568 Commits

Author	SHA1	Message	Date
Joseph Doherty	4902295211	refactor(driver-ablegacy): extract AbLegacyDriverOptions to .Contracts ... Move AbLegacyDriverOptions, AbLegacyDataType enum, and AbLegacyPlcFamilyProfile (including AbLegacyPlcFamily enum) to a new Driver.AbLegacy.Contracts sibling project. All three files are zero-dep after splitting AbLegacyDataTypeExtensions (which uses DriverDataType from Core.Abstractions) into a new file that stays in the runtime driver. Drop the doc-comment <see cref="AbLegacyAddress.TryParse"/> reference and replace with <c>AbLegacyAddress.TryParse</c> per the approved decision. The PlcFamilies using directive is retained in the contracts project since both namespaces live there. The runtime Driver.AbLegacy project gains a ProjectReference to .Contracts; the .slnx is updated accordingly.	2026-05-28 08:59:21 -04:00
Joseph Doherty	b474d63335	refactor(driver-abcip): extract AbCipDriverOptions to .Contracts ... Move AbCipDriverOptions (and AbCipDataType enum) to a new Driver.AbCip.Contracts sibling project. AbCipDataTypeExtensions (which uses DriverDataType from Core.Abstractions) stays in the runtime driver as AbCipDataTypeExtensions.cs. Replace two doc-comment <see cref="Core.Abstractions.IAlarmSource"/> and <see cref="Core.Abstractions.IHostConnectivityProbe"/> with <c>X</c> per the approved decision — no compilable using was present. The runtime Driver.AbCip project gains a ProjectReference to .Contracts; the .slnx is updated accordingly.	2026-05-28 08:57:36 -04:00
Joseph Doherty	5058a56645	refactor(driver-modbus): extract ModbusDriverOptions to .Contracts ... Move ModbusDriverOptions (and companion option types) to a new Driver.Modbus.Contracts sibling project. The contracts project references only Driver.Modbus.Addressing (itself zero-dep and Admin-safe) because ModbusDriverOptions.Probe/Family/Region properties use enum types that live there. Drop 'using ZB.MOM.WW.OtOpcUa.Core.Abstractions' and replace <see cref="IHostConnectivityProbe"/> with <c>IHostConnectivityProbe</c> per the approved decision — the using was doc-comment-only. The runtime Driver.Modbus project gains a ProjectReference back to .Contracts; the .slnx is updated accordingly.	2026-05-28 08:50:17 -04:00
Joseph Doherty	64e3fbe035	docs: backfill XML documentation across 756 files ... Adds <summary>, <param>, <typeparam>, and <inheritdoc/> tags to public members surfaced by commentchecker — resolves 5,847 of 5,869 issues (99.6%) across three /fixdocs passes.	2026-05-28 08:10:17 -04:00
Joseph Doherty	f9fc7dd2e1	feat(host): wire UseWindowsService so sc.exe-installed service runs cleanly ... The v2 plan's blessed install path (scripts/install/Install-Services.ps1) registers the host via `sc.exe create binPath=...OtOpcUa.Host.exe`, but the binary never called `UseWindowsService`. Without it, the Service Control Manager waits ~30s for the process to call SetServiceStatus(Running) and then kills it — the install script's design was incomplete. Two changes: - Host.csproj: drop the `IsOSPlatform('Windows')` condition on the Microsoft.Extensions.Hosting.WindowsServices package reference so the package is always available. The runtime helper used by UseWindowsService gates on WindowsServiceHelpers.IsWindowsService() internally, so it's a no-op when running as a console app or under Linux/macOS — the binary stays cross-platform-buildable. - Program.cs: call builder.Host.UseWindowsService(options => options.ServiceName = "OtOpcUaHost") immediately after CreateBuilder. When the host is launched by SCM, WindowsServiceLifetime takes over the IHostLifetime slot and reports START/STOP correctly. When launched by `dotnet run` or `OtOpcUa.Host.exe` from a console, it's a no-op. Verified end-to-end on wonder-app-vd03.zmr.zimmer.com: `sc.exe create` followed by `sc.exe start OtOpcUaHost` transitions from START_PENDING to RUNNING; /login + /health/ready + /health/active all return 200; service survives SSH session close and auto-starts on boot per the AUTO_START flag set by the installer script.	2026-05-26 17:07:52 -04:00
Joseph Doherty	7dfbca6469	feat(opcua): materialise SystemPlatform tags (Galaxy) as OPC UA variables ... Closes the gap where Tag rows with EquipmentId=NULL + Namespace.Kind=SystemPlatform (Galaxy hierarchy) existed in ConfigDb but were never surfaced in the OPC UA address space. Now they materialise as Variable nodes under a folder named for their FolderPath, browseable through any OPC UA client. Layers touched: - IOpcUaAddressSpaceSink: new EnsureVariable(nodeId, parentFolderId, displayName, dataType) signature on the sink interface, NullSink, DeferredSink, SdkSink. - OtOpcUaNodeManager.EnsureVariable: creates a BaseDataVariableState parented under the named folder (or root), initial Value=null + StatusCode=BadWaitingForInitialData; resolves Tag.DataType strings to the matching OPC UA built-in NodeId. Idempotent. - Phase7CompositionResult: new GalaxyTags collection of GalaxyTagPlan records carrying (TagId, DriverInstanceId, FolderPath, DisplayName, DataType, MxAccessRef). Constructor overloads keep existing call sites compiling. - Phase7Composer.Compose: now takes Tag + Namespace inputs, filters for SystemPlatform-namespace tags with EquipmentId=NULL, emits GalaxyTagPlan rows with MXAccess ref "FolderPath.Name". - Phase7Plan: new AddedGalaxyTags / RemovedGalaxyTags / ChangedGalaxyTags collections + GalaxyTagDelta record; IsEmpty + needsRebuild updated. - Phase7Planner.Compute: diffs GalaxyTags by TagId via existing DiffById helper. - DeploymentArtifact.ParseComposition: reads the Tags + Namespaces + DriverInstances arrays the ConfigComposer already emits, applies the same SystemPlatform filter, returns the same GalaxyTagPlan list as the composer so artifact-side and compose-side plans agree. - Phase7Applier: new MaterialiseGalaxyTags pass that ensures one folder per distinct FolderPath then one Variable per tag. NodeId for the variable is "<FolderPath>.<Name>" matching the MXAccess ref so the future Galaxy SubscribeBulk wiring can address them directly. - OpcUaPublishActor.RebuildAddressSpace: invokes MaterialiseGalaxyTags after MaterialiseHierarchy. _lastApplied initialiser updated for the new ctor. - seed-clusters.sql: pre-existing TestMachine_001.TestAlarm001..003 rows needed no change — the composer/applier now picks them up automatically. Verified end-to-end via docker-dev: deploy click → driver-a logs "Phase7Applier: Galaxy tags materialised (tags=3, folders=1)" → OPC UA Client CLI browses the three Variable nodes under TestMachine_001 folder. Reads return BadWaitingForInitialData status (expected — Galaxy driver's SubscribeBulk wiring to push values into the nodes is the remaining follow-up).	2026-05-26 15:43:22 -04:00
Joseph Doherty	60beb9128e	feat(deploy,runtime): wire mxaccessgw connection — endpoint, key, seed row ... User confirmed the mxaccessgw client (Galaxy driver) doesn't need Windows — only the gateway worker has that constraint. This wires the Galaxy driver into the docker-dev fleet: - docker-compose.yml: GALAXY_MXGW_API_KEY env var on every host service (admin nodes harmlessly ignore it; driver-role nodes pick it up when the seeded DriverInstance resolves ApiKeySecretRef=env:GALAXY_MXGW_API_KEY). Default value matches the key the operator provided; override via shell env (GALAXY_MXGW_API_KEY=... docker compose up -d) to rotate without editing compose. - seed-clusters.sql: now creates a SystemPlatform Namespace (MAIN-galaxy, urn:zb:docker-dev:galaxy) plus a GalaxyMxGateway DriverInstance (MAIN-galaxy-mxgw) in the MAIN cluster pointing at http://10.100.0.48:5120 with UseTls=false. Idempotent via IF NOT EXISTS. - DriverInstanceActor.ShouldStub: clarified the doc comment — only the legacy "Galaxy" type name and "Historian.Wonderware" are Windows-only; the v2 "GalaxyMxGateway" driver is .NET 10 cross-platform (gRPC to an external gateway) and is NOT stubbed. - README: documents the final operator step — sign in, click "Deploy current configuration" on /deployments to materialise the seeded Galaxy driver into a running gRPC connection. Raw DriverInstance rows don't spawn drivers on their own; the v2 lifecycle requires a sealed Deployment first.	2026-05-26 14:58:02 -04:00
Joseph Doherty	6884de9774	revert(adminui): restore 'OtOpcUa Admin' login title ... User chose to revert the MxAccess Gateway rebrand on the login card. Keep the layout fix from c064ec1 (no panel-head top strip; inline h1.login-title) and just put the original product name back.	2026-05-26 14:50:06 -04:00
Joseph Doherty	c064ec16cf	fix(security,adminui): logout redirects to /login + restyle login card ... Two small UX fixes: - AuthEndpoints.LogoutAsync now redirects browser callers to /login after SignOutAsync instead of returning 204 NoContent. 204 was correct for the REST contract but left browsers stuck on the page they came from (the cookie was cleared but no navigation happened, so "Sign out" appeared to do nothing). API callers can still opt into the status-only behavior by sending `Accept: application/json`. - Login.razor drops the .panel-head top strip; the sign-in card now reads as a self-contained form with an inline title "MxAccess Gateway Admin — sign in". Added a .login-title CSS class to site.css that matches the panel-head's typographic weight without the bar.	2026-05-26 14:47:53 -04:00
Joseph Doherty	ed1c17bc7b	fix(deploy,host): docker-dev bring-up — anon health probes, robust seeder ... Two fixes surfaced while bringing up the docker-dev stack end-to-end: - HealthEndpoints.MapOtOpcUaHealth now calls .AllowAnonymous() on /health/ready, /health/active, /healthz. Without it the AddOtOpcUaAuth fallback policy 401s every probe and Traefik marks every backend unhealthy → all three cluster routes return 503. - cluster-seed entrypoint no longer attempts to apply Migrate-To-V2.sql via sqlcmd. The EF-generated idempotent script puts CREATE PROCEDURE inside IF NOT EXISTS BEGIN ... END blocks (procs must be first in their batch), so sqlcmd fails with "Must declare the scalar variable @FromGenerationId". EF's own runner handles this; sqlcmd doesn't. The seed now just waits for the schema and applies row inserts. Migrations remain the operator's job: dotnet ef database update --project src/Core/.../Configuration \ --startup-project src/Server/.../Host Also: LDAP service removed (bitnami/openldap:2.6 image retired, legacy tag crashes mid-setup with exit 68); every host now runs with Authentication__Ldap__DevStubMode=true. Bumped LDAP+Traefik dashboard host ports to avoid collisions with the sister scadalink dev stack (3893→3894, 8080→8089). Confirmed working end-to-end: all three Traefik routes return HTTP 200, cluster-seed populates ServerCluster (MAIN/SITE-A/SITE-B) + ClusterNode (driver-a/b, site-a-1/2, site-b-1/2) rows on first boot.	2026-05-26 14:37:01 -04:00
Joseph Doherty	a1a7646b33	fix(adminui): refresh stale F9 stub copy on /alerts page ... ScriptedAlarmActor (Runtime/ScriptedAlarms) shipped a while back — the "Engine wiring (F9 ScriptedAlarmActor) is pending" stub message was misleading. Also drop the matching "(F9)" / "(future)" parentheticals in the intro panel and frame the empty state as a current-window condition, not a missing feature.	2026-05-26 13:53:09 -04:00
Joseph Doherty	e4d0d82f7f	feat(adminui): collapsible nav sidebar with cookie state + LoginLayout ... Port the ScadaLink CentralUI sidebar pattern into the OtOpcUa AdminUI: - Drop the top app-bar. Brand moves into the side rail's header — same visual rhythm as ScadaLink's NavMenu. - New NavSection.razor: collapsible eyebrow toggle (rail-eyebrow-toggle CSS) with a chevron + label. Mirrors ScadaLink/Components/Layout/NavSection. - New NavSidebar.razor: interactive island carrying the three section groups (Navigation / Scripting / Live) + session block. Marked @rendermode InteractiveServer; MainLayout itself stays static-rendered because layouts can't take a RenderFragment Body across an interactive boundary. - New wwwroot/js/nav-state.js: window.navState.get/.set persists the expanded-section list to the otopcua_nav cookie (one-year lifetime, SameSite=Lax). Same shape as ScadaLink's scadabridge_nav. - New LoginLayout.razor + @layout LoginLayout on Login.razor: the login page now renders without the side rail — clean centred card. - MainLayout.razor: slimmed down to the d-flex shell + hamburger toggle + <NavSidebar/> + @Body. - Login.razor: also drops the trailing "LDAP bind against the configured directory..." footer that the user asked to remove. - site.css: adds .side-rail .brand styles (mirrored from ScadaLink) and the .rail-eyebrow-toggle / .rail-eyebrow-chevron / .rail-section-body styles for the new collapsible UI. Auto-expand on page load: NavSidebar seeds the expanded set from the current URL's first path segment (in OnInitialized so it works even on the very first server render) and from the cookie (in OnAfterRenderAsync once JS interop is available). LocationChanged hooks keep the expanded state in sync as the user navigates between sections.	2026-05-26 13:48:35 -04:00
Joseph Doherty	2915755a7c	fix(host,security): wire static assets, DI lifetimes, form login, dev-stub LDAP ... Six interlocking fixes surfaced while smoke-testing the fused Host in a browser: - Host/Program.cs: UseStaticWebAssets() opts into the RCL static-asset pipeline in any environment (auto-only in Development), MapStaticAssets().AllowAnonymous() exempts CSS/JS from the AddOtOpcUaAuth fallback policy, and AddCascadingAuthenticationState() lets <AuthorizeView/> work inside interactive components (NavSidebar's session block). - Security/ServiceCollectionExtensions: ILdapAuthService Scoped → Singleton — consumed by the Singleton LdapOpcUaUserAuthenticator on driver-role nodes. Crash only surfaced in Development (ValidateOnBuild=true). - Security/Endpoints/AuthEndpoints: /auth/login now dispatches on Content-Type — application/json keeps the original 204/401/503 contract for tests, and application/x-www-form-urlencoded (the browser <form>) gets a redirect dance. DisableAntiforgery on the login endpoint (it's the entry point, no prior session) and AllowAnonymous to override the fallback policy. - Security/Ldap/LdapOptions + LdapAuthService: real DevStubMode property; when true the auth service bypasses the LDAP bind and returns a FleetAdmin role so dev/test can navigate the full Admin UI without GLAuth running. - AdminUI/EndpointRouteBuilderExtensions: doc-comment update about static-asset flow (the actual MapStaticAssets call lives in Host/Program.cs).	2026-05-26 13:48:18 -04:00
Joseph Doherty	cb936db7d6	fix(opcua): PopulateServerArray writes IServerInternal.ServerUris so clients see peers	2026-05-26 11:39:44 -04:00
Joseph Doherty	70ffd2849d	feat(opcua): OpcUaApplicationHost publishes peer URIs in Server.ServerArray	2026-05-26 11:21:11 -04:00
Joseph Doherty	898a47746d	feat(host): add per-role appsettings overlays for admin/driver/admin-driver	2026-05-26 11:19:10 -04:00
Joseph Doherty	05a0596fb1	feat(host): F9b RoslynScriptedAlarmEvaluator + #107 close engine DI ... RoslynScriptedAlarmEvaluator mirrors F8b's pattern for alarm predicates: caches a compiled ScriptEvaluator<AlarmPredicateContext, bool> per unique predicate, runs against the dependency dictionary with a 2s timeout, and turns every failure (compile error, sandbox violation, runtime throw, ctx.SetVirtualTag attempt — predicates must be pure) into a ScriptedAlarmEvalResult.Failure. ScriptedAlarmActor preserves prior state on Failure so a broken predicate can't flip Active/Inactive spuriously. Program.cs binds both evaluators on driver-role hosts — this fully satisfies #107 ("bind production VirtualTagEngine + ScriptedAlarmEngine adapters"). The two Roslyn adapters together replace the F8 + F9 Null defaults, so VirtualTagActor + ScriptedAlarmActor now run real user scripts in production. 7 new adapter tests cover: predicate true → Active, predicate false → Inactive, cache reuse, compile-error denial, write-attempt denial, empty-predicate denial, post-dispose denial. Host.IntegrationTests now 17/17 green. Closes #80 + #107. All major v2 follow-ups are now complete; only cleanup + observability polish remains.	2026-05-26 10:58:04 -04:00
Joseph Doherty	219d10a22d	feat(host): F8b RoslynVirtualTagEvaluator — production virtual-tag eval ... RoslynVirtualTagEvaluator wraps Core.Scripting.ScriptEvaluator + Core .VirtualTags.VirtualTagContext into a single-tag IVirtualTagEvaluator adapter. Caches the compiled ScriptEvaluator per unique expression so the second-and-onwards Evaluate is an in-process method call against the dependency dictionary. Compile/sandbox/runtime errors all surface as VirtualTagEvalResult.Failure rather than propagating exceptions through the VirtualTagActor message loop. Single-tag scope: cross-tag ctx.SetVirtualTag writes are dropped + logged because fan-out between actors is owned by DependencyMuxActor. Cycle detection + cascade ordering stay in Core.VirtualTags.VirtualTagEngine where they belong (loaded fleet-wide); this adapter keeps the actor message handler simple. Host adds Core.Scripting + Core.VirtualTags project refs, plus a TargetWarningsAsErrors NU1608 suppression — Microsoft.CodeAnalysis.CSharp .Scripting 4.12.0 pins Common to 4.12.0 but ASP.NET Core transitively brings Microsoft.CodeAnalysis.Common 5.0.0; the surface we use is stable across the drift (verified by Core.Scripting.Tests). Program.cs binds RoslynVirtualTagEvaluator → IVirtualTagEvaluator on driver-role hosts, replacing the F8-default NullVirtualTagEvaluator so VirtualTagActor evaluates real user scripts at runtime. 6 new adapter tests cover: simple expression sums, cache reuse across calls, compile-error denial, runtime-throw denial, empty-expression denial, post-dispose denial. Host.IntegrationTests now 10/10 green. Closes #79. F9b + #107 next.	2026-05-26 10:55:56 -04:00
Joseph Doherty	607dc51dec	feat(opcua): #85 UNS Area/Line/Equipment folder hierarchy in SDK ... Phase7Composer now carries UnsAreaProjection + UnsLineProjection lists so the applier can materialise the full UNS topology in the OPC UA address space. New IOpcUaAddressSpaceSink.EnsureFolder(folderNodeId, parentNodeId, displayName) seam (no-op default, recorded in tests, forwarded by DeferredAddressSpaceSink, implemented by SdkAddressSpaceSink). The SDK- side OtOpcUaNodeManager gains an EnsureFolder API that creates FolderState nodes with proper parent linkage; RebuildAddressSpace now clears folders too so re-applies don't accumulate stale topology. Phase7Applier.MaterialiseHierarchy walks composition.UnsAreas → composition.UnsLines → composition.EquipmentNodes, calling EnsureFolder with the correct parent at each level. Idempotent — calling twice with the same composition is a no-op. OpcUaPublishActor.HandleRebuild invokes it after Phase7Applier.Apply so OPC UA clients browsing the server now see Area/Line/Equipment as proper folders rather than flat tag ids. DeploymentArtifact.ParseComposition reads UnsAreas + UnsLines from the JSON snapshot the ControlPlane emits, populating the new fields when present. Phase7Composer.Compose now accepts UnsAreas + UnsLines; a 3-arg overload preserves the old signature for legacy callers + existing tests. The Phase7CompositionResult convenience ctor likewise keeps the planner tests working without UNS data. 3 new hierarchy tests (pure unit + boot-verify against a real OtOpcUaSdkServer); OpcUaServer suite is 48/48 green (was 45, +3), Runtime 74/74 unchanged. Closes #85.	2026-05-26 10:48:56 -04:00
Joseph Doherty	2697af31d1	feat(opcua,host): #81 ServiceLevel SDK publisher ... SdkServiceLevelPublisher writes Server.ServiceLevel through the SDK's ServerObjectState — the standard OPC UA non-transparent-redundancy signal clients use to pick a primary. Writes are guarded by DiagnosticsLock so concurrent SDK diagnostics scans don't fight with our updates. DeferredServiceLevelPublisher mirrors the DeferredAddressSpaceSink late- binding pattern: Akka actors resolve IServiceLevelPublisher at construction, hosted service swaps the SDK publisher in after StandardServer.Start. Host Program.cs registers DeferredServiceLevelPublisher as the singleton bound to IServiceLevelPublisher; OtOpcUaServerHostedService gets it injected and fills it once IServerInternal is available. Tests boot a real StandardServer on a free port (cross-platform), call Publish, then verify ServerObject.ServiceLevel.Value reflects the write. 5 new tests; OpcUaServer suite now 45/45 green (was 40, +5). Closes #81 residual. Unblocks Task 60 (OPC UA dual-endpoint + ServiceLevel tests).	2026-05-26 10:37:42 -04:00
Joseph Doherty	52997ee164	feat(observability): F13d Prometheus + OpenTelemetry instrumentation ... OtOpcUaTelemetry (Commons/Observability) centralizes the project's Meter + ActivitySource so all instrumentation points emit through a single named surface. Counters cover the hot paths: otopcua.deploy.applied (outcome=ack|reject) otopcua.deploy.apply.duration (s, histogram) otopcua.driver.lifecycle (event=spawn|spawn_stub|stop|fault) otopcua.virtualtag.eval (outcome=ok|fail|skip) otopcua.scriptedalarm.transition (state=activated|acknowledged|cleared) otopcua.opcua.sink.write (kind=value|alarm|rebuild) otopcua.redundancy.service_level_change (level=byte) Plus two ActivitySource spans: otopcua.deploy.apply wraps DriverHostActor.ApplyAndAck otopcua.opcua.address_space_rebuild wraps OpcUaPublishActor.HandleRebuild Instruments are no-op until a listener attaches, so tests + dev hosts pay nothing for unread telemetry. Host Program.cs gains AddOtOpcUaObservability() (binds the OtOpcUa Meter + ActivitySource to OpenTelemetry, attaches a Prometheus exporter) and MapOtOpcUaMetrics() (mounts /metrics scrape endpoint). Driver-side internals + ASP.NET request metrics deliberately stay off — the scrape payload is scoped to OtOpcUa signals only. Tests use MeterListener + ActivityListener to verify VirtualTagActor.eval, OpcUaPublishActor.AttributeValueUpdate, and RebuildAddressSpace actually emit on the central instruments. Runtime suite is 72 / 72 green (+3). Closes #105. Path A (F13b/c/d) complete; next batch options: #85 UNS folder hierarchy in SDK, or F8b/F9b production engine bindings.	2026-05-26 10:29:40 -04:00
Joseph Doherty	21eac21409	feat(opcua,host): F13c LDAP-bound UserName validator ... Adds IOpcUaUserAuthenticator seam in OpcUaServer.Security with a deny-all NullOpcUaUserAuthenticator default. OpcUaApplicationHost subscribes to SessionManager.ImpersonateUser after _application.Start so UserName tokens flow through the authenticator and either attach a UserIdentity to the session (Allow) or set IdentityValidationError = BadIdentityTokenRejected (Deny / authenticator exception). Anonymous + X509 tokens fall through to SDK defaults. LdapOpcUaUserAuthenticator (Host project) bridges to the same ILdapAuthService that AddOtOpcUaAuth uses for Admin cookies / JWT, so a single LDAP source-of-truth governs both Admin control plane and OPC UA data plane. Program.cs registers LdapOptions + LdapAuthService + IOpcUaUserAuthenticator on driver-role hosts; admin-only nodes are unchanged. OtOpcUaServerHostedService threads the resolved authenticator into OpcUaApplicationHost so the seam respects Host DI. 10 new tests: 6 in OpcUaServer.Tests cover the pure HandleImpersonation static method (success / denial / anonymous fallthrough / authenticator- throw / null-username / Null authenticator); 4 in Host.IntegrationTests cover the LdapOpcUaUserAuthenticator adapter (LDAP allow → Allow with roles, LDAP deny → Deny, exception → backend-error denial, display-name fallback). OpcUaServer suite is 40 / 40 green. Closes #104. Unblocks Task 60 (dual-endpoint + ServiceLevel tests) once #81 residual lands.	2026-05-26 10:21:37 -04:00
Joseph Doherty	8b08566f41	feat(opcua): F13b endpoint security profiles — Sign + SignAndEncrypt ... OpcUaApplicationHost.BuildConfigurationAsync now populates ServerConfiguration.SecurityPolicies + UserTokenPolicies from the new OpcUaSecurityProfile enum on OpcUaApplicationHostOptions. Defaults expose all three baseline profiles (None + Basic256Sha256-Sign + Basic256Sha256-SignAndEncrypt) matching docs/security.md. UserName tokens are SDK-encrypted with the server cert so they work on None endpoints too; F13c will plug the LDAP validator into SessionManager. AutoAcceptUntrustedClientCertificates surfaces as an option for dev flows; production keeps the default (false) and operators promote rejected certs through the Admin UI. InternalsVisibleTo added so BuildSecurityPolicies / BuildUserTokenPolicies stay encapsulated but unit-testable. 6 new tests cover the pure builders + two boot-verify cases (3-profile default + hardened single-profile), bringing the suite to 34 / 34 passing. Closes #103. Unblocks #104 (F13c LDAP user-token validator).	2026-05-26 10:15:04 -04:00
Joseph Doherty	50787823d3	feat(host,runtime): #108 Host DI bindings — OPC UA server + deferred sink ... Wires the OPC UA SDK into the fused Host's lifecycle on driver-role nodes + spawns OpcUaPublishActor with the proper sink/publisher/dbFactory/ applier resolution. The full read+write data path is now live in production: Deploy → DriverHost → OpcUaPublish → SDK NodeManager → subscribed OPC UA clients. DeferredAddressSpaceSink (Commons.OpcUa): - Thread-safe wrapper IOpcUaAddressSpaceSink that delegates to an inner sink swapped in at runtime. Needed because Akka actors resolve the sink at construction time, but the production sink (SdkAddressSpaceSink wrapping OtOpcUaNodeManager) only exists after the SDK StandardServer has started. - Defaults to NullOpcUaAddressSpaceSink so calls before swap are safe; SetSink(null) reverts (for graceful shutdown). OtOpcUaServerHostedService (Host.OpcUa): - IHostedService that owns the OPC UA SDK lifecycle. Reads OpcUaApplicationHostOptions from the 'OpcUa' config section, creates an OtOpcUaSdkServer, boots it through OpcUaApplicationHost, then swaps a real SdkAddressSpaceSink into the DeferredAddressSpaceSink singleton. - SDK boot failure is logged + non-fatal — the rest of the host (admin UI, driver actors) keeps running. Stop reverts to null sink. WithOtOpcUaRuntimeActors (Runtime): - Now spawns OpcUaPublishActor (new actor) + threads its ActorRef into DriverHostActor's Props so successful applies trigger the address-space rebuild pipeline. - Phase7Applier is constructed here from the resolved sink + a logger; OpcUaPublishActor takes both. - Prepends the opcua-synchronized-dispatcher HOCON so the extension is self-contained — consumers (Host, tests) don't need to redeclare the dispatcher block. - New OpcUaPublishActorKey + OpcUaPublishActorName for actor-registry resolution. - AddOtOpcUaRuntime now also TryAddSingleton's NullOpcUaAddressSpaceSink + NullServiceLevelPublisher so admin-only nodes (or tests that don't bind the Deferred sink) stay safe. Host.Program.cs (driver-role only): - Binds DeferredAddressSpaceSink as singleton + as IOpcUaAddressSpaceSink - AddHostedService<OtOpcUaServerHostedService>() Tests: OpcUaServer 24 -> 28 (+4 DeferredAddressSpaceSink unit tests), Runtime 69 -> 69 (existing ServiceCollectionExtensionsTests extended to verify the new mux + publish actor registration). All 6 v2 test suites green: 177 tests passing. Closes #108. Engine-wiring is now production-bound end-to-end on driver-role nodes — Deploy reaches real OPC UA Variable nodes that subscribed clients see.	2026-05-26 10:02:15 -04:00
Joseph Doherty	7e22e2250c	feat(runtime): #109 OpcUaPublishActor — load artifact, compose, plan-diff, apply ... Closes the loop between F10b (SDK NodeManager) and F14 (Phase7Plan + Phase7Applier). DriverHostActor's successful apply now triggers a RebuildAddressSpace on the publish actor, which loads the latest deployment artifact + walks composer → planner → applier through the sink. The OPC UA address space tracks the deployed composition. DeploymentArtifact: - New ParseComposition(blob) → Phase7CompositionResult that decodes Equipment + DriverInstance + ScriptedAlarm arrays into the projection records Phase7Planner consumes. Pascal-case property names mirror ConfigComposer.SnapshotAndFlattenAsync's output. - Each entity reader is tolerant: missing-id rows are dropped, natural-key sort matches Phase7Composer's contract. OpcUaPublishActor: - New Props params: dbFactory + applier. When wired, RebuildAddressSpace does: 1. LoadLatestArtifact (most recent Sealed Deployment.ArtifactBlob) 2. ParseComposition → Phase7CompositionResult 3. Phase7Planner.Compute(lastApplied, next) → Phase7Plan 4. Empty plan ⇒ no-op (deploy of unchanged composition is benign) 5. applier.Apply(plan) drives sink.RebuildAddressSpace + WriteAlarmState for removed nodes 6. lastApplied = next so the next rebuild diffs forward - Without dbFactory/applier wiring, falls back to raw sink.RebuildAddressSpace — the dev/Mac path before #108 binds prod. DriverHostActor: - New Props param opcUaPublishActor (IActorRef?). After successful ApplyAndAck (status Applied, ACK sent), tells the publish actor RebuildAddressSpace with the same correlation id so the audit trail threads through. Null publish actor ⇒ no trigger (admin-only nodes). Tests: Runtime 63 -> 69 (+6): - ParseComposition reads Equipment/Driver/Alarm sorted by natural key - ParseComposition returns empty for empty blob - Rebuild with dbFactory + sealed deployment artifact triggers exactly one sink.Rebuild call (Equipment topology added) - Rebuild with no artifact is idempotent no-op - Second rebuild with same composition is empty-plan no-op - Rebuild without dbFactory falls back to raw sink.Rebuild (legacy path) All 6 v2 test suites green: 173 tests passing. Closes #109. Engine-wiring data flow is now end-to-end through: Deploy → DriverHostActor.ApplyAndAck → driver spawn + ACK + RebuildAddressSpace → OpcUaPublishActor → Phase7Applier → SDK NodeManager → subscribed OPC UA clients see the change.	2026-05-26 09:55:11 -04:00
Joseph Doherty	d21f6947e1	feat(opcua): F10b SDK NodeManager binding — real OPC UA address-space writes ... OtOpcUaNodeManager + SdkAddressSpaceSink: the v2 IOpcUaAddressSpaceSink seam now has a production adapter against a real Opc.Ua.Server CustomNodeManager2. Writes through OpcUaPublishActor's sink materialise as real OPC UA Variable updates that subscribed clients see via the standard ClearChangeMasks notification path. OtOpcUaNodeManager (CustomNodeManager2): - Owns a ConcurrentDictionary<string, BaseDataVariableState> under a single namespace (https://zb.com/otopcua/ns) hung off Objects/. - WriteValue lazy-creates the variable on first write, sets Value + StatusCode (mapped from OpcUaQuality severity bits) + SourceTimestamp, then ClearChangeMasks to notify subscribers. - WriteAlarmState surfaces a [active, acknowledged] pair on a dedicated node id — full AlarmConditionState/event firing comes with #85 F14b (EquipmentNodeWalker SDK integration). - RebuildAddressSpace tears down every registered variable + clears the dictionary so the next write-pass starts fresh. - Address-space root folder is materialised in CreateAddressSpace. SdkAddressSpaceSink: thin IOpcUaAddressSpaceSink → OtOpcUaNodeManager bridge. Production DI binding (#108) constructs this once the host's StandardServer has booted. OtOpcUaSdkServer (StandardServer subclass): overrides CreateMasterNodeManager to inject OtOpcUaNodeManager via the MasterNodeManager additionalManagers ctor. NodeManager property exposes the live instance so OpcUaApplicationHost callers can wrap it in a sink. Tests: OpcUaServer 20 -> 24 (+4): - WriteValue creates + updates variables in the manager - WriteAlarmState creates a node distinct from value writes - RebuildAddressSpace clears everything; subsequent writes start fresh - NullOpcUaAddressSpaceSink no-op sanity Each test boots a real OpcUaApplicationHost on a free port with the SDK certificate auto-create flow (F13a) intact — full integration slice on macOS. All 6 v2 test suites green: 167 tests passing. F10 status updated to reflect SDK binding shipped. Residuals: - #109 OpcUaPublishActor.RebuildAddressSpace → Phase7Applier wiring - #108 Host DI default to SdkAddressSpaceSink when hasDriver - #85 F14b EquipmentNodeWalker integration (proper AlarmConditionState + folder hierarchy) - IServiceLevelPublisher SDK binding (writes Server.ServiceLevel node)	2026-05-26 09:49:44 -04:00
Joseph Doherty	7fa863f6da	feat(runtime): #113 DependencyMuxActor — drivers → virtual-tag fan-out ... End-to-end data path is now wired on the read side: driver subscriptions fire AttributeValuePublished → DriverHostActor → DependencyMuxActor → DependencyValueChanged to every interested VirtualTagActor. Previously the publish hit a dead-letter at the host. DependencyMuxActor: - Per-node fan-out router. Maintains tagRef → Set<IActorRef> with a reverse subscriber → refs index so unregister/replace are O(refs). - Watches subscribers; Terminated triggers automatic unregister so dead virtual-tag actors stop receiving publishes. - Re-register replaces the prior interest set — no stale-ref leaks on actor restart. - Drops publishes for refs with no interested subscribers. VirtualTagActor: - New Props params: dependencyRefs + mux ActorRef. - PreStart sends RegisterInterest to the mux; PostStop sends UnregisterInterest. Default both null so older callers stay quiet. DriverHostActor: - New dependencyMux Props param. Steady + Applying states now receive AttributeValuePublished from their DriverInstance children and forward to the mux. Null mux is a no-op (dev/Mac). ServiceCollectionExtensions: - WithOtOpcUaRuntimeActors spawns DependencyMuxActor before DriverHostActor and threads its ActorRef into the host's Props. New DependencyMuxActorKey + DependencyMuxActorName. Tests: Runtime 57 -> 63 (+6): - Mux forwards to only subscribers interested in each ref - Publish for unregistered ref is dropped silently - Unregister stops forwarding - Re-register replaces prior interest set - VirtualTagActor PreStart registration drives end-to-end eval (uses AwaitAssert to race-safely settle the PreStart Tell) - DriverHostActor forwards AttributeValuePublished through to mux All 6 v2 test suites green: 163 tests passing. F8 (#79) state updated — dep subscribe seam shipped, Core.VirtualTags production engine binding (compile + ITagUpstreamSource subscribe) is the residual.	2026-05-26 09:43:06 -04:00
Joseph Doherty	f427dc4f26	feat(runtime): #112 ScriptedAlarmActor state persistence via IAlarmActorStateStore ... ScriptedAlarmActor now survives actor restart: PreStart loads from the configured store + restores in-memory state; every Transition() fires a fire-and-forget save. ActiveState still re-derives from the evaluator on first tick (Phase 7 decision #14), but Acked state + lastAckUser persist verbatim so operators don't re-ack across an outage. Three pieces: - IAlarmActorStateStore seam in Commons.Engines, with the AlarmActorStateSnapshot record (alarmId / state / lastTransitionUtc / lastAckUser) and NullAlarmActorStateStore default. - EfAlarmActorStateStore in Runtime.ScriptedAlarms — production adapter over the existing ScriptedAlarmState table in ConfigDb. Maps the actor's 3-state enum to the table's AckedState column (Active⇒Unacknowledged, Acknowledged⇒Acknowledged, Inactive⇒ Acknowledged). Concurrency conflicts are logged + dropped — the next transition writes again. - ScriptedAlarmActor PreStart load (async, piped back as StateRestored) + Transition save. New Props overload takes the store; default is NullAlarmActorStateStore so tests stay quiet. Tests: Runtime 52 -> 57 (+5): - Transition writes Active then Acknowledged snapshots with lastAckUser populated - PreStart with persisted Active state restores so a subsequent AcknowledgeAlarm fires (not ignored as it would be from Inactive) - Empty store boots Inactive (AcknowledgeAlarm correctly ignored) - EfAlarmActorStateStore Save + Load round-trips via in-memory EF - Load for unknown alarmId returns null All 6 v2 test suites green: 157 tests passing. Closes #112. F9 (#80) remaining residual is predicate binding to Core.ScriptedAlarms.ScriptedAlarmEngine — split as F9b in tasks JSON.	2026-05-26 09:34:37 -04:00
Joseph Doherty	3e3f7588bd	feat(runtime,host): close F7 — driver subscribe + write paths + Host DI ... Three pieces landed in one batch, closing F7-residual + Host DI #106: Runtime/DriverInstanceActor: - Subscribe / Unsubscribe message contracts; the Connected state handles them via IDriver.ISubscribable. On every OnDataChange event the actor publishes AttributeValuePublished to its parent (DriverHostActor → OpcUaPublishActor). OPC UA StatusCode is mapped to the 3-state OpcUaQuality enum via severity bits (00=Good, 01=Uncertain, 10/11=Bad). - DetachSubscription tears the handler off the driver on DisconnectObserved, Unsubscribe, and PostStop so a stale handler never pushes to a dead actor. - WriteAttribute now dispatches IWritable.WriteAsync (batch of one) with a 5s CancellationTokenSource; status-code propagated to WriteAttributeResult on non-Good results. Host: - New ProjectReferences to Core + every cross-platform driver assembly (AbCip/AbLegacy/FOCAS/Galaxy/Modbus/S7/TwinCAT). Galaxy is net10 (gRPC client to mxaccessgw); the COM-bound net48 Wonderware Historian driver stays out of the Host's reference closure — its .Client gRPC wrapper is what binds for historian needs. - New DriverFactoryBootstrap.AddOtOpcUaDriverFactories() registers a singleton DriverFactoryRegistry, invokes each driver's Register(registry, loggerFactory), and binds IDriverFactory to DriverFactoryRegistryAdapter. Replaces the F7 NullDriverFactory default so deploys actually materialise real IDriver instances on driver-role nodes. ShouldStub() still gates per-platform behaviour at spawn time. - Program.cs wires AddOtOpcUaDriverFactories() before AddAkka so the runtime extension can resolve IDriverFactory from DI. Tests: Runtime 46 -> 52 (+6): - Write returns success when StatusCode = Good - Write propagates non-Good status code in failure Reason - Subscribe forwards OnDataChange to parent as AttributeValuePublished - Quality translation: Uncertain (0x40...) and Bad (0x80...) - Subscribe against non-ISubscribable returns failure - DisconnectObserved detaches handler so late events are dropped All 6 v2 test suites green: 152 tests passing. Closes F7. F7-residual sub-tasks #110 (subscribe) and #111 (write) both shipped. Host DI binding #106 shipped.	2026-05-26 09:28:34 -04:00
Joseph Doherty	c02f016f1d	feat(opcua): F14 Phase7Plan + Phase7Applier ... Splits the side-effecting half of Phase7Composer (deferred at Task 47) into two pieces that mirror DriverHostActor's spawn-plan pattern: Phase7Plan + Phase7Planner.Compute (pure): Diff two Phase7CompositionResult snapshots by stable id (EquipmentId, DriverInstanceId, ScriptedAlarmId). Emits Added/Removed/Changed lists per entity class. Added/Removed are sorted by id for deterministic apply order. Changed wraps both Previous and Current projections so consumers can decide between in-place mutation and tear-down + rebuild. Phase7Applier (side-effecting): Drives an IOpcUaAddressSpaceSink against a plan. Removed equipment/ alarms get an inactive AlarmState write per id; Added/Removed of Equipment or ScriptedAlarm triggers RebuildAddressSpace. Driver-only changes correctly skip the rebuild — those flow through DriverHost- Actor's spawn-plan in Runtime. Sink exceptions are caught + logged so one bad node doesn't abort the apply. Tests: OpcUaServer 6 -> 20 (+14): - Phase7PlannerTests x9 (empty-in/empty-out, add/remove/change per entity class, mixed changes, deterministic ordering) - Phase7ApplierTests x5 (empty plan no-op, removal writes inactive states + rebuild, added equipment triggers rebuild, driver-only skips rebuild, sink fault is non-fatal) The remaining piece is the EquipmentNodeWalker integration against a real SDK NodeManager — split as F14b, gated on F10b's SDK builder. All 6 v2 test suites green: 146 tests passing.	2026-05-26 09:16:08 -04:00
Joseph Doherty	a1325299ce	feat(runtime): F10 OpcUaPublishActor sink seams + redundancy-driven ServiceLevel ... OpcUaPublishActor now routes through pluggable seams instead of just incrementing a counter: - IOpcUaAddressSpaceSink (Commons.OpcUa) — WriteValue / WriteAlarmState / RebuildAddressSpace. OpcUaQuality enum moved here from the actor's nested type so producers don't have to reference the actor itself. - IServiceLevelPublisher — Publish(byte). NullServiceLevelPublisher retains the last level for inspection. - The actor subscribes to the redundancy-state DPS topic in PreStart and maps the local node's NodeRedundancyState to a coarse ServiceLevel (Primary+leader=240, Primary=200, Secondary=100, Detached=0). This keeps the local SDK's ServiceLevel node honest without round-tripping back through the admin-singleton calculator. - ServiceLevelChanged dedupes identical levels so the SDK doesn't see redundant writes. - Sink + publisher exceptions are caught and logged; the actor never crashes its own dispatcher. - PropsForTests gets optional sink/publisher/localNode params and skips the DPS subscribe so unit tests stay on a vanilla TestKit cluster. Production binding to a real SDK NodeManager + Variable nodes is the remaining residual — split as F10b. Task 60 still blocked on F10b. Tests: Runtime 40 -> 46 (+6): - AttributeValueUpdate routes to sink - AlarmStateUpdate routes to sink - RebuildAddressSpace calls sink.Rebuild - ServiceLevelChanged dedupes - RedundancyStateChanged for primary-leader publishes 240 - RedundancyStateChanged for secondary publishes 100 All 6 v2 test suites green: 132 tests passing.	2026-05-26 09:10:55 -04:00
Joseph Doherty	14fb2b05ed	feat(runtime): F8/F9 engine evaluator seams + DPS fan-out ... VirtualTagActor and ScriptedAlarmActor now route through pluggable evaluator interfaces and fan out to the cluster's live-tail topics shipped in F15.3: - IVirtualTagEvaluator + NullVirtualTagEvaluator in Commons.Engines. VirtualTagActor calls evaluator on every DependencyValueChanged, dedupes unchanged values, forwards EvaluationResult to its parent, and publishes ScriptLogEntry Warning to the script-logs DPS topic whenever the evaluator fails. - IScriptedAlarmEvaluator + NullScriptedAlarmEvaluator. ScriptedAlarmActor takes an AlarmConfig (id/name/equipment-path/severity/predicate) and publishes both an AlarmTransitionEvent (alerts topic) and a ScriptLogEntry (script-logs topic) at every transition. Manual ConditionMet/Acknowledge/Cleared still flow through the same Transition() so callers without engine bindings still drive the state machine; the legacy single-string Props() overload routes through a default AlarmConfig. The Null* defaults keep the actors safe when no engine is bound — unconfigured nodes never spuriously alarm. Production binding to Core.VirtualTags.VirtualTagEngine and Core.ScriptedAlarms is the remaining residual (F8b/F9b — split in tasks JSON). Tests: Runtime 34 -> 40 (+6): - VirtualTagActorTests x3 (evaluator drives EvaluationResult, unchanged-value dedup, failure publishes Warning ScriptLogEntry) - ScriptedAlarmActorTests x3 (engine threshold drives Activated + Cleared on alerts topic, manual Acknowledge attribution). All 6 v2 test suites green: 126 tests passing.	2026-05-26 09:05:04 -04:00
Joseph Doherty	da141497f8	feat(runtime): F7 spawn lifecycle + F20 ShouldStub gate ... DriverHostActor.ApplyAndAck now reads the deployment artifact and reconciles its set of DriverInstanceActor children — spawn the missing, ApplyDelta to those with changed config, stop the removed/disabled. The diff lives in pure DriverSpawnPlanner so it can be unit-tested without an ActorSystem. Adds IDriverFactory in Core.Abstractions (consumed by Runtime) + DriverFactoryRegistryAdapter in Core.Hosting that wraps the existing v1 DriverFactoryRegistry — Runtime stays decoupled from Polly/Serilog, the Host wires the adapter once driver assemblies have registered. ShouldStub(type, roles) is now actually called on every spawn — Galaxy + Wonderware-Historian boot stubbed on macOS/Linux or whenever the host carries the dev role. Missing factory ⇒ stub fallback, never a crash. Tests: 24 → 34 in Runtime (+10): - DriverSpawnPlannerTests x7 (diff cases, type change ⇒ stop+respawn) - DeploymentArtifactTests x5 (empty/malformed/missing fields tolerant) - DriverHostActorReconcileTests x4 (spawn count, stub fallback, ShouldStub gate, second-apply stops the removed) All 6 v2 test suites green: 120 tests passing. Closes F20 (ShouldStub wired). F7 marked partial — subscription publishing + write path still stubbed in DriverInstanceActor itself.	2026-05-26 08:57:16 -04:00
Joseph Doherty	59858129cb	feat(adminui): F15.3 closes F15 — live alerts/script-log, CSV import, Monaco editor ... Final F15 batch wires up the SignalR-backed live pages, ports the bulk equipment importer, and progressively enhances the Script source editor with Monaco. Message contracts: - Commons.Messages.Alerts.AlarmTransitionEvent — fires on every alarm state transition; published on the `alerts` DPS topic by future ScriptedAlarmActor (F9) emits. - Commons.Messages.Logging.ScriptLogEntry — one log line emitted by a hosted script; published on the `script-logs` DPS topic by future VirtualTagActor (F8) + ScriptedAlarmActor (F9) emits. (Folder named "Logging" to dodge .gitignore's "logs/" rule.) SignalR plumbing: - AlertHub gains MethodName + bridge actor (AlertSignalRBridge) - ScriptLogHub introduced; ScriptLogSignalRBridge follows the same DPS-subscribe → IHubContext fan-out pattern as FleetStatusSignalRBridge - WithOtOpcUaSignalRBridges now spawns all three bridges - MapOtOpcUaHubs maps /hubs/script-log alongside the existing hubs Pages: - /alerts live alarm tail, 200-row capacity - /script-log live script-log tail with level + script filter, 500-row capacity - /clusters/{id}/equipment/import — CSV bulk Equipment add with preview (Name/MachineCode/UnsLineId/Driver + optional ZTag/SAPID/Manufacturer/Model; skips rows whose MachineCode already exists in the fleet) - ScriptEdit progressively enhanced with Monaco editor via JSInterop — the textarea remains Blazor's source of truth and Monaco syncs into it on every keystroke so @bind keeps working; falls back gracefully if the CDN is unreachable. MainLayout nav gains a "Live" section (Deployments, Alerts, Alarms historian) and a "Scripts" link under Scripting. ClusterEquipment surfaces the new Import CSV button. Tally: F15 ships ~42 razor pages + 3 SignalR hubs + 3 bridge actors. Microsoft.AspNetCore.SignalR.Client added (was already in central PM). All 104 v2 tests remain green.	2026-05-26 08:39:17 -04:00
Joseph Doherty	ae980aef5d	feat(adminui): F15.2 batch 4 — closes live-edit forms (Acl/VirtualTag/ScriptedAlarm/Script) ... Final batch of F15.2. After this commit every entity surfaced by the Phase A-D read views has a matching new/edit/delete form. - AclEdit.razor /clusters/{id}/acls/{new|aclId} - NodePermissions [Flags] enum surfaced as per-bit checkboxes plus one-click bundle buttons (ReadOnly / Operator / Engineer / Admin) - ScopeKind select + ScopeId free-text target (null = cluster-wide) - VirtualTagEdit.razor /virtual-tags/{new|virtualTagId} - Trigger validation: enforces at least one of ChangeTriggered or TimerIntervalMs is set - ScriptedAlarmEdit.razor /scripted-alarms/{new|scriptedAlarmId} - AlarmType select with OPC UA Part 9 subtypes - MessageTemplate is a textarea (template tokens are server-resolved) - ScriptEdit.razor /scripts/{new|scriptId} - SHA-256 hash computed from SourceCode on save (operator never sees or edits SourceHash directly) - InputTextArea now; Monaco syntax editor is a future enhancement List pages (ClusterAcls / VirtualTags / ScriptedAlarms / Scripts) all gain New + per-row Edit affordances. Tally: F15.2 shipped CRUD for 11 entities — Cluster, ClusterNode, UnsArea, UnsLine, Namespace, DriverInstance, Equipment, Tag, NodeAcl, VirtualTag, ScriptedAlarm, Script. All 9 integration tests still green.	2026-05-26 08:27:56 -04:00
Joseph Doherty	2662ac08e4	feat(adminui): F15.2 batch 3 — Equipment + Tag CRUD (operator surfaces) ... The two most-edited entities for daily operator workflows. Both follow the same single-page edit-or-create pattern from batches 1 + 2 with RowVersion optimistic concurrency. - EquipmentEdit.razor /clusters/{id}/equipment/{new|EquipmentId} - EquipmentId is system-generated on create (decision #125): EQ-{first 12 hex chars of a new EquipmentUuid}. - UNS line + driver instance selects are scoped to the cluster. - All 9 OPC 40010 identification fields surfaced as an optional panel. - MachineCode uniqueness checked client-side before EF unique index enforces it server-side. - TagEdit.razor /clusters/{id}/tags/{new|TagId} - Equipment vs FolderPath input switches based on the selected driver's namespace kind — Equipment-kind requires EquipmentId, SystemPlatform-kind requires FolderPath (decision #110 invariant enforced client-side; sp_ValidateDraft re-enforces server-side at deploy). - DataType select uses the OPC UA built-in primitive type names. - TagConfig validated as JSON pre-flight. ClusterEquipment + ClusterTags list pages get New / Edit affordances. All 9 integration tests still green.	2026-05-26 08:22:51 -04:00
Joseph Doherty	45740578c9	feat(adminui): F15.2 batch 2 — topology entity CRUD ... Same single-page edit-or-create pattern as batch 1, applied to the foundational topology entities. After this batch the whole hierarchy (cluster → nodes → UNS areas → UNS lines → namespaces → drivers) is fully editable through the UI. - ClusterEdit.razor /clusters/{id}/edit Update + delete for an existing cluster. NodeCount stays coupled to RedundancyMode (None→1, Warm/Hot→2). ModifiedBy taken from AuthenticationStateProvider. - NodeEdit.razor /clusters/{id}/nodes/{new|nodeId} Full ClusterNode CRUD. ApplicationUri uniqueness is enforced by EF index; ServiceLevelBase defaults to 200 (primary preference) on create; per-node DriverConfigOverridesJson validated as JSON. - UnsAreaEdit.razor /clusters/{id}/uns/areas/{new|id} - UnsLineEdit.razor /clusters/{id}/uns/lines/{new|id} UNS structure CRUD; Lines pick their parent Area from a select that loads the cluster's areas. List pages updated: - ClusterOverview now shows an "Edit cluster" button + a "New node" action on the nodes panel + per-row Edit buttons. - ClusterUns gains New/Edit affordances for both Areas and Lines. All 9 integration tests still green; no regressions.	2026-05-26 08:18:49 -04:00
Joseph Doherty	5ae67a48ba	feat(adminui): F15.2 batch 1 — Namespace + DriverInstance live-edit CRUD ... Pattern proof for the live-edit forms gated by Phases A–D's read views. Each entity gets a single edit page handling both create (route param omitted) and update (route param present) modes, with RowVersion-based optimistic concurrency checked against EF Core's DbUpdateConcurrencyException. Pattern: - @page "/clusters/{id}/<thing>/new" - @page "/clusters/{id}/<thing>/{rowId}" - IsNew computed from rowId presence - EditForm + DataAnnotations validation - byte[] RowVersion stashed on FormModel; assigned to Entry(e).Property(e => e.RowVersion).OriginalValue before SaveChanges - Delete button (edit mode only) flows through the same RowVersion check - Concurrency conflict surfaces as an inline error panel; user reloads This batch: - NamespaceEdit.razor — small entity, validates the pattern - DriverEdit.razor — keystone for everything downstream (Equipment/Tag/VirtualTag/ScriptedAlarm), JSON config editor per Q1 with reformat on save and validation pre-flight - ClusterNamespaces row gains an Edit button + New action - ClusterDrivers expanded view gains an Edit button + New action Equipment/UnsArea/UnsLine/Tag/ACL/VirtualTag/ScriptedAlarm/Script forms follow this same template in subsequent F15.2 batches. All 9 integration tests still green; no v2 test regressions.	2026-05-26 08:14:36 -04:00
Joseph Doherty	74161f9460	feat(adminui): F15 Phase D — logic + ops pages ... - ClusterAudit (/clusters/{id}/audit) — reads ConfigAuditLog with the EventId/CorrelationId columns added in F3; shown as a Cluster tab - VirtualTags (/virtual-tags) — fleet-wide read view - ScriptedAlarms (/scripted-alarms) — fleet-wide read view - Scripts (/scripts) — fleet-wide; expandable code preview - RoleGrants (/role-grants) — per Q4, surfaces the fleet-wide LDAP-group → role mapping from Authentication:Ldap:GroupToRole (read-only; reload via host restart) - Certificates (/certificates) — own/trusted/issuer/rejected store contents resolved against OpcUa:PkiStoreRoot config (F13a) - Reservations (/reservations) — ExternalIdReservation table - AlarmsHistorian (/alarms-historian) — live HistorianAdapterActor sink status via the F11 GetStatus query; 5s polling ScriptLog deferred (needs the F16-deferred ScriptLogHub bridge). ClusterNav extended with the Audit tab. Adds an AdminUI → Runtime project reference so the historian status page can inject IRequiredActor<HistorianAdapterActorKey>. NuGet audit suppression for the transitive Opc.Ua.Core advisory mirrored from the Runtime project. All 104 v2 tests still green.	2026-05-26 08:01:23 -04:00
Joseph Doherty	396052a126	feat(adminui): F15 Phase C — config-tab read views (Equipment/UNS/Namespaces/Drivers/Tags/ACLs) ... Per Q3 of the rebuild plan, each v1 ClusterDetail tab becomes a separate route under /clusters/{id}/<tab>. This batch adds read-only table views for the six core config entity types; live-edit forms with RowVersion concurrency land in Phase C.2 once the read-view shape is reviewed. - ClusterEquipment /clusters/{id}/equipment — joins via DriverInstance so the cluster scope works - ClusterUns /clusters/{id}/uns — Areas + Lines tables - ClusterNamespaces /clusters/{id}/namespaces — Kind + URI + Enabled chip - ClusterDrivers /clusters/{id}/drivers — collapsed list with JSON config expandable per Q1 (typed editors deferred) - ClusterTags /clusters/{id}/tags — first 200 by name + filter - ClusterAcls /clusters/{id}/acls — LDAP group + scope + NodePermissions bits Shared ClusterNav.razor extracted; ClusterOverview + ClusterRedundancy updated to use it. _Imports.razor adds Components.Shared so the shared nav is in scope across pages.	2026-05-26 07:56:39 -04:00
Joseph Doherty	fd0cc4dfdb	feat(adminui): F15 Phase B — cluster CRUD + Overview/Redundancy routes ... - ClustersList (/clusters) — table view, row-click opens detail - NewCluster (/clusters/new) — EditForm with DataAnnotations; redundancy mode + node-count coupling enforced client-side (None→1, Warm/Hot→2); CreatedBy taken from AuthenticationStateProvider - ClusterOverview (/clusters/{id}) — cluster details + last-deployment badge + node list. Per Q3, the legacy 10-tab monolith is split into separate routes; this page hosts the Overview "tab" as its primary slot - ClusterRedundancy (/clusters/{id}/redundancy) — static ServiceLevelBase config view; live ServiceLevel comes via RedundancyStateActor DPS topic (deferred to its own follow-up once the SignalR bridge lands) The other 8 v1 cluster tabs (Equipment, UNS, Namespaces, Drivers, Tags, ACLs, ScriptedAlarms, Scripts, Audit) land in Phase C/D.	2026-05-26 07:52:41 -04:00
Joseph Doherty	850d6774ea	feat(adminui): F15 Phase A — shell + auth + fleet + hosts pages ... Implements Phase A of the F15 rebuild plan: minimum-viable Admin surface with a working sign-in path and a fleet-state landing page. Decisions Q1–Q5 of docs/v2/AdminUI-rebuild-plan.md were taken as recommended. - App.razor (moved into AdminUI library from the Host stub; vendored Bootstrap from RCL wwwroot — no public CDN, air-gap safe) - Routes.razor (AuthorizeRouteView enforces page-level [Authorize]) - RedirectToLogin.razor (preserves returnUrl through the auth hop) - Login.razor (static SSR, posts to /auth/login; Q5 wording about generic-vs-specific LDAP errors) - Account.razor (identity + fleet roles + raw LDAP groups; Q4 — no per-cluster grants; fleet-wide LDAP-group → role mapping only) - Fleet.razor (per-node deployment status: reads NodeDeploymentState + unions with IClusterRoleInfo.MembersWithRole("driver") so freshly- joined nodes appear as "waiting"; 10s auto-refresh) - Hosts.razor (Akka cluster topology: members, status, roles, role- leader; 5s auto-refresh) Host's stub App.razor deleted; Program.cs now points at AdminUI.Components.App via an added using. All 104 v2 tests remain green.	2026-05-26 07:49:35 -04:00
Joseph Doherty	36c4751571	feat(opcua): F13a — cert auto-creation in OpcUaApplicationHost ... Adds OPC UA SDK's CheckApplicationInstanceCertificate call to OpcUaApplicationHost.StartAsync, removing the v1 friction of needing to pre-create the PKI directory tree before booting. - New OpcUaApplicationHostOptions.PkiStoreRoot (defaults to "pki") - BuildConfigurationAsync now derives own/issuer/trusted/rejected from PkiStoreRoot so the cert paths are configurable + consistent - EnsureApplicationCertificateAsync runs before StandardServer.Start, and fails fast with a clear message if the SDK can't produce a valid cert - 2 new tests: fresh-tree creates a cert, second boot reuses it Partial slice of follow-up F13. Endpoint-security, user-token validator, and observability wiring still pending in the F13 follow-up. OpcUaServer tests: 4 → 6.	2026-05-26 07:34:48 -04:00
Joseph Doherty	686138123f	feat(runtime): F11 — HistorianAdapterActor wired to IAlarmHistorianSink ... Reshapes the placeholder buffered-counter actor into a thin fire-and-forget bridge over the existing IAlarmHistorianSink contract. Default sink is NullAlarmHistorianSink; production deployments override the DI binding to SqliteStoreAndForwardSink wrapping WonderwareHistorianClient (the v1 components in src/Drivers/ZB.MOM.WW.OtOpcUa.Driver.Historian.Wonderware* are reused verbatim — actor is just a mailbox-friendly entry point). - HistorianAdapterActor.Props(IAlarmHistorianSink?) — null defaults to NullAlarmHistorianSink - Receive<AlarmHistorianEvent>: fire-and-forget sink.EnqueueAsync - Receive<GetStatus>: returns sink.GetStatus() (queue depth + drain state) - ServiceCollectionExtensions.AddOtOpcUaRuntime registers the default sink - WithOtOpcUaRuntimeActors spawns the actor + registers HistorianAdapterActorKey - Program.cs calls AddOtOpcUaRuntime when hasDriver Tests: 2 new (forward-to-sink + GetStatus). Runtime suite 17 → 18.	2026-05-26 07:18:08 -04:00
Joseph Doherty	f18c285cca	feat(adminui): FleetStatusSignalRBridge — DPS → SignalR forwarding (F16) ... New per-admin-node actor that subscribes to the fleet-status DistributedPubSub topic + forwards every FleetStatusChanged snapshot to all SignalR clients connected to FleetStatusHub via IHubContext. Wired via WithOtOpcUaSignalRBridges (new AkkaConfigurationBuilder extension in AdminUI.Hubs) — Program.cs calls it inside the if(hasAdmin) block alongside WithOtOpcUaControlPlaneSingletons. Per-node subscription rather than cluster-singleton: every admin node forwards its own snapshots to its own connected clients. Simpler than singleton coordination + acceptable because the messages are small and SignalR fan-out is per-node anyway.	2026-05-26 07:01:08 -04:00
Joseph Doherty	8f32b89fb9	feat(adminui): FleetDiagnosticsClient real Akka ActorSelection round-trip (F17) ... - New Commons.Messages.Fleet.GetDiagnostics request record. - DriverHostActor handles GetDiagnostics in all three states (Steady, Applying, Stale); replies with a NodeDiagnosticsSnapshot built from _currentRevision + the local NodeId. Drivers list is empty until F7 wires the per-instance children. - FleetDiagnosticsClient now resolves the target via ActorSelection at akka.tcp://{system}@{nodeId}/user/driver-host and Asks with a 3s timeout. On timeout/peer-down it returns an empty snapshot so the UI degrades gracefully rather than throwing. Two new integration tests in Host.IntegrationTests: - GetDiagnostics_returns_snapshot_with_target_NodeId verifies the cross-node Ask/Reply works. - GetDiagnostics_after_deploy_reports_current_revision exercises the end-to-end path: AdminOps starts a deployment, both DriverHostActors apply, then diagnostics reports the new revision on both nodes. All 98 v2 tests pass (was 96 + 2 new).	2026-05-26 06:58:11 -04:00
Joseph Doherty	b06e3ae740	feat(runtime): PeerOpcUaProbeActor real TCP-connect probe (F12) ... Replaces the Ok=true stub with a TCP connect to the peer's OPC UA port (4840 default) with a 2s timeout. A successful connect indicates the OPC UA server process is up + accepting connections — enough for the redundancy calculator to treat the peer as live. A full secure-channel Hello/Acknowledge handshake is overkill for what the redundancy calc consumes and would pull in the OPC UA Client SDK + a PKI setup. Upgrade later if a deeper liveness signal is ever required. Probe extracts the host from NodeId by stripping the :port suffix (commit 5cfbe8b encoded host:port into NodeId for cluster-member identity). Tests: 2 new tests — Ok=true against a live TcpListener on a chosen port, Ok=false against an unreachable endpoint. All 17 Runtime tests pass (was 16 covering only the message-contract surface).	2026-05-26 06:54:51 -04:00
Joseph Doherty	f57f61deac	feat(audit): EventId + CorrelationId columns + filtered unique index (F3 + F4) ... ConfigAuditLog gains two nullable columns (EventId, CorrelationId) + a filtered unique index UX_ConfigAuditLog_EventId. EF migration 20260526105027_AddConfigAuditLogEventIdColumns is additive (nullable + filtered index = legacy rows backfill cleanly). AuditWriterActor now writes EventId + CorrelationId into the dedicated columns instead of synthesising a JSON wrapper into DetailsJson. Cross-restart dedup is now real: a retry of an already-flushed batch hits the unique index and SaveChanges throws; the existing catch drops the duplicate without losing the rest of the batch. WrapDetails helper deleted — F4 (its JSON hardening) becomes moot. AuditWriterActorTests.Details_wrapper_embeds_eventId_and_correlationId renamed + rewritten to assert against the columns. All 29 ControlPlane tests pass, all 95 v2 tests green.	2026-05-26 06:52:53 -04:00
Joseph Doherty	5cfbe8b5dd	test(host): deploy happy-path + idempotency integration tests (Task 59) ... DeployHappyPathTests exercises the full deploy pipeline on the 2-node harness: AdminOperationsActor → ConfigPublishCoordinator → DistributedPubSub → DriverHostActor on both nodes → ApplyAck → coordinator seals. Verifies both NodeDeploymentState rows reach Applied and Deployment.Status reaches Sealed. Exposed + fixed two production bugs along the way: 1. Coordinator was publishing DispatchDeployment on the "deployments" topic but never subscribed to anything — DriverHostActor ACKs published on the same topic could not reach it. Added dedicated "deployment-acks" topic with coordinator subscription in PreStart, and DriverHostActor publishes ACKs there. 2. NodeId derivation used member.Address.Host only — two cluster members on a shared loopback host (test harness, dev VMs) collided to one identity. The coordinator's expected-ack set became {1} and the system sealed after only half the nodes acked. Switched to host:port everywhere (ClusterRoleInfo + coordinator) so loopback nodes stay distinct and production identities are harmlessly more specific. Tests: 95 v2 tests pass (was 93 + 2 deploy tests), 0 skipped. Failover scenarios (design §8 cases 3-7: node-kill-mid-apply, split-brain, restart-during-deploy) deferred — they need controlled node-down primitives on the harness. Tracked as F22 (failover scenario test cases).	2026-05-26 06:34:36 -04:00
Joseph Doherty	d6fac2d81d	test(host): 2-node integration test harness + consolidate to one ActorSystem (Task 58) ... Builds TwoNodeClusterHarness: two in-process Host-equivalent nodes sharing an in-memory ConfigDb. Forms a 2-member Akka cluster. ClusterFormationTests proves both nodes see each other as admin+driver role members. Fixes a real production bug uncovered while wiring the harness — Program.cs ran two separate ActorSystems (one from AddOtOpcUaCluster.AkkaHostedService with cluster HOCON, one from Akka.Hosting.AddAkka with bare HOCON). Cluster singletons landed on the bare ActorSystem and could not actually form a cluster ("Configuration does not contain `akka.cluster` node"). Consolidation: - AddOtOpcUaCluster now only binds AkkaClusterOptions + registers IClusterRoleInfo - New WithOtOpcUaClusterBootstrap pushes embedded HOCON + Remote/Cluster options into Akka.Hosting's AkkaConfigurationBuilder - AkkaHostedService.cs deleted — Akka.Hosting now owns the lifecycle - Program.cs + harness call WithOtOpcUaClusterBootstrap inside AddAkka Why not WebApplicationFactory<Program>? Program.cs reads OTOPCUA_ROLES from process env (shared across in-process WAFs); the harness replays Program.cs's DI graph from a clean WebApplicationBuilder per node with per-node config overrides. Same production extensions, isolated config + Kestrel + Akka ports. Tests: 93 v2 tests pass (was 91 + 2 new cluster formation), 0 skipped.	2026-05-26 06:27:04 -04:00