Phase 6.1 Stream A.1/A.2/A.6 — Polly resilience foundation: pipeline builder + per-tier policy defaults + WriteIdempotent attribute

Lands the first chunk of the Phase 6.1 Stream A resilience layer per
docs/v2/implementation/phase-6-1-resilience-and-observability.md §Stream A.
Downstream CapabilityInvoker (A.3) + driver-dispatch wiring land in follow-up
PRs on the same branch.

Core.Abstractions additions:
- WriteIdempotentAttribute — marker for tag-definition records that opt into
  auto-retry on IWritable.WriteAsync. Absence = no retry per decisions #44, #45,
  #143. Read once via reflection at driver-init time; no per-write cost.
- DriverCapability enum — enumerates the 8 capability surface points
  (Read / Write / Discover / Subscribe / Probe / AlarmSubscribe / AlarmAcknowledge
  / HistoryRead). AlarmAcknowledge is write-shaped (no retry by default).
- DriverTier enum — A/B/C per driver-stability.md §2-4. Stream B.1 wires this
  into DriverTypeMetadata; surfaced here because the resilience policy defaults
  key on it.

Core.Resilience new namespace:
- DriverResilienceOptions — per-tier × per-capability policy defaults.
  GetTierDefaults(tier) is the source of truth:
    * Tier A: Read 2s/3 retries, Write 2s/0 retries, breaker threshold 5
    * Tier B: Read 4s/3, Write 4s/0, breaker threshold 5
    * Tier C: Read 10s/1, Write 10s/0, breaker threshold 0 (supervisor handles
      process-level breaker per decision #68)
  Resolve(capability) overlays CapabilityPolicies on top of the defaults.
- DriverResiliencePipelineBuilder — composes Timeout → Retry (capability-
  permitting, never on cancellation) → CircuitBreaker (tier-permitting) →
  Bulkhead. Pipelines cached in a lock-free ConcurrentDictionary keyed on
  (DriverInstanceId, HostName, DriverCapability) per decision #144 — one dead
  PLC behind a multi-device driver does not open the breaker for healthy
  siblings. Invalidate(driverInstanceId) supports Admin-triggered reload.

Tests (30 new, all pass):
- DriverResilienceOptionsTests: tier-default coverage for every capability,
  Write + AlarmAcknowledge never retry at any tier, Tier C disables breaker,
  resolve-with-override layering.
- DriverResiliencePipelineBuilderTests: Read retries transients, Write does NOT
  retry on failure (decision #44 guard), dead-host isolation from sibling hosts,
  pipeline reuse for same triple, per-capability isolation, breaker opens after
  threshold on Tier A, timeout fires, cancellation is not retried,
  invalidation scoped to matching instance.

Polly.Core 8.6.6 added to Core.csproj. Full solution dotnet test: 936 passing
(baseline 906 + 30 new). One pre-existing Client.CLI Subscribe flake unchanged
by this PR.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/ZB.MOM.WW.OtOpcUa.Core.Abstractions/DriverCapability.cs

@@ -0,0 +1,42 @@
+namespace ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+
+/// <summary>
+///     Enumerates the driver-capability surface points guarded by Phase 6.1 resilience pipelines.
+///     Each value corresponds to one method (or tightly-related method group) on the
+///     <c>Core.Abstractions</c> capability interfaces (<see cref="IReadable"/>, <see cref="IWritable"/>,
+///     <see cref="ITagDiscovery"/>, <see cref="ISubscribable"/>, <see cref="IHostConnectivityProbe"/>,
+///     <see cref="IAlarmSource"/>, <see cref="IHistoryProvider"/>).
+/// </summary>
+/// <remarks>
+///     Per <c>docs/v2/plan.md</c> decision #143 (per-capability retry policy): Read / HistoryRead /
+///     Discover / Probe / AlarmSubscribe auto-retry; <see cref="Write"/> does NOT retry unless the
+///     tag-definition carries <see cref="WriteIdempotentAttribute"/>. Alarm-acknowledge is treated
+///     as a write for retry semantics (an alarm-ack is not idempotent at the plant-floor acknowledgement
+///     level even if the OPC UA spec permits re-issue).
+/// </remarks>
+public enum DriverCapability
+{
+    /// <summary>Batch <see cref="IReadable.ReadAsync"/>. Retries by default.</summary>
+    Read,
+
+    /// <summary>Batch <see cref="IWritable.WriteAsync"/>. Does not retry unless tag is <see cref="WriteIdempotentAttribute">idempotent</see>.</summary>
+    Write,
+
+    /// <summary><see cref="ITagDiscovery.DiscoverAsync"/>. Retries by default.</summary>
+    Discover,
+
+    /// <summary><see cref="ISubscribable.SubscribeAsync"/> and unsubscribe. Retries by default.</summary>
+    Subscribe,
+
+    /// <summary><see cref="IHostConnectivityProbe"/> probe loop. Retries by default.</summary>
+    Probe,
+
+    /// <summary><see cref="IAlarmSource.SubscribeAlarmsAsync"/>. Retries by default.</summary>
+    AlarmSubscribe,
+
+    /// <summary><see cref="IAlarmSource.AcknowledgeAsync"/>. Does NOT retry — ack is a write-shaped operation (decision #143).</summary>
+    AlarmAcknowledge,
+
+    /// <summary><see cref="IHistoryProvider"/> reads (Raw/Processed/AtTime/Events). Retries by default.</summary>
+    HistoryRead,
+}

