fix(driver-galaxy): align package versions + record vendored-DLL provenance

Driver.Galaxy-015, -016, -017, -018 resolution (one logical change set).

Driver.Galaxy-016 (Medium, Perf/Resource):
  Reconciled the csproj PackageReferences with what the vendored
  MxGateway.Client.dll was actually built against, verified by
  reflecting Assembly.GetReferencedAssemblies() on the DLL:
    - Polly 8.5.2  →  Polly.Core 8.6.6
      (most consequential — Polly v7 fluent API vs Polly.Core v8
       resilience-pipeline API are DIFFERENT packages; the DLL was
       built against Polly.Core so the prior Polly reference would
       have failed at runtime with MissingMethodException the first
       time the gateway client's retry pipeline ran)
    - Grpc.Net.Client 2.71.0  →  2.76.0  (matches sibling Server/Worker)
    - Microsoft.Extensions.Logging.Abstractions 10.0.0  →  10.0.7
  Google.Protobuf 3.34.1 and Grpc.Core.Api 2.76.0 already matched —
  left unchanged.

Driver.Galaxy-015 (re-triaged from Medium-Security → Low-Documentation):
  Original framing was a security concern about unknown-provenance
  binaries. User clarified the DLLs are their own code, built from
  their own mxaccessgw project, not third-party. Re-triaged to a
  documentation / audit-trail concern. Fix:
    - Added a Provenance section to libs/README.md recording the
      source-commit SHA (dd7ca1634e2d2b8a866c81f0009bf87ee9427750,
      extracted from the AssemblyInformationalVersion baked into
      both DLLs by the original build) and SHA-256 checksums.
    - Documented the re-verification recipe (sha256sum + ilspycmd
      | grep AssemblyInformationalVersion).
  Recommendations about .gitattributes and CI hash-check deferred —
  the DLLs are frozen until an unwinding path is taken, so adding
  LFS or CI infrastructure now would need removal at unwinding.

Driver.Galaxy-018 (Low, Documentation):
  Most of the recommendation folded into the libs/README.md rewrite
  (pointed at sibling Server/Worker csproj as the live version source
  rather than the deleted MxGateway.Client.csproj; recorded source
  commit + SHA-256). <SpecificVersion>false</SpecificVersion> on the
  <Reference> items intentionally not added — MSBuild's default for
  HintPath references with bare-name Include attributes is already
  SpecificVersion=false, so explicitly setting it would be cosmetic
  without changing behaviour.

Driver.Galaxy-017 (Low, Design) — Deferred:
  Recommendation part (b) (record mxaccessgw source-commit SHA in
  libs/README.md) is satisfied by Driver.Galaxy-015's resolution.
  Parts (a) and (c) — a GetVersion RPC at session-open and a parity
  test against the live gateway's proto descriptor — are substantial
  new RPC + plumbing work not in scope for this code-review sweep.
  The risk surface is bounded because either of the libs/README.md
  unwinding paths closes the vendoring + this concern naturally.
  Re-open if neither path is taken within the next quarter and the
  live gateway evolves its proto under the driver.

Verification:
  - Build clean (Driver.Galaxy.csproj 0 errors, 0 warnings).
  - Driver.Galaxy.Tests: 245/245 pass against the corrected
    package set.
  - Solution-wide build remains clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/Drivers/ZB.MOM.WW.OtOpcUa.Driver.Galaxy/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.csproj

@@ -37,14 +37,20 @@
     </ItemGroup>
 
     <ItemGroup>
-        <!-- Transitive deps the vendored DLLs need exposed at consumer level
-             (versions match the sibling mxaccessgw repo's
-             ZB.MOM.WW.MxGateway.Contracts.csproj so binary-compat is preserved). -->
+        <!-- Transitive deps the vendored MxGateway.Client.dll was actually built
+             against (verified by reflecting GetReferencedAssemblies on the DLL —
+             see libs/README.md). Versions align with the sibling mxaccessgw repo's
+             current Server / Worker projects so binary-compat stays close to what
+             the team uses elsewhere. Pre-Driver.Galaxy-016 the csproj declared
+             `Polly` (the v7 API) instead of `Polly.Core` (the v8 API the DLL was
+             built against) — a package-name mistake, not just a version skew —
+             which would surface as a runtime MissingMethodException the first
+             time the client's retry pipeline ran. -->
         <PackageReference Include="Google.Protobuf" Version="3.34.1" />
         <PackageReference Include="Grpc.Core.Api" Version="2.76.0" />
-        <PackageReference Include="Grpc.Net.Client" Version="2.71.0" />
-        <PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="10.0.0" />
-        <PackageReference Include="Polly" Version="8.5.2" />
+        <PackageReference Include="Grpc.Net.Client" Version="2.76.0" />
+        <PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="10.0.7" />
+        <PackageReference Include="Polly.Core" Version="8.6.6" />
     </ItemGroup>
 
     <ItemGroup>

src/Drivers/ZB.MOM.WW.OtOpcUa.Driver.Galaxy/libs/README.md

@@ -5,7 +5,31 @@ This directory holds binary copies of `MxGateway.Client.dll` and
 build (May 2026). The DLLs are referenced from the driver's csproj as
 `<Reference HintPath="…" />` items rather than `ProjectReference`.
 
-## Why
+## Provenance
+
+Both DLLs are built from this team's own `mxaccessgw` source tree — they are
+not third-party binaries. The build commit + checksums below are recorded so
+future readers can verify the artefacts match the expected source without
+needing to ask the original author.
+
+| File | Source commit | SHA-256 |
+|---|---|---|
+| `MxGateway.Client.dll` | `dd7ca1634e2d2b8a866c81f0009bf87ee9427750` (mxaccessgw repo, pre-restructure) | `3507f770adc8c1b27b2fc4645079c6e4e02d5c65b9545c12d637cd2a080a00bd` |
+| `MxGateway.Contracts.dll` | `dd7ca1634e2d2b8a866c81f0009bf87ee9427750` (mxaccessgw repo, pre-restructure) | `437dc6cb6994c7c4d858c82f69af890732c7ffbfa0463fbd8a63ce7930d251b4` |
+
+The build commit is the same for both DLLs and is embedded as
+`AssemblyInformationalVersion` inside each binary — re-verify by running:
+`ilspycmd <dll> | grep AssemblyInformationalVersion`.
+
+To re-verify the checksums (e.g. after a clone):
+```bash
+sha256sum libs/MxGateway.Client.dll libs/MxGateway.Contracts.dll
+```
+
+If either SHA-256 or the embedded source commit no longer matches what's
+listed above, the artefact has been replaced — verify before trusting.
+
+## Why vendored
 
 The sibling `mxaccessgw` repo restructured: the `clients/dotnet/MxGateway.Client`
 project the driver previously referenced via path-based `ProjectReference` no
@@ -17,32 +41,46 @@ the `MxGatewayClient` / `MxGatewaySession` / `GalaxyRepositoryClient` types the
 old client library provided (the sibling repo dropped the client library
 entirely, keeping only the contracts).
 
-Vendoring the binaries unblocks the build in minutes instead of hours, freezes
+Vendoring the binaries unblocked the build in minutes instead of hours, freezes
 the gateway contract surface at a known-good version, and preserves the option
 to migrate properly later without an emergency rewrite.
 
 ## What's vendored
 
-| File | Source | Built against |
-|---|---|---|
-| `MxGateway.Client.dll` | mxaccessgw repo, `clients/dotnet/MxGateway.Client/` (pre-restructure) | net10.0, `MxGateway.Contracts.dll` |
-| `MxGateway.Contracts.dll` | mxaccessgw repo, `src/MxGateway.Contracts/` (pre-restructure) | net10.0, proto namespace `MxGateway.Contracts.Proto[.Galaxy]` |
+| File | Built against |
+|---|---|
+| `MxGateway.Client.dll` | net10.0, references `MxGateway.Contracts.dll` |
+| `MxGateway.Contracts.dll` | net10.0, proto namespace `MxGateway.Contracts.Proto[.Galaxy]` |
 
-The NuGet packages the vendored DLLs need transitively (Google.Protobuf,
-Grpc.Core.Api, Grpc.Net.Client, Microsoft.Extensions.Logging.Abstractions,
-Polly) are declared as direct `PackageReference` in the driver csproj — when
-the dropped `ProjectReference` was in place those packages were transitively
-provided; with binary references the consumer must declare them explicitly.
-Versions match what the sibling repo's `ZB.MOM.WW.MxGateway.Contracts.csproj`
-uses so the gRPC + proto runtime stays binary-compatible.
+The NuGet packages the vendored DLLs reference (verified by reflecting
+`Assembly.GetReferencedAssemblies()` against `MxGateway.Client.dll`) are
+declared as direct `PackageReference` in the driver csproj — when the dropped
+`ProjectReference` was in place those packages were transitively provided;
+with binary references the consumer must declare them explicitly:
+
+| Package | Reason |
+|---|---|
+| `Google.Protobuf` 3.34.1 | Proto message types in `MxGateway.Contracts.dll` |
+| `Grpc.Core.Api` 2.76.0 | Base gRPC client types in `MxGateway.Client.dll` |
+| `Grpc.Net.Client` 2.76.0 | HTTP/2 transport used by `MxGatewayClient` |
+| `Microsoft.Extensions.Logging.Abstractions` 10.0.7 | `ILogger` used by the client |
+| `Polly.Core` 8.6.6 | Retry pipeline used by `MxGatewayClient` |
+
+Versions match the sibling mxaccessgw repo's current Server / Worker
+projects (`ZB.MOM.WW.MxGateway.Server.csproj`,
+`ZB.MOM.WW.MxGateway.Worker.csproj`) so the runtime versions stay close to
+what the gateway team uses. The pre-Driver.Galaxy-016 declarations were
+incorrect — most visibly `Polly 8.5.2` was declared where the DLL actually
+needs `Polly.Core` (a different package: `Polly` v7 is the older fluent API;
+`Polly.Core` v8 is the modern resilience-pipeline API the gateway client was
+built against). A `Polly` reference would have failed at runtime with
+`MissingMethodException` the first time a retry pipeline ran.
 
 ## Decompiled-source archive
 
 The vendored DLLs are byte-for-byte the build output. The full source can be
 recovered with `ilspycmd MxGateway.Client.dll > MxGateway.Client.cs` if a code
-review or audit needs it. There is no proprietary code in either DLL — they
-are the OtOpcUa team's own client implementation against the gateway's open
-proto contracts.
+review or audit needs it.
 
 ## How to unwind