docs(plans): mark F13a partial-complete (36c4751)

Adds OPC UA SDK's CheckApplicationInstanceCertificate call to
OpcUaApplicationHost.StartAsync, removing the v1 friction of needing to
pre-create the PKI directory tree before booting.

- New OpcUaApplicationHostOptions.PkiStoreRoot (defaults to "pki")
- BuildConfigurationAsync now derives own/issuer/trusted/rejected from
  PkiStoreRoot so the cert paths are configurable + consistent
- EnsureApplicationCertificateAsync runs before StandardServer.Start, and
  fails fast with a clear message if the SDK can't produce a valid cert
- 2 new tests: fresh-tree creates a cert, second boot reuses it

Partial slice of follow-up F13. Endpoint-security, user-token validator,
and observability wiring still pending in the F13 follow-up. OpcUaServer
tests: 4 → 6.

docs/plans/2026-05-26-akka-hosting-alignment-plan.md.tasks.json

@@ -87,7 +87,7 @@
     {"id": "F10", "subject": "Follow-up: OpcUaPublishActor SDK integration (address-space writes + ServiceLevel + RebuildAddressSpace)", "status": "pending", "classification": "high-risk", "estMinutes": 60, "parallelizableWith": [], "blockedBy": [47], "origin": "Self-review of Task 44 — SDK calls stubbed; counters only. Wire after Phase 7 OpcUaServer extraction."},
     {"id": "F11", "subject": "Follow-up: HistorianAdapterActor named-pipe IPC + SqliteStoreAndForwardSink wiring", "status": "completed", "classification": "standard", "estMinutes": 30, "parallelizableWith": [], "blockedBy": [], "commit": "6861381", "deviationNotes": "Reshaped HistorianAdapterActor around the existing IAlarmHistorianSink abstraction (alarm-event shape, not the original tag-history-row stub). Defaults to NullAlarmHistorianSink; production deployments wire SqliteStoreAndForwardSink + WonderwareHistorianClient via AddOtOpcUaRuntime overrides. Actor now exposes GetStatus returning HistorianSinkStatus for diagnostics. Named-pipe transport implementation lives unchanged in src/Drivers/ZB.MOM.WW.OtOpcUa.Driver.Historian.Wonderware.Client/WonderwareHistorianClient.cs — the actor is intentionally just a fire-and-forget bridge.", "origin": "Self-review of Task 45 — stub buffers in-memory; named-pipe + SQLite store-and-forward not wired."},
     {"id": "F12", "subject": "Follow-up: PeerOpcUaProbeActor real opc.tcp ping (replace Ok=true stub)", "status": "completed", "classification": "small", "estMinutes": 20, "parallelizableWith": [], "blockedBy": [], "commit": "b06e3ae", "deviation": "TCP-connect probe rather than full OPC UA Hello/Acknowledge handshake. Enough for the redundancy calc; deeper liveness signals can layer on later without changing the actor's contract.", "origin": "Self-review of Task 45 — RunProbe always returns Ok=true; replace with OPC UA Client connect."},
-    {"id": "F13", "subject": "Follow-up: Full OpcUaApplicationHost extraction (security/alarms/history/observability)", "status": "pending", "classification": "high-risk", "estMinutes": 120, "parallelizableWith": [], "blockedBy": [], "origin": "Self-review of Task 46 — facade only boots ApplicationInstance + StandardServer. Legacy 391-line file pulls Server.Security/Alarms/History/Observability. Pull those into thin OpcUaServer interfaces."},
+    {"id": "F13", "subject": "Follow-up: Full OpcUaApplicationHost extraction (security/alarms/history/observability)", "status": "partial", "classification": "high-risk", "estMinutes": 120, "parallelizableWith": [], "blockedBy": [], "commit": "36c4751-partial", "deviationNotes": "F13a (cert auto-creation) shipped in 36c4751. Remaining: endpoint-security wiring (SecurityProfileResolver into ServerConfiguration.SecurityPolicies), LDAP user-token validator (the OPC UA UserNameToken path; HTTP-layer LDAP auth is separate and already in OtOpcUa.Security), scripted-alarm node manager creation, history backend wiring, observability hooks (OpenTelemetry metrics + traces). These are gated by F10's OpcUaPublishActor SDK integration — until F10 lands, nothing instantiates OpcUaApplicationHost so the missing wiring is dead weight.", "origin": "Self-review of Task 46 — facade only boots ApplicationInstance + StandardServer. Legacy 391-line file pulls Server.Security/Alarms/History/Observability. Pull those into thin OpcUaServer interfaces."},
     {"id": "F14", "subject": "Follow-up: Migrate side-effecting Phase7Composer (EquipmentNodeWalker, trace logs, node cache)", "status": "pending", "classification": "standard", "estMinutes": 60, "parallelizableWith": [], "blockedBy": [], "origin": "Self-review of Task 47 — pure version covers the projection. Walker + alarm sink registration + cache mutation stay in legacy until split into Phase7Applier."},
     {"id": "F15", "subject": "Follow-up: Migrate 47 legacy Admin Blazor components into AdminUI library", "status": "pending", "classification": "high-risk", "estMinutes": 180, "parallelizableWith": [], "blockedBy": [], "origin": "Self-review of Task 48 — only MapAdminUI scaffold + 1 new page (Deployments). 47 pages stay in legacy Admin (accepted-broken) until Task 56."},
     {"id": "F16", "subject": "Follow-up: Bridge FleetStatusBroadcaster → SignalR hubs (FleetStatusHub / AlertHub / ScriptLogHub)", "status": "completed", "classification": "standard", "estMinutes": 30, "parallelizableWith": [], "blockedBy": [], "commit": "f18c285", "deviation": "FleetStatusHub bridge landed. AlertHub + ScriptLogHub deferred — they need upstream message contracts that aren't defined yet (alerts emerge from F9 ScriptedAlarmActor, script logs from F8 VirtualTagActor).", "origin": "Self-review of Task 49 — hubs are passive Hub subclasses; the bridge from FleetStatusBroadcaster.broadcast → IHubContext is not wired."},

