is treated as a literal cleartext key with a startup warning.
-    ///     Slim mirror of <c>GalaxyDriver.ResolveApiKey</c> — the runtime version lives
-    ///     in a sibling project the Browser intentionally doesn't reference.
-    /// </summary>
-    /// <param name="secretRef">The secret reference string to resolve.</param>
-    private string ResolveApiKey(string secretRef)
-    {
-        ArgumentException.ThrowIfNullOrEmpty(secretRef);
-
-        if (secretRef.StartsWith("env:", StringComparison.OrdinalIgnoreCase))
-        {
-            var name = secretRef[4..];
-            var value = Environment.GetEnvironmentVariable(name);
-            return !string.IsNullOrEmpty(value)
-                ? value
-                : throw new InvalidOperationException(
-                    $"Galaxy.Gateway.ApiKeySecretRef='{secretRef}' resolves to env var '{name}', but it is unset.");
-        }
-
-        if (secretRef.StartsWith("file:", StringComparison.OrdinalIgnoreCase))
-        {
-            var path = secretRef[5..];
-            if (!File.Exists(path))
-            {
-                throw new InvalidOperationException(
-                    $"Galaxy.Gateway.ApiKeySecretRef='{secretRef}' points at '{path}', which doesn't exist.");
-            }
-            var contents = File.ReadAllText(path).Trim();
-            return !string.IsNullOrEmpty(contents)
-                ? contents
-                : throw new InvalidOperationException(
-                    $"Galaxy.Gateway.ApiKeySecretRef='{secretRef}' file '{path}' is empty.");
-        }
-
-        if (secretRef.StartsWith("dev:", StringComparison.OrdinalIgnoreCase))
-        {
-            // Explicit dev opt-in — no warning, the operator deliberately chose a
-            // cleartext literal (dev box, parity rig).
-            return secretRef[4..];
-        }
-
-        // Back-compat literal arm. An unprefixed string is treated as the literal
-        // API key — but emit a warning so an operator who accidentally committed a
-        // cleartext key into DriverConfig sees it when they open the address picker.
-        _logger.LogWarning(
-            "Galaxy.Gateway.ApiKeySecretRef is being treated as a literal cleartext API key. " +
-            "Prefer env:NAME, file:PATH, or the explicit dev:KEY prefix for dev rigs — " +
-            "a literal key in DriverConfig JSON is stored in cleartext in the central config DB.");
-        return secretRef;
-    }
 }