1056 Commits

This Branch

This Branch

All Branches

Author	SHA1	Message	Date
Joseph Doherty	f9fc7dd2e1	feat(host): wire UseWindowsService so sc.exe-installed service runs cleanly ... The v2 plan's blessed install path (scripts/install/Install-Services.ps1) registers the host via `sc.exe create binPath=...OtOpcUa.Host.exe`, but the binary never called `UseWindowsService`. Without it, the Service Control Manager waits ~30s for the process to call SetServiceStatus(Running) and then kills it — the install script's design was incomplete. Two changes: - Host.csproj: drop the `IsOSPlatform('Windows')` condition on the Microsoft.Extensions.Hosting.WindowsServices package reference so the package is always available. The runtime helper used by UseWindowsService gates on WindowsServiceHelpers.IsWindowsService() internally, so it's a no-op when running as a console app or under Linux/macOS — the binary stays cross-platform-buildable. - Program.cs: call builder.Host.UseWindowsService(options => options.ServiceName = "OtOpcUaHost") immediately after CreateBuilder. When the host is launched by SCM, WindowsServiceLifetime takes over the IHostLifetime slot and reports START/STOP correctly. When launched by `dotnet run` or `OtOpcUa.Host.exe` from a console, it's a no-op. Verified end-to-end on wonder-app-vd03.zmr.zimmer.com: `sc.exe create` followed by `sc.exe start OtOpcUaHost` transitions from START_PENDING to RUNNING; /login + /health/ready + /health/active all return 200; service survives SSH session close and auto-starts on boot per the AUTO_START flag set by the installer script.	2026-05-26 17:07:52 -04:00
Joseph Doherty	7dfbca6469	feat(opcua): materialise SystemPlatform tags (Galaxy) as OPC UA variables ... Closes the gap where Tag rows with EquipmentId=NULL + Namespace.Kind=SystemPlatform (Galaxy hierarchy) existed in ConfigDb but were never surfaced in the OPC UA address space. Now they materialise as Variable nodes under a folder named for their FolderPath, browseable through any OPC UA client. Layers touched: - IOpcUaAddressSpaceSink: new EnsureVariable(nodeId, parentFolderId, displayName, dataType) signature on the sink interface, NullSink, DeferredSink, SdkSink. - OtOpcUaNodeManager.EnsureVariable: creates a BaseDataVariableState parented under the named folder (or root), initial Value=null + StatusCode=BadWaitingForInitialData; resolves Tag.DataType strings to the matching OPC UA built-in NodeId. Idempotent. - Phase7CompositionResult: new GalaxyTags collection of GalaxyTagPlan records carrying (TagId, DriverInstanceId, FolderPath, DisplayName, DataType, MxAccessRef). Constructor overloads keep existing call sites compiling. - Phase7Composer.Compose: now takes Tag + Namespace inputs, filters for SystemPlatform-namespace tags with EquipmentId=NULL, emits GalaxyTagPlan rows with MXAccess ref "FolderPath.Name". - Phase7Plan: new AddedGalaxyTags / RemovedGalaxyTags / ChangedGalaxyTags collections + GalaxyTagDelta record; IsEmpty + needsRebuild updated. - Phase7Planner.Compute: diffs GalaxyTags by TagId via existing DiffById helper. - DeploymentArtifact.ParseComposition: reads the Tags + Namespaces + DriverInstances arrays the ConfigComposer already emits, applies the same SystemPlatform filter, returns the same GalaxyTagPlan list as the composer so artifact-side and compose-side plans agree. - Phase7Applier: new MaterialiseGalaxyTags pass that ensures one folder per distinct FolderPath then one Variable per tag. NodeId for the variable is "<FolderPath>.<Name>" matching the MXAccess ref so the future Galaxy SubscribeBulk wiring can address them directly. - OpcUaPublishActor.RebuildAddressSpace: invokes MaterialiseGalaxyTags after MaterialiseHierarchy. _lastApplied initialiser updated for the new ctor. - seed-clusters.sql: pre-existing TestMachine_001.TestAlarm001..003 rows needed no change — the composer/applier now picks them up automatically. Verified end-to-end via docker-dev: deploy click → driver-a logs "Phase7Applier: Galaxy tags materialised (tags=3, folders=1)" → OPC UA Client CLI browses the three Variable nodes under TestMachine_001 folder. Reads return BadWaitingForInitialData status (expected — Galaxy driver's SubscribeBulk wiring to push values into the nodes is the remaining follow-up).	2026-05-26 15:43:22 -04:00
Joseph Doherty	44b8a9c7ff	fix(deploy): ClusterNode NodeId uses host:port + Traefik sticky cookie ... Two bring-up issues found while clicking through the operator Deploy flow on the docker-dev stack: - ConfigPublishCoordinator computes expected-ack NodeIds from Akka.Cluster.State.Members as "{host}:{port}" (e.g. "driver-a:4053") to match ClusterRoleInfo's NodeId derivation. The seed had been using the bare service name ("driver-a"), so NodeDeploymentState INSERT hit FK violation 547 on NodeDeploymentState.NodeId → ClusterNode.NodeId. Seed now writes the full host:port form for every ClusterNode row. - Blazor Server uses SignalR (WebSocket upgrade after the initial GET). Without sticky sessions, Traefik round-robins admin-a/admin-b and the WebSocket upgrade lands on the wrong backend, returning "No Connection with that ID: Status code '404'" so @onclick handlers never fire on the client. Added sticky.cookie (otopcua_lb, SameSite=Lax) to all three Traefik service loadBalancers so each session pins to one node. Verified end-to-end: clicked "Deploy current configuration" on /deployments → Deployment row sealed in ~70ms → driver-a + driver-b spawn GalaxyMxGateway driver (stub=False) → GalaxyDriver connects to http://10.100.0.48:5120 with the seeded ApiKeySecretRef=env:GALAXY_MXGW_API_KEY.	2026-05-26 15:10:11 -04:00
Joseph Doherty	60beb9128e	feat(deploy,runtime): wire mxaccessgw connection — endpoint, key, seed row ... User confirmed the mxaccessgw client (Galaxy driver) doesn't need Windows — only the gateway worker has that constraint. This wires the Galaxy driver into the docker-dev fleet: - docker-compose.yml: GALAXY_MXGW_API_KEY env var on every host service (admin nodes harmlessly ignore it; driver-role nodes pick it up when the seeded DriverInstance resolves ApiKeySecretRef=env:GALAXY_MXGW_API_KEY). Default value matches the key the operator provided; override via shell env (GALAXY_MXGW_API_KEY=... docker compose up -d) to rotate without editing compose. - seed-clusters.sql: now creates a SystemPlatform Namespace (MAIN-galaxy, urn:zb:docker-dev:galaxy) plus a GalaxyMxGateway DriverInstance (MAIN-galaxy-mxgw) in the MAIN cluster pointing at http://10.100.0.48:5120 with UseTls=false. Idempotent via IF NOT EXISTS. - DriverInstanceActor.ShouldStub: clarified the doc comment — only the legacy "Galaxy" type name and "Historian.Wonderware" are Windows-only; the v2 "GalaxyMxGateway" driver is .NET 10 cross-platform (gRPC to an external gateway) and is NOT stubbed. - README: documents the final operator step — sign in, click "Deploy current configuration" on /deployments to materialise the seeded Galaxy driver into a running gRPC connection. Raw DriverInstance rows don't spawn drivers on their own; the v2 lifecycle requires a sealed Deployment first.	2026-05-26 14:58:02 -04:00
Joseph Doherty	6884de9774	revert(adminui): restore 'OtOpcUa Admin' login title ... User chose to revert the MxAccess Gateway rebrand on the login card. Keep the layout fix from c064ec1 (no panel-head top strip; inline h1.login-title) and just put the original product name back.	2026-05-26 14:50:06 -04:00
Joseph Doherty	c064ec16cf	fix(security,adminui): logout redirects to /login + restyle login card ... Two small UX fixes: - AuthEndpoints.LogoutAsync now redirects browser callers to /login after SignOutAsync instead of returning 204 NoContent. 204 was correct for the REST contract but left browsers stuck on the page they came from (the cookie was cleared but no navigation happened, so "Sign out" appeared to do nothing). API callers can still opt into the status-only behavior by sending `Accept: application/json`. - Login.razor drops the .panel-head top strip; the sign-in card now reads as a self-contained form with an inline title "MxAccess Gateway Admin — sign in". Added a .login-title CSS class to site.css that matches the panel-head's typographic weight without the bar.	2026-05-26 14:47:53 -04:00
Joseph Doherty	ed1c17bc7b	fix(deploy,host): docker-dev bring-up — anon health probes, robust seeder ... Two fixes surfaced while bringing up the docker-dev stack end-to-end: - HealthEndpoints.MapOtOpcUaHealth now calls .AllowAnonymous() on /health/ready, /health/active, /healthz. Without it the AddOtOpcUaAuth fallback policy 401s every probe and Traefik marks every backend unhealthy → all three cluster routes return 503. - cluster-seed entrypoint no longer attempts to apply Migrate-To-V2.sql via sqlcmd. The EF-generated idempotent script puts CREATE PROCEDURE inside IF NOT EXISTS BEGIN ... END blocks (procs must be first in their batch), so sqlcmd fails with "Must declare the scalar variable @FromGenerationId". EF's own runner handles this; sqlcmd doesn't. The seed now just waits for the schema and applies row inserts. Migrations remain the operator's job: dotnet ef database update --project src/Core/.../Configuration \ --startup-project src/Server/.../Host Also: LDAP service removed (bitnami/openldap:2.6 image retired, legacy tag crashes mid-setup with exit 68); every host now runs with Authentication__Ldap__DevStubMode=true. Bumped LDAP+Traefik dashboard host ports to avoid collisions with the sister scadalink dev stack (3893→3894, 8080→8089). Confirmed working end-to-end: all three Traefik routes return HTTP 200, cluster-seed populates ServerCluster (MAIN/SITE-A/SITE-B) + ClusterNode (driver-a/b, site-a-1/2, site-b-1/2) rows on first boot.	2026-05-26 14:37:01 -04:00
Joseph Doherty	1e64488c0d	Merge branch 'v2-gap-closeout' — close audit gaps + dev-UX polish ... Closes the four gaps from the 2026-05-26 hosting-alignment audit and adds the supporting dev infrastructure that surfaced while smoke-testing the fused Host: Audit-gap closure: - feat(host): per-role appsettings overlays for admin / driver / admin-driver - feat(opcua): OpcUaApplicationHost.PeerApplicationUris populates Server.ServerArray via IServerInternal.ServerUris.Append; unit test + new OpcUaServer.IntegrationTests project carrying DualEndpointTests (real OPCFoundation client reads both peer URIs) - refactor(test): rename FailoverScenarioTests → FailoverDuringDeployTests - chore(cleanup): remove stale bin/obj shells for deleted v1 Server/Admin projects - ci(v2): integration matrix now runs both Host.IntegrationTests and OpcUaServer.IntegrationTests Doc audit + refresh: - 3 commits rewriting stale paths and adding v2 architecture coverage across Redundancy / ServiceHosting / Cluster / OpcUaServer / security / Architecture-v2 / v2-release-readiness / phase-7-status / README and 7 driver-touched doc files Dev-UX (surfaced while smoke-testing in Chrome): - fix(host,security): UseStaticWebAssets, MapStaticAssets().AllowAnonymous, AddCascadingAuthenticationState, ILdapAuthService Scoped→Singleton, /auth/login Content-Type dispatch + DisableAntiforgery, real LdapOptions.DevStubMode - feat(adminui): ScadaLink-style sidebar — drop the top app-bar, brand in side rail, collapsible NavSection sections with cookie state (otopcua_nav), new LoginLayout (no rail), NavSidebar as the interactive island so MainLayout stays static-rendered - fix(adminui): refresh stale F9 stub copy on /alerts page docker-dev deployment: - feat(deploy): add site-a + site-b 2-node clusters (fused admin+driver) — three isolated Akka meshes (disjoint seed lists) sharing the single OtOpcUa ConfigDb; Traefik routes via Host(`site-a.localhost`) / Host(`site-b.localhost`) - feat(deploy): one-shot cluster-seed Compose service applies an idempotent SQL seed (3 ServerCluster rows + 6 ClusterNode rows) so operators don't have to pre-populate via the Admin UI on every fresh bring-up 19 commits, all conventional-commits format. Branch was pushed and reviewed on gitea before the merge.	2026-05-26 14:08:29 -04:00
Joseph Doherty	f02071c9a2	feat(deploy): bake the ServerCluster/ClusterNode seed into docker-compose ... Adds a one-shot cluster-seed service to docker-dev/docker-compose.yml that pre-populates the three Akka clusters' scope rows in the shared OtOpcUa ConfigDb so operators don't have to click through /clusters + /hosts on every fresh bring-up. Seed contents: ServerCluster MAIN (Warm/2), SITE-A (Warm/2), SITE-B (Warm/2) ClusterNode driver-a + driver-b → MAIN site-a-1 + site-a-2 → SITE-A site-b-1 + site-b-2 → SITE-B NodeCount + RedundancyMode honour the CK_ServerCluster check constraint. ApplicationUri follows the urn:OtOpcUa:<NodeId> convention; uniqueness across the fleet satisfies UX_ClusterNode_ApplicationUri. Mechanism: - docker-dev/seed/seed-clusters.sql — idempotent INSERTs (IF NOT EXISTS guards on every row). - docker-dev/seed/entrypoint.sh — bash wrapper that waits for SQL to accept connections, then polls until dbo.ServerCluster exists (the host containers' EF auto-migration creates it on first boot), then applies the SQL script. - cluster-seed service uses mcr.microsoft.com/mssql-tools as the base image (bash + sqlcmd available), restart: "no" so it runs once. Re-running `docker compose up` is safe: the seed exits cleanly on the second run because every INSERT is guarded. Manual re-seed: `docker compose run --rm cluster-seed`.	2026-05-26 14:06:47 -04:00
Joseph Doherty	993e012e55	fix(deploy): site clusters share the single OtOpcUa ConfigDb ... The previous commit (961e094) gave each site cluster its own database (OtOpcUa_SiteA / OtOpcUa_SiteB). That fights the architecture — ConfigDb is multi-tenant by design: one schema with a ServerCluster table whose rows scope the rest of the configuration via ClusterId. Per-cluster databases would split the schema and force every singleton/coordinator to point at a different connection string. Correct model: one ConfigDb, three ServerCluster rows (MAIN / SITE-A / SITE-B), each Akka cluster's ClusterNode rows pointing back at the matching ClusterId. Akka mesh isolation is still enforced by the disjoint seed-node lists (unchanged from the previous commit). Compose: all eight host nodes now point at Server=sql,1433;Database=OtOpcUa and the README documents the post-boot ServerCluster + ClusterNode rows operators need to create via /clusters and /hosts before the runtime can resolve its scope.	2026-05-26 14:02:24 -04:00