src/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer/OpcUaApplicationHost.cs

@@ -19,6 +19,13 @@ public sealed class OpcUaApplicationHostOptions
 
     /// <summary>Application config XML path; when set, loaded instead of building from defaults.</summary>
     public string? ApplicationConfigPath { get; set; }
+
+    /// <summary>
+    /// Root of the application's PKI hierarchy. Sub-stores (<c>own</c>, <c>issuer</c>,
+    /// <c>trusted</c>, <c>rejected</c>) are created under this path on first start. Defaults
+    /// to "pki" (relative to the host's working directory) to keep dev flows identical to v1.
+    /// </summary>
+    public string PkiStoreRoot { get; set; } = "pki";
 }
 
 /// <summary>
@@ -60,14 +67,35 @@ public sealed class OpcUaApplicationHost : IAsyncDisposable
         };
 
         _ = await BuildConfigurationAsync(cancellationToken);
-        // Certificate validation + auto-creation is part of the full extraction (F13).
-        // For the facade we trust that the configured cert store already exists.
+        await EnsureApplicationCertificateAsync(cancellationToken).ConfigureAwait(false);
         await _application.Start(server).ConfigureAwait(false);
 
         _logger.LogInformation("OPC UA server started on opc.tcp://{Host}:{Port}",
             _options.PublicHostname, _options.OpcUaPort);
     }
 
+    /// <summary>
+    /// Guarantees the application instance certificate exists in <c>{PkiStoreRoot}/own</c>.
+    /// The SDK auto-creates a self-signed certificate the first time this is called on a fresh
+    /// PKI tree; subsequent boots reuse the existing cert. Replaces v1's manual "you must
+    /// pre-create the PKI directory tree" friction. Partial slice of follow-up F13 — the
+    /// remaining endpoint-security, user-token validator, and observability wiring stays in
+    /// the follow-up queue.
+    /// </summary>
+    private async Task EnsureApplicationCertificateAsync(CancellationToken cancellationToken)
+    {
+        // silent: false → SDK logs cert creation events through its own trace plumbing.
+        // minimumKeySize/lifetimeInMonths: 0 → use SDK defaults (2048-bit, 12-month lifetime).
+        var ok = await _application!.CheckApplicationInstanceCertificate(
+            silent: false, minimumKeySize: 0, lifeTimeInMonths: 0, ct: cancellationToken).ConfigureAwait(false);
+        if (!ok)
+        {
+            throw new InvalidOperationException(
+                $"OPC UA application certificate validation failed for {_options.ApplicationName}. " +
+                $"Cert store root: {Path.GetFullPath(_options.PkiStoreRoot)}");
+        }
+    }
+
     private async Task<ApplicationConfiguration> BuildConfigurationAsync(CancellationToken ct)
     {
         if (!string.IsNullOrWhiteSpace(_options.ApplicationConfigPath))
@@ -92,10 +120,15 @@ public sealed class OpcUaApplicationHost : IAsyncDisposable
             },
             SecurityConfiguration = new SecurityConfiguration
             {
-                ApplicationCertificate = new CertificateIdentifier { StoreType = "Directory", StorePath = "pki/own", SubjectName = $"CN={_options.ApplicationName}" },
-                TrustedIssuerCertificates = new CertificateTrustList { StoreType = "Directory", StorePath = "pki/issuer" },
-                TrustedPeerCertificates = new CertificateTrustList { StoreType = "Directory", StorePath = "pki/trusted" },
-                RejectedCertificateStore = new CertificateTrustList { StoreType = "Directory", StorePath = "pki/rejected" },
+                ApplicationCertificate = new CertificateIdentifier
+                {
+                    StoreType = "Directory",
+                    StorePath = Path.Combine(_options.PkiStoreRoot, "own"),
+                    SubjectName = $"CN={_options.ApplicationName}",
+                },
+                TrustedIssuerCertificates = new CertificateTrustList { StoreType = "Directory", StorePath = Path.Combine(_options.PkiStoreRoot, "issuer") },
+                TrustedPeerCertificates = new CertificateTrustList { StoreType = "Directory", StorePath = Path.Combine(_options.PkiStoreRoot, "trusted") },
+                RejectedCertificateStore = new CertificateTrustList { StoreType = "Directory", StorePath = Path.Combine(_options.PkiStoreRoot, "rejected") },
                 AutoAcceptUntrustedCertificates = false,
             },
             TransportQuotas = new TransportQuotas(),

tests/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer.Tests/OpcUaApplicationHostTests.cs

@@ -0,0 +1,100 @@
+using Microsoft.Extensions.Logging.Abstractions;
+using Opc.Ua.Server;
+using Shouldly;
+using Xunit;
+
+namespace ZB.MOM.WW.OtOpcUa.OpcUaServer.Tests;
+
+/// <summary>
+/// Verifies the F13a cert auto-creation slice of <see cref="OpcUaApplicationHost"/>: the SDK
+/// self-signs a certificate into <c>{PkiStoreRoot}/own/certs/</c> on first boot against a
+/// fresh PKI tree, and the file persists for reuse on the next boot.
+/// </summary>
+public sealed class OpcUaApplicationHostTests : IDisposable
+{
+    private static CancellationToken Ct => TestContext.Current.CancellationToken;
+
+    private readonly string _pkiRoot = Path.Combine(
+        Path.GetTempPath(),
+        $"otopcua-pki-{Guid.NewGuid():N}");
+
+    [Fact]
+    public async Task StartAsync_creates_application_certificate_in_pki_own()
+    {
+        await using var host = new OpcUaApplicationHost(
+            new OpcUaApplicationHostOptions
+            {
+                ApplicationName = "OtOpcUa.Test",
+                ApplicationUri = $"urn:OtOpcUa.Test:{Guid.NewGuid():N}",
+                OpcUaPort = AllocateFreePort(),
+                PublicHostname = "localhost",
+                PkiStoreRoot = _pkiRoot,
+            },
+            NullLogger<OpcUaApplicationHost>.Instance);
+
+        await host.StartAsync(new StandardServer(), Ct);
+
+        var ownCerts = Path.Combine(_pkiRoot, "own", "certs");
+        Directory.Exists(ownCerts).ShouldBeTrue($"expected SDK to create {ownCerts}");
+        Directory.EnumerateFiles(ownCerts).ShouldNotBeEmpty("expected a self-signed cert file in the own store");
+    }
+
+    [Fact]
+    public async Task StartAsync_reuses_existing_certificate_on_second_boot()
+    {
+        var port1 = AllocateFreePort();
+        await using (var first = new OpcUaApplicationHost(
+            new OpcUaApplicationHostOptions
+            {
+                ApplicationName = "OtOpcUa.Reuse",
+                ApplicationUri = "urn:OtOpcUa.Reuse",
+                OpcUaPort = port1,
+                PublicHostname = "localhost",
+                PkiStoreRoot = _pkiRoot,
+            },
+            NullLogger<OpcUaApplicationHost>.Instance))
+        {
+            await first.StartAsync(new StandardServer(), Ct);
+        }
+
+        var ownCerts = Path.Combine(_pkiRoot, "own", "certs");
+        var firstFiles = Directory.GetFiles(ownCerts).OrderBy(f => f).ToArray();
+        firstFiles.ShouldNotBeEmpty();
+
+        var port2 = AllocateFreePort();
+        await using (var second = new OpcUaApplicationHost(
+            new OpcUaApplicationHostOptions
+            {
+                ApplicationName = "OtOpcUa.Reuse",
+                ApplicationUri = "urn:OtOpcUa.Reuse",
+                OpcUaPort = port2,
+                PublicHostname = "localhost",
+                PkiStoreRoot = _pkiRoot,
+            },
+            NullLogger<OpcUaApplicationHost>.Instance))
+        {
+            await second.StartAsync(new StandardServer(), Ct);
+        }
+
+        var secondFiles = Directory.GetFiles(ownCerts).OrderBy(f => f).ToArray();
+        secondFiles.ShouldBe(firstFiles, "expected the second boot to reuse the cert from the first, not create a new one");
+    }
+
+    private static int AllocateFreePort()
+    {
+        using var listener = new System.Net.Sockets.TcpListener(System.Net.IPAddress.Loopback, 0);
+        listener.Start();
+        var port = ((System.Net.IPEndPoint)listener.LocalEndpoint).Port;
+        listener.Stop();
+        return port;
+    }
+
+    public void Dispose()
+    {
+        if (Directory.Exists(_pkiRoot))
+        {
+            try { Directory.Delete(_pkiRoot, recursive: true); }
+            catch { /* best-effort cleanup */ }
+        }
+    }
+}

tests/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer.Tests/ZB.MOM.WW.OtOpcUa.OpcUaServer.Tests.csproj

@@ -15,6 +15,7 @@
             <PrivateAssets>all</PrivateAssets>
             <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
         </PackageReference>
+        <PackageReference Include="Microsoft.Extensions.Logging.Abstractions"/>
     </ItemGroup>
 
     <ItemGroup>