Galaxy IPC unblock — live dev-box E2E path

Three root-cause fixes to get an elevated dev-box shell past session open
through to real MXAccess reads:

1. PipeAcl — drop BUILTIN\Administrators deny ACE. UAC's filtered token
   carries the Admins SID as deny-only, so the deny fired even from
   non-elevated admin-account shells. The per-connection SID check in
   PipeServer.VerifyCaller remains the real authorization boundary.

2. PipeServer — swap the Hello-read / VerifyCaller order. ImpersonateNamedPipeClient
   returns ERROR_CANNOT_IMPERSONATE until at least one frame has been read
   from the pipe; reading Hello first satisfies that rule. Previously the
   ACL deny-first path masked this race — removing the deny ACE exposed it.

3. GalaxyIpcClient — add a background reader + single pending-response
   slot. A RuntimeStatusChange event between OpenSessionRequest and
   OpenSessionResponse used to satisfy the caller's single ReadFrameAsync
   and fail CallAsync with "Expected OpenSessionResponse, got
   RuntimeStatusChange". The reader now routes response kinds (and
   ErrorResponse) to the pending TCS and everything else to a handler the
   driver registers in InitializeAsync. The Proxy was already set up to
   raise managed events from RaiseDataChange / RaiseAlarmEvent /
   OnHostConnectivityUpdate — those helpers had no caller until now.

4. RedundancyPublisherHostedService — swallow BadServerHalted while
   polling host.Server.CurrentInstance. StandardServer throws that code
   during startup rather than returning null, so the first poll attempt
   crashed the BackgroundService (and the host) before OnServerStarted
   ran. This race was latent behind the Galaxy init failure above.

Updates docs that described the Admins deny ACE + mandatory non-elevated
shells, and drops the admin-skip guards from every Galaxy integration +
E2E fixture that had them (IpcHandshakeIntegrationTests, EndToEndIpcTests,
ParityFixture, LiveStackFixture, HostSubprocessParityTests).

Adds GalaxyIpcClientRoutingTests covering the router's
request/response match, ErrorResponse, event-between-call, idle event,
and peer-close paths.

Verified live on the dev box against the p7-smoke cluster (gen 6):
driver registered=1 failedInit=0, Phase 7 bridge subscribed, OPC UA
server up on 4840, MXAccess read round-trip returns real data with
Status=0x00000000.

Task #112 — partial: Galaxy live stack is functional end-to-end. The
supplied test-galaxy.ps1 script still fails because the UNS walker
encodes TagConfig JSON as the tag's NodeId instead of the seeded TagId
(pre-existing; separate issue from this commit).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/Ipc/PipeAcl.cs

@@ -8,9 +8,18 @@ namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Ipc;
 /// <summary>
 ///     Builds the <see cref="PipeSecurity"/> required by <c>driver-stability.md §"IPC Security"</c>:
 ///     only the configured OtOpcUa server principal SID gets <c>ReadWrite | Synchronize</c>;
-///     LocalSystem and Administrators are explicitly denied. Any other authenticated user falls
-///     through to the implicit deny.
+///     LocalSystem is explicitly denied. Any other authenticated user falls through to the
+///     implicit deny.
 /// </summary>
+/// <remarks>
+///     Earlier revisions also denied <c>BUILTIN\Administrators</c>, which broke live testing
+///     on dev boxes where the allowed user (<c>dohertj2</c>) is also a member of the local
+///     Administrators group — UAC's filtered token still carries the Admins SID as deny-only,
+///     so the deny ACE fired even from non-elevated shells. The per-connection
+///     <see cref="PipeServer.VerifyCaller"/> check already gates on the exact allowed SID,
+///     which is the real authorization boundary, so the Admins deny added no defence in depth
+///     in that topology.
+/// </remarks>
 public static class PipeAcl
 {
     public static PipeSecurity Create(SecurityIdentifier allowedSid)
@@ -25,12 +34,8 @@ public static class PipeAcl
             AccessControlType.Allow));
 
         var localSystem = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null);
-        var admins      = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
-
         if (allowedSid != localSystem)
             security.AddAccessRule(new PipeAccessRule(localSystem, PipeAccessRights.FullControl, AccessControlType.Deny));
-        if (allowedSid != admins)
-            security.AddAccessRule(new PipeAccessRule(admins,      PipeAccessRights.FullControl, AccessControlType.Deny));
 
         // Owner = allowed SID so the deny rules can't be removed without write-DACL rights.
         security.SetOwner(allowedSid);

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/Ipc/PipeServer.cs

@@ -56,17 +56,12 @@ public sealed class PipeServer : IDisposable
         {
             await _current.WaitForConnectionAsync(linked.Token).ConfigureAwait(false);
 
-            if (!VerifyCaller(_current, out var reason))
-            {
-                _logger.Warning("IPC caller rejected: {Reason}", reason);
-                _current.Disconnect();
-                return;
-            }
-
             using var reader = new FrameReader(_current, leaveOpen: true);
             using var writer = new FrameWriter(_current, leaveOpen: true);
 
-            // First frame must be a Hello with the correct shared secret.
+            // First frame must be a Hello with the correct shared secret. Reading it before
+            // the caller-SID impersonation check satisfies Windows' ERROR_CANNOT_IMPERSONATE
+            // rule — ImpersonateNamedPipeClient fails until at least one frame has been read.
             var first = await reader.ReadFrameAsync(linked.Token).ConfigureAwait(false);
             if (first is null || first.Value.Kind != MessageKind.Hello)
             {
@@ -74,6 +69,13 @@ public sealed class PipeServer : IDisposable
                 return;
             }
 
+            if (!VerifyCaller(_current, out var reason))
+            {
+                _logger.Warning("IPC caller rejected: {Reason}", reason);
+                _current.Disconnect();
+                return;
+            }
+
             var hello = MessagePackSerializer.Deserialize<Hello>(first.Value.Body);
             if (!string.Equals(hello.SharedSecret, _sharedSecret, StringComparison.Ordinal))
             {