feat(install): historian TCP env + firewall rule

Replace OTOPCUA_HISTORIAN_PIPE/OTOPCUA_ALLOWED_SID with TCP transport
env (OTOPCUA_HISTORIAN_TCP_PORT, OTOPCUA_HISTORIAN_BIND,
OTOPCUA_HISTORIAN_TLS_ENABLED, OTOPCUA_HISTORIAN_TLS_CERT/PASSWORD)
in Install-Services.ps1; add idempotent Windows Firewall inbound rule
for the TCP port. Add new params for all TCP/TLS options with cert
provisioning guidance. Update Refresh-Services.ps1 Step 4b comment
(PipeServer → TcpFrameServer) and add a Step 5 note clarifying that
TCP/TLS env is set at install time, not on refresh.

scripts/install/Refresh-Services.ps1

@@ -125,7 +125,7 @@ Run {
 # `dotnet publish` above) silently drops the net48 binding-redirect
 # .exe.config and the transitive runtime DLLs MessagePack needs — most
 # notably System.Memory.dll. The sidecar then JIT-load-faults inside
-# PipeServer.RunOneConnectionAsync ("FileNotFoundException: System.Memory,
+# TcpFrameServer.RunOneConnectionAsync ("FileNotFoundException: System.Memory,
 # Version=4.0.1.2") and NSSM crash-loops it (exit 2 every ~2 min, ~120 s of
 # retry backoff before it gives up). Fail loudly here so an incomplete deploy
 # is caught at publish time instead of by a production crash-loop.
@@ -158,6 +158,11 @@ if (-not $WhatIf) {
 # ------------------------------------------------------------------------
 # Step 5: Service env block — ensure OTOPCUA_HISTORIAN_ALARM_WRITE_ENABLED
 # is set on the Wonderware historian service (PR C.2 toggle).
+# Note: the TCP transport env (OTOPCUA_HISTORIAN_TCP_PORT, OTOPCUA_HISTORIAN_BIND,
+# OTOPCUA_HISTORIAN_TLS_ENABLED, OTOPCUA_HISTORIAN_TLS_CERT) and the Windows
+# Firewall rule are set once at install time by Install-Services.ps1 and are
+# not touched here on refresh; re-run Install-Services.ps1 to change them.
+# OTOPCUA_ALLOWED_SID is no longer used (TCP transport retired the named pipe).
 # ------------------------------------------------------------------------
 
 if (Test-NssmService 'OtOpcUaWonderwareHistorian') {