Joseph Doherty	961e09430a	feat(deploy): add site-a + site-b 2-node clusters to docker-dev ... Extends the docker-dev compose with two additional, fully-isolated Akka clusters representing distinct sites. Each site is a 2-node fused admin+driver cluster (OTOPCUA_ROLES=admin,driver on both nodes), backed by its own ConfigDb database so configuration state stays separate from the main cluster and from the other site. Cluster isolation: the three meshes share the same Akka system name "otopcua" and remoting port 4053 (inside each container's own network namespace), but their seed-node lists are disjoint — main seeds at admin-a, site-a seeds at site-a-1, site-b seeds at site-b-1 — so gossip doesn't cross between them. Layout: Main cluster ConfigDb=OtOpcUa admin-a, admin-b, driver-a, driver-b Site A ConfigDb=OtOpcUa_SiteA site-a-1, site-a-2 (fused admin+driver) Site B ConfigDb=OtOpcUa_SiteB site-b-1, site-b-2 (fused admin+driver) OPC UA endpoints exposed on host ports 4840-4845. Admin UIs reachable through Traefik via Host-header routing: http://localhost → main cluster (PathPrefix default) http://site-a.localhost → site A http://site-b.localhost → site B `*.localhost` auto-resolves on macOS; Linux users add the two hosts to /etc/hosts (or rely on the resolver's RFC 6761 behaviour).	2026-05-26 13:59:23 -04:00
Joseph Doherty	a1a7646b33	fix(adminui): refresh stale F9 stub copy on /alerts page ... ScriptedAlarmActor (Runtime/ScriptedAlarms) shipped a while back — the "Engine wiring (F9 ScriptedAlarmActor) is pending" stub message was misleading. Also drop the matching "(F9)" / "(future)" parentheticals in the intro panel and frame the empty state as a current-window condition, not a missing feature.	2026-05-26 13:53:09 -04:00
Joseph Doherty	e4d0d82f7f	feat(adminui): collapsible nav sidebar with cookie state + LoginLayout ... Port the ScadaLink CentralUI sidebar pattern into the OtOpcUa AdminUI: - Drop the top app-bar. Brand moves into the side rail's header — same visual rhythm as ScadaLink's NavMenu. - New NavSection.razor: collapsible eyebrow toggle (rail-eyebrow-toggle CSS) with a chevron + label. Mirrors ScadaLink/Components/Layout/NavSection. - New NavSidebar.razor: interactive island carrying the three section groups (Navigation / Scripting / Live) + session block. Marked @rendermode InteractiveServer; MainLayout itself stays static-rendered because layouts can't take a RenderFragment Body across an interactive boundary. - New wwwroot/js/nav-state.js: window.navState.get/.set persists the expanded-section list to the otopcua_nav cookie (one-year lifetime, SameSite=Lax). Same shape as ScadaLink's scadabridge_nav. - New LoginLayout.razor + @layout LoginLayout on Login.razor: the login page now renders without the side rail — clean centred card. - MainLayout.razor: slimmed down to the d-flex shell + hamburger toggle + <NavSidebar/> + @Body. - Login.razor: also drops the trailing "LDAP bind against the configured directory..." footer that the user asked to remove. - site.css: adds .side-rail .brand styles (mirrored from ScadaLink) and the .rail-eyebrow-toggle / .rail-eyebrow-chevron / .rail-section-body styles for the new collapsible UI. Auto-expand on page load: NavSidebar seeds the expanded set from the current URL's first path segment (in OnInitialized so it works even on the very first server render) and from the cookie (in OnAfterRenderAsync once JS interop is available). LocationChanged hooks keep the expanded state in sync as the user navigates between sections.	2026-05-26 13:48:35 -04:00
Joseph Doherty	2915755a7c	fix(host,security): wire static assets, DI lifetimes, form login, dev-stub LDAP ... Six interlocking fixes surfaced while smoke-testing the fused Host in a browser: - Host/Program.cs: UseStaticWebAssets() opts into the RCL static-asset pipeline in any environment (auto-only in Development), MapStaticAssets().AllowAnonymous() exempts CSS/JS from the AddOtOpcUaAuth fallback policy, and AddCascadingAuthenticationState() lets <AuthorizeView/> work inside interactive components (NavSidebar's session block). - Security/ServiceCollectionExtensions: ILdapAuthService Scoped → Singleton — consumed by the Singleton LdapOpcUaUserAuthenticator on driver-role nodes. Crash only surfaced in Development (ValidateOnBuild=true). - Security/Endpoints/AuthEndpoints: /auth/login now dispatches on Content-Type — application/json keeps the original 204/401/503 contract for tests, and application/x-www-form-urlencoded (the browser <form>) gets a redirect dance. DisableAntiforgery on the login endpoint (it's the entry point, no prior session) and AllowAnonymous to override the fallback policy. - Security/Ldap/LdapOptions + LdapAuthService: real DevStubMode property; when true the auth service bypasses the LDAP bind and returns a FleetAdmin role so dev/test can navigate the full Admin UI without GLAuth running. - AdminUI/EndpointRouteBuilderExtensions: doc-comment update about static-asset flow (the actual MapStaticAssets call lives in Host/Program.cs).	2026-05-26 13:48:18 -04:00
Joseph Doherty	a5c6ce279e	docs(v2): finish path corrections in phase-7-status, admin-ui, OpcUaClient fixture	2026-05-26 12:09:47 -04:00
Joseph Doherty	59b3d9f295	docs: rewrite stale src/Server/Server|Admin/ paths to v2 project locations	2026-05-26 12:06:59 -04:00
Joseph Doherty	89095c15e3	docs(v2): update for gap-closeout — peer-URI discovery, role overlays, release status	2026-05-26 11:58:06 -04:00
Joseph Doherty	bdae749b2b	docs(plans): mark gap-closeout tasks complete	2026-05-26 11:48:05 -04:00
Joseph Doherty	e8c4f18607	ci(v2): include OpcUaServer.IntegrationTests in integration matrix	2026-05-26 11:42:44 -04:00
Joseph Doherty	cb936db7d6	fix(opcua): PopulateServerArray writes IServerInternal.ServerUris so clients see peers	2026-05-26 11:39:44 -04:00
Joseph Doherty	a5412c16a3	fix(test): align DualEndpointTests SDK to 1.5.374.126 + sync API	2026-05-26 11:34:01 -04:00
Joseph Doherty	dce2528c68	test(opcua): DualEndpointTests — real client reads peer URIs from Server.ServerArray	2026-05-26 11:29:53 -04:00
Joseph Doherty	83eda9e826	test(opcua): scaffold OtOpcUa.OpcUaServer.IntegrationTests project	2026-05-26 11:23:21 -04:00
Joseph Doherty	70ffd2849d	feat(opcua): OpcUaApplicationHost publishes peer URIs in Server.ServerArray	2026-05-26 11:21:11 -04:00
Joseph Doherty	898a47746d	feat(host): add per-role appsettings overlays for admin/driver/admin-driver	2026-05-26 11:19:10 -04:00
Joseph Doherty	25ce111981	refactor(test): rename FailoverScenarioTests → FailoverDuringDeployTests for plan parity	2026-05-26 11:18:13 -04:00
Joseph Doherty	7209bc99e2	docs(plans): gap-closeout plan + task persistence file	2026-05-26 11:15:59 -04:00
Joseph Doherty	2c49f18442	Merge branch 'v2-akka-fuse' — Akka + fused-host v2 architecture ... 129 commits implementing the v2 plan in full plus every load-bearing follow-up. v2-akka-fuse is feature-complete and 210 tests green at 05a0596. Architecture - Single fused-host process (OtOpcUa.Host) replacing the v1 multi-process Server + Admin + Galaxy.Host split. Roles (admin, driver, historian) gate which Akka actors + ASP.NET surfaces wire up at boot. - Akka.NET cluster (DistributedPubSub for fleet topics) with singleton AdminOperationsActor + ConfigPublishCoordinator on admin-role nodes; DriverHostActor + per-driver DriverInstanceActor + VirtualTagActor + ScriptedAlarmActor + OpcUaPublishActor on driver-role nodes. - New AdminUI Razor class library (~42 pages, single-page edit-or-create + RowVersion concurrency) replaces the 47 legacy admin pages. Production data path (end-to-end) - ControlPlane composes deployment artifact → DistributedPubSub dispatch → DriverHostActor reconciles drivers → DriverInstanceActor binds real IDriver instances (read/subscribe/write) → AttributeValueUpdate flows to OpcUaPublishActor → SDK NodeManager writes visible to OPC UA clients with proper UNS Area/Line/Equipment folder hierarchy. Security - OPC UA transport: None / Basic256Sha256-Sign / SignAndEncrypt all exposed; auto-accept-untrusted-cert option for dev. - LDAP-bound UserName auth via ImpersonateUser handler (same ILdapAuthService as Admin cookie/JWT). - Cert auto-creation in PKI tree on first start. Observability - OtOpcUaTelemetry Meter + ActivitySource; 6 counters + histogram + 2 spans across deploy / driver-lifecycle / virtual-tag-eval / alarm- transition / sink-write / service-level paths. Prometheus exporter mounted at /metrics. Engines (production) - RoslynVirtualTagEvaluator + RoslynScriptedAlarmEvaluator: compile user-script bodies through Core.Scripting sandbox, cache per expression, surface failures as Failure results without throwing. Redundancy - ServiceLevel through SdkServiceLevelPublisher → ServerObject.Service Level so clients see the real role-derived byte (240 primary-leader, 100 secondary). Tests - 210 v2 tests across Cluster (15), ControlPlane (29), Runtime (74), Security (27), OpcUaServer (48), Host.IntegrationTests (26). Plus 2-node integration harness covering deploy + failover scenarios. See docs/plans/2026-05-26-akka-hosting-alignment-plan.md for the full task list (66/66) and docs/plans/2026-05-26-akka-hosting-alignment- design.md for the design.	2026-05-26 11:00:53 -04:00
Joseph Doherty	05a0596fb1	feat(host): F9b RoslynScriptedAlarmEvaluator + #107 close engine DI ... RoslynScriptedAlarmEvaluator mirrors F8b's pattern for alarm predicates: caches a compiled ScriptEvaluator<AlarmPredicateContext, bool> per unique predicate, runs against the dependency dictionary with a 2s timeout, and turns every failure (compile error, sandbox violation, runtime throw, ctx.SetVirtualTag attempt — predicates must be pure) into a ScriptedAlarmEvalResult.Failure. ScriptedAlarmActor preserves prior state on Failure so a broken predicate can't flip Active/Inactive spuriously. Program.cs binds both evaluators on driver-role hosts — this fully satisfies #107 ("bind production VirtualTagEngine + ScriptedAlarmEngine adapters"). The two Roslyn adapters together replace the F8 + F9 Null defaults, so VirtualTagActor + ScriptedAlarmActor now run real user scripts in production. 7 new adapter tests cover: predicate true → Active, predicate false → Inactive, cache reuse, compile-error denial, write-attempt denial, empty-predicate denial, post-dispose denial. Host.IntegrationTests now 17/17 green. Closes #80 + #107. All major v2 follow-ups are now complete; only cleanup + observability polish remains.	2026-05-26 10:58:04 -04:00
Joseph Doherty	219d10a22d	feat(host): F8b RoslynVirtualTagEvaluator — production virtual-tag eval ... RoslynVirtualTagEvaluator wraps Core.Scripting.ScriptEvaluator + Core .VirtualTags.VirtualTagContext into a single-tag IVirtualTagEvaluator adapter. Caches the compiled ScriptEvaluator per unique expression so the second-and-onwards Evaluate is an in-process method call against the dependency dictionary. Compile/sandbox/runtime errors all surface as VirtualTagEvalResult.Failure rather than propagating exceptions through the VirtualTagActor message loop. Single-tag scope: cross-tag ctx.SetVirtualTag writes are dropped + logged because fan-out between actors is owned by DependencyMuxActor. Cycle detection + cascade ordering stay in Core.VirtualTags.VirtualTagEngine where they belong (loaded fleet-wide); this adapter keeps the actor message handler simple. Host adds Core.Scripting + Core.VirtualTags project refs, plus a TargetWarningsAsErrors NU1608 suppression — Microsoft.CodeAnalysis.CSharp .Scripting 4.12.0 pins Common to 4.12.0 but ASP.NET Core transitively brings Microsoft.CodeAnalysis.Common 5.0.0; the surface we use is stable across the drift (verified by Core.Scripting.Tests). Program.cs binds RoslynVirtualTagEvaluator → IVirtualTagEvaluator on driver-role hosts, replacing the F8-default NullVirtualTagEvaluator so VirtualTagActor evaluates real user scripts at runtime. 6 new adapter tests cover: simple expression sums, cache reuse across calls, compile-error denial, runtime-throw denial, empty-expression denial, post-dispose denial. Host.IntegrationTests now 10/10 green. Closes #79. F9b + #107 next.	2026-05-26 10:55:56 -04:00
Joseph Doherty	607dc51dec	feat(opcua): #85 UNS Area/Line/Equipment folder hierarchy in SDK ... Phase7Composer now carries UnsAreaProjection + UnsLineProjection lists so the applier can materialise the full UNS topology in the OPC UA address space. New IOpcUaAddressSpaceSink.EnsureFolder(folderNodeId, parentNodeId, displayName) seam (no-op default, recorded in tests, forwarded by DeferredAddressSpaceSink, implemented by SdkAddressSpaceSink). The SDK- side OtOpcUaNodeManager gains an EnsureFolder API that creates FolderState nodes with proper parent linkage; RebuildAddressSpace now clears folders too so re-applies don't accumulate stale topology. Phase7Applier.MaterialiseHierarchy walks composition.UnsAreas → composition.UnsLines → composition.EquipmentNodes, calling EnsureFolder with the correct parent at each level. Idempotent — calling twice with the same composition is a no-op. OpcUaPublishActor.HandleRebuild invokes it after Phase7Applier.Apply so OPC UA clients browsing the server now see Area/Line/Equipment as proper folders rather than flat tag ids. DeploymentArtifact.ParseComposition reads UnsAreas + UnsLines from the JSON snapshot the ControlPlane emits, populating the new fields when present. Phase7Composer.Compose now accepts UnsAreas + UnsLines; a 3-arg overload preserves the old signature for legacy callers + existing tests. The Phase7CompositionResult convenience ctor likewise keeps the planner tests working without UNS data. 3 new hierarchy tests (pure unit + boot-verify against a real OtOpcUaSdkServer); OpcUaServer suite is 48/48 green (was 45, +3), Runtime 74/74 unchanged. Closes #85.	2026-05-26 10:48:56 -04:00
Joseph Doherty	9d86287d08	test(opcua): Task 60 ServiceLevel end-to-end through SDK ... Boots a real StandardServer + OpcUaApplicationHost, wires SdkServiceLevelPublisher into a DeferredServiceLevelPublisher (production binding pattern), spawns OpcUaPublishActor against the deferred publisher, sends RedundancyStateChanged snapshots, and asserts that ServerObject.ServiceLevel.Value reflects the role-derived byte: Primary + RoleLeaderForDriver → 240 Secondary → 100 Together with the F13b endpoint-security tests (which already verify ServerConfiguration.SecurityPolicies populates the three baseline profiles), this closes Task 60's "dual-endpoint + ServiceLevel" scope. Cross-node failover tests stay in the 2-node integration harness (Task 59 / FailoverScenarioTests). Runtime suite now 74 / 74 green (+2). Closes Task 60.	2026-05-26 10:40:58 -04:00
Joseph Doherty	2697af31d1	feat(opcua,host): #81 ServiceLevel SDK publisher ... SdkServiceLevelPublisher writes Server.ServiceLevel through the SDK's ServerObjectState — the standard OPC UA non-transparent-redundancy signal clients use to pick a primary. Writes are guarded by DiagnosticsLock so concurrent SDK diagnostics scans don't fight with our updates. DeferredServiceLevelPublisher mirrors the DeferredAddressSpaceSink late- binding pattern: Akka actors resolve IServiceLevelPublisher at construction, hosted service swaps the SDK publisher in after StandardServer.Start. Host Program.cs registers DeferredServiceLevelPublisher as the singleton bound to IServiceLevelPublisher; OtOpcUaServerHostedService gets it injected and fills it once IServerInternal is available. Tests boot a real StandardServer on a free port (cross-platform), call Publish, then verify ServerObject.ServiceLevel.Value reflects the write. 5 new tests; OpcUaServer suite now 45/45 green (was 40, +5). Closes #81 residual. Unblocks Task 60 (OPC UA dual-endpoint + ServiceLevel tests).	2026-05-26 10:37:42 -04:00
Joseph Doherty	52997ee164	feat(observability): F13d Prometheus + OpenTelemetry instrumentation ... OtOpcUaTelemetry (Commons/Observability) centralizes the project's Meter + ActivitySource so all instrumentation points emit through a single named surface. Counters cover the hot paths: otopcua.deploy.applied (outcome=ack|reject) otopcua.deploy.apply.duration (s, histogram) otopcua.driver.lifecycle (event=spawn|spawn_stub|stop|fault) otopcua.virtualtag.eval (outcome=ok|fail|skip) otopcua.scriptedalarm.transition (state=activated|acknowledged|cleared) otopcua.opcua.sink.write (kind=value|alarm|rebuild) otopcua.redundancy.service_level_change (level=byte) Plus two ActivitySource spans: otopcua.deploy.apply wraps DriverHostActor.ApplyAndAck otopcua.opcua.address_space_rebuild wraps OpcUaPublishActor.HandleRebuild Instruments are no-op until a listener attaches, so tests + dev hosts pay nothing for unread telemetry. Host Program.cs gains AddOtOpcUaObservability() (binds the OtOpcUa Meter + ActivitySource to OpenTelemetry, attaches a Prometheus exporter) and MapOtOpcUaMetrics() (mounts /metrics scrape endpoint). Driver-side internals + ASP.NET request metrics deliberately stay off — the scrape payload is scoped to OtOpcUa signals only. Tests use MeterListener + ActivityListener to verify VirtualTagActor.eval, OpcUaPublishActor.AttributeValueUpdate, and RebuildAddressSpace actually emit on the central instruments. Runtime suite is 72 / 72 green (+3). Closes #105. Path A (F13b/c/d) complete; next batch options: #85 UNS folder hierarchy in SDK, or F8b/F9b production engine bindings.	2026-05-26 10:29:40 -04:00
Joseph Doherty	21eac21409	feat(opcua,host): F13c LDAP-bound UserName validator ... Adds IOpcUaUserAuthenticator seam in OpcUaServer.Security with a deny-all NullOpcUaUserAuthenticator default. OpcUaApplicationHost subscribes to SessionManager.ImpersonateUser after _application.Start so UserName tokens flow through the authenticator and either attach a UserIdentity to the session (Allow) or set IdentityValidationError = BadIdentityTokenRejected (Deny / authenticator exception). Anonymous + X509 tokens fall through to SDK defaults. LdapOpcUaUserAuthenticator (Host project) bridges to the same ILdapAuthService that AddOtOpcUaAuth uses for Admin cookies / JWT, so a single LDAP source-of-truth governs both Admin control plane and OPC UA data plane. Program.cs registers LdapOptions + LdapAuthService + IOpcUaUserAuthenticator on driver-role hosts; admin-only nodes are unchanged. OtOpcUaServerHostedService threads the resolved authenticator into OpcUaApplicationHost so the seam respects Host DI. 10 new tests: 6 in OpcUaServer.Tests cover the pure HandleImpersonation static method (success / denial / anonymous fallthrough / authenticator- throw / null-username / Null authenticator); 4 in Host.IntegrationTests cover the LdapOpcUaUserAuthenticator adapter (LDAP allow → Allow with roles, LDAP deny → Deny, exception → backend-error denial, display-name fallback). OpcUaServer suite is 40 / 40 green. Closes #104. Unblocks Task 60 (dual-endpoint + ServiceLevel tests) once #81 residual lands.	2026-05-26 10:21:37 -04:00
Joseph Doherty	8b08566f41	feat(opcua): F13b endpoint security profiles — Sign + SignAndEncrypt ... OpcUaApplicationHost.BuildConfigurationAsync now populates ServerConfiguration.SecurityPolicies + UserTokenPolicies from the new OpcUaSecurityProfile enum on OpcUaApplicationHostOptions. Defaults expose all three baseline profiles (None + Basic256Sha256-Sign + Basic256Sha256-SignAndEncrypt) matching docs/security.md. UserName tokens are SDK-encrypted with the server cert so they work on None endpoints too; F13c will plug the LDAP validator into SessionManager. AutoAcceptUntrustedClientCertificates surfaces as an option for dev flows; production keeps the default (false) and operators promote rejected certs through the Admin UI. InternalsVisibleTo added so BuildSecurityPolicies / BuildUserTokenPolicies stay encapsulated but unit-testable. 6 new tests cover the pure builders + two boot-verify cases (3-profile default + hardened single-profile), bringing the suite to 34 / 34 passing. Closes #103. Unblocks #104 (F13c LDAP user-token validator).	2026-05-26 10:15:04 -04:00
Joseph Doherty	50787823d3	feat(host,runtime): #108 Host DI bindings — OPC UA server + deferred sink ... Wires the OPC UA SDK into the fused Host's lifecycle on driver-role nodes + spawns OpcUaPublishActor with the proper sink/publisher/dbFactory/ applier resolution. The full read+write data path is now live in production: Deploy → DriverHost → OpcUaPublish → SDK NodeManager → subscribed OPC UA clients. DeferredAddressSpaceSink (Commons.OpcUa): - Thread-safe wrapper IOpcUaAddressSpaceSink that delegates to an inner sink swapped in at runtime. Needed because Akka actors resolve the sink at construction time, but the production sink (SdkAddressSpaceSink wrapping OtOpcUaNodeManager) only exists after the SDK StandardServer has started. - Defaults to NullOpcUaAddressSpaceSink so calls before swap are safe; SetSink(null) reverts (for graceful shutdown). OtOpcUaServerHostedService (Host.OpcUa): - IHostedService that owns the OPC UA SDK lifecycle. Reads OpcUaApplicationHostOptions from the 'OpcUa' config section, creates an OtOpcUaSdkServer, boots it through OpcUaApplicationHost, then swaps a real SdkAddressSpaceSink into the DeferredAddressSpaceSink singleton. - SDK boot failure is logged + non-fatal — the rest of the host (admin UI, driver actors) keeps running. Stop reverts to null sink. WithOtOpcUaRuntimeActors (Runtime): - Now spawns OpcUaPublishActor (new actor) + threads its ActorRef into DriverHostActor's Props so successful applies trigger the address-space rebuild pipeline. - Phase7Applier is constructed here from the resolved sink + a logger; OpcUaPublishActor takes both. - Prepends the opcua-synchronized-dispatcher HOCON so the extension is self-contained — consumers (Host, tests) don't need to redeclare the dispatcher block. - New OpcUaPublishActorKey + OpcUaPublishActorName for actor-registry resolution. - AddOtOpcUaRuntime now also TryAddSingleton's NullOpcUaAddressSpaceSink + NullServiceLevelPublisher so admin-only nodes (or tests that don't bind the Deferred sink) stay safe. Host.Program.cs (driver-role only): - Binds DeferredAddressSpaceSink as singleton + as IOpcUaAddressSpaceSink - AddHostedService<OtOpcUaServerHostedService>() Tests: OpcUaServer 24 -> 28 (+4 DeferredAddressSpaceSink unit tests), Runtime 69 -> 69 (existing ServiceCollectionExtensionsTests extended to verify the new mux + publish actor registration). All 6 v2 test suites green: 177 tests passing. Closes #108. Engine-wiring is now production-bound end-to-end on driver-role nodes — Deploy reaches real OPC UA Variable nodes that subscribed clients see.	2026-05-26 10:02:15 -04:00
Joseph Doherty	7e22e2250c	feat(runtime): #109 OpcUaPublishActor — load artifact, compose, plan-diff, apply ... Closes the loop between F10b (SDK NodeManager) and F14 (Phase7Plan + Phase7Applier). DriverHostActor's successful apply now triggers a RebuildAddressSpace on the publish actor, which loads the latest deployment artifact + walks composer → planner → applier through the sink. The OPC UA address space tracks the deployed composition. DeploymentArtifact: - New ParseComposition(blob) → Phase7CompositionResult that decodes Equipment + DriverInstance + ScriptedAlarm arrays into the projection records Phase7Planner consumes. Pascal-case property names mirror ConfigComposer.SnapshotAndFlattenAsync's output. - Each entity reader is tolerant: missing-id rows are dropped, natural-key sort matches Phase7Composer's contract. OpcUaPublishActor: - New Props params: dbFactory + applier. When wired, RebuildAddressSpace does: 1. LoadLatestArtifact (most recent Sealed Deployment.ArtifactBlob) 2. ParseComposition → Phase7CompositionResult 3. Phase7Planner.Compute(lastApplied, next) → Phase7Plan 4. Empty plan ⇒ no-op (deploy of unchanged composition is benign) 5. applier.Apply(plan) drives sink.RebuildAddressSpace + WriteAlarmState for removed nodes 6. lastApplied = next so the next rebuild diffs forward - Without dbFactory/applier wiring, falls back to raw sink.RebuildAddressSpace — the dev/Mac path before #108 binds prod. DriverHostActor: - New Props param opcUaPublishActor (IActorRef?). After successful ApplyAndAck (status Applied, ACK sent), tells the publish actor RebuildAddressSpace with the same correlation id so the audit trail threads through. Null publish actor ⇒ no trigger (admin-only nodes). Tests: Runtime 63 -> 69 (+6): - ParseComposition reads Equipment/Driver/Alarm sorted by natural key - ParseComposition returns empty for empty blob - Rebuild with dbFactory + sealed deployment artifact triggers exactly one sink.Rebuild call (Equipment topology added) - Rebuild with no artifact is idempotent no-op - Second rebuild with same composition is empty-plan no-op - Rebuild without dbFactory falls back to raw sink.Rebuild (legacy path) All 6 v2 test suites green: 173 tests passing. Closes #109. Engine-wiring data flow is now end-to-end through: Deploy → DriverHostActor.ApplyAndAck → driver spawn + ACK + RebuildAddressSpace → OpcUaPublishActor → Phase7Applier → SDK NodeManager → subscribed OPC UA clients see the change.	2026-05-26 09:55:11 -04:00
Joseph Doherty	d21f6947e1	feat(opcua): F10b SDK NodeManager binding — real OPC UA address-space writes ... OtOpcUaNodeManager + SdkAddressSpaceSink: the v2 IOpcUaAddressSpaceSink seam now has a production adapter against a real Opc.Ua.Server CustomNodeManager2. Writes through OpcUaPublishActor's sink materialise as real OPC UA Variable updates that subscribed clients see via the standard ClearChangeMasks notification path. OtOpcUaNodeManager (CustomNodeManager2): - Owns a ConcurrentDictionary<string, BaseDataVariableState> under a single namespace (https://zb.com/otopcua/ns) hung off Objects/. - WriteValue lazy-creates the variable on first write, sets Value + StatusCode (mapped from OpcUaQuality severity bits) + SourceTimestamp, then ClearChangeMasks to notify subscribers. - WriteAlarmState surfaces a [active, acknowledged] pair on a dedicated node id — full AlarmConditionState/event firing comes with #85 F14b (EquipmentNodeWalker SDK integration). - RebuildAddressSpace tears down every registered variable + clears the dictionary so the next write-pass starts fresh. - Address-space root folder is materialised in CreateAddressSpace. SdkAddressSpaceSink: thin IOpcUaAddressSpaceSink → OtOpcUaNodeManager bridge. Production DI binding (#108) constructs this once the host's StandardServer has booted. OtOpcUaSdkServer (StandardServer subclass): overrides CreateMasterNodeManager to inject OtOpcUaNodeManager via the MasterNodeManager additionalManagers ctor. NodeManager property exposes the live instance so OpcUaApplicationHost callers can wrap it in a sink. Tests: OpcUaServer 20 -> 24 (+4): - WriteValue creates + updates variables in the manager - WriteAlarmState creates a node distinct from value writes - RebuildAddressSpace clears everything; subsequent writes start fresh - NullOpcUaAddressSpaceSink no-op sanity Each test boots a real OpcUaApplicationHost on a free port with the SDK certificate auto-create flow (F13a) intact — full integration slice on macOS. All 6 v2 test suites green: 167 tests passing. F10 status updated to reflect SDK binding shipped. Residuals: - #109 OpcUaPublishActor.RebuildAddressSpace → Phase7Applier wiring - #108 Host DI default to SdkAddressSpaceSink when hasDriver - #85 F14b EquipmentNodeWalker integration (proper AlarmConditionState + folder hierarchy) - IServiceLevelPublisher SDK binding (writes Server.ServiceLevel node)	2026-05-26 09:49:44 -04:00
Joseph Doherty	7fa863f6da	feat(runtime): #113 DependencyMuxActor — drivers → virtual-tag fan-out ... End-to-end data path is now wired on the read side: driver subscriptions fire AttributeValuePublished → DriverHostActor → DependencyMuxActor → DependencyValueChanged to every interested VirtualTagActor. Previously the publish hit a dead-letter at the host. DependencyMuxActor: - Per-node fan-out router. Maintains tagRef → Set<IActorRef> with a reverse subscriber → refs index so unregister/replace are O(refs). - Watches subscribers; Terminated triggers automatic unregister so dead virtual-tag actors stop receiving publishes. - Re-register replaces the prior interest set — no stale-ref leaks on actor restart. - Drops publishes for refs with no interested subscribers. VirtualTagActor: - New Props params: dependencyRefs + mux ActorRef. - PreStart sends RegisterInterest to the mux; PostStop sends UnregisterInterest. Default both null so older callers stay quiet. DriverHostActor: - New dependencyMux Props param. Steady + Applying states now receive AttributeValuePublished from their DriverInstance children and forward to the mux. Null mux is a no-op (dev/Mac). ServiceCollectionExtensions: - WithOtOpcUaRuntimeActors spawns DependencyMuxActor before DriverHostActor and threads its ActorRef into the host's Props. New DependencyMuxActorKey + DependencyMuxActorName. Tests: Runtime 57 -> 63 (+6): - Mux forwards to only subscribers interested in each ref - Publish for unregistered ref is dropped silently - Unregister stops forwarding - Re-register replaces prior interest set - VirtualTagActor PreStart registration drives end-to-end eval (uses AwaitAssert to race-safely settle the PreStart Tell) - DriverHostActor forwards AttributeValuePublished through to mux All 6 v2 test suites green: 163 tests passing. F8 (#79) state updated — dep subscribe seam shipped, Core.VirtualTags production engine binding (compile + ITagUpstreamSource subscribe) is the residual.	2026-05-26 09:43:06 -04:00
Joseph Doherty	f427dc4f26	feat(runtime): #112 ScriptedAlarmActor state persistence via IAlarmActorStateStore ... ScriptedAlarmActor now survives actor restart: PreStart loads from the configured store + restores in-memory state; every Transition() fires a fire-and-forget save. ActiveState still re-derives from the evaluator on first tick (Phase 7 decision #14), but Acked state + lastAckUser persist verbatim so operators don't re-ack across an outage. Three pieces: - IAlarmActorStateStore seam in Commons.Engines, with the AlarmActorStateSnapshot record (alarmId / state / lastTransitionUtc / lastAckUser) and NullAlarmActorStateStore default. - EfAlarmActorStateStore in Runtime.ScriptedAlarms — production adapter over the existing ScriptedAlarmState table in ConfigDb. Maps the actor's 3-state enum to the table's AckedState column (Active⇒Unacknowledged, Acknowledged⇒Acknowledged, Inactive⇒ Acknowledged). Concurrency conflicts are logged + dropped — the next transition writes again. - ScriptedAlarmActor PreStart load (async, piped back as StateRestored) + Transition save. New Props overload takes the store; default is NullAlarmActorStateStore so tests stay quiet. Tests: Runtime 52 -> 57 (+5): - Transition writes Active then Acknowledged snapshots with lastAckUser populated - PreStart with persisted Active state restores so a subsequent AcknowledgeAlarm fires (not ignored as it would be from Inactive) - Empty store boots Inactive (AcknowledgeAlarm correctly ignored) - EfAlarmActorStateStore Save + Load round-trips via in-memory EF - Load for unknown alarmId returns null All 6 v2 test suites green: 157 tests passing. Closes #112. F9 (#80) remaining residual is predicate binding to Core.ScriptedAlarms.ScriptedAlarmEngine — split as F9b in tasks JSON.	2026-05-26 09:34:37 -04:00
Joseph Doherty	3e3f7588bd	feat(runtime,host): close F7 — driver subscribe + write paths + Host DI ... Three pieces landed in one batch, closing F7-residual + Host DI #106: Runtime/DriverInstanceActor: - Subscribe / Unsubscribe message contracts; the Connected state handles them via IDriver.ISubscribable. On every OnDataChange event the actor publishes AttributeValuePublished to its parent (DriverHostActor → OpcUaPublishActor). OPC UA StatusCode is mapped to the 3-state OpcUaQuality enum via severity bits (00=Good, 01=Uncertain, 10/11=Bad). - DetachSubscription tears the handler off the driver on DisconnectObserved, Unsubscribe, and PostStop so a stale handler never pushes to a dead actor. - WriteAttribute now dispatches IWritable.WriteAsync (batch of one) with a 5s CancellationTokenSource; status-code propagated to WriteAttributeResult on non-Good results. Host: - New ProjectReferences to Core + every cross-platform driver assembly (AbCip/AbLegacy/FOCAS/Galaxy/Modbus/S7/TwinCAT). Galaxy is net10 (gRPC client to mxaccessgw); the COM-bound net48 Wonderware Historian driver stays out of the Host's reference closure — its .Client gRPC wrapper is what binds for historian needs. - New DriverFactoryBootstrap.AddOtOpcUaDriverFactories() registers a singleton DriverFactoryRegistry, invokes each driver's Register(registry, loggerFactory), and binds IDriverFactory to DriverFactoryRegistryAdapter. Replaces the F7 NullDriverFactory default so deploys actually materialise real IDriver instances on driver-role nodes. ShouldStub() still gates per-platform behaviour at spawn time. - Program.cs wires AddOtOpcUaDriverFactories() before AddAkka so the runtime extension can resolve IDriverFactory from DI. Tests: Runtime 46 -> 52 (+6): - Write returns success when StatusCode = Good - Write propagates non-Good status code in failure Reason - Subscribe forwards OnDataChange to parent as AttributeValuePublished - Quality translation: Uncertain (0x40...) and Bad (0x80...) - Subscribe against non-ISubscribable returns failure - DisconnectObserved detaches handler so late events are dropped All 6 v2 test suites green: 152 tests passing. Closes F7. F7-residual sub-tasks #110 (subscribe) and #111 (write) both shipped. Host DI binding #106 shipped.	2026-05-26 09:28:34 -04:00
Joseph Doherty	c02f016f1d	feat(opcua): F14 Phase7Plan + Phase7Applier ... Splits the side-effecting half of Phase7Composer (deferred at Task 47) into two pieces that mirror DriverHostActor's spawn-plan pattern: Phase7Plan + Phase7Planner.Compute (pure): Diff two Phase7CompositionResult snapshots by stable id (EquipmentId, DriverInstanceId, ScriptedAlarmId). Emits Added/Removed/Changed lists per entity class. Added/Removed are sorted by id for deterministic apply order. Changed wraps both Previous and Current projections so consumers can decide between in-place mutation and tear-down + rebuild. Phase7Applier (side-effecting): Drives an IOpcUaAddressSpaceSink against a plan. Removed equipment/ alarms get an inactive AlarmState write per id; Added/Removed of Equipment or ScriptedAlarm triggers RebuildAddressSpace. Driver-only changes correctly skip the rebuild — those flow through DriverHost- Actor's spawn-plan in Runtime. Sink exceptions are caught + logged so one bad node doesn't abort the apply. Tests: OpcUaServer 6 -> 20 (+14): - Phase7PlannerTests x9 (empty-in/empty-out, add/remove/change per entity class, mixed changes, deterministic ordering) - Phase7ApplierTests x5 (empty plan no-op, removal writes inactive states + rebuild, added equipment triggers rebuild, driver-only skips rebuild, sink fault is non-fatal) The remaining piece is the EquipmentNodeWalker integration against a real SDK NodeManager — split as F14b, gated on F10b's SDK builder. All 6 v2 test suites green: 146 tests passing.	2026-05-26 09:16:08 -04:00
Joseph Doherty	a1325299ce	feat(runtime): F10 OpcUaPublishActor sink seams + redundancy-driven ServiceLevel ... OpcUaPublishActor now routes through pluggable seams instead of just incrementing a counter: - IOpcUaAddressSpaceSink (Commons.OpcUa) — WriteValue / WriteAlarmState / RebuildAddressSpace. OpcUaQuality enum moved here from the actor's nested type so producers don't have to reference the actor itself. - IServiceLevelPublisher — Publish(byte). NullServiceLevelPublisher retains the last level for inspection. - The actor subscribes to the redundancy-state DPS topic in PreStart and maps the local node's NodeRedundancyState to a coarse ServiceLevel (Primary+leader=240, Primary=200, Secondary=100, Detached=0). This keeps the local SDK's ServiceLevel node honest without round-tripping back through the admin-singleton calculator. - ServiceLevelChanged dedupes identical levels so the SDK doesn't see redundant writes. - Sink + publisher exceptions are caught and logged; the actor never crashes its own dispatcher. - PropsForTests gets optional sink/publisher/localNode params and skips the DPS subscribe so unit tests stay on a vanilla TestKit cluster. Production binding to a real SDK NodeManager + Variable nodes is the remaining residual — split as F10b. Task 60 still blocked on F10b. Tests: Runtime 40 -> 46 (+6): - AttributeValueUpdate routes to sink - AlarmStateUpdate routes to sink - RebuildAddressSpace calls sink.Rebuild - ServiceLevelChanged dedupes - RedundancyStateChanged for primary-leader publishes 240 - RedundancyStateChanged for secondary publishes 100 All 6 v2 test suites green: 132 tests passing.	2026-05-26 09:10:55 -04:00
Joseph Doherty	14fb2b05ed	feat(runtime): F8/F9 engine evaluator seams + DPS fan-out ... VirtualTagActor and ScriptedAlarmActor now route through pluggable evaluator interfaces and fan out to the cluster's live-tail topics shipped in F15.3: - IVirtualTagEvaluator + NullVirtualTagEvaluator in Commons.Engines. VirtualTagActor calls evaluator on every DependencyValueChanged, dedupes unchanged values, forwards EvaluationResult to its parent, and publishes ScriptLogEntry Warning to the script-logs DPS topic whenever the evaluator fails. - IScriptedAlarmEvaluator + NullScriptedAlarmEvaluator. ScriptedAlarmActor takes an AlarmConfig (id/name/equipment-path/severity/predicate) and publishes both an AlarmTransitionEvent (alerts topic) and a ScriptLogEntry (script-logs topic) at every transition. Manual ConditionMet/Acknowledge/Cleared still flow through the same Transition() so callers without engine bindings still drive the state machine; the legacy single-string Props() overload routes through a default AlarmConfig. The Null* defaults keep the actors safe when no engine is bound — unconfigured nodes never spuriously alarm. Production binding to Core.VirtualTags.VirtualTagEngine and Core.ScriptedAlarms is the remaining residual (F8b/F9b — split in tasks JSON). Tests: Runtime 34 -> 40 (+6): - VirtualTagActorTests x3 (evaluator drives EvaluationResult, unchanged-value dedup, failure publishes Warning ScriptLogEntry) - ScriptedAlarmActorTests x3 (engine threshold drives Activated + Cleared on alerts topic, manual Acknowledge attribution). All 6 v2 test suites green: 126 tests passing.	2026-05-26 09:05:04 -04:00
Joseph Doherty	da141497f8	feat(runtime): F7 spawn lifecycle + F20 ShouldStub gate ... DriverHostActor.ApplyAndAck now reads the deployment artifact and reconciles its set of DriverInstanceActor children — spawn the missing, ApplyDelta to those with changed config, stop the removed/disabled. The diff lives in pure DriverSpawnPlanner so it can be unit-tested without an ActorSystem. Adds IDriverFactory in Core.Abstractions (consumed by Runtime) + DriverFactoryRegistryAdapter in Core.Hosting that wraps the existing v1 DriverFactoryRegistry — Runtime stays decoupled from Polly/Serilog, the Host wires the adapter once driver assemblies have registered. ShouldStub(type, roles) is now actually called on every spawn — Galaxy + Wonderware-Historian boot stubbed on macOS/Linux or whenever the host carries the dev role. Missing factory ⇒ stub fallback, never a crash. Tests: 24 → 34 in Runtime (+10): - DriverSpawnPlannerTests x7 (diff cases, type change ⇒ stop+respawn) - DeploymentArtifactTests x5 (empty/malformed/missing fields tolerant) - DriverHostActorReconcileTests x4 (spawn count, stub fallback, ShouldStub gate, second-apply stops the removed) All 6 v2 test suites green: 120 tests passing. Closes F20 (ShouldStub wired). F7 marked partial — subscription publishing + write path still stubbed in DriverInstanceActor itself.	2026-05-26 08:57:16 -04:00
Joseph Doherty	9892ceae9a	docs(plans): mark F15.3 complete — F15 fully shipped	2026-05-26 08:39:47 -04:00
Joseph Doherty	59858129cb	feat(adminui): F15.3 closes F15 — live alerts/script-log, CSV import, Monaco editor ... Final F15 batch wires up the SignalR-backed live pages, ports the bulk equipment importer, and progressively enhances the Script source editor with Monaco. Message contracts: - Commons.Messages.Alerts.AlarmTransitionEvent — fires on every alarm state transition; published on the `alerts` DPS topic by future ScriptedAlarmActor (F9) emits. - Commons.Messages.Logging.ScriptLogEntry — one log line emitted by a hosted script; published on the `script-logs` DPS topic by future VirtualTagActor (F8) + ScriptedAlarmActor (F9) emits. (Folder named "Logging" to dodge .gitignore's "logs/" rule.) SignalR plumbing: - AlertHub gains MethodName + bridge actor (AlertSignalRBridge) - ScriptLogHub introduced; ScriptLogSignalRBridge follows the same DPS-subscribe → IHubContext fan-out pattern as FleetStatusSignalRBridge - WithOtOpcUaSignalRBridges now spawns all three bridges - MapOtOpcUaHubs maps /hubs/script-log alongside the existing hubs Pages: - /alerts live alarm tail, 200-row capacity - /script-log live script-log tail with level + script filter, 500-row capacity - /clusters/{id}/equipment/import — CSV bulk Equipment add with preview (Name/MachineCode/UnsLineId/Driver + optional ZTag/SAPID/Manufacturer/Model; skips rows whose MachineCode already exists in the fleet) - ScriptEdit progressively enhanced with Monaco editor via JSInterop — the textarea remains Blazor's source of truth and Monaco syncs into it on every keystroke so @bind keeps working; falls back gracefully if the CDN is unreachable. MainLayout nav gains a "Live" section (Deployments, Alerts, Alarms historian) and a "Scripts" link under Scripting. ClusterEquipment surfaces the new Import CSV button. Tally: F15 ships ~42 razor pages + 3 SignalR hubs + 3 bridge actors. Microsoft.AspNetCore.SignalR.Client added (was already in central PM). All 104 v2 tests remain green.	2026-05-26 08:39:17 -04:00
Joseph Doherty	e248e037e7	docs(plans): mark F15 complete — read views + live-edit CRUD	2026-05-26 08:28:13 -04:00
Joseph Doherty	ae980aef5d	feat(adminui): F15.2 batch 4 — closes live-edit forms (Acl/VirtualTag/ScriptedAlarm/Script) ... Final batch of F15.2. After this commit every entity surfaced by the Phase A-D read views has a matching new/edit/delete form. - AclEdit.razor /clusters/{id}/acls/{new|aclId} - NodePermissions [Flags] enum surfaced as per-bit checkboxes plus one-click bundle buttons (ReadOnly / Operator / Engineer / Admin) - ScopeKind select + ScopeId free-text target (null = cluster-wide) - VirtualTagEdit.razor /virtual-tags/{new|virtualTagId} - Trigger validation: enforces at least one of ChangeTriggered or TimerIntervalMs is set - ScriptedAlarmEdit.razor /scripted-alarms/{new|scriptedAlarmId} - AlarmType select with OPC UA Part 9 subtypes - MessageTemplate is a textarea (template tokens are server-resolved) - ScriptEdit.razor /scripts/{new|scriptId} - SHA-256 hash computed from SourceCode on save (operator never sees or edits SourceHash directly) - InputTextArea now; Monaco syntax editor is a future enhancement List pages (ClusterAcls / VirtualTags / ScriptedAlarms / Scripts) all gain New + per-row Edit affordances. Tally: F15.2 shipped CRUD for 11 entities — Cluster, ClusterNode, UnsArea, UnsLine, Namespace, DriverInstance, Equipment, Tag, NodeAcl, VirtualTag, ScriptedAlarm, Script. All 9 integration tests still green.	2026-05-26 08:27:56 -04:00