src/ZB.MOM.WW.OtOpcUa.Core.Abstractions/DriverTier.cs

@@ -0,0 +1,34 @@
+namespace ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+
+/// <summary>
+///     Stability tier of a driver type. Determines which cross-cutting runtime protections
+///     apply — per-tier retry defaults, memory-tracking thresholds, and whether out-of-process
+///     supervision with process-level recycle is in play.
+/// </summary>
+/// <remarks>
+///     Per <c>docs/v2/driver-stability.md</c> §2-4 and <c>docs/v2/plan.md</c> decisions #63-74.
+///
+///     <list type="bullet">
+///         <item><b>A</b> — managed, known-good SDK; low blast radius. In-process. Fast retries.
+///             Examples: OPC UA Client (OPCFoundation stack), S7 (S7NetPlus).</item>
+///         <item><b>B</b> — native or semi-trusted SDK with an in-process footprint. Examples: Modbus.</item>
+///         <item><b>C</b> — unmanaged SDK with COM/STA constraints, leak risk, or other out-of-process
+///             requirements. Must run as a separate Host process behind a Proxy with a supervisor that
+///             can recycle the process on hard-breach. Example: Galaxy (MXAccess COM).</item>
+///     </list>
+///
+///     <para>Process-kill protections (<c>MemoryRecycle</c>, <c>ScheduledRecycleScheduler</c>) are
+///     Tier C only per decisions #73-74 and #145 — killing an in-process Tier A/B driver also kills
+///     every OPC UA session and every co-hosted driver, blast-radius worse than the leak.</para>
+/// </remarks>
+public enum DriverTier
+{
+    /// <summary>Managed SDK, in-process, low blast radius.</summary>
+    A,
+
+    /// <summary>Native or semi-trusted SDK, in-process.</summary>
+    B,
+
+    /// <summary>Unmanaged SDK, out-of-process required with Proxy+Host+Supervisor.</summary>
+    C,
+}

src/ZB.MOM.WW.OtOpcUa.Core.Abstractions/WriteIdempotentAttribute.cs

@@ -0,0 +1,19 @@
+namespace ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+
+/// <summary>
+///     Opts a tag-definition record into auto-retry on <see cref="IWritable.WriteAsync"/> failures.
+///     Absence of this attribute means writes are <b>not</b> retried — a timed-out write may have
+///     already succeeded at the device, and replaying pulses, alarm acks, counter increments, or
+///     recipe-step advances can duplicate irreversible field actions.
+/// </summary>
+/// <remarks>
+///     Per <c>docs/v2/plan.md</c> decisions #44, #45, and #143. Applied to tag-definition POCOs
+///     (e.g. <c>ModbusTagDefinition</c>, <c>S7TagDefinition</c>, OPC UA client tag rows) at the
+///     property or record level. The <c>CapabilityInvoker</c> in <c>ZB.MOM.WW.OtOpcUa.Core.Resilience</c>
+///     reads this attribute via reflection once at driver-init time and caches the result; no
+///     per-write reflection cost.
+/// </remarks>
+[AttributeUsage(AttributeTargets.Property | AttributeTargets.Class | AttributeTargets.Struct, AllowMultiple = false, Inherited = true)]
+public sealed class WriteIdempotentAttribute : Attribute
+{
+}