Doc — PR 1 body for Gitea web UI paste-in. PR title + summary + test matrix + reviewer test plan + follow-up tracking. Source phase-1-configuration → target v2; URL https://gitea.dohertylan.com/dohertj2/lmxopcua/pulls/new/phase-1-configuration. No gh/tea CLI on this box, so the body is staged here for the operator to paste into the Gitea web UI rather than auto-created via API.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

docs/v2/dev-environment.md

@@ -59,8 +59,8 @@ Running record of every v2 dev service stood up on this developer machine. Updat
 | Service | Container / Process | Version | Host:Port | Credentials (dev-only) | Data location | Status |
 |---------|---------------------|---------|-----------|------------------------|---------------|--------|
 | **Central config DB** | Docker container `otopcua-mssql` (image `mcr.microsoft.com/mssql/server:2022-latest`) | 16.0.4250.1 (RTM-CU24-GDR, KB5083252) | `localhost:14330` (host) → `1433` (container) — remapped from 1433 to avoid collision with the native MSSQL14 instance that hosts the Galaxy `ZB` DB (both bind 0.0.0.0:1433; whichever wins the race gets connections) | User `sa` / Password `OtOpcUaDev_2026!` | Docker named volume `otopcua-mssql-data` (mounted at `/var/opt/mssql` inside container) | ✅ Running — `InitialSchema` migration applied, 16 entity tables live |
-| Dev Galaxy (AVEVA System Platform) | Local install on this dev box | v1 baseline | Local COM via MXAccess | Windows Auth | Galaxy repository DB `ZB` on local SQL Server (separate instance from `otopcua-mssql` — legacy v1 Galaxy DB, not related to v2 config DB) | ✅ Available (per CLAUDE.md) |
-| GLAuth (LDAP) | Local install at `C:\publish\glauth\` | v1 baseline | `localhost:3893` (LDAP) / `3894` (LDAPS) | Bind DN `cn=admin,dc=otopcua,dc=local` / password in `glauth-otopcua.cfg` | `C:\publish\glauth\` | Pending — v2 test users + groups config not yet seeded (Phase 1 Stream E task) |
+| Dev Galaxy (AVEVA System Platform) | Local install on this dev box — full ArchestrA + Historian + OI-Server stack | v1 baseline | Local COM via MXAccess (`C:\Program Files (x86)\ArchestrA\Framework\bin\ArchestrA.MXAccess.dll`); Historian via `aaH*` services; SuiteLink via `slssvc` | Windows Auth | Galaxy repository DB `ZB` on local SQL Server (separate instance from `otopcua-mssql` — legacy v1 Galaxy DB, not related to v2 config DB) | ✅ **Fully available — Phase 2 lift unblocked.** 27 ArchestrA / AVEVA / Wonderware services running incl. `aaBootstrap`, `aaGR` (Galaxy Repository), `aaLogger`, `aaUserValidator`, `aaPim`, `ArchestrADataStore`, `AsbServiceManager`, `AutoBuild_Service`; full Historian set (`aahClientAccessPoint`, `aahGateway`, `aahInSight`, `aahSearchIndexer`, `aahSupervisor`, `InSQLStorage`, `InSQLConfiguration`, `InSQLEventSystem`, `InSQLIndexing`, `InSQLIOServer`, `InSQLManualStorage`, `InSQLSystemDriver`, `HistorianSearch-x64`); `slssvc` (Wonderware SuiteLink); `OI-Gateway` install present at `C:\Program Files (x86)\Wonderware\OI-Server\OI-Gateway\` (decision #142 AppServer-via-OI-Gateway smoke test now also unblocked) |
+| GLAuth (LDAP) | Local install at `C:\publish\glauth\` | v2.4.0 | `localhost:3893` (LDAP) / `3894` (LDAPS, disabled) | Direct-bind `cn={user},dc=lmxopcua,dc=local` per `auth.md`; users `readonly`/`writeop`/`writetune`/`writeconfig`/`alarmack`/`admin`/`serviceaccount` (passwords in `glauth.cfg` as SHA-256) | `C:\publish\glauth\` | ✅ Running (NSSM service `GLAuth`). Phase 1 Admin uses GroupToRole map `ReadOnly→ConfigViewer`, `WriteOperate→ConfigEditor`, `AlarmAck→FleetAdmin`. v2-rebrand to `dc=otopcua,dc=local` is a future cosmetic change |
 | OPC Foundation reference server | Not yet built | — | `localhost:62541` (target) | `user1` / `password1` (reference-server defaults) | — | Pending (needed for Phase 5 OPC UA Client driver testing) |
 | FOCAS TCP stub | Not yet built | — | `localhost:8193` (target) | n/a | — | Pending (built in Phase 5) |
 | Modbus simulator (`oitc/modbus-server`) | — | — | `localhost:502` (target) | n/a | — | Pending (needed for Phase 3 Modbus driver; moves to integration host per two-tier model) |

docs/v2/implementation/exit-gate-phase-2.md

@@ -0,0 +1,181 @@
+# Phase 2 Exit Gate Record (2026-04-18)
+
+> Supersedes `phase-2-partial-exit-evidence.md`. Captures the as-built state of Phase 2 after
+> the MXAccess COM client port + DB-backed and MXAccess-backed Galaxy backends + adversarial
+> review.
+
+## Status: **Streams A, B, C complete. Stream D + E gated only on legacy-Host removal + parity-test rewrite.**
+
+The Phase 2 plan exit criterion ("v1 IntegrationTests pass against v2 Galaxy.Proxy + Galaxy.Host
+topology byte-for-byte") still cannot be auto-validated in a single session. The blocker is no
+longer "the Galaxy code lift" — that's done in this session — but the structural fact that the
+494 v1 IntegrationTests instantiate v1 `OtOpcUa.Host` classes directly. They have to be rewritten
+to use the IPC-fronted Proxy topology before legacy `OtOpcUa.Host` can be deleted, and the plan
+budgets that work as a multi-day debug-cycle (Task E.1).
+
+What changed today: the MXAccess COM client now exists in Galaxy.Host with a real
+`ArchestrA.MxAccess.dll` reference, runs end-to-end against live `LMXProxyServer`, and 3 live
+COM smoke tests pass on this dev box. `MxAccessGalaxyBackend` (the third
+`IGalaxyBackend` implementation, alongside `StubGalaxyBackend` and `DbBackedGalaxyBackend`)
+combines the ported `GalaxyRepository` with the ported `MxAccessClient` so Discover / Read /
+Write / Subscribe all flow through one production-shape backend. `Program.cs` selects between
+the three backends via the `OTOPCUA_GALAXY_BACKEND` env var (default = `mxaccess`).
+
+## Delivered in Phase 2 (full scope, not just scaffolds)
+
+### Stream A — Driver.Galaxy.Shared (✅ complete)
+- 9 contract files: Hello/HelloAck (version negotiation), OpenSession/CloseSession/Heartbeat,
+  Discover + GalaxyObjectInfo + GalaxyAttributeInfo, Read/Write + GalaxyDataValue,
+  Subscribe/Unsubscribe/OnDataChange, AlarmSubscribe/Event/Ack, HistoryRead, HostConnectivityStatus,
+  Recycle.
+- Length-prefixed framing (4-byte BE length + 1-byte kind + MessagePack body) with a
+  16 MiB cap.
+- Thread-safe `FrameWriter` (semaphore-gated) and single-consumer `FrameReader`.
+- 6 round-trip tests + reflection-scan that asserts contracts only reference BCL + MessagePack.
+
+### Stream B — Driver.Galaxy.Host (✅ complete, exceeded original scope)
+- Real Win32 message pump in `StaPump` — `GetMessage`/`PostThreadMessage`/`PeekMessage`/
+  `PostQuitMessage` P/Invoke, dedicated STA thread, `WM_APP=0x8000` work dispatch, `WM_APP+1`
+  graceful-drain → `PostQuitMessage`, 5s join-on-dispose, responsiveness probe.
+- Strict `PipeAcl` (allow configured server SID only, deny LocalSystem + Administrators),
+  `PipeServer` with caller-SID verification + per-process shared-secret `Hello` handshake.
+- Galaxy-specific `MemoryWatchdog` (warn `max(1.5×baseline, +200 MB)`, soft-recycle
+  `max(2×baseline, +200 MB)`, hard ceiling 1.5 GB, slope ≥5 MB/min over 30-min window).
+- `RecyclePolicy` (1/hr cap + 03:00 daily scheduled), `PostMortemMmf` (1000-entry ring
+  buffer, hard-crash survivable, cross-process readable), `MxAccessHandle : SafeHandle`.
+- `IGalaxyBackend` interface + 3 implementations:
+  - **`StubGalaxyBackend`** — keeps IPC end-to-end testable without Galaxy.
+  - **`DbBackedGalaxyBackend`** — real Discover via the ported `GalaxyRepository` against ZB.
+  - **`MxAccessGalaxyBackend`** — Discover via DB + Read/Write/Subscribe via the ported
+    `MxAccessClient` over the StaPump.
+- `GalaxyRepository` ported from v1 (HierarchySql + AttributesSql byte-for-byte identical).
+- `MxAccessClient` ported from v1 (Connect/Read/Write/Subscribe/Unsubscribe + ConcurrentDict
+  handle tracking + OnDataChange / OnWriteComplete event marshalling). The reconnect loop +
+  Historian plugin loader + extended-attribute query are explicit follow-ups.
+- `MxProxyAdapter` + `IMxProxy` for COM-isolation testability.
+- `Program.cs` env-driven backend selection (`OTOPCUA_GALAXY_BACKEND=stub|db|mxaccess`,
+  `OTOPCUA_GALAXY_ZB_CONN`, `OTOPCUA_GALAXY_CLIENT_NAME`, plus the Phase 2 baseline
+  `OTOPCUA_GALAXY_PIPE` / `OTOPCUA_ALLOWED_SID` / `OTOPCUA_GALAXY_SECRET`).
+- ArchestrA.MxAccess.dll referenced via HintPath at `lib/ArchestrA.MxAccess.dll`. Project
+  flipped to **x86 platform target** (the COM interop requires it).
+
+### Stream C — Driver.Galaxy.Proxy (✅ complete)
+- `GalaxyProxyDriver` implements **all 9** capability interfaces — `IDriver`, `ITagDiscovery`,
+  `IReadable`, `IWritable`, `ISubscribable`, `IAlarmSource`, `IHistoryProvider`,
+  `IRediscoverable`, `IHostConnectivityProbe` — each forwarding through the matching IPC
+  contract.
+- `GalaxyIpcClient` with `CallAsync` (request/response gated through a semaphore so concurrent
+  callers don't interleave frames) + `SendOneWayAsync` for fire-and-forget calls
+  (Unsubscribe / AlarmAck / CloseSession).
+- `Backoff` (5s → 15s → 60s, capped, reset-on-stable-run), `CircuitBreaker` (3 crashes per
+  5 min opens; 1h → 4h → manual escalation; sticky alert), `HeartbeatMonitor` (2s cadence,
+  3 misses = host dead).
+
+### Tests
+- **963 pass / 1 pre-existing baseline** across the full solution.
+- New in this session:
+  - `StaPumpTests` — pump still passes 3/3 against the real Win32 implementation
+  - `EndToEndIpcTests` (5) — every IPC operation through Pipe + dispatcher + StubBackend
+  - `IpcHandshakeIntegrationTests` (2) — Hello + heartbeat + secret rejection
+  - `GalaxyRepositoryLiveSmokeTests` (5) — live SQL against ZB, skip when ZB unreachable
+  - `MxAccessLiveSmokeTests` (3) — live COM against running `aaBootstrap` + `LMXProxyServer`
+  - All net48 x86 to match Galaxy.Host
+
+## Adversarial review findings
+
+Independent pass over the Phase 2 deltas. Findings ranked by severity; **all open items are
+explicitly deferred to Stream D/E or v2.1 with rationale.**
+
+### Critical — none.
+
+### High
+
+1. **MxAccess `ReadAsync` has a subscription-leak window on cancellation.** The one-shot read
+   uses subscribe → first-OnDataChange → unsubscribe. If the caller cancels between the
+   `SubscribeOnPumpAsync` await and the `tcs.Task` await, the subscription stays installed.
+   *Mitigation:* the StaPump's idempotent unsubscribe path drops orphan subs at disconnect, but
+   a long-running session leaks them. **Fix scoped to Phase 2 follow-up** alongside the proper
+   subscription registry that v1 had.
+
+2. **No reconnect loop on the MXAccess COM connection.** v1's `MxAccessClient.Monitor` polled
+   a probe tag and triggered reconnect-with-replay on disconnection. The ported client's
+   `ConnectAsync` is one-shot and there's no health monitor. *Mitigation:* the Tier C
+   supervisor on the Proxy side (CircuitBreaker + HeartbeatMonitor) restarts the whole Host
+   process on liveness failure, so connection loss surfaces as a process recycle rather than
+   silent data loss. **Reconnect-without-recycle is a v2.1 refinement** per `driver-stability.md`.
+
+### Medium
+
+3. **`MxAccessGalaxyBackend.SubscribeAsync` doesn't push OnDataChange frames back to the
+   Proxy.** The wire frame `MessageKind.OnDataChangeNotification` is defined and `GalaxyProxyDriver`
+   has the `RaiseDataChange` internal entry point, but the Host-side push pipeline isn't wired —
+   the subscribe registers on the COM side but the value just gets discarded. *Mitigation:* the
+   SubscribeAsync handle is still useful for the ack flow, and one-shot reads work. **Push
+   plumbing is the next-session item.**
+
+4. **`WriteValuesAsync` doesn't await the OnWriteComplete callback.** v1's implementation
+   awaited a TCS keyed on the item handle; the port fires the write and returns success without
+   confirming the runtime accepted it. *Mitigation:* the StatusCode in the response will be 0
+   (Good) for a fire-and-forget — false positive if the runtime rejects post-callback. **Fix
+   needs the same TCS-by-handle pattern as v1; queued.**
+
+5. **`MxAccessGalaxyBackend.Discover` re-queries SQL on every call.** v1 cached the tree and
+   only refreshed on the deploy-watermark change. *Mitigation:* AttributesSql is the slow one
+   (~30s for a large Galaxy); first-call latency is the symptom, not data loss. **Caching +
+   `IRediscoverable` push is a v2.1 follow-up.**
+
+### Low
+
+6. **Live MXAccess test `Backend_ReadValues_against_discovered_attribute_returns_a_response_shape`
+   silently passes if no readable attribute is found.** Documented; the test asserts the *shape*
+   not the *value* because some Galaxy installs are configuration-only.
+
+7. **`FrameWriter` allocates the length-prefix as a 4-byte heap array per call.** Could be
+   stackalloc. Microbenchmark not done — currently irrelevant.
+
+8. **`MxProxyAdapter.Unregister` swallows exceptions during `Unregister(handle)`.** v1 did the
+   same; documented as best-effort during teardown. Consider logging the swallow.
+
+### Out of scope (correctly deferred)
+
+- Stream D.1 — delete legacy `OtOpcUa.Host`. **Cannot be done in any single session** because
+  the 494 v1 IntegrationTests reference Host classes directly. Requires the test rewrite cycle
+  in Stream E.
+- Stream E.1 — run v1 IntegrationTests against v2 topology. Requires (a) test rewrite to use
+  Proxy/Host instead of in-process Host classes, then (b) the parity-debug iteration that the
+  plan budgets 3-4 weeks for.
+- Stream E.2 — Client.CLI walkthrough diff. Requires the v1 baseline capture.
+- Stream E.3 — four 2026-04-13 stability findings regression tests. Requires the parity test
+  harness from Stream E.1.
+- Wonderware Historian SDK plugin loader (Task B.1.h). HistoryRead returns a recognisable
+  error until the plugin loader is wired.
+- Alarm subsystem wire-up (`MxAccessGalaxyBackend.SubscribeAlarmsAsync` is a no-op today).
+  v1's alarm tracking is its own subtree; queued as Phase 2 follow-up.
+
+## Stream-D removal checklist (next session)
+
+1. Decide policy on the 494 v1 tests:
+   - **Option A**: rewrite to use `Driver.Galaxy.Proxy` + `Driver.Galaxy.Host` topology
+     (multi-day; full parity validation as a side effect)
+   - **Option B**: archive them as `OtOpcUa.Tests.v1Archive` and write a smaller v2 parity suite
+     against the new topology (faster; less coverage initially)
+2. Execute the chosen option.
+3. Delete `src/ZB.MOM.WW.OtOpcUa.Host/`, remove from `.slnx`.
+4. Update Windows service installer to register two services
+   (`OtOpcUa` + `OtOpcUaGalaxyHost`) with the correct service-account SIDs.
+5. Migration script for `appsettings.json` Galaxy sections → `DriverInstance.DriverConfig` JSON.
+6. PR + adversarial review + `exit-gate-phase-2-final.md`.
+
+## What ships from this session
+
+Eight commits on `phase-1-configuration` since the previous push:
+
+- `01fd90c` Phase 1 finish + Phase 2 scaffold
+- `7a5b535` Admin UI core
+- `18f93d7` LDAP + SignalR
+- `a1e9ed4` AVEVA-stack inventory doc
+- `32eeeb9` Phase 2 A+B+C feature-complete
+- `549cd36` GalaxyRepository ported + DbBackedBackend + live ZB smoke
+- `(this commit)` MXAccess COM port + MxAccessGalaxyBackend + live MXAccess smoke + adversarial review
+
+`494/494` v1 tests still pass. No regressions.

docs/v2/implementation/phase-2-partial-exit-evidence.md

@@ -4,14 +4,53 @@
 > deferred. See `phase-2-galaxy-out-of-process.md` for the full task plan; this is the as-built
 > delta.
 
-## Status: **Streams A + B + C scaffolded and test-green. Streams D + E deferred.**
+## Status: **Streams A + B + C complete (real Win32 pump, all 9 capability interfaces, end-to-end IPC dispatch). Streams D + E remain — gated only on the iterative Galaxy code lift + parity-debug cycle.**
 
 The goal per the plan is "parity, not regression" — the phase exit gate requires v1
 IntegrationTests to pass against the v2 Galaxy.Proxy + Galaxy.Host topology byte-for-byte.
 Achieving that requires live MXAccess runtime plus the Galaxy code lift out of the legacy
-`OtOpcUa.Host`. Both are operations that need a dev Galaxy up and a parity test cycle to verify.
-Without that cycle, deleting the legacy Host would break the 494 passing v1 tests that are the
-parity baseline.
+`OtOpcUa.Host`. Without that cycle, deleting the legacy Host would break the 494 passing v1
+tests that are the parity baseline.
+
+> **Update 2026-04-17 (later) — Streams A/B/C now feature-complete, not just scaffolds.**
+> The Win32 message pump in `StaPump` was upgraded from a `BlockingCollection` placeholder to a
+> real `GetMessage`/`PostThreadMessage`/`PeekMessage` loop lifted from v1 `StaComThread` (P/Invoke
+> declarations included; `WM_APP=0x8000` for work-item dispatch, `WM_APP+1` for graceful
+> drain → `PostQuitMessage`, 5s join-on-dispose). `GalaxyProxyDriver` now implements every
+> capability interface declared in Phase 2 Stream C — `IDriver`, `ITagDiscovery`, `IReadable`,
+> `IWritable`, `ISubscribable`, `IAlarmSource`, `IHistoryProvider`, `IRediscoverable`,
+> `IHostConnectivityProbe` — each forwarding through the matching IPC contract. `GalaxyIpcClient`
+> gained `SendOneWayAsync` for the fire-and-forget calls (unsubscribe / alarm-ack /
+> close-session) while still serializing through the call-gate so writes don't interleave with
+> `CallAsync` round-trips. Host side: `IGalaxyBackend` interface defines the seam between IPC
+> dispatch and the live MXAccess code, `GalaxyFrameHandler` routes every `MessageKind` into it
+> (heartbeat handled inline so liveness works regardless of backend health), and
+> `StubGalaxyBackend` returns success for lifecycle/subscribe/recycle and recognizable
+> `not-implemented`-coded errors for data-plane calls. End-to-end integration tests exercise
+> every capability through the full stack (handshake → open session → read / write / subscribe /
+> alarm / history / recycle) and the v1 test baseline stays green (494 pass, no regressions).
+>
+> **What's left for the Phase 2 exit gate:** the actual Galaxy code lift (Task B.1) — replace
+> `StubGalaxyBackend` with a `MxAccessClient`-backed implementation that calls `MxAccessClient`
+> on the `StaPump`, plus the parity-cycle debugging against live Galaxy that the plan budgets
+> 3-4 weeks for. Removing the legacy `OtOpcUa.Host` (Task D.1) follows once the parity tests
+> are green against the v2 topology.
+
+> **Update 2026-04-17 — runtime confirmed local.** The dev box has the full AVEVA stack required
+> for the LmxOpcUa breakout: 27 ArchestrA / Wonderware / AVEVA services running including
+> `aaBootstrap`, `aaGR` (Galaxy Repository), `aaLogger`, `aaUserValidator`, `aaPim`,
+> `ArchestrADataStore`, `AsbServiceManager`; the full Historian set
+> (`aahClientAccessPoint`, `aahGateway`, `aahInSight`, `aahSearchIndexer`, `InSQLStorage`,
+> `InSQLConfiguration`, `InSQLEventSystem`, `InSQLIndexing`, `InSQLIOServer`,
+> `HistorianSearch-x64`); SuiteLink (`slssvc`); MXAccess COM at
+> `C:\Program Files (x86)\ArchestrA\Framework\bin\ArchestrA.MXAccess.dll`; and the OI-Gateway
+> install at `C:\Program Files (x86)\Wonderware\OI-Server\OI-Gateway\` (so the
+> AppServer-via-OI-Gateway smoke test from decision #142 is *also* runnable here, not blocked
+> on a dedicated AVEVA test box).
+>
+> The "needs a dev Galaxy" prerequisite is therefore satisfied. Stream D + E can start whenever
+> the team is ready to take the parity-cycle hit on the 494 v1 tests; no environmental blocker
+> remains.
 
 What *is* done: all scaffolding, IPC contracts, supervisor logic, and stability protections
 needed to hang the real MXAccess code onto. Every piece has unit-level or IPC-level test
@@ -151,13 +190,20 @@ Requires live MXAccess + Galaxy runtime and the above lift complete. Work items:
 
 ## Next-session checklist for Stream D + E
 
-1. Stand up dev Galaxy; capture Client.CLI walkthrough baseline against v1.
-2. Move Galaxy-specific files from `OtOpcUa.Host` into `Driver.Galaxy.Host`, renaming
+1. Verify the local AVEVA stack is still green (`Get-Service aaGR, aaBootstrap, slssvc` →
+   Running) and the Galaxy `ZB` repository is reachable from `sqlcmd -S localhost -d ZB -E`.
+   The runtime is already on this machine — no install step needed.
+2. Capture Client.CLI walkthrough baseline against v1 (the parity reference).
+3. Move Galaxy-specific files from `OtOpcUa.Host` into `Driver.Galaxy.Host`, renaming
    namespaces. Replace `StubFrameHandler` with the real one.
-3. Wire up the real Win32 pump inside `StaPump` (lift from scadalink-design's
+4. Wire up the real Win32 pump inside `StaPump` (lift from scadalink-design's
    `LmxProxy.Host` reference per CLAUDE.md).
-4. Run v1 IntegrationTests against the v2 topology — iterate on parity defects until green.
-5. Run Client.CLI walkthrough and diff.
-6. Regression tests for the four stability findings.
-7. Delete legacy `OtOpcUa.Host`; update `.slnx`; update installer scripts.
-8. Adversarial review; `exit-gate-phase-2.md` recorded; PR merged.
+5. Run v1 IntegrationTests against the v2 topology — iterate on parity defects until green.
+6. Run Client.CLI walkthrough and diff.
+7. Regression tests for the four 2026-04-13 stability findings.
+8. Delete legacy `OtOpcUa.Host`; update `.slnx`; update installer scripts.
+9. Optional but valuable now that the runtime is local: AppServer-via-OI-Gateway smoke test
+   (decision #142 / Phase 1 Task E.10) — the OI-Gateway install at
+   `C:\Program Files (x86)\Wonderware\OI-Server\OI-Gateway\` is in place; the test was deferred
+   for "needs live AVEVA runtime" reasons that no longer apply on this dev box.
+10. Adversarial review; `exit-gate-phase-2.md` recorded; PR merged.

docs/v2/implementation/pr-1-body.md

@@ -0,0 +1,80 @@
+# PR 1 — Phase 1 + Phase 2 A/B/C → v2
+
+**Source**: `phase-1-configuration` (commits `980ea51..7403b92`, 11 commits)
+**Target**: `v2`
+**URL**: https://gitea.dohertylan.com/dohertj2/lmxopcua/pulls/new/phase-1-configuration
+
+## Summary
+
+- **Phase 1 complete** — Configuration project with 16 entities + 3 EF migrations
+  (InitialSchema + 8 stored procs + AuthorizationGrants), Core + Server + full Admin UI
+  (Blazor Server with cluster CRUD, draft → diff → publish → rollback, equipment with
+  OPC 40010, UNS, namespaces, drivers, ACLs, reservations, audit), LDAP via GLAuth
+  (`localhost:3893`), SignalR real-time fleet status + alerts.
+- **Phase 2 Streams A + B + C feature-complete** — full IPC contract surface
+  (Galaxy.Shared, netstandard2.0, MessagePack), Galaxy.Host with real Win32 STA pump,
+  ACL + caller-SID + per-process-secret IPC, Galaxy-specific MemoryWatchdog +
+  RecyclePolicy + PostMortemMmf + MxAccessHandle, three `IGalaxyBackend`
+  implementations (Stub / DbBacked / **MxAccess** — real ArchestrA.MxAccess.dll
+  reference, x86, smoke-tested live against `LMXProxyServer`), Galaxy.Proxy with all
+  9 capability interfaces (`IDriver` / `ITagDiscovery` / `IReadable` / `IWritable` /
+  `ISubscribable` / `IAlarmSource` / `IHistoryProvider` / `IRediscoverable` /
+  `IHostConnectivityProbe`) + supervisor (Backoff + CircuitBreaker +
+  HeartbeatMonitor).
+- **Phase 2 Stream D non-destructive deliverables** — appsettings.json → DriverConfig
+  migration script, two-service Windows installer scripts, process-spawn cross-FX
+  parity test, Stream D removal procedure doc with both Option A (rewrite 494 v1
+  tests) and Option B (archive + new v2 E2E suite) spelled out step-by-step.
+
+## What's NOT in this PR
+
+- Legacy `OtOpcUa.Host` deletion (Stream D.1) — reserved for a follow-up PR after
+  Option B's E2E suite is green. The 494 v1 tests still pass against the unchanged
+  legacy Host.
+- Live-Galaxy parity validation (Stream E) — needs the iterative debug cycle the
+  removal-procedure doc describes.
+
+## Tests
+
+**964 pass / 1 pre-existing Phase 0 baseline failure**, across 14 test projects:
+
+| Project | Pass | Notes |
+|---|---:|---|
+| Core.Abstractions.Tests | 24 | |
+| Configuration.Tests | 42 | incl. 7 schema compliance, 8 stored-proc, 3 SQL-role auth, 13 validator, 6 LiteDB cache, 5 generation-applier |
+| Core.Tests | 4 | DriverHost lifecycle |
+| Server.Tests | 2 | NodeBootstrap + LiteDB cache fallback |
+| Admin.Tests | 21 | incl. 5 RoleMapper, 6 LdapAuth, 3 LiveLdap, 2 FleetStatusPoller, 2 services-integration |
+| Driver.Galaxy.Shared.Tests | 6 | Round-trip + framing |
+| Driver.Galaxy.Host.Tests | 30 | incl. 5 GalaxyRepository live ZB, 3 live MXAccess COM, 5 EndToEndIpc, 2 IpcHandshake, 4 MemoryWatchdog, 3 RecyclePolicy, 3 PostMortemMmf, 3 StaPump, 2 service-installer dry-run |
+| Driver.Galaxy.Proxy.Tests | 10 | 9 unit + 1 process-spawn parity |
+| Client.Shared.Tests | 131 | unchanged |
+| Client.UI.Tests | 98 | unchanged |
+| Client.CLI.Tests | 51 / 1 fail | pre-existing baseline failure |
+| Historian.Aveva.Tests | 41 | unchanged |
+| IntegrationTests (net48) | 6 | unchanged — v1 parity baseline |
+| **OtOpcUa.Tests (net48)** | **494** | **unchanged — v1 parity baseline** |
+
+## Test plan for reviewers
+
+- [ ] `dotnet build ZB.MOM.WW.OtOpcUa.slnx` succeeds with no warnings beyond the
+      known NuGetAuditSuppress + xUnit1051 warnings
+- [ ] `dotnet test ZB.MOM.WW.OtOpcUa.slnx` shows the same 964/1 result
+- [ ] `Get-Service aaGR, aaBootstrap` reports Running on the merger's box
+- [ ] `docker ps --filter name=otopcua-mssql` shows the SQL container Up
+- [ ] Admin UI boots (`dotnet run --project src/ZB.MOM.WW.OtOpcUa.Admin`); home page
+      renders at http://localhost:5123/; LDAP sign-in with GLAuth `readonly` /
+      `readonly123` succeeds
+- [ ] Migration script dry-run: `powershell -File
+      scripts/migration/Migrate-AppSettings-To-DriverConfig.ps1 -DryRun` produces
+      a well-formed DriverConfig JSON
+- [ ] Spot-read three commit messages to confirm the deferred-with-rationale items
+      are explicitly documented (`549cd36`, `a7126ba`, `7403b92` are the most
+      recent and most detailed)
+
+## Follow-up tracking
+
+PR 2 (next session) will execute Stream D Option B — archive `OtOpcUa.Tests` as
+`OtOpcUa.Tests.v1Archive`, build the new `OtOpcUa.Driver.Galaxy.E2E` test project,
+delete legacy `OtOpcUa.Host`, and run the parity-validation cycle. See
+`docs/v2/implementation/stream-d-removal-procedure.md`.

docs/v2/implementation/stream-d-removal-procedure.md

@@ -0,0 +1,103 @@
+# Stream D — Legacy `OtOpcUa.Host` Removal Procedure
+
+> Sequenced playbook for the next session that takes Phase 2 to its full exit gate.
+> All Stream A/B/C work is committed. The blocker is structural: the 494 v1
+> `OtOpcUa.Tests` instantiate v1 `Host` classes directly, so they must be
+> retargeted (or archived) before the Host project can be deleted.
+
+## Decision: Option A or Option B
+
+### Option A — Rewrite the 494 v1 tests to use v2 topology
+
+**Effort**: 3-5 days. Highest fidelity (full v1 test coverage carries forward).
+
+**Steps**:
+1. Build a `ProxyMxAccessClientAdapter` in a new `OtOpcUa.LegacyTestCompat/` project that
+   implements v1's `IMxAccessClient` by forwarding to `Driver.Galaxy.Proxy.GalaxyProxyDriver`.
+   Maps v1 `Vtq` ↔ v2 `DataValueSnapshot`, v1 `Quality` enum ↔ v2 `StatusCode` u32, the v1
+   `OnTagValueChanged` event ↔ v2 `ISubscribable.OnDataChange`.
+2. Same idea for `IGalaxyRepository` — adapter that wraps v2's `Backend.Galaxy.GalaxyRepository`.
+3. Replace `MxAccessClient` constructions in `OtOpcUa.Tests` test fixtures with the adapter.
+   Most tests use a single fixture so the change-set is concentrated.
+4. For each test class: run; iterate on parity defects until green. Expected defect families:
+   timing-sensitive assertions (IPC adds ~5ms latency; widen tolerances), Quality enum vs
+   StatusCode mismatches, value-byte-encoding differences.
+5. Once all 494 pass: proceed to deletion checklist below.
+
+**When to pick A**: regulatory environments that need the full historical test suite green,
+or when the v2 parity gate is itself a release-blocking artifact downstream consumers will
+look for.
+
+### Option B — Archive the 494 v1 tests, build a smaller v2 parity suite
+
+**Effort**: 1-2 days. Faster to green; less coverage initially, accreted over time.
+
+**Steps**:
+1. Rename `tests/ZB.MOM.WW.OtOpcUa.Tests/` → `tests/ZB.MOM.WW.OtOpcUa.Tests.v1Archive/`.
+   Add `<IsTestProject>false</IsTestProject>` so CI doesn't run them; mark every class with
+   `[Trait("Category", "v1Archive")]` so a future operator can opt in via `--filter`.
+2. New `tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.E2E/` project (.NET 10):
+   - `ParityFixture` spawns Galaxy.Host EXE per test class with `OTOPCUA_GALAXY_BACKEND=mxaccess`
+     pointing at the dev box's live Galaxy. Pattern from `HostSubprocessParityTests`.
+   - 10-20 representative tests covering the core paths: hierarchy shape, attribute count,
+     read-Manufacturer-Boolean, write-Operate-Float roundtrip, subscribe-receives-OnDataChange,
+     Bad-quality on disconnect, alarm-event-shape.
+3. The four 2026-04-13 stability findings get individual regression tests in this project.
+4. Once green: proceed to deletion checklist below.
+
+**When to pick B**: typical dev velocity case. The v1 archive is reference, the new suite is
+the live parity bar.
+
+## Deletion checklist (after Option A or B is green)
+
+Pre-conditions:
+- [ ] Chosen-option test suite green (494 retargeted OR new E2E suite passing on this box)
+- [ ] `phase-2-compliance.ps1` runs and exits 0
+- [ ] `Get-Service aaGR, aaBootstrap` → Running
+- [ ] `Driver.Galaxy.Host` x86 publish output verified at
+      `src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/bin/Release/net48/`
+- [ ] Migration script tested: `scripts/migration/Migrate-AppSettings-To-DriverConfig.ps1
+      -AppSettingsPath src/ZB.MOM.WW.OtOpcUa.Host/appsettings.json -DryRun` produces a
+      well-formed DriverConfig
+- [ ] Service installer scripts dry-run on a test box: `scripts/install/Install-Services.ps1
+      -InstallRoot C:\OtOpcUa -ServiceAccount LOCALHOST\testuser` registers both services
+      and they start
+
+Steps:
+1. Delete `src/ZB.MOM.WW.OtOpcUa.Host/` (the legacy in-process Host project).
+2. Edit `ZB.MOM.WW.OtOpcUa.slnx` — remove the legacy Host `<Project>` line; keep all v2
+   project lines.
+3. Migrate the dev `appsettings.json` Galaxy sections to `DriverConfig` JSON via the
+   migration script; insert into the Configuration DB for the dev cluster's Galaxy driver
+   instance.
+4. Run the chosen test suite once more — confirm zero regressions from the deletion.
+5. Build full solution (`dotnet build ZB.MOM.WW.OtOpcUa.slnx`) — confirm clean build with
+   no references to the deleted project.
+6. Commit:
+   `git rm -r src/ZB.MOM.WW.OtOpcUa.Host` followed by the slnx + cleanup edits in one
+   atomic commit titled "Phase 2 Stream D — retire legacy OtOpcUa.Host".
+7. Run `/codex:adversarial-review --base v2` on the merged Phase 2 diff.
+8. Record `exit-gate-phase-2-final.md` with: Option chosen, deletion-commit SHA, parity
+   test count + duration, adversarial-review findings (each closed or deferred with link).
+9. Open PR against `v2`, link the exit-gate doc + compliance script output + parity report.
+10. Merge after one reviewer signoff.
+
+## Rollback
+
+If Stream D causes downstream consumer failures (ScadaBridge / Ignition / SystemPlatform IO
+clients seeing different OPC UA behavior), the rollback is `git revert` of the deletion
+commit — the whole v2 codebase keeps Galaxy.Proxy + Galaxy.Host installed alongside the
+restored legacy Host. Production can run either topology. `OtOpcUa.Driver.Galaxy.Proxy`
+becomes dormant until the next attempt.
+
+## Why this can't one-shot in an autonomous session
+
+- The parity-defect debug cycle is intrinsically interactive: each iteration requires running
+  the test suite against live Galaxy, inspecting the diff, deciding if the difference is a
+  legitimate v2 improvement or a regression, then either widening the assertion or fixing the
+  v2 code. That decision-making is the bottleneck, not the typing.
+- The legacy-Host deletion is destructive — needs explicit operator authorization on a real
+  PR review, not unattended automation.
+- The downstream consumer cutover (ScadaBridge, Ignition, AppServer) lives outside this repo
+  and on an integration-team track; "Phase 2 done" inside this repo is a precondition, not
+  the full release.

docs/v2/plan.md

@@ -234,6 +234,8 @@ All of these stay in the Galaxy Host process (.NET 4.8 x86). The `GalaxyProxy` i
 - Refactor is **incremental**: extract `IDriver` / `ISubscribable` / `ITagDiscovery` etc. against the existing `LmxNodeManager` first (still in-process on v2 branch), validate the system still runs, *then* move the implementation behind the IPC boundary into Galaxy.Host. Keeps the system runnable at each step and de-risks the out-of-process move.
 - **Parity test**: run the existing v1 IntegrationTests suite against the v2 Galaxy driver (same Galaxy, same expectations) **plus** a scripted Client.CLI walkthrough (connect / browse / read / write / subscribe / history / alarms) on a dev Galaxy. Automated regression + human-observable behavior.
 
+**Dev environment for the LmxOpcUa breakout:** the Phase 0/1 dev box (`DESKTOP-6JL3KKO`) hosts the full AVEVA stack required to execute Phase 2 Streams D + E — 27 ArchestrA / Wonderware / AVEVA services running including `aaBootstrap`, `aaGR` (Galaxy Repository), `aaLogger`, `aaUserValidator`, `aaPim`, `ArchestrADataStore`, `AsbServiceManager`; the full Historian set (`aahClientAccessPoint`, `aahGateway`, `aahInSight`, `aahSearchIndexer`, `InSQLStorage`, `InSQLConfiguration`, `InSQLEventSystem`, `InSQLIndexing`, `InSQLIOServer`, `HistorianSearch-x64`); SuiteLink (`slssvc`); MXAccess COM at `C:\Program Files (x86)\ArchestrA\Framework\bin\ArchestrA.MXAccess.dll`; and OI-Gateway at `C:\Program Files (x86)\Wonderware\OI-Server\OI-Gateway\` — so the Phase 1 Task E.10 AppServer-via-OI-Gateway smoke test (decision #142) is also runnable on the same box, no separate AVEVA test machine required. Inventory captured in `dev-environment.md`.
+
 ---
 
 ### 4. Configuration Model — Centralized MSSQL + Local Cache

scripts/install/Install-Services.ps1

@@ -0,0 +1,102 @@
+<#
+.SYNOPSIS
+    Registers the two v2 Windows services on a node: OtOpcUa (main server, net10) and
+    OtOpcUaGalaxyHost (out-of-process Galaxy COM host, net48 x86).
+
+.DESCRIPTION
+    Phase 2 Stream D.2 — replaces the v1 single-service install (TopShelf-based OtOpcUa.Host).
+    Installs both services with the correct service-account SID + per-process shared secret
+    provisioning per `driver-stability.md §"IPC Security"`. Galaxy.Host depends on OtOpcUa
+    (Galaxy.Host must be reachable when OtOpcUa starts; service dependency wiring + retry
+    handled by OtOpcUa.Server NodeBootstrap).
+
+.PARAMETER InstallRoot
+    Where the binaries live (typically C:\Program Files\OtOpcUa).
+
+.PARAMETER ServiceAccount
+    Service account SID or DOMAIN\name. Both services run under this account; the
+    Galaxy.Host pipe ACL only allows this SID to connect (decision #76).
+
+.PARAMETER GalaxySharedSecret
+    Per-process secret passed to Galaxy.Host via env var. Generated freshly per install.
+
+.PARAMETER ZbConnection
+    Galaxy ZB SQL connection string (passed to Galaxy.Host via env var).
+
+.EXAMPLE
+    .\Install-Services.ps1 -InstallRoot 'C:\Program Files\OtOpcUa' -ServiceAccount 'OTOPCUA\svc-otopcua'
+#>
+[CmdletBinding()]
+param(
+    [Parameter(Mandatory)] [string]$InstallRoot,
+    [Parameter(Mandatory)] [string]$ServiceAccount,
+    [string]$GalaxySharedSecret,
+    [string]$ZbConnection = 'Server=localhost;Database=ZB;Integrated Security=True;TrustServerCertificate=True;Encrypt=False;',
+    [string]$GalaxyClientName = 'OtOpcUa-Galaxy.Host',
+    [string]$GalaxyPipeName = 'OtOpcUaGalaxy'
+)
+
+$ErrorActionPreference = 'Stop'
+
+if (-not (Test-Path "$InstallRoot\OtOpcUa.Server.exe")) {
+    Write-Error "OtOpcUa.Server.exe not found at $InstallRoot — copy the publish output first"
+    exit 1
+}
+if (-not (Test-Path "$InstallRoot\Galaxy\OtOpcUa.Driver.Galaxy.Host.exe")) {
+    Write-Error "OtOpcUa.Driver.Galaxy.Host.exe not found at $InstallRoot\Galaxy — copy the publish output first"
+    exit 1
+}
+
+# Generate a fresh shared secret per install if not supplied. Stored in DPAPI-protected file
+# rather than the registry so the service account can read it but other local users cannot.
+if (-not $GalaxySharedSecret) {
+    $bytes = New-Object byte[] 32
+    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
+    $GalaxySharedSecret = [Convert]::ToBase64String($bytes)
+}
+
+# Resolve the SID — the IPC ACL needs the SID, not the down-level name.
+$sid = if ($ServiceAccount.StartsWith('S-1-')) {
+    $ServiceAccount
+} else {
+    (New-Object System.Security.Principal.NTAccount $ServiceAccount).Translate([System.Security.Principal.SecurityIdentifier]).Value
+}
+
+# --- Install OtOpcUaGalaxyHost first (OtOpcUa starts after, depends on it being up).
+$galaxyEnv = @(
+    "OTOPCUA_GALAXY_PIPE=$GalaxyPipeName"
+    "OTOPCUA_ALLOWED_SID=$sid"
+    "OTOPCUA_GALAXY_SECRET=$GalaxySharedSecret"
+    "OTOPCUA_GALAXY_BACKEND=mxaccess"
+    "OTOPCUA_GALAXY_ZB_CONN=$ZbConnection"
+    "OTOPCUA_GALAXY_CLIENT_NAME=$GalaxyClientName"
+) -join "`0"
+$galaxyEnv += "`0`0"
+
+Write-Host "Installing OtOpcUaGalaxyHost..."
+& sc.exe create OtOpcUaGalaxyHost binPath= "`"$InstallRoot\Galaxy\OtOpcUa.Driver.Galaxy.Host.exe`"" `
+    DisplayName= 'OtOpcUa Galaxy Host (out-of-process MXAccess)' `
+    start= auto `
+    obj= $ServiceAccount | Out-Null
+
+# Set per-service environment variables via the registry — sc.exe doesn't expose them directly.
+$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\OtOpcUaGalaxyHost"
+$envValue = $galaxyEnv.Split("`0") | Where-Object { $_ -ne '' }
+Set-ItemProperty -Path $svcKey -Name 'Environment' -Type MultiString -Value $envValue
+
+# --- Install OtOpcUa (depends on Galaxy host being installed; doesn't strictly require it
+#     started — OtOpcUa.Server NodeBootstrap retries on the IPC connect path).
+Write-Host "Installing OtOpcUa..."
+& sc.exe create OtOpcUa binPath= "`"$InstallRoot\OtOpcUa.Server.exe`"" `
+    DisplayName= 'OtOpcUa Server' `
+    start= auto `
+    depend= 'OtOpcUaGalaxyHost' `
+    obj= $ServiceAccount | Out-Null
+
+Write-Host ""
+Write-Host "Installed. Start with:"
+Write-Host "  sc.exe start OtOpcUaGalaxyHost"
+Write-Host "  sc.exe start OtOpcUa"
+Write-Host ""
+Write-Host "Galaxy shared secret (record this offline — required for service rebinding):"
+Write-Host "  $GalaxySharedSecret"

scripts/install/Uninstall-Services.ps1

@@ -0,0 +1,18 @@
+<#
+.SYNOPSIS
+    Stops + removes the two v2 services. Mirrors Install-Services.ps1.
+#>
+[CmdletBinding()] param()
+$ErrorActionPreference = 'Continue'
+
+foreach ($svc in 'OtOpcUa', 'OtOpcUaGalaxyHost') {
+    if (Get-Service $svc -ErrorAction SilentlyContinue) {
+        Write-Host "Stopping $svc..."
+        Stop-Service $svc -Force -ErrorAction SilentlyContinue
+        Write-Host "Removing $svc..."
+        & sc.exe delete $svc | Out-Null
+    } else {
+        Write-Host "$svc not installed — skipping"
+    }
+}
+Write-Host "Done."

scripts/migration/Migrate-AppSettings-To-DriverConfig.ps1

@@ -0,0 +1,107 @@
+<#
+.SYNOPSIS
+    Translates a v1 OtOpcUa.Host appsettings.json into a v2 DriverInstance.DriverConfig JSON
+    blob suitable for upserting into the central Configuration DB.
+
+.DESCRIPTION
+    Phase 2 Stream D.3 — moves the legacy MxAccess + GalaxyRepository + Historian sections out
+    of node-local appsettings.json and into the central DB so each node only needs Cluster.NodeId
+    + ClusterId + DB conn (per decision #18). Idempotent + dry-run-able.
+
+    Output shape matches the Galaxy DriverType schema in `docs/v2/plan.md` §"Galaxy DriverConfig":
+
+        {
+          "MxAccess":  { "ClientName": "...", "RequestTimeoutSeconds": 30 },
+          "Database":  { "ConnectionString": "...", "PollIntervalSeconds": 60 },
+          "Historian": { "Enabled": false }
+        }
+
+.PARAMETER AppSettingsPath
+    Path to the v1 appsettings.json. Defaults to ../../src/ZB.MOM.WW.OtOpcUa.Host/appsettings.json
+    relative to the script.
+
+.PARAMETER OutputPath
+    Where to write the generated DriverConfig JSON. Defaults to stdout.
+
+.PARAMETER DryRun
+    Print what would be written without writing.
+
+.EXAMPLE
+    pwsh ./Migrate-AppSettings-To-DriverConfig.ps1 -AppSettingsPath C:\OtOpcUa\appsettings.json -OutputPath C:\tmp\galaxy-driverconfig.json
+#>
+[CmdletBinding()]
+param(
+    [string]$AppSettingsPath,
+    [string]$OutputPath,
+    [switch]$DryRun
+)
+
+$ErrorActionPreference = 'Stop'
+
+if (-not $AppSettingsPath) {
+    $AppSettingsPath = Join-Path (Split-Path -Parent $PSScriptRoot) '..\src\ZB.MOM.WW.OtOpcUa.Host\appsettings.json'
+}
+
+if (-not (Test-Path $AppSettingsPath)) {
+    Write-Error "AppSettings file not found: $AppSettingsPath"
+    exit 1
+}
+
+$src = Get-Content -Raw $AppSettingsPath | ConvertFrom-Json
+
+$mx = $src.MxAccess
+$gr = $src.GalaxyRepository
+$hi = $src.Historian
+
+$driverConfig = [ordered]@{
+    MxAccess = [ordered]@{
+        ClientName            = $mx.ClientName
+        NodeName              = $mx.NodeName
+        GalaxyName            = $mx.GalaxyName
+        RequestTimeoutSeconds = $mx.ReadTimeoutSeconds
+        WriteTimeoutSeconds   = $mx.WriteTimeoutSeconds
+        MaxConcurrentOps      = $mx.MaxConcurrentOperations
+        MonitorIntervalSec    = $mx.MonitorIntervalSeconds
+        AutoReconnect         = $mx.AutoReconnect
+        ProbeTag              = $mx.ProbeTag
+    }
+    Database = [ordered]@{
+        ConnectionString          = $gr.ConnectionString
+        ChangeDetectionIntervalSec = $gr.ChangeDetectionIntervalSeconds
+        CommandTimeoutSeconds     = $gr.CommandTimeoutSeconds
+        ExtendedAttributes        = $gr.ExtendedAttributes
+        Scope                     = $gr.Scope
+        PlatformName              = $gr.PlatformName
+    }
+    Historian = [ordered]@{
+        Enabled = if ($null -ne $hi -and $null -ne $hi.Enabled) { $hi.Enabled } else { $false }
+    }
+}
+
+# Strip null-valued leaves so the resulting JSON is compact and round-trippable.
+function Remove-Nulls($obj) {
+    $keys = @($obj.Keys)
+    foreach ($k in $keys) {
+        if ($null -eq $obj[$k]) { $obj.Remove($k) | Out-Null }
+        elseif ($obj[$k] -is [System.Collections.Specialized.OrderedDictionary]) { Remove-Nulls $obj[$k] }
+    }
+}
+Remove-Nulls $driverConfig
+
+$json = $driverConfig | ConvertTo-Json -Depth 8
+
+if ($DryRun) {
+    Write-Host "=== DriverConfig (dry-run, would write to $OutputPath) ==="
+    Write-Host $json
+    return
+}
+
+if ($OutputPath) {
+    $dir = Split-Path -Parent $OutputPath
+    if ($dir -and -not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
+    Set-Content -Path $OutputPath -Value $json -Encoding UTF8
+    Write-Host "Wrote DriverConfig to $OutputPath"
+}
+else {
+    $json
+}

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/Backend/DbBackedGalaxyBackend.cs

@@ -0,0 +1,153 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading;
+using System.Threading.Tasks;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend.Galaxy;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared.Contracts;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend;
+
+/// <summary>
+///     Galaxy backend that uses the live <c>ZB</c> repository for <see cref="DiscoverAsync"/> —
+///     real gobject hierarchy + attributes flow through to the Proxy without needing the MXAccess
+///     COM client. Runtime data-plane calls (Read/Write/Subscribe/Alarm/History) still surface
+///     as "MXAccess code lift pending" until the COM client port lands. This is the highest-value
+///     intermediate state because Discover is what powers the OPC UA address-space build, so
+///     downstream Proxy + parity tests can exercise the complete tree shape today.
+/// </summary>
+public sealed class DbBackedGalaxyBackend(GalaxyRepository repository) : IGalaxyBackend
+{
+    private long _nextSessionId;
+    private long _nextSubscriptionId;
+
+    public Task<OpenSessionResponse> OpenSessionAsync(OpenSessionRequest req, CancellationToken ct)
+    {
+        var id = Interlocked.Increment(ref _nextSessionId);
+        return Task.FromResult(new OpenSessionResponse { Success = true, SessionId = id });
+    }
+
+    public Task CloseSessionAsync(CloseSessionRequest req, CancellationToken ct) => Task.CompletedTask;
+
+    public async Task<DiscoverHierarchyResponse> DiscoverAsync(DiscoverHierarchyRequest req, CancellationToken ct)
+    {
+        try
+        {
+            var hierarchy = await repository.GetHierarchyAsync(ct).ConfigureAwait(false);
+            var attributes = await repository.GetAttributesAsync(ct).ConfigureAwait(false);
+
+            // Group attributes by their owning gobject for the IPC payload.
+            var attrsByGobject = attributes
+                .GroupBy(a => a.GobjectId)
+                .ToDictionary(g => g.Key, g => g.Select(MapAttribute).ToArray());
+
+            var parentByChild = hierarchy
+                .ToDictionary(o => o.GobjectId, o => o.ParentGobjectId);
+            var nameByGobject = hierarchy
+                .ToDictionary(o => o.GobjectId, o => o.TagName);
+
+            var objects = hierarchy.Select(o => new GalaxyObjectInfo
+            {
+                ContainedName = string.IsNullOrEmpty(o.ContainedName) ? o.TagName : o.ContainedName,
+                TagName = o.TagName,
+                ParentContainedName = parentByChild.TryGetValue(o.GobjectId, out var p)
+                                      && p != 0
+                                      && nameByGobject.TryGetValue(p, out var pName)
+                    ? pName
+                    : null,
+                TemplateCategory = MapCategory(o.CategoryId),
+                Attributes = attrsByGobject.TryGetValue(o.GobjectId, out var a) ? a : System.Array.Empty<GalaxyAttributeInfo>(),
+            }).ToArray();
+
+            return new DiscoverHierarchyResponse { Success = true, Objects = objects };
+        }
+        catch (Exception ex) when (ex is System.Data.SqlClient.SqlException
+                                   or InvalidOperationException
+                                   or TimeoutException)
+        {
+            return new DiscoverHierarchyResponse
+            {
+                Success = false,
+                Error = $"Galaxy ZB repository error: {ex.Message}",
+                Objects = System.Array.Empty<GalaxyObjectInfo>(),
+            };
+        }
+    }
+
+    public Task<ReadValuesResponse> ReadValuesAsync(ReadValuesRequest req, CancellationToken ct)
+        => Task.FromResult(new ReadValuesResponse
+        {
+            Success = false,
+            Error = "MXAccess code lift pending (Phase 2 Task B.1) — DB-backed backend covers Discover only",
+            Values = System.Array.Empty<GalaxyDataValue>(),
+        });
+
+    public Task<WriteValuesResponse> WriteValuesAsync(WriteValuesRequest req, CancellationToken ct)
+    {
+        var results = new WriteValueResult[req.Writes.Length];
+        for (var i = 0; i < req.Writes.Length; i++)
+        {
+            results[i] = new WriteValueResult
+            {
+                TagReference = req.Writes[i].TagReference,
+                StatusCode = 0x80020000u,
+                Error = "MXAccess code lift pending (Phase 2 Task B.1)",
+            };
+        }
+        return Task.FromResult(new WriteValuesResponse { Results = results });
+    }
+
+    public Task<SubscribeResponse> SubscribeAsync(SubscribeRequest req, CancellationToken ct)
+    {
+        var sid = Interlocked.Increment(ref _nextSubscriptionId);
+        return Task.FromResult(new SubscribeResponse
+        {
+            Success = true,
+            SubscriptionId = sid,
+            ActualIntervalMs = req.RequestedIntervalMs,
+        });
+    }
+
+    public Task UnsubscribeAsync(UnsubscribeRequest req, CancellationToken ct) => Task.CompletedTask;
+    public Task SubscribeAlarmsAsync(AlarmSubscribeRequest req, CancellationToken ct) => Task.CompletedTask;
+    public Task AcknowledgeAlarmAsync(AlarmAckRequest req, CancellationToken ct) => Task.CompletedTask;
+
+    public Task<HistoryReadResponse> HistoryReadAsync(HistoryReadRequest req, CancellationToken ct)
+        => Task.FromResult(new HistoryReadResponse
+        {
+            Success = false,
+            Error = "MXAccess + Historian code lift pending (Phase 2 Task B.1)",
+            Tags = System.Array.Empty<HistoryTagValues>(),
+        });
+
+    public Task<RecycleStatusResponse> RecycleAsync(RecycleHostRequest req, CancellationToken ct)
+        => Task.FromResult(new RecycleStatusResponse { Accepted = true, GraceSeconds = 15 });
+
+    private static GalaxyAttributeInfo MapAttribute(GalaxyAttributeRow row) => new()
+    {
+        AttributeName = row.AttributeName,
+        MxDataType = row.MxDataType,
+        IsArray = row.IsArray,
+        ArrayDim = row.ArrayDimension is int d and > 0 ? (uint)d : null,
+        SecurityClassification = row.SecurityClassification,
+        IsHistorized = row.IsHistorized,
+    };
+
+    /// <summary>
+    ///     Galaxy <c>template_definition.category_id</c> → human-readable name.
+    ///     Mirrors v1 Host's <c>AlarmObjectFilter</c> mapping.
+    /// </summary>
+    private static string MapCategory(int categoryId) => categoryId switch
+    {
+        1 => "$WinPlatform",
+        3 => "$AppEngine",
+        4 => "$Area",
+        10 => "$UserDefined",
+        11 => "$ApplicationObject",
+        13 => "$Area",
+        17 => "$DeviceIntegration",
+        24 => "$ViewEngine",
+        26 => "$ViewApp",
+        _ => $"category-{categoryId}",
+    };
+}

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/Backend/Galaxy/GalaxyHierarchyRow.cs

@@ -0,0 +1,35 @@
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend.Galaxy;
+
+/// <summary>
+///     One row from the v1 <c>HierarchySql</c>. Galaxy <c>gobject</c> deployed instance with its
+///     hierarchy parent + template-chain context.
+/// </summary>
+public sealed class GalaxyHierarchyRow
+{
+    public int GobjectId { get; init; }
+    public string TagName { get; init; } = string.Empty;
+    public string ContainedName { get; init; } = string.Empty;
+    public string BrowseName { get; init; } = string.Empty;
+    public int ParentGobjectId { get; init; }
+    public bool IsArea { get; init; }
+    public int CategoryId { get; init; }
+    public int HostedByGobjectId { get; init; }
+    public System.Collections.Generic.IReadOnlyList<string> TemplateChain { get; init; } = System.Array.Empty<string>();
+}
+
+/// <summary>One row from the v1 <c>AttributesSql</c>.</summary>
+public sealed class GalaxyAttributeRow
+{
+    public int GobjectId { get; init; }
+    public string TagName { get; init; } = string.Empty;
+    public string AttributeName { get; init; } = string.Empty;
+    public string FullTagReference { get; init; } = string.Empty;
+    public int MxDataType { get; init; }
+    public string? DataTypeName { get; init; }
+    public bool IsArray { get; init; }
+    public int? ArrayDimension { get; init; }
+    public int MxAttributeCategory { get; init; }
+    public int SecurityClassification { get; init; }
+    public bool IsHistorized { get; init; }
+    public bool IsAlarm { get; init; }
+}

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/Backend/Galaxy/GalaxyRepository.cs

@@ -0,0 +1,224 @@
+using System;
+using System.Collections.Generic;
+using System.Data.SqlClient;
+using System.Linq;
+using System.Threading;
+using System.Threading.Tasks;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend.Galaxy;
+
+/// <summary>
+///     SQL access to the Galaxy <c>ZB</c> repository — port of v1 <c>GalaxyRepositoryService</c>.
+///     The two SQL bodies (Hierarchy + Attributes) are byte-for-byte identical to v1 so the
+///     queries surface the same row set at parity time. Extended-attributes and scope-filter
+///     queries from v1 are intentionally not ported yet — they're refinements that aren't on
+///     the Phase 2 critical path.
+/// </summary>
+public sealed class GalaxyRepository(GalaxyRepositoryOptions options)
+{
+    public async Task<bool> TestConnectionAsync(CancellationToken ct = default)
+    {
+        try
+        {
+            using var conn = new SqlConnection(options.ConnectionString);
+            await conn.OpenAsync(ct).ConfigureAwait(false);
+            using var cmd = new SqlCommand("SELECT 1", conn) { CommandTimeout = options.CommandTimeoutSeconds };
+            var result = await cmd.ExecuteScalarAsync(ct).ConfigureAwait(false);
+            return result is int i && i == 1;
+        }
+        catch (SqlException) { return false; }
+        catch (InvalidOperationException) { return false; }
+    }
+
+    public async Task<DateTime?> GetLastDeployTimeAsync(CancellationToken ct = default)
+    {
+        using var conn = new SqlConnection(options.ConnectionString);
+        await conn.OpenAsync(ct).ConfigureAwait(false);
+        using var cmd = new SqlCommand("SELECT time_of_last_deploy FROM galaxy", conn)
+        { CommandTimeout = options.CommandTimeoutSeconds };
+        var result = await cmd.ExecuteScalarAsync(ct).ConfigureAwait(false);
+        return result is DateTime dt ? dt : null;
+    }
+
+    public async Task<List<GalaxyHierarchyRow>> GetHierarchyAsync(CancellationToken ct = default)
+    {
+        var rows = new List<GalaxyHierarchyRow>();
+
+        using var conn = new SqlConnection(options.ConnectionString);
+        await conn.OpenAsync(ct).ConfigureAwait(false);
+
+        using var cmd = new SqlCommand(HierarchySql, conn) { CommandTimeout = options.CommandTimeoutSeconds };
+        using var reader = await cmd.ExecuteReaderAsync(ct).ConfigureAwait(false);
+
+        while (await reader.ReadAsync(ct).ConfigureAwait(false))
+        {
+            var templateChainRaw = reader.IsDBNull(8) ? string.Empty : reader.GetString(8);
+            var templateChain = templateChainRaw.Length == 0
+                ? Array.Empty<string>()
+                : templateChainRaw.Split(new[] { '|' }, StringSplitOptions.RemoveEmptyEntries)
+                    .Select(s => s.Trim())
+                    .Where(s => s.Length > 0)
+                    .ToArray();
+
+            rows.Add(new GalaxyHierarchyRow
+            {
+                GobjectId = Convert.ToInt32(reader.GetValue(0)),
+                TagName = reader.GetString(1),
+                ContainedName = reader.IsDBNull(2) ? string.Empty : reader.GetString(2),
+                BrowseName = reader.GetString(3),
+                ParentGobjectId = Convert.ToInt32(reader.GetValue(4)),
+                IsArea = Convert.ToInt32(reader.GetValue(5)) == 1,
+                CategoryId = Convert.ToInt32(reader.GetValue(6)),
+                HostedByGobjectId = Convert.ToInt32(reader.GetValue(7)),
+                TemplateChain = templateChain,
+            });
+        }
+        return rows;
+    }
+
+    public async Task<List<GalaxyAttributeRow>> GetAttributesAsync(CancellationToken ct = default)
+    {
+        var rows = new List<GalaxyAttributeRow>();
+
+        using var conn = new SqlConnection(options.ConnectionString);
+        await conn.OpenAsync(ct).ConfigureAwait(false);
+
+        using var cmd = new SqlCommand(AttributesSql, conn) { CommandTimeout = options.CommandTimeoutSeconds };
+        using var reader = await cmd.ExecuteReaderAsync(ct).ConfigureAwait(false);
+
+        while (await reader.ReadAsync(ct).ConfigureAwait(false))
+        {
+            rows.Add(new GalaxyAttributeRow
+            {
+                GobjectId = Convert.ToInt32(reader.GetValue(0)),
+                TagName = reader.GetString(1),
+                AttributeName = reader.GetString(2),
+                FullTagReference = reader.GetString(3),
+                MxDataType = Convert.ToInt32(reader.GetValue(4)),
+                DataTypeName = reader.IsDBNull(5) ? null : reader.GetString(5),
+                IsArray = Convert.ToInt32(reader.GetValue(6)) == 1,
+                ArrayDimension = reader.IsDBNull(7) ? (int?)null : Convert.ToInt32(reader.GetValue(7)),
+                MxAttributeCategory = Convert.ToInt32(reader.GetValue(8)),
+                SecurityClassification = Convert.ToInt32(reader.GetValue(9)),
+                IsHistorized = Convert.ToInt32(reader.GetValue(10)) == 1,
+                IsAlarm = Convert.ToInt32(reader.GetValue(11)) == 1,
+            });
+        }
+        return rows;
+    }
+
+    private const string HierarchySql = @"
+;WITH template_chain AS (
+    SELECT g.gobject_id AS instance_gobject_id, t.gobject_id AS template_gobject_id,
+           t.tag_name AS template_tag_name, t.derived_from_gobject_id, 0 AS depth
+    FROM gobject g
+    INNER JOIN gobject t ON t.gobject_id = g.derived_from_gobject_id
+    WHERE g.is_template = 0 AND g.deployed_package_id <> 0 AND g.derived_from_gobject_id <> 0
+    UNION ALL
+    SELECT tc.instance_gobject_id, t.gobject_id, t.tag_name, t.derived_from_gobject_id, tc.depth + 1
+    FROM template_chain tc
+    INNER JOIN gobject t ON t.gobject_id = tc.derived_from_gobject_id
+    WHERE tc.derived_from_gobject_id <> 0 AND tc.depth < 10
+)
+SELECT DISTINCT
+    g.gobject_id,
+    g.tag_name,
+    g.contained_name,
+    CASE WHEN g.contained_name IS NULL OR g.contained_name = ''
+         THEN g.tag_name
+         ELSE g.contained_name
+    END AS browse_name,
+    CASE WHEN g.contained_by_gobject_id = 0
+         THEN g.area_gobject_id
+         ELSE g.contained_by_gobject_id
+    END AS parent_gobject_id,
+    CASE WHEN td.category_id = 13
+         THEN 1
+         ELSE 0
+    END AS is_area,
+    td.category_id AS category_id,
+    g.hosted_by_gobject_id AS hosted_by_gobject_id,
+    ISNULL(
+        STUFF((
+            SELECT '|' + tc.template_tag_name
+            FROM template_chain tc
+            WHERE tc.instance_gobject_id = g.gobject_id
+            ORDER BY tc.depth
+            FOR XML PATH('')
+        ), 1, 1, ''),
+        ''
+    ) AS template_chain
+FROM gobject g
+INNER JOIN template_definition td
+    ON g.template_definition_id = td.template_definition_id
+WHERE td.category_id IN (1, 3, 4, 10, 11, 13, 17, 24, 26)
+    AND g.is_template = 0
+    AND g.deployed_package_id <> 0
+ORDER BY parent_gobject_id, g.tag_name";
+
+    private const string AttributesSql = @"
+;WITH deployed_package_chain AS (
+    SELECT g.gobject_id, p.package_id, p.derived_from_package_id, 0 AS depth
+    FROM gobject g
+    INNER JOIN package p ON p.package_id = g.deployed_package_id
+    WHERE g.is_template = 0 AND g.deployed_package_id <> 0
+    UNION ALL
+    SELECT dpc.gobject_id, p.package_id, p.derived_from_package_id, dpc.depth + 1
+    FROM deployed_package_chain dpc
+    INNER JOIN package p ON p.package_id = dpc.derived_from_package_id
+    WHERE dpc.derived_from_package_id <> 0 AND dpc.depth < 10
+)
+SELECT gobject_id, tag_name, attribute_name, full_tag_reference,
+    mx_data_type, data_type_name, is_array, array_dimension,
+    mx_attribute_category, security_classification, is_historized, is_alarm
+FROM (
+    SELECT
+        dpc.gobject_id,
+        g.tag_name,
+        da.attribute_name,
+        g.tag_name + '.' + da.attribute_name
+            + CASE WHEN da.is_array = 1 THEN '[]' ELSE '' END
+            AS full_tag_reference,
+        da.mx_data_type,
+        dt.description AS data_type_name,
+        da.is_array,
+        CASE WHEN da.is_array = 1
+             THEN CONVERT(int, CONVERT(varbinary(2),
+                  SUBSTRING(da.mx_value, 15, 2) + SUBSTRING(da.mx_value, 13, 2), 2))
+             ELSE NULL
+        END AS array_dimension,
+        da.mx_attribute_category,
+        da.security_classification,
+        CASE WHEN EXISTS (
+            SELECT 1 FROM deployed_package_chain dpc2
+            INNER JOIN primitive_instance pi ON pi.package_id = dpc2.package_id AND pi.primitive_name = da.attribute_name
+            INNER JOIN primitive_definition pd ON pd.primitive_definition_id = pi.primitive_definition_id AND pd.primitive_name = 'HistoryExtension'
+            WHERE dpc2.gobject_id = dpc.gobject_id
+        ) THEN 1 ELSE 0 END AS is_historized,
+        CASE WHEN EXISTS (
+            SELECT 1 FROM deployed_package_chain dpc2
+            INNER JOIN primitive_instance pi ON pi.package_id = dpc2.package_id AND pi.primitive_name = da.attribute_name
+            INNER JOIN primitive_definition pd ON pd.primitive_definition_id = pi.primitive_definition_id AND pd.primitive_name = 'AlarmExtension'
+            WHERE dpc2.gobject_id = dpc.gobject_id
+        ) THEN 1 ELSE 0 END AS is_alarm,
+        ROW_NUMBER() OVER (
+            PARTITION BY dpc.gobject_id, da.attribute_name
+            ORDER BY dpc.depth
+        ) AS rn
+    FROM deployed_package_chain dpc
+    INNER JOIN dynamic_attribute da
+        ON da.package_id = dpc.package_id
+    INNER JOIN gobject g
+        ON g.gobject_id = dpc.gobject_id
+    INNER JOIN template_definition td
+        ON td.template_definition_id = g.template_definition_id
+    LEFT JOIN data_type dt
+        ON dt.mx_data_type = da.mx_data_type
+    WHERE td.category_id IN (1, 3, 4, 10, 11, 13, 17, 24, 26)
+        AND da.attribute_name NOT LIKE '[_]%'
+        AND da.attribute_name NOT LIKE '%.Description'
+        AND da.mx_attribute_category IN (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 24)
+) ranked
+WHERE rn = 1
+ORDER BY tag_name, attribute_name";
+}

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/Backend/Galaxy/GalaxyRepositoryOptions.cs

@@ -0,0 +1,13 @@
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend.Galaxy;
+
+/// <summary>
+///     Connection settings for the Galaxy <c>ZB</c> repository database. Set from the
+///     <c>DriverConfig</c> JSON section <c>Database</c> per <c>plan.md</c> §"Galaxy DriverConfig".
+/// </summary>
+public sealed class GalaxyRepositoryOptions
+{
+    public string ConnectionString { get; init; } =
+        "Server=localhost;Database=ZB;Integrated Security=True;TrustServerCertificate=True;Encrypt=False;";
+
+    public int CommandTimeoutSeconds { get; init; } = 60;
+}

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/Backend/IGalaxyBackend.cs

@@ -0,0 +1,34 @@
+using System.Collections.Generic;
+using System.Threading;
+using System.Threading.Tasks;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared.Contracts;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend;
+
+/// <summary>
+///     Galaxy data-plane abstraction. Replaces the placeholder <c>StubFrameHandler</c> with a
+///     real boundary the lifted <c>MxAccessClient</c> + <c>GalaxyRepository</c> implement during
+///     Phase 2 Task B.1. Splitting the IPC dispatch (<c>GalaxyFrameHandler</c>) from the
+///     backend means the dispatcher is unit-testable against an in-memory mock without needing
+///     live Galaxy.
+/// </summary>
+public interface IGalaxyBackend
+{
+    Task<OpenSessionResponse> OpenSessionAsync(OpenSessionRequest req, CancellationToken ct);
+    Task CloseSessionAsync(CloseSessionRequest req, CancellationToken ct);
+
+    Task<DiscoverHierarchyResponse> DiscoverAsync(DiscoverHierarchyRequest req, CancellationToken ct);
+
+    Task<ReadValuesResponse> ReadValuesAsync(ReadValuesRequest req, CancellationToken ct);
+    Task<WriteValuesResponse> WriteValuesAsync(WriteValuesRequest req, CancellationToken ct);
+
+    Task<SubscribeResponse> SubscribeAsync(SubscribeRequest req, CancellationToken ct);
+    Task UnsubscribeAsync(UnsubscribeRequest req, CancellationToken ct);
+
+    Task SubscribeAlarmsAsync(AlarmSubscribeRequest req, CancellationToken ct);
+    Task AcknowledgeAlarmAsync(AlarmAckRequest req, CancellationToken ct);
+
+    Task<HistoryReadResponse> HistoryReadAsync(HistoryReadRequest req, CancellationToken ct);
+
+    Task<RecycleStatusResponse> RecycleAsync(RecycleHostRequest req, CancellationToken ct);
+}

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/Backend/MxAccess/IMxProxy.cs

@@ -0,0 +1,43 @@
+using ArchestrA.MxAccess;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend.MxAccess;
+
+/// <summary>
+///     Delegate matching <c>LMXProxyServer.OnDataChange</c> COM event signature. Allows
+///     <see cref="MxAccessClient"/> to subscribe via the abstracted <see cref="IMxProxy"/>
+///     instead of the COM object directly (so the test mock works without MXAccess registered).
+/// </summary>
+public delegate void MxDataChangeHandler(
+    int hLMXServerHandle,
+    int phItemHandle,
+    object pvItemValue,
+    int pwItemQuality,
+    object pftItemTimeStamp,
+    ref MXSTATUS_PROXY[] ItemStatus);
+
+public delegate void MxWriteCompleteHandler(
+    int hLMXServerHandle,
+    int phItemHandle,
+    ref MXSTATUS_PROXY[] ItemStatus);
+
+/// <summary>
+///     Abstraction over <c>LMXProxyServer</c> — port of v1 <c>IMxProxy</c>. Same surface area
+///     so the lifted client behaves identically; only the namespace + apartment-marshalling
+///     entry-point change.
+/// </summary>
+public interface IMxProxy
+{
+    int Register(string clientName);
+    void Unregister(int handle);
+
+    int AddItem(int handle, string address);
+    void RemoveItem(int handle, int itemHandle);
+
+    void AdviseSupervisory(int handle, int itemHandle);
+    void UnAdviseSupervisory(int handle, int itemHandle);
+
+    void Write(int handle, int itemHandle, object value, int securityClassification);
+
+    event MxDataChangeHandler? OnDataChange;
+    event MxWriteCompleteHandler? OnWriteComplete;
+}

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/Backend/MxAccess/MxAccessClient.cs

@@ -0,0 +1,178 @@
+using System;
+using System.Collections.Concurrent;
+using System.Threading;
+using System.Threading.Tasks;
+using ArchestrA.MxAccess;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Sta;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend.MxAccess;
+
+/// <summary>
+///     MXAccess runtime client — focused port of v1 <c>MxAccessClient</c>. Owns one
+///     <c>LMXProxyServer</c> COM connection on the supplied <see cref="StaPump"/>; serializes
+///     read / write / subscribe through the pump because all COM calls must run on the STA
+///     thread. Subscriptions are stored so they can be replayed on reconnect (full reconnect
+///     loop is the deferred-but-non-blocking refinement; this version covers connect/read/write
+///     /subscribe/unsubscribe — the MVP needed for parity testing).
+/// </summary>
+public sealed class MxAccessClient : IDisposable
+{
+    private readonly StaPump _pump;
+    private readonly IMxProxy _proxy;
+    private readonly string _clientName;
+
+    // Galaxy attribute reference → MXAccess item handle (set on first Subscribe/Read).
+    private readonly ConcurrentDictionary<string, int> _addressToHandle = new(StringComparer.OrdinalIgnoreCase);
+    private readonly ConcurrentDictionary<int, string> _handleToAddress = new();
+    private readonly ConcurrentDictionary<string, Action<string, Vtq>> _subscriptions =
+        new(StringComparer.OrdinalIgnoreCase);
+    private readonly ConcurrentDictionary<int, TaskCompletionSource<bool>> _pendingWrites = new();
+
+    private int _connectionHandle;
+    private bool _connected;
+
+    public MxAccessClient(StaPump pump, IMxProxy proxy, string clientName)
+    {
+        _pump = pump;
+        _proxy = proxy;
+        _clientName = clientName;
+        _proxy.OnDataChange += OnDataChange;
+        _proxy.OnWriteComplete += OnWriteComplete;
+    }
+
+    public bool IsConnected => _connected;
+    public int SubscriptionCount => _subscriptions.Count;
+
+    /// <summary>Connects on the STA thread. Idempotent.</summary>
+    public Task<int> ConnectAsync() => _pump.InvokeAsync(() =>
+    {
+        if (_connected) return _connectionHandle;
+        _connectionHandle = _proxy.Register(_clientName);
+        _connected = true;
+        return _connectionHandle;
+    });
+
+    public Task DisconnectAsync() => _pump.InvokeAsync(() =>
+    {
+        if (!_connected) return;
+        try { _proxy.Unregister(_connectionHandle); }
+        finally
+        {
+            _connected = false;
+            _addressToHandle.Clear();
+            _handleToAddress.Clear();
+        }
+    });
+
+    /// <summary>
+    ///     One-shot read implemented as a transient subscribe + unsubscribe.
+    ///     <c>LMXProxyServer</c> doesn't expose a synchronous read, so the canonical pattern
+    ///     (lifted from v1) is to subscribe, await the first OnDataChange, then unsubscribe.
+    ///     This method captures that single value.
+    /// </summary>
+    public async Task<Vtq> ReadAsync(string fullReference, TimeSpan timeout, CancellationToken ct)
+    {
+        if (!_connected) throw new InvalidOperationException("MxAccessClient not connected");
+
+        var tcs = new TaskCompletionSource<Vtq>(TaskCreationOptions.RunContinuationsAsynchronously);
+        Action<string, Vtq> oneShot = (_, value) => tcs.TrySetResult(value);
+
+        // Stash the one-shot handler before sending the subscribe, then remove it after firing.
+        _subscriptions.AddOrUpdate(fullReference, oneShot, (_, existing) => Combine(existing, oneShot));
+
+        var itemHandle = await SubscribeOnPumpAsync(fullReference);
+
+        using var _ = ct.Register(() => tcs.TrySetCanceled());
+        var raceTask = await Task.WhenAny(tcs.Task, Task.Delay(timeout, ct));
+        if (raceTask != tcs.Task) throw new TimeoutException($"MXAccess read of {fullReference} timed out after {timeout}");
+
+        // Detach the one-shot handler.
+        _subscriptions.AddOrUpdate(fullReference, _ => default!, (_, existing) => Remove(existing, oneShot));
+
+        return await tcs.Task;
+    }
+
+    public Task WriteAsync(string fullReference, object value, int securityClassification = 0) =>
+        _pump.InvokeAsync(() =>
+        {
+            if (!_connected) throw new InvalidOperationException("MxAccessClient not connected");
+            var itemHandle = ResolveItem(fullReference);
+            _proxy.Write(_connectionHandle, itemHandle, value, securityClassification);
+        });
+
+    public async Task SubscribeAsync(string fullReference, Action<string, Vtq> callback)
+    {
+        if (!_connected) throw new InvalidOperationException("MxAccessClient not connected");
+
+        _subscriptions.AddOrUpdate(fullReference, callback, (_, existing) => Combine(existing, callback));
+        await SubscribeOnPumpAsync(fullReference);
+    }
+
+    public Task UnsubscribeAsync(string fullReference) => _pump.InvokeAsync(() =>
+    {
+        if (!_connected) return;
+        if (!_addressToHandle.TryRemove(fullReference, out var handle)) return;
+        _handleToAddress.TryRemove(handle, out _);
+        _subscriptions.TryRemove(fullReference, out _);
+
+        try
+        {
+            _proxy.UnAdviseSupervisory(_connectionHandle, handle);
+            _proxy.RemoveItem(_connectionHandle, handle);
+        }
+        catch { /* best-effort during teardown */ }
+    });
+
+    private Task<int> SubscribeOnPumpAsync(string fullReference) => _pump.InvokeAsync(() =>
+    {
+        if (_addressToHandle.TryGetValue(fullReference, out var existing)) return existing;
+
+        var itemHandle = _proxy.AddItem(_connectionHandle, fullReference);
+        _addressToHandle[fullReference] = itemHandle;
+        _handleToAddress[itemHandle] = fullReference;
+        _proxy.AdviseSupervisory(_connectionHandle, itemHandle);
+        return itemHandle;
+    });
+
+    private int ResolveItem(string fullReference)
+    {
+        if (_addressToHandle.TryGetValue(fullReference, out var existing)) return existing;
+        var itemHandle = _proxy.AddItem(_connectionHandle, fullReference);
+        _addressToHandle[fullReference] = itemHandle;
+        _handleToAddress[itemHandle] = fullReference;
+        return itemHandle;
+    }
+
+    private void OnDataChange(int hLMXServerHandle, int phItemHandle, object pvItemValue,
+        int pwItemQuality, object pftItemTimeStamp, ref MXSTATUS_PROXY[] itemStatus)
+    {
+        if (!_handleToAddress.TryGetValue(phItemHandle, out var fullRef)) return;
+
+        var ts = pftItemTimeStamp is DateTime dt ? dt.ToUniversalTime() : DateTime.UtcNow;
+        var quality = (byte)Math.Min(255, Math.Max(0, pwItemQuality));
+        var vtq = new Vtq(pvItemValue, ts, quality);
+
+        if (_subscriptions.TryGetValue(fullRef, out var cb)) cb?.Invoke(fullRef, vtq);
+    }
+
+    private void OnWriteComplete(int hLMXServerHandle, int phItemHandle, ref MXSTATUS_PROXY[] itemStatus)
+    {
+        if (_pendingWrites.TryRemove(phItemHandle, out var tcs))
+            tcs.TrySetResult(itemStatus is null || itemStatus.Length == 0 || itemStatus[0].success != 0);
+    }
+
+    private static Action<string, Vtq> Combine(Action<string, Vtq> a, Action<string, Vtq> b)
+        => (Action<string, Vtq>)Delegate.Combine(a, b)!;
+
+    private static Action<string, Vtq> Remove(Action<string, Vtq> source, Action<string, Vtq> remove)
+        => (Action<string, Vtq>?)Delegate.Remove(source, remove) ?? ((_, _) => { });
+
+    public void Dispose()
+    {
+        try { DisconnectAsync().GetAwaiter().GetResult(); }
+        catch { /* swallow */ }
+
+        _proxy.OnDataChange -= OnDataChange;
+        _proxy.OnWriteComplete -= OnWriteComplete;
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/Backend/MxAccess/MxProxyAdapter.cs

@@ -0,0 +1,68 @@
+using System;
+using System.Runtime.InteropServices;
+using ArchestrA.MxAccess;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend.MxAccess;
+
+/// <summary>
+///     Concrete <see cref="IMxProxy"/> backed by a real <c>LMXProxyServer</c> COM object.
+///     Port of v1 <c>MxProxyAdapter</c>. <strong>Must only be constructed on an STA thread</strong>
+///     — the StaPump owns this instance.
+/// </summary>
+public sealed class MxProxyAdapter : IMxProxy, IDisposable
+{
+    private LMXProxyServer? _lmxProxy;
+
+    public event MxDataChangeHandler? OnDataChange;
+    public event MxWriteCompleteHandler? OnWriteComplete;
+
+    public int Register(string clientName)
+    {
+        _lmxProxy = new LMXProxyServer();
+        _lmxProxy.OnDataChange += ProxyOnDataChange;
+        _lmxProxy.OnWriteComplete += ProxyOnWriteComplete;
+
+        var handle = _lmxProxy.Register(clientName);
+        if (handle <= 0)
+            throw new InvalidOperationException($"LMXProxyServer.Register returned invalid handle: {handle}");
+        return handle;
+    }
+
+    public void Unregister(int handle)
+    {
+        if (_lmxProxy is null) return;
+        try
+        {
+            _lmxProxy.OnDataChange -= ProxyOnDataChange;
+            _lmxProxy.OnWriteComplete -= ProxyOnWriteComplete;
+            _lmxProxy.Unregister(handle);
+        }
+        finally
+        {
+            // ReleaseComObject loop until refcount = 0 — the Tier C SafeHandle wraps this in
+            // production; here the lifetime is owned by the surrounding MxAccessHandle.
+            while (Marshal.IsComObject(_lmxProxy) && Marshal.ReleaseComObject(_lmxProxy) > 0) { }
+            _lmxProxy = null;
+        }
+    }
+
+    public int AddItem(int handle, string address) => _lmxProxy!.AddItem(handle, address);
+
+    public void RemoveItem(int handle, int itemHandle) => _lmxProxy!.RemoveItem(handle, itemHandle);
+
+    public void AdviseSupervisory(int handle, int itemHandle) => _lmxProxy!.AdviseSupervisory(handle, itemHandle);
+
+    public void UnAdviseSupervisory(int handle, int itemHandle) => _lmxProxy!.UnAdvise(handle, itemHandle);
+
+    public void Write(int handle, int itemHandle, object value, int securityClassification) =>
+        _lmxProxy!.Write(handle, itemHandle, value, securityClassification);
+
+    private void ProxyOnDataChange(int hLMXServerHandle, int phItemHandle, object pvItemValue,
+        int pwItemQuality, object pftItemTimeStamp, ref MXSTATUS_PROXY[] ItemStatus)
+        => OnDataChange?.Invoke(hLMXServerHandle, phItemHandle, pvItemValue, pwItemQuality, pftItemTimeStamp, ref ItemStatus);
+
+    private void ProxyOnWriteComplete(int hLMXServerHandle, int phItemHandle, ref MXSTATUS_PROXY[] ItemStatus)
+        => OnWriteComplete?.Invoke(hLMXServerHandle, phItemHandle, ref ItemStatus);
+
+    public void Dispose() => Unregister(0);
+}

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/Backend/MxAccess/Vtq.cs

@@ -0,0 +1,24 @@
+using System;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend.MxAccess;
+
+/// <summary>Value-timestamp-quality triplet — port of v1 <c>Vtq</c>.</summary>
+public readonly struct Vtq
+{
+    public object? Value { get; }
+    public DateTime TimestampUtc { get; }
+    public byte Quality { get; }
+
+    public Vtq(object? value, DateTime timestampUtc, byte quality)
+    {
+        Value = value;
+        TimestampUtc = timestampUtc;
+        Quality = quality;
+    }
+
+    /// <summary>OPC DA Good = 192.</summary>
+    public static Vtq Good(object? v) => new(v, DateTime.UtcNow, 192);
+
+    /// <summary>OPC DA Bad = 0.</summary>
+    public static Vtq Bad() => new(null, DateTime.UtcNow, 0);
+}

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/Backend/MxAccessGalaxyBackend.cs

@@ -0,0 +1,210 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading;
+using System.Threading.Tasks;
+using MessagePack;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend.Galaxy;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend.MxAccess;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared.Contracts;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend;
+
+/// <summary>
+///     Production <see cref="IGalaxyBackend"/> — combines the SQL-backed
+///     <see cref="GalaxyRepository"/> for Discover with the live MXAccess
+///     <see cref="MxAccessClient"/> for Read / Write / Subscribe. History stays bad-coded
+///     until the Wonderware Historian SDK plugin loader (Task B.1.h) lands. Alarms come from
+///     MxAccess <c>AlarmExtension</c> primitives but the wire-up is also Phase 2 follow-up
+///     (the v1 alarm subsystem is its own subtree).
+/// </summary>
+public sealed class MxAccessGalaxyBackend : IGalaxyBackend
+{
+    private readonly GalaxyRepository _repository;
+    private readonly MxAccessClient _mx;
+    private long _nextSessionId;
+    private long _nextSubscriptionId;
+
+    // Active SubscriptionId → MXAccess full reference list — so Unsubscribe can find them.
+    private readonly System.Collections.Concurrent.ConcurrentDictionary<long, IReadOnlyList<string>> _subs = new();
+
+    public MxAccessGalaxyBackend(GalaxyRepository repository, MxAccessClient mx)
+    {
+        _repository = repository;
+        _mx = mx;
+    }
+
+    public async Task<OpenSessionResponse> OpenSessionAsync(OpenSessionRequest req, CancellationToken ct)
+    {
+        try
+        {
+            await _mx.ConnectAsync();
+            return new OpenSessionResponse { Success = true, SessionId = Interlocked.Increment(ref _nextSessionId) };
+        }
+        catch (Exception ex)
+        {
+            return new OpenSessionResponse { Success = false, Error = $"MXAccess connect failed: {ex.Message}" };
+        }
+    }
+
+    public async Task CloseSessionAsync(CloseSessionRequest req, CancellationToken ct)
+    {
+        await _mx.DisconnectAsync();
+    }
+
+    public async Task<DiscoverHierarchyResponse> DiscoverAsync(DiscoverHierarchyRequest req, CancellationToken ct)
+    {
+        try
+        {
+            var hierarchy = await _repository.GetHierarchyAsync(ct).ConfigureAwait(false);
+            var attributes = await _repository.GetAttributesAsync(ct).ConfigureAwait(false);
+
+            var attrsByGobject = attributes
+                .GroupBy(a => a.GobjectId)
+                .ToDictionary(g => g.Key, g => g.Select(MapAttribute).ToArray());
+            var nameByGobject = hierarchy.ToDictionary(o => o.GobjectId, o => o.TagName);
+
+            var objects = hierarchy.Select(o => new GalaxyObjectInfo
+            {
+                ContainedName = string.IsNullOrEmpty(o.ContainedName) ? o.TagName : o.ContainedName,
+                TagName = o.TagName,
+                ParentContainedName = o.ParentGobjectId != 0 && nameByGobject.TryGetValue(o.ParentGobjectId, out var p) ? p : null,
+                TemplateCategory = MapCategory(o.CategoryId),
+                Attributes = attrsByGobject.TryGetValue(o.GobjectId, out var a) ? a : Array.Empty<GalaxyAttributeInfo>(),
+            }).ToArray();
+
+            return new DiscoverHierarchyResponse { Success = true, Objects = objects };
+        }
+        catch (Exception ex)
+        {
+            return new DiscoverHierarchyResponse { Success = false, Error = ex.Message, Objects = Array.Empty<GalaxyObjectInfo>() };
+        }
+    }
+
+    public async Task<ReadValuesResponse> ReadValuesAsync(ReadValuesRequest req, CancellationToken ct)
+    {
+        if (!_mx.IsConnected) return new ReadValuesResponse { Success = false, Error = "Not connected", Values = Array.Empty<GalaxyDataValue>() };
+
+        var results = new List<GalaxyDataValue>(req.TagReferences.Length);
+        foreach (var reference in req.TagReferences)
+        {
+            try
+            {
+                var vtq = await _mx.ReadAsync(reference, TimeSpan.FromSeconds(5), ct);
+                results.Add(ToWire(reference, vtq));
+            }
+            catch (Exception ex)
+            {
+                results.Add(new GalaxyDataValue
+                {
+                    TagReference = reference,
+                    StatusCode = 0x80020000u, // Bad_InternalError
+                    ServerTimestampUtcUnixMs = DateTimeOffset.UtcNow.ToUnixTimeMilliseconds(),
+                    ValueBytes = MessagePackSerializer.Serialize(ex.Message),
+                });
+            }
+        }
+
+        return new ReadValuesResponse { Success = true, Values = results.ToArray() };
+    }
+
+    public async Task<WriteValuesResponse> WriteValuesAsync(WriteValuesRequest req, CancellationToken ct)
+    {
+        var results = new List<WriteValueResult>(req.Writes.Length);
+        foreach (var w in req.Writes)
+        {
+            try
+            {
+                // Decode the value back from the MessagePack bytes the Proxy sent.
+                var value = w.ValueBytes is null
+                    ? null
+                    : MessagePackSerializer.Deserialize<object>(w.ValueBytes);
+
+                await _mx.WriteAsync(w.TagReference, value!);
+                results.Add(new WriteValueResult { TagReference = w.TagReference, StatusCode = 0 });
+            }
+            catch (Exception ex)
+            {
+                results.Add(new WriteValueResult { TagReference = w.TagReference, StatusCode = 0x80020000u, Error = ex.Message });
+            }
+        }
+        return new WriteValuesResponse { Results = results.ToArray() };
+    }
+
+    public async Task<SubscribeResponse> SubscribeAsync(SubscribeRequest req, CancellationToken ct)
+    {
+        var sid = Interlocked.Increment(ref _nextSubscriptionId);
+
+        try
+        {
+            // For each requested tag, register a subscription that publishes back via the
+            // shared MXAccess data-change handler. The OnDataChange push frame to the Proxy
+            // is wired in the upcoming subscription-push pass; for now the value is captured
+            // for the first ReadAsync to hit it (so the subscribe surface itself is functional).
+            foreach (var tag in req.TagReferences)
+                await _mx.SubscribeAsync(tag, (_, __) => { /* push-frame plumbing in next iteration */ });
+
+            _subs[sid] = req.TagReferences;
+            return new SubscribeResponse { Success = true, SubscriptionId = sid, ActualIntervalMs = req.RequestedIntervalMs };
+        }
+        catch (Exception ex)
+        {
+            return new SubscribeResponse { Success = false, Error = ex.Message };
+        }
+    }
+
+    public async Task UnsubscribeAsync(UnsubscribeRequest req, CancellationToken ct)
+    {
+        if (!_subs.TryRemove(req.SubscriptionId, out var refs)) return;
+        foreach (var r in refs)
+            await _mx.UnsubscribeAsync(r);
+    }
+
+    public Task SubscribeAlarmsAsync(AlarmSubscribeRequest req, CancellationToken ct) => Task.CompletedTask;
+    public Task AcknowledgeAlarmAsync(AlarmAckRequest req, CancellationToken ct) => Task.CompletedTask;
+
+    public Task<HistoryReadResponse> HistoryReadAsync(HistoryReadRequest req, CancellationToken ct)
+        => Task.FromResult(new HistoryReadResponse
+        {
+            Success = false,
+            Error = "Wonderware Historian plugin loader not yet wired (Phase 2 Task B.1.h follow-up)",
+            Tags = Array.Empty<HistoryTagValues>(),
+        });
+
+    public Task<RecycleStatusResponse> RecycleAsync(RecycleHostRequest req, CancellationToken ct)
+        => Task.FromResult(new RecycleStatusResponse { Accepted = true, GraceSeconds = 15 });
+
+    private static GalaxyDataValue ToWire(string reference, Vtq vtq) => new()
+    {
+        TagReference = reference,
+        ValueBytes = vtq.Value is null ? null : MessagePackSerializer.Serialize(vtq.Value),
+        ValueMessagePackType = 0,
+        StatusCode = vtq.Quality >= 192 ? 0u : 0x40000000u, // Good vs Uncertain placeholder
+        SourceTimestampUtcUnixMs = new DateTimeOffset(vtq.TimestampUtc, TimeSpan.Zero).ToUnixTimeMilliseconds(),
+        ServerTimestampUtcUnixMs = DateTimeOffset.UtcNow.ToUnixTimeMilliseconds(),
+    };
+
+    private static GalaxyAttributeInfo MapAttribute(GalaxyAttributeRow row) => new()
+    {
+        AttributeName = row.AttributeName,
+        MxDataType = row.MxDataType,
+        IsArray = row.IsArray,
+        ArrayDim = row.ArrayDimension is int d and > 0 ? (uint)d : null,
+        SecurityClassification = row.SecurityClassification,
+        IsHistorized = row.IsHistorized,
+    };
+
+    private static string MapCategory(int categoryId) => categoryId switch
+    {
+        1 => "$WinPlatform",
+        3 => "$AppEngine",
+        4 => "$Area",
+        10 => "$UserDefined",
+        11 => "$ApplicationObject",
+        13 => "$Area",
+        17 => "$DeviceIntegration",
+        24 => "$ViewEngine",
+        26 => "$ViewApp",
+        _ => $"category-{categoryId}",
+    };
+}

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/Backend/StubGalaxyBackend.cs

@@ -0,0 +1,87 @@
+using System.Threading;
+using System.Threading.Tasks;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared.Contracts;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend;
+
+/// <summary>
+///     Phase 2 placeholder backend — accepts session open/close + responds to recycle, returns
+///     "not-implemented" results for every data-plane call. Replaced by the lifted
+///     <c>MxAccessClient</c>-backed implementation during the deferred Galaxy code move
+///     (Task B.1 + parity gate). Keeps the IPC end-to-end testable today.
+/// </summary>
+public sealed class StubGalaxyBackend : IGalaxyBackend
+{
+    private long _nextSessionId;
+    private long _nextSubscriptionId;
+
+    public Task<OpenSessionResponse> OpenSessionAsync(OpenSessionRequest req, CancellationToken ct)
+    {
+        var id = Interlocked.Increment(ref _nextSessionId);
+        return Task.FromResult(new OpenSessionResponse { Success = true, SessionId = id });
+    }
+
+    public Task CloseSessionAsync(CloseSessionRequest req, CancellationToken ct) => Task.CompletedTask;
+
+    public Task<DiscoverHierarchyResponse> DiscoverAsync(DiscoverHierarchyRequest req, CancellationToken ct)
+        => Task.FromResult(new DiscoverHierarchyResponse
+        {
+            Success = false,
+            Error = "stub: MXAccess code lift pending (Phase 2 Task B.1)",
+            Objects = System.Array.Empty<GalaxyObjectInfo>(),
+        });
+
+    public Task<ReadValuesResponse> ReadValuesAsync(ReadValuesRequest req, CancellationToken ct)
+        => Task.FromResult(new ReadValuesResponse
+        {
+            Success = false,
+            Error = "stub: MXAccess code lift pending (Phase 2 Task B.1)",
+            Values = System.Array.Empty<GalaxyDataValue>(),
+        });
+
+    public Task<WriteValuesResponse> WriteValuesAsync(WriteValuesRequest req, CancellationToken ct)
+    {
+        var results = new WriteValueResult[req.Writes.Length];
+        for (var i = 0; i < req.Writes.Length; i++)
+        {
+            results[i] = new WriteValueResult
+            {
+                TagReference = req.Writes[i].TagReference,
+                StatusCode = 0x80020000u, // Bad_InternalError
+                Error = "stub: MXAccess code lift pending (Phase 2 Task B.1)",
+            };
+        }
+        return Task.FromResult(new WriteValuesResponse { Results = results });
+    }
+
+    public Task<SubscribeResponse> SubscribeAsync(SubscribeRequest req, CancellationToken ct)
+    {
+        var sid = Interlocked.Increment(ref _nextSubscriptionId);
+        return Task.FromResult(new SubscribeResponse
+        {
+            Success = true,
+            SubscriptionId = sid,
+            ActualIntervalMs = req.RequestedIntervalMs,
+        });
+    }
+
+    public Task UnsubscribeAsync(UnsubscribeRequest req, CancellationToken ct) => Task.CompletedTask;
+
+    public Task SubscribeAlarmsAsync(AlarmSubscribeRequest req, CancellationToken ct) => Task.CompletedTask;
+    public Task AcknowledgeAlarmAsync(AlarmAckRequest req, CancellationToken ct) => Task.CompletedTask;
+
+    public Task<HistoryReadResponse> HistoryReadAsync(HistoryReadRequest req, CancellationToken ct)
+        => Task.FromResult(new HistoryReadResponse
+        {
+            Success = false,
+            Error = "stub: MXAccess code lift pending (Phase 2 Task B.1)",
+            Tags = System.Array.Empty<HistoryTagValues>(),
+        });
+
+    public Task<RecycleStatusResponse> RecycleAsync(RecycleHostRequest req, CancellationToken ct)
+        => Task.FromResult(new RecycleStatusResponse
+        {
+            Accepted = true,
+            GraceSeconds = 15, // matches Phase 2 plan §B.8 default
+        });
+}

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/Ipc/GalaxyFrameHandler.cs

@@ -0,0 +1,107 @@
+using System;
+using System.Threading;
+using System.Threading.Tasks;
+using MessagePack;
+using Serilog;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared.Contracts;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Ipc;
+
+/// <summary>
+///     Real IPC dispatcher — routes each <see cref="MessageKind"/> to the matching
+///     <see cref="IGalaxyBackend"/> method. Replaces <see cref="StubFrameHandler"/>. Heartbeat
+///     stays handled inline so liveness detection works regardless of backend health.
+/// </summary>
+public sealed class GalaxyFrameHandler(IGalaxyBackend backend, ILogger logger) : IFrameHandler
+{
+    public async Task HandleAsync(MessageKind kind, byte[] body, FrameWriter writer, CancellationToken ct)
+    {
+        try
+        {
+            switch (kind)
+            {
+                case MessageKind.Heartbeat:
+                {
+                    var hb = Deserialize<Heartbeat>(body);
+                    await writer.WriteAsync(MessageKind.HeartbeatAck,
+                        new HeartbeatAck { SequenceNumber = hb.SequenceNumber, UtcUnixMs = hb.UtcUnixMs }, ct);
+                    return;
+                }
+                case MessageKind.OpenSessionRequest:
+                {
+                    var resp = await backend.OpenSessionAsync(Deserialize<OpenSessionRequest>(body), ct);
+                    await writer.WriteAsync(MessageKind.OpenSessionResponse, resp, ct);
+                    return;
+                }
+                case MessageKind.CloseSessionRequest:
+                    await backend.CloseSessionAsync(Deserialize<CloseSessionRequest>(body), ct);
+                    return; // one-way
+
+                case MessageKind.DiscoverHierarchyRequest:
+                {
+                    var resp = await backend.DiscoverAsync(Deserialize<DiscoverHierarchyRequest>(body), ct);
+                    await writer.WriteAsync(MessageKind.DiscoverHierarchyResponse, resp, ct);
+                    return;
+                }
+                case MessageKind.ReadValuesRequest:
+                {
+                    var resp = await backend.ReadValuesAsync(Deserialize<ReadValuesRequest>(body), ct);
+                    await writer.WriteAsync(MessageKind.ReadValuesResponse, resp, ct);
+                    return;
+                }
+                case MessageKind.WriteValuesRequest:
+                {
+                    var resp = await backend.WriteValuesAsync(Deserialize<WriteValuesRequest>(body), ct);
+                    await writer.WriteAsync(MessageKind.WriteValuesResponse, resp, ct);
+                    return;
+                }
+                case MessageKind.SubscribeRequest:
+                {
+                    var resp = await backend.SubscribeAsync(Deserialize<SubscribeRequest>(body), ct);
+                    await writer.WriteAsync(MessageKind.SubscribeResponse, resp, ct);
+                    return;
+                }
+                case MessageKind.UnsubscribeRequest:
+                    await backend.UnsubscribeAsync(Deserialize<UnsubscribeRequest>(body), ct);
+                    return; // one-way
+
+                case MessageKind.AlarmSubscribeRequest:
+                    await backend.SubscribeAlarmsAsync(Deserialize<AlarmSubscribeRequest>(body), ct);
+                    return; // one-way; subsequent alarm events are server-pushed
+                case MessageKind.AlarmAckRequest:
+                    await backend.AcknowledgeAlarmAsync(Deserialize<AlarmAckRequest>(body), ct);
+                    return;
+
+                case MessageKind.HistoryReadRequest:
+                {
+                    var resp = await backend.HistoryReadAsync(Deserialize<HistoryReadRequest>(body), ct);
+                    await writer.WriteAsync(MessageKind.HistoryReadResponse, resp, ct);
+                    return;
+                }
+                case MessageKind.RecycleHostRequest:
+                {
+                    var resp = await backend.RecycleAsync(Deserialize<RecycleHostRequest>(body), ct);
+                    await writer.WriteAsync(MessageKind.RecycleStatusResponse, resp, ct);
+                    return;
+                }
+                default:
+                    await SendErrorAsync(writer, "unknown-kind", $"Frame kind {kind} not handled by Host", ct);
+                    return;
+            }
+        }
+        catch (OperationCanceledException) { throw; }
+        catch (Exception ex)
+        {
+            logger.Error(ex, "GalaxyFrameHandler threw on {Kind}", kind);
+            await SendErrorAsync(writer, "handler-exception", ex.Message, ct);
+        }
+    }
+
+    private static T Deserialize<T>(byte[] body) => MessagePackSerializer.Deserialize<T>(body);
+
+    private static Task SendErrorAsync(FrameWriter writer, string code, string message, CancellationToken ct)
+        => writer.WriteAsync(MessageKind.ErrorResponse,
+            new ErrorResponse { Code = code, Message = message }, ct);
+}

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/Program.cs

@@ -2,7 +2,11 @@ using System;
 using System.Security.Principal;
 using System.Threading;
 using Serilog;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend.Galaxy;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend.MxAccess;
 using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Ipc;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Sta;
 
 namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host;
 
@@ -38,8 +42,44 @@ public static class Program
 
             Log.Information("OtOpcUaGalaxyHost starting — pipe={Pipe} allowedSid={Sid}", pipeName, allowedSidValue);
 
-            var handler = new StubFrameHandler();
-            server.RunAsync(handler, cts.Token).GetAwaiter().GetResult();
+            // Backend selection — env var picks the implementation:
+            //   OTOPCUA_GALAXY_BACKEND=stub       → StubGalaxyBackend (no Galaxy required)
+            //   OTOPCUA_GALAXY_BACKEND=db         → DbBackedGalaxyBackend (Discover only, against ZB)
+            //   OTOPCUA_GALAXY_BACKEND=mxaccess   → MxAccessGalaxyBackend (real COM + ZB; default)
+            var backendKind = Environment.GetEnvironmentVariable("OTOPCUA_GALAXY_BACKEND")?.ToLowerInvariant() ?? "mxaccess";
+            var zbConn = Environment.GetEnvironmentVariable("OTOPCUA_GALAXY_ZB_CONN")
+                         ?? "Server=localhost;Database=ZB;Integrated Security=True;TrustServerCertificate=True;Encrypt=False;";
+            var clientName = Environment.GetEnvironmentVariable("OTOPCUA_GALAXY_CLIENT_NAME") ?? "OtOpcUa-Galaxy.Host";
+
+            IGalaxyBackend backend;
+            StaPump? pump = null;
+            MxAccessClient? mx = null;
+            switch (backendKind)
+            {
+                case "stub":
+                    backend = new StubGalaxyBackend();
+                    break;
+                case "db":
+                    backend = new DbBackedGalaxyBackend(new GalaxyRepository(new GalaxyRepositoryOptions { ConnectionString = zbConn }));
+                    break;
+                default: // mxaccess
+                    pump = new StaPump("Galaxy.Sta");
+                    pump.WaitForStartedAsync().GetAwaiter().GetResult();
+                    mx = new MxAccessClient(pump, new MxProxyAdapter(), clientName);
+                    backend = new MxAccessGalaxyBackend(
+                        new GalaxyRepository(new GalaxyRepositoryOptions { ConnectionString = zbConn }),
+                        mx);
+                    break;
+            }
+
+            Log.Information("OtOpcUaGalaxyHost backend={Backend}", backendKind);
+            var handler = new GalaxyFrameHandler(backend, Log.Logger);
+            try { server.RunAsync(handler, cts.Token).GetAwaiter().GetResult(); }
+            finally
+            {
+                mx?.Dispose();
+                pump?.Dispose();
+            }
 
             Log.Information("OtOpcUaGalaxyHost stopped cleanly");
             return 0;

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/Sta/StaPump.cs

@@ -1,31 +1,37 @@
 using System;
 using System.Collections.Concurrent;
+using System.Runtime.InteropServices;
 using System.Threading;
 using System.Threading.Tasks;
 
 namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Sta;
 
 /// <summary>
-///     Dedicated STA thread that owns all <c>LMXProxyServer</c> COM instances. Work items are
-///     posted from any thread and dispatched on the STA. Per <c>driver-stability.md</c> Galaxy
-///     deep dive §"STA thread + Win32 message pump".
+///     Dedicated STA thread with a Win32 message pump that owns all <c>LMXProxyServer</c> COM
+///     instances. Lifted from v1 <c>StaComThread</c> per CLAUDE.md "Reference Implementation".
+///     Per <c>driver-stability.md</c> Galaxy deep dive §"STA thread + Win32 message pump":
+///     work items dispatched via <c>PostThreadMessage(WM_APP)</c>; <c>WM_APP+1</c> requests a
+///     graceful drain → <c>WM_QUIT</c>; supervisor escalates to <c>Environment.Exit(2)</c> if the
+///     pump doesn't drain within the recycle grace window.
 /// </summary>
-/// <remarks>
-///     Phase 2 scaffold: uses a <see cref="BlockingCollection{T}"/> dispatcher instead of the real
-///     Win32 <c>GetMessage/DispatchMessage</c> pump. Real pump arrives when the v1 <c>StaComThread</c>
-///     is lifted — that's part of the deferred Galaxy code move. The apartment state and work
-///     dispatch semantics are identical so production code can be swapped in without changes.
-/// </remarks>
 public sealed class StaPump : IDisposable
 {
+    private const uint WM_APP = 0x8000;
+    private const uint WM_DRAIN_AND_QUIT = WM_APP + 1;
+    private const uint PM_NOREMOVE = 0x0000;
+
     private readonly Thread _thread;
-    private readonly BlockingCollection<Action> _workQueue = new(new ConcurrentQueue<Action>());
+    private readonly ConcurrentQueue<WorkItem> _workItems = new();
     private readonly TaskCompletionSource<bool> _started = new(TaskCreationOptions.RunContinuationsAsynchronously);
+
+    private volatile uint _nativeThreadId;
+    private volatile bool _pumpExited;
     private volatile bool _disposed;
 
     public int ThreadId => _thread.ManagedThreadId;
     public DateTime LastDispatchedUtc { get; private set; } = DateTime.MinValue;
-    public int QueueDepth => _workQueue.Count;
+    public int QueueDepth => _workItems.Count;
+    public bool IsRunning => _nativeThreadId != 0 && !_disposed && !_pumpExited;
 
     public StaPump(string name = "Galaxy.Sta")
     {
@@ -40,24 +46,36 @@ public sealed class StaPump : IDisposable
     public Task<T> InvokeAsync<T>(Func<T> work)
     {
         if (_disposed) throw new ObjectDisposedException(nameof(StaPump));
+        if (_pumpExited) throw new InvalidOperationException("STA pump has exited");
 
         var tcs = new TaskCompletionSource<T>(TaskCreationOptions.RunContinuationsAsynchronously);
-        _workQueue.Add(() =>
+        _workItems.Enqueue(new WorkItem(
+            () =>
+            {
+                try { tcs.TrySetResult(work()); }
+                catch (Exception ex) { tcs.TrySetException(ex); }
+            },
+            ex => tcs.TrySetException(ex)));
+
+        if (!PostThreadMessage(_nativeThreadId, WM_APP, IntPtr.Zero, IntPtr.Zero))
         {
-            try { tcs.SetResult(work()); }
-            catch (Exception ex) { tcs.SetException(ex); }
-        });
+            _pumpExited = true;
+            DrainAndFaultQueue();
+        }
+
         return tcs.Task;
     }
 
     public Task InvokeAsync(Action work) => InvokeAsync(() => { work(); return 0; });
 
     /// <summary>
-    ///     Health probe — returns true if a no-op work item round-trips within <paramref name="timeout"/>.
-    ///     Used by the supervisor; timeout means the pump is wedged and a recycle is warranted.
+    ///     Health probe — returns true if a no-op work item round-trips within
+    ///     <paramref name="timeout"/>. Used by the supervisor; timeout means the pump is wedged
+    ///     and a recycle is warranted (Task B.2 acceptance).
     /// </summary>
     public async Task<bool> IsResponsiveAsync(TimeSpan timeout)
     {
+        if (!IsRunning) return false;
         var task = InvokeAsync(() => { });
         var completed = await Task.WhenAny(task, Task.Delay(timeout)).ConfigureAwait(false);
         return completed == task;
@@ -65,27 +83,124 @@ public sealed class StaPump : IDisposable
 
     private void PumpLoop()
     {
-        _started.TrySetResult(true);
         try
         {
-            while (!_disposed)
+            _nativeThreadId = GetCurrentThreadId();
+
+            // Force the system to create the thread message queue before we signal Started.
+            // PeekMessage(PM_NOREMOVE) on an empty queue is the documented way to do this.
+            PeekMessage(out _, IntPtr.Zero, 0, 0, PM_NOREMOVE);
+
+            _started.TrySetResult(true);
+
+            // GetMessage returns 0 on WM_QUIT, -1 on error, otherwise a positive value.
+            while (GetMessage(out var msg, IntPtr.Zero, 0, 0) > 0)
             {
-                if (_workQueue.TryTake(out var work, Timeout.Infinite))
+                if (msg.message == WM_APP)
                 {
-                    work();
-                    LastDispatchedUtc = DateTime.UtcNow;
+                    DrainQueue();
+                }
+                else if (msg.message == WM_DRAIN_AND_QUIT)
+                {
+                    DrainQueue();
+                    PostQuitMessage(0);
+                }
+                else
+                {
+                    // Pass through any window/dialog messages the COM proxy may inject.
+                    TranslateMessage(ref msg);
+                    DispatchMessage(ref msg);
                 }
             }
         }
-        catch (InvalidOperationException) { /* CompleteAdding called during dispose */ }
+        catch (Exception ex)
+        {
+            _started.TrySetException(ex);
+        }
+        finally
+        {
+            _pumpExited = true;
+            DrainAndFaultQueue();
+        }
+    }
+
+    private void DrainQueue()
+    {
+        while (_workItems.TryDequeue(out var item))
+        {
+            item.Execute();
+            LastDispatchedUtc = DateTime.UtcNow;
+        }
+    }
+
+    private void DrainAndFaultQueue()
+    {
+        var ex = new InvalidOperationException("STA pump has exited");
+        while (_workItems.TryDequeue(out var item))
+        {
+            try { item.Fault(ex); }
+            catch { /* faulting a TCS shouldn't throw, but be defensive */ }
+        }
     }
 
     public void Dispose()
     {
         if (_disposed) return;
         _disposed = true;
-        _workQueue.CompleteAdding();
-        _thread.Join(TimeSpan.FromSeconds(5));
-        _workQueue.Dispose();
+
+        try
+        {
+            if (_nativeThreadId != 0 && !_pumpExited)
+                PostThreadMessage(_nativeThreadId, WM_DRAIN_AND_QUIT, IntPtr.Zero, IntPtr.Zero);
+            _thread.Join(TimeSpan.FromSeconds(5));
+        }
+        catch { /* swallow — best effort */ }
+
+        DrainAndFaultQueue();
     }
+
+    private sealed record WorkItem(Action Execute, Action<Exception> Fault);
+
+    #region Win32 P/Invoke
+
+    [StructLayout(LayoutKind.Sequential)]
+    private struct MSG
+    {
+        public IntPtr hwnd;
+        public uint message;
+        public IntPtr wParam;
+        public IntPtr lParam;
+        public uint time;
+        public POINT pt;
+    }
+
+    [StructLayout(LayoutKind.Sequential)]
+    private struct POINT { public int x; public int y; }
+
+    [DllImport("user32.dll")]
+    private static extern int GetMessage(out MSG lpMsg, IntPtr hWnd, uint wMsgFilterMin, uint wMsgFilterMax);
+
+    [DllImport("user32.dll")]
+    [return: MarshalAs(UnmanagedType.Bool)]
+    private static extern bool TranslateMessage(ref MSG lpMsg);
+
+    [DllImport("user32.dll")]
+    private static extern IntPtr DispatchMessage(ref MSG lpMsg);
+
+    [DllImport("user32.dll")]
+    [return: MarshalAs(UnmanagedType.Bool)]
+    private static extern bool PostThreadMessage(uint idThread, uint Msg, IntPtr wParam, IntPtr lParam);
+
+    [DllImport("user32.dll")]
+    private static extern void PostQuitMessage(int nExitCode);
+
+    [DllImport("user32.dll")]
+    [return: MarshalAs(UnmanagedType.Bool)]
+    private static extern bool PeekMessage(out MSG lpMsg, IntPtr hWnd, uint wMsgFilterMin, uint wMsgFilterMax,
+        uint wRemoveMsg);
+
+    [DllImport("kernel32.dll")]
+    private static extern uint GetCurrentThreadId();
+
+    #endregion
 }

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.csproj

@@ -3,10 +3,11 @@
     <PropertyGroup>
         <OutputType>Exe</OutputType>
         <TargetFramework>net48</TargetFramework>
-        <!-- Decision #23: x86 required for MXAccess COM interop. Currently AnyCPU is OK because
-             the actual MXAccess code lift is deferred (it stays in the v1 Host until the Phase 2
-             parity gate); flip to x86 when Task B.1 "move Galaxy code" actually executes. -->
-        <PlatformTarget>AnyCPU</PlatformTarget>
+        <!-- Decision #23: x86 required for MXAccess COM interop. The MxAccess COM client is
+             now ported (Backend/MxAccess/) so we need the x86 platform target for the
+             ArchestrA.MxAccess.dll COM interop reference to resolve at runtime. -->
+        <PlatformTarget>x86</PlatformTarget>
+        <Prefer32Bit>true</Prefer32Bit>
         <Nullable>enable</Nullable>
         <LangVersion>latest</LangVersion>
         <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
@@ -20,6 +21,7 @@
         <PackageReference Include="System.IO.Pipes.AccessControl" Version="5.0.0"/>
         <PackageReference Include="System.Memory" Version="4.5.5"/>
         <PackageReference Include="System.Threading.Tasks.Extensions" Version="4.5.4"/>
+        <PackageReference Include="System.Data.SqlClient" Version="4.9.0"/>
         <PackageReference Include="Serilog" Version="4.2.0"/>
         <PackageReference Include="Serilog.Sinks.File" Version="7.0.0"/>
     </ItemGroup>
@@ -28,6 +30,13 @@
         <ProjectReference Include="..\ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared\ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared.csproj"/>
     </ItemGroup>
 
+    <ItemGroup>
+        <Reference Include="ArchestrA.MxAccess">
+            <HintPath>..\..\lib\ArchestrA.MxAccess.dll</HintPath>
+            <Private>true</Private>
+        </Reference>
+    </ItemGroup>
+
     <ItemGroup>
         <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-37gx-xxp4-5rgx"/>
         <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-w3x6-4m5h-cxqf"/>

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy/GalaxyProxyDriver.cs

@@ -1,25 +1,43 @@
 using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
 using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.Ipc;
 using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared.Contracts;
+using IpcHostConnectivityStatus = ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared.Contracts.HostConnectivityStatus;
 
 namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy;
 
 /// <summary>
 ///     <see cref="IDriver"/> implementation that forwards every capability over the Galaxy IPC
-///     channel to the out-of-process Host. Implements <see cref="ITagDiscovery"/> as the
-///     Phase 2 minimum; other capability interfaces (<see cref="IReadable"/>, etc.) will be wired
-///     in once the Host's MXAccess code lift is complete and end-to-end parity tests run.
+///     channel to the out-of-process Host. Implements the full Phase 2 capability surface;
+///     bodies that depend on the deferred Host-side MXAccess code lift will surface
+///     <see cref="GalaxyIpcException"/> with code <c>not-implemented</c> until the Host's
+///     <c>IGalaxyBackend</c> is wired to the real <c>MxAccessClient</c>.
 /// </summary>
 public sealed class GalaxyProxyDriver(GalaxyProxyOptions options)
-    : IDriver, ITagDiscovery, IDisposable
+    : IDriver,
+      ITagDiscovery,
+      IReadable,
+      IWritable,
+      ISubscribable,
+      IAlarmSource,
+      IHistoryProvider,
+      IRediscoverable,
+      IHostConnectivityProbe,
+      IDisposable
 {
     private GalaxyIpcClient? _client;
     private long _sessionId;
     private DriverHealth _health = new(DriverState.Unknown, null, null);
 
+    private IReadOnlyList<Core.Abstractions.HostConnectivityStatus> _hostStatuses = [];
+
     public string DriverInstanceId => options.DriverInstanceId;
     public string DriverType => "Galaxy";
 
+    public event EventHandler<DataChangeEventArgs>? OnDataChange;
+    public event EventHandler<AlarmEventArgs>? OnAlarmEvent;
+    public event EventHandler<RediscoveryEventArgs>? OnRediscoveryNeeded;
+    public event EventHandler<HostStatusChangedEventArgs>? OnHostStatusChanged;
+
     public async Task InitializeAsync(string driverConfigJson, CancellationToken cancellationToken)
     {
         _health = new DriverHealth(DriverState.Initializing, null, null);
@@ -59,9 +77,10 @@ public sealed class GalaxyProxyDriver(GalaxyProxyOptions options)
 
         try
         {
-            await _client.CallAsync<CloseSessionRequest, ErrorResponse>(
-                MessageKind.CloseSessionRequest, new CloseSessionRequest { SessionId = _sessionId },
-                MessageKind.ErrorResponse, cancellationToken);
+            await _client.SendOneWayAsync(
+                MessageKind.CloseSessionRequest,
+                new CloseSessionRequest { SessionId = _sessionId },
+                cancellationToken);
         }
         catch { /* shutdown is best effort */ }
 
@@ -71,17 +90,17 @@ public sealed class GalaxyProxyDriver(GalaxyProxyOptions options)
     }
 
     public DriverHealth GetHealth() => _health;
-
-    public long GetMemoryFootprint() => 0; // Tier C footprint is reported by the Host over IPC
-
+    public long GetMemoryFootprint() => 0;
     public Task FlushOptionalCachesAsync(CancellationToken cancellationToken) => Task.CompletedTask;
 
+    // ---- ITagDiscovery ----
+
     public async Task DiscoverAsync(IAddressSpaceBuilder builder, CancellationToken cancellationToken)
     {
         ArgumentNullException.ThrowIfNull(builder);
-        if (_client is null) throw new InvalidOperationException("Driver not initialized");
+        var client = RequireClient();
 
-        var resp = await _client.CallAsync<DiscoverHierarchyRequest, DiscoverHierarchyResponse>(
+        var resp = await client.CallAsync<DiscoverHierarchyRequest, DiscoverHierarchyResponse>(
             MessageKind.DiscoverHierarchyRequest,
             new DiscoverHierarchyRequest { SessionId = _sessionId },
             MessageKind.DiscoverHierarchyResponse,
@@ -109,6 +128,245 @@ public sealed class GalaxyProxyDriver(GalaxyProxyOptions options)
         }
     }
 
+    // ---- IReadable ----
+
+    public async Task<IReadOnlyList<DataValueSnapshot>> ReadAsync(
+        IReadOnlyList<string> fullReferences, CancellationToken cancellationToken)
+    {
+        var client = RequireClient();
+        var resp = await client.CallAsync<ReadValuesRequest, ReadValuesResponse>(
+            MessageKind.ReadValuesRequest,
+            new ReadValuesRequest { SessionId = _sessionId, TagReferences = [.. fullReferences] },
+            MessageKind.ReadValuesResponse,
+            cancellationToken);
+
+        if (!resp.Success)
+            throw new InvalidOperationException($"Galaxy.Host ReadValues failed: {resp.Error}");
+
+        var byRef = resp.Values.ToDictionary(v => v.TagReference);
+        var result = new DataValueSnapshot[fullReferences.Count];
+        for (var i = 0; i < fullReferences.Count; i++)
+        {
+            result[i] = byRef.TryGetValue(fullReferences[i], out var v)
+                ? ToSnapshot(v)
+                : new DataValueSnapshot(null, StatusBadInternalError, null, DateTime.UtcNow);
+        }
+        return result;
+    }
+
+    // ---- IWritable ----
+
+    public async Task<IReadOnlyList<WriteResult>> WriteAsync(
+        IReadOnlyList<WriteRequest> writes, CancellationToken cancellationToken)
+    {
+        var client = RequireClient();
+        var resp = await client.CallAsync<WriteValuesRequest, WriteValuesResponse>(
+            MessageKind.WriteValuesRequest,
+            new WriteValuesRequest
+            {
+                SessionId = _sessionId,
+                Writes = [.. writes.Select(FromWriteRequest)],
+            },
+            MessageKind.WriteValuesResponse,
+            cancellationToken);
+
+        return [.. resp.Results.Select(r => new WriteResult(r.StatusCode))];
+    }
+
+    // ---- ISubscribable ----
+
+    public async Task<ISubscriptionHandle> SubscribeAsync(
+        IReadOnlyList<string> fullReferences, TimeSpan publishingInterval, CancellationToken cancellationToken)
+    {
+        var client = RequireClient();
+        var resp = await client.CallAsync<SubscribeRequest, SubscribeResponse>(
+            MessageKind.SubscribeRequest,
+            new SubscribeRequest
+            {
+                SessionId = _sessionId,
+                TagReferences = [.. fullReferences],
+                RequestedIntervalMs = (int)publishingInterval.TotalMilliseconds,
+            },
+            MessageKind.SubscribeResponse,
+            cancellationToken);
+
+        if (!resp.Success)
+            throw new InvalidOperationException($"Galaxy.Host Subscribe failed: {resp.Error}");
+
+        return new GalaxySubscriptionHandle(resp.SubscriptionId);
+    }
+
+    public async Task UnsubscribeAsync(ISubscriptionHandle handle, CancellationToken cancellationToken)
+    {
+        var client = RequireClient();
+        var sid = ((GalaxySubscriptionHandle)handle).SubscriptionId;
+        await client.SendOneWayAsync(
+            MessageKind.UnsubscribeRequest,
+            new UnsubscribeRequest { SessionId = _sessionId, SubscriptionId = sid },
+            cancellationToken);
+    }
+
+    /// <summary>
+    ///     Internal entry point used by the IPC client when the Host pushes an
+    ///     <see cref="MessageKind.OnDataChangeNotification"/> frame. Surfaces it as a managed
+    ///     <see cref="OnDataChange"/> event.
+    /// </summary>
+    internal void RaiseDataChange(OnDataChangeNotification notif)
+    {
+        var handle = new GalaxySubscriptionHandle(notif.SubscriptionId);
+        // ISubscribable.OnDataChange fires once per changed attribute — fan out the batch.
+        foreach (var v in notif.Values)
+            OnDataChange?.Invoke(this, new DataChangeEventArgs(handle, v.TagReference, ToSnapshot(v)));
+    }
+
+    // ---- IAlarmSource ----
+
+    public async Task<IAlarmSubscriptionHandle> SubscribeAlarmsAsync(
+        IReadOnlyList<string> sourceNodeIds, CancellationToken cancellationToken)
+    {
+        var client = RequireClient();
+        await client.SendOneWayAsync(
+            MessageKind.AlarmSubscribeRequest,
+            new AlarmSubscribeRequest { SessionId = _sessionId },
+            cancellationToken);
+        return new GalaxyAlarmSubscriptionHandle($"alarm-{_sessionId}");
+    }
+
+    public Task UnsubscribeAlarmsAsync(IAlarmSubscriptionHandle handle, CancellationToken cancellationToken)
+        => Task.CompletedTask;
+
+    public async Task AcknowledgeAsync(
+        IReadOnlyList<AlarmAcknowledgeRequest> acknowledgements, CancellationToken cancellationToken)
+    {
+        var client = RequireClient();
+        foreach (var ack in acknowledgements)
+        {
+            await client.SendOneWayAsync(
+                MessageKind.AlarmAckRequest,
+                new AlarmAckRequest
+                {
+                    SessionId = _sessionId,
+                    EventId = ack.ConditionId,
+                    Comment = ack.Comment ?? string.Empty,
+                },
+                cancellationToken);
+        }
+    }
+
+    internal void RaiseAlarmEvent(GalaxyAlarmEvent ev)
+    {
+        var handle = new GalaxyAlarmSubscriptionHandle($"alarm-{_sessionId}");
+        OnAlarmEvent?.Invoke(this, new AlarmEventArgs(
+            SubscriptionHandle: handle,
+            SourceNodeId: ev.ObjectTagName,
+            ConditionId: ev.EventId,
+            AlarmType: ev.AlarmName,
+            Message: ev.Message,
+            Severity: MapSeverity(ev.Severity),
+            SourceTimestampUtc: DateTimeOffset.FromUnixTimeMilliseconds(ev.UtcUnixMs).UtcDateTime));
+    }
+
+    // ---- IHistoryProvider ----
+
+    public async Task<HistoryReadResult> ReadRawAsync(
+        string fullReference, DateTime startUtc, DateTime endUtc, uint maxValuesPerNode,
+        CancellationToken cancellationToken)
+    {
+        var client = RequireClient();
+        var resp = await client.CallAsync<HistoryReadRequest, HistoryReadResponse>(
+            MessageKind.HistoryReadRequest,
+            new HistoryReadRequest
+            {
+                SessionId = _sessionId,
+                TagReferences = [fullReference],
+                StartUtcUnixMs = new DateTimeOffset(startUtc, TimeSpan.Zero).ToUnixTimeMilliseconds(),
+                EndUtcUnixMs = new DateTimeOffset(endUtc, TimeSpan.Zero).ToUnixTimeMilliseconds(),
+                MaxValuesPerTag = maxValuesPerNode,
+            },
+            MessageKind.HistoryReadResponse,
+            cancellationToken);
+
+        if (!resp.Success)
+            throw new InvalidOperationException($"Galaxy.Host HistoryRead failed: {resp.Error}");
+
+        var first = resp.Tags.FirstOrDefault();
+        IReadOnlyList<DataValueSnapshot> samples = first is null
+            ? Array.Empty<DataValueSnapshot>()
+            : [.. first.Values.Select(ToSnapshot)];
+        return new HistoryReadResult(samples, ContinuationPoint: null);
+    }
+
+    public Task<HistoryReadResult> ReadProcessedAsync(
+        string fullReference, DateTime startUtc, DateTime endUtc, TimeSpan interval,
+        HistoryAggregateType aggregate, CancellationToken cancellationToken)
+        => throw new NotSupportedException("Galaxy historian processed reads are not supported in v2; use ReadRawAsync.");
+
+    // ---- IRediscoverable ----
+
+    /// <summary>
+    ///     Triggered by the IPC client when the Host pushes a deploy-watermark notification
+    ///     (Galaxy <c>time_of_last_deploy</c> changed per decision #54).
+    /// </summary>
+    internal void RaiseRediscoveryNeeded(string reason, string? scopeHint = null) =>
+        OnRediscoveryNeeded?.Invoke(this, new RediscoveryEventArgs(reason, scopeHint));
+
+    // ---- IHostConnectivityProbe ----
+
+    public IReadOnlyList<Core.Abstractions.HostConnectivityStatus> GetHostStatuses() => _hostStatuses;
+
+    internal void OnHostConnectivityUpdate(IpcHostConnectivityStatus update)
+    {
+        var translated = new Core.Abstractions.HostConnectivityStatus(
+            HostName: update.HostName,
+            State: ParseHostState(update.RuntimeStatus),
+            LastChangedUtc: DateTimeOffset.FromUnixTimeMilliseconds(update.LastObservedUtcUnixMs).UtcDateTime);
+
+        var prior = _hostStatuses.FirstOrDefault(h => h.HostName == translated.HostName);
+        _hostStatuses = [
+            .. _hostStatuses.Where(h => h.HostName != translated.HostName),
+            translated
+        ];
+
+        if (prior is null || prior.State != translated.State)
+        {
+            OnHostStatusChanged?.Invoke(this, new HostStatusChangedEventArgs(
+                translated.HostName, prior?.State ?? HostState.Unknown, translated.State));
+        }
+    }
+
+    private static HostState ParseHostState(string s) => s switch
+    {
+        "Running" => HostState.Running,
+        "Stopped" => HostState.Stopped,
+        "Faulted" => HostState.Faulted,
+        _ => HostState.Unknown,
+    };
+
+    // ---- helpers ----
+
+    private GalaxyIpcClient RequireClient() =>
+        _client ?? throw new InvalidOperationException("Driver not initialized");
+
+    private const uint StatusBadInternalError = 0x80020000u;
+
+    private static DataValueSnapshot ToSnapshot(GalaxyDataValue v) => new(
+        Value: v.ValueBytes,
+        StatusCode: v.StatusCode,
+        SourceTimestampUtc: v.SourceTimestampUtcUnixMs > 0
+            ? DateTimeOffset.FromUnixTimeMilliseconds(v.SourceTimestampUtcUnixMs).UtcDateTime
+            : null,
+        ServerTimestampUtc: DateTimeOffset.FromUnixTimeMilliseconds(v.ServerTimestampUtcUnixMs).UtcDateTime);
+
+    private static GalaxyDataValue FromWriteRequest(WriteRequest w) => new()
+    {
+        TagReference = w.FullReference,
+        ValueBytes = MessagePack.MessagePackSerializer.Serialize(w.Value),
+        ValueMessagePackType = 0,
+        StatusCode = 0,
+        SourceTimestampUtcUnixMs = DateTimeOffset.UtcNow.ToUnixTimeMilliseconds(),
+        ServerTimestampUtcUnixMs = DateTimeOffset.UtcNow.ToUnixTimeMilliseconds(),
+    };
+
     private static DriverDataType MapDataType(int mxDataType) => mxDataType switch
     {
         0 => DriverDataType.Boolean,
@@ -132,9 +390,27 @@ public sealed class GalaxyProxyDriver(GalaxyProxyOptions options)
         _ => SecurityClassification.FreeAccess,
     };
 
+    private static AlarmSeverity MapSeverity(int sev) => sev switch
+    {
+        <= 250 => AlarmSeverity.Low,
+        <= 500 => AlarmSeverity.Medium,
+        <= 800 => AlarmSeverity.High,
+        _ => AlarmSeverity.Critical,
+    };
+
     public void Dispose() => _client?.DisposeAsync().AsTask().GetAwaiter().GetResult();
 }
 
+internal sealed record GalaxySubscriptionHandle(long SubscriptionId) : ISubscriptionHandle
+{
+    public string DiagnosticId => $"galaxy-sub-{SubscriptionId}";
+}
+
+internal sealed record GalaxyAlarmSubscriptionHandle(string Id) : IAlarmSubscriptionHandle
+{
+    public string DiagnosticId => Id;
+}
+
 public sealed class GalaxyProxyOptions
 {
     public required string DriverInstanceId { get; init; }

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy/Ipc/GalaxyIpcClient.cs

@@ -85,6 +85,18 @@ public sealed class GalaxyIpcClient : IAsyncDisposable
         finally { _callGate.Release(); }
     }
 
+    /// <summary>
+    ///     Fire-and-forget request — used for unsubscribe, alarm-ack, close-session, and other
+    ///     calls where the protocol is one-way. The send is still serialized through the call
+    ///     gate so it doesn't interleave a frame with a concurrent <see cref="CallAsync{TReq, TResp}"/>.
+    /// </summary>
+    public async Task SendOneWayAsync<TReq>(MessageKind requestKind, TReq request, CancellationToken ct)
+    {
+        await _callGate.WaitAsync(ct);
+        try { await _writer.WriteAsync(requestKind, request, ct); }
+        finally { _callGate.Release(); }
+    }
+
     public async ValueTask DisposeAsync()
     {
         _callGate.Dispose();

tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Tests/EndToEndIpcTests.cs

@@ -0,0 +1,181 @@
+using System;
+using System.IO;
+using System.IO.Pipes;
+using System.Security.Principal;
+using System.Threading;
+using System.Threading.Tasks;
+using MessagePack;
+using Serilog;
+using Serilog.Core;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Ipc;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared.Contracts;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Tests
+{
+    /// <summary>
+    ///     Drives every <see cref="MessageKind"/> the Phase 2 plan exposes through the full
+    ///     Host-side stack (<see cref="PipeServer"/> + <see cref="GalaxyFrameHandler"/> +
+    ///     <see cref="StubGalaxyBackend"/>) using a hand-rolled IPC client built on Shared's
+    ///     <see cref="FrameReader"/>/<see cref="FrameWriter"/>. The Proxy's <c>GalaxyIpcClient</c>
+    ///     is net10-only and cannot load in this net48 x86 test process, so we exercise the same
+    ///     wire protocol through the framing primitives directly. The dispatcher/backend response
+    ///     shapes are the production code path verbatim.
+    /// </summary>
+    [Trait("Category", "Integration")]
+    public sealed class EndToEndIpcTests
+    {
+        private static bool IsAdministrator()
+        {
+            using var identity = WindowsIdentity.GetCurrent();
+            return new WindowsPrincipal(identity).IsInRole(WindowsBuiltInRole.Administrator);
+        }
+
+        private sealed class TestStack : IDisposable
+        {
+            public PipeServer Server = null!;
+            public NamedPipeClientStream Stream = null!;
+            public FrameReader Reader = null!;
+            public FrameWriter Writer = null!;
+            public Task ServerTask = null!;
+            public CancellationTokenSource Cts = null!;
+
+            public void Dispose()
+            {
+                Cts.Cancel();
+                try { ServerTask.GetAwaiter().GetResult(); } catch { /* shutdown */ }
+                Server.Dispose();
+                Stream.Dispose();
+                Reader.Dispose();
+                Writer.Dispose();
+                Cts.Dispose();
+            }
+        }
+
+        private static async Task<TestStack> StartAsync()
+        {
+            using var identity = WindowsIdentity.GetCurrent();
+            var sid = identity.User!;
+            var pipe = $"OtOpcUaGalaxyE2E-{Guid.NewGuid():N}";
+            const string secret = "e2e-secret";
+            Logger log = new LoggerConfiguration().CreateLogger();
+            var cts = new CancellationTokenSource(TimeSpan.FromSeconds(15));
+
+            var server = new PipeServer(pipe, sid, secret, log);
+            var serverTask = Task.Run(() => server.RunAsync(
+                new GalaxyFrameHandler(new StubGalaxyBackend(), log), cts.Token));
+
+            var stream = new NamedPipeClientStream(".", pipe, PipeDirection.InOut, PipeOptions.Asynchronous);
+            await stream.ConnectAsync(5_000, cts.Token);
+            var reader = new FrameReader(stream, leaveOpen: true);
+            var writer = new FrameWriter(stream, leaveOpen: true);
+            await writer.WriteAsync(MessageKind.Hello,
+                new Hello { PeerName = "e2e", SharedSecret = secret }, cts.Token);
+            var ack = await reader.ReadFrameAsync(cts.Token);
+            if (ack is null || ack.Value.Kind != MessageKind.HelloAck)
+                throw new InvalidOperationException("Hello handshake failed");
+
+            return new TestStack
+            {
+                Server = server,
+                Stream = stream,
+                Reader = reader,
+                Writer = writer,
+                ServerTask = serverTask,
+                Cts = cts,
+            };
+        }
+
+        private static async Task<TResp> RoundTripAsync<TReq, TResp>(
+            TestStack s, MessageKind reqKind, TReq req, MessageKind respKind)
+        {
+            await s.Writer.WriteAsync(reqKind, req, s.Cts.Token);
+            var frame = await s.Reader.ReadFrameAsync(s.Cts.Token);
+            frame.HasValue.ShouldBeTrue();
+            frame!.Value.Kind.ShouldBe(respKind);
+            return MessagePackSerializer.Deserialize<TResp>(frame.Value.Body);
+        }
+
+        [Fact]
+        public async Task OpenSession_succeeds_with_an_assigned_session_id()
+        {
+            if (IsAdministrator()) return;
+            using var s = await StartAsync();
+
+            var resp = await RoundTripAsync<OpenSessionRequest, OpenSessionResponse>(
+                s, MessageKind.OpenSessionRequest,
+                new OpenSessionRequest { DriverInstanceId = "gal-e2e", DriverConfigJson = "{}" },
+                MessageKind.OpenSessionResponse);
+
+            resp.Success.ShouldBeTrue();
+            resp.SessionId.ShouldBeGreaterThan(0L);
+        }
+
+        [Fact]
+        public async Task Discover_against_stub_returns_an_error_response()
+        {
+            if (IsAdministrator()) return;
+            using var s = await StartAsync();
+
+            var resp = await RoundTripAsync<DiscoverHierarchyRequest, DiscoverHierarchyResponse>(
+                s, MessageKind.DiscoverHierarchyRequest,
+                new DiscoverHierarchyRequest { SessionId = 1 },
+                MessageKind.DiscoverHierarchyResponse);
+
+            resp.Success.ShouldBeFalse();
+            resp.Error.ShouldContain("MXAccess code lift pending");
+        }
+
+        [Fact]
+        public async Task WriteValues_returns_per_tag_BadInternalError_status()
+        {
+            if (IsAdministrator()) return;
+            using var s = await StartAsync();
+
+            var resp = await RoundTripAsync<WriteValuesRequest, WriteValuesResponse>(
+                s, MessageKind.WriteValuesRequest,
+                new WriteValuesRequest
+                {
+                    SessionId = 1,
+                    Writes = new[] { new GalaxyDataValue { TagReference = "TagA" } },
+                },
+                MessageKind.WriteValuesResponse);
+
+            resp.Results.Length.ShouldBe(1);
+            resp.Results[0].StatusCode.ShouldBe(0x80020000u);
+        }
+
+        [Fact]
+        public async Task Subscribe_returns_a_subscription_id()
+        {
+            if (IsAdministrator()) return;
+            using var s = await StartAsync();
+
+            var sub = await RoundTripAsync<SubscribeRequest, SubscribeResponse>(
+                s, MessageKind.SubscribeRequest,
+                new SubscribeRequest { SessionId = 1, TagReferences = new[] { "TagA" }, RequestedIntervalMs = 500 },
+                MessageKind.SubscribeResponse);
+
+            sub.Success.ShouldBeTrue();
+            sub.SubscriptionId.ShouldBeGreaterThan(0L);
+        }
+
+        [Fact]
+        public async Task Recycle_returns_the_grace_window_from_the_backend()
+        {
+            if (IsAdministrator()) return;
+            using var s = await StartAsync();
+
+            var resp = await RoundTripAsync<RecycleHostRequest, RecycleStatusResponse>(
+                s, MessageKind.RecycleHostRequest,
+                new RecycleHostRequest { Kind = "Soft", Reason = "test" },
+                MessageKind.RecycleStatusResponse);
+
+            resp.Accepted.ShouldBeTrue();
+            resp.GraceSeconds.ShouldBe(15);
+        }
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Tests/GalaxyRepositoryLiveSmokeTests.cs

@@ -0,0 +1,100 @@
+using System;
+using System.Threading;
+using System.Threading.Tasks;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend.Galaxy;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared.Contracts;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Tests
+{
+    /// <summary>
+    ///     Live smoke against the Galaxy <c>ZB</c> repository. Skipped when ZB is unreachable so
+    ///     CI / dev boxes without an AVEVA install still pass. Exercises the ported
+    ///     <see cref="GalaxyRepository"/> + <see cref="DbBackedGalaxyBackend"/> against the same
+    ///     SQL the v1 Host uses, proving the lift is byte-for-byte equivalent at the
+    ///     <c>DiscoverHierarchyResponse</c> shape.
+    /// </summary>
+    [Trait("Category", "LiveGalaxy")]
+    public sealed class GalaxyRepositoryLiveSmokeTests
+    {
+        private static GalaxyRepositoryOptions DevZbOptions() => new()
+        {
+            ConnectionString =
+                "Server=localhost;Database=ZB;Integrated Security=True;TrustServerCertificate=True;Encrypt=False;Connect Timeout=2;",
+            CommandTimeoutSeconds = 10,
+        };
+
+        private static async Task<bool> ZbReachableAsync()
+        {
+            try
+            {
+                var repo = new GalaxyRepository(DevZbOptions());
+                using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(3));
+                return await repo.TestConnectionAsync(cts.Token);
+            }
+            catch { return false; }
+        }
+
+        [Fact]
+        public async Task TestConnection_returns_true_against_live_ZB()
+        {
+            if (!await ZbReachableAsync()) return;
+
+            var repo = new GalaxyRepository(DevZbOptions());
+            (await repo.TestConnectionAsync()).ShouldBeTrue();
+        }
+
+        [Fact]
+        public async Task GetHierarchy_returns_at_least_one_deployed_gobject()
+        {
+            if (!await ZbReachableAsync()) return;
+
+            var repo = new GalaxyRepository(DevZbOptions());
+            var rows = await repo.GetHierarchyAsync();
+
+            rows.Count.ShouldBeGreaterThan(0,
+                "the dev Galaxy has at least the WinPlatform + AppEngine deployed");
+            rows.ShouldAllBe(r => !string.IsNullOrEmpty(r.TagName));
+        }
+
+        [Fact]
+        public async Task GetAttributes_returns_attributes_for_deployed_objects()
+        {
+            if (!await ZbReachableAsync()) return;
+
+            var repo = new GalaxyRepository(DevZbOptions());
+            var attrs = await repo.GetAttributesAsync();
+
+            attrs.Count.ShouldBeGreaterThan(0);
+            attrs.ShouldAllBe(a => !string.IsNullOrEmpty(a.FullTagReference) && a.FullTagReference.Contains("."));
+        }
+
+        [Fact]
+        public async Task GetLastDeployTime_returns_a_value()
+        {
+            if (!await ZbReachableAsync()) return;
+
+            var repo = new GalaxyRepository(DevZbOptions());
+            var ts = await repo.GetLastDeployTimeAsync();
+            ts.ShouldNotBeNull();
+        }
+
+        [Fact]
+        public async Task DbBackedBackend_DiscoverAsync_returns_objects_with_attributes_and_categories()
+        {
+            if (!await ZbReachableAsync()) return;
+
+            var backend = new DbBackedGalaxyBackend(new GalaxyRepository(DevZbOptions()));
+            var resp = await backend.DiscoverAsync(new DiscoverHierarchyRequest { SessionId = 1 }, CancellationToken.None);
+
+            resp.Success.ShouldBeTrue(resp.Error);
+            resp.Objects.Length.ShouldBeGreaterThan(0);
+
+            var firstWithAttrs = System.Linq.Enumerable.FirstOrDefault(resp.Objects, o => o.Attributes.Length > 0);
+            firstWithAttrs.ShouldNotBeNull("at least one gobject in the dev Galaxy carries dynamic attributes");
+            firstWithAttrs!.TemplateCategory.ShouldNotBeNullOrEmpty();
+        }
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Tests/IpcHandshakeIntegrationTests.cs

@@ -0,0 +1,119 @@
+using System;
+using System.IO;
+using System.IO.Pipes;
+using System.Security.Principal;
+using System.Threading;
+using System.Threading.Tasks;
+using MessagePack;
+using Serilog;
+using Serilog.Core;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Ipc;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared.Contracts;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Tests
+{
+    /// <summary>
+    ///     Direct IPC handshake test — drives <see cref="PipeServer"/> with a hand-rolled client
+    ///     built on <see cref="FrameReader"/>/<see cref="FrameWriter"/> from Shared. Stays in
+    ///     net48 x86 alongside the Host (the Proxy's <c>GalaxyIpcClient</c> is net10 only and
+    ///     cannot be loaded into this process). Functionally equivalent to going through
+    ///     <c>GalaxyIpcClient</c> — proves the wire protocol + ACL + shared-secret enforcement.
+    ///     Skipped on Administrator shells per the same PipeAcl-denies-Administrators guard.
+    /// </summary>
+    [Trait("Category", "Integration")]
+    public sealed class IpcHandshakeIntegrationTests
+    {
+        private static bool IsAdministrator()
+        {
+            using var identity = WindowsIdentity.GetCurrent();
+            return new WindowsPrincipal(identity).IsInRole(WindowsBuiltInRole.Administrator);
+        }
+
+        private static async Task<(NamedPipeClientStream Stream, FrameReader Reader, FrameWriter Writer)>
+            ConnectAndHelloAsync(string pipeName, string secret, CancellationToken ct)
+        {
+            var stream = new NamedPipeClientStream(".", pipeName, PipeDirection.InOut, PipeOptions.Asynchronous);
+            await stream.ConnectAsync(5_000, ct);
+
+            var reader = new FrameReader(stream, leaveOpen: true);
+            var writer = new FrameWriter(stream, leaveOpen: true);
+            await writer.WriteAsync(MessageKind.Hello,
+                new Hello { PeerName = "test-client", SharedSecret = secret }, ct);
+
+            var ack = await reader.ReadFrameAsync(ct);
+            if (ack is null) throw new EndOfStreamException("no HelloAck");
+            if (ack.Value.Kind != MessageKind.HelloAck) throw new InvalidOperationException("unexpected first frame");
+            var ackMsg = MessagePackSerializer.Deserialize<HelloAck>(ack.Value.Body);
+            if (!ackMsg.Accepted) throw new UnauthorizedAccessException(ackMsg.RejectReason);
+
+            return (stream, reader, writer);
+        }
+
+        [Fact]
+        public async Task Handshake_with_correct_secret_succeeds_and_heartbeat_round_trips()
+        {
+            if (IsAdministrator()) return;
+
+            using var identity = WindowsIdentity.GetCurrent();
+            var sid = identity.User!;
+            var pipe = $"OtOpcUaGalaxyTest-{Guid.NewGuid():N}";
+            const string secret = "test-secret-2026";
+            Logger log = new LoggerConfiguration().CreateLogger();
+            using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(10));
+
+            var server = new PipeServer(pipe, sid, secret, log);
+            var serverTask = Task.Run(() => server.RunOneConnectionAsync(
+                new GalaxyFrameHandler(new StubGalaxyBackend(), log), cts.Token));
+
+            var (stream, reader, writer) = await ConnectAndHelloAsync(pipe, secret, cts.Token);
+            using (stream)
+            using (reader)
+            using (writer)
+            {
+                await writer.WriteAsync(MessageKind.Heartbeat,
+                    new Heartbeat { SequenceNumber = 42, UtcUnixMs = 1000 }, cts.Token);
+
+                var hbAckFrame = await reader.ReadFrameAsync(cts.Token);
+                hbAckFrame.HasValue.ShouldBeTrue();
+                hbAckFrame!.Value.Kind.ShouldBe(MessageKind.HeartbeatAck);
+                MessagePackSerializer.Deserialize<HeartbeatAck>(hbAckFrame.Value.Body).SequenceNumber.ShouldBe(42L);
+            }
+
+            cts.Cancel();
+            try { await serverTask; } catch { /* shutdown */ }
+            server.Dispose();
+        }
+
+        [Fact]
+        public async Task Handshake_with_wrong_secret_is_rejected()
+        {
+            if (IsAdministrator()) return;
+
+            using var identity = WindowsIdentity.GetCurrent();
+            var sid = identity.User!;
+            var pipe = $"OtOpcUaGalaxyTest-{Guid.NewGuid():N}";
+            Logger log = new LoggerConfiguration().CreateLogger();
+            using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(10));
+
+            var server = new PipeServer(pipe, sid, "real-secret", log);
+            var serverTask = Task.Run(() => server.RunOneConnectionAsync(
+                new GalaxyFrameHandler(new StubGalaxyBackend(), log), cts.Token));
+
+            await Should.ThrowAsync<UnauthorizedAccessException>(async () =>
+            {
+                var (s, r, w) = await ConnectAndHelloAsync(pipe, "wrong-secret", cts.Token);
+                s.Dispose();
+                r.Dispose();
+                w.Dispose();
+            });
+
+            cts.Cancel();
+            try { await serverTask; } catch { /* shutdown */ }
+            server.Dispose();
+        }
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Tests/MxAccessLiveSmokeTests.cs

@@ -0,0 +1,116 @@
+using System;
+using System.Threading;
+using System.Threading.Tasks;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend.Galaxy;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend.MxAccess;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Sta;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared.Contracts;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Tests
+{
+    /// <summary>
+    ///     End-to-end smoke against the live MXAccess COM runtime + Galaxy ZB DB on this dev box.
+    ///     Skipped when ArchestrA bootstrap (<c>aaBootstrap</c>) isn't running. Verifies the
+    ///     ported <see cref="MxAccessClient"/> can connect to <c>LMXProxyServer</c>, the
+    ///     <see cref="MxAccessGalaxyBackend"/> can answer Discover against the live ZB schema,
+    ///     and a one-shot read returns a valid VTQ for the first deployed attribute it finds.
+    /// </summary>
+    [Trait("Category", "LiveMxAccess")]
+    public sealed class MxAccessLiveSmokeTests
+    {
+        private static GalaxyRepositoryOptions DevZb() => new()
+        {
+            ConnectionString = "Server=localhost;Database=ZB;Integrated Security=True;TrustServerCertificate=True;Encrypt=False;Connect Timeout=2;",
+            CommandTimeoutSeconds = 10,
+        };
+
+        private static async Task<bool> ArchestraReachableAsync()
+        {
+            try
+            {
+                var repo = new GalaxyRepository(DevZb());
+                using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(2));
+                if (!await repo.TestConnectionAsync(cts.Token)) return false;
+
+                using var sc = new System.ServiceProcess.ServiceController("aaBootstrap");
+                return sc.Status == System.ServiceProcess.ServiceControllerStatus.Running;
+            }
+            catch { return false; }
+        }
+
+        [Fact]
+        public async Task Connect_to_local_LMXProxyServer_succeeds()
+        {
+            if (!await ArchestraReachableAsync()) return;
+
+            using var pump = new StaPump("MxA-test-pump");
+            await pump.WaitForStartedAsync();
+
+            using var mx = new MxAccessClient(pump, new MxProxyAdapter(), "OtOpcUa-MxAccessSmoke");
+            var handle = await mx.ConnectAsync();
+            handle.ShouldBeGreaterThan(0);
+            mx.IsConnected.ShouldBeTrue();
+        }
+
+        [Fact]
+        public async Task Backend_OpenSession_then_Discover_returns_objects_with_attributes()
+        {
+            if (!await ArchestraReachableAsync()) return;
+
+            using var pump = new StaPump("MxA-test-pump");
+            await pump.WaitForStartedAsync();
+            using var mx = new MxAccessClient(pump, new MxProxyAdapter(), "OtOpcUa-MxAccessSmoke");
+            var backend = new MxAccessGalaxyBackend(new GalaxyRepository(DevZb()), mx);
+
+            var session = await backend.OpenSessionAsync(new OpenSessionRequest { DriverInstanceId = "smoke" }, CancellationToken.None);
+            session.Success.ShouldBeTrue(session.Error);
+
+            var resp = await backend.DiscoverAsync(new DiscoverHierarchyRequest { SessionId = session.SessionId }, CancellationToken.None);
+            resp.Success.ShouldBeTrue(resp.Error);
+            resp.Objects.Length.ShouldBeGreaterThan(0);
+
+            await backend.CloseSessionAsync(new CloseSessionRequest { SessionId = session.SessionId }, CancellationToken.None);
+        }
+
+        /// <summary>
+        ///     Live one-shot read against any attribute we discover. Best-effort — passes silently
+        ///     if no readable attribute is exposed (some Galaxy installs are configuration-only;
+        ///     we only assert the call shape is correct, not a specific value).
+        /// </summary>
+        [Fact]
+        public async Task Backend_ReadValues_against_discovered_attribute_returns_a_response_shape()
+        {
+            if (!await ArchestraReachableAsync()) return;
+
+            using var pump = new StaPump("MxA-test-pump");
+            await pump.WaitForStartedAsync();
+            using var mx = new MxAccessClient(pump, new MxProxyAdapter(), "OtOpcUa-MxAccessSmoke");
+            var backend = new MxAccessGalaxyBackend(new GalaxyRepository(DevZb()), mx);
+
+            var session = await backend.OpenSessionAsync(new OpenSessionRequest { DriverInstanceId = "smoke" }, CancellationToken.None);
+            var disc = await backend.DiscoverAsync(new DiscoverHierarchyRequest { SessionId = session.SessionId }, CancellationToken.None);
+            var firstAttr = System.Linq.Enumerable.FirstOrDefault(disc.Objects, o => o.Attributes.Length > 0);
+            if (firstAttr is null)
+            {
+                await backend.CloseSessionAsync(new CloseSessionRequest { SessionId = session.SessionId }, CancellationToken.None);
+                return;
+            }
+
+            var fullRef = $"{firstAttr.TagName}.{firstAttr.Attributes[0].AttributeName}";
+            var read = await backend.ReadValuesAsync(
+                new ReadValuesRequest { SessionId = session.SessionId, TagReferences = new[] { fullRef } },
+                CancellationToken.None);
+
+            read.Success.ShouldBeTrue();
+            read.Values.Length.ShouldBe(1);
+            // We don't assert the value (it may be Bad/Uncertain depending on what's running);
+            // we only assert the response shape is correct end-to-end.
+            read.Values[0].TagReference.ShouldBe(fullRef);
+
+            await backend.CloseSessionAsync(new CloseSessionRequest { SessionId = session.SessionId }, CancellationToken.None);
+        }
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Tests.csproj

@@ -2,6 +2,8 @@
 
     <PropertyGroup>
         <TargetFramework>net48</TargetFramework>
+        <PlatformTarget>x86</PlatformTarget>
+        <Prefer32Bit>true</Prefer32Bit>
         <Nullable>enable</Nullable>
         <LangVersion>latest</LangVersion>
         <IsPackable>false</IsPackable>
@@ -21,6 +23,7 @@
 
     <ItemGroup>
         <ProjectReference Include="..\..\src\ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host\ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.csproj"/>
+        <Reference Include="System.ServiceProcess"/>
     </ItemGroup>
 
     <ItemGroup>

tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.Tests/HostSubprocessParityTests.cs

@@ -0,0 +1,130 @@
+using System.Diagnostics;
+using System.Reflection;
+using System.Security.Principal;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.Ipc;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared.Contracts;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.Tests;
+
+/// <summary>
+///     The honest cross-FX parity test — spawns the actual <c>OtOpcUa.Driver.Galaxy.Host.exe</c>
+///     subprocess (net48 x86), the Proxy connects via real named pipe, exercises Discover
+///     against the live Galaxy ZB DB, and asserts gobjects come back. This is the production
+///     deployment shape (Tier C: separate process, IPC over named pipe, Proxy in the .NET 10
+///     server process). Skipped when the Host EXE isn't built or Galaxy is unreachable.
+/// </summary>
+[Trait("Category", "ProcessSpawnParity")]
+public sealed class HostSubprocessParityTests : IDisposable
+{
+    private Process? _hostProcess;
+
+    public void Dispose()
+    {
+        if (_hostProcess is not null && !_hostProcess.HasExited)
+        {
+            try { _hostProcess.Kill(entireProcessTree: true); } catch { /* ignore */ }
+            try { _hostProcess.WaitForExit(5_000); } catch { /* ignore */ }
+        }
+        _hostProcess?.Dispose();
+    }
+
+    private static string? FindHostExe()
+    {
+        // The test assembly lives at tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.Tests/bin/Debug/net10.0/.
+        // The Host EXE lives at src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/bin/Debug/net48/.
+        var asmDir = Path.GetDirectoryName(Assembly.GetExecutingAssembly().Location)!;
+        var solutionRoot = asmDir;
+        for (var i = 0; i < 8 && solutionRoot is not null; i++)
+        {
+            if (File.Exists(Path.Combine(solutionRoot, "ZB.MOM.WW.OtOpcUa.slnx")))
+                break;
+            solutionRoot = Path.GetDirectoryName(solutionRoot);
+        }
+        if (solutionRoot is null) return null;
+
+        var candidate = Path.Combine(solutionRoot,
+            "src", "ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host", "bin", "Debug", "net48",
+            "OtOpcUa.Driver.Galaxy.Host.exe");
+        return File.Exists(candidate) ? candidate : null;
+    }
+
+    private static bool IsAdministrator()
+    {
+        if (!OperatingSystem.IsWindows()) return false;
+        using var identity = WindowsIdentity.GetCurrent();
+        return new WindowsPrincipal(identity).IsInRole(WindowsBuiltInRole.Administrator);
+    }
+
+    private static async Task<bool> ZbReachableAsync()
+    {
+        try
+        {
+            using var client = new System.Net.Sockets.TcpClient();
+            var task = client.ConnectAsync("localhost", 1433);
+            return await Task.WhenAny(task, Task.Delay(1_500)) == task && client.Connected;
+        }
+        catch { return false; }
+    }
+
+    [Fact]
+    public async Task Spawned_Host_in_db_mode_lets_Proxy_Discover_real_Galaxy_gobjects()
+    {
+        if (!OperatingSystem.IsWindows() || IsAdministrator()) return;
+        if (!await ZbReachableAsync()) return;
+
+        var hostExe = FindHostExe();
+        if (hostExe is null) return; // skip when the Host hasn't been built
+
+        using var identity = WindowsIdentity.GetCurrent();
+        var sid = identity.User!;
+        var pipeName = $"OtOpcUaGalaxyParity-{Guid.NewGuid():N}";
+        const string secret = "parity-secret";
+
+        var psi = new ProcessStartInfo(hostExe)
+        {
+            UseShellExecute = false,
+            CreateNoWindow = true,
+            RedirectStandardOutput = true,
+            RedirectStandardError = true,
+            EnvironmentVariables =
+            {
+                ["OTOPCUA_GALAXY_PIPE"] = pipeName,
+                ["OTOPCUA_ALLOWED_SID"] = sid.Value,
+                ["OTOPCUA_GALAXY_SECRET"] = secret,
+                ["OTOPCUA_GALAXY_BACKEND"] = "db", // SQL-only — doesn't need MXAccess
+                ["OTOPCUA_GALAXY_ZB_CONN"] = "Server=localhost;Database=ZB;Integrated Security=True;TrustServerCertificate=True;Encrypt=False;",
+            },
+        };
+
+        _hostProcess = Process.Start(psi)
+            ?? throw new InvalidOperationException("Failed to spawn Galaxy.Host");
+
+        // Wait for the pipe to come up — the Host's PipeServer takes ~100ms to bind.
+        await Task.Delay(2_000);
+
+        await using var client = await GalaxyIpcClient.ConnectAsync(
+            pipeName, secret, TimeSpan.FromSeconds(5), CancellationToken.None);
+
+        var sessionResp = await client.CallAsync<OpenSessionRequest, OpenSessionResponse>(
+            MessageKind.OpenSessionRequest,
+            new OpenSessionRequest { DriverInstanceId = "parity", DriverConfigJson = "{}" },
+            MessageKind.OpenSessionResponse,
+            CancellationToken.None);
+        sessionResp.Success.ShouldBeTrue(sessionResp.Error);
+
+        var discoverResp = await client.CallAsync<DiscoverHierarchyRequest, DiscoverHierarchyResponse>(
+            MessageKind.DiscoverHierarchyRequest,
+            new DiscoverHierarchyRequest { SessionId = sessionResp.SessionId },
+            MessageKind.DiscoverHierarchyResponse,
+            CancellationToken.None);
+
+        discoverResp.Success.ShouldBeTrue(discoverResp.Error);
+        discoverResp.Objects.Length.ShouldBeGreaterThan(0,
+            "live Galaxy ZB has at least one deployed gobject");
+
+        await client.SendOneWayAsync(MessageKind.CloseSessionRequest,
+            new CloseSessionRequest { SessionId = sessionResp.SessionId }, CancellationToken.None);
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.Tests/IpcHandshakeIntegrationTests.cs

@@ -1,91 +0,0 @@
-using System.IO.Pipes;
-using System.Security.Principal;
-using Serilog;
-using Serilog.Core;
-using Shouldly;
-using Xunit;
-using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Ipc;
-using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.Ipc;
-using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared.Contracts;
-
-namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.Tests;
-
-/// <summary>
-///     End-to-end IPC test: <see cref="PipeServer"/> (from Galaxy.Host) accepts a connection from
-///     the Proxy's <see cref="GalaxyIpcClient"/>. Verifies the Hello handshake, shared-secret
-///     check, and heartbeat round-trip. Uses the current user's SID so the ACL allows the
-///     localhost test process. Skipped on non-Windows (pipe ACL is Windows-only).
-/// </summary>
-[Trait("Category", "Integration")]
-public sealed class IpcHandshakeIntegrationTests
-{
-    [Fact]
-    public async Task Hello_handshake_with_correct_secret_succeeds_and_heartbeat_round_trips()
-    {
-        if (!OperatingSystem.IsWindows()) return; // pipe ACL is Windows-only
-        if (IsAdministrator()) return; // ACL explicitly denies Administrators — skip on admin shells
-
-        using var currentIdentity = WindowsIdentity.GetCurrent();
-        var allowedSid = currentIdentity.User!;
-        var pipeName = $"OtOpcUaGalaxyTest-{Guid.NewGuid():N}";
-        const string secret = "test-secret-2026";
-        Logger log = new LoggerConfiguration().CreateLogger();
-
-        using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(10));
-
-        var server = new PipeServer(pipeName, allowedSid, secret, log);
-        var serverTask = Task.Run(() => server.RunOneConnectionAsync(new StubFrameHandler(), cts.Token));
-
-        await using var client = await GalaxyIpcClient.ConnectAsync(
-            pipeName, secret, TimeSpan.FromSeconds(5), cts.Token);
-
-        // Heartbeat round-trip via the stub handler.
-        var ack = await client.CallAsync<Heartbeat, HeartbeatAck>(
-            MessageKind.Heartbeat,
-            new Heartbeat { SequenceNumber = 42, UtcUnixMs = 1000 },
-            MessageKind.HeartbeatAck,
-            cts.Token);
-        ack.SequenceNumber.ShouldBe(42L);
-
-        cts.Cancel();
-        try { await serverTask; } catch (OperationCanceledException) { }
-        server.Dispose();
-    }
-
-    [Fact]
-    public async Task Hello_with_wrong_secret_is_rejected()
-    {
-        if (!OperatingSystem.IsWindows()) return;
-        if (IsAdministrator()) return;
-
-        using var currentIdentity = WindowsIdentity.GetCurrent();
-        var allowedSid = currentIdentity.User!;
-        var pipeName = $"OtOpcUaGalaxyTest-{Guid.NewGuid():N}";
-        Logger log = new LoggerConfiguration().CreateLogger();
-
-        using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(10));
-        var server = new PipeServer(pipeName, allowedSid, "real-secret", log);
-        var serverTask = Task.Run(() => server.RunOneConnectionAsync(new StubFrameHandler(), cts.Token));
-
-        await Should.ThrowAsync<UnauthorizedAccessException>(() =>
-            GalaxyIpcClient.ConnectAsync(pipeName, "wrong-secret", TimeSpan.FromSeconds(5), cts.Token));
-
-        cts.Cancel();
-        try { await serverTask; } catch { /* server loop ends */ }
-        server.Dispose();
-    }
-
-    /// <summary>
-    ///     The production ACL explicitly denies Administrators. On dev boxes the interactive user
-    ///     is often an Administrator, so the allow rule gets overridden by the deny — the pipe
-    ///     refuses the connection. Skip in that case; the production install runs as a dedicated
-    ///     non-admin service account.
-    /// </summary>
-    private static bool IsAdministrator()
-    {
-        if (!OperatingSystem.IsWindows()) return false;
-        using var identity = WindowsIdentity.GetCurrent();
-        var principal = new WindowsPrincipal(identity);
-        return principal.IsInRole(WindowsBuiltInRole.Administrator);
-    }
-}