feat(deploy): bake the ServerCluster/ClusterNode seed into docker-compose

Adds a one-shot cluster-seed service to docker-dev/docker-compose.yml that pre-populates the three Akka clusters' scope rows in the shared OtOpcUa ConfigDb so operators don't have to click through /clusters + /hosts on every fresh bring-up. Seed contents: ServerCluster MAIN (Warm/2), SITE-A (Warm/2), SITE-B (Warm/2) ClusterNode driver-a + driver-b → MAIN site-a-1 + site-a-2 → SITE-A site-b-1 + site-b-2 → SITE-B NodeCount + RedundancyMode honour the CK_ServerCluster check constraint. ApplicationUri follows the urn:OtOpcUa:<NodeId> convention; uniqueness across the fleet satisfies UX_ClusterNode_ApplicationUri. Mechanism: - docker-dev/seed/seed-clusters.sql — idempotent INSERTs (IF NOT EXISTS guards on every row). - docker-dev/seed/entrypoint.sh — bash wrapper that waits for SQL to accept connections, then polls until dbo.ServerCluster exists (the host containers' EF auto-migration creates it on first boot), then applies the SQL script. - cluster-seed service uses mcr.microsoft.com/mssql-tools as the base image (bash + sqlcmd available), restart: "no" so it runs once. Re-running `docker compose up` is safe: the seed exits cleanly on the second run because every INSERT is guarded. Manual re-seed: `docker compose run --rm cluster-seed`.
fix(deploy): site clusters share the single OtOpcUa ConfigDb
2026-05-26 14:06:47 -04:00 · 2026-05-26 14:02:24 -04:00 · 2026-05-26 13:59:23 -04:00 · 2026-05-26 13:53:09 -04:00 · 2026-05-26 13:48:35 -04:00 · 2026-05-26 13:48:18 -04:00
204 changed files with 19206 additions and 710 deletions
@@ -0,0 +1,76 @@
+# CI for the v2 branch — runs on every push + PR to the v2-akka-fuse / master
+# branches. Layered into three jobs:
+#   build           dotnet restore + build (fast feedback on compile errors)
+#   unit-tests      every v2 unit-test project
+#   integration     2-node Host.IntegrationTests harness
+#
+# Skips E2E (Category=E2E) — that runs nightly via v2-e2e.yml against the full
+# four-node docker-dev stack.
+#
+# Compatible with both GitHub Actions and Gitea Actions (act_runner). The .NET 10
+# SDK is pinned via global.json at the repo root; if no global.json exists, the
+# setup-dotnet step falls back to dotnet-version below.
+
+name: v2-ci
+
+on:
+  push:
+    branches: [v2-akka-fuse, master]
+  pull_request:
+    branches: [v2-akka-fuse, master]
+  workflow_dispatch: {}
+
+env:
+  DOTNET_NOLOGO: "1"
+  DOTNET_CLI_TELEMETRY_OPTOUT: "1"
+
+jobs:
+
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: 10.0.x
+      - name: dotnet restore
+        run: dotnet restore ZB.MOM.WW.OtOpcUa.slnx
+      - name: dotnet build
+        run: dotnet build ZB.MOM.WW.OtOpcUa.slnx --no-restore --configuration Release
+
+  unit-tests:
+    needs: build
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        project:
+          - tests/Core/ZB.MOM.WW.OtOpcUa.Cluster.Tests
+          - tests/Server/ZB.MOM.WW.OtOpcUa.ControlPlane.Tests
+          - tests/Server/ZB.MOM.WW.OtOpcUa.Runtime.Tests
+          - tests/Server/ZB.MOM.WW.OtOpcUa.Security.Tests
+          - tests/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer.Tests
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: 10.0.x
+      - name: dotnet test ${{ matrix.project }}
+        run: dotnet test ${{ matrix.project }} --configuration Release --filter "Category!=E2E"
+
+  integration:
+    needs: build
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        project:
+          - tests/Server/ZB.MOM.WW.OtOpcUa.Host.IntegrationTests
+          - tests/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer.IntegrationTests
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: 10.0.x
+      - name: dotnet test ${{ matrix.project }}
+        run: dotnet test ${{ matrix.project }} --configuration Release --filter "Category!=E2E"
@@ -0,0 +1,57 @@
+# Nightly E2E job. Runs against the docker-dev four-node fleet (admin-a +
+# admin-b + driver-a + driver-b + SQL + LDAP + Traefik). Trigger:
+#   - cron at 03:00 UTC daily
+#   - workflow_dispatch from the Actions UI for on-demand runs
+#
+# The E2E test project (tests/Server/ZB.MOM.WW.OtOpcUa.E2ETests) does not yet
+# exist — it lands when the F-series follow-ups F10/F11/F12 wire enough of the
+# SDK/historian/probe so an end-to-end driver round-trip is meaningful. Until
+# then this workflow is a green no-op (the `--filter Category=E2E` matches
+# zero tests, and `dotnet test` returns 0).
+
+name: v2-e2e
+
+on:
+  schedule:
+    - cron: "0 3 * * *"
+  workflow_dispatch: {}
+
+env:
+  DOTNET_NOLOGO: "1"
+  DOTNET_CLI_TELEMETRY_OPTOUT: "1"
+
+jobs:
+
+  e2e:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: 10.0.x
+
+      - name: dotnet restore
+        run: dotnet restore ZB.MOM.WW.OtOpcUa.slnx
+
+      - name: Build docker-dev fleet
+        run: docker compose -f docker-dev/docker-compose.yml up -d --build
+
+      - name: Wait for cluster
+        run: |
+          for i in $(seq 1 30); do
+            if curl -sf http://localhost/health/active >/dev/null; then
+              echo "Admin leader healthy after ${i}s"
+              exit 0
+            fi
+            sleep 2
+          done
+          echo "Timed out waiting for /health/active"
+          docker compose -f docker-dev/docker-compose.yml logs --tail=200
+          exit 1
+
+      - name: dotnet test (E2E only)
+        run: dotnet test --configuration Release --filter "Category=E2E"
+
+      - name: Tear down
+        if: always()
+        run: docker compose -f docker-dev/docker-compose.yml down -v
@@ -62,6 +62,8 @@
  </Folder>
  <Folder Name="/tests/Server/">
    <Project Path="tests/Server/ZB.MOM.WW.OtOpcUa.ControlPlane.Tests/ZB.MOM.WW.OtOpcUa.ControlPlane.Tests.csproj" />
+    <Project Path="tests/Server/ZB.MOM.WW.OtOpcUa.Host.IntegrationTests/ZB.MOM.WW.OtOpcUa.Host.IntegrationTests.csproj" />
+    <Project Path="tests/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer.IntegrationTests/ZB.MOM.WW.OtOpcUa.OpcUaServer.IntegrationTests.csproj" />
    <Project Path="tests/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer.Tests/ZB.MOM.WW.OtOpcUa.OpcUaServer.Tests.csproj" />
    <Project Path="tests/Server/ZB.MOM.WW.OtOpcUa.Runtime.Tests/ZB.MOM.WW.OtOpcUa.Runtime.Tests.csproj" />
    <Project Path="tests/Server/ZB.MOM.WW.OtOpcUa.Security.Tests/ZB.MOM.WW.OtOpcUa.Security.Tests.csproj" />
@@ -0,0 +1,20 @@
+# Multi-stage build of OtOpcUa.Host targeting linux-x64. Used by docker-dev/docker-compose.yml
+# to spin four host containers (admin-a, admin-b, driver-a, driver-b) from a single image —
+# Compose drives OTOPCUA_ROLES + Cluster:* env per container to differentiate them.
+
+FROM mcr.microsoft.com/dotnet/sdk:10.0 AS build
+WORKDIR /src
+COPY . .
+RUN dotnet restore ZB.MOM.WW.OtOpcUa.slnx
+RUN dotnet publish src/Server/ZB.MOM.WW.OtOpcUa.Host/ZB.MOM.WW.OtOpcUa.Host.csproj \
+        -c Release -o /app --no-restore
+
+FROM mcr.microsoft.com/dotnet/aspnet:10.0 AS runtime
+WORKDIR /app
+COPY --from=build /app ./
+
+EXPOSE 9000
+EXPOSE 4053
+EXPOSE 4840
+
+ENTRYPOINT ["dotnet", "OtOpcUa.Host.dll"]
@@ -0,0 +1,112 @@
+# docker-dev
+
+Mac-friendly multi-cluster OtOpcUa fleet for manual UI exercise + integration smoke tests. Spins up **three isolated Akka clusters** + SQL Server + OpenLDAP + Traefik on the same Compose network. All three clusters share the single `OtOpcUa` ConfigDb — multi-tenancy is enforced by per-row `ServerCluster.ClusterId` scoping. Akka.Cluster gossip stays isolated between meshes because their seed-node lists are disjoint, even though they share the same system name `otopcua`.
+
+## Stack
+
+### Shared infrastructure
+
+| Service | Role | Ports |
+|---|---|---|
+| `sql` | SQL Server 2022 — single `OtOpcUa` ConfigDb shared by all three clusters | host `14330` → container `1433` |
+| `ldap` | OpenLDAP with dev users `alice` / `bob` | host `3893` → container `1389` |
+| `traefik` | Routes :80 by Host header / PathPrefix | host `80`, dashboard `8080` |
+
+### Main cluster — split admin/driver roles
+
+| Service | Role | Ports |
+|---|---|---|
+| `admin-a` | `OTOPCUA_ROLES=admin`, cluster seed | internal `9000` |
+| `admin-b` | `OTOPCUA_ROLES=admin`, joins admin-a | internal `9000` |
+| `driver-a` | `OTOPCUA_ROLES=driver` | host `4840` → container `4840` |
+| `driver-b` | `OTOPCUA_ROLES=driver` | host `4841` → container `4840` |
+
+### Site A cluster — 2-node fused admin+driver
+
+| Service | Role | Ports |
+|---|---|---|
+| `site-a-1` | `OTOPCUA_ROLES=admin,driver`, cluster seed | host `4842` → container `4840` |
+| `site-a-2` | `OTOPCUA_ROLES=admin,driver`, joins site-a-1 | host `4843` → container `4840` |
+
+### Site B cluster — 2-node fused admin+driver
+
+| Service | Role | Ports |
+|---|---|---|
+| `site-b-1` | `OTOPCUA_ROLES=admin,driver`, cluster seed | host `4844` → container `4840` |
+| `site-b-2` | `OTOPCUA_ROLES=admin,driver`, joins site-b-1 | host `4845` → container `4840` |
+
+All containers bind Akka remoting to port `4053` inside their own network namespace; the `PublicHostname` of each matches its Compose service name. Akka mesh isolation is enforced purely by disjoint seed lists. Configuration-side isolation is enforced by `ServerCluster.ClusterId` — see "Multi-tenancy" below.
+
+## Multi-tenancy
+
+All eight host nodes write to the same `OtOpcUa` ConfigDb. The `ServerCluster` table differentiates the three Akka meshes: each Akka cluster maps to one row, and each `ClusterNode` row's `ClusterId` ties the runtime node back to its owning cluster scope.
+
+A one-shot `cluster-seed` Compose service (image `mcr.microsoft.com/mssql-tools`) waits for SQL + the EF auto-migration to complete and then INSERTs the rows below. The seed is **idempotent** — `IF NOT EXISTS` guards every insert — so re-runs on `docker compose up` are no-ops:
+
+| Akka mesh | `ServerCluster.ClusterId` | `ClusterNode.NodeId` rows |
+|---|---|---|
+| Main | `MAIN` | `driver-a`, `driver-b` (OPC UA publishers) |
+| Site A | `SITE-A` | `site-a-1`, `site-a-2` |
+| Site B | `SITE-B` | `site-b-1`, `site-b-2` |
+
+`ClusterNode` is the table for **OPC UA-publishing nodes** (not every Akka cluster member), which is why the main cluster's `admin-a` / `admin-b` don't get rows — they're control-plane-only.
+
+Each `ClusterNode.NodeId` matches the node's `Cluster__PublicHostname` env value (Compose service name) — that's the lookup the runtime uses to resolve its own membership. `ApplicationUri` follows the `urn:OtOpcUa:<NodeId>` convention.
+
+The SQL lives at `seed/seed-clusters.sql`; the wait-and-apply wrapper lives at `seed/entrypoint.sh`. To re-seed manually:
+
+```bash
+docker compose -f docker-dev/docker-compose.yml run --rm cluster-seed
+```
+
+## Bring up
+
+```bash
+# from the repo root
+docker compose -f docker-dev/docker-compose.yml up -d --build
+
+# wait ~20 seconds for SQL to come up + all three clusters to form
+
+open http://localhost                      # main cluster admin UI
+open http://site-a.localhost               # site A admin UI
+open http://site-b.localhost               # site B admin UI
+open http://localhost:8080                 # Traefik dashboard
+```
+
+On macOS, `*.localhost` resolves to `127.0.0.1` automatically. On Linux add `127.0.0.1 site-a.localhost site-b.localhost` to `/etc/hosts` if your resolver doesn't.
+
+The first build takes a few minutes (.NET SDK image + restore + publish). Subsequent rebuilds are faster with Docker's layer cache.
+
+## Auth (dev only)
+
+Use one of the LDAP dev users from `LDAP_USERS` in `docker-compose.yml`:
+
+| Username | Password |
+|---|---|
+| `alice` | `alice123` |
+| `bob` | `bob123` |
+
+The compose mounts everyone into `ou=FleetAdmin` so the dev role mapping resolves to `FleetAdmin`.
+
+## Tear down
+
+```bash
+docker compose -f docker-dev/docker-compose.yml down -v
+```
+
+The `-v` drops the SQL + LDAP volumes; remove it to keep ConfigDb state across restarts.
+
+## Failover smoke
+
+1. Watch the Traefik dashboard at `http://localhost:8080`. Both `admin-a` and `admin-b` should be listed as healthy in the `otopcua-admin` service.
+2. `docker compose -f docker-dev/docker-compose.yml stop admin-a` — `admin-b` should pick up the admin role-leader within ~15 s (Akka split-brain stable-after). Traefik will route traffic to `admin-b` once its `/health/active` returns 200.
+3. `docker compose -f docker-dev/docker-compose.yml start admin-a` — `admin-a` rejoins as a follower; `admin-b` keeps the leader role until something disturbs it.
+
+## Notes
+
+- This compose is for the **local Mac/Linux developer rig**. The team's CI + soak runs go to the remote docker host at `10.100.0.35` (see `docs/v2/dev-environment.md`); the file there mirrors this one with adjusted port bindings.
+- The OPC UA driver endpoints are reachable directly from the host (Traefik is only in front of the admin HTTP surface):
+  - Main: `opc.tcp://localhost:4840` (driver-a), `opc.tcp://localhost:4841` (driver-b)
+  - Site A: `opc.tcp://localhost:4842` (site-a-1), `opc.tcp://localhost:4843` (site-a-2)
+  - Site B: `opc.tcp://localhost:4844` (site-b-1), `opc.tcp://localhost:4845` (site-b-2)
+- Galaxy + Wonderware drivers can't run in Linux containers (they need the Windows-only mxaccessgw + Historian SDK). On non-Windows, `DriverInstanceActor.ShouldStub(driverType, roles)` returns `true` for those types and the actor goes straight to a `Stubbed` state that returns deterministic success.
@@ -0,0 +1,268 @@
+# docker-dev/ — Mac-friendly multi-cluster fleet for v2 development + manual UI exercise.
+#
+# Stack (3 separate Akka clusters — all share the single `OtOpcUa` ConfigDb):
+#   sql        SQL Server 2022 — hosts the one ConfigDb that all three clusters use
+#   ldap       OpenLDAP with the dev users from C:\publish\glauth\auth.md mirrored in
+#
+#   Main cluster (existing — split-role admin / driver pair on a single Akka mesh):
+#     admin-a   OtOpcUa.Host with OTOPCUA_ROLES=admin (seed)
+#     admin-b   OtOpcUa.Host with OTOPCUA_ROLES=admin (joins admin-a)
+#     driver-a  OtOpcUa.Host with OTOPCUA_ROLES=driver (joins via admin-a)
+#     driver-b  OtOpcUa.Host with OTOPCUA_ROLES=driver (joins via admin-a)
+#
+#   Site A cluster (2-node fused admin+driver):
+#     site-a-1, site-a-2     OTOPCUA_ROLES=admin,driver, seed = site-a-1
+#
+#   Site B cluster (2-node fused admin+driver):
+#     site-b-1, site-b-2     OTOPCUA_ROLES=admin,driver, seed = site-b-1
+#
+#   traefik    PathPrefix → main cluster admin-a/admin-b; Host(`site-a.localhost`) →
+#              site-a-*; Host(`site-b.localhost`) → site-b-*. Add the two site hosts to
+#              your /etc/hosts (or rely on macOS `.localhost` auto-resolution).
+#
+# Multi-tenancy: ConfigDb is one schema with a `ServerCluster` table; each Akka cluster
+# corresponds to a row in it (ClusterId = "MAIN" / "SITE-A" / "SITE-B"), and each node's
+# `ClusterNode.NodeId` points back at the row that owns it. After first boot, sign in to
+# any cluster's Admin UI and create the matching ServerCluster + ClusterNode rows via
+# /clusters and /hosts so the runtime knows what configuration scope applies.
+#
+# Akka mesh isolation: same system name "otopcua" + same remoting port 4053 inside each
+# container's own network namespace, but with disjoint seed-node lists — gossip never
+# crosses between the three meshes.
+#
+# Usage:
+#   docker compose -f docker-dev/docker-compose.yml up -d --build
+#   open http://localhost                  # main cluster Blazor admin UI
+#   open http://site-a.localhost           # site A admin UI
+#   open http://site-b.localhost           # site B admin UI
+#   open http://localhost:8080             # Traefik dashboard
+#
+# Tear-down:  docker compose -f docker-dev/docker-compose.yml down -v
+
+name: otopcua-dev
+
+services:
+
+  sql:
+    image: mcr.microsoft.com/mssql/server:2022-latest
+    environment:
+      ACCEPT_EULA: "Y"
+      SA_PASSWORD: "OtOpcUa!Dev123"
+      MSSQL_PID: Developer
+    ports:
+      - "14330:1433"
+    healthcheck:
+      test: ["CMD-SHELL", "/opt/mssql-tools18/bin/sqlcmd -S localhost -U sa -P 'OtOpcUa!Dev123' -No -Q 'SELECT 1' || exit 1"]
+      interval: 10s
+      timeout: 5s
+      retries: 20
+
+  # ── Cluster seed (one-shot) ────────────────────────────────────────────────
+  # Waits for SQL + the host containers' EF auto-migration, then INSERTs the
+  # three ServerCluster rows and the six ClusterNode rows that scope each Akka
+  # mesh inside the shared OtOpcUa ConfigDb. Idempotent — re-runs are no-ops.
+  cluster-seed:
+    image: mcr.microsoft.com/mssql-tools:latest
+    depends_on:
+      sql:
+        condition: service_healthy
+    volumes:
+      - ./seed:/seed:ro
+    entrypoint: ["/bin/bash", "/seed/entrypoint.sh"]
+    restart: "no"
+
+  ldap:
+    image: bitnami/openldap:2.6
+    environment:
+      LDAP_ROOT: "dc=lmxopcua,dc=local"
+      LDAP_ADMIN_USERNAME: "admin"
+      LDAP_ADMIN_PASSWORD: "ldapadmin"
+      LDAP_USERS: "alice,bob"
+      LDAP_PASSWORDS: "alice123,bob123"
+      LDAP_USER_DC: "ou=FleetAdmin"
+    ports:
+      - "3893:1389"
+
+  admin-a: &otopcua-host
+    build:
+      context: ..
+      dockerfile: docker-dev/Dockerfile
+    image: otopcua-host:dev
+    depends_on:
+      sql: { condition: service_healthy }
+    environment:
+      OTOPCUA_ROLES: "admin"
+      ASPNETCORE_URLS: "http://+:9000"
+      ConnectionStrings__ConfigDb: "Server=sql,1433;Database=OtOpcUa;User Id=sa;Password=OtOpcUa!Dev123;TrustServerCertificate=True;"
+      Cluster__Hostname: "0.0.0.0"
+      Cluster__Port: "4053"
+      Cluster__PublicHostname: "admin-a"
+      Cluster__SeedNodes__0: "akka.tcp://otopcua@admin-a:4053"
+      Cluster__Roles__0: "admin"
+      Security__Jwt__SigningKey: "docker-dev-signing-key-with-at-least-32-bytes-of-utf8-content-12345"
+      Security__Jwt__Issuer: "otopcua-dev"
+      Security__Jwt__Audience: "otopcua-dev"
+      Authentication__Ldap__Server: "ldap"
+      Authentication__Ldap__Port: "1389"
+      Authentication__Ldap__AllowInsecureLdap: "true"
+
+  admin-b:
+    <<: *otopcua-host
+    environment:
+      OTOPCUA_ROLES: "admin"
+      ASPNETCORE_URLS: "http://+:9000"
+      ConnectionStrings__ConfigDb: "Server=sql,1433;Database=OtOpcUa;User Id=sa;Password=OtOpcUa!Dev123;TrustServerCertificate=True;"
+      Cluster__Hostname: "0.0.0.0"
+      Cluster__Port: "4053"
+      Cluster__PublicHostname: "admin-b"
+      Cluster__SeedNodes__0: "akka.tcp://otopcua@admin-a:4053"
+      Cluster__Roles__0: "admin"
+      Security__Jwt__SigningKey: "docker-dev-signing-key-with-at-least-32-bytes-of-utf8-content-12345"
+      Security__Jwt__Issuer: "otopcua-dev"
+      Security__Jwt__Audience: "otopcua-dev"
+      Authentication__Ldap__Server: "ldap"
+      Authentication__Ldap__Port: "1389"
+      Authentication__Ldap__AllowInsecureLdap: "true"
+
+  driver-a:
+    <<: *otopcua-host
+    environment:
+      OTOPCUA_ROLES: "driver"
+      ConnectionStrings__ConfigDb: "Server=sql,1433;Database=OtOpcUa;User Id=sa;Password=OtOpcUa!Dev123;TrustServerCertificate=True;"
+      Cluster__Hostname: "0.0.0.0"
+      Cluster__Port: "4053"
+      Cluster__PublicHostname: "driver-a"
+      Cluster__SeedNodes__0: "akka.tcp://otopcua@admin-a:4053"
+      Cluster__Roles__0: "driver"
+    ports:
+      - "4840:4840"
+
+  driver-b:
+    <<: *otopcua-host
+    environment:
+      OTOPCUA_ROLES: "driver"
+      ConnectionStrings__ConfigDb: "Server=sql,1433;Database=OtOpcUa;User Id=sa;Password=OtOpcUa!Dev123;TrustServerCertificate=True;"
+      Cluster__Hostname: "0.0.0.0"
+      Cluster__Port: "4053"
+      Cluster__PublicHostname: "driver-b"
+      Cluster__SeedNodes__0: "akka.tcp://otopcua@admin-a:4053"
+      Cluster__Roles__0: "driver"
+    ports:
+      - "4841:4840"
+
+  # ── Site A cluster (2-node fused admin+driver) ──────────────────────────────
+  # Shares the OtOpcUa ConfigDb with the main + site-b clusters; multi-tenancy is
+  # enforced by ServerCluster.ClusterId rows (configure via /clusters after boot).
+  # Akka isolation comes from the disjoint seed list (seed = site-a-1).
+
+  site-a-1:
+    <<: *otopcua-host
+    environment:
+      OTOPCUA_ROLES: "admin,driver"
+      ASPNETCORE_URLS: "http://+:9000"
+      ConnectionStrings__ConfigDb: "Server=sql,1433;Database=OtOpcUa;User Id=sa;Password=OtOpcUa!Dev123;TrustServerCertificate=True;"
+      Cluster__Hostname: "0.0.0.0"
+      Cluster__Port: "4053"
+      Cluster__PublicHostname: "site-a-1"
+      Cluster__SeedNodes__0: "akka.tcp://otopcua@site-a-1:4053"
+      Cluster__Roles__0: "admin"
+      Cluster__Roles__1: "driver"
+      Security__Jwt__SigningKey: "docker-dev-signing-key-with-at-least-32-bytes-of-utf8-content-12345"
+      Security__Jwt__Issuer: "otopcua-dev"
+      Security__Jwt__Audience: "otopcua-dev"
+      Authentication__Ldap__Server: "ldap"
+      Authentication__Ldap__Port: "1389"
+      Authentication__Ldap__AllowInsecureLdap: "true"
+    ports:
+      - "4842:4840"
+
+  site-a-2:
+    <<: *otopcua-host
+    depends_on:
+      sql: { condition: service_healthy }
+      site-a-1: { condition: service_started }
+    environment:
+      OTOPCUA_ROLES: "admin,driver"
+      ASPNETCORE_URLS: "http://+:9000"
+      ConnectionStrings__ConfigDb: "Server=sql,1433;Database=OtOpcUa;User Id=sa;Password=OtOpcUa!Dev123;TrustServerCertificate=True;"
+      Cluster__Hostname: "0.0.0.0"
+      Cluster__Port: "4053"
+      Cluster__PublicHostname: "site-a-2"
+      Cluster__SeedNodes__0: "akka.tcp://otopcua@site-a-1:4053"
+      Cluster__Roles__0: "admin"
+      Cluster__Roles__1: "driver"
+      Security__Jwt__SigningKey: "docker-dev-signing-key-with-at-least-32-bytes-of-utf8-content-12345"
+      Security__Jwt__Issuer: "otopcua-dev"
+      Security__Jwt__Audience: "otopcua-dev"
+      Authentication__Ldap__Server: "ldap"
+      Authentication__Ldap__Port: "1389"
+      Authentication__Ldap__AllowInsecureLdap: "true"
+    ports:
+      - "4843:4840"
+
+  # ── Site B cluster (2-node fused admin+driver) ──────────────────────────────
+
+  site-b-1:
+    <<: *otopcua-host
+    environment:
+      OTOPCUA_ROLES: "admin,driver"
+      ASPNETCORE_URLS: "http://+:9000"
+      ConnectionStrings__ConfigDb: "Server=sql,1433;Database=OtOpcUa;User Id=sa;Password=OtOpcUa!Dev123;TrustServerCertificate=True;"
+      Cluster__Hostname: "0.0.0.0"
+      Cluster__Port: "4053"
+      Cluster__PublicHostname: "site-b-1"
+      Cluster__SeedNodes__0: "akka.tcp://otopcua@site-b-1:4053"
+      Cluster__Roles__0: "admin"
+      Cluster__Roles__1: "driver"
+      Security__Jwt__SigningKey: "docker-dev-signing-key-with-at-least-32-bytes-of-utf8-content-12345"
+      Security__Jwt__Issuer: "otopcua-dev"
+      Security__Jwt__Audience: "otopcua-dev"
+      Authentication__Ldap__Server: "ldap"
+      Authentication__Ldap__Port: "1389"
+      Authentication__Ldap__AllowInsecureLdap: "true"
+    ports:
+      - "4844:4840"
+
+  site-b-2:
+    <<: *otopcua-host
+    depends_on:
+      sql: { condition: service_healthy }
+      site-b-1: { condition: service_started }
+    environment:
+      OTOPCUA_ROLES: "admin,driver"
+      ASPNETCORE_URLS: "http://+:9000"
+      ConnectionStrings__ConfigDb: "Server=sql,1433;Database=OtOpcUa;User Id=sa;Password=OtOpcUa!Dev123;TrustServerCertificate=True;"
+      Cluster__Hostname: "0.0.0.0"
+      Cluster__Port: "4053"
+      Cluster__PublicHostname: "site-b-2"
+      Cluster__SeedNodes__0: "akka.tcp://otopcua@site-b-1:4053"
+      Cluster__Roles__0: "admin"
+      Cluster__Roles__1: "driver"
+      Security__Jwt__SigningKey: "docker-dev-signing-key-with-at-least-32-bytes-of-utf8-content-12345"
+      Security__Jwt__Issuer: "otopcua-dev"
+      Security__Jwt__Audience: "otopcua-dev"
+      Authentication__Ldap__Server: "ldap"
+      Authentication__Ldap__Port: "1389"
+      Authentication__Ldap__AllowInsecureLdap: "true"
+    ports:
+      - "4845:4840"
+
+  traefik:
+    image: traefik:v3.1
+    command:
+      - --entrypoints.web.address=:80
+      - --providers.file.filename=/etc/traefik/dynamic.yml
+      - --providers.file.watch=true
+      - --api.insecure=true
+    ports:
+      - "80:80"
+      - "8080:8080"
+    volumes:
+      - ./traefik-dynamic.yml:/etc/traefik/dynamic.yml:ro
+    depends_on:
+      - admin-a
+      - admin-b
+      - site-a-1
+      - site-a-2
+      - site-b-1
+      - site-b-2
@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+# docker-dev cluster-seed entrypoint. Waits for the host containers to finish
+# their EF Core auto-migration (which creates the ServerCluster table), then
+# applies the idempotent seed script.
+#
+# Image: mcr.microsoft.com/mssql-tools (Debian + sqlcmd at /opt/mssql-tools18/bin).
+
+set -euo pipefail
+
+SQLCMD="/opt/mssql-tools18/bin/sqlcmd"
+SERVER="${SQL_HOST:-sql},1433"
+USER="${SQL_USER:-sa}"
+PASS="${SQL_PASSWORD:-OtOpcUa!Dev123}"
+DB="${SQL_DATABASE:-OtOpcUa}"
+
+run_sql() {
+    "$SQLCMD" -S "$SERVER" -U "$USER" -P "$PASS" -d "$DB" -No -b -h -1 "$@"
+}
+
+echo "[cluster-seed] waiting for SQL Server to accept connections..."
+until run_sql -Q "SELECT 1" >/dev/null 2>&1; do
+    sleep 2
+done
+echo "[cluster-seed] SQL Server up."
+
+echo "[cluster-seed] waiting for $DB.ServerCluster (host containers must finish EF migration)..."
+until run_sql -Q "IF OBJECT_ID('dbo.ServerCluster') IS NULL THROW 50001, 'missing', 1; SELECT 1" >/dev/null 2>&1; do
+    sleep 3
+done
+echo "[cluster-seed] schema ready."
+
+echo "[cluster-seed] applying seed-clusters.sql..."
+run_sql -i /seed/seed-clusters.sql
+
+echo "[cluster-seed] done."
@@ -0,0 +1,106 @@
+-- docker-dev cluster seed. Idempotent — safe to re-run on every `docker compose up`.
+--
+-- Populates:
+--   ServerCluster   MAIN, SITE-A, SITE-B
+--   ClusterNode     driver-a, driver-b  → MAIN
+--                   site-a-1, site-a-2  → SITE-A
+--                   site-b-1, site-b-2  → SITE-B
+--
+-- ServerCluster.NodeCount + RedundancyMode are coupled by CHECK constraint:
+--   NodeCount=1 ⇒ RedundancyMode='None'
+--   NodeCount=2 ⇒ RedundancyMode∈('Warm','Hot')
+--
+-- Each ClusterNode.ApplicationUri MUST be globally unique (UX_ClusterNode_ApplicationUri).
+-- Convention: urn:OtOpcUa:<NodeId>.
+--
+-- Host = Compose service name (resolves inside the otopcua-dev network).
+-- OpcUaPort stays at the container-internal 4840; the host-side port mapping is in
+-- docker-compose.yml ports: blocks and is irrelevant to ClusterNode rows.
+
+SET NOCOUNT ON;
+SET XACT_ABORT ON;
+
+BEGIN TRANSACTION;
+
+------------------------------------------------------------------------------
+-- ServerCluster
+------------------------------------------------------------------------------
+
+IF NOT EXISTS (SELECT 1 FROM dbo.ServerCluster WHERE ClusterId = 'MAIN')
+    INSERT INTO dbo.ServerCluster
+        (ClusterId, Name, Enterprise, Site, NodeCount, RedundancyMode, Enabled, Notes, CreatedBy)
+    VALUES
+        ('MAIN', 'Main cluster', 'zb', 'docker-dev',
+         2, 'Warm', 1,
+         'docker-dev seed — admin-a/admin-b control-plane, driver-a/driver-b OPC UA publishers.',
+         'docker-dev-seed');
+
+IF NOT EXISTS (SELECT 1 FROM dbo.ServerCluster WHERE ClusterId = 'SITE-A')
+    INSERT INTO dbo.ServerCluster
+        (ClusterId, Name, Enterprise, Site, NodeCount, RedundancyMode, Enabled, Notes, CreatedBy)
+    VALUES
+        ('SITE-A', 'Site A', 'zb', 'site-a',
+         2, 'Warm', 1,
+         'docker-dev seed — 2-node fused admin+driver cluster.',
+         'docker-dev-seed');
+
+IF NOT EXISTS (SELECT 1 FROM dbo.ServerCluster WHERE ClusterId = 'SITE-B')
+    INSERT INTO dbo.ServerCluster
+        (ClusterId, Name, Enterprise, Site, NodeCount, RedundancyMode, Enabled, Notes, CreatedBy)
+    VALUES
+        ('SITE-B', 'Site B', 'zb', 'site-b',
+         2, 'Warm', 1,
+         'docker-dev seed — 2-node fused admin+driver cluster.',
+         'docker-dev-seed');
+
+------------------------------------------------------------------------------
+-- ClusterNode — main cluster OPC UA publishers
+------------------------------------------------------------------------------
+
+IF NOT EXISTS (SELECT 1 FROM dbo.ClusterNode WHERE NodeId = 'driver-a')
+    INSERT INTO dbo.ClusterNode
+        (NodeId, ClusterId, Host, OpcUaPort, DashboardPort, ApplicationUri, ServiceLevelBase, Enabled, CreatedBy)
+    VALUES ('driver-a', 'MAIN', 'driver-a', 4840, 8081, 'urn:OtOpcUa:driver-a', 200, 1, 'docker-dev-seed');
+
+IF NOT EXISTS (SELECT 1 FROM dbo.ClusterNode WHERE NodeId = 'driver-b')
+    INSERT INTO dbo.ClusterNode
+        (NodeId, ClusterId, Host, OpcUaPort, DashboardPort, ApplicationUri, ServiceLevelBase, Enabled, CreatedBy)
+    VALUES ('driver-b', 'MAIN', 'driver-b', 4840, 8081, 'urn:OtOpcUa:driver-b', 150, 1, 'docker-dev-seed');
+
+------------------------------------------------------------------------------
+-- ClusterNode — site A
+------------------------------------------------------------------------------
+
+IF NOT EXISTS (SELECT 1 FROM dbo.ClusterNode WHERE NodeId = 'site-a-1')
+    INSERT INTO dbo.ClusterNode
+        (NodeId, ClusterId, Host, OpcUaPort, DashboardPort, ApplicationUri, ServiceLevelBase, Enabled, CreatedBy)
+    VALUES ('site-a-1', 'SITE-A', 'site-a-1', 4840, 8081, 'urn:OtOpcUa:site-a-1', 200, 1, 'docker-dev-seed');
+
+IF NOT EXISTS (SELECT 1 FROM dbo.ClusterNode WHERE NodeId = 'site-a-2')
+    INSERT INTO dbo.ClusterNode
+        (NodeId, ClusterId, Host, OpcUaPort, DashboardPort, ApplicationUri, ServiceLevelBase, Enabled, CreatedBy)
+    VALUES ('site-a-2', 'SITE-A', 'site-a-2', 4840, 8081, 'urn:OtOpcUa:site-a-2', 150, 1, 'docker-dev-seed');
+
+------------------------------------------------------------------------------
+-- ClusterNode — site B
+------------------------------------------------------------------------------
+
+IF NOT EXISTS (SELECT 1 FROM dbo.ClusterNode WHERE NodeId = 'site-b-1')
+    INSERT INTO dbo.ClusterNode
+        (NodeId, ClusterId, Host, OpcUaPort, DashboardPort, ApplicationUri, ServiceLevelBase, Enabled, CreatedBy)
+    VALUES ('site-b-1', 'SITE-B', 'site-b-1', 4840, 8081, 'urn:OtOpcUa:site-b-1', 200, 1, 'docker-dev-seed');
+
+IF NOT EXISTS (SELECT 1 FROM dbo.ClusterNode WHERE NodeId = 'site-b-2')
+    INSERT INTO dbo.ClusterNode
+        (NodeId, ClusterId, Host, OpcUaPort, DashboardPort, ApplicationUri, ServiceLevelBase, Enabled, CreatedBy)
+    VALUES ('site-b-2', 'SITE-B', 'site-b-2', 4840, 8081, 'urn:OtOpcUa:site-b-2', 150, 1, 'docker-dev-seed');
+
+COMMIT TRANSACTION;
+
+------------------------------------------------------------------------------
+-- Summary (logged by sqlcmd output)
+------------------------------------------------------------------------------
+
+SELECT ClusterId, Name, NodeCount, RedundancyMode FROM dbo.ServerCluster ORDER BY ClusterId;
+SELECT NodeId, ClusterId, Host, OpcUaPort, ApplicationUri, ServiceLevelBase
+  FROM dbo.ClusterNode ORDER BY ClusterId, NodeId;
@@ -0,0 +1,57 @@
+# docker-dev companion to scripts/install/traefik-dynamic.yml. Routes three
+# Akka clusters that share the Compose network:
+#
+#   - Main cluster (default): PathPrefix(`/`) → admin-a / admin-b.
+#   - Site A cluster:         Host(`site-a.localhost`) → site-a-1 / site-a-2.
+#   - Site B cluster:         Host(`site-b.localhost`) → site-b-1 / site-b-2.
+#
+# Host-header rules are more specific than PathPrefix, so they win over the
+# default router for the site hostnames automatically — no priority field needed.
+
+http:
+  routers:
+    otopcua-admin:
+      entryPoints: ["web"]
+      rule: "PathPrefix(`/`)"
+      service: otopcua-admin
+
+    otopcua-site-a:
+      entryPoints: ["web"]
+      rule: "Host(`site-a.localhost`)"
+      service: otopcua-site-a
+
+    otopcua-site-b:
+      entryPoints: ["web"]
+      rule: "Host(`site-b.localhost`)"
+      service: otopcua-site-b
+
+  services:
+    otopcua-admin:
+      loadBalancer:
+        servers:
+          - url: "http://admin-a:9000"
+          - url: "http://admin-b:9000"
+        healthCheck:
+          path: /health/active
+          interval: 5s
+          timeout: 2s
+
+    otopcua-site-a:
+      loadBalancer:
+        servers:
+          - url: "http://site-a-1:9000"
+          - url: "http://site-a-2:9000"
+        healthCheck:
+          path: /health/active
+          interval: 5s
+          timeout: 2s
+
+    otopcua-site-b:
+      loadBalancer:
+        servers:
+          - url: "http://site-b-1:9000"
+          - url: "http://site-b-2:9000"
+        healthCheck:
+          path: /health/active
+          interval: 5s
+          timeout: 2s
@@ -1,6 +1,6 @@
 # Address Space

-Each driver's browsable subtree is built by streaming nodes from the driver's `ITagDiscovery.DiscoverAsync` implementation into an `IAddressSpaceBuilder`. `GenericDriverNodeManager` (`src/Core/ZB.MOM.WW.OtOpcUa.Core/OpcUa/GenericDriverNodeManager.cs`) owns the shared orchestration; `DriverNodeManager` (`src/Server/ZB.MOM.WW.OtOpcUa.Server/OpcUa/DriverNodeManager.cs`) implements `IAddressSpaceBuilder` against the OPC Foundation stack's `CustomNodeManager2`. The same code path serves Galaxy object hierarchies, Modbus PLC registers, AB CIP tags, TwinCAT symbols, FOCAS CNC parameters, and OPC UA Client aggregations — Galaxy is one driver of seven, not the driver.
+Each driver's browsable subtree is built by streaming nodes from the driver's `ITagDiscovery.DiscoverAsync` implementation into an `IAddressSpaceBuilder`. `GenericDriverNodeManager` (`src/Core/ZB.MOM.WW.OtOpcUa.Core/OpcUa/GenericDriverNodeManager.cs`) owns the shared orchestration; in v2 the SDK-driven materialization is handled by `OtOpcUaNodeManager` (`src/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer/OtOpcUaNodeManager.cs`) fed via `SdkAddressSpaceSink` (`src/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer/SdkAddressSpaceSink.cs`). The same code path serves Galaxy object hierarchies, Modbus PLC registers, AB CIP tags, TwinCAT symbols, FOCAS CNC parameters, and OPC UA Client aggregations — Galaxy is one driver of seven, not the driver.

 ## Driver root folder

@@ -66,7 +66,7 @@ Drivers that implement `IRediscoverable` fire `OnRediscoveryNeeded` when their b
 ## Key source files

 - `src/Core/ZB.MOM.WW.OtOpcUa.Core/OpcUa/GenericDriverNodeManager.cs` — orchestration + `CapturingBuilder`
- `src/Server/ZB.MOM.WW.OtOpcUa.Server/OpcUa/DriverNodeManager.cs` — OPC UA materialization (`IAddressSpaceBuilder` impl + `NestedBuilder`)
+- `src/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer/OtOpcUaNodeManager.cs`, `src/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer/SdkAddressSpaceSink.cs` — OPC UA materialization (write-only sink fed by the actor system)
 - `src/Core/ZB.MOM.WW.OtOpcUa.Core.Abstractions/IAddressSpaceBuilder.cs` — builder contract
 - `src/Core/ZB.MOM.WW.OtOpcUa.Core.Abstractions/ITagDiscovery.cs` — driver discovery capability
 - `src/Core/ZB.MOM.WW.OtOpcUa.Core.Abstractions/DriverAttributeInfo.cs` — per-attribute descriptor
@@ -15,9 +15,10 @@ historical reference.
 | **Galaxy sub-attribute fallback**  | `IWritable` writes to `$Alarm*` sub-attributes | gateway data subscription → driver `OnDataChange` → `DriverNodeManager` ConditionSink → `AlarmConditionService` |
 | **Scripted alarms**                | `Phase7EngineComposer` | server-side script evaluator → `Phase7EngineComposer.RouteToHistorianAsync` + `AlarmConditionService` |

-All three converge on `AlarmConditionService` (`src/Server/ZB.MOM.WW.OtOpcUa.Server/Alarms/AlarmConditionService.cs`),
-which owns the OPC UA Part 9 state machine and dispatches transitions
-to the OPC UA condition node managers. Driver-native transitions take
+All three converge on the alarm-state actor — in v2 the OPC UA Part 9 state
+machine lives inside `ScriptedAlarmActor`
+(`src/Server/ZB.MOM.WW.OtOpcUa.Runtime/ScriptedAlarms/ScriptedAlarmActor.cs`),
+which dispatches transitions to the OPC UA condition node managers. Driver-native transitions take
 precedence over sub-attribute synthesis when both arrive for the same
 condition — the dedup logic prefers the richer driver-native record
 because it carries the full operator + raise-time + category metadata
@@ -28,7 +28,7 @@ Static drivers (Modbus, S7, AB CIP, AB Legacy, FOCAS) do not implement `IRedisco

 Tag-set changes authored in the Admin UI (UNS edits, CSV imports, driver-config edits) accumulate in a draft generation and commit via `sp_PublishGeneration`. The delta between the currently-published generation and the proposed next one is computed by `sp_ComputeGenerationDiff`, which drives:

- The **DiffViewer** in Admin (`src/Server/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/DiffViewer.razor`) so operators can preview what will change before clicking Publish.
+- The publish-preview surface in the Admin UI (`src/Server/ZB.MOM.WW.OtOpcUa.AdminUI/Components/Pages/Deployments.razor`, backed by `AdminOperationsClient`) so operators can preview what will change before clicking Publish.
 - The 409-on-stale-draft flow (decision #161) — a UNS drag-reorder preview carries a `DraftRevisionToken` so Confirm returns `409 Conflict / refresh-required` if the draft advanced between preview and commit.

 After publish, the server's generation applier invokes `IDriver.ReinitializeAsync(driverConfigJson, ct)` on every driver whose `DriverInstance.DriverConfig` row changed in the new generation. Reinitialize is the in-process recovery path for Tier A/B drivers; if it fails the driver is marked `DriverState.Faulted` and its nodes go Bad quality — but the server process stays running. See `docs/v2/driver-stability.md`.
@@ -64,6 +64,7 @@ Subscriptions for unchanged references stay live across rebuilds — their ref-c
 - `src/Core/ZB.MOM.WW.OtOpcUa.Core.Abstractions/IRediscoverable.cs` — backend-change capability
 - `src/Core/ZB.MOM.WW.OtOpcUa.Core/OpcUa/GenericDriverNodeManager.cs` — discovery orchestration
 - `src/Core/ZB.MOM.WW.OtOpcUa.Core.Abstractions/IDriver.cs` — `ReinitializeAsync` contract
- `src/Server/ZB.MOM.WW.OtOpcUa.Admin/Services/GenerationService.cs` — publish-flow driver
+- `src/Server/ZB.MOM.WW.OtOpcUa.ControlPlane/Coordinators/ConfigPublishCoordinator.cs` — publish-flow driver
+- `src/Server/ZB.MOM.WW.OtOpcUa.ControlPlane/AdminOperations/AdminOperationsActor.cs` — cluster singleton invoked by the Admin UI's `AdminOperationsClient`
 - `docs/v2/config-db-schema.md` — `sp_PublishGeneration` + `sp_ComputeGenerationDiff`
 - `docs/v2/admin-ui.md` — DiffViewer + draft-revision-token flow
@@ -1,13 +1,13 @@
 # OPC UA Server

-The OPC UA server component (`src/Server/ZB.MOM.WW.OtOpcUa.Server/OpcUa/OtOpcUaServer.cs`) hosts the OPC UA stack and exposes one browsable subtree per registered driver. The server itself is driver-agnostic — Galaxy/MXAccess, Modbus, S7, AB CIP, AB Legacy, TwinCAT, FOCAS, and OPC UA Client are all plugged in as `IDriver` implementations via the capability interfaces in `src/Core/ZB.MOM.WW.OtOpcUa.Core.Abstractions/`.
+The OPC UA server component (`src/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer/OtOpcUaSdkServer.cs`) hosts the OPC UA stack and exposes one browsable subtree per registered driver. The server itself is driver-agnostic — Galaxy/MXAccess, Modbus, S7, AB CIP, AB Legacy, TwinCAT, FOCAS, and OPC UA Client are all plugged in as `IDriver` implementations via the capability interfaces in `src/Core/ZB.MOM.WW.OtOpcUa.Core.Abstractions/`.

 ## Composition

 `OtOpcUaServer` subclasses the OPC Foundation `StandardServer` and wires:

 - A `DriverHost` (`src/Core/ZB.MOM.WW.OtOpcUa.Core/Hosting/DriverHost.cs`) which registers drivers and holds the per-instance `IDriver` references.
- One `DriverNodeManager` per registered driver (`src/Server/ZB.MOM.WW.OtOpcUa.Server/OpcUa/DriverNodeManager.cs`), constructed in `CreateMasterNodeManager`. Each manager owns its own namespace URI (`urn:OtOpcUa:{DriverInstanceId}`) and exposes the driver as a subtree under the standard `Objects` folder.
+- One `DriverNodeManager` per registered driver (`src/Core/ZB.MOM.WW.OtOpcUa.Core/OpcUa/GenericDriverNodeManager.cs`), constructed in `CreateMasterNodeManager`. Each manager owns its own namespace URI (`urn:OtOpcUa:{DriverInstanceId}`) and exposes the driver as a subtree under the standard `Objects` folder.
 - A `CapabilityInvoker` (`src/Core/ZB.MOM.WW.OtOpcUa.Core/Resilience/CapabilityInvoker.cs`) per driver instance, keyed on `(DriverInstanceId, HostName, DriverCapability)` against the shared `DriverResiliencePipelineBuilder`. Every Read/Write/Discovery/Subscribe/HistoryRead/AlarmSubscribe call on the driver flows through this invoker so the Polly pipeline (retry / timeout / breaker / bulkhead) applies. The OTOPCUA0001 Roslyn analyzer enforces the wrapping at compile time.
 - An `IUserAuthenticator` (LDAP in production, injected stub in tests) for `UserName` token validation in the `ImpersonateUser` hook.
 - Optional `AuthorizationGate` + `NodeScopeResolver` (Phase 6.2) that sit in front of every dispatch call. In lax mode the gate passes through when the identity lacks LDAP groups so existing integration tests keep working; strict mode (`Authorization:StrictMode = true`) denies those cases.
@@ -50,7 +50,7 @@ The host name fed to the invoker comes from `IPerCallHostResolver.ResolveHost(fu

 ## Redundancy

-`Redundancy.Enabled = true` on the `ServerInstance` activates the `RedundancyCoordinator` + `ServiceLevelCalculator` (`src/Server/ZB.MOM.WW.OtOpcUa.Server/Redundancy/`). Standard OPC UA redundancy nodes (`Server/ServerRedundancy/RedundancySupport`, `ServerUriArray`, `Server/ServiceLevel`) are populated on startup; `ServiceLevel` recomputes whenever any driver's `DriverHealth` changes. The apply-lease mechanism prevents two instances from concurrently applying a generation. See `docs/Redundancy.md`.
+`Redundancy.Enabled = true` on the `ServerInstance` activates the `RedundancyStateActor` + `ServiceLevelCalculator` (`src/Server/ZB.MOM.WW.OtOpcUa.ControlPlane/Redundancy/`). Standard OPC UA redundancy nodes (`Server/ServerRedundancy/RedundancySupport`, `ServerUriArray`, `Server/ServiceLevel`) are populated on startup; `ServiceLevel` recomputes whenever any driver's `DriverHealth` changes. The apply-lease mechanism prevents two instances from concurrently applying a generation. See `docs/Redundancy.md`.

 ## Server class hierarchy

@@ -79,10 +79,11 @@ Certificate stores default to `%LOCALAPPDATA%\OPC Foundation\pki\` (directory-ba

 ## Key source files

- `src/Server/ZB.MOM.WW.OtOpcUa.Server/OpcUa/OtOpcUaServer.cs` — `StandardServer` subclass + `ImpersonateUser` hook
- `src/Server/ZB.MOM.WW.OtOpcUa.Server/OpcUa/DriverNodeManager.cs` — per-driver `CustomNodeManager2` + dispatch surface
- `src/Server/ZB.MOM.WW.OtOpcUa.Server/OpcUa/OpcUaApplicationHost.cs` — programmatic `ApplicationConfiguration` + lifecycle
+- `src/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer/OtOpcUaSdkServer.cs` — `StandardServer` subclass
+- `src/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer/OpcUaApplicationHost.cs` — programmatic `ApplicationConfiguration` + lifecycle + `ImpersonateUser` hook
+- `src/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer/OtOpcUaNodeManager.cs` — SDK node manager + write-only address-space sink
+- `src/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer/SdkAddressSpaceSink.cs` — `IOpcUaAddressSpaceSink` adapter the actor system pushes into
+- `src/Core/ZB.MOM.WW.OtOpcUa.Core/OpcUa/GenericDriverNodeManager.cs` — per-driver discovery + dispatch surface
 - `src/Core/ZB.MOM.WW.OtOpcUa.Core/Hosting/DriverHost.cs` — driver registration
 - `src/Core/ZB.MOM.WW.OtOpcUa.Core/Resilience/CapabilityInvoker.cs` — Polly pipeline entry point
- `src/Core/ZB.MOM.WW.OtOpcUa.Core/Authorization/` — Phase 6.2 permission trie + evaluator
- `src/Server/ZB.MOM.WW.OtOpcUa.Server/Security/AuthorizationGate.cs` — stack-to-evaluator bridge
+- `src/Core/ZB.MOM.WW.OtOpcUa.Core/Authorization/` — permission trie + evaluator (`PermissionTrie`, `PermissionTrieCache`, `TriePermissionEvaluator`)
@@ -9,10 +9,13 @@ The project was originally called **LmxOpcUa** (a single-driver Galaxy/MXAccess

 ## Platform overview

- **Core** owns the OPC UA stack, address space, session/security/subscription machinery.
+> **v2 (2026-05-26):** the separate `OtOpcUa.Server` + `OtOpcUa.Admin` services fused into a single role-gated `OtOpcUa.Host` binary, joined by an Akka.NET cluster. See [v2 design](plans/2026-05-26-akka-hosting-alignment-design.md) for the architectural decision.
+
+- **Core** owns shared abstractions (driver capability contracts, scripting, virtual tags, alarm historian).
 - **Drivers** plug in via capability interfaces in `ZB.MOM.WW.OtOpcUa.Core.Abstractions`: `IDriver`, `IReadable`, `IWritable`, `ITagDiscovery`, `ISubscribable`, `IHostConnectivityProbe`, `IAlarmSource`, `IHistoryProvider`, `IPerCallHostResolver`. Each driver opts into whichever it supports.
- **Server** is the OPC UA endpoint process (net10, AnyCPU). Hosts every driver in-process. The Galaxy driver reaches MXAccess via gRPC to a separately-installed **mxaccessgw** sidecar (sibling repo); it is no longer hosted from this repo.
- **Admin** is the Blazor Server operator UI (net10, x64). Owns the Config DB draft/publish flow, ACL + role-grant authoring, fleet status + `/metrics` scrape endpoint.
+- **Host** (`src/Server/ZB.MOM.WW.OtOpcUa.Host`) is the single fused binary (.NET 10, AnyCPU). `OTOPCUA_ROLES` env decides what to mount: `admin` (Blazor + control-plane singletons), `driver` (OPC UA endpoint + per-node actors), or both. See [ServiceHosting.md](ServiceHosting.md).
+- **Cluster + ControlPlane + Runtime + AdminUI + Security** sit between Core and Host. The cluster glues per-node actors into one logical fleet; the control-plane singletons (deploy coordinator, audit writer, redundancy state) live on the admin role-leader. See [Redundancy.md](Redundancy.md).
+- The Galaxy driver still reaches MXAccess via gRPC to a separately-installed **mxaccessgw** sidecar (sibling repo).

 ## Where to find what

@@ -56,7 +59,7 @@ For Modbus / S7 / AB CIP / AB Legacy / TwinCAT / FOCAS / OPC UA Client specifics
 | [security.md](security.md) | Transport security profiles, LDAP auth, ACL trie, role grants, OTOPCUA0001 analyzer |
 | [Redundancy.md](Redundancy.md) | `RedundancyCoordinator`, `ServiceLevelCalculator`, apply-lease, Prometheus metrics |
 | [Reservations.md](Reservations.md) | Fleet-wide ZTag / SAPID external-ID reservations — publish-time claim, release flow |
-| [ServiceHosting.md](ServiceHosting.md) | Two-process deploy (Server + Admin) install/uninstall, plus the optional `OtOpcUaWonderwareHistorian` sidecar |
+| [ServiceHosting.md](ServiceHosting.md) | Single fused `OtOpcUa.Host` binary install/uninstall with `OTOPCUA_ROLES` gating, plus the optional `OtOpcUaWonderwareHistorian` sidecar |
 | [StatusDashboard.md](StatusDashboard.md) | Pointer — superseded by [v2/admin-ui.md](v2/admin-ui.md) |

 ### Client tooling
@@ -1,6 +1,6 @@
 # Read/Write Operations

-`DriverNodeManager` (`src/Server/ZB.MOM.WW.OtOpcUa.Server/OpcUa/DriverNodeManager.cs`) wires the OPC UA stack's per-variable `OnReadValue` and `OnWriteValue` hooks to each driver's `IReadable` and `IWritable` capabilities. Every dispatch flows through `CapabilityInvoker` so the Polly pipeline (retry / timeout / breaker / bulkhead) applies uniformly across Galaxy, Modbus, S7, AB CIP, AB Legacy, TwinCAT, FOCAS, and OPC UA Client drivers.
+`GenericDriverNodeManager` (`src/Core/ZB.MOM.WW.OtOpcUa.Core/OpcUa/GenericDriverNodeManager.cs`) wires the OPC UA stack's per-variable `OnReadValue` and `OnWriteValue` hooks to each driver's `IReadable` and `IWritable` capabilities. Every dispatch flows through `CapabilityInvoker` so the Polly pipeline (retry / timeout / breaker / bulkhead) applies uniformly across Galaxy, Modbus, S7, AB CIP, AB Legacy, TwinCAT, FOCAS, and OPC UA Client drivers.

 ## Driver vs virtual dispatch

@@ -60,8 +60,7 @@ Per decision #12, exceptions in the driver's capability call are logged and conv

 ## Key source files

- `src/Server/ZB.MOM.WW.OtOpcUa.Server/OpcUa/DriverNodeManager.cs` — `OnReadValue` / `OnWriteValue` hooks
- `src/Server/ZB.MOM.WW.OtOpcUa.Server/Security/WriteAuthzPolicy.cs` — classification-to-role policy
- `src/Server/ZB.MOM.WW.OtOpcUa.Server/Security/AuthorizationGate.cs` — Phase 6.2 trie gate
+- `src/Core/ZB.MOM.WW.OtOpcUa.Core/OpcUa/GenericDriverNodeManager.cs` — `OnReadValue` / `OnWriteValue` hooks
+- `src/Core/ZB.MOM.WW.OtOpcUa.Core/Authorization/` — permission trie + evaluator (`PermissionTrie`, `PermissionTrieCache`, `TriePermissionEvaluator`) that gates Read/Write/Subscribe per the session's resolved LDAP groups
 - `src/Core/ZB.MOM.WW.OtOpcUa.Core/Resilience/CapabilityInvoker.cs` — `ExecuteAsync` / `ExecuteWriteAsync`
 - `src/Core/ZB.MOM.WW.OtOpcUa.Core.Abstractions/IReadable.cs`, `IWritable.cs`, `WriteIdempotentAttribute.cs`
@@ -1,103 +1,109 @@
-# Redundancy
+# Redundancy (v2)

 ## Overview

-OtOpcUa supports OPC UA **non-transparent** warm/hot redundancy. Two (or more) OtOpcUa Server processes run side-by-side, share the same Config DB, the same driver backends (Galaxy ZB, MXAccess runtime, remote PLCs), and advertise the same OPC UA node tree. Each process owns a distinct `ApplicationUri`; OPC UA clients see both endpoints via the standard `ServerUriArray` and pick one based on the `ServiceLevel` that each server publishes.
+OtOpcUa supports OPC UA **non-transparent** warm/hot redundancy. Two or more `OtOpcUa.Host` processes run side-by-side, share the same Config DB, and join the same Akka.NET cluster. Each process owns a distinct `ApplicationUri`; OPC UA clients discover both endpoints by reading `Server.ServerArray` (NodeId `i=2254`) on either node and pick one based on the `ServiceLevel` byte that each server publishes.

-The redundancy surface lives in `src/Server/ZB.MOM.WW.OtOpcUa.Server/Redundancy/`:
+> **Discovery surface.** The `ServerArray` path on the `Server` object is what each node populates with self + peer `ApplicationUri`s — see `OpcUaApplicationHost.PopulateServerArray` and the per-node `PeerApplicationUris` option below. The redundancy-object-type `ServerUriArray` proper (a child of `Server.ServerRedundancy`) remains deferred pending an SDK object-type upgrade; clients should read `Server.ServerArray` for peer discovery today.

-| Class | Role |
-|---|---|
-| `RedundancyCoordinator` | Process-singleton; owns the current `RedundancyTopology` loaded from the `ClusterNode` table. `RefreshAsync` re-reads after `sp_PublishGeneration` so operator role swaps take effect without a process restart. CAS-style swap (`Interlocked.Exchange`) means readers always see a coherent snapshot. |
-| `RedundancyTopology` | Immutable `(ClusterId, Self, Peers, ServerUriArray, ValidityFlags)` snapshot. |
-| `ApplyLeaseRegistry` | Tracks in-progress `sp_PublishGeneration` apply leases keyed on `(ConfigGenerationId, PublishRequestId)`. `await using` the disposable scope guarantees every exit path (success / exception / cancellation) decrements the lease; a stale-lease watchdog force-closes any lease older than `ApplyMaxDuration` (default 10 minutes) so a crashed publisher can't pin the node at `PrimaryMidApply`. |
-| `PeerReachabilityTracker` | Maintains last-known reachability for each peer node over two independent probes — OPC UA ping and HTTP `/healthz`. Both must succeed for `peerReachable = true`. |
-| `RecoveryStateManager` | Gates transitions out of the `Recovering*` bands; requires dwell + publish-witness satisfaction before allowing a return to nominal. |
-| `ServiceLevelCalculator` | Pure function `(role, selfHealthy, peerUa, peerHttp, applyInProgress, recoveryDwellMet, topologyValid, operatorMaintenance) → byte`. |
-| `RedundancyStatePublisher` | Orchestrates inputs into the calculator, pushes the resulting byte to the OPC UA `ServiceLevel` variable via an edge-triggered `OnStateChanged` event, and fires `OnServerUriArrayChanged` when the topology's `ServerUriArray` shifts. |
+> **v2 change.** v1's operator-managed `ClusterNode.RedundancyRole` column + `RedundancyCoordinator` / `ApplyLeaseRegistry` / `PeerHttpProbeLoop` are gone. Primary/secondary is now derived from **Akka cluster role-leader** for the `driver` role. The operator no longer writes a role into the DB; cluster topology + health drive ServiceLevel automatically.

-## Data model
+The runtime pieces live in:

-Per-node redundancy state lives in the Config DB `ClusterNode` table (`src/Core/ZB.MOM.WW.OtOpcUa.Configuration/Entities/ClusterNode.cs`):
-
-| Column | Role |
-|---|---|
-| `NodeId` | Unique node identity; matches `Node:NodeId` in the server's bootstrap `appsettings.json`. |
-| `ClusterId` | Foreign key into `ServerCluster`. |
-| `RedundancyRole` | `Primary`, `Secondary`, or `Standalone` (`RedundancyRole` enum in `Configuration/Enums`). |
-| `ServiceLevelBase` | Per-node base value used to bias nominal ServiceLevel output. |
-| `ApplicationUri` | Unique-per-node OPC UA ApplicationUri advertised in endpoint descriptions. |
-
-`ServerUriArray` is derived from the set of peer `ApplicationUri` values at topology-load time and republished when the topology changes.
-
-## ServiceLevel matrix
-
-`ServiceLevelCalculator` produces one of the following bands (see `ServiceLevelBand` enum in the same file):
-
-| Band | Byte | Meaning |
+| Component | Project | Role |
 |---|---|---|
-| `Maintenance` | 0 | Operator-declared maintenance. |
-| `NoData` | 1 | Self-reported unhealthy (`/healthz` fails). |
-| `InvalidTopology` | 2 | More than one Primary detected; both nodes self-demote. |
-| `RecoveringBackup` | 30 | Backup post-fault, dwell not met. |
-| `BackupMidApply` | 50 | Backup inside a publish-apply window. |
-| `IsolatedBackup` | 80 | Primary unreachable; Backup says "take over if asked" — does **not** auto-promote (non-transparent model). |
-| `AuthoritativeBackup` | 100 | Backup nominal. |
-| `RecoveringPrimary` | 180 | Primary post-fault, dwell not met. |
-| `PrimaryMidApply` | 200 | Primary inside a publish-apply window. |
-| `IsolatedPrimary` | 230 | Primary with unreachable peer, retains authority. |
-| `AuthoritativePrimary` | 255 | Primary nominal. |
+| `ServiceLevelCalculator` | `OtOpcUa.ControlPlane.Redundancy` | Pure function `(NodeHealthInputs) → byte`. No side effects. |
+| `RedundancyStateActor` | `OtOpcUa.ControlPlane.Redundancy` | Admin-role cluster singleton; subscribes to cluster topology events, debounces 250ms, broadcasts `RedundancyStateChanged` on the `redundancy-state` DPS topic. |
+| `DbHealthProbeActor` | `OtOpcUa.Runtime.Health` | Per-node; runs `SELECT 1` against ConfigDb every 5s. Read by health endpoint + redundancy calc. |
+| `PeerOpcUaProbeActor` | `OtOpcUa.Runtime.Health` | Per-node; pings peer `opc.tcp://peer:4840` (real probe call is staged for follow-up F12). |
+| `ClusterRoleInfo` | `OtOpcUa.Cluster` | Live view of cluster membership + role-leader; exposes `IClusterRoleInfo` to the rest of the host. |

-The reserved bands (0 Maintenance, 1 NoData, 2 InvalidTopology) take precedence over operational states per OPC UA Part 5 §6.3.34. Operational values occupy 2..255 so spec-compliant clients that treat "<3 = unhealthy" keep working.
+## ServiceLevel tiers (Part 5 §6.5)

-Standalone nodes (single-instance deployments) report `AuthoritativePrimary` when healthy and `PrimaryMidApply` during publish.
+`ServiceLevelCalculator.Compute(NodeHealthInputs)` returns a byte in 0..255 by tier:

-## Publish fencing and split-brain prevention
+| Tier | Byte | Condition |
+|---|---|---|
+| Down | 0 | Member status is not `Up` or `Joining` (leaving, removed, exiting). |
+| Critically degraded | 100 | ConfigDb unreachable AND data is stale. |
+| Stale | 200 | Data stale but ConfigDb reachable. |
+| Healthy follower | 240 | DB ok + OPC UA probe ok + not stale. |
+| Healthy leader | 250 | Healthy + this node is the `driver` role-leader. |

-Any Admin-triggered `sp_PublishGeneration` acquires an apply lease through `ApplyLeaseRegistry.BeginApplyLease`. While the lease is held:
+Drivers write their computed byte into the OPC UA `ServiceLevel` Variable on each refresh. Clients with the standard redundancy heuristic ("pick the highest ServiceLevel") therefore prefer the role-leader and fall back to followers on its degradation.

- The calculator reports `PrimaryMidApply` / `BackupMidApply` — clients see the band shift and cut over to the unaffected peer rather than racing against a half-applied generation.
- `RedundancyCoordinator.RefreshAsync` is called at the end of the apply window so the post-publish topology becomes visible exactly once, atomically.
- The watchdog force-closes any lease older than `ApplyMaxDuration`; a stuck publisher therefore cannot strand a node at `PrimaryMidApply`.
+## Data flow

-Because role transitions are **operator-driven** (write `RedundancyRole` in the Config DB + publish), the Backup never auto-promotes. An `IsolatedBackup` at 80 is the signal that the operator should intervene; auto-failover is intentionally out of scope for the non-transparent model (decision #154).
+```
+Cluster topology event ──┐
+DB health probe ─────────┤
+OPC UA peer probe ───────┤
+                          ▼
+              RedundancyStateActor (admin singleton)
+                          │  debounce 250ms
+                          ▼
+              DPS topic "redundancy-state"
+                          │
+                          ▼
+                Driver nodes' OpcUaPublishActor
+                          │
+                          ▼
+              ServiceLevelCalculator → byte
+                          │
+                          ▼
+              OPC UA ServiceLevel Variable
+```

-## Metrics
+The admin singleton is the cluster's only `RedundancyStateActor`. If the admin leader fails over, the new admin node spins up its replacement, re-subscribes to cluster events, and publishes a fresh snapshot from the current `Cluster.State`. There is no DB-persisted state to recover.

-`RedundancyMetrics` in `src/Server/ZB.MOM.WW.OtOpcUa.Admin/Services/RedundancyMetrics.cs` registers the `ZB.MOM.WW.OtOpcUa.Redundancy` meter on the Admin process. Instruments:
+## Configuration

-| Name | Kind | Tags | Description |
-|---|---|---|---|
-| `otopcua.redundancy.role_transition` | Counter<long> | `cluster.id`, `node.id`, `from_role`, `to_role` | Incremented every time `FleetStatusPoller` observes a `RedundancyRole` change on a `ClusterNode` row. |
-| `otopcua.redundancy.primary_count` | ObservableGauge<long> | `cluster.id` | Primary-role nodes per cluster — should be exactly 1 in nominal state. |
-| `otopcua.redundancy.secondary_count` | ObservableGauge<long> | `cluster.id` | Secondary-role nodes per cluster. |
-| `otopcua.redundancy.stale_count` | ObservableGauge<long> | `cluster.id` | Nodes whose `LastSeenAt` exceeded the stale threshold. |
+Per-node identity comes from `appsettings.json` + the `OTOPCUA_ROLES` env var:

-Admin `Program.cs` wires OpenTelemetry to the Prometheus exporter when `Metrics:Prometheus:Enabled=true` (default), exposing the meter under `/metrics`. The endpoint is intentionally unauthenticated — fleet conventions put it behind a reverse-proxy basic-auth gate if needed.
+```json
+{
+  "Cluster": {
+    "Hostname": "0.0.0.0",
+    "Port": 4053,
+    "PublicHostname": "node-a.lan",
+    "SeedNodes": ["akka.tcp://otopcua@node-a.lan:4053"],
+    "Roles": ["admin", "driver"]
+  }
+}
+```

-## Real-time notifications (Admin UI)
+```
+OTOPCUA_ROLES=admin,driver
+```

-`FleetStatusPoller` in `src/Server/ZB.MOM.WW.OtOpcUa.Admin/Hubs/` polls the `ClusterNode` table, records role transitions, updates `RedundancyMetrics.SetClusterCounts`, and pushes a `RoleChanged` SignalR event onto `FleetStatusHub` when a transition is observed. `RedundancyTab.razor` subscribes with `_hub.On<RoleChangedMessage>("RoleChanged", …)` so connected Admin sessions see role swaps the moment they happen.
+Both nodes share the same `ConfigDb` connection string; `Cluster.PublicHostname` + `Roles` are what makes them distinct in cluster gossip. The first node bootstraps the cluster (its address goes in `SeedNodes`); the second node joins via the same `SeedNodes` list.

-## Configuring a redundant pair
+There is no longer a `Node:NodeId` setting, no `ClusterNode.RedundancyRole`, no `ServiceLevelBase`. NodeId is derived as `host:port` of the cluster `PublicHostname` (see `ClusterRoleInfo.LocalNode` for the formula).

-Redundancy is configured **in the Config DB, not appsettings.json**. The fields that must differ between the two instances:
+### Peer URI advertising

-| Field | Location | Instance 1 | Instance 2 |
-|---|---|---|---|
-| `NodeId` | `appsettings.json` `Node:NodeId` (bootstrap) | `node-a` | `node-b` |
-| `ClusterNode.ApplicationUri` | Config DB | `urn:node-a:OtOpcUa` | `urn:node-b:OtOpcUa` |
-| `ClusterNode.RedundancyRole` | Config DB | `Primary` | `Secondary` |
-| `ClusterNode.ServiceLevelBase` | Config DB | typically 255 | typically 100 |
+Each node advertises its partner via `OpcUaApplicationHostOptions.PeerApplicationUris` (an `IList<string>`, default empty). `OpcUaApplicationHost.PopulateServerArray` appends each configured peer URI to the SDK's `IServerInternal.ServerUris` string table after server startup, so that `Server.ServerArray` reads served by `OnReadServerArray` return both self + peers. Set this per-node in `appsettings.json`:

-Shared between instances: `ClusterId`, Config DB connection string, published generation, cluster-level ACLs, UNS hierarchy, driver instances.
+```json
+{
+  "OpcUaServer": {
+    "PeerApplicationUris": ["urn:node-b:OtOpcUa"]
+  }
+}
+```

-Role swaps, stand-alone promotions, and base-level adjustments all happen through the Admin UI `RedundancyTab` — the operator edits the `ClusterNode` row in a draft generation and publishes. `RedundancyCoordinator.RefreshAsync` picks up the new topology without a process restart.
+Node A lists Node B's `ApplicationUri` and vice-versa. Validated by `DualEndpointTests` in `tests/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer.IntegrationTests/` — boots two `OpcUaApplicationHost` instances on loopback, asserts a real OPCFoundation client `Session` reading `Server.ServerArray` from Node A sees both URIs.
+
+## Split-brain
+
+`akka.conf` configures Akka's split-brain resolver with `active-strategy = keep-oldest`, `stable-after = 15s`, and `failure-detector.threshold = 10.0`. Under a clean partition: the oldest member stays up + the smaller (or younger) side downs itself within ~15 seconds. The `RedundancyStateActor` on the surviving partition re-computes from the post-partition `Cluster.State`.
+
+There is no operator-driven role swap during a partition. Failover is what the cluster does automatically.

 ## Client-side failover

-The OtOpcUa Client CLI at `src/Client/ZB.MOM.WW.OtOpcUa.Client.CLI` supports `-F` / `--failover-urls` for automatic client-side failover; for long-running subscriptions the CLI monitors session KeepAlive and reconnects to the next available server, recreating the subscription on the new endpoint. See [`Client.CLI.md`](Client.CLI.md) for the command reference.
+The OtOpcUa Client CLI at `src/Client/ZB.MOM.WW.OtOpcUa.Client.CLI` supports `-F` / `--failover-urls` for automatic client-side failover; for long-running subscriptions the CLI monitors session KeepAlive and reconnects to the next available server, recreating the subscription on the new endpoint. See [`Client.CLI.md`](Client.CLI.md).

 ## Depth reference

-For the full decision trail and implementation plan — topology invariants, peer-probe cadence, recovery-dwell policy, compliance-script guard against enum-value drift — see `docs/v2/plan.md` §Phase 6.3.
+For the full design — message contracts, tiered calculator truth table, recovery semantics — see `docs/plans/2026-05-26-akka-hosting-alignment-design.md` §6.
@@ -111,13 +111,13 @@ Emissions map into `AlarmEventArgs` as `AlarmType = Kind.ToString()`, `SourceNod

 ## Composition

-`Phase7EngineComposer.Compose` (`src/Server/ZB.MOM.WW.OtOpcUa.Server/Phase7/Phase7EngineComposer.cs`) is the single call site that instantiates the engine. It takes the generation's `Script` / `VirtualTag` / `ScriptedAlarm` rows, the shared `CachedTagUpstreamSource`, an `IAlarmStateStore`, and an `IAlarmHistorianSink`, and returns a `Phase7ComposedSources` the caller owns. When `scriptedAlarms.Count > 0`:
+`Phase7Composer` (`src/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer/Phase7Composer.cs`) is the single call site that instantiates the engine. It takes the generation's `Script` / `VirtualTag` / `ScriptedAlarm` rows, the shared upstream-tag source, an `IAlarmStateStore`, and an `IAlarmHistorianSink`, and returns the composed sources the caller owns. When `scriptedAlarms.Count > 0`:

 1. `ProjectScriptedAlarms` resolves each row's `PredicateScriptId` against the script dictionary and produces a `ScriptedAlarmDefinition` list. Unknown or disabled scripts throw immediately — the DB publish guarantees referential integrity but this is a belt-and-braces check.
 2. A `ScriptedAlarmEngine` is constructed with the upstream source, the store, a shared `ScriptLoggerFactory` keyed to `scripts-*.log`, and the root Serilog logger.
 3. `alarmEngine.OnEvent` is wired to `RouteToHistorianAsync`, which projects each emission into an `AlarmHistorianEvent` and enqueues it on the sink. Fire-and-forget — the SQLite store-and-forward sink is already non-blocking.
 4. `LoadAsync(alarmDefs)` runs synchronously on the startup thread: it compiles every predicate, subscribes to the union of predicate inputs and message-template tokens, seeds the value cache, loads persisted state, re-derives `ActiveState` from a fresh predicate evaluation, and starts the 5s shelving timer. Compile failures are aggregated into one `InvalidOperationException` so operators see every bad predicate in one startup log line rather than one at a time.
-5. A `ScriptedAlarmSource` is created for the event stream, and a `ScriptedAlarmReadable` (`src/Server/ZB.MOM.WW.OtOpcUa.Server/Phase7/ScriptedAlarmReadable.cs`) is created for OPC UA variable reads on the alarm's active-state node (task #245) — unknown alarm ids return `BadNodeIdUnknown` rather than silently reading `false`.
+5. A `ScriptedAlarmSource` is created for the event stream; the v2 `ScriptedAlarmActor` (`src/Server/ZB.MOM.WW.OtOpcUa.Runtime/ScriptedAlarms/ScriptedAlarmActor.cs`) owns the active-state surface for OPC UA variable reads on the alarm's active-state node (task #245) — unknown alarm ids return `BadNodeIdUnknown` rather than silently reading `false`.

 Both engine and source are added to `Phase7ComposedSources.Disposables`, which `Phase7Composer` disposes on server shutdown.

@@ -132,5 +132,7 @@ Both engine and source are added to `Phase7ComposedSources.Disposables`, which `
 - `src/Core/ZB.MOM.WW.OtOpcUa.Core.ScriptedAlarms/AlarmTypes.cs` — `AlarmKind` + the four Part 9 enums
 - `src/Core/ZB.MOM.WW.OtOpcUa.Core.ScriptedAlarms/MessageTemplate.cs` — `{path}` placeholder resolver
 - `src/Core/ZB.MOM.WW.OtOpcUa.Core.ScriptedAlarms/IAlarmStateStore.cs` — persistence contract + `InMemoryAlarmStateStore` default
- `src/Server/ZB.MOM.WW.OtOpcUa.Server/Phase7/Phase7EngineComposer.cs` — composition, config-row projection, historian routing
- `src/Server/ZB.MOM.WW.OtOpcUa.Server/Phase7/ScriptedAlarmReadable.cs` — `IReadable` adapter exposing `ActiveState` to OPC UA variable reads
+- `src/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer/Phase7Composer.cs` — composition, config-row projection, historian routing
+- `src/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer/Phase7Applier.cs` — applies the composed Phase 7 plan into the SDK node manager
+- `src/Server/ZB.MOM.WW.OtOpcUa.Runtime/ScriptedAlarms/ScriptedAlarmActor.cs` — actor wrapper owning the alarm state machine and exposing `ActiveState` for OPC UA variable reads
+- `src/Server/ZB.MOM.WW.OtOpcUa.Host/Engines/RoslynScriptedAlarmEvaluator.cs` — production Roslyn predicate evaluator
@@ -1,62 +1,86 @@
-# Service Hosting
+# Service Hosting (v2)

 ## Overview

-A production OtOpcUa deployment runs **two or three processes**, each
-with a distinct runtime and install surface:
+A production OtOpcUa deployment runs **one binary per node**, plus the optional Wonderware historian sidecar:

 | Process | Project | Runtime | Platform | Responsibility |
 |---|---|---|---|---|
-| **OtOpcUa Server** | `src/Server/ZB.MOM.WW.OtOpcUa.Server` | .NET 10 | x64 | Hosts the OPC UA endpoint; loads every driver in-process (Modbus, S7, AbCip, AbLegacy, TwinCAT, FOCAS, OPC UA Client, Galaxy via mxaccessgw); exposes `/healthz`. |
-| **OtOpcUa Admin** | `src/Server/ZB.MOM.WW.OtOpcUa.Admin` | .NET 10 (ASP.NET Core / Blazor Server) | x64 | Operator UI for Config DB editing + fleet status, SignalR hubs (`FleetStatusHub`, `AlertHub`), Prometheus `/metrics`. |
-| **OtOpcUa Wonderware Historian** *(optional)* | `src/Drivers/ZB.MOM.WW.OtOpcUa.Driver.Historian.Wonderware` | .NET Framework 4.8 | x86 (32-bit) | Out-of-process sidecar exposing the Wonderware Historian SDK over a named pipe. Required only when `Historian:Wonderware:Enabled=true` in `appsettings.json`. |
+| **OtOpcUa Host** | `src/Server/ZB.MOM.WW.OtOpcUa.Host` | .NET 10 | AnyCPU | Single fused binary. `OTOPCUA_ROLES` env decides what to mount: `admin` (Blazor + auth + control-plane singletons), `driver` (OPC UA endpoint + per-driver actors), or both. |
+| **OtOpcUa Wonderware Historian** *(optional)* | `src/Drivers/ZB.MOM.WW.OtOpcUa.Driver.Historian.Wonderware` | .NET Framework 4.8 | x86 (32-bit) | Out-of-process sidecar exposing the Wonderware Historian SDK over a named pipe. Required only when `Historian:Wonderware:Enabled=true`. |

-Galaxy access uses a separately-installed **mxaccessgw** running out
-of a sibling repo (`c:\Users\dohertj2\Desktop\mxaccessgw\`) — see
-`docs/v2/Galaxy.ParityRig.md` for setup. The mxaccessgw owns the
-MXAccess COM bitness constraint (its worker is x86 net48); nothing
-in the OtOpcUa repo carries that constraint anymore. PR 7.2 retired
-the legacy in-process `Galaxy.Host` / `Galaxy.Proxy` / `Galaxy.Shared`
-projects + the `OtOpcUaGalaxyHost` Windows service.
+Galaxy access still uses the separately-installed **mxaccessgw** sidecar (see `docs/v2/Galaxy.ParityRig.md`); the gateway owns the MXAccess COM bitness constraint (its worker is x86 net48). Nothing in the OtOpcUa repo carries that constraint anymore.

-## OtOpcUa Server
+> **v2 change.** v1's separate `OtOpcUa.Server` + `OtOpcUa.Admin` Windows services merged into a single role-gated `OtOpcUa.Host` binary. Two installers became one (with a `-Roles` parameter). The whole DI graph is composed in `OtOpcUa.Host/Program.cs`; per-role wiring is conditional on the env var.

-Hosted via `Microsoft.Extensions.Hosting` with `AddWindowsService`
-(decision #30 — replaced TopShelf in v2). The host's `Build()`
-returns immediately when launched interactively (e.g. `dotnet run`)
-but blocks for SCM signals when running as a Windows service.
+## Role gating

-In-process drivers are registered at startup in `Program.cs`'s
-`DriverFactoryRegistry` block; the `DriverInstance` rows in the
-central Config DB select which driver factories materialise into
-live `IDriver` instances. See `docs/v2/driver-specs.md` for the
-per-driver `DriverConfig` JSON shapes.
+`Program.cs` reads `OTOPCUA_ROLES`, parses it with `RoleParser`, and conditionally registers services:

-## OtOpcUa Admin
+| Role present | Wires |
+|---|---|
+| `admin` | `AddOtOpcUaAuth`, `AddAdminUI`, `AddSignalR`, `AddOtOpcUaAdminClients`, `MapOtOpcUaAuth`, `MapAdminUI<App>`, `MapOtOpcUaHubs`, `WithOtOpcUaControlPlaneSingletons` (5 admin singletons via `Akka.Hosting`) |
+| `driver` | `WithOtOpcUaRuntimeActors` (DriverHostActor + DbHealthProbeActor) — and the OPC UA endpoint on port 4840 |
+| Either / both | `AddOtOpcUaConfigDb`, `AddOtOpcUaCluster`, `AddOtOpcUaHealth` (`/health/ready`, `/health/active`, `/healthz`) |

-Same hosting model; runs the Blazor Server UI + SignalR hubs.
-Reads from the same Config DB the Server writes to.
+Single-node dev: `OTOPCUA_ROLES=admin,driver`. Production: typically two admin nodes (HA pair) + N driver nodes.
+
+### Per-role configuration overlays
+
+`Program.cs:33-35` builds a role suffix by joining the parsed roles **alphabetically** with `-` and loads `appsettings.{roleSuffix}.json` as an optional overlay on top of base `appsettings.json`. Three overlays ship in `src/Server/ZB.MOM.WW.OtOpcUa.Host/`:
+
+- `appsettings.admin.json` — admin-only nodes
+- `appsettings.driver.json` — driver-only nodes
+- `appsettings.admin-driver.json` — fused single-node dev / small deployments
+
+All three carry Serilog log-level overrides + `Security:Ldap:DevStubMode = false`. Loading order is **base `appsettings.json` → role overlay (`appsettings.{role}.json`) → environment overlay (`appsettings.{Environment}.json`)** — later layers win. Overlays are optional; the base file boots a node on its own.
+
+## Akka cluster
+
+The host joins an Akka.NET cluster bound to the address in `appsettings.json::Cluster`:
+
+```json
+{
+  "Cluster": {
+    "Hostname": "0.0.0.0",
+    "Port": 4053,
+    "PublicHostname": "node-a.lan",
+    "SeedNodes": ["akka.tcp://otopcua@node-a.lan:4053"],
+    "Roles": ["admin", "driver"]
+  }
+}
+```
+
+- `WithOtOpcUaClusterBootstrap` (in `OtOpcUa.Cluster`) loads the embedded HOCON (split-brain resolver, pinned dispatcher, failure detector tuning) and overlays remote endpoint + cluster options.
+- All cluster singletons + per-node actors live on this single ActorSystem — there is no second Akka instance.
+
+See [Redundancy.md](Redundancy.md) for the role-leader + ServiceLevel story.
+
+## Health endpoints
+
+Both admin and driver nodes expose:
+
+| Path | Status meaning |
+|---|---|
+| `/healthz` | Process alive. |
+| `/health/ready` | ConfigDb reachable + cluster member state is `Up`. |
+| `/health/active` | Admin-role leader (the node Traefik or an HA LB should route traffic to). |
+
+Used by Traefik for the active-leader-only routing pattern (see [Task 63 traefik docs](v2/Architecture-v2.md) — TODO).

 ## OtOpcUa Wonderware Historian (optional)

-When `Historian:Wonderware:Enabled=true`, the Server speaks to a
-sidecar that wraps the Wonderware Historian SDK (which is .NET
-Framework only). The pipe IPC contract is in
-`src/Drivers/ZB.MOM.WW.OtOpcUa.Driver.Historian.Wonderware.Client/Contracts/`
-and the sidecar's pipe handler lives at
-`src/Drivers/ZB.MOM.WW.OtOpcUa.Driver.Historian.Wonderware/Pipe/`.
-
-Install via the `-InstallWonderwareHistorian` switch on
-`scripts/install/Install-Services.ps1`.
+Unchanged from v1. Pipe IPC contract lives in `src/Drivers/ZB.MOM.WW.OtOpcUa.Driver.Historian.Wonderware.Client/Contracts/`; sidecar pipe handler in `src/Drivers/ZB.MOM.WW.OtOpcUa.Driver.Historian.Wonderware/Pipe/`. Install via `scripts/install/Install-Services.ps1 -InstallWonderwareHistorian`.

 ## Install / Uninstall

- `scripts/install/Install-Services.ps1` — installs `OtOpcUa` and
-  optionally `OtOpcUaWonderwareHistorian`.
- `scripts/install/Uninstall-Services.ps1` — stops + removes both,
-  plus `OtOpcUaGalaxyHost` if a pre-7.2 rig still carries it.
+- `scripts/install/Install-Services.ps1 -Roles admin,driver` — installs `OtOpcUaHost`. v2 rewrite tracked as plan Task 62.
+- `scripts/install/Uninstall-Services.ps1` — stops + removes the host service (and the historian sidecar if installed).

 ## Logging

-Serilog with rolling-daily file sinks. Each service writes to
-`%ProgramData%\OtOpcUa\<service>-*.log` plus stdout (NSSM-friendly).
+Serilog with rolling-daily file sinks. Each host writes to `logs/otopcua-*.log` plus stdout (NSSM/systemd-friendly). Per-environment log level overrides go in `appsettings.{Environment}.json`.
+
+## Depth reference
+
+For the full host-architecture rationale (why fused vs. split, role-gating tradeoffs, multi-node deployment shapes), see `docs/plans/2026-05-26-akka-hosting-alignment-design.md` §3-4.
@@ -107,13 +107,12 @@ Per [ADR-002](v2/implementation/adr-002-driver-vs-virtual-dispatch.md) Option B,

 `ITagUpstreamSource` and `IHistoryWriter` are the two ports the engine requires from its host. Both live in `Core.VirtualTags`. In the Server process:

- **`CachedTagUpstreamSource`** (`src/Server/ZB.MOM.WW.OtOpcUa.Server/Phase7/CachedTagUpstreamSource.cs`) implements the interface (and the parallel `Core.ScriptedAlarms.ITagUpstreamSource` — identical shape, distinct namespace). A `ConcurrentDictionary<path, DataValueSnapshot>` cache. `Push(path, snapshot)` updates the cache and fans out synchronously to every observer. Reads of never-pushed paths return `BadNodeIdUnknown` quality (`UpstreamNotConfigured = 0x80340000`).
- **`DriverSubscriptionBridge`** (`src/Server/ZB.MOM.WW.OtOpcUa.Server/Phase7/DriverSubscriptionBridge.cs`) feeds the cache. For each registered `ISubscribable` driver it batches a single `SubscribeAsync` for every fullRef the script graph references, installs an `OnDataChange` handler that translates driver-opaque fullRefs back to UNS paths via a reverse map, and pushes each delta into `CachedTagUpstreamSource`. Unsubscribes on dispose. The bridge suppresses `OTOPCUA0001` (the Roslyn analyzer that requires `ISubscribable` callers to go through `CapabilityInvoker`) on the documented basis that this is a lifecycle wiring, not per-evaluation hot path.
+- **Upstream-tag feed.** In v2 the upstream-tag feed is provided by the actor system. `DependencyMuxActor` (`src/Server/ZB.MOM.WW.OtOpcUa.Runtime/VirtualTags/DependencyMuxActor.cs`) multiplexes driver `ISubscribable` subscriptions for every fullRef the script graph references, translating driver-opaque fullRefs back to UNS paths via a reverse map. Deltas land on `VirtualTagActor` (`src/Server/ZB.MOM.WW.OtOpcUa.Runtime/VirtualTags/VirtualTagActor.cs`) as `DependencyValueChanged` messages; the actor's in-memory cache serves the engine's synchronous `GetTag` reads. Reads of never-pushed paths return `BadNodeIdUnknown` quality (`UpstreamNotConfigured = 0x80340000`).
 - **`IHistoryWriter`** — no production implementation is currently wired for virtual tags; `VirtualTagEngine` gets `NullHistoryWriter` by default from `Phase7EngineComposer`.

 ## Composition

-`Phase7Composer` (`src/Server/ZB.MOM.WW.OtOpcUa.Server/Phase7/Phase7Composer.cs`) is an `IAsyncDisposable` injected into `OpcUaServerService`:
+`Phase7Composer` (`src/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer/Phase7Composer.cs`) projects the published generation into a `Phase7Plan` that `Phase7Applier` applies to the running SDK node manager:

 1. `PrepareAsync(generationId, ct)` — called after the bootstrap generation loads and before `OpcUaApplicationHost.StartAsync`. Reads the `Script` / `VirtualTag` / `ScriptedAlarm` rows for that generation from the config DB (`OtOpcUaConfigDbContext`). Empty-config fast path returns `Phase7ComposedSources.Empty`.
 2. Constructs a `CachedTagUpstreamSource` + hands it to `Phase7EngineComposer.Compose`.
@@ -145,8 +144,9 @@ Definition reload on config publish: `VirtualTagEngine.Load` is re-entrant — a
 - `src/Core/ZB.MOM.WW.OtOpcUa.Core.VirtualTags/ITagUpstreamSource.cs` — driver-tag read + subscribe port
 - `src/Core/ZB.MOM.WW.OtOpcUa.Core.VirtualTags/IHistoryWriter.cs` — historize sink port + `NullHistoryWriter`
 - `src/Core/ZB.MOM.WW.OtOpcUa.Core.VirtualTags/VirtualTagSource.cs` — `IReadable` + `ISubscribable` adapter
- `src/Server/ZB.MOM.WW.OtOpcUa.Server/Phase7/CachedTagUpstreamSource.cs` — production `ITagUpstreamSource`
- `src/Server/ZB.MOM.WW.OtOpcUa.Server/Phase7/DriverSubscriptionBridge.cs` — driver `ISubscribable` → cache feed
- `src/Server/ZB.MOM.WW.OtOpcUa.Server/Phase7/Phase7EngineComposer.cs` — row projection + engine instantiation
- `src/Server/ZB.MOM.WW.OtOpcUa.Server/Phase7/Phase7Composer.cs` — lifecycle host: load rows, compose, wire bridge
- `src/Server/ZB.MOM.WW.OtOpcUa.Server/OpcUa/DriverNodeManager.cs` — `SelectReadable` + `IsWriteAllowedBySource` dispatch kernel
+- `src/Server/ZB.MOM.WW.OtOpcUa.Runtime/VirtualTags/VirtualTagActor.cs` — actor wrapper that owns per-instance state and the synchronous read cache
+- `src/Server/ZB.MOM.WW.OtOpcUa.Runtime/VirtualTags/DependencyMuxActor.cs` — driver `ISubscribable` → actor feed (replaces the v1 `DriverSubscriptionBridge`)
+- `src/Server/ZB.MOM.WW.OtOpcUa.Host/Engines/RoslynVirtualTagEvaluator.cs` — production Roslyn evaluator wired into the actor
+- `src/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer/Phase7Composer.cs` — row projection + engine instantiation (`Phase7Plan` composer)
+- `src/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer/Phase7Applier.cs` — applies the composed plan into the SDK node manager
+- `src/Core/ZB.MOM.WW.OtOpcUa.Core/OpcUa/GenericDriverNodeManager.cs` — driver-vs-virtual dispatch kernel
@@ -136,9 +136,10 @@ ConditionType events (non-base `BaseEventType`) is not verified.
 ## Follow-up candidates

 The easiest win here is to **wire the client driver tests against this
-repo's own server**. The integration test project
-`tests/Server/ZB.MOM.WW.OtOpcUa.Server.Tests/OpcUaServerIntegrationTests.cs`
-already stands up a real OPC UA server on a non-default port with a seeded
+repo's own server**. The v2 integration test project
+`tests/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer.IntegrationTests/DualEndpointTests.cs`
+(the v2 replacement for the retired v1 `OpcUaServerIntegrationTests`) already
+stands up a real OPC UA server on a non-default port with a seeded
 FakeDriver. An `OpcUaClientLiveLoopbackTests` that connects the client
 driver to that server would give:

@@ -165,6 +166,6 @@ Beyond that:
  mocked `Session`
 - `src/Drivers/ZB.MOM.WW.OtOpcUa.Driver.OpcUaClient/OpcUaClientDriver.cs` — ctor +
  session-factory seam tests mock through
- `tests/Server/ZB.MOM.WW.OtOpcUa.Server.Tests/OpcUaServerIntegrationTests.cs` —
-  the server-side integration harness a future loopback client test could
-  piggyback on
+- `tests/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer.IntegrationTests/DualEndpointTests.cs` —
+  the v2 dual-endpoint integration harness a future loopback client test could
+  piggyback on (v1 `OpcUaServerIntegrationTests.cs` retired with the v1 server project)
@@ -0,0 +1,716 @@
+# Akka Hosting Alignment — Gap Closeout Implementation Plan
+
+> **For Claude:** REQUIRED SUB-SKILL: Use `superpowers-extended-cc:executing-plans` to implement this plan task-by-task.
+
+**Goal:** Close the four real/cosmetic gaps identified by the audit of `docs/plans/2026-05-26-akka-hosting-alignment-plan.md` so the v2 implementation matches the plan's literal contract (per-role appsettings overlays, explicit dual-endpoint visibility test, plan-prescribed filenames, removal of empty legacy directories).
+
+**Architecture:** Additive only. No production-runtime semantics change. One small extension to `OpcUaApplicationHost` so the OPC UA server can advertise peer URIs in `Server.ServerArray` — gated on a new option, defaults to old behavior. Everything else is JSON, test code, file moves, and `rm -rf` of stale bin/obj trees.
+
+**Tech Stack:** .NET 10, OPCFoundation .NET Standard SDK (`Opc.Ua.*`), xunit.v3, Shouldly, EF Core 10 (inherited; no schema changes).
+
+**Source plan:** `docs/plans/2026-05-26-akka-hosting-alignment-plan.md`. The audit findings closed by this plan map to Tasks 54, 59, 60, and the post-Task-56 cosmetic cleanup. **Read the source plan's "Conventions for every task" block — those rules still apply here.**
+
+**Branch:** `v2-gap-closeout` off `master`.
+
+---
+
+## Conventions for every task
+
+- **Branch:** Stay on `v2-gap-closeout`. Never commit to `master` while plan is running.
+- **Build command:** `dotnet build ZB.MOM.WW.OtOpcUa.slnx` — must be green before commit.
+- **Test command:** `dotnet test ZB.MOM.WW.OtOpcUa.slnx --no-build` — relevant new/changed tests must pass.
+- **Commit format:** Conventional Commits matching the source plan — `feat(host):`, `test(opcua):`, `chore(cleanup):`, `refactor(test):`, etc.
+- **Mac compatibility:** All code must build on macOS. The new dual-endpoint test boots two real OPC UA servers on loopback — works on macOS (no Windows-only APIs needed; PKI is created under a per-test temp dir).
+
+---
+
+## Task 0: Add three role-overlay appsettings files (Task 54 gap)
+
+**Classification:** small
+**Estimated implement time:** ~3 min
+**Parallelizable with:** Task 1, Task 5, Task 6
+
+**Files:**
+- Create: `/Users/dohertj2/Desktop/OtOpcUa/src/Server/ZB.MOM.WW.OtOpcUa.Host/appsettings.admin.json`
+- Create: `/Users/dohertj2/Desktop/OtOpcUa/src/Server/ZB.MOM.WW.OtOpcUa.Host/appsettings.driver.json`
+- Create: `/Users/dohertj2/Desktop/OtOpcUa/src/Server/ZB.MOM.WW.OtOpcUa.Host/appsettings.admin-driver.json`
+
+**Background:**
+`Program.cs` line 33-35 loads `appsettings.{role-suffix}.json` where the suffix is the roles joined alphabetically with `'-'`. Today the loader passes `optional: true`, so the host boots without these files — but the source plan (Task 54) called them out as required scaffolding so operators have per-role tunable defaults.
+
+Suffix matrix:
+| `OTOPCUA_ROLES` env | Loaded file |
+|---|---|
+| `admin` | `appsettings.admin.json` |
+| `driver` | `appsettings.driver.json` |
+| `admin,driver` (any order) | `appsettings.admin-driver.json` (joined alphabetical) |
+
+**Step 1: Create `appsettings.admin.json`**
+
+Admin-only nodes don't bind drivers; tighten Serilog and disable the LDAP dev stub by default.
+
+```json
+{
+  "Serilog": {
+    "MinimumLevel": {
+      "Default": "Information",
+      "Override": {
+        "Microsoft.AspNetCore": "Warning",
+        "Akka": "Information"
+      }
+    }
+  },
+  "Security": {
+    "Ldap": {
+      "DevStubMode": false
+    }
+  }
+}
+```
+
+**Step 2: Create `appsettings.driver.json`**
+
+Driver-only nodes have no Admin UI; raise OPC UA verbosity slightly so per-node diagnostics flow to logs.
+
+```json
+{
+  "Serilog": {
+    "MinimumLevel": {
+      "Default": "Information",
+      "Override": {
+        "Opc.Ua": "Debug",
+        "Akka": "Information"
+      }
+    }
+  },
+  "Security": {
+    "Ldap": {
+      "DevStubMode": false
+    }
+  }
+}
+```
+
+**Step 3: Create `appsettings.admin-driver.json`**
+
+Combined-role nodes (the docker-dev compose default + the integration test harness) — turn on both surfaces with shared defaults.
+
+```json
+{
+  "Serilog": {
+    "MinimumLevel": {
+      "Default": "Information",
+      "Override": {
+        "Microsoft.AspNetCore": "Warning",
+        "Opc.Ua": "Information",
+        "Akka": "Information"
+      }
+    }
+  },
+  "Security": {
+    "Ldap": {
+      "DevStubMode": false
+    }
+  }
+}
+```
+
+**Step 4: Build green check**
+
+Run: `dotnet build ZB.MOM.WW.OtOpcUa.slnx`
+Expected: succeeds. (JSON files do not break the build; this is a smoke check that nothing else regressed.)
+
+**Step 5: Commit**
+
+```bash
+git add src/Server/ZB.MOM.WW.OtOpcUa.Host/appsettings.admin.json \
+        src/Server/ZB.MOM.WW.OtOpcUa.Host/appsettings.driver.json \
+        src/Server/ZB.MOM.WW.OtOpcUa.Host/appsettings.admin-driver.json
+git commit -m "feat(host): add per-role appsettings overlays for admin/driver/admin-driver"
+```
+
+---
+
+## Task 1: Extend `OpcUaApplicationHost` with `PeerApplicationUris` + populate `Server.ServerArray`
+
+**Classification:** standard
+**Estimated implement time:** ~5 min
+**Parallelizable with:** Task 0, Task 5, Task 6
+
+**Files:**
+- Modify: `/Users/dohertj2/Desktop/OtOpcUa/src/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer/OpcUaApplicationHost.cs` (add option + post-start population)
+- Test: `/Users/dohertj2/Desktop/OtOpcUa/tests/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer.Tests/OpcUaApplicationHostServerArrayTests.cs`
+
+**Background:**
+The source plan's Task 60 promised a test where "real OPCFoundation client → both endpoints visible in ServerUriArray". That requires production code to populate the peer URIs onto each server's `Server.ServerArray` (NodeId i=2254) property. No such code exists in v2 today — this task adds it as an opt-in option so existing single-node tests keep their current behavior. Task 3 then writes the integration test that drives it across two servers.
+
+**Step 1: Write the failing unit test**
+
+Create `tests/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer.Tests/OpcUaApplicationHostServerArrayTests.cs`:
+
+```csharp
+using System.IO;
+using System.Net.Sockets;
+using System.Net;
+using Microsoft.Extensions.Logging.Abstractions;
+using Opc.Ua;
+using Opc.Ua.Server;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.OpcUaServer;
+
+namespace ZB.MOM.WW.OtOpcUa.OpcUaServer.Tests;
+
+/// <summary>
+/// Audit gap closeout — verifies <see cref="OpcUaApplicationHostOptions.PeerApplicationUris"/>
+/// is reflected in <c>Server.ServerArray</c> after start. Single-server in-process check; the
+/// cross-server visibility check lives in <c>OtOpcUa.OpcUaServer.IntegrationTests</c>.
+/// </summary>
+public sealed class OpcUaApplicationHostServerArrayTests
+{
+    [Fact]
+    public async Task ServerArray_contains_local_uri_and_configured_peers_after_start()
+    {
+        var pkiRoot = Path.Combine(Path.GetTempPath(), $"otopcua-pki-{Guid.NewGuid():N}");
+        try
+        {
+            var options = new OpcUaApplicationHostOptions
+            {
+                ApplicationName = "OtOpcUa.UnitTest",
+                ApplicationUri = "urn:OtOpcUa.UnitTest.NodeA",
+                OpcUaPort = AllocateFreePort(),
+                PublicHostname = "127.0.0.1",
+                PkiStoreRoot = pkiRoot,
+                PeerApplicationUris = new[] { "urn:OtOpcUa.UnitTest.NodeB" },
+            };
+
+            var server = new StandardServer();
+            await using var host = new OpcUaApplicationHost(options, NullLogger<OpcUaApplicationHost>.Instance);
+            await host.StartAsync(server, CancellationToken.None);
+
+            var serverArray = server.CurrentInstance.ServerObject.ServerArray.Value;
+            serverArray.ShouldNotBeNull();
+            serverArray.ShouldContain("urn:OtOpcUa.UnitTest.NodeA");
+            serverArray.ShouldContain("urn:OtOpcUa.UnitTest.NodeB");
+        }
+        finally
+        {
+            if (Directory.Exists(pkiRoot)) Directory.Delete(pkiRoot, recursive: true);
+        }
+    }
+
+    private static int AllocateFreePort()
+    {
+        var listener = new TcpListener(IPAddress.Loopback, 0);
+        listener.Start();
+        var port = ((IPEndPoint)listener.LocalEndpoint).Port;
+        listener.Stop();
+        return port;
+    }
+}
+```
+
+**Step 2: Run the test — confirm it fails**
+
+Run: `dotnet test tests/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer.Tests --filter "FullyQualifiedName~OpcUaApplicationHostServerArrayTests"`
+Expected: FAIL with `PeerApplicationUris` not found (compile error) — the option doesn't exist yet.
+
+**Step 3: Add the option**
+
+Edit `src/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer/OpcUaApplicationHost.cs`. Add to `OpcUaApplicationHostOptions` (after `AutoAcceptUntrustedClientCertificates`, around line 65):
+
+```csharp
+/// <summary>
+/// Peer server URIs published in <c>Server.ServerArray</c> after start, in addition to
+/// the local <see cref="ApplicationUri"/>. Empty by default — set this on warm-redundancy
+/// deployments so OPC UA clients can discover the partner endpoint via the standard
+/// Server.ServerArray property (NodeId i=2254). Order does not matter; the local URI
+/// is always element 0.
+/// </summary>
+public IList<string> PeerApplicationUris { get; set; } = new List<string>();
+```
+
+**Step 4: Populate `Server.ServerArray` after start**
+
+Edit `OpcUaApplicationHost.StartAsync` (around line 100-118). After the `_application.Start(server)` call and before the log line, insert:
+
+```csharp
+PopulateServerArray();
+```
+
+Then add the private method below `AttachUserAuthenticator`:
+
+```csharp
+/// <summary>
+/// Writes the union of <see cref="OpcUaApplicationHostOptions.ApplicationUri"/> and
+/// <see cref="OpcUaApplicationHostOptions.PeerApplicationUris"/> to the OPC UA standard
+/// <c>Server.ServerArray</c> property (NodeId i=2254). Clients in a warm-redundancy
+/// deployment discover the partner endpoint by reading this property.
+/// </summary>
+private void PopulateServerArray()
+{
+    var serverObject = _server?.CurrentInstance?.ServerObject;
+    if (serverObject is null) return;
+
+    var uris = new List<string> { _options.ApplicationUri };
+    foreach (var peer in _options.PeerApplicationUris)
+    {
+        if (!string.IsNullOrWhiteSpace(peer) && !uris.Contains(peer))
+            uris.Add(peer);
+    }
+    serverObject.ServerArray.Value = uris.ToArray();
+}
+```
+
+**Step 5: Run the test — confirm it passes**
+
+Run: `dotnet test tests/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer.Tests --filter "FullyQualifiedName~OpcUaApplicationHostServerArrayTests"`
+Expected: PASS. If `ServerObject.ServerArray.Value` is read-only (some SDK versions guard it), fall back to writing through `ServerArrayNode.Value` via the address-space accessor — but try the direct write first; the SDK exposes it as a settable BaseDataVariableState on `ServerObjectState`.
+
+**Step 6: Run full OpcUaServer.Tests suite to confirm no regression**
+
+Run: `dotnet test tests/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer.Tests`
+Expected: all tests pass — `PopulateServerArray` is additive when `PeerApplicationUris` is empty (default), so existing tests don't change behavior.
+
+**Step 7: Commit**
+
+```bash
+git add src/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer/OpcUaApplicationHost.cs \
+        tests/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer.Tests/OpcUaApplicationHostServerArrayTests.cs
+git commit -m "feat(opcua): OpcUaApplicationHost publishes peer URIs in Server.ServerArray"
+```
+
+---
+
+## Task 2: Create `OtOpcUa.OpcUaServer.IntegrationTests` project
+
+**Classification:** small
+**Estimated implement time:** ~4 min
+**Parallelizable with:** Task 5, Task 6 (file moves elsewhere)
+**Depends on:** none (csproj is self-contained)
+
+**Files:**
+- Create: `/Users/dohertj2/Desktop/OtOpcUa/tests/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer.IntegrationTests/ZB.MOM.WW.OtOpcUa.OpcUaServer.IntegrationTests.csproj`
+- Modify: `/Users/dohertj2/Desktop/OtOpcUa/ZB.MOM.WW.OtOpcUa.slnx` (add the project)
+
+**Background:**
+The source plan's Task 60 named this exact project. Audit found ServiceLevel coverage relocated to other test projects but no `OpcUaServer.IntegrationTests` project exists. Creating the project skeleton in its own task keeps Task 3's commit focused on the test code.
+
+**Step 1: Create the csproj**
+
+Mirror the conventions in `tests/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer.Tests/ZB.MOM.WW.OtOpcUa.OpcUaServer.Tests.csproj`. The integration project needs the `Opc.Ua.Client` package (vs. only `Opc.Ua.Server` in the unit tests) — confirm the version against the existing client CLI's csproj: `src/Client/ZB.MOM.WW.OtOpcUa.Client.CLI/ZB.MOM.WW.OtOpcUa.Client.CLI.csproj`.
+
+```xml
+<Project Sdk="Microsoft.NET.Sdk">
+
+    <PropertyGroup>
+        <IsPackable>false</IsPackable>
+        <IsTestProject>true</IsTestProject>
+        <RootNamespace>ZB.MOM.WW.OtOpcUa.OpcUaServer.IntegrationTests</RootNamespace>
+        <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
+    </PropertyGroup>
+
+    <ItemGroup>
+        <PackageReference Include="xunit.v3"/>
+        <PackageReference Include="Shouldly"/>
+        <PackageReference Include="Microsoft.NET.Test.Sdk"/>
+        <PackageReference Include="OPCFoundation.NetStandard.Opc.Ua.Client"/>
+        <PackageReference Include="OPCFoundation.NetStandard.Opc.Ua.Configuration"/>
+        <PackageReference Include="Microsoft.Extensions.Logging.Abstractions"/>
+        <PackageReference Include="xunit.runner.visualstudio">
+            <PrivateAssets>all</PrivateAssets>
+            <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+        </PackageReference>
+    </ItemGroup>
+
+    <ItemGroup>
+        <ProjectReference Include="..\..\..\src\Server\ZB.MOM.WW.OtOpcUa.OpcUaServer\ZB.MOM.WW.OtOpcUa.OpcUaServer.csproj"/>
+    </ItemGroup>
+
+</Project>
+```
+
+If `OPCFoundation.NetStandard.Opc.Ua.Client` isn't in `Directory.Packages.props`, add it there (mirror the existing `OPCFoundation.NetStandard.Opc.Ua.Server` version exactly).
+
+**Step 2: Add project to the solution**
+
+Run: `dotnet sln ZB.MOM.WW.OtOpcUa.slnx add tests/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer.IntegrationTests/ZB.MOM.WW.OtOpcUa.OpcUaServer.IntegrationTests.csproj`
+Expected: "Project added to the solution."
+
+**Step 3: Build green check**
+
+Run: `dotnet build ZB.MOM.WW.OtOpcUa.slnx`
+Expected: builds. (Empty project, so no test discovery yet — `dotnet test` would say "no tests".)
+
+**Step 4: Commit**
+
+```bash
+git add tests/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer.IntegrationTests/ \
+        ZB.MOM.WW.OtOpcUa.slnx \
+        Directory.Packages.props  # only if the Opc.Ua.Client version was added there
+git commit -m "test(opcua): scaffold OtOpcUa.OpcUaServer.IntegrationTests project"
+```
+
+---
+
+## Task 3: `DualEndpointTests` — real OPC UA client reads both URIs from `Server.ServerArray`
+
+**Classification:** standard
+**Estimated implement time:** ~5 min
+**Parallelizable with:** Task 5, Task 6
+**Depends on:** Task 1 (PeerApplicationUris wiring), Task 2 (IT project exists)
+
+**Files:**
+- Create: `/Users/dohertj2/Desktop/OtOpcUa/tests/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer.IntegrationTests/DualEndpointTests.cs`
+
+**Background:**
+This is the explicit Task 60 deliverable: a real OPC UA client connects to one server and confirms it can discover the partner via `Server.ServerArray`. Single-server unit-side coverage exists in Task 1; this test exercises the wire path with both servers up.
+
+**Step 1: Write the test**
+
+```csharp
+using System.Net;
+using System.Net.Sockets;
+using Microsoft.Extensions.Logging.Abstractions;
+using Opc.Ua;
+using Opc.Ua.Client;
+using Opc.Ua.Configuration;
+using Opc.Ua.Server;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.OpcUaServer;
+
+namespace ZB.MOM.WW.OtOpcUa.OpcUaServer.IntegrationTests;
+
+/// <summary>
+/// Source plan Task 60 — closes the audit gap. Boots two real <see cref="StandardServer"/>
+/// instances on loopback, each configured with the other's <c>ApplicationUri</c> in
+/// <see cref="OpcUaApplicationHostOptions.PeerApplicationUris"/>. A real OPC UA client connects
+/// to Node A, reads <c>Server.ServerArray</c>, and asserts both URIs are visible — the
+/// warm-redundancy discovery contract clients depend on.
+/// </summary>
+public sealed class DualEndpointTests
+{
+    private const string NodeAUri = "urn:OtOpcUa.DualEndpoint.NodeA";
+    private const string NodeBUri = "urn:OtOpcUa.DualEndpoint.NodeB";
+
+    [Fact]
+    public async Task Client_reads_both_ApplicationUris_from_NodeA_ServerArray()
+    {
+        var pkiRootA = Path.Combine(Path.GetTempPath(), $"otopcua-pki-a-{Guid.NewGuid():N}");
+        var pkiRootB = Path.Combine(Path.GetTempPath(), $"otopcua-pki-b-{Guid.NewGuid():N}");
+        var portA = AllocateFreePort();
+        var portB = AllocateFreePort();
+
+        try
+        {
+            await using var nodeA = await StartNodeAsync(NodeAUri, portA, pkiRootA, peers: new[] { NodeBUri });
+            await using var nodeB = await StartNodeAsync(NodeBUri, portB, pkiRootB, peers: new[] { NodeAUri });
+
+            var serverArray = await ReadServerArrayAsync($"opc.tcp://127.0.0.1:{portA}/OtOpcUa");
+            serverArray.ShouldContain(NodeAUri);
+            serverArray.ShouldContain(NodeBUri);
+        }
+        finally
+        {
+            if (Directory.Exists(pkiRootA)) Directory.Delete(pkiRootA, recursive: true);
+            if (Directory.Exists(pkiRootB)) Directory.Delete(pkiRootB, recursive: true);
+        }
+    }
+
+    private static async Task<OpcUaApplicationHost> StartNodeAsync(
+        string applicationUri, int port, string pkiRoot, string[] peers)
+    {
+        var options = new OpcUaApplicationHostOptions
+        {
+            ApplicationName = applicationUri,           // unique per node — SDK uses it for cert CN
+            ApplicationUri = applicationUri,
+            OpcUaPort = port,
+            PublicHostname = "127.0.0.1",
+            PkiStoreRoot = pkiRoot,
+            EnabledSecurityProfiles = new List<OpcUaSecurityProfile> { OpcUaSecurityProfile.None },
+            AutoAcceptUntrustedClientCertificates = true,
+            PeerApplicationUris = peers,
+        };
+        var server = new StandardServer();
+        var host = new OpcUaApplicationHost(options, NullLogger<OpcUaApplicationHost>.Instance);
+        await host.StartAsync(server, CancellationToken.None);
+        return host;
+    }
+
+    private static async Task<string[]> ReadServerArrayAsync(string endpointUrl)
+    {
+        var appConfig = new ApplicationConfiguration
+        {
+            ApplicationName = "OtOpcUa.DualEndpointClient",
+            ApplicationUri = $"urn:OtOpcUa.DualEndpointClient.{Guid.NewGuid():N}",
+            ApplicationType = ApplicationType.Client,
+            SecurityConfiguration = new SecurityConfiguration
+            {
+                ApplicationCertificate = new CertificateIdentifier(),
+                AutoAcceptUntrustedCertificates = true,
+            },
+            ClientConfiguration = new ClientConfiguration { DefaultSessionTimeout = 60_000 },
+            CertificateValidator = new CertificateValidator(),
+        };
+        await appConfig.Validate(ApplicationType.Client);
+        appConfig.CertificateValidator.CertificateValidation += (_, e) => e.Accept = true;
+
+        var endpoint = CoreClientUtils.SelectEndpoint(appConfig, endpointUrl, useSecurity: false);
+        var endpointConfiguration = EndpointConfiguration.Create(appConfig);
+        var configuredEndpoint = new ConfiguredEndpoint(null, endpoint, endpointConfiguration);
+
+        using var session = await Session.Create(
+            appConfig, configuredEndpoint, updateBeforeConnect: false,
+            sessionName: "DualEndpointTests", sessionTimeout: 60_000,
+            identity: new UserIdentity(new AnonymousIdentityToken()),
+            preferredLocales: null);
+
+        var value = session.ReadValue(VariableIds.Server_ServerArray);
+        return (string[])value.Value;
+    }
+
+    private static int AllocateFreePort()
+    {
+        var listener = new TcpListener(IPAddress.Loopback, 0);
+        listener.Start();
+        var port = ((IPEndPoint)listener.LocalEndpoint).Port;
+        listener.Stop();
+        return port;
+    }
+}
+```
+
+**Step 2: Run the test**
+
+Run: `dotnet test tests/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer.IntegrationTests`
+Expected: PASS. Wall-time ~3-5 s (two cert-creation cycles + session handshake).
+
+If the test hangs on the session handshake on first run, it's the SDK reading the trusted-cert store — bumping `AutoAcceptUntrustedClientCertificates = true` on both server hosts (already set above) should resolve it. If `CoreClientUtils.SelectEndpoint` throws because the SDK version uses a different overload, fall back to constructing the `EndpointDescription` directly with `EndpointUrl = endpointUrl, SecurityMode = MessageSecurityMode.None, SecurityPolicyUri = SecurityPolicies.None` and skipping `SelectEndpoint`.
+
+**Step 3: Commit**
+
+```bash
+git add tests/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer.IntegrationTests/DualEndpointTests.cs
+git commit -m "test(opcua): DualEndpointTests — real client reads peer URIs from Server.ServerArray"
+```
+
+---
+
+## Task 4: Wire `OtOpcUa.OpcUaServer.IntegrationTests` into v2-ci.yml
+
+**Classification:** small
+**Estimated implement time:** ~3 min
+**Parallelizable with:** Task 5, Task 6
+**Depends on:** Task 3 (project must exist + have a real test before CI runs it)
+
+**Files:**
+- Modify: `/Users/dohertj2/Desktop/OtOpcUa/.github/workflows/v2-ci.yml`
+
+**Step 1: Add the project to the `integration` job**
+
+Either extend the existing `integration` job to run a second `dotnet test` step, or convert it to a matrix. Prefer a matrix for symmetry with `unit-tests`:
+
+Open `.github/workflows/v2-ci.yml`, locate the `integration:` job. Replace it with:
+
+```yaml
+  integration:
+    needs: build
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        project:
+          - tests/Server/ZB.MOM.WW.OtOpcUa.Host.IntegrationTests
+          - tests/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer.IntegrationTests
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: 10.0.x
+      - name: dotnet test ${{ matrix.project }}
+        run: dotnet test ${{ matrix.project }} --configuration Release --filter "Category!=E2E"
+```
+
+**Step 2: Build green check**
+
+Run: `dotnet test tests/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer.IntegrationTests --configuration Release --filter "Category!=E2E"`
+Expected: matches the exact CI command — passes locally so CI will pass too.
+
+**Step 3: Commit**
+
+```bash
+git add .github/workflows/v2-ci.yml
+git commit -m "ci(v2): include OpcUaServer.IntegrationTests in integration matrix"
+```
+
+---
+
+## Task 5: Rename `FailoverScenarioTests` → `FailoverDuringDeployTests` (Task 59 cosmetic)
+
+**Classification:** trivial
+**Estimated implement time:** ~2 min
+**Parallelizable with:** Task 0, Task 1, Task 2, Task 6 (different files)
+
+**Files:**
+- Rename: `tests/Server/ZB.MOM.WW.OtOpcUa.Host.IntegrationTests/FailoverScenarioTests.cs` → `FailoverDuringDeployTests.cs`
+- Modify: class name + namespace-internal references
+
+**Step 1: Rename the file and the class**
+
+```bash
+git mv tests/Server/ZB.MOM.WW.OtOpcUa.Host.IntegrationTests/FailoverScenarioTests.cs \
+       tests/Server/ZB.MOM.WW.OtOpcUa.Host.IntegrationTests/FailoverDuringDeployTests.cs
+```
+
+Then edit `FailoverDuringDeployTests.cs` and replace the single class declaration `public sealed class FailoverScenarioTests` with `public sealed class FailoverDuringDeployTests`. Use Edit, not sed — the file only declares this class once (`grep -c "FailoverScenario" .` ≤ 2).
+
+**Step 2: Sweep for any stale references**
+
+Run: `grep -rln "FailoverScenarioTests" .`
+Expected: zero matches after Step 1. If anything appears (e.g., a CI filter, a doc), fix the reference.
+
+**Step 3: Build + run test**
+
+Run: `dotnet test tests/Server/ZB.MOM.WW.OtOpcUa.Host.IntegrationTests --filter "FullyQualifiedName~FailoverDuringDeployTests"`
+Expected: same tests pass that previously passed under the old name.
+
+**Step 4: Commit**
+
+```bash
+git add tests/Server/ZB.MOM.WW.OtOpcUa.Host.IntegrationTests/FailoverDuringDeployTests.cs
+git commit -m "refactor(test): rename FailoverScenarioTests → FailoverDuringDeployTests for plan parity"
+```
+
+---
+
+## Task 6: Delete empty bin/obj-only legacy directories
+
+**Classification:** trivial
+**Estimated implement time:** ~2 min
+**Parallelizable with:** Task 0, Task 1, Task 2, Task 5
+
+**Files:**
+- Delete: `src/Server/ZB.MOM.WW.OtOpcUa.Server/`
+- Delete: `src/Server/ZB.MOM.WW.OtOpcUa.Admin/`
+- Delete: `tests/Server/ZB.MOM.WW.OtOpcUa.Server.Tests/`
+- Delete: `tests/Server/ZB.MOM.WW.OtOpcUa.Admin.Tests/`
+- Delete: `tests/Server/ZB.MOM.WW.OtOpcUa.Admin.E2ETests/`
+
+**Background:**
+Source plan Task 56 deleted the projects from `ZB.MOM.WW.OtOpcUa.slnx` (confirmed by the audit) but left `bin/`+`obj/` shells on disk. These confuse new contributors and skew directory listings. None of them are referenced anywhere.
+
+**Step 1: Sanity-check that each directory is bin/obj-only**
+
+```bash
+for dir in \
+  src/Server/ZB.MOM.WW.OtOpcUa.Server \
+  src/Server/ZB.MOM.WW.OtOpcUa.Admin \
+  tests/Server/ZB.MOM.WW.OtOpcUa.Server.Tests \
+  tests/Server/ZB.MOM.WW.OtOpcUa.Admin.Tests \
+  tests/Server/ZB.MOM.WW.OtOpcUa.Admin.E2ETests; do
+  echo "--- $dir ---"
+  find "$dir" -maxdepth 2 -type f | grep -v "/bin/\|/obj/"
+done
+```
+
+Expected: every section is empty (no source files leak out). If any source file shows, STOP and surface it — don't delete blindly.
+
+**Step 2: Verify slnx doesn't reference them**
+
+Run: `grep -nE 'ZB\.MOM\.WW\.OtOpcUa\.(Server|Admin)(/|\.Tests|\.E2ETests)' ZB.MOM.WW.OtOpcUa.slnx`
+Expected: zero matches.
+
+**Step 3: Delete the directories**
+
+```bash
+rm -rf src/Server/ZB.MOM.WW.OtOpcUa.Server \
+       src/Server/ZB.MOM.WW.OtOpcUa.Admin \
+       tests/Server/ZB.MOM.WW.OtOpcUa.Server.Tests \
+       tests/Server/ZB.MOM.WW.OtOpcUa.Admin.Tests \
+       tests/Server/ZB.MOM.WW.OtOpcUa.Admin.E2ETests
+```
+
+**Step 4: Build green check**
+
+Run: `dotnet build ZB.MOM.WW.OtOpcUa.slnx`
+Expected: succeeds (these directories were already out of the solution).
+
+**Step 5: Commit**
+
+```bash
+git add -A
+git commit -m "chore(cleanup): remove stale bin/obj shells for deleted v1 Server/Admin projects"
+```
+
+---
+
+## Task 7: Final build + test green check
+
+**Classification:** trivial
+**Estimated implement time:** ~3 min
+**Parallelizable with:** none (verification, depends on all prior tasks)
+
+**Step 1: Restore + build**
+
+Run: `dotnet build ZB.MOM.WW.OtOpcUa.slnx`
+Expected: 0 errors, 0 warnings (TreatWarningsAsErrors is on across the solution).
+
+**Step 2: Run the full test suite**
+
+Run: `dotnet test ZB.MOM.WW.OtOpcUa.slnx --no-build`
+Expected: all tests green. Specifically confirm:
+- `OpcUaApplicationHostServerArrayTests` (Task 1) — pass
+- `DualEndpointTests` (Task 3) — pass
+- `FailoverDuringDeployTests` (Task 5) — same count of tests pass as before the rename
+
+**Step 3: Smoke check the audit assertions**
+
+Run:
+```bash
+ls src/Server/ZB.MOM.WW.OtOpcUa.Host/appsettings.*.json
+find tests/Server -iname "DualEndpointTests.cs" -o -iname "FailoverDuringDeployTests.cs"
+ls -la src/Server/ZB.MOM.WW.OtOpcUa.{Server,Admin} 2>/dev/null
+```
+
+Expected:
+- 4 appsettings files: `.json`, `.Development.json`, `.admin.json`, `.admin-driver.json`, `.driver.json`
+- Both renamed/new test files exist
+- The two `ls -la` calls return errors (directories gone)
+
+**Step 4: No commit unless cleanup turned up**
+
+If anything failed in Steps 1-3, fix it as a follow-up task — do not paper over with a `--no-verify` commit.
+
+---
+
+## Final verification
+
+After Task 7:
+
+1. `dotnet build ZB.MOM.WW.OtOpcUa.slnx` — green
+2. `dotnet test ZB.MOM.WW.OtOpcUa.slnx --no-build` — green (incl. 2 new tests)
+3. `git log --oneline master..HEAD` — exactly 6 commits, Conventional-Commits style
+4. Open PR `v2-gap-closeout` → `master` titled "v2: close audit gaps — appsettings overlays, DualEndpointTests, cleanup"
+
+---
+
+## Task index
+
+| # | Title | Class | Time | Parallel with |
+|---|---|---|---|---|
+| 0 | Per-role appsettings overlays | small | 3m | 1, 5, 6 |
+| 1 | OpcUaApplicationHost.PeerApplicationUris + ServerArray | standard | 5m | 0, 5, 6 |
+| 2 | OpcUaServer.IntegrationTests project skeleton | small | 4m | 5, 6 |
+| 3 | DualEndpointTests | standard | 5m | 5, 6 |
+| 4 | CI matrix entry for new IT project | small | 3m | 5, 6 |
+| 5 | Rename FailoverScenarioTests → FailoverDuringDeployTests | trivial | 2m | 0, 1, 2, 6 |
+| 6 | Delete stale bin/obj-only directories | trivial | 2m | 0, 1, 2, 5 |
+| 7 | Final build + test green check | trivial | 3m | none |
+
+**Total estimated subagent time:** ~27 min.
+
+**Dependency graph (non-parallel pairs):**
+- Task 3 depends on Task 1 (option must exist) and Task 2 (project must exist)
+- Task 4 depends on Task 3 (CI runs the project's tests)
+- Task 7 depends on all prior tasks
@@ -0,0 +1,17 @@
+{
+  "planPath": "docs/plans/2026-05-26-akka-hosting-alignment-gaps-closeout.md",
+  "tasks": [
+    {"id": 1, "subject": "Task 0: Per-role appsettings overlays", "status": "completed", "commit": "898a477"},
+    {"id": 2, "subject": "Task 1: OpcUaApplicationHost.PeerApplicationUris + ServerArray population", "status": "completed", "commits": ["70ffd28", "cb936db"]},
+    {"id": 3, "subject": "Task 2: OpcUaServer.IntegrationTests project skeleton", "status": "completed", "commit": "83eda9e"},
+    {"id": 4, "subject": "Task 3: DualEndpointTests — real OPC UA client reads both URIs from Server.ServerArray", "status": "completed", "commits": ["dce2528", "a5412c1", "cb936db"], "blockedBy": ["2", "3"]},
+    {"id": 5, "subject": "Task 4: Wire OpcUaServer.IntegrationTests into v2-ci.yml", "status": "completed", "commit": "e8c4f18", "blockedBy": ["4"]},
+    {"id": 6, "subject": "Task 5: Rename FailoverScenarioTests → FailoverDuringDeployTests", "status": "completed", "commit": "25ce111"},
+    {"id": 7, "subject": "Task 6: Delete empty bin/obj-only legacy directories", "status": "completed", "commit": "(no tracked changes — bin/obj only)"},
+    {"id": 8, "subject": "Task 7: Final build + test green check", "status": "completed", "blockedBy": ["1", "2", "3", "4", "5", "6", "7"]}
+  ],
+  "lastUpdated": "2026-05-26T00:00:00Z",
+  "finalReview": "approved",
+  "branchHead": "e8c4f18",
+  "branchCommitCount": 8
+}
@@ -67,33 +67,35 @@
    {"id": 55, "subject": "Task 55: Mac dev mode + DEV-STUB drivers",                          "status": "completed", "classification": "standard",  "estMinutes": 5, "parallelizableWith": [53,54], "blockedBy": [41], "commit": "8b4de80"},
    {"id": 56, "subject": "Task 56: Delete OtOpcUa.Server + OtOpcUa.Admin projects",           "status": "completed", "classification": "high-risk", "estMinutes": 5, "parallelizableWith": [], "blockedBy": [53,54,55], "commit": "76310b8"},
    {"id": 57, "subject": "Task 57: Build & test green check",                                 "status": "completed", "classification": "trivial",   "estMinutes": 3, "parallelizableWith": [], "blockedBy": [56], "commit": "76310b8"},
-    {"id": 58, "subject": "Task 58: 2-node integration test harness",                          "status": "pending", "classification": "standard",  "estMinutes": 5, "parallelizableWith": [], "blockedBy": [57]},
-    {"id": 59, "subject": "Task 59: Deploy + failover integration tests",                      "status": "pending", "classification": "standard",  "estMinutes": 5, "parallelizableWith": [60], "blockedBy": [58]},
+    {"id": 58, "subject": "Task 58: 2-node integration test harness",                          "status": "completed", "classification": "standard",  "estMinutes": 5, "parallelizableWith": [], "blockedBy": [57], "commit": "d6fac2d", "deviation": "Also consolidated to a single Akka.Hosting ActorSystem — Program.cs ran two competing ActorSystems (custom AkkaHostedService + Akka.Hosting AddAkka). Cluster singletons landed on the bare one. Fixed in this commit; AkkaHostedService.cs deleted. docker-compose.yml (SQL+OpenLDAP for real local runs) deferred — harness uses EF in-memory."},
+    {"id": 59, "subject": "Task 59: Deploy + failover integration tests",                      "status": "completed", "classification": "standard",  "estMinutes": 5, "parallelizableWith": [60], "blockedBy": [58], "commit": "5cfbe8b", "deviation": "Happy-path + idempotency landed. Failover scenarios (kill-mid-apply, split-brain, restart-during-deploy) deferred as F22 — they need node-down/restart primitives on the harness. Two production bugs fixed in this commit: (1) coordinator missing DPS subscription for ACKs, (2) NodeId collision on shared loopback host."},
    {"id": 60, "subject": "Task 60: OPC UA dual-endpoint + ServiceLevel tests",                "status": "pending", "classification": "standard",  "estMinutes": 5, "parallelizableWith": [59], "blockedBy": [58]},
-    {"id": 61, "subject": "Task 61: E2E test infrastructure + GitHub Actions CI",              "status": "pending", "classification": "standard",  "estMinutes": 5, "parallelizableWith": [], "blockedBy": [59,60]},
-    {"id": 62, "subject": "Task 62: Rewrite Install-Services.ps1",                             "status": "pending", "classification": "standard",  "estMinutes": 5, "parallelizableWith": [63,64,65], "blockedBy": [53]},
-    {"id": 63, "subject": "Task 63: Traefik config + docker-dev compose",                      "status": "pending", "classification": "standard",  "estMinutes": 5, "parallelizableWith": [62,64,65], "blockedBy": [53]},
-    {"id": 64, "subject": "Task 64: Update existing docs (Redundancy, ServiceHosting, security)", "status": "pending", "classification": "standard", "estMinutes": 5, "parallelizableWith": [62,63,65], "blockedBy": [57]},
-    {"id": 65, "subject": "Task 65: New v2 docs (Architecture-v2, Cluster, ControlPlane, Runtime)", "status": "pending", "classification": "standard", "estMinutes": 5, "parallelizableWith": [62,63,64], "blockedBy": [57]},
-    {"id": "F1", "subject": "Follow-up: AuthEndpoints integration tests against fused Host", "status": "pending", "classification": "small", "estMinutes": 10, "parallelizableWith": ["F2"], "blockedBy": [53], "origin": "Deviation from Task 29 (commit 38ea0c5) — deferred until Task 53 wires AddOtOpcUaAuth/MapOtOpcUaAuth in Program. Add WebApplicationFactory<OtOpcUa.Host.Program> tests for /auth/login (204/401/503), /auth/ping (401/200), /auth/token (200+JWT), /auth/logout (204+cookie clear) using a stub ILdapAuthService."},
-    {"id": "F2", "subject": "Follow-up: Replace JwtBearer BuildServiceProvider antipattern with IPostConfigureOptions", "status": "pending", "classification": "small", "estMinutes": 5, "parallelizableWith": ["F1"], "blockedBy": [], "origin": "Deviation from Task 26 (commit 207fc6a) — AddOtOpcUaAuth uses services.BuildServiceProvider().CreateScope() inside .AddJwtBearer lambda (ASP0000). Refactor to IPostConfigureOptions<JwtBearerOptions> so validation parameters resolve lazily from the real request provider."},
-    {"id": "F3", "subject": "Follow-up: Add EventId unique column to ConfigAuditLog for cross-restart audit idempotency", "status": "pending", "classification": "small", "estMinutes": 15, "parallelizableWith": ["F4"], "blockedBy": [], "origin": "Deviation from Task 33 — AuditWriterActor only dedups in-buffer; ConfigAuditLog lacks EventId column so a duplicate AuditEvent that arrives after a flush becomes a duplicate row. Add nullable EventId Guid + filtered unique index, migration, and refactor AuditWriterActor.WrapDetails away."},
-    {"id": "F4", "subject": "Follow-up: Harden AuditWriterActor.WrapDetails JSON synthesis with System.Text.Json", "status": "pending", "classification": "small", "estMinutes": 5, "parallelizableWith": ["F3"], "blockedBy": [], "origin": "Self-review of Task 33 — WrapDetails uses string concat; malformed caller DetailsJson would produce invalid JSON and trip the CK_ConfigAuditLog_DetailsJson_IsJson constraint, killing the entire flush batch. Discard this task if F3 lands first (F3 removes WrapDetails entirely)."},
-    {"id": "F5", "subject": "Follow-up: ConfigPublishCoordinator multi-node happy-path test", "status": "pending", "classification": "standard", "estMinutes": 30, "parallelizableWith": [], "blockedBy": [], "origin": "Self-review of Task 30 — single-ActorSystem TestKit can't simulate the plan's 'dispatch to N driver nodes, all ack, seals' happy path because DiscoverDriverNodes() needs real cluster membership. Add a multi-system test (two ActorSystems joined into one cluster, driver-role on the second)."},
-    {"id": "F6", "subject": "Follow-up: RedundancyStateActor publisher abstraction so tests don't need DPS bootstrap", "status": "pending", "classification": "small", "estMinutes": 10, "parallelizableWith": [], "blockedBy": [], "origin": "Self-review of Task 35 — RedundancyStateActorTests are skipped because single-node DistributedPubSub bootstrap is unreliable in TestKit. Inject an Action<object> broadcast so tests can replace it with a probe; un-skip both tests."},
-    {"id": "F7", "subject": "Follow-up: DriverInstanceActor full engine wiring (subscriptions, writes, ApplyDelta diff)", "status": "pending", "classification": "standard", "estMinutes": 45, "parallelizableWith": [], "blockedBy": [44], "origin": "Self-review of Task 41 — subscription publishing, ApplyDelta diffing, bad-quality-on-disconnect, write path, and supervisor backoff are stubbed. Wire after OpcUaPublishActor lands."},
-    {"id": "F8", "subject": "Follow-up: VirtualTagActor engine wiring (compile expression, subscribe deps, publish result)", "status": "pending", "classification": "standard", "estMinutes": 30, "parallelizableWith": [], "blockedBy": [], "origin": "Self-review of Task 42 — VirtualTagEngine.Evaluate not called; DependencyValueChanged just buffers."},
-    {"id": "F9", "subject": "Follow-up: ScriptedAlarmActor engine wiring + state persistence", "status": "pending", "classification": "standard", "estMinutes": 30, "parallelizableWith": [], "blockedBy": [], "origin": "Self-review of Task 43 — AlarmConditionService not called; PreRestart persistence to ScriptedAlarmState DB not wired; HistorianAdapter rows not emitted."},
-    {"id": "F10", "subject": "Follow-up: OpcUaPublishActor SDK integration (address-space writes + ServiceLevel + RebuildAddressSpace)", "status": "pending", "classification": "high-risk", "estMinutes": 60, "parallelizableWith": [], "blockedBy": [47], "origin": "Self-review of Task 44 — SDK calls stubbed; counters only. Wire after Phase 7 OpcUaServer extraction."},
-    {"id": "F11", "subject": "Follow-up: HistorianAdapterActor named-pipe IPC + SqliteStoreAndForwardSink wiring", "status": "pending", "classification": "standard", "estMinutes": 30, "parallelizableWith": [], "blockedBy": [], "origin": "Self-review of Task 45 — stub buffers in-memory; named-pipe + SQLite store-and-forward not wired."},
-    {"id": "F12", "subject": "Follow-up: PeerOpcUaProbeActor real opc.tcp ping (replace Ok=true stub)", "status": "pending", "classification": "small", "estMinutes": 20, "parallelizableWith": [], "blockedBy": [], "origin": "Self-review of Task 45 — RunProbe always returns Ok=true; replace with OPC UA Client connect."},
-    {"id": "F13", "subject": "Follow-up: Full OpcUaApplicationHost extraction (security/alarms/history/observability)", "status": "pending", "classification": "high-risk", "estMinutes": 120, "parallelizableWith": [], "blockedBy": [], "origin": "Self-review of Task 46 — facade only boots ApplicationInstance + StandardServer. Legacy 391-line file pulls Server.Security/Alarms/History/Observability. Pull those into thin OpcUaServer interfaces."},
-    {"id": "F14", "subject": "Follow-up: Migrate side-effecting Phase7Composer (EquipmentNodeWalker, trace logs, node cache)", "status": "pending", "classification": "standard", "estMinutes": 60, "parallelizableWith": [], "blockedBy": [], "origin": "Self-review of Task 47 — pure version covers the projection. Walker + alarm sink registration + cache mutation stay in legacy until split into Phase7Applier."},
-    {"id": "F15", "subject": "Follow-up: Migrate 47 legacy Admin Blazor components into AdminUI library", "status": "pending", "classification": "high-risk", "estMinutes": 180, "parallelizableWith": [], "blockedBy": [], "origin": "Self-review of Task 48 — only MapAdminUI scaffold + 1 new page (Deployments). 47 pages stay in legacy Admin (accepted-broken) until Task 56."},
-    {"id": "F16", "subject": "Follow-up: Bridge FleetStatusBroadcaster → SignalR hubs (FleetStatusHub / AlertHub / ScriptLogHub)", "status": "pending", "classification": "standard", "estMinutes": 30, "parallelizableWith": [], "blockedBy": [], "origin": "Self-review of Task 49 — hubs are passive Hub subclasses; the bridge from FleetStatusBroadcaster.broadcast → IHubContext is not wired."},
-    {"id": "F17", "subject": "Follow-up: FleetDiagnosticsClient real Akka ActorSelection round-trip (GetDiagnosticsRequest)", "status": "pending", "classification": "standard", "estMinutes": 30, "parallelizableWith": [], "blockedBy": [], "origin": "Self-review of Task 51 — client returns an empty snapshot stub. Add GetDiagnosticsRequest contract + DriverHostActor handler + real Ask/Reply."},
-    {"id": "F18", "subject": "Follow-up: Thread HttpContext.User.Identity.Name into Deployments page (createdBy)", "status": "pending", "classification": "small", "estMinutes": 5, "parallelizableWith": [], "blockedBy": [], "origin": "Self-review of Task 52 — Deployments.razor hardcodes createdBy=\"(current user)\"; needs @inject AuthenticationStateProvider."},
-    {"id": "F19", "subject": "Follow-up: RuntimeStartup extension for driver-role node-actor spawn", "status": "pending", "classification": "standard", "estMinutes": 20, "parallelizableWith": [], "blockedBy": [], "origin": "Self-review of Task 53 — only admin-role singletons are wired via WithOtOpcUaControlPlaneSingletons. Driver-role nodes need a parallel WithOtOpcUaRuntimeActors that spawns DriverHostActor."},
-    {"id": "F20", "subject": "Follow-up: Wire DriverInstanceActor.ShouldStub() into DriverHostActor child spawn", "status": "pending", "classification": "small", "estMinutes": 10, "parallelizableWith": ["F7"], "blockedBy": [], "origin": "Self-review of Task 55 — ShouldStub helper exists but nothing calls it. Folds into F7 when DriverHostActor learns to spawn DriverInstanceActor children."}
+    {"id": 61, "subject": "Task 61: E2E test infrastructure + GitHub Actions CI",              "status": "completed", "classification": "standard",  "estMinutes": 5, "parallelizableWith": [], "blockedBy": [59,60], "commit": "253fb60", "deviation": "CI workflow files landed but E2E test project (tests/Server/ZB.MOM.WW.OtOpcUa.E2ETests) deferred — it lands when F10/F11/F12 wire enough engine for an end-to-end round-trip to be meaningful. The E2E workflow runs against the docker-dev fleet but its --filter Category=E2E currently matches zero tests."},
+    {"id": 62, "subject": "Task 62: Rewrite Install-Services.ps1",                             "status": "completed", "classification": "standard",  "estMinutes": 5, "parallelizableWith": [63,64,65], "blockedBy": [53], "commit": "e40615d"},
+    {"id": 63, "subject": "Task 63: Traefik config + docker-dev compose",                      "status": "completed", "classification": "standard",  "estMinutes": 5, "parallelizableWith": [62,64,65], "blockedBy": [53], "commit": "7e3b56c", "deviation": "Untested on macOS (no local Docker). Compose file should work — exercise + adjust on first run against a real Docker host."},
+    {"id": 64, "subject": "Task 64: Update existing docs (Redundancy, ServiceHosting, security)", "status": "completed", "classification": "standard", "estMinutes": 5, "parallelizableWith": [62,63,65], "blockedBy": [57], "commit": "3c3fef9", "deviation": "Redundancy.md + ServiceHosting.md full rewrites. security.md v2 banner only — full per-section rewrite waits for F15 (Admin pages migration) since security.md references many pages that will move. README.md platform-overview updated."},
+    {"id": 65, "subject": "Task 65: New v2 docs (Architecture-v2, Cluster, ControlPlane, Runtime)", "status": "completed", "classification": "standard", "estMinutes": 5, "parallelizableWith": [62,63,64], "blockedBy": [57], "commit": "1689901"},
+    {"id": "F1", "subject": "Follow-up: AuthEndpoints integration tests against fused Host", "status": "completed", "classification": "small", "estMinutes": 10, "parallelizableWith": ["F2"], "blockedBy": [53], "commit": "463512d", "origin": "Deviation from Task 29 (commit 38ea0c5) — deferred until Task 53 wires AddOtOpcUaAuth/MapOtOpcUaAuth in Program. Add WebApplicationFactory<OtOpcUa.Host.Program> tests for /auth/login (204/401/503), /auth/ping (401/200), /auth/token (200+JWT), /auth/logout (204+cookie clear) using a stub ILdapAuthService.", "deviation": "Used HostBuilder + TestServer directly (Security.Tests/AuthEndpointsIntegrationTests) instead of WebApplicationFactory<Program> — Host needs Akka cluster bootstrap that's out of scope for this contract test. Cluster-mode auth coverage belongs in Task 58."},
+    {"id": "F2", "subject": "Follow-up: Replace JwtBearer BuildServiceProvider antipattern with IPostConfigureOptions", "status": "completed", "classification": "small", "estMinutes": 5, "parallelizableWith": ["F1"], "blockedBy": [], "commit": "45a8c79", "origin": "Deviation from Task 26 (commit 207fc6a) — AddOtOpcUaAuth uses services.BuildServiceProvider().CreateScope() inside .AddJwtBearer lambda (ASP0000). Refactor to IPostConfigureOptions<JwtBearerOptions> so validation parameters resolve lazily from the real request provider."},
+    {"id": "F3", "subject": "Follow-up: Add EventId unique column to ConfigAuditLog for cross-restart audit idempotency", "status": "completed", "classification": "small", "estMinutes": 15, "parallelizableWith": ["F4"], "blockedBy": [], "commit": "f57f61d", "origin": "Deviation from Task 33 — AuditWriterActor only dedups in-buffer; ConfigAuditLog lacks EventId column so a duplicate AuditEvent that arrives after a flush becomes a duplicate row. Add nullable EventId Guid + filtered unique index, migration, and refactor AuditWriterActor.WrapDetails away."},
+    {"id": "F4", "subject": "Follow-up: Harden AuditWriterActor.WrapDetails JSON synthesis with System.Text.Json", "status": "completed", "classification": "small", "estMinutes": 5, "parallelizableWith": ["F3"], "blockedBy": [], "commit": "f57f61d", "deviation": "Moot — F3 deleted WrapDetails entirely (EventId/CorrelationId now live in dedicated columns).", "origin": "Self-review of Task 33 — WrapDetails uses string concat; malformed caller DetailsJson would produce invalid JSON and trip the CK_ConfigAuditLog_DetailsJson_IsJson constraint, killing the entire flush batch. Discard this task if F3 lands first (F3 removes WrapDetails entirely)."},
+    {"id": "F5", "subject": "Follow-up: ConfigPublishCoordinator multi-node happy-path test", "status": "completed", "classification": "standard", "estMinutes": 30, "parallelizableWith": [], "blockedBy": [], "commit": "5cfbe8b", "deviation": "Delivered by Task 59 — DeployHappyPathTests.StartDeployment_seals_after_both_nodes_apply exercises the exact 'dispatch to N driver nodes, all ack, seals' flow via the real 2-node TwoNodeClusterHarness rather than a multi-system TestKit. Cleaner because it tests the production code path end-to-end.", "origin": "Self-review of Task 30 — single-ActorSystem TestKit can't simulate the plan's 'dispatch to N driver nodes, all ack, seals' happy path because DiscoverDriverNodes() needs real cluster membership. Add a multi-system test (two ActorSystems joined into one cluster, driver-role on the second)."},
+    {"id": "F6", "subject": "Follow-up: RedundancyStateActor publisher abstraction so tests don't need DPS bootstrap", "status": "completed", "classification": "small", "estMinutes": 10, "parallelizableWith": [], "blockedBy": [], "commit": "dfc143c", "origin": "Self-review of Task 35 — RedundancyStateActorTests are skipped because single-node DistributedPubSub bootstrap is unreliable in TestKit. Inject an Action<object> broadcast so tests can replace it with a probe; un-skip both tests."},
+    {"id": "F7", "subject": "Follow-up: DriverInstanceActor full engine wiring (subscriptions, writes, ApplyDelta diff)", "status": "completed", "classification": "standard", "estMinutes": 45, "parallelizableWith": [], "blockedBy": [44], "origin": "Self-review of Task 41 — subscription publishing, ApplyDelta diffing, bad-quality-on-disconnect, write path, and supervisor backoff are stubbed. Wire after OpcUaPublishActor lands.", "shipped": "All three pieces landed: (1) spawn lifecycle in DriverHostActor (DriverSpawnPlanner + IDriverFactory seam) — da14149, (2) ISubscribable wiring + OPC UA status-code → OpcUaQuality severity-bit mapping + DetachSubscription on disconnect/PostStop, (3) IWritable.WriteAsync write path with 5s timeout, status-code bubble-up, and AttributeValuePublished published to parent on every OnDataChange — both shipped in the F7-residual batch. Host DI binding (DriverFactoryBootstrap registers AbCip/AbLegacy/FOCAS/Galaxy/Modbus/S7/TwinCAT factories) lives in src/Server/ZB.MOM.WW.OtOpcUa.Host/Drivers/."},
+    {"id": "F8", "subject": "Follow-up: VirtualTagActor engine wiring (compile expression, subscribe deps, publish result)", "status": "partial", "classification": "standard", "estMinutes": 30, "parallelizableWith": [], "blockedBy": [], "origin": "Self-review of Task 42 — VirtualTagEngine.Evaluate not called; DependencyValueChanged just buffers.", "shipped": "(1) IVirtualTagEvaluator seam + NullVirtualTagEvaluator default. VirtualTagActor calls evaluator on DependencyValueChanged, dedupes unchanged results, emits EvaluationResult to parent, publishes Warning ScriptLogEntry on failure. (2) DependencyMuxActor in Runtime fans out DriverInstanceActor.AttributeValuePublished from DriverHostActor through to interested VirtualTagActor subscribers. VirtualTagActor takes dependencyRefs + mux ActorRef in Props, registers interest in PreStart, unregisters in PostStop. WithOtOpcUaRuntimeActors spawns the mux + threads it into DriverHostActor. Production binding to Core.VirtualTags.VirtualTagEngine (expression compile + dep extraction) still TODO — split as F8b."},
+    {"id": "F9", "subject": "Follow-up: ScriptedAlarmActor engine wiring + state persistence", "status": "partial", "classification": "standard", "estMinutes": 30, "parallelizableWith": [], "blockedBy": [], "origin": "Self-review of Task 43 — AlarmConditionService not called; PreRestart persistence to ScriptedAlarmState DB not wired; HistorianAdapter rows not emitted.", "shipped": "(1) IScriptedAlarmEvaluator seam + NullScriptedAlarmEvaluator default. ScriptedAlarmActor takes AlarmConfig (id/name/path/severity/predicate), evaluates on DependencyValueChanged, publishes AlarmTransitionEvent + ScriptLogEntry on every transition. (2) IAlarmActorStateStore seam in Commons.Engines + NullAlarmActorStateStore default + EfAlarmActorStateStore production adapter over the ScriptedAlarmState entity. ScriptedAlarmActor PreStart loads + restores; every Transition fires a fire-and-forget save with lastAckUser. Predicate binding to Core.ScriptedAlarms.ScriptedAlarmEngine still TODO — split as F9b."},
+    {"id": "F10", "subject": "Follow-up: OpcUaPublishActor SDK integration (address-space writes + ServiceLevel + RebuildAddressSpace)", "status": "partial", "classification": "high-risk", "estMinutes": 60, "parallelizableWith": [], "blockedBy": [47], "origin": "Self-review of Task 44 — SDK calls stubbed; counters only. Wire after Phase 7 OpcUaServer extraction.", "shipped": "(1) IOpcUaAddressSpaceSink + IServiceLevelPublisher seams in Commons.OpcUa with Null* defaults. OpcUaPublishActor routes through the sink, dedupes ServiceLevelChanged, subscribes to redundancy-state DPS topic, maps redundancy snapshot to a coarse ServiceLevel (Primary+leader=240, Primary=200, Secondary=100, Detached=0). (2) OtOpcUaNodeManager (CustomNodeManager2) + OtOpcUaSdkServer (StandardServer subclass) + SdkAddressSpaceSink in OpcUaServer — lazy variable creation on first WriteValue, WriteAlarmState shape, RebuildAddressSpace tear-down. Variable updates propagate via ClearChangeMasks so subscribed OPC UA clients see them. Tests boot a real StandardServer + verify sink writes show up in the manager. Production wiring through OpcUaApplicationHost.StartAsync (default server = OtOpcUaSdkServer) + IServiceLevelPublisher SDK binding + #109 OpcUaPublishActor→Phase7Applier integration are the remaining pieces."},
+    {"id": "F11", "subject": "Follow-up: HistorianAdapterActor named-pipe IPC + SqliteStoreAndForwardSink wiring", "status": "completed", "classification": "standard", "estMinutes": 30, "parallelizableWith": [], "blockedBy": [], "commit": "6861381", "deviationNotes": "Reshaped HistorianAdapterActor around the existing IAlarmHistorianSink abstraction (alarm-event shape, not the original tag-history-row stub). Defaults to NullAlarmHistorianSink; production deployments wire SqliteStoreAndForwardSink + WonderwareHistorianClient via AddOtOpcUaRuntime overrides. Actor now exposes GetStatus returning HistorianSinkStatus for diagnostics. Named-pipe transport implementation lives unchanged in src/Drivers/ZB.MOM.WW.OtOpcUa.Driver.Historian.Wonderware.Client/WonderwareHistorianClient.cs — the actor is intentionally just a fire-and-forget bridge.", "origin": "Self-review of Task 45 — stub buffers in-memory; named-pipe + SQLite store-and-forward not wired."},
+    {"id": "F12", "subject": "Follow-up: PeerOpcUaProbeActor real opc.tcp ping (replace Ok=true stub)", "status": "completed", "classification": "small", "estMinutes": 20, "parallelizableWith": [], "blockedBy": [], "commit": "b06e3ae", "deviation": "TCP-connect probe rather than full OPC UA Hello/Acknowledge handshake. Enough for the redundancy calc; deeper liveness signals can layer on later without changing the actor's contract.", "origin": "Self-review of Task 45 — RunProbe always returns Ok=true; replace with OPC UA Client connect."},
+    {"id": "F13", "subject": "Follow-up: Full OpcUaApplicationHost extraction (security/alarms/history/observability)", "status": "partial", "classification": "high-risk", "estMinutes": 120, "parallelizableWith": [], "blockedBy": [], "commit": "36c4751-partial", "deviationNotes": "F13a (cert auto-creation) shipped in 36c4751. Remaining: endpoint-security wiring (SecurityProfileResolver into ServerConfiguration.SecurityPolicies), LDAP user-token validator (the OPC UA UserNameToken path; HTTP-layer LDAP auth is separate and already in OtOpcUa.Security), scripted-alarm node manager creation, history backend wiring, observability hooks (OpenTelemetry metrics + traces). These are gated by F10's OpcUaPublishActor SDK integration — until F10 lands, nothing instantiates OpcUaApplicationHost so the missing wiring is dead weight.", "origin": "Self-review of Task 46 — facade only boots ApplicationInstance + StandardServer. Legacy 391-line file pulls Server.Security/Alarms/History/Observability. Pull those into thin OpcUaServer interfaces."},
+    {"id": "F14", "subject": "Follow-up: Migrate side-effecting Phase7Composer (EquipmentNodeWalker, trace logs, node cache)", "status": "partial", "classification": "standard", "estMinutes": 60, "parallelizableWith": [], "blockedBy": [], "origin": "Self-review of Task 47 — pure version covers the projection. Walker + alarm sink registration + cache mutation stay in legacy until split into Phase7Applier.", "shipped": "Phase7Plan + Phase7Planner.Compute (pure diff over EquipmentNodes/DriverInstancePlans/ScriptedAlarmPlans by stable id, with Added/Removed/Changed lists). Phase7Applier consumes plan + IOpcUaAddressSpaceSink: drives RebuildAddressSpace on Equipment/Alarm topology change, writes inactive AlarmState for removed nodes, catches + logs sink faults. Driver-only changes correctly skip the rebuild (DriverHostActor's spawn-plan in Runtime handles those). Walker integration with the real SDK NodeManager is the remaining piece — split as F14b (consumes the existing EquipmentNodeWalker once F10b lands an SDK builder)."},
+    {"id": "F15", "subject": "Follow-up: Migrate 47 legacy Admin Blazor components into AdminUI library", "status": "completed", "classification": "high-risk", "estMinutes": 180, "commit": "Phase A-D (read views) + F15.2 batches 1-4 (live-edit CRUD) + F15.3 (live alerts/script-log/CSV import/Monaco)", "deviationNotes": "All 4 phases of read-only views shipped: Phase A (shell/auth/fleet/hosts), B (cluster CRUD + Overview/Redundancy), C (Equipment/UNS/Namespaces/Drivers/Tags/ACLs), D (Audit/VirtualTags/ScriptedAlarms/Scripts/RoleGrants/Certificates/Reservations/AlarmsHistorian). Per Q1–Q5 of docs/v2/AdminUI-rebuild-plan.md: typed driver editors deferred, top-level VirtualTags/ScriptedAlarms kept (Q2 reversed for cross-cluster discoverability), routes-not-tabs adopted, fleet-wide LDAP→role map only, generic login errors. Live-edit forms (F15.2) and ScriptLog page (depends on F16 ScriptLogHub) are explicit follow-ups.", "parallelizableWith": [], "blockedBy": [], "origin": "Self-review of Task 48 — only MapAdminUI scaffold + 1 new page (Deployments). 47 pages stay in legacy Admin (accepted-broken) until Task 56."},
+    {"id": "F16", "subject": "Follow-up: Bridge FleetStatusBroadcaster → SignalR hubs (FleetStatusHub / AlertHub / ScriptLogHub)", "status": "completed", "classification": "standard", "estMinutes": 30, "parallelizableWith": [], "blockedBy": [], "commit": "f18c285", "deviation": "FleetStatusHub bridge landed. AlertHub + ScriptLogHub deferred — they need upstream message contracts that aren't defined yet (alerts emerge from F9 ScriptedAlarmActor, script logs from F8 VirtualTagActor).", "origin": "Self-review of Task 49 — hubs are passive Hub subclasses; the bridge from FleetStatusBroadcaster.broadcast → IHubContext is not wired."},
+    {"id": "F17", "subject": "Follow-up: FleetDiagnosticsClient real Akka ActorSelection round-trip (GetDiagnosticsRequest)", "status": "completed", "classification": "standard", "estMinutes": 30, "parallelizableWith": [], "blockedBy": [], "commit": "8f32b89", "origin": "Self-review of Task 51 — client returns an empty snapshot stub. Add GetDiagnosticsRequest contract + DriverHostActor handler + real Ask/Reply."},
+    {"id": "F18", "subject": "Follow-up: Thread HttpContext.User.Identity.Name into Deployments page (createdBy)", "status": "completed", "classification": "small", "estMinutes": 5, "parallelizableWith": [], "blockedBy": [], "commit": "b266f63", "origin": "Self-review of Task 52 — Deployments.razor hardcodes createdBy=\"(current user)\"; needs @inject AuthenticationStateProvider."},
+    {"id": "F19", "subject": "Follow-up: RuntimeStartup extension for driver-role node-actor spawn", "status": "completed", "classification": "standard", "estMinutes": 20, "parallelizableWith": [], "blockedBy": [], "commit": "09d6676", "origin": "Self-review of Task 53 — only admin-role singletons are wired via WithOtOpcUaControlPlaneSingletons. Driver-role nodes need a parallel WithOtOpcUaRuntimeActors that spawns DriverHostActor."},
+    {"id": "F20", "subject": "Follow-up: Wire DriverInstanceActor.ShouldStub() into DriverHostActor child spawn", "status": "completed", "classification": "small", "estMinutes": 10, "parallelizableWith": ["F7"], "blockedBy": [], "origin": "Self-review of Task 55 — ShouldStub helper exists but nothing calls it. Folds into F7 when DriverHostActor learns to spawn DriverInstanceActor children.", "shipped": "DriverHostActor.SpawnChild now calls DriverInstanceActor.ShouldStub(type, _localRoles) and routes Windows-only driver types to the stub path on non-Windows / dev-role hosts. Verified by DriverHostActorReconcileTests.Galaxy_on_non_windows_is_stubbed_by_ShouldStub_check."},
+    {"id": "F21", "subject": "Follow-up: docker-compose.yml for Host.IntegrationTests (real SQL Server + OpenLDAP)", "status": "completed", "classification": "standard", "estMinutes": 30, "parallelizableWith": [], "blockedBy": [], "commit": "b0a2bb0", "deviationNotes": "Stack shipped (SQL on 14331, OpenLDAP on 3894). HarnessMode reads OTOPCUA_HARNESS_USE_SQL=1 / USE_LDAP=1 from env; SQL mode uses per-harness unique DB via EnsureCreated. Compose itself not local-validated — DESKTOP-6JL3KKO has no Docker per CLAUDE.md; CI on Linux will exercise the real path. The xunit test-trait split was punted — env vars are simpler and cover the same use case (one suite, two modes, no test-class duplication).", "origin": "Deviation from Task 58 — TwoNodeClusterHarness uses EF InMemoryDatabase + StubLdapAuthService. For Mac-friendly local runs against real SQL constraints + LDAP, add tests/Server/ZB.MOM.WW.OtOpcUa.Host.IntegrationTests/docker-compose.yml (SQL Server + OpenLDAP), wire EF SqlServer provider behind an env var (OTOPCUA_HARNESS_USE_SQL=1), and add a test trait so CI can run both modes."},
+    {"id": "F22", "subject": "Follow-up: failover scenario integration tests (kill-mid-apply, split-brain, restart-during-deploy)", "status": "completed", "classification": "standard", "estMinutes": 60, "parallelizableWith": [], "blockedBy": [], "commit": "cd5540c", "deviationNotes": "Shipped 3 scenarios on the existing 2-node harness: stop-shrinks, restart-rejoins-same-port, deploy-with-one-node-down. Split-brain via simulated partition deferred — Akka.Hosting + xunit don't expose transport-level interference cleanly. The graceful-shutdown + rejoin path is what production actually exercises; ungraceful kill-mid-apply non-deterministic under SBR's 15s stable-after.", "origin": "Deviation from Task 59 — happy-path + idempotency landed but design §8 cases 3-7 need controlled node-down primitives on TwoNodeClusterHarness (StopNodeAsync, RestartNodeAsync, PartitionBetweenAsync). Add those + 5 scenario tests."}
  ]
 }
@@ -1,5 +1,19 @@
 # Security

+> **v2 status (2026-05-26).** The four security concerns below are unchanged in v2.
+> Paths + project names moved: `OtOpcUa.Server/Security/` → `OtOpcUa.Security/`
+> (`Ldap/`, `Jwt/`, `Endpoints/AuthEndpoints.cs`), `OtOpcUa.Admin` is gone (its
+> auth + role-grant pages live in `OtOpcUa.AdminUI`), and Admin auth policies
+> register in `OtOpcUa.Host/Program.cs` via `AddOtOpcUaAuth` rather than in a
+> separate Admin process. The v2 `Security:Jwt` section adds JWT bearer auth
+> alongside the existing cookie scheme (`AddJwtBearer` wired via
+> `IPostConfigureOptions<JwtBearerOptions>` in `OtOpcUa.Security`). DataProtection
+> keys persist to the shared `ConfigDb.DataProtectionKeys` table so cookies
+> survive failover between admin-role nodes.
+>
+> See `docs/plans/2026-05-26-akka-hosting-alignment-design.md` §5 for the v2
+> auth + DataProtection rationale.
+
 OtOpcUa has four independent security concerns. This document covers all four:

 1. **Transport security** — OPC UA secure channel (signing, encryption, X.509 trust).
@@ -95,7 +109,7 @@ The Server accepts three OPC UA identity-token types:
 | Token | Handler | Notes |
 |---|---|---|
 | Anonymous | `IUserAuthenticator.AuthenticateAsync(username: "", password: "")` | Refused in strict mode unless explicit anonymous grants exist; allowed in lax mode for backward compatibility. |
-| UserName/Password | `LdapUserAuthenticator` (`src/Server/ZB.MOM.WW.OtOpcUa.Server/Security/LdapUserAuthenticator.cs`) | LDAP bind + group lookup; resolved `LdapGroups` flow into the session's identity bearer (`ILdapGroupsBearer`). |
+| UserName/Password | `LdapOpcUaUserAuthenticator` (`src/Server/ZB.MOM.WW.OtOpcUa.Host/OpcUa/LdapOpcUaUserAuthenticator.cs`, backed by `LdapAuthService` at `src/Server/ZB.MOM.WW.OtOpcUa.Security/Ldap/LdapAuthService.cs`) | LDAP bind + group lookup; resolved `LdapGroups` flow into the session's identity bearer (`ILdapGroupsBearer`). |
 | X.509 Certificate | Stack-level acceptance + role mapping via CN | X.509 identity carries `AuthenticatedUser` + read roles; finer-grain authorization happens through the data-plane ACLs. |

 ### LDAP bind flow (`LdapUserAuthenticator`)
@@ -207,20 +221,16 @@ The three Write tiers map to Galaxy's v1 `SecurityClassification` — `FreeAcces

 `NodeScope` carries `(ClusterId, NamespaceId, AreaId, LineId, EquipmentId, TagId)`; any suffix may be null — a tag-level ACL is more specific than an area-level ACL but both contribute via union.

-### Dispatch gate — `AuthorizationGate`
+### Dispatch gate — `IPermissionEvaluator`

-`src/Server/ZB.MOM.WW.OtOpcUa.Server/Security/AuthorizationGate.cs` bridges the OPC UA stack's `ISystemContext.UserIdentity` to the evaluator. `DriverNodeManager` holds exactly one reference to it and calls `IsAllowed(identity, OpcUaOperation.*, NodeScope)` on every Read, Write, HistoryRead, Browse, Subscribe, AckAlarm, Call path. A false return short-circuits the dispatch with `BadUserAccessDenied`.
+`IPermissionEvaluator.Authorize(session, operation, scope)` (default impl `TriePermissionEvaluator` at `src/Core/ZB.MOM.WW.OtOpcUa.Core/Authorization/TriePermissionEvaluator.cs`) bridges the OPC UA stack's `ISystemContext.UserIdentity` to the trie. The dispatch path calls it on every Read, Write, HistoryRead, Browse, Subscribe, AckAlarm, Call. A non-allow decision short-circuits the dispatch with `BadUserAccessDenied`.

 Key properties:

- **Driver-agnostic.** No driver-level code participates in authorization decisions. Drivers report `SecurityClassification` as metadata on tag discovery; everything else flows through `AuthorizationGate`.
+- **Driver-agnostic.** No driver-level code participates in authorization decisions. Drivers report `SecurityClassification` as metadata on tag discovery; everything else flows through the evaluator.
 - **Fail-open-during-transition.** `StrictMode = false` (default during ACL rollouts) lets sessions without resolved LDAP groups proceed; flip `Authorization:StrictMode = true` in production once ACLs are populated.
 - **Evaluator stays pure.** `TriePermissionEvaluator` has no OPC UA stack dependency — it's tested directly from xUnit.

-### Probe-this-permission (Admin UI)
-
-`PermissionProbeService` (`src/Server/ZB.MOM.WW.OtOpcUa.Admin/Services/PermissionProbeService.cs`) lets an operator ask "if a user with groups X, Y, Z asked to do operation O on node N, would it succeed?" The answer is rendered in the AclsTab "Probe" dialog — same evaluator, same trie, so the Admin UI answer and the live Server answer cannot disagree.
-
 ### Full model

 See [`docs/v2/acl-design.md`](v2/acl-design.md) for the complete design: trie invalidation, flag semantics, per-path override rules, and the reasoning behind additive-only (no Deny).
@@ -235,7 +245,7 @@ Per decision #150 control-plane roles are **deliberately independent of data-pla

 ### Roles

-`src/Server/ZB.MOM.WW.OtOpcUa.Admin/Services/AdminRoles.cs`:
+The `AdminRole` enum (`src/Core/ZB.MOM.WW.OtOpcUa.Configuration/Enums/AdminRole.cs`) defines:

 | Role | Capabilities |
 |---|---|
@@ -243,15 +253,7 @@ Per decision #150 control-plane roles are **deliberately independent of data-pla
 | `ConfigEditor` | ConfigViewer plus draft editing (UNS, equipment, tags, ACLs, driver instances, reservations, CSV imports). Cannot publish. |
 | `FleetAdmin` | ConfigEditor plus publish, cluster/node CRUD, credential management, role-grant management. |

-Policies registered in Admin `Program.cs`:
-
-```csharp
-builder.Services.AddAuthorizationBuilder()
-    .AddPolicy("CanEdit",    p => p.RequireRole(AdminRoles.ConfigEditor, AdminRoles.FleetAdmin))
-    .AddPolicy("CanPublish", p => p.RequireRole(AdminRoles.FleetAdmin));
-```
-
-Razor pages and API endpoints gate with `[Authorize(Policy = "CanEdit")]` / `"CanPublish"`; nav-menu sections hide via `<AuthorizeView>`.
+In v2 the authentication + authorization stack is wired centrally by `AddOtOpcUaAuth` (`src/Server/ZB.MOM.WW.OtOpcUa.Security/ServiceCollectionExtensions.cs`) and Razor pages gate inline with the role names, e.g. `@attribute [Authorize(Roles = "FleetAdmin,ConfigEditor")]` on `Deployments.razor`. Nav-menu sections hide via `<AuthorizeView>`.

 ### Role grant source

@@ -0,0 +1,265 @@
+# Admin UI rebuild plan (F15)
+
+**Status:** UX kickoff — proposals to react to before any per-page rebuild starts.
+**Last updated:** 2026-05-26 on `v2-akka-fuse`.
+
+## Why this isn't a straight port
+
+The v1 Admin UI was built around `ConfigGeneration` draft → publish:
+operators edited a **draft** generation, the system computed a **diff** against the
+last published one, and a manual **Publish** sealed it. Six full pages
+(`DraftEditor`, `DiffViewer`, `DiffSection`, `Generations`, plus the per-tab
+"viewing draft N" header) lived to make this workflow legible.
+
+v2 replaces that with **live-edit + snapshot-deploy** (decisions #14a–#14e on this
+branch). Edits write directly to live tables guarded by `RowVersion`
+concurrency; deploying is a single click that snapshots the current live state
+and dispatches it via Akka. Drift between "current live" and "last sealed
+deployment" surfaces as a one-line indicator on the
+[Deployments](../../src/Server/ZB.MOM.WW.OtOpcUa.AdminUI/Components/Pages/Deployments.razor)
+page.
+
+That collapses **six pages → zero** before we ship a line of new Razor. The
+remaining ~41 legacy pages map to ~30 v2 pages once redundant fleet-wide views
+fold into their cluster-tab equivalents.
+
+## Inventory: 47 legacy pages → v2 disposition
+
+Source: `git show 76310b8^ -- 'src/Server/ZB.MOM.WW.OtOpcUa.Admin/**/*.razor'`.
+
+### Site shell (5 files) — port
+
+| Legacy | v2 status | Notes |
+|---|---|---|
+| `App.razor`, `Routes.razor`, `_Imports.razor` | Port | Boilerplate; minor render-mode tweaks |
+| `Layout/MainLayout.razor` | ✅ Already in v2 | Done in Task 48 |
+| `Components/Pages/Login.razor`, `Account.razor` | Port | Auth endpoints changed (cookie+JWT hybrid, Task 26); login form posts to `/auth/login` now |
+
+### Shared widgets (5 files) — port
+
+| Legacy | v2 status |
+|---|---|
+| `StatusBadge.razor` | ✅ Already in v2 |
+| `LoadingSpinner.razor` | ✅ Already in v2 |
+| `ToastNotification.razor` | ✅ Already in v2 |
+| `ClusterAuthorizeView.razor`, `RedirectToLogin.razor` | Port — adjust for v2 `IUserAuthenticator` |
+
+### Fleet (1 file) — reshape
+
+| Legacy | v2 strategy |
+|---|---|
+| `Fleet.razor` | **Reshape.** Drop the v1 "poller reads central DB" data source. v2 reads `NodeDeploymentState` (Applied / Failed / Stale per node) + subscribes to `FleetStatusHub` for live `ServiceLevel` updates (already wired in F16) + queries `IFleetDiagnosticsClient.GetDiagnostics` (F17) for per-node driver health. Single page, similar shape to v1. |
+
+### Cluster CRUD (3 files) — port
+
+| Legacy | v2 strategy |
+|---|---|
+| `ClustersList.razor` | Port |
+| `NewCluster.razor` | Port |
+| `ClusterDetail.razor` | **Port — drop draft/publish chrome.** No "New draft" button; no "current published" sidebar. Replace with "Last deployed" badge + a "Deploy" button (already a SignalR-aware widget on the Deployments page; this becomes a cluster-scoped variant). |
+
+### Draft/publish workflow (4 files) — **drop entirely**
+
+| Legacy | v2 strategy |
+|---|---|
+| `DraftEditor.razor` | **Drop.** No drafts in v2. |
+| `DiffViewer.razor` | **Drop.** Drift indicator replaces it on Deployments page. |
+| `DiffSection.razor` | **Drop.** |
+| `Generations.razor` | **Drop — replaced by `Deployments.razor`** (already shipped in v2 ahead of F15). |
+
+### Cluster tabs (11 files) — port as live-edit forms
+
+Each becomes a live-edit surface: load the entity, bind to a form, save with
+`RowVersion` concurrency check (409 on conflict → toast + reload). No "viewing
+draft N" header; no per-tab snapshot view.
+
+| Legacy tab | v2 strategy |
+|---|---|
+| `EquipmentTab.razor` | Port — UNS path tree picker stays |
+| `UnsTab.razor` | Port — same |
+| `NamespacesTab.razor` | Port |
+| `DriversTab.razor` | Port — **driver-type-specific editors are a separate question (see below)** |
+| `TagsTab.razor` | Port |
+| `AclsTab.razor` | Port — wire to v2 LDAP group → role mapping (see RoleGrants question) |
+| `RedundancyTab.razor` | Port — surface v2 `ServiceLevel` calc (Task 35) instead of v1 redundancy state machine |
+| `ScriptedAlarmsTab.razor` | Port |
+| `ScriptsTab.razor` | Port |
+| `VirtualTagsTab.razor` | Port |
+| `AuditTab.razor` | Port — wire to v2 `ConfigAuditLog` (post-F3 schema: `EventId`, `CorrelationId` columns) |
+
+### Cluster-scoped editors (3 files) — port as reusable inputs
+
+| Legacy | v2 strategy |
+|---|---|
+| `IdentificationFields.razor` | Port |
+| `ImportEquipment.razor` | Port |
+| `ScriptEditor.razor` | Port |
+
+### Cross-cluster pages (8 files) — mixed
+
+| Legacy | v2 strategy |
+|---|---|
+| `Hosts.razor` | Port — reshape to "Akka cluster members" (showing `host:port` NodeIds, roles, redundancy state) |
+| `Certificates.razor` | Port — F13a's `PkiStoreRoot` becomes the data source |
+| `Reservations.razor` | Port |
+| `RoleGrants.razor` | **Reshape.** v1 was cluster-scoped role grants; v2 uses LDAP group → role mapping (see Q4 below) |
+| `AlarmsHistorian.razor` | Port — wire to F11's `HistorianAdapterActor.GetStatus` (queue depth + drain state) |
+| `ScriptLog.razor` | Port — needs SignalR hub bridge (F16 deferred ScriptLogHub) |
+| `ScriptedAlarms.razor` (top-level) | **Possibly drop** (see Q2 below) |
+| `VirtualTags.razor` (top-level) | **Possibly drop** (see Q2 below) |
+
+### Driver-typed editors (5 files) — sequencing decision needed
+
+| Legacy | v2 strategy |
+|---|---|
+| `Drivers/FocasDetail.razor` | Defer — JSON editor in `DriversTab` covers the same config initially |
+| `Modbus/ModbusOptionsEditor.razor` | Same |
+| `Modbus/ModbusAddressEditor.razor` | Same |
+| `Modbus/ModbusAddressPreview.razor` | Same |
+| `Modbus/ModbusDiagnostics.razor` | Port — separate from the config editor, this is operational telemetry |
+
+### Account (1 file) — port
+
+| Legacy | v2 strategy |
+|---|---|
+| `Account.razor` | Port — minor reshape for JWT (token expiry UI, refresh button) |
+
+## Summary by disposition
+
+| Disposition | Count |
+|---|---|
+| Already in v2 | 5 |
+| Port as-is | 22 |
+| Port + reshape | 7 |
+| **Drop (replaced by live-edit / Deployments page)** | **5** |
+| Drop (redundant with cluster tab) | 2 (pending Q2) |
+| Defer (driver-typed editors) | 4 |
+| **Total active rebuild** | ~30 pages |
+
+## Open design questions
+
+These need answers before per-page sequencing starts. They drive how many
+phases the rebuild takes and what gets cut.
+
+### Q1 — Driver-typed editors: ship now or defer?
+
+**Context.** v1 had typed editors for Modbus + FOCAS driver config. They sat
+behind a generic JSON editor for the other six driver types. The typed editors
+caught operator typos that the JSON editor missed (port ranges, slave-ID
+collisions, address-map overlaps).
+
+**Options.**
+- **Defer all typed editors.** Ship `DriversTab` with a JSON editor first; add
+  typed editors per-driver as field requests come in. Saves ~1 day on F15.
+- **Port the existing two.** Modbus + FOCAS were already validated against
+  field use. The other six driver types stay JSON-only.
+- **Ship all eight typed editors.** Most work, best UX. ~3 extra days on F15.
+
+**Recommendation:** Defer. The OPC UA dual-endpoint tests + driver
+engine wiring (F7-F10) are higher-leverage and need attention first.
+
+### Q2 — Top-level `ScriptedAlarms.razor` and `VirtualTags.razor`: keep or drop?
+
+**Context.** In v1, these were fleet-wide views of every scripted alarm and
+virtual tag across every cluster. The cluster tabs let you edit them; the
+top-level pages let you find them across clusters.
+
+**Options.**
+- **Drop.** Fleet-wide view is rare; cluster scope covers 95% of use.
+- **Keep as read-only.** Cross-cluster search + drill-down to the per-cluster tab.
+
+**Recommendation:** Drop, but expose a global search on the top nav that
+matches cluster + alarm/tag names if operators ask.
+
+### Q3 — ClusterDetail: 10 tabs or split routes?
+
+**Context.** v1 had 10 nav-tabs inside `ClusterDetail.razor`. Some are very
+heavy (Tags can be 10k rows; AuditTab streams). All 10 share render state.
+
+**Options.**
+- **Keep tabs.** Familiar; one URL per cluster.
+- **Split into routes.** `/clusters/{id}/equipment`, `/clusters/{id}/tags`,
+  etc. Better deep-linking, better load (one tab's data per page), easier auth
+  scoping.
+
+**Recommendation:** Split into routes. The v1 monolith was already groaning
+under the live-update SignalR fan-in; routes let each surface manage its own
+subscription lifecycle.
+
+### Q4 — RoleGrants: cluster-scoped table or LDAP group → role map?
+
+**Context.** v1 had a per-cluster `RoleGrants` table where you mapped users to
+cluster-scoped roles (ClusterAdmin, ClusterOperator, etc.). v2 introduced
+LDAP-driven auth: LDAP group membership maps to OPC UA permissions
+(`ReadOnly`, `WriteOperate`, `WriteTune`, `WriteConfigure`, `AlarmAck`)
+fleet-wide.
+
+**Options.**
+- **Keep v1 model.** Cluster-scoped grants survive; LDAP just provides the
+  username.
+- **Replace with fleet-wide LDAP-group → role mapping.** v2's `LdapOptions`
+  already has a `GroupToRole` dictionary; surface that in a single fleet-level
+  page.
+- **Both.** LDAP map for fleet-wide defaults; per-cluster overrides for
+  scoping.
+
+**Recommendation:** Fleet-wide LDAP-group → role map only. Per-cluster scoping
+adds combinatorial complexity that v2's redundancy model doesn't need
+(every driver-role node runs every driver in the fleet).
+
+### Q5 — Login UI: backed by `/auth/login` (cookie+JWT hybrid) — what about LDAP error UX?
+
+**Context.** v2's `/auth/login` does an LDAP bind. Failures come back as
+specific reasons (invalid creds vs. service-account misconfig vs. server
+unreachable). The default behavior is to lump them all into "Login failed."
+
+**Options.**
+- **Generic "Login failed."** Safer; doesn't leak whether the username exists.
+- **Specific error categories.** Helps operators diagnose deploy issues.
+
+**Recommendation:** Generic for production deployments, specific when
+`Authentication:Ldap:AllowInsecureLdap=true` (dev mode signal).
+
+## Proposed sequencing (4 phases)
+
+Each phase is independently mergeable. The branch ships when Phase A is in;
+Phases B–D can follow as smaller PRs.
+
+### Phase A — Shell + auth + fleet (minimum-viable Admin)
+~½–1 day. Ships a working admin surface with no config editing.
+- Port `App.razor`, `Routes.razor`, `_Imports.razor`
+- Port `Login.razor` (post Q5)
+- Port `Account.razor`
+- Reshape `Fleet.razor` against v2 data sources
+- Port `Hosts.razor` reshape
+
+### Phase B — Cluster CRUD + Overview/Redundancy tabs
+~1 day. Adds cluster browse + readonly redundancy view.
+- Port `ClustersList`, `NewCluster`, `ClusterDetail` (Overview tab only)
+- Port `RedundancyTab` (read-only — surfaces v2 `ServiceLevel`)
+- Split into routes if Q3 = split
+
+### Phase C — Config editor tabs
+~2 days. The big chunk — the live-edit config surface.
+- `EquipmentTab`, `UnsTab`, `NamespacesTab`
+- `DriversTab` (JSON-only initially per Q1)
+- `TagsTab`
+- `AclsTab` post Q4 reshape
+- `ImportEquipment`, `IdentificationFields`
+
+### Phase D — Logic + ops pages
+~1 day.
+- `VirtualTagsTab`, `ScriptedAlarmsTab`, `ScriptsTab`, `ScriptEditor`
+- `AuditTab` against new ConfigAuditLog schema
+- `RoleGrants` post Q4 reshape
+- `Certificates`
+- `Reservations`
+- `AlarmsHistorian`, `ScriptLog` (depends on F16 ScriptLogHub deferred)
+
+## Out of scope for F15
+
+- Typed driver editors (Q1, deferred unless reversed)
+- Top-level fleet-wide ScriptedAlarms / VirtualTags pages (Q2, recommended drop)
+- Per-cluster RoleGrants (Q4, recommended drop)
+- ScriptLogHub SignalR bridge (F16 deferred — only needed for Phase D's
+  ScriptLog page; can move to a separate F16-extension follow-up)
@@ -0,0 +1,128 @@
+# OtOpcUa v2 Architecture
+
+Single-page tour of the v2 layout. For decision history + tradeoffs, see [`2026-05-26-akka-hosting-alignment-design.md`](../plans/2026-05-26-akka-hosting-alignment-design.md).
+
+## Big picture
+
+```
+                    ┌─────────────────────────────────────────────┐
+                    │                  OtOpcUa.Host               │  (fused binary)
+                    │                                             │
+                    │  reads OTOPCUA_ROLES env, mounts:           │
+                    │  ┌─────────────────────────────────────┐    │
+                    │  │  admin → Blazor + auth + control-  │    │
+                    │  │          plane singletons          │    │
+                    │  │  driver → OPC UA endpoint +        │    │
+                    │  │           per-node actors          │    │
+                    │  └─────────────────────────────────────┘    │
+                    └─────────────────────────────────────────────┘
+                                          │
+                                          │  joins
+                                          ▼
+                    ┌─────────────────────────────────────────────┐
+                    │              Akka.NET cluster               │
+                    │  (split-brain resolver: keep-oldest, 15s)   │
+                    └─────────────────────────────────────────────┘
+
+shared by every node:  ┌─────────────────┐
+                       │  ConfigDb (SQL) │   live-edit + Deployment artifacts + audit
+                       └─────────────────┘
+```
+
+The v1 setup was two separate Windows services (`OtOpcUa.Server` + `OtOpcUa.Admin`) talking through the DB. v2 collapses them into one binary with role gating, and adds an Akka cluster so admin singletons can drive deploys and the redundancy story is automatic.
+
+## Project layout
+
+```
+src/Core/                       shared abstractions, no Server deps
+  ZB.MOM.WW.OtOpcUa.Commons             types + Akka message contracts + interfaces
+  ZB.MOM.WW.OtOpcUa.Cluster             HOCON, AkkaClusterOptions, IClusterRoleInfo
+  ZB.MOM.WW.OtOpcUa.Configuration       EF Core DbContext + entities
+
+src/Server/                     server-side projects
+  ZB.MOM.WW.OtOpcUa.Security            cookie+JWT auth, LDAP, JwtTokenService
+  ZB.MOM.WW.OtOpcUa.ControlPlane        admin-role cluster singletons
+  ZB.MOM.WW.OtOpcUa.Runtime             driver-role per-node actors
+  ZB.MOM.WW.OtOpcUa.OpcUaServer         OPC UA endpoint facade + Phase7Composer
+  ZB.MOM.WW.OtOpcUa.AdminUI             Blazor Razor class library
+  ZB.MOM.WW.OtOpcUa.Host                fused binary (Program.cs)
+```
+
+| Project | Role | Doc |
+|---|---|---|
+| Cluster | Bootstrap + cluster topology view | [Cluster.md](Cluster.md) |
+| ControlPlane | Admin singletons (deploy, audit, fleet, redundancy) | [ControlPlane.md](ControlPlane.md) |
+| Runtime | Driver-role actor tree | [Runtime.md](Runtime.md) |
+| Security | Cookie+JWT auth, LDAP, /auth/* endpoints | [../security.md](../security.md) |
+| OpcUaServer | OPC UA endpoint host + composer | [../OpcUaServer.md](../OpcUaServer.md) |
+| Host | Role-gated DI graph + Program.cs | [../ServiceHosting.md](../ServiceHosting.md) |
+
+## Role gating
+
+`Program.cs` reads `OTOPCUA_ROLES` once (per process) and decides what to wire:
+
+```csharp
+var roles = RoleParser.Parse(Environment.GetEnvironmentVariable("OTOPCUA_ROLES"));
+var hasAdmin = roles.Contains("admin");
+var hasDriver = roles.Contains("driver");
+
+builder.Services.AddOtOpcUaConfigDb(builder.Configuration);
+builder.Services.AddOtOpcUaCluster(builder.Configuration);
+
+builder.Services.AddAkka("otopcua", (ab, sp) =>
+{
+    ab.WithOtOpcUaClusterBootstrap(sp);            // HOCON + remote + cluster options
+    if (hasAdmin)  ab.WithOtOpcUaControlPlaneSingletons();
+    if (hasDriver) ab.WithOtOpcUaRuntimeActors();
+});
+
+if (hasAdmin)
+{
+    builder.Services.AddOtOpcUaAuth(builder.Configuration);
+    builder.Services.AddAdminUI();
+    // SignalR, AdminOpsClient, etc.
+}
+
+builder.Services.AddOtOpcUaHealth();
+```
+
+There is a **single** ActorSystem. Cluster singletons + per-node actors share it via the `Akka.Hosting` registry. This was a v2 fix (the initial Phase 9 wiring ran two ActorSystems by mistake; see commit `d6fac2d`).
+
+## Live-edit vs draft/publish
+
+v1 had `ConfigGeneration(Draft|Published)` with every live-edit entity FK'd to a generation. Edits accumulated in a Draft until Publish promoted them.
+
+v2 removes that entirely:
+
+- No `ConfigGeneration` table, no `GenerationId` columns.
+- Every live-edit entity has a `RowVersion` (`IsRowVersion()`) for last-write-wins.
+- Audit goes to `ConfigEdit` (per-row delta) and `ConfigAuditLog` (event-level).
+- Deploys snapshot the *current* DB state into an immutable `Deployment.ArtifactBlob` + its `RevisionHash`. That artifact is what driver nodes apply.
+
+See [ControlPlane.md § Deploy flow](ControlPlane.md#deploy-flow) for the end-to-end dispatch + ACK + seal sequence.
+
+## NodeId
+
+Each cluster member has a `NodeId` derived as `{PublicHostname}:{Port}` of the Akka remote endpoint. `ClusterRoleInfo.LocalNode` + `ConfigPublishCoordinator.DiscoverDriverNodes()` use the same formula so they always agree. The port suffix makes loopback test deployments distinguishable (commit `5cfbe8b`); in production the hostname alone is already unique.
+
+## Health endpoints
+
+| Path | Returns 200 when… |
+|---|---|
+| `/healthz` | Process is alive (no checks). |
+| `/health/ready` | DB reachable + this node is `Up` in the cluster. |
+| `/health/active` | This node is the admin role-leader (used by Traefik/HA-LB to pin traffic). |
+
+## What lives where (quick map)
+
+| Concern | Project | Entry point |
+|---|---|---|
+| Read OTOPCUA_ROLES | `Cluster.RoleParser` | static `Parse(string?)` |
+| Cluster lifecycle | `Cluster.WithOtOpcUaClusterBootstrap` | extension on `AkkaConfigurationBuilder` |
+| Local node identity | `Cluster.IClusterRoleInfo.LocalNode` | DI singleton |
+| Admin singletons | `ControlPlane.WithOtOpcUaControlPlaneSingletons` | extension on `AkkaConfigurationBuilder` |
+| Driver actors | `Runtime.WithOtOpcUaRuntimeActors` | extension on `AkkaConfigurationBuilder` |
+| Auth pipeline | `Security.AddOtOpcUaAuth` + `MapOtOpcUaAuth` | extensions on `IServiceCollection` / `IEndpointRouteBuilder` |
+| OPC UA facade | `OpcUaServer.OpcUaApplicationHost` | runtime host, started by driver-role startup |
+| Partner-URI advertising | `OpcUaServer.OpcUaApplicationHost.PopulateServerArray` | runs after `_application.Start`, appends `PeerApplicationUris` to the SDK `ServerUris` `StringTable` so `Server.ServerArray` (i=2254) returns self + peers |
+| Health endpoints | `Host.Health.AddOtOpcUaHealth` + `MapOtOpcUaHealth` | extensions on `IServiceCollection` / `IEndpointRouteBuilder` |
@@ -0,0 +1,104 @@
+# OtOpcUa.Cluster
+
+Akka.NET cluster bootstrap + topology view. Used by every other server-side project to talk to the live cluster.
+
+Path: `src/Core/ZB.MOM.WW.OtOpcUa.Cluster/`
+
+## Public surface
+
+| Type | Role |
+|---|---|
+| `AkkaClusterOptions` | DI-bound options from `appsettings.json::Cluster`. Hostname/Port/PublicHostname/SeedNodes/Roles. |
+| `IClusterRoleInfo` (interface in Commons) | Live view of cluster membership + role-leader topology. Thread-safe + event-raising. |
+| `ClusterRoleInfo` | Implementation. Subscribes to `ClusterEvent.IMemberEvent` + `RoleLeaderChanged` + `LeaderChanged`. |
+| `HoconLoader.LoadBaseConfig()` | Reads the embedded `Resources/akka.conf`. |
+| `RoleParser.Parse(string?)` | Parses `OTOPCUA_ROLES` env var into a deduped `string[]`. |
+| `ServiceCollectionExtensions.AddOtOpcUaCluster(configuration)` | Binds options + registers `IClusterRoleInfo` singleton. **Does not** start an ActorSystem. |
+| `WithOtOpcUaClusterBootstrap(serviceProvider)` | Extension on `AkkaConfigurationBuilder`. Loads embedded HOCON + applies `WithRemoting(...)` + `WithClustering(...)` from options. |
+
+## Bootstrap flow
+
+```csharp
+// Program.cs
+builder.Services.AddOtOpcUaCluster(builder.Configuration);
+
+builder.Services.AddAkka("otopcua", (ab, sp) =>
+{
+    ab.WithOtOpcUaClusterBootstrap(sp);          // HOCON + remote + cluster
+    // …singletons + node actors layered on
+});
+```
+
+Order matters: `AddOtOpcUaCluster` must come before `AddAkka` so the options binding has run by the time the `AddAkka` lambda fires. Inside the lambda, `WithOtOpcUaClusterBootstrap` resolves `IOptions<AkkaClusterOptions>` from `sp` and writes them into the Akka builder.
+
+The single ActorSystem this produces is what every other v2 piece runs on. There is no second Akka instance — that was a Phase 9 bug (commit `d6fac2d` consolidated).
+
+## Embedded HOCON
+
+`src/Core/ZB.MOM.WW.OtOpcUa.Cluster/Resources/akka.conf` contains:
+
+| Setting | Value | Why |
+|---|---|---|
+| `akka.actor.provider` | `cluster` | Required for `Cluster.Get(system)` to work. |
+| `akka.cluster.split-brain-resolver.active-strategy` | `keep-oldest` | Smaller/younger side downs itself on partition. |
+| `akka.cluster.split-brain-resolver.stable-after` | `15s` | Time before SBR acts. |
+| `akka.cluster.failure-detector.threshold` | `10.0` | Higher than default (8.0) for GC-pause tolerance. |
+| `opcua-synchronized-dispatcher.type` | `PinnedDispatcher` | Dedicated thread for `OpcUaPublishActor` so SDK calls stay marshalled. |
+
+The Cluster.Tests project verifies these key values stay correct (`HoconLoaderTests`).
+
+## Configuration
+
+```json
+{
+  "Cluster": {
+    "Hostname": "0.0.0.0",
+    "Port": 4053,
+    "PublicHostname": "node-a.lan",
+    "SeedNodes": ["akka.tcp://otopcua@node-a.lan:4053"],
+    "Roles": ["admin", "driver"]
+  }
+}
+```
+
+- `Hostname`: interface to bind. `0.0.0.0` listens on every interface.
+- `Port`: TCP port for cluster gossip. Default 4053.
+- `PublicHostname`: address advertised in cluster gossip. Must be reachable by every other node.
+- `SeedNodes`: where new nodes go to join. List one (or two) stable nodes. First node bootstraps the cluster from its own address.
+- `Roles`: free-form tags Akka gossip propagates. v2 uses `admin` + `driver`; per-role wiring in `Program.cs` reads `OTOPCUA_ROLES` env var, not this list — these two should stay in sync.
+
+Per-role overlay files (`appsettings.admin.json`, `appsettings.driver.json`, `appsettings.admin-driver.json`) layer on top of base `appsettings.json` based on the parsed `OTOPCUA_ROLES` (alphabetical, joined by `-`). See [ServiceHosting.md § Per-role configuration overlays](../ServiceHosting.md#per-role-configuration-overlays).
+
+## IClusterRoleInfo
+
+Anywhere in the host that needs the local node's identity or a view of who-else-is-in-the-cluster, inject `IClusterRoleInfo`:
+
+```csharp
+public sealed class MyService(IClusterRoleInfo cluster)
+{
+    public NodeId Self => cluster.LocalNode;
+    public IReadOnlyList<NodeId> Drivers => cluster.MembersWithRole("driver");
+    public NodeId? AdminLeader => cluster.RoleLeader("admin");
+
+    public MyService(IClusterRoleInfo cluster)
+    {
+        cluster.RoleLeaderChanged += (_, e) =>
+            Console.WriteLine($"role={e.Role}: {e.PreviousLeader} → {e.NewLeader}");
+    }
+}
+```
+
+`LocalNode` is `{PublicHostname}:{Port}` (the port suffix lets loopback test deployments stay distinct; production hostnames are already unique). `ConfigPublishCoordinator` uses the same `{host}:{port}` formula so the expected-ack set and the driver self-identification agree (commit `5cfbe8b`).
+
+## Lifecycle
+
+Akka.Hosting owns the lifecycle: `IHostedService` starts the ActorSystem at host start, runs `CoordinatedShutdown.ClusterLeavingReason` on host stop. The Cluster project does not register its own `IHostedService` (the v1 `AkkaHostedService` was deleted in commit `d6fac2d`).
+
+## Tests
+
+`tests/Core/ZB.MOM.WW.OtOpcUa.Cluster.Tests/` covers:
+
+- `HoconLoaderTests` — embedded resource loads + key settings parse correctly.
+- `RoleParserTests` — comma-split + dedup + trim semantics.
+
+Cross-project integration is in `tests/Server/ZB.MOM.WW.OtOpcUa.Host.IntegrationTests/` (cluster formation, deploy round-trip).
@@ -0,0 +1,99 @@
+# OtOpcUa.ControlPlane
+
+Five admin-role cluster singletons that drive the v2 deploy, audit, fleet, and redundancy stories. Path: `src/Server/ZB.MOM.WW.OtOpcUa.ControlPlane/`.
+
+## Singletons
+
+| Actor | File | Marker key | Role |
+|---|---|---|---|
+| `ConfigPublishCoordinator` | `Coordinators/ConfigPublishCoordinator.cs` | `ConfigPublishCoordinatorKey` | Dispatches `DispatchDeployment`, collects `ApplyAck`s, seals/fails/times-out. |
+| `AdminOperationsActor` | `AdminOperations/AdminOperationsActor.cs` | `AdminOperationsActorKey` | Receives `StartDeployment` from the UI, snapshots ConfigDb via `ConfigComposer`, persists `Deployment` row + `ConfigEdit` marker, tells the coordinator to dispatch. |
+| `AuditWriterActor` | `Audit/AuditWriterActor.cs` | `AuditWriterActorKey` | Batched `ConfigAuditLog` writer. Flushes every 500 events or 5 s. In-buffer dedup; cross-restart dedup tracked as F3. |
+| `FleetStatusBroadcaster` | `Fleet/FleetStatusBroadcaster.cs` | `FleetStatusBroadcasterKey` | Aggregates per-node `FleetNodeStatus` heartbeats; publishes `FleetStatusChanged` on the `fleet-status` DPS topic (SignalR bridge tracked as F16). |
+| `RedundancyStateActor` | `Redundancy/RedundancyStateActor.cs` | `RedundancyStateActorKey` | Cluster-event subscriber; debounces 250 ms; publishes `RedundancyStateChanged` on the `redundancy-state` DPS topic. |
+
+All five register via `WithOtOpcUaControlPlaneSingletons()` (extension on `AkkaConfigurationBuilder`). Each uses `ClusterSingletonOptions { Role = "admin" }` so the singleton runs on the admin role-leader and migrates to the next admin node on failover.
+
+```csharp
+// Program.cs (admin role only)
+builder.Services.AddAkka("otopcua", (ab, sp) =>
+{
+    ab.WithOtOpcUaClusterBootstrap(sp);
+    if (hasAdmin) ab.WithOtOpcUaControlPlaneSingletons();
+    if (hasDriver) ab.WithOtOpcUaRuntimeActors();
+});
+```
+
+Resolve from anywhere via `IRequiredActor<T>` or the `ActorRegistry`:
+
+```csharp
+public sealed class AdminOperationsClient(ActorRegistry registry) : IAdminOperationsClient
+{
+    private readonly IActorRef _proxy = registry.Get<AdminOperationsActorKey>();
+    // ...
+}
+```
+
+## Deploy flow
+
+```
+UI → IAdminOperationsClient.StartDeploymentAsync(createdBy)
+        │  Ask the AdminOperationsActor singleton proxy
+        ▼
+AdminOperationsActor
+        │  ConfigComposer.SnapshotAndFlattenAsync(db) → ConfigArtifact(blob, revHash)
+        │  insert Deployment(Dispatching) + ConfigEdit marker
+        │  Tell coordinator → DispatchDeployment
+        ▼
+ConfigPublishCoordinator
+        │  DiscoverDriverNodes() → expected ACK set (host:port per member)
+        │  insert NodeDeploymentState(Applying) per driver
+        │  Publish DispatchDeployment on "deployments" topic
+        │  Start apply-deadline timer (2 min default)
+        ▼  DistributedPubSub
+DriverHostActor (on each driver node — subscribed to "deployments")
+        │  PreStart subscribed; current state Steady(rev)
+        │  if currentRev == msg.rev → immediate ApplyAck(Applied)  (idempotent)
+        │  else Become(Applying) → write NodeDeploymentStatus → ApplyAck
+        ▼  via "deployment-acks" topic
+ConfigPublishCoordinator (subscribed to "deployment-acks" in PreStart)
+        │  PersistNodeAck + collect
+        │  all-Applied → Sealed
+        │  any-Failed → PartiallyFailed
+        │  deadline → TimedOut
+```
+
+The dedicated `deployment-acks` topic + coordinator subscription was added in commit `5cfbe8b`. Before that, ACKs were published back on `deployments` and the coordinator (not subscribed) silently dropped them — deployments hung at `AwaitingApplyAcks` forever in multi-node tests.
+
+### Failover recovery
+
+If the admin singleton fails over mid-deploy, the new instance's `PreStart` queries `NodeDeploymentState` for any `Dispatching`/`AwaitingApplyAcks` row, rebuilds `_expectedAcks` + `_acks` from persisted state, and resumes the deadline timer. See `Coordinators/ConfigPublishCoordinator.cs::PreStart`.
+
+## ConfigComposer
+
+Pure function `SnapshotAndFlattenAsync(db) → ConfigArtifact(byte[], string)`:
+
+1. Reads every live-edit table.
+2. Serialises to a stable byte[] (deterministic ordering).
+3. Computes SHA-256 over the bytes → 64-hex `RevisionHash`.
+
+Same DB state → same artifact + same hash. That's what makes the `NoChanges` outcome work (AdminOperations compares the proposed hash to the last sealed deployment's hash).
+
+## ServiceLevelCalculator
+
+Pure function exposed at `Redundancy/ServiceLevelCalculator.Compute(NodeHealthInputs)`. Returns the OPC UA `ServiceLevel` byte per the truth table in [Redundancy.md](../Redundancy.md#servicelevel-tiers-part-5-65). No side effects; trivially unit-testable.
+
+## DPS topics
+
+| Topic | Publisher | Subscribers |
+|---|---|---|
+| `deployments` | ConfigPublishCoordinator | DriverHostActor (per-node) |
+| `deployment-acks` | DriverHostActor | ConfigPublishCoordinator |
+| `fleet-status` | FleetStatusBroadcaster | (SignalR bridge — F16) |
+| `redundancy-state` | RedundancyStateActor | (per-node ServiceLevel calc — F10) |
+
+## Tests
+
+`tests/Server/ZB.MOM.WW.OtOpcUa.ControlPlane.Tests/` — 29 tests covering coordinator (happy path, timeout, failover recovery), AdminOps (StartDeployment outcomes), AuditWriter (batching, dedup), FleetStatusBroadcaster (heartbeat staleness), RedundancyStateActor (debounce, snapshot), ConfigComposer (purity), ServiceLevelCalculator (truth table).
+
+Multi-node tests (cross-ActorSystem) are in `tests/Server/ZB.MOM.WW.OtOpcUa.Host.IntegrationTests/`.
@@ -0,0 +1,126 @@
+# OtOpcUa.Runtime
+
+Driver-role actor tree — one set per node. Path: `src/Server/ZB.MOM.WW.OtOpcUa.Runtime/`.
+
+## Actor tree
+
+```
+                    DriverHostActor (per node)
+                          │  state machine: Steady ⇄ Applying ⇄ Stale
+                          │
+                          ├──▶ DriverInstanceActor (per configured DriverInstance row)
+                          │      state: Connecting → Connected → Reconnecting (or Stubbed)
+                          │
+                          ├──▶ VirtualTagActor (per VirtualTag row)
+                          │      compiles + evaluates expression, publishes derived value
+                          │
+                          ├──▶ ScriptedAlarmActor (per ScriptedAlarm row)
+                          │      state: Inactive ⇄ Active ⇄ Acknowledged
+                          │
+                          ├──▶ OpcUaPublishActor (per node, pinned dispatcher)
+                          │      marshalled OPC UA SDK writes + RebuildAddressSpace
+                          │
+                          ├──▶ HistorianAdapterActor (per node)
+                          │      pipe IPC to Wonderware historian sidecar
+                          │
+                          ├──▶ PeerOpcUaProbeActor (per peer node)
+                          │      opc.tcp ping → redundancy-state DPS topic
+                          │
+                          └──▶ DbHealthProbeActor (per node)
+                                cached SELECT 1; consumed by /health/ready + redundancy calc
+```
+
+## Public surface
+
+| Type | File |
+|---|---|
+| `WithOtOpcUaRuntimeActors()` | `ServiceCollectionExtensions.cs` — extension on `AkkaConfigurationBuilder`. Spawns `DriverHostActor` + `DbHealthProbeActor` on the host's ActorSystem. |
+| `DriverHostActor` | `Drivers/DriverHostActor.cs` |
+| `DriverInstanceActor` | `Drivers/DriverInstanceActor.cs` |
+| `VirtualTagActor` | `VirtualTags/VirtualTagActor.cs` |
+| `ScriptedAlarmActor` | `ScriptedAlarms/ScriptedAlarmActor.cs` |
+| `OpcUaPublishActor` | `OpcUa/OpcUaPublishActor.cs` |
+| `HistorianAdapterActor` | `Historian/HistorianAdapterActor.cs` |
+| `PeerOpcUaProbeActor` | `Health/PeerOpcUaProbeActor.cs` |
+| `DbHealthProbeActor` | `Health/DbHealthProbeActor.cs` |
+
+Marker keys for registry lookup: `DriverHostActorKey`, `DbHealthProbeActorKey`.
+
+## DriverHostActor
+
+Per-node supervisor with three Become states:
+
+| State | Meaning |
+|---|---|
+| `Steady(rev)` | Caught up. `DispatchDeployment` with `msg.rev == currentRev` → immediate `ApplyAck(Applied)` (idempotent). New rev → `Become(Applying)`. |
+| `Applying(id)` | Apply in progress. Further `DispatchDeployment` for in-flight ID → debug-log + ignore. For new ID → defer via `Self.Forward`. |
+| `Stale` | ConfigDb unreachable on bootstrap. Periodic `RetryConfigDbConnection` tries to advance to `Steady`. |
+
+`PreStart`:
+
+1. Subscribe to `deployments` DPS topic.
+2. Read most-recent `NodeDeploymentState` for this node from ConfigDb.
+3. If `Applied` → restore `_currentRevision`, `Become(Steady)`.
+4. If `Applying` (orphan from crash) → replay apply (idempotent).
+5. If `Failed` → `Become(Steady)` at last known rev.
+6. DB unreachable → `Become(Stale)`, start retry timer.
+
+ACK publishing: when no `_coordinatorOverride` is set (production), `SendAck` publishes on the dedicated `deployment-acks` DPS topic which the coordinator subscribes to (commit `5cfbe8b`).
+
+## DriverInstanceActor
+
+Per-driver-instance child. State machine:
+
+- `Connecting` → first attempt to reach the underlying driver
+- `Connected` → subscriptions active, reads/writes flow
+- `Reconnecting` → temporary disconnect; backoff retry
+- `Stubbed` → DEV-STUB mode for Windows-only drivers (Galaxy, Wonderware Historian) on non-Windows or when `roles` contains `dev`
+
+`ShouldStub(driverType, roles)` returns `true` for `"Galaxy" | "Historian.Wonderware"` on non-Windows; the actor goes straight to `Stubbed` and returns deterministic success without touching real hardware. Wiring this into the DriverHost child-spawn path is follow-up F20 (folds into F7).
+
+Engine wiring (subscription publishing, ApplyDelta diff, bad-quality-on-disconnect, write path, supervisor backoff) is stubbed — tracked as F7. Tests exercise message contracts, not engine behaviour.
+
+## VirtualTagActor / ScriptedAlarmActor
+
+Skeleton state machines + message handlers. Engine work:
+
+- `VirtualTagEngine.Evaluate()` not yet called from `VirtualTagActor.DependencyValueChanged` (F8).
+- `AlarmConditionService` not yet called from `ScriptedAlarmActor` (F9).
+- `ScriptedAlarmState` DB persistence on `PreRestart` not wired (F9).
+
+## OpcUaPublishActor
+
+The only actor on the **pinned dispatcher** (`opcua-synchronized-dispatcher` from `akka.conf`). All OPC UA SDK address-space writes go through it so the SDK's threading model isn't violated.
+
+Message contracts are defined; actual SDK calls are stubbed (counters only). Real address-space writes + `ServiceLevel` Variable updates + `RebuildAddressSpace` after a deploy land in F10 (gated on F13 — full `OpcUaApplicationHost` extraction).
+
+## HistorianAdapterActor, PeerOpcUaProbeActor
+
+Both have message contracts wired. Engine integration deferred:
+
+- `HistorianAdapterActor` — named-pipe IPC to the Wonderware historian sidecar + `SqliteStoreAndForwardSink` (F11).
+- `PeerOpcUaProbeActor` — real `opc.tcp://peer:4840` ping (F12). Current stub always returns `Ok=true`.
+
+## DbHealthProbeActor
+
+`Ask<DbHealthStatus>` returns cached state (refreshed every 5 s by an internal `SELECT 1`). Consumed by `/health/ready` and `RedundancyStateActor`.
+
+## Lifecycle wiring
+
+```csharp
+// Program.cs (driver role only)
+builder.Services.AddAkka("otopcua", (ab, sp) =>
+{
+    ab.WithOtOpcUaClusterBootstrap(sp);
+    if (hasAdmin)  ab.WithOtOpcUaControlPlaneSingletons();
+    if (hasDriver) ab.WithOtOpcUaRuntimeActors();
+});
+```
+
+`WithOtOpcUaRuntimeActors` resolves `IDbContextFactory<OtOpcUaConfigDbContext>` + `IClusterRoleInfo` from DI, then spawns `DbHealthProbeActor` and `DriverHostActor` as top-level `/user/` actors. Both register marker keys in `ActorRegistry` so the registry lookup works from anywhere.
+
+## Tests
+
+`tests/Server/ZB.MOM.WW.OtOpcUa.Runtime.Tests/` — 16 tests covering DriverHostActor (Steady ack, Applying transitions, Stale recovery), DriverInstanceActor (state machine, stub mode), VirtualTagActor + ScriptedAlarmActor (message contracts), OpcUaPublishActor (props + message acceptance), DbHealthProbe + PeerOpcUaProbe (probe loop), and the `WithOtOpcUaRuntimeActors` registration round-trip.
+
+End-to-end deploy from admin → driver via the cluster is in `tests/Server/ZB.MOM.WW.OtOpcUa.Host.IntegrationTests/DeployHappyPathTests.cs`.
@@ -36,7 +36,7 @@ Mirror ScadaLink's layout exactly:

 ```
 src/
-  ZB.MOM.WW.OtOpcUa.Admin/                        # Razor Components project (.NET 10)
+  ZB.MOM.WW.OtOpcUa.AdminUI/                       # Razor Components project (.NET 10)
    Auth/
      AuthEndpoints.cs                            # /auth/login, /auth/logout, /auth/token
      CookieAuthenticationStateProvider.cs        # bridges cookie auth to Blazor <AuthorizeView>
@@ -61,10 +61,10 @@ src/
        NotAuthorizedView.razor
    EndpointExtensions.cs                         # MapAuthEndpoints + role policies
    ServiceCollectionExtensions.cs                # AddCentralAdmin
-  ZB.MOM.WW.OtOpcUa.Admin.Security/               # LDAP + role mapping + JWT (sibling of ScadaLink.Security)
+  ZB.MOM.WW.OtOpcUa.Security/                      # LDAP + role mapping + JWT (sibling of ScadaLink.Security)
 ```

-The `Admin.Security` project carries `LdapAuthService`, `RoleMapper`, `JwtTokenService`, `AuthorizationPolicies`. If it ever makes sense to consolidate with ScadaLink's identical project, lift to a shared internal NuGet — out of scope for v2.0 to keep OtOpcUa decoupled from ScadaLink's release cycle.
+The `Security` project carries `LdapAuthService`, `RoleMapper`, `JwtTokenService`, `AuthorizationPolicies`. If it ever makes sense to consolidate with ScadaLink's identical project, lift to a shared internal NuGet — out of scope for v2.0 to keep OtOpcUa decoupled from ScadaLink's release cycle.

 ## Authentication & Authorization

@@ -96,7 +96,7 @@ Shipped as PR #183 (12 tests in configuration; 13 more in Admin.Tests).
 | F.4 — Test harness (modal, synthetic inputs, output + logger display) | **Partial** | `ScriptTestHarnessService.cs` is complete and tested. `ScriptsTab.razor` calls `Harness.RunVirtualTagAsync` with zero-value synthetic inputs derived from the extractor. A full interactive input-form modal was not shipped — the harness zeroes all inputs automatically rather than prompting the operator per-tag. |
 | F.5 — Script log viewer (SignalR tail of `scripts-*.log` filtered by `ScriptName`, load-more) | **Not started** | No SignalR stream of the scripts log is wired in the Admin UI. The `AlertHub` / `FleetStatusHub` exist but there is no `ScriptLogHub`. |
 | F.6 — `/alarms/historian` diagnostics view | **Done** | `AlarmsHistorian.razor` + `HistorianDiagnosticsService.cs` |
-| F.7 — Playwright smoke (author calc tag, verify in equipment tree; author alarm, verify in `AlarmsAndConditions`) | **Not started** | `tests/Server/ZB.MOM.WW.OtOpcUa.Admin.E2ETests/` exists but its `UnsTabDragDropE2ETests.cs` is the only Playwright test; no Phase 7 Admin UI playwright scenario. |
+| F.7 — Playwright smoke (author calc tag, verify in equipment tree; author alarm, verify in `AlarmsAndConditions`) | **Not started** | No Phase 7 Playwright/E2E project exists in the repo today; future-work item without an assigned path. |

 Shipped as PR #185 (13 Admin service tests; UI completeness is partial — see gaps section).

@@ -190,8 +190,8 @@ The SignalR tail of `scripts-*.log` filtered by `ScriptName` was not implemented
 | `Core.VirtualTags` sources | `src/Core/ZB.MOM.WW.OtOpcUa.Core.VirtualTags/` |
 | `Core.ScriptedAlarms` sources | `src/Core/ZB.MOM.WW.OtOpcUa.Core.ScriptedAlarms/` |
 | `Core.AlarmHistorian` sources | `src/Core/ZB.MOM.WW.OtOpcUa.Core.AlarmHistorian/` |
-| Server Phase7 composition | `src/Server/ZB.MOM.WW.OtOpcUa.Server/Phase7/` |
-| Admin services | `src/Server/ZB.MOM.WW.OtOpcUa.Admin/Services/Script*.cs`, `VirtualTagService.cs`, `HistorianDiagnosticsService.cs` |
-| Admin UI pages | `src/Server/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/ScriptsTab.razor`, `AlarmsHistorian.razor` |
+| Server Phase7 composition | `src/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer/Phase7Composer.cs`, `Phase7Applier.cs`, `Phase7Plan.cs` |
+| Admin services (CRUD writes) | `src/Server/ZB.MOM.WW.OtOpcUa.ControlPlane/AdminOperations/AdminOperationsActor.cs` (actor-driven); live state in `src/Server/ZB.MOM.WW.OtOpcUa.Runtime/ScriptedAlarms/ScriptedAlarmActor.cs`, `Runtime/VirtualTags/VirtualTagActor.cs`; Roslyn engines in `src/Server/ZB.MOM.WW.OtOpcUa.Host/Engines/` — v1 `Admin/Services/Script*.cs`, `VirtualTagService.cs`, `HistorianDiagnosticsService.cs` deleted |
+| Admin UI pages | `src/Server/ZB.MOM.WW.OtOpcUa.AdminUI/Components/Pages/Scripts.razor`, `ScriptEdit.razor`, `ScriptedAlarms.razor`, `ScriptedAlarmEdit.razor`, `AlarmsHistorian.razor`, `VirtualTags.razor`, `VirtualTagEdit.razor` |
 | Historian sidecar writer | `src/Drivers/ZB.MOM.WW.OtOpcUa.Driver.Historian.Wonderware.Client/WonderwareHistorianClient.cs` |
 | EF migrations | `src/Core/ZB.MOM.WW.OtOpcUa.Configuration/Migrations/20260420231641_AddPhase7ScriptingTables.cs`, `20260420232000_ExtendComputeGenerationDiffWithPhase7.cs` |
@@ -55,6 +55,7 @@ Each row is one manual run; pass criterion in the right column.
 | A2 | ServiceLevel updates on peer down | Connect to Primary. Stop Backup (`sc stop OtOpcUa`). Watch `ServiceLevel`. | Transitions 200 → 150 within ~2 s of peer probe timeout |
 | A3 | RedundancySupport | Browse to `Server.ServerRedundancy.RedundancySupport`. | Value matches the declared `RedundancyMode` (Warm / Hot / None) |
 | A4 | ServerUriArray (non-transparent upgrade) | Requires a redundancy-object-type upgrade follow-up. | When upgrade lands: `ServerUriArray` reports both ApplicationUris, self first |
+| A4b | Peer URI visibility via `Server.ServerArray` (i=2254) | Configure each `OpcUaApplicationHost` with the partner's `ApplicationUri` via `OpcUaApplicationHostOptions.PeerApplicationUris`. From any client, Read NodeId `i=2254` (`Server.ServerArray`). | Returned `String[]` includes both self + peer `ApplicationUri`s. Validated by `DualEndpointTests` in `tests/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer.IntegrationTests/` (loopback dual-host with real OPCFoundation client `Session` read). |
 | A5 | Mid-apply dip | On Primary trigger a `sp_PublishGeneration` apply. | `ServiceLevel` drops to 75 for the apply duration + dwell |

 ### Block B — Client failover
@@ -101,7 +102,9 @@ flips A4 from "deferred" to "expected pass").
 - **A4 pending**: `Server.ServerRedundancy` on our current SDK build lands as
  the base `ServerRedundancyState`, which has no `ServerUriArray` child.
  `ServerRedundancyNodeWriter.ApplyServerUriArray` logs-and-skips until the
-  redundancy-object-type upgrade follow-up lands.
+  redundancy-object-type upgrade follow-up lands. Cross-reference **A4b** —
+  peer URIs are visible today via `Server.ServerArray` (i=2254) populated by
+  `OpcUaApplicationHost.PopulateServerArray`.
 - **Recovery dwell default**: `RecoveryStateManager.DwellTime` defaults to 60 s
  in `Program.cs`. Adjust via future config knob if B3 takes too long to
  observe.
@@ -121,8 +124,8 @@ flips A4 from "deferred" to "expected pass").
  redundancy implementations we don't control.
 - For the sub-set of scenarios that *can* be automated — the self-loopback
  case where our own `otopcua-cli` drives Primary + Backup — the existing
-  `tests/Server/ZB.MOM.WW.OtOpcUa.Server.Tests/RedundancyStatePublisherTests` +
-  `ServiceLevelCalculatorTests` (unit) + `ClusterTopologyLoaderTests`
-  (integration) already cover the math + data path. The wire-level assertion
-  that the values actually land on the right OPC UA nodes is covered by
-  `ServerRedundancyNodeWriterTests`.
+  `tests/Server/ZB.MOM.WW.OtOpcUa.ControlPlane.Tests/RedundancyStateActorTests` +
+  `ServiceLevelCalculatorTests` (unit) already cover the math + data path.
+  The wire-level assertion that the peer URIs actually land on the
+  `Server.ServerArray` node (i=2254) is covered by `DualEndpointTests` in
+  `tests/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer.IntegrationTests/`.
@@ -57,7 +57,7 @@ Remaining follow-ups (hardening):
 Remaining Phase 6.3 surfaces (hardening, not release-blocking):

 - ~~`PeerHttpProbeLoop` + `PeerUaProbeLoop` HostedServices populating `PeerReachabilityTracker` on each tick.~~ **Closed 2026-04-24.** Two-layer probe model shipped: HTTP probe at 2 s / 1 s timeout against `/healthz`; OPC UA probe at 10 s / 5 s timeout via `DiscoveryClient.GetEndpoints`, short-circuiting when HTTP reports the peer unhealthy. Registered on the Server as `AddHostedService<PeerHttpProbeLoop>` + `AddHostedService<PeerUaProbeLoop>`. Publisher now sees accurate `PeerReachability` per peer instead of degrading to `Unknown` → Isolated-Primary band (230).
- OPC UA variable-node wiring: bind `ServiceLevel` Byte + `ServerUriArray` String[] to the publisher's events via `BaseDataVariable.OnReadValue` / direct value push.
+- ~~OPC UA variable-node wiring: bind `ServiceLevel` Byte + `ServerUriArray` String[] to the publisher's events via `BaseDataVariable.OnReadValue` / direct value push.~~ **Closed 2026-05-26.** `ServiceLevel` byte binding closed earlier under Path D. Peer-URI half closed via `OpcUaApplicationHost.PopulateServerArray` — populates self + each `PeerApplicationUris` entry into the SDK `IServerInternal.ServerUris` `StringTable`; clients read `Server.ServerArray` (NodeId `i=2254`). Validated by `DualEndpointTests` in `tests/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer.IntegrationTests/`. `ServerUriArray` proper (the redundancy-object-type child) remains deferred pending object-type upgrade.
 - ~~`sp_PublishGeneration` wraps its apply in `await using var lease = coordinator.BeginApplyLease(...)` so the `PrimaryMidApply` band (200) fires during actual publishes (task #148 part 2).~~ **Closed 2026-04-24.** The apply loop now lives in `GenerationRefreshHostedService` — polls `sp_GetCurrentGenerationForCluster` every 5s, opens a lease when a new generation is detected, calls `RedundancyCoordinator.RefreshAsync` inside the `await using`, releases the lease on all exit paths. Replaces the previous "topology never refreshes without a process restart" behaviour.
 - Client interop matrix — Ignition / Kepware / Aveva OI Gateway (Stream F, task #150). Manual + doc-only.

@@ -118,6 +118,7 @@ v2 GA requires all of the following:

 ## Change log

+- **2026-05-26** — Gap-closeout pass. `OpcUaApplicationHost.PopulateServerArray` populates `Server.ServerArray` (NodeId `i=2254`) with self + `OpcUaApplicationHostOptions.PeerApplicationUris`, giving non-transparent peer URI visibility through the standard discovery surface. New `tests/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer.IntegrationTests/` IT project (`DualEndpointTests`) validates with two real `OpcUaApplicationHost` instances on loopback + a live OPCFoundation client `Session` read. CI `v2-ci.yml` `integration:` job converted to a matrix across `Host.IntegrationTests` + `OpcUaServer.IntegrationTests`. Per-role appsettings overlays shipped (`appsettings.admin.json` / `appsettings.driver.json` / `appsettings.admin-driver.json`) — `Program.cs:33-35` loads by alphabetical-joined role suffix. `FailoverScenarioTests` → `FailoverDuringDeployTests` rename. Stale empty `src/Server/{Server,Admin}` + `tests/Server/{Server.Tests,Admin.Tests,Admin.E2ETests}` directories deleted (no source, absent from `.slnx`).
 - **2026-04-24** — Phase 5 driver complement closed (task #120 CLOSED). AB CIP, AB Legacy, TwinCAT, FOCAS all shipped. FOCAS migration: retired the Tier-C split (`Driver.FOCAS.Host` + `Driver.FOCAS.Shared` + `FwlibNative` + shim DLL deleted) in favour of a pure-managed in-process `FocasWireClient` inlined into `Driver.FOCAS`; driver is now read-only against the CNC by design. Integration test matrix grew to cover Browse / Subscribe / IAlarmSource / Probe end-to-end.
 - **2026-04-23** — Phase 6.4 audit close-out. IdentificationFolderBuilder + OPC 40010 Identification folder verified against the shipped code.
 - **2026-04-20** — Phase 7 plan drafted (`phase-7-scripting-and-alarming.md`, `phase-7-e2e-smoke.md`). Out of scope for v2 GA.
@@ -1,46 +1,63 @@
 <#
 .SYNOPSIS
-    Registers the v2 Windows services on a node: OtOpcUa (main server, net10) and
-    optionally OtOpcUaWonderwareHistorian (Wonderware historian sidecar).
+    Registers the v2 Windows service on a node: OtOpcUaHost (fused binary, .NET 10)
+    and optionally OtOpcUaWonderwareHistorian (Wonderware historian sidecar, net48 x86).

 .DESCRIPTION
-    PR 7.2 retired the legacy out-of-process OtOpcUaGalaxyHost service alongside the
-    GalaxyProxyDriver / GalaxyHost / GalaxyShared projects. Galaxy access now flows
-    through the in-process GalaxyDriver talking gRPC to a separately-installed
-    mxaccessgw. The mxaccessgw server runs out of its own repo
-    (`c:\Users\dohertj2\Desktop\mxaccessgw\`) — see
-    `docs/v2/Galaxy.ParityRig.md` for the gw setup recipe.
+    v2 consolidates the legacy OtOpcUa + OtOpcUaAdmin services into a single role-gated
+    OtOpcUaHost binary. The -Roles parameter sets the OTOPCUA_ROLES service env so
+    Program.cs decides what to mount (admin / driver / both). The Wonderware historian
+    sidecar logic is unchanged from v1; install it with -InstallWonderwareHistorian.
+
+    Galaxy access flows through the mxaccessgw sibling repo (separate service); see
+    docs/v2/Galaxy.ParityRig.md for the gateway setup.

 .PARAMETER InstallRoot
-    Where the binaries live (typically C:\Program Files\OtOpcUa).
+    Where the binaries live (typically C:\Program Files\OtOpcUa). The OtOpcUaHost
+    service runs OtOpcUa.Host.exe from this directory; publish the Host project there
+    with `dotnet publish -c Release -r win-x64 --self-contained` first.

 .PARAMETER ServiceAccount
-    Service account SID or DOMAIN\name. The OtOpcUa service runs under this account.
+    Service account SID or DOMAIN\name. The OtOpcUaHost service runs under this account.
+
+.PARAMETER Roles
+    Comma-separated cluster roles for this node. One of:
+    - "admin,driver"  — single-node dev or all-in-one production node
+    - "admin"          — admin-only HA pair member (Blazor + control-plane singletons)
+    - "driver"         — driver-only node (OPC UA endpoint + per-node actors)
+    Written to the service env as OTOPCUA_ROLES.
+
+.PARAMETER HttpPort
+    HTTP port for the AdminUI + auth endpoints. Default 9000. Written as ASPNETCORE_URLS.
+    Ignored on driver-only nodes (no Blazor surface).

 .PARAMETER InstallWonderwareHistorian
-    Gate the OtOpcUaWonderwareHistorian sidecar install. Off by default; set when
-    the deployment uses the Wonderware historian for history reads + alarm-event
-    persistence.
+    Gate the OtOpcUaWonderwareHistorian sidecar install. Off by default; set when the
+    deployment uses the Wonderware historian for history reads + alarm-event persistence.

 .PARAMETER HistorianSharedSecret
-    Per-process secret passed to the Historian sidecar via env var. Generated
-    freshly per install when not supplied.
+    Per-process secret passed to the historian sidecar via env var. Generated freshly
+    per install when not supplied.

 .EXAMPLE
-    .\Install-Services.ps1 -InstallRoot 'C:\Program Files\OtOpcUa' -ServiceAccount 'OTOPCUA\svc-otopcua'
+    .\Install-Services.ps1 -InstallRoot 'C:\Program Files\OtOpcUa' `
+        -ServiceAccount 'OTOPCUA\svc-otopcua' -Roles 'admin,driver'

 .EXAMPLE
-    .\Install-Services.ps1 -InstallRoot 'C:\Program Files\OtOpcUa' -ServiceAccount 'OTOPCUA\svc-otopcua' `
+    .\Install-Services.ps1 -InstallRoot 'C:\Program Files\OtOpcUa' `
+        -ServiceAccount 'OTOPCUA\svc-otopcua' -Roles 'driver' `
        -InstallWonderwareHistorian
 #>
 [CmdletBinding()]
 param(
    [Parameter(Mandatory)] [string]$InstallRoot,
    [Parameter(Mandatory)] [string]$ServiceAccount,
+    [Parameter(Mandatory)] [ValidateSet('admin', 'driver', 'admin,driver', 'driver,admin')]
+                          [string]$Roles,
+    [int]$HttpPort = 9000,

-    # PR 3.W — Wonderware historian sidecar. Optional; gates the
-    # OtOpcUaWonderwareHistorian service. Secret + pipe defaults match the server's
-    # Historian:Wonderware appsettings block.
+    # Wonderware historian sidecar. Optional; gates the OtOpcUaWonderwareHistorian
+    # service. Secret + pipe defaults match the server's Historian:Wonderware appsettings.
    [switch]$InstallWonderwareHistorian,
    [string]$HistorianSharedSecret,
    [string]$HistorianPipeName = 'OtOpcUaWonderwareHistorian',
@@ -51,18 +68,19 @@ param(

 $ErrorActionPreference = 'Stop'

-if (-not (Test-Path "$InstallRoot\OtOpcUa.Server.exe")) {
-    Write-Error "OtOpcUa.Server.exe not found at $InstallRoot — copy the publish output first"
+if (-not (Test-Path "$InstallRoot\OtOpcUa.Host.exe")) {
+    Write-Error "OtOpcUa.Host.exe not found at $InstallRoot — copy the publish output first"
    exit 1
 }

-# Generate fresh shared secrets per install if not supplied.
 function New-SharedSecret {
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
 }
-if ($InstallWonderwareHistorian -and -not $HistorianSharedSecret) { $HistorianSharedSecret = New-SharedSecret }
+if ($InstallWonderwareHistorian -and -not $HistorianSharedSecret) {
+    $HistorianSharedSecret = New-SharedSecret
+}

 if ($InstallWonderwareHistorian -and -not (Test-Path "$InstallRoot\WonderwareHistorian\OtOpcUa.Driver.Historian.Wonderware.exe")) {
    Write-Error "OtOpcUa.Driver.Historian.Wonderware.exe not found at $InstallRoot\WonderwareHistorian — copy the publish output first"
@@ -76,10 +94,7 @@ $sid = if ($ServiceAccount.StartsWith('S-1-')) {
    (New-Object System.Security.Principal.NTAccount $ServiceAccount).Translate([System.Security.Principal.SecurityIdentifier]).Value
 }

-# --- Install OtOpcUaWonderwareHistorian (PR 3.W) — separate sidecar that exposes the
-#     Wonderware Historian SDK via a named-pipe protocol consumed by the .NET 10 server.
-#     Optional: only installed when -InstallWonderwareHistorian is supplied. Depends on the
-#     hard AVEVA services that host the historian SDK runtime path.
+# --- OtOpcUaWonderwareHistorian sidecar (optional, unchanged from v1) -------
 $historianDepend = $null
 if ($InstallWonderwareHistorian) {
    $historianEnv = @(
@@ -87,14 +102,10 @@ if ($InstallWonderwareHistorian) {
        "OTOPCUA_ALLOWED_SID=$sid"
        "OTOPCUA_HISTORIAN_SECRET=$HistorianSharedSecret"
        "OTOPCUA_HISTORIAN_ENABLED=true"
-        # Default-on when the historian sidecar is installed; flip to false for a
-        # read-only deployment that still loads aahClientManaged for reads but
-        # rejects WriteAlarmEvents frames.
        "OTOPCUA_HISTORIAN_ALARM_WRITE_ENABLED=true"
        "OTOPCUA_HISTORIAN_SERVER=$HistorianServer"
        "OTOPCUA_HISTORIAN_PORT=$HistorianPort"
-    ) -join "`0"
-    $historianEnv += "`0`0"
+    )

    Write-Host "Installing OtOpcUaWonderwareHistorian..."
    & sc.exe create OtOpcUaWonderwareHistorian binPath= "`"$InstallRoot\WonderwareHistorian\OtOpcUa.Driver.Historian.Wonderware.exe`"" `
@@ -105,36 +116,59 @@ if ($InstallWonderwareHistorian) {
    & sc.exe config OtOpcUaWonderwareHistorian start= delayed-auto | Out-Null

    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\OtOpcUaWonderwareHistorian"
-    $envValue = $historianEnv.Split("`0") | Where-Object { $_ -ne '' }
-    Set-ItemProperty -Path $svcKey -Name 'Environment' -Type MultiString -Value $envValue
+    Set-ItemProperty -Path $svcKey -Name 'Environment' -Type MultiString -Value $historianEnv
+
+    & sc.exe failure OtOpcUaWonderwareHistorian reset= 86400 actions= restart/5000/restart/30000/restart/60000 | Out-Null

    $historianDepend = 'OtOpcUaWonderwareHistorian'
 }

-# --- Install OtOpcUa. Galaxy access flows through GalaxyDriver → mxaccessgw (gRPC),
-#     so OtOpcUa no longer depends on a sibling service for Galaxy connectivity. The
-#     mxaccessgw is installed separately. When the Wonderware sidecar is installed,
-#     depend on it for startup ordering.
-$otOpcUaDepends = @()
-if ($historianDepend) { $otOpcUaDepends += $historianDepend }
+# --- OtOpcUaHost (the fused v2 binary) --------------------------------------
+$normalisedRoles = ($Roles -split ',' | ForEach-Object { $_.Trim() } | Sort-Object -Unique) -join ','

-Write-Host "Installing OtOpcUa..."
+$hasAdmin = $normalisedRoles -split ',' -contains 'admin'
+
+$hostEnv = @(
+    "OTOPCUA_ROLES=$normalisedRoles",
+    'DOTNET_ENVIRONMENT=Production'
+)
+if ($hasAdmin) {
+    $hostEnv += "ASPNETCORE_URLS=http://+:$HttpPort"
+}
+
+$hostDepends = @()
+if ($historianDepend) { $hostDepends += $historianDepend }
+
+Write-Host "Installing OtOpcUaHost (roles=$normalisedRoles)..."
 $createArgs = @(
-    'create', 'OtOpcUa',
-    'binPath=', "`"$InstallRoot\OtOpcUa.Server.exe`"",
-    'DisplayName=', 'OtOpcUa Server',
+    'create', 'OtOpcUaHost',
+    'binPath=', "`"$InstallRoot\OtOpcUa.Host.exe`"",
+    'DisplayName=', "OtOpcUa Host ($normalisedRoles)",
    'start=', 'auto',
    'obj=', $ServiceAccount
 )
-if ($otOpcUaDepends.Count -gt 0) {
-    $createArgs += @('depend=', ($otOpcUaDepends -join '/'))
+if ($hostDepends.Count -gt 0) {
+    $createArgs += @('depend=', ($hostDepends -join '/'))
 }
 & sc.exe @createArgs | Out-Null

+# Env block via registry MultiString (sc.exe doesn't take env directly).
+$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\OtOpcUaHost"
+Set-ItemProperty -Path $svcKey -Name 'Environment' -Type MultiString -Value $hostEnv
+
+# Restart-on-failure: 5s, 30s, 60s; reset counter after a clean 24h run.
+& sc.exe failure OtOpcUaHost reset= 86400 actions= restart/5000/restart/30000/restart/60000 | Out-Null
+
 Write-Host ""
-Write-Host "Installed. Start with:"
+Write-Host "Installed OtOpcUaHost:"
+Write-Host "  Roles:        $normalisedRoles"
+if ($hasAdmin) { Write-Host "  HTTP port:    $HttpPort" }
+Write-Host "  Binary:       $InstallRoot\OtOpcUa.Host.exe"
+Write-Host "  Account:      $ServiceAccount"
+Write-Host ""
+Write-Host "Start with:"
 if ($InstallWonderwareHistorian) { Write-Host "  sc.exe start OtOpcUaWonderwareHistorian" }
-Write-Host "  sc.exe start OtOpcUa"
+Write-Host "  sc.exe start OtOpcUaHost"
 if ($InstallWonderwareHistorian) {
    Write-Host ""
    Write-Host "Wonderware historian shared secret (configure into appsettings.json Historian:Wonderware:SharedSecret):"
@@ -142,5 +176,5 @@ if ($InstallWonderwareHistorian) {
 }
 Write-Host ""
 Write-Host "NOTE: Galaxy access flows through mxaccessgw — install + run that separately"
-Write-Host "      per docs/v2/Galaxy.ParityRig.md. OtOpcUa connects via the Galaxy.Gateway"
-Write-Host "      section of appsettings.json (default endpoint http://localhost:5120)."
+Write-Host "      per docs/v2/Galaxy.ParityRig.md. OtOpcUaHost connects via the"
+Write-Host "      Galaxy.Gateway section of appsettings.json (default http://localhost:5120)."
@@ -0,0 +1,68 @@
+<#
+.SYNOPSIS
+    Installs Traefik as a Windows service that routes admin HTTP traffic to whichever
+    OtOpcUa.Host node holds the admin role-leader (via /health/active).
+
+.DESCRIPTION
+    Downloads the Traefik Windows binary into $InstallRoot, drops traefik.yml +
+    traefik-dynamic.yml from this directory next to it, and registers Traefik as a
+    Windows service via sc.exe with restart-on-failure.
+
+    Companion to Install-Services.ps1. Run on the box that fronts the admin HTTP
+    traffic (typically a separate node from OtOpcUaHost, or co-located on the
+    primary admin node).
+
+.PARAMETER InstallRoot
+    Where the Traefik binary + config land. Default 'C:\Program Files\Traefik'.
+
+.PARAMETER TraefikVersion
+    Traefik version to download. Default 'v3.1.6'.
+
+.EXAMPLE
+    .\Install-Traefik.ps1 -InstallRoot 'C:\Program Files\Traefik'
+#>
+[CmdletBinding()]
+param(
+    [string]$InstallRoot = 'C:\Program Files\Traefik',
+    [string]$TraefikVersion = 'v3.1.6'
+)
+
+$ErrorActionPreference = 'Stop'
+
+if (-not (Test-Path $InstallRoot)) {
+    New-Item -ItemType Directory -Path $InstallRoot | Out-Null
+}
+
+$zip = Join-Path $env:TEMP "traefik-$TraefikVersion.zip"
+$url = "https://github.com/traefik/traefik/releases/download/$TraefikVersion/traefik_${TraefikVersion}_windows_amd64.zip"
+
+Write-Host "Downloading Traefik $TraefikVersion..."
+Invoke-WebRequest -Uri $url -OutFile $zip
+Expand-Archive -Path $zip -DestinationPath $InstallRoot -Force
+Remove-Item $zip
+
+$scriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
+Copy-Item -Force (Join-Path $scriptDir 'traefik.yml') $InstallRoot
+Copy-Item -Force (Join-Path $scriptDir 'traefik-dynamic.yml') (Join-Path $InstallRoot 'dynamic.yml')
+
+# Traefik reads dynamic.yml from /etc/traefik on Linux; on Windows place it next to the
+# binary and point the file provider at it. Edit traefik.yml's `filename:` if you want
+# to change the location.
+(Get-Content -Raw (Join-Path $InstallRoot 'traefik.yml')) `
+    -replace '/etc/traefik/dynamic.yml', (Join-Path $InstallRoot 'dynamic.yml').Replace('\', '/') `
+    | Set-Content (Join-Path $InstallRoot 'traefik.yml')
+
+Write-Host "Installing Traefik Windows service..."
+& sc.exe create OtOpcUaTraefik binPath= "`"$InstallRoot\traefik.exe`" --configFile=`"$InstallRoot\traefik.yml`"" `
+    DisplayName= 'OtOpcUa Traefik (admin HTTP front door)' `
+    start= auto | Out-Null
+
+& sc.exe failure OtOpcUaTraefik reset= 86400 actions= restart/5000/restart/30000/restart/60000 | Out-Null
+
+Write-Host ""
+Write-Host "Installed OtOpcUaTraefik. Edit:"
+Write-Host "  $InstallRoot\dynamic.yml  (router + service definitions)"
+Write-Host "Start with:"
+Write-Host "  sc.exe start OtOpcUaTraefik"
+Write-Host ""
+Write-Host "Traefik dashboard: http://localhost:8080  (turn off api.insecure in production)"
@@ -43,11 +43,11 @@ function Test-NssmService([string]$Name) {
 # Step 1: Stop in reverse dependency order
 # ------------------------------------------------------------------------

-Step "Stopping services (OtOpcUa → OtOpcUaWonderwareHistorian → MxAccessGw)"
+Step "Stopping services (OtOpcUaHost > OtOpcUaWonderwareHistorian > MxAccessGw)"

-foreach ($name in @('OtOpcUa', 'OtOpcUaWonderwareHistorian', 'MxAccessGw')) {
+foreach ($name in @('OtOpcUaHost', 'OtOpcUaWonderwareHistorian', 'MxAccessGw')) {
    if (Test-NssmService $name) {
-        Run { nssm stop $name } "stop $name"
+        Run { Stop-Service $name -Force -ErrorAction SilentlyContinue } "stop $name"
    }
    else {
        Write-Host "  ($name not installed; skipping)" -ForegroundColor DarkGray
@@ -56,7 +56,7 @@ foreach ($name in @('OtOpcUa', 'OtOpcUaWonderwareHistorian', 'MxAccessGw')) {

 if (-not $WhatIf) {
    Start-Sleep -Seconds 3
-    Get-Process MxGateway.Server, MxGateway.Worker, OtOpcUa.Server, OtOpcUa.Driver.Historian.Wonderware -ErrorAction SilentlyContinue |
+    Get-Process MxGateway.Server, MxGateway.Worker, OtOpcUa.Host, OtOpcUa.Driver.Historian.Wonderware -ErrorAction SilentlyContinue |
        ForEach-Object {
            Write-Host "  killing residual process $($_.ProcessName) (PID=$($_.Id))" -ForegroundColor DarkYellow
            Stop-Process -Id $_.Id -Force -ErrorAction SilentlyContinue
@@ -109,14 +109,14 @@ Run {
 # Step 4: Refresh OtOpcUa + Wonderware historian sidecar
 # ------------------------------------------------------------------------

-Step "Publishing OtOpcUa server + Wonderware historian sidecar from $RepoRoot"
+Step "Publishing OtOpcUa.Host + Wonderware historian sidecar from $RepoRoot"

 Run {
-    & dotnet publish "$RepoRoot\src\Server\ZB.MOM.WW.OtOpcUa.Server" `
+    & dotnet publish "$RepoRoot\src\Server\ZB.MOM.WW.OtOpcUa.Host" `
        -c Release -o (Join-Path $PublishRoot "lmxopcua") | Out-Null
    & dotnet publish "$RepoRoot\src\Drivers\ZB.MOM.WW.OtOpcUa.Driver.Historian.Wonderware" `
        -c Release -o (Join-Path $PublishRoot "lmxopcua\WonderwareHistorian") | Out-Null
-} "dotnet publish (Server + sidecar)"
+} "dotnet publish (Host + sidecar)"

 # ------------------------------------------------------------------------
 # Step 5: Service env block — ensure OTOPCUA_HISTORIAN_ALARM_WRITE_ENABLED
@@ -143,16 +143,16 @@ if (Test-NssmService 'OtOpcUaWonderwareHistorian') {
 # Step 6: Start in forward dependency order
 # ------------------------------------------------------------------------

-Step "Starting services (MxAccessGw → OtOpcUaWonderwareHistorian → OtOpcUa)"
+Step "Starting services (MxAccessGw > OtOpcUaWonderwareHistorian > OtOpcUaHost)"

 foreach ($pair in @(
    @{ Name = 'MxAccessGw';                  Wait = 4 },
    @{ Name = 'OtOpcUaWonderwareHistorian';  Wait = 4 },
-    @{ Name = 'OtOpcUa';                     Wait = 8 }
+    @{ Name = 'OtOpcUaHost';                 Wait = 8 }
 )) {
    $name = $pair.Name
    if (Test-NssmService $name) {
-        Run { nssm start $name } "start $name"
+        Run { Start-Service $name } "start $name"
        if (-not $WhatIf) { Start-Sleep -Seconds $pair.Wait }
    }
    else {
@@ -167,7 +167,7 @@ foreach ($pair in @(
 Step "Smoke verification"

 if (-not $WhatIf) {
-    foreach ($name in @('MxAccessGw', 'OtOpcUaWonderwareHistorian', 'OtOpcUa')) {
+    foreach ($name in @('MxAccessGw', 'OtOpcUaWonderwareHistorian', 'OtOpcUaHost')) {
        if (Test-NssmService $name) {
            $status = (Get-Service $name).Status
            $color = if ($status -eq 'Running') { 'Green' } else { 'Red' }
@@ -3,16 +3,17 @@
    Stops + removes the v2 services. Mirrors Install-Services.ps1.

 .DESCRIPTION
-    PR 7.2 retired the legacy OtOpcUaGalaxyHost service. Galaxy access now flows
-    through the in-process GalaxyDriver against a separately-installed mxaccessgw.
-    OtOpcUaGalaxyHost is included in the cleanup loop below so this script safely
-    removes it from any rig still carrying the legacy service from a pre-7.2
-    install.
+    Removes the v2 OtOpcUaHost service plus the optional OtOpcUaWonderwareHistorian
+    sidecar. Also cleans up legacy service names from prior installs:
+    - OtOpcUa (v1 server) — replaced by OtOpcUaHost in v2
+    - OtOpcUaAdmin (v1 admin) — fused into OtOpcUaHost in v2
+    - OtOpcUaGalaxyHost (pre-7.2 Galaxy host) — long-retired
 #>
 [CmdletBinding()] param()
 $ErrorActionPreference = 'Continue'

-foreach ($svc in 'OtOpcUa', 'OtOpcUaWonderwareHistorian', 'OtOpcUaGalaxyHost') {
+foreach ($svc in 'OtOpcUaHost', 'OtOpcUaWonderwareHistorian',
+                 'OtOpcUa', 'OtOpcUaAdmin', 'OtOpcUaGalaxyHost') {
    if (Get-Service $svc -ErrorAction SilentlyContinue) {
        Write-Host "Stopping $svc..."
        Stop-Service $svc -Force -ErrorAction SilentlyContinue
@@ -0,0 +1,24 @@
+# Dynamic (file-provider) Traefik config for the OtOpcUa admin HTTP routing.
+# Picked up by traefik.yml's file provider (with watch: true) so router/service
+# edits hot-reload without a Traefik restart.
+
+http:
+  routers:
+    otopcua-admin:
+      entryPoints: ["web"]
+      rule: "HostRegexp(`otopcua.*`)"
+      service: otopcua-admin
+
+  services:
+    otopcua-admin:
+      loadBalancer:
+        servers:
+          - url: "http://admin-a:9000"
+          - url: "http://admin-b:9000"
+        healthCheck:
+          path: /health/active
+          interval: 5s
+          timeout: 2s
+          # Default expected status is 2xx. Followers return 503 from
+          # /health/active so Traefik will drop them from the balancer
+          # within the next interval after a leadership change.
@@ -0,0 +1,30 @@
+# Traefik static configuration for the OtOpcUa fleet HTTP front door.
+#
+# Routes admin-role HTTP traffic (Blazor + auth + SignalR + /auth/*) to whichever
+# OtOpcUa.Host node currently holds the admin role-leader. Uses the /health/active
+# endpoint as the active-leader signal: a node returns 200 only when it is the
+# Akka admin role-leader; followers return 503 and Traefik routes around them.
+#
+# OPC UA traffic is NOT routed through Traefik — clients connect directly to
+# opc.tcp://node:4840 on every driver node and use the standard ServiceLevel
+# heuristic for failover.
+
+entryPoints:
+  web:
+    address: ":80"
+
+providers:
+  file:
+    filename: /etc/traefik/dynamic.yml
+    watch: true
+
+api:
+  insecure: true
+  dashboard: true
+
+log:
+  level: INFO
+  format: common
+
+accessLog:
+  format: common
@@ -1,97 +0,0 @@
-using Akka.Actor;
-using Akka.Configuration;
-using Microsoft.Extensions.Hosting;
-using Microsoft.Extensions.Logging;
-using Microsoft.Extensions.Options;
-
-namespace ZB.MOM.WW.OtOpcUa.Cluster;
-
-/// <summary>
-/// Starts the local <see cref="ActorSystem"/>, applies the embedded HOCON plus an overlay
-/// generated from <see cref="AkkaClusterOptions"/>, and joins the cluster. On shutdown,
-/// runs <c>CoordinatedShutdown</c> with the <c>ClusterLeavingReason</c> so the local node
-/// leaves the cluster cleanly before the process exits.
-/// </summary>
-public sealed class AkkaHostedService : IHostedService
-{
-    private readonly AkkaClusterOptions _options;
-    private readonly ILogger<AkkaHostedService> _logger;
-    private ActorSystem? _actorSystem;
-
-    public AkkaHostedService(IOptions<AkkaClusterOptions> options, ILogger<AkkaHostedService> logger)
-    {
-        _options = options.Value;
-        _logger = logger;
-    }
-
-    public ActorSystem ActorSystem =>
-        _actorSystem ?? throw new InvalidOperationException(
-            "ActorSystem requested before AkkaHostedService.StartAsync ran.");
-
-    public Task StartAsync(CancellationToken cancellationToken)
-    {
-        var overlay = BuildOverlay(_options);
-        var baseConfig = ConfigurationFactory.ParseString(HoconLoader.LoadBaseConfig());
-        var config = ConfigurationFactory.ParseString(overlay).WithFallback(baseConfig);
-
-        _logger.LogInformation(
-            "Starting ActorSystem '{System}' on {Host}:{Port} with roles=[{Roles}]",
-            _options.SystemName, _options.PublicHostname, _options.Port,
-            string.Join(",", _options.Roles));
-
-        _actorSystem = ActorSystem.Create(_options.SystemName, config);
-
-        if (_options.SeedNodes.Length > 0)
-        {
-            var seeds = _options.SeedNodes.Select(Address.Parse).ToList();
-            Akka.Cluster.Cluster.Get(_actorSystem).JoinSeedNodes(seeds);
-        }
-
-        return Task.CompletedTask;
-    }
-
-    public async Task StopAsync(CancellationToken cancellationToken)
-    {
-        if (_actorSystem is null) return;
-
-        _logger.LogInformation("Initiating cluster-leave CoordinatedShutdown");
-        var shutdown = CoordinatedShutdown.Get(_actorSystem);
-        using var cts = CancellationTokenSource.CreateLinkedTokenSource(cancellationToken);
-        cts.CancelAfter(TimeSpan.FromSeconds(30));
-
-        try
-        {
-            await shutdown.Run(CoordinatedShutdown.ClusterLeavingReason.Instance)
-                .WaitAsync(cts.Token).ConfigureAwait(false);
-        }
-        catch (OperationCanceledException)
-        {
-            _logger.LogWarning("Cluster leave timed out after 30s; forcing terminate");
-            await _actorSystem.Terminate().ConfigureAwait(false);
-        }
-    }
-
-    private static string BuildOverlay(AkkaClusterOptions o)
-    {
-        var seeds = string.Join(",", o.SeedNodes.Select(Quote));
-        var roles = string.Join(",", o.Roles.Select(Quote));
-        return $@"
-akka {{
-    remote.dot-netty.tcp {{
-        hostname = {Quote(o.Hostname)}
-        port = {o.Port}
-        public-hostname = {Quote(o.PublicHostname)}
-    }}
-    cluster {{
-        seed-nodes = [{seeds}]
-        roles = [{roles}]
-    }}
-}}";
-    }
-
-    private static string Quote(string? value)
-    {
-        var escaped = (value ?? string.Empty).Replace("\\", "\\\\").Replace("\"", "\\\"");
-        return $"\"{escaped}\"";
-    }
-}
@@ -29,7 +29,10 @@ public sealed class ClusterRoleInfo : IClusterRoleInfo, IDisposable
    {
        _cluster = Akka.Cluster.Cluster.Get(system);
        _logger = logger;
-        _localNode = CommonsNodeId.Parse(options.Value.PublicHostname);
+        // NodeId encodes host:port so cluster members on shared hosts (test loopback, dev VMs
+        // sharing a bind IP) stay distinct. Production hosts have unique DNS names so the port
+        // suffix is harmless redundancy.
+        _localNode = CommonsNodeId.Parse($"{options.Value.PublicHostname}:{options.Value.Port}");
        _localRoles = new HashSet<string>(options.Value.Roles, StringComparer.Ordinal);

        SeedFromCurrentState();
@@ -48,7 +51,7 @@ public sealed class ClusterRoleInfo : IClusterRoleInfo, IDisposable
        {
            if (!_membersByRole.TryGetValue(role, out var members)) return Array.Empty<CommonsNodeId>();
            return members
-                .Select(m => CommonsNodeId.Parse(m.Address.Host ?? string.Empty))
+                .Select(m => ToNodeId(m.Address))
                .ToArray();
        }
    }
@@ -58,7 +61,7 @@ public sealed class ClusterRoleInfo : IClusterRoleInfo, IDisposable
        lock (_lock)
        {
            return _roleLeaders.TryGetValue(role, out var leader) && leader is not null
-                ? CommonsNodeId.Parse(leader.Address.Host ?? string.Empty)
+                ? ToNodeId(leader.Address)
                : (CommonsNodeId?)null;
        }
    }
@@ -121,7 +124,7 @@ public sealed class ClusterRoleInfo : IClusterRoleInfo, IDisposable
        {
            _roleLeaders.TryGetValue(evt.Role, out var prevMember);
            if (prevMember is not null)
-                previous = CommonsNodeId.Parse(prevMember.Address.Host ?? string.Empty);
+                previous = ToNodeId(prevMember.Address);

            var nextMember = evt.Leader is null
                ? null
@@ -129,7 +132,7 @@ public sealed class ClusterRoleInfo : IClusterRoleInfo, IDisposable

            _roleLeaders[evt.Role] = nextMember;
            if (nextMember is not null)
-                next = CommonsNodeId.Parse(nextMember.Address.Host ?? string.Empty);
+                next = ToNodeId(nextMember.Address);

            raise = !Nullable.Equals(previous, next);
        }
@@ -150,6 +153,9 @@ public sealed class ClusterRoleInfo : IClusterRoleInfo, IDisposable
        }
    }

+    private static CommonsNodeId ToNodeId(Akka.Actor.Address address) =>
+        CommonsNodeId.Parse($"{address.Host ?? string.Empty}:{address.Port ?? 0}");
+
    public void Dispose()
    {
        _subscriber?.Tell(PoisonPill.Instance);
@@ -1,7 +1,9 @@
-using Akka.Actor;
+using Akka.Cluster.Hosting;
+using Akka.Hosting;
+using Akka.Remote.Hosting;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
-using Microsoft.Extensions.Hosting;
+using Microsoft.Extensions.Options;
 using ZB.MOM.WW.OtOpcUa.Commons.Interfaces;

 namespace ZB.MOM.WW.OtOpcUa.Cluster;
@@ -9,20 +11,57 @@ namespace ZB.MOM.WW.OtOpcUa.Cluster;
 public static class ServiceCollectionExtensions
 {
    /// <summary>
-    /// Registers the Akka cluster hosted service and exposes <see cref="ActorSystem"/> and
-    /// <see cref="IClusterRoleInfo"/> as singletons resolved from it. Call after binding
-    /// <c>OTOPCUA_ROLES</c> into <c>AkkaClusterOptions.Roles</c> via the calling Program.cs.
+    /// Binds <see cref="AkkaClusterOptions"/> and registers <see cref="IClusterRoleInfo"/>. The
+    /// actual ActorSystem + cluster bootstrap is layered on inside the host's <c>AddAkka(...)</c>
+    /// configurator via <see cref="WithOtOpcUaClusterBootstrap"/> — keeping the entire Akka graph
+    /// under Akka.Hosting's management so cluster singletons land on the same ActorSystem.
    /// </summary>
    public static IServiceCollection AddOtOpcUaCluster(this IServiceCollection services, IConfiguration configuration)
    {
        services.AddOptions<AkkaClusterOptions>()
            .Bind(configuration.GetSection(AkkaClusterOptions.SectionName));

-        services.AddSingleton<AkkaHostedService>();
-        services.AddHostedService(sp => sp.GetRequiredService<AkkaHostedService>());
-        services.AddSingleton<ActorSystem>(sp => sp.GetRequiredService<AkkaHostedService>().ActorSystem);
        services.AddSingleton<IClusterRoleInfo, ClusterRoleInfo>();

        return services;
    }
+
+    /// <summary>
+    /// Configures the Akka.Hosting builder with the embedded OtOpcUa HOCON (split-brain resolver,
+    /// pinned dispatcher, failure detector tuning) + remote endpoint + cluster bootstrap derived
+    /// from <see cref="AkkaClusterOptions"/>.
+    ///
+    /// Wire from Program.cs:
+    /// <code>
+    /// services.AddAkka("otopcua", (ab, sp) =>
+    /// {
+    ///     ab.WithOtOpcUaClusterBootstrap(sp);
+    ///     if (hasAdmin) ab.WithOtOpcUaControlPlaneSingletons();
+    ///     if (hasDriver) ab.WithOtOpcUaRuntimeActors();
+    /// });
+    /// </code>
+    /// </summary>
+    public static AkkaConfigurationBuilder WithOtOpcUaClusterBootstrap(
+        this AkkaConfigurationBuilder builder,
+        IServiceProvider serviceProvider)
+    {
+        var options = serviceProvider.GetRequiredService<IOptions<AkkaClusterOptions>>().Value;
+
+        builder.AddHocon(HoconLoader.LoadBaseConfig(), HoconAddMode.Append);
+
+        builder.WithRemoting(new RemoteOptions
+        {
+            HostName = options.Hostname,
+            Port = options.Port,
+            PublicHostName = options.PublicHostname,
+        });
+
+        builder.WithClustering(new ClusterOptions
+        {
+            SeedNodes = options.SeedNodes,
+            Roles = options.Roles,
+        });
+
+        return builder;
+    }
 }
@@ -0,0 +1,41 @@
+namespace ZB.MOM.WW.OtOpcUa.Commons.Engines;
+
+/// <summary>
+///     Persistence seam for <c>ScriptedAlarmActor</c>'s in-memory state across actor restarts.
+///     Captures only the slice the actor's 3-state machine needs (Inactive / Active /
+///     Acknowledged + last transition + last-ack user). The fuller GxP audit trail
+///     (<see cref="Configuration.Entities.ScriptedAlarmState"/>'s Comments/Confirmed/Shelving)
+///     stays in the production engine binding — this seam is the small surface the actor
+///     consumes directly.
+/// </summary>
+public interface IAlarmActorStateStore
+{
+    Task<AlarmActorStateSnapshot?> LoadAsync(string alarmId, CancellationToken ct);
+    Task SaveAsync(AlarmActorStateSnapshot snapshot, CancellationToken ct);
+}
+
+/// <summary>Persisted slice of <c>ScriptedAlarmActor</c>'s state. Active is NOT persisted —
+/// it re-derives from the evaluator on startup per Phase 7 decision #14. <c>State</c> here
+/// distinguishes Acknowledged vs not-yet-acknowledged for cases where the actor came up
+/// Active and operator interaction had already happened.</summary>
+/// <param name="AlarmId">Matches <c>ScriptedAlarm.ScriptedAlarmId</c>.</param>
+/// <param name="State">Inactive / Active / Acknowledged — the actor's 3-state enum, projected to string.</param>
+/// <param name="LastTransitionUtc">When the actor last transitioned.</param>
+/// <param name="LastAckUser">Who acknowledged most recently. Null when never acked.</param>
+public sealed record AlarmActorStateSnapshot(
+    string AlarmId,
+    string State,
+    DateTime LastTransitionUtc,
+    string? LastAckUser);
+
+/// <summary>No-op default. Bound when no production store is configured (tests, smoke runs).
+/// Load returns null → actor boots Inactive; Save is a no-op so state doesn't leak.</summary>
+public sealed class NullAlarmActorStateStore : IAlarmActorStateStore
+{
+    public static readonly NullAlarmActorStateStore Instance = new();
+    private NullAlarmActorStateStore() { }
+    public Task<AlarmActorStateSnapshot?> LoadAsync(string alarmId, CancellationToken ct) =>
+        Task.FromResult<AlarmActorStateSnapshot?>(null);
+    public Task SaveAsync(AlarmActorStateSnapshot snapshot, CancellationToken ct) =>
+        Task.CompletedTask;
+}
@@ -0,0 +1,30 @@
+namespace ZB.MOM.WW.OtOpcUa.Commons.Engines;
+
+/// <summary>
+///     Abstraction over the scripted-alarm predicate engine. Production binds this to a
+///     wrapper around <c>ScriptedAlarmEngine</c> from <c>Core.ScriptedAlarms</c>; default
+///     binding is <see cref="NullScriptedAlarmEvaluator"/> which keeps the alarm in its
+///     current state (so an unconfigured node never spuriously alarms).
+/// </summary>
+public interface IScriptedAlarmEvaluator
+{
+    ScriptedAlarmEvalResult Evaluate(string alarmId, string predicate, IReadOnlyDictionary<string, object?> dependencies);
+}
+
+/// <summary>Result of one alarm-predicate evaluation. <c>Active</c> is only meaningful when
+/// <c>Success</c> is true; on failure the caller should keep the prior state and log Reason.</summary>
+public sealed record ScriptedAlarmEvalResult(bool Success, bool Active, string? Reason)
+{
+    public static ScriptedAlarmEvalResult Ok(bool active) => new(true, active, null);
+    public static ScriptedAlarmEvalResult Failure(string reason) => new(false, false, reason);
+}
+
+/// <summary>Default that always returns <c>Active = false, Success = true</c>. Safe no-op:
+/// no alarm fires when no real engine is bound.</summary>
+public sealed class NullScriptedAlarmEvaluator : IScriptedAlarmEvaluator
+{
+    public static readonly NullScriptedAlarmEvaluator Instance = new();
+    private NullScriptedAlarmEvaluator() { }
+    public ScriptedAlarmEvalResult Evaluate(string alarmId, string predicate, IReadOnlyDictionary<string, object?> dependencies)
+        => ScriptedAlarmEvalResult.Ok(active: false);
+}
@@ -0,0 +1,36 @@
+namespace ZB.MOM.WW.OtOpcUa.Commons.Engines;
+
+/// <summary>
+///     Abstraction over the compiled virtual-tag expression engine. Runtime consumes this so
+///     <see cref="VirtualTagActor"/> can stay free of Roslyn / scripting machinery and the
+///     production wiring binds an adapter over <c>VirtualTagEngine</c> from
+///     <c>Core.VirtualTags</c>.
+/// </summary>
+public interface IVirtualTagEvaluator
+{
+    /// <summary>
+    ///     Evaluate <paramref name="expression"/> against the snapshot in
+    ///     <paramref name="dependencies"/>. Implementations must not throw — script failures
+    ///     are reported via <see cref="VirtualTagEvalResult.Failure"/>.
+    /// </summary>
+    VirtualTagEvalResult Evaluate(string virtualTagId, string expression, IReadOnlyDictionary<string, object?> dependencies);
+}
+
+/// <summary>Result of one virtual-tag expression eval. Stash a Reason on every Failure so
+/// callers can emit a useful <c>ScriptLogEntry</c> to operators.</summary>
+public sealed record VirtualTagEvalResult(bool Success, object? Value, string? Reason)
+{
+    public static readonly VirtualTagEvalResult NoChange = new(true, null, "no-change");
+    public static VirtualTagEvalResult Ok(object? value) => new(true, value, null);
+    public static VirtualTagEvalResult Failure(string reason) => new(false, null, reason);
+}
+
+/// <summary>Returns <see cref="VirtualTagEvalResult.NoChange"/> from every call. Bound by default
+/// when the production <c>VirtualTagEngine</c> adapter hasn't been registered (Mac dev, tests).</summary>
+public sealed class NullVirtualTagEvaluator : IVirtualTagEvaluator
+{
+    public static readonly NullVirtualTagEvaluator Instance = new();
+    private NullVirtualTagEvaluator() { }
+    public VirtualTagEvalResult Evaluate(string virtualTagId, string expression, IReadOnlyDictionary<string, object?> dependencies)
+        => VirtualTagEvalResult.NoChange;
+}
@@ -0,0 +1,25 @@
+namespace ZB.MOM.WW.OtOpcUa.Commons.Messages.Alerts;
+
+/// <summary>
+/// Live alarm transition published on the cluster <c>alerts</c> DistributedPubSub topic.
+/// Emitted by ScriptedAlarmActor (and future native-alarm bridges) when an alarm condition
+/// transitions; consumed by <c>AlertSignalRBridge</c> for browser fan-out and by historian
+/// adapters for durable storage.
+/// </summary>
+/// <param name="AlarmId">Stable condition identity (matches <c>ScriptedAlarm.ScriptedAlarmId</c> for scripted alarms).</param>
+/// <param name="EquipmentPath">UNS path of the Equipment node the alarm hangs under. Doubles as the SourceNode.</param>
+/// <param name="AlarmName">Operator-visible alarm name.</param>
+/// <param name="TransitionKind">Activated / Cleared / Acknowledged / Confirmed / Shelved / Unshelved / Disabled / Enabled / CommentAdded.</param>
+/// <param name="Severity">1–1000 numeric severity (OPC UA convention).</param>
+/// <param name="Message">Fully-rendered message text — template tokens already resolved.</param>
+/// <param name="User">Operator who triggered the transition. "system" for engine-driven events.</param>
+/// <param name="TimestampUtc">When the transition occurred.</param>
+public sealed record AlarmTransitionEvent(
+    string AlarmId,
+    string EquipmentPath,
+    string AlarmName,
+    string TransitionKind,
+    int Severity,
+    string Message,
+    string User,
+    DateTime TimestampUtc);
@@ -0,0 +1,10 @@
+using ZB.MOM.WW.OtOpcUa.Commons.Types;
+
+namespace ZB.MOM.WW.OtOpcUa.Commons.Messages.Fleet;
+
+/// <summary>
+/// Request a diagnostic snapshot from a per-node <c>DriverHostActor</c>. Sent by the admin UI's
+/// <c>IFleetDiagnosticsClient</c> via <c>ActorSelection</c> over the cluster; the local
+/// DriverHostActor responds with a <c>NodeDiagnosticsSnapshot</c>.
+/// </summary>
+public sealed record GetDiagnostics(CorrelationId CorrelationId);
@@ -0,0 +1,23 @@
+namespace ZB.MOM.WW.OtOpcUa.Commons.Messages.Logging;
+
+/// <summary>
+/// One line of script log output published on the cluster <c>script-logs</c> DPS topic.
+/// Emitted by VirtualTagActor + ScriptedAlarmActor when their hosted scripts call into
+/// the runtime's logging facade; consumed by <c>ScriptLogSignalRBridge</c> for live
+/// browser tail-style viewing.
+/// </summary>
+/// <param name="ScriptId">The Script row this entry came from (matches <c>Script.ScriptId</c>).</param>
+/// <param name="Level">"Trace" / "Debug" / "Information" / "Warning" / "Error" / "Critical" — Serilog levels.</param>
+/// <param name="Message">Operator-facing log message; template tokens already resolved.</param>
+/// <param name="TimestampUtc">When the script emitted the entry.</param>
+/// <param name="VirtualTagId">VirtualTag context, if logged from a virtual tag evaluation. Null otherwise.</param>
+/// <param name="AlarmId">ScriptedAlarm context, if logged from an alarm predicate. Null otherwise.</param>
+/// <param name="EquipmentId">Equipment scope, if the script ran in a per-equipment context. Null for fleet-wide scripts.</param>
+public sealed record ScriptLogEntry(
+    string ScriptId,
+    string Level,
+    string Message,
+    DateTime TimestampUtc,
+    string? VirtualTagId,
+    string? AlarmId,
+    string? EquipmentId);
@@ -0,0 +1,81 @@
+using System.Diagnostics;
+using System.Diagnostics.Metrics;
+
+namespace ZB.MOM.WW.OtOpcUa.Commons.Observability;
+
+/// <summary>
+/// Central <see cref="Meter"/> + <see cref="ActivitySource"/> definitions for OtOpcUa.
+/// All Akka actors, the OPC UA publish path, and the deploy coordinator emit through these
+/// pre-created instruments so a single OpenTelemetry / Prometheus binding in <c>Host</c>
+/// catches everything. No exporter is required — instruments are no-op until a listener
+/// attaches, so tests and dev hosts pay nothing for instrumentation that nobody scrapes.
+///
+/// Instrument names follow the OpenTelemetry semantic convention pattern
+/// <c>otopcua.&lt;subsystem&gt;.&lt;event&gt;</c>. Subsystem is one of: deploy, driver,
+/// virtualtag, scriptedalarm, opcua, redundancy.
+/// </summary>
+public static class OtOpcUaTelemetry
+{
+    public const string MeterName = "ZB.MOM.WW.OtOpcUa";
+    public const string ActivitySourceName = "ZB.MOM.WW.OtOpcUa";
+
+    /// <summary>Singleton <see cref="Meter"/> all counters/histograms hang off.</summary>
+    public static readonly Meter Meter = new(MeterName);
+
+    /// <summary>Singleton <see cref="ActivitySource"/> used to start spans wrapping deploy/apply/rebuild.</summary>
+    public static readonly ActivitySource ActivitySource = new(ActivitySourceName);
+
+    // ---------------- Deployment / driver-host coordination ----------------
+
+    /// <summary>Incremented every time DriverHostActor finishes applying a deployment (Ack or Reject).</summary>
+    public static readonly Counter<long> DeploymentApplied =
+        Meter.CreateCounter<long>("otopcua.deploy.applied", unit: "{deployment}",
+            description: "Deployments applied by a driver-role node (outcome=ack|reject).");
+
+    /// <summary>Time from DriverHostActor receiving DispatchDeployment to emitting the ack/reject.</summary>
+    public static readonly Histogram<double> DeploymentApplyDurationSec =
+        Meter.CreateHistogram<double>("otopcua.deploy.apply.duration", unit: "s",
+            description: "Driver-role apply latency from DispatchDeployment → Ack/Reject.");
+
+    /// <summary>DriverInstanceActor spawn count (added=new instance; stop=disposed).</summary>
+    public static readonly Counter<long> DriverInstanceLifecycle =
+        Meter.CreateCounter<long>("otopcua.driver.lifecycle", unit: "{event}",
+            description: "DriverInstanceActor lifecycle transitions (event=spawn|stop|fault).");
+
+    // ---------------- VirtualTag / ScriptedAlarm engines ----------------
+
+    public static readonly Counter<long> VirtualTagEval =
+        Meter.CreateCounter<long>("otopcua.virtualtag.eval", unit: "{eval}",
+            description: "Virtual-tag evaluations attempted (outcome=ok|fail|skip).");
+
+    public static readonly Counter<long> ScriptedAlarmTransition =
+        Meter.CreateCounter<long>("otopcua.scriptedalarm.transition", unit: "{transition}",
+            description: "Scripted-alarm state transitions (state=active|acknowledged|inactive).");
+
+    // ---------------- OPC UA address-space + redundancy ----------------
+
+    public static readonly Counter<long> OpcUaSinkWrite =
+        Meter.CreateCounter<long>("otopcua.opcua.sink.write", unit: "{write}",
+            description: "Writes that landed in IOpcUaAddressSpaceSink (kind=value|alarm|rebuild).");
+
+    public static readonly Counter<long> ServiceLevelChange =
+        Meter.CreateCounter<long>("otopcua.redundancy.service_level_change", unit: "{change}",
+            description: "OPC UA Server.ServiceLevel transitions emitted by the redundancy state.");
+
+    // ---------------- Convenience helpers ----------------
+
+    /// <summary>
+    /// Starts a deploy span tagged with the deployment id. Caller disposes to close. Returns
+    /// null when no listener is attached so the call site stays cheap on undecorated builds.
+    /// </summary>
+    public static Activity? StartDeployApplySpan(string deploymentId)
+    {
+        var activity = ActivitySource.StartActivity("otopcua.deploy.apply", ActivityKind.Internal);
+        activity?.SetTag("otopcua.deployment_id", deploymentId);
+        return activity;
+    }
+
+    /// <summary>Span wrapping a full OPC UA address-space rebuild (Phase7 plan → apply).</summary>
+    public static Activity? StartAddressSpaceRebuildSpan()
+        => ActivitySource.StartActivity("otopcua.opcua.address_space_rebuild", ActivityKind.Internal);
+}
@@ -0,0 +1,34 @@
+namespace ZB.MOM.WW.OtOpcUa.Commons.OpcUa;
+
+/// <summary>
+///     Wrapper <see cref="IOpcUaAddressSpaceSink"/> that defers to an inner sink swapped in at
+///     runtime. Needed because the production sink (<c>SdkAddressSpaceSink</c>) wraps an
+///     <c>OtOpcUaNodeManager</c> that only exists after the SDK <c>StandardServer</c> has
+///     started — but Akka actors resolve their sink dependency at construction time, before
+///     the hosted service has booted the SDK.
+///
+///     Bound as a singleton in DI on driver-role hosts; the OPC UA hosted service calls
+///     <see cref="SetSink"/> once the server is up. Until that swap happens, every call is a
+///     no-op against <see cref="NullOpcUaAddressSpaceSink"/>, so the actor stays safe to
+///     receive messages from the moment it boots.
+/// </summary>
+public sealed class DeferredAddressSpaceSink : IOpcUaAddressSpaceSink
+{
+    private volatile IOpcUaAddressSpaceSink _inner = NullOpcUaAddressSpaceSink.Instance;
+
+    /// <summary>Swap in the production sink. Pass <c>null</c> to revert to the null sink
+    /// (used during graceful shutdown so post-stop writes don't hit a half-disposed manager).</summary>
+    public void SetSink(IOpcUaAddressSpaceSink? sink) =>
+        _inner = sink ?? NullOpcUaAddressSpaceSink.Instance;
+
+    public void WriteValue(string nodeId, object? value, OpcUaQuality quality, DateTime sourceTimestampUtc)
+        => _inner.WriteValue(nodeId, value, quality, sourceTimestampUtc);
+
+    public void WriteAlarmState(string alarmNodeId, bool active, bool acknowledged, DateTime sourceTimestampUtc)
+        => _inner.WriteAlarmState(alarmNodeId, active, acknowledged, sourceTimestampUtc);
+
+    public void EnsureFolder(string folderNodeId, string? parentNodeId, string displayName)
+        => _inner.EnsureFolder(folderNodeId, parentNodeId, displayName);
+
+    public void RebuildAddressSpace() => _inner.RebuildAddressSpace();
+}
@@ -0,0 +1,19 @@
+namespace ZB.MOM.WW.OtOpcUa.Commons.OpcUa;
+
+/// <summary>
+/// Late-binding adapter that holds an inner <see cref="IServiceLevelPublisher"/> reference
+/// swappable at runtime. Mirrors <see cref="DeferredAddressSpaceSink"/>: Akka actors resolve
+/// the publisher at DI time, but the production <c>SdkServiceLevelPublisher</c> only exists
+/// after <c>StandardServer.Start</c>. The Host's hosted service swaps the inner once the SDK
+/// is up; until then writes route through <see cref="NullServiceLevelPublisher"/>.
+/// </summary>
+public sealed class DeferredServiceLevelPublisher : IServiceLevelPublisher
+{
+    private volatile IServiceLevelPublisher _inner = NullServiceLevelPublisher.Instance;
+
+    /// <summary>Swap the underlying publisher. Pass null to revert to the Null no-op.</summary>
+    public void SetInner(IServiceLevelPublisher? inner) =>
+        _inner = inner ?? NullServiceLevelPublisher.Instance;
+
+    public void Publish(byte serviceLevel) => _inner.Publish(serviceLevel);
+}
@@ -0,0 +1,46 @@
+namespace ZB.MOM.WW.OtOpcUa.Commons.OpcUa;
+
+/// <summary>
+///     Abstraction over the OPC UA SDK's address space. <c>OpcUaPublishActor</c> consumes this
+///     so the Runtime project doesn't reference <c>Opc.Ua.Server</c> directly — production
+///     binds a real SDK-backed sink in the fused Host's wiring, dev/Mac binds the
+///     <see cref="NullOpcUaAddressSpaceSink"/> no-op.
+/// </summary>
+public interface IOpcUaAddressSpaceSink
+{
+    /// <summary>Write a Variable node's current value + quality + source timestamp.</summary>
+    void WriteValue(string nodeId, object? value, OpcUaQuality quality, DateTime sourceTimestampUtc);
+
+    /// <summary>Write an alarm-condition Variable's active/acknowledged state.</summary>
+    void WriteAlarmState(string alarmNodeId, bool active, bool acknowledged, DateTime sourceTimestampUtc);
+
+    /// <summary>
+    ///     Ensure a folder node exists under the given parent. Used by <c>Phase7Applier</c> to
+    ///     materialise the UNS Area/Line/Equipment hierarchy in the address space. When
+    ///     <paramref name="parentNodeId"/> is null the folder is parented under the namespace
+    ///     root. Idempotent: calling twice with the same id is safe.
+    /// </summary>
+    void EnsureFolder(string folderNodeId, string? parentNodeId, string displayName);
+
+    /// <summary>
+    ///     Tear down + repopulate the address space. Called by <c>OpcUaPublishActor</c> after a
+    ///     successful deployment apply so the node manager reflects the new config. Idempotent.
+    /// </summary>
+    void RebuildAddressSpace();
+}
+
+/// <summary>OPC UA status code projection — Good / Uncertain / Bad. Real SDK has finer-grained
+/// codes; the engine actors only need this 3-state classification.</summary>
+public enum OpcUaQuality { Good, Uncertain, Bad }
+
+/// <summary>No-op sink. Bound by default so the actors are safe to run in dev / Mac /
+/// integration tests without a real SDK behind them.</summary>
+public sealed class NullOpcUaAddressSpaceSink : IOpcUaAddressSpaceSink
+{
+    public static readonly NullOpcUaAddressSpaceSink Instance = new();
+    private NullOpcUaAddressSpaceSink() { }
+    public void WriteValue(string nodeId, object? value, OpcUaQuality quality, DateTime sourceTimestampUtc) { }
+    public void WriteAlarmState(string alarmNodeId, bool active, bool acknowledged, DateTime sourceTimestampUtc) { }
+    public void EnsureFolder(string folderNodeId, string? parentNodeId, string displayName) { }
+    public void RebuildAddressSpace() { }
+}
@@ -0,0 +1,22 @@
+namespace ZB.MOM.WW.OtOpcUa.Commons.OpcUa;
+
+/// <summary>
+///     Writes the OPC UA Server object's <c>ServiceLevel</c> Variable (0–255). Production binds
+///     a sink that pokes the SDK's ServiceLevel node; tests + dev mode bind
+///     <see cref="NullServiceLevelPublisher"/> which just records the most recently set level
+///     for inspection.
+/// </summary>
+public interface IServiceLevelPublisher
+{
+    void Publish(byte serviceLevel);
+}
+
+/// <summary>No-op default that retains the last-written ServiceLevel in
+/// <see cref="LastPublished"/>. Used by dev mode + verified by tests.</summary>
+public sealed class NullServiceLevelPublisher : IServiceLevelPublisher
+{
+    public static readonly NullServiceLevelPublisher Instance = new();
+    private NullServiceLevelPublisher() { }
+    public byte LastPublished { get; private set; }
+    public void Publish(byte serviceLevel) => LastPublished = serviceLevel;
+}
@@ -22,4 +22,16 @@ public sealed class ConfigAuditLog
    public long? GenerationId { get; set; }

    public string? DetailsJson { get; set; }
+
+    /// <summary>
+    /// Stable per-event identifier from <c>AuditEvent.EventId</c>. Filtered unique index on
+    /// this column gives cross-restart idempotency for the batched AuditWriterActor: a flush
+    /// that retries after a process crash can re-send the same EventId without producing a
+    /// duplicate row. Nullable so pre-v2 rows backfill cleanly.
+    /// </summary>
+    public Guid? EventId { get; set; }
+
+    /// <summary>Correlation ID from <c>AuditEvent.CorrelationId</c> so an audit row joins to its
+    /// originating request/workflow. Nullable for the same backfill reason as <see cref="EventId"/>.</summary>
+    public Guid? CorrelationId { get; set; }
 }
@@ -0,0 +1,50 @@
+using System;
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Migrations
+{
+    /// <inheritdoc />
+    public partial class AddConfigAuditLogEventIdColumns : Migration
+    {
+        /// <inheritdoc />
+        protected override void Up(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.AddColumn<Guid>(
+                name: "CorrelationId",
+                table: "ConfigAuditLog",
+                type: "uniqueidentifier",
+                nullable: true);
+
+            migrationBuilder.AddColumn<Guid>(
+                name: "EventId",
+                table: "ConfigAuditLog",
+                type: "uniqueidentifier",
+                nullable: true);
+
+            migrationBuilder.CreateIndex(
+                name: "UX_ConfigAuditLog_EventId",
+                table: "ConfigAuditLog",
+                column: "EventId",
+                unique: true,
+                filter: "[EventId] IS NOT NULL");
+        }
+
+        /// <inheritdoc />
+        protected override void Down(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.DropIndex(
+                name: "UX_ConfigAuditLog_EventId",
+                table: "ConfigAuditLog");
+
+            migrationBuilder.DropColumn(
+                name: "CorrelationId",
+                table: "ConfigAuditLog");
+
+            migrationBuilder.DropColumn(
+                name: "EventId",
+                table: "ConfigAuditLog");
+        }
+    }
+}
@@ -165,9 +165,15 @@ namespace ZB.MOM.WW.OtOpcUa.Configuration.Migrations
                        .HasMaxLength(64)
                        .HasColumnType("nvarchar(64)");

+                    b.Property<Guid?>("CorrelationId")
+                        .HasColumnType("uniqueidentifier");
+
                    b.Property<string>("DetailsJson")
                        .HasColumnType("nvarchar(max)");

+                    b.Property<Guid?>("EventId")
+                        .HasColumnType("uniqueidentifier");
+
                    b.Property<string>("EventType")
                        .IsRequired()
                        .HasMaxLength(64)
@@ -192,6 +198,11 @@ namespace ZB.MOM.WW.OtOpcUa.Configuration.Migrations

                    b.HasKey("AuditId");

+                    b.HasIndex("EventId")
+                        .IsUnique()
+                        .HasDatabaseName("UX_ConfigAuditLog_EventId")
+                        .HasFilter("[EventId] IS NOT NULL");
+
                    b.HasIndex("GenerationId")
                        .HasDatabaseName("IX_ConfigAuditLog_Generation")
                        .HasFilter("[GenerationId] IS NOT NULL");
@@ -413,6 +413,8 @@ public sealed class OtOpcUaConfigDbContext(DbContextOptions<OtOpcUaConfigDbConte
            e.Property(x => x.ClusterId).HasMaxLength(64);
            e.Property(x => x.NodeId).HasMaxLength(64);
            e.Property(x => x.DetailsJson).HasColumnType("nvarchar(max)");
+            e.Property(x => x.EventId);
+            e.Property(x => x.CorrelationId);

            e.HasIndex(x => new { x.ClusterId, x.Timestamp })
                .IsDescending(false, true)
@@ -420,6 +422,14 @@ public sealed class OtOpcUaConfigDbContext(DbContextOptions<OtOpcUaConfigDbConte
            e.HasIndex(x => x.GenerationId)
                .HasFilter("[GenerationId] IS NOT NULL")
                .HasDatabaseName("IX_ConfigAuditLog_Generation");
+            // Filtered unique index gives cross-restart idempotency for the AuditWriterActor:
+            // a retry of an already-flushed batch will hit this constraint and the catch in
+            // FlushBuffer drops the duplicate insert. Nullable + filter so legacy backfill rows
+            // (EventId=NULL) don't collide.
+            e.HasIndex(x => x.EventId)
+                .IsUnique()
+                .HasFilter("[EventId] IS NOT NULL")
+                .HasDatabaseName("UX_ConfigAuditLog_EventId");
        });
    }

@@ -0,0 +1,35 @@
+namespace ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+
+/// <summary>
+///     Abstraction over the process-wide driver registry. Runtime consumes this instead of
+///     <c>DriverFactoryRegistry</c> directly so the Runtime project doesn't pull in
+///     <c>ZB.MOM.WW.OtOpcUa.Core</c> (which would drag in Polly + driver hosting). The fused
+///     Host binds a <c>DriverFactoryRegistryAdapter</c> after every <c>Driver.*.Register()</c>
+///     extension has run.
+/// </summary>
+public interface IDriverFactory
+{
+    /// <summary>
+    ///     Return a new <see cref="IDriver"/> for the given <paramref name="driverType"/>, or
+    ///     <c>null</c> when no factory is registered for that type (missing assembly, typo, etc.).
+    ///     The DriverHostActor logs + skips the row rather than failing the whole apply.
+    /// </summary>
+    IDriver? TryCreate(string driverType, string driverInstanceId, string driverConfigJson);
+
+    /// <summary>Driver-type names this factory can materialise. Mostly for diagnostics + logs.</summary>
+    IReadOnlyCollection<string> SupportedTypes { get; }
+}
+
+/// <summary>
+///     Returns <c>null</c> from every <see cref="IDriverFactory.TryCreate"/> call. Bound when the
+///     fused Host hasn't registered any concrete driver assemblies yet (Mac dev path, smoke
+///     tests). DriverHostActor sees zero supported types and treats the deployment as a no-op.
+/// </summary>
+public sealed class NullDriverFactory : IDriverFactory
+{
+    public static readonly NullDriverFactory Instance = new();
+    private NullDriverFactory() { }
+
+    public IDriver? TryCreate(string driverType, string driverInstanceId, string driverConfigJson) => null;
+    public IReadOnlyCollection<string> SupportedTypes { get; } = Array.Empty<string>();
+}
@@ -0,0 +1,28 @@
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+
+namespace ZB.MOM.WW.OtOpcUa.Core.Hosting;
+
+/// <summary>
+///     Adapts the existing <see cref="DriverFactoryRegistry"/> (v1 surface, still the
+///     concrete singleton every driver assembly registers itself against) to the v2
+///     <see cref="IDriverFactory"/> abstraction consumed by Runtime. The fused Host binds
+///     this in DI once each <c>Driver.*.Register(registry)</c> call has completed.
+/// </summary>
+public sealed class DriverFactoryRegistryAdapter : IDriverFactory
+{
+    private readonly DriverFactoryRegistry _registry;
+
+    public DriverFactoryRegistryAdapter(DriverFactoryRegistry registry)
+    {
+        ArgumentNullException.ThrowIfNull(registry);
+        _registry = registry;
+    }
+
+    public IDriver? TryCreate(string driverType, string driverInstanceId, string driverConfigJson)
+    {
+        var factory = _registry.TryGet(driverType);
+        return factory?.Invoke(driverInstanceId, driverConfigJson);
+    }
+
+    public IReadOnlyCollection<string> SupportedTypes => _registry.RegisteredTypes;
+}
@@ -1,36 +1,50 @@
 using Akka.Actor;
+using Microsoft.Extensions.Options;
+using ZB.MOM.WW.OtOpcUa.Cluster;
 using ZB.MOM.WW.OtOpcUa.Commons.Interfaces;
+using ZB.MOM.WW.OtOpcUa.Commons.Messages.Fleet;
 using ZB.MOM.WW.OtOpcUa.Commons.Types;

 namespace ZB.MOM.WW.OtOpcUa.AdminUI.Clients;

 /// <summary>
-/// <see cref="IFleetDiagnosticsClient"/> that targets a named node's <c>DriverHostActor</c> over
-/// Akka cluster <see cref="ActorSelection"/>.
+/// <see cref="IFleetDiagnosticsClient"/> backed by an Akka <see cref="ActorSelection"/> against
+/// the target node's <c>DriverHostActor</c> at <c>akka.tcp://otopcua@&lt;host&gt;:&lt;port&gt;/user/driver-host</c>.
+/// Sends <see cref="GetDiagnostics"/>; expects a <see cref="NodeDiagnosticsSnapshot"/> reply.
 ///
-/// The actual <c>GetDiagnosticsRequest</c>/<c>NodeDiagnosticsSnapshot</c> round-trip on the
-/// driver side is staged for follow-up F17 (depends on DriverHostActor exposing the request
-/// handler; right now it only handles DispatchDeployment). For now the client returns an empty
-/// snapshot so the UI can render a "no data yet" state.
+/// On timeout or any other failure (peer down, GetDiagnostics handler missing) returns an
+/// empty snapshot so the UI degrades to "no data" instead of throwing.
 /// </summary>
 public sealed class FleetDiagnosticsClient : IFleetDiagnosticsClient
 {
-    private readonly ActorSystem _system;
+    private static readonly TimeSpan AskTimeout = TimeSpan.FromSeconds(3);

-    public FleetDiagnosticsClient(ActorSystem system)
+    private readonly ActorSystem _system;
+    private readonly string _systemName;
+
+    public FleetDiagnosticsClient(ActorSystem system, IOptions<AkkaClusterOptions> options)
    {
        _system = system;
+        _systemName = options.Value.SystemName;
    }

-    public Task<NodeDiagnosticsSnapshot> GetDiagnosticsAsync(NodeId nodeId, CancellationToken ct)
+    public async Task<NodeDiagnosticsSnapshot> GetDiagnosticsAsync(NodeId nodeId, CancellationToken ct)
    {
-        // F17: ActorSelection at $"akka.tcp://{system}@{nodeId.Value}:4053/user/driver-host"
-        // → Ask<NodeDiagnosticsSnapshot>(new GetDiagnostics(), timeout).
-        var snapshot = new NodeDiagnosticsSnapshot(
-            nodeId,
-            CurrentRevision: null,
-            Drivers: Array.Empty<DriverInstanceDiagnostics>(),
-            AsOfUtc: DateTime.UtcNow);
-        return Task.FromResult(snapshot);
+        var selection = _system.ActorSelection($"akka.tcp://{_systemName}@{nodeId.Value}/user/driver-host");
+        try
+        {
+            using var linked = CancellationTokenSource.CreateLinkedTokenSource(ct);
+            linked.CancelAfter(AskTimeout);
+            return await selection.Ask<NodeDiagnosticsSnapshot>(
+                new GetDiagnostics(CorrelationId.NewId()), AskTimeout, linked.Token);
+        }
+        catch (Exception)
+        {
+            return new NodeDiagnosticsSnapshot(
+                nodeId,
+                CurrentRevision: null,
+                Drivers: Array.Empty<DriverInstanceDiagnostics>(),
+                AsOfUtc: DateTime.UtcNow);
+        }
    }
 }
@@ -0,0 +1,27 @@
+@* Root Blazor component for the fused OtOpcUa.Host. Static-rendered shell; child components
+   opt into InteractiveServer on a per-component basis (the auth-related <Routes/> stays
+   non-interactive so cookie SignInAsync still runs while ASP.NET owns the HTTP response).
+
+   Vendored Bootstrap 5 lives in this RCL's wwwroot/lib/bootstrap; the RCL static-asset
+   pipeline maps it under /_content/ZB.MOM.WW.OtOpcUa.AdminUI/... — no public-CDN dependency
+   so air-gapped fleet deployments keep working (Admin-010). *@
+
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="utf-8"/>
+    <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
+    <title>OtOpcUa Admin</title>
+    <base href="/"/>
+    <link rel="stylesheet" href="_content/ZB.MOM.WW.OtOpcUa.AdminUI/lib/bootstrap/css/bootstrap.min.css"/>
+    <link rel="stylesheet" href="_content/ZB.MOM.WW.OtOpcUa.AdminUI/css/theme.css"/>
+    <link rel="stylesheet" href="_content/ZB.MOM.WW.OtOpcUa.AdminUI/css/site.css"/>
+    <HeadOutlet/>
+</head>
+<body>
+    <Routes/>
+    <script src="_content/ZB.MOM.WW.OtOpcUa.AdminUI/lib/bootstrap/js/bootstrap.bundle.min.js"></script>
+    <script src="_content/ZB.MOM.WW.OtOpcUa.AdminUI/js/nav-state.js"></script>
+    <script src="_framework/blazor.web.js"></script>
+</body>
+</html>
@@ -0,0 +1,5 @@
+@inherits LayoutComponentBase
+
+@* Minimal layout for the login page: no side rail, no brand block. The page
+   renders its own centred card. Mirrors ScadaLink CentralUI's LoginLayout. *@
+@Body
@@ -1,24 +1,9 @@
@inherits LayoutComponentBase

-<header class="app-bar">
-    <span class="brand"><span class="mark">&#9646;</span> OtOpcUa</span>
-    <span class="crumb">&rsaquo;</span>
-    <span class="crumb">admin console</span>
-    <span class="spacer"></span>
-    <AuthorizeView>
-        <Authorized>
-            <span class="meta">@context.User.Identity?.Name</span>
-            <span class="conn-pill" data-state="connected">
-                <span class="dot"></span><span>signed in</span>
-            </span>
-        </Authorized>
-        <NotAuthorized>
-            <span class="conn-pill" data-state="disconnected">
-                <span class="dot"></span><span>signed out</span>
-            </span>
-        </NotAuthorized>
-    </AuthorizeView>
-</header>
+@* Layout chrome ported from ScadaLink CentralUI: no separate top bar — brand sits
+   at the top of the side rail. The sidebar itself is the interactive island
+   (<NavSidebar/>); MainLayout stays statically rendered so the Body RenderFragment
+   doesn't have to cross an interactive boundary. *@

 <div class="app-shell d-flex flex-column flex-lg-row">
    @* Hamburger toggle: visible only on viewports <lg.
@@ -34,41 +19,7 @@
    </button>

    <div class="collapse d-lg-block" id="sidebar-collapse">
-        <nav class="side-rail">
-            <div class="rail-eyebrow">Navigation</div>
-            <NavLink class="rail-link" href="/" Match="NavLinkMatch.All">Overview</NavLink>
-            <NavLink class="rail-link" href="/fleet" Match="NavLinkMatch.Prefix">Fleet status</NavLink>
-            <NavLink class="rail-link" href="/hosts" Match="NavLinkMatch.Prefix">Host status</NavLink>
-            <NavLink class="rail-link" href="/clusters" Match="NavLinkMatch.Prefix">Clusters</NavLink>
-            <NavLink class="rail-link" href="/reservations" Match="NavLinkMatch.Prefix">Reservations</NavLink>
-            <NavLink class="rail-link" href="/certificates" Match="NavLinkMatch.Prefix">Certificates</NavLink>
-            <NavLink class="rail-link" href="/role-grants" Match="NavLinkMatch.Prefix">Role grants</NavLink>
-            <div class="rail-eyebrow">Scripting</div>
-            <NavLink class="rail-link" href="/virtual-tags" Match="NavLinkMatch.Prefix">Virtual tags</NavLink>
-            <NavLink class="rail-link" href="/scripted-alarms" Match="NavLinkMatch.Prefix">Scripted alarms</NavLink>
-            <NavLink class="rail-link" href="/script-log" Match="NavLinkMatch.Prefix">Script log</NavLink>
-
-            <div class="rail-foot">
-                <AuthorizeView>
-                    <Authorized>
-                        <div class="rail-eyebrow">Session</div>
-                        <a class="rail-user" href="/account">@context.User.Identity?.Name</a>
-                        <div class="rail-roles">
-                            @string.Join(", ", context.User.Claims
-                                .Where(c => c.Type.EndsWith("/role")).Select(c => c.Value))
-                        </div>
-                        <form method="post" action="/auth/logout">
-                            <AntiforgeryToken />
-                            <button class="rail-btn" type="submit">Sign out</button>
-                        </form>
-                    </Authorized>
-                    <NotAuthorized>
-                        <div class="rail-eyebrow">Session</div>
-                        <a class="rail-btn" href="/login">Sign in</a>
-                    </NotAuthorized>
-                </AuthorizeView>
-            </div>
-        </nav>
+        <NavSidebar />
    </div>

    <main class="page">
@@ -0,0 +1,36 @@
+@* A collapsible sidebar nav section: an uppercase-eyebrow button that toggles
+   the visibility of its child nav items. Mirrors the ScadaLink NavSection at
+   /Users/dohertj2/Desktop/scadalink-design/src/ScadaLink.CentralUI/Components/Layout/NavSection.razor
+   but uses OtOpcUa's rail-eyebrow + rail-link classes. *@
+
+<button type="button"
+        class="rail-eyebrow-toggle"
+        @onclick="OnToggle"
+        aria-expanded="@(Expanded ? "true" : "false")">
+    <span class="rail-eyebrow-chevron">@(Expanded ? "▼" : "▶")</span>
+    <span class="rail-eyebrow-label">@Title</span>
+</button>
+@if (Expanded)
+{
+    <div class="rail-section-body">
+        @ChildContent
+    </div>
+}
+
+@code {
+    /// <summary>Section label shown in the eyebrow (e.g. "Scripting").</summary>
+    [Parameter, EditorRequired]
+    public string Title { get; set; } = string.Empty;
+
+    /// <summary>Whether the section is expanded — its child links rendered.</summary>
+    [Parameter]
+    public bool Expanded { get; set; }
+
+    /// <summary>Raised when the eyebrow button is clicked.</summary>
+    [Parameter]
+    public EventCallback OnToggle { get; set; }
+
+    /// <summary>The section's child nav links, rendered only while expanded.</summary>
+    [Parameter]
+    public RenderFragment? ChildContent { get; set; }
+}
@@ -0,0 +1,160 @@
+@rendermode InteractiveServer
+@using Microsoft.AspNetCore.Components.Routing
+@using Microsoft.JSInterop
+@implements IDisposable
+@inject NavigationManager Navigation
+@inject IJSRuntime JS
+
+@* Interactive sidebar — extracted from MainLayout so the layout itself can stay
+   statically rendered (layouts can't take RenderFragment Body across an interactive
+   boundary). Hosts the collapsible NavSection groups and cookie persistence. *@
+
+<nav class="side-rail">
+    <div class="brand"><span class="mark">&#9646;</span> OtOpcUa</div>
+
+    <NavSection Title="Navigation"
+                Expanded="@_expanded.Contains("nav")"
+                OnToggle="@(() => ToggleAsync("nav"))">
+        <NavLink class="rail-link" href="/" Match="NavLinkMatch.All">Overview</NavLink>
+        <NavLink class="rail-link" href="/fleet" Match="NavLinkMatch.Prefix">Fleet status</NavLink>
+        <NavLink class="rail-link" href="/hosts" Match="NavLinkMatch.Prefix">Host status</NavLink>
+        <NavLink class="rail-link" href="/clusters" Match="NavLinkMatch.Prefix">Clusters</NavLink>
+        <NavLink class="rail-link" href="/reservations" Match="NavLinkMatch.Prefix">Reservations</NavLink>
+        <NavLink class="rail-link" href="/certificates" Match="NavLinkMatch.Prefix">Certificates</NavLink>
+        <NavLink class="rail-link" href="/role-grants" Match="NavLinkMatch.Prefix">Role grants</NavLink>
+    </NavSection>
+
+    <NavSection Title="Scripting"
+                Expanded="@_expanded.Contains("scripting")"
+                OnToggle="@(() => ToggleAsync("scripting"))">
+        <NavLink class="rail-link" href="/virtual-tags" Match="NavLinkMatch.Prefix">Virtual tags</NavLink>
+        <NavLink class="rail-link" href="/scripted-alarms" Match="NavLinkMatch.Prefix">Scripted alarms</NavLink>
+        <NavLink class="rail-link" href="/scripts" Match="NavLinkMatch.Prefix">Scripts</NavLink>
+        <NavLink class="rail-link" href="/script-log" Match="NavLinkMatch.Prefix">Script log</NavLink>
+    </NavSection>
+
+    <NavSection Title="Live"
+                Expanded="@_expanded.Contains("live")"
+                OnToggle="@(() => ToggleAsync("live"))">
+        <NavLink class="rail-link" href="/deployments" Match="NavLinkMatch.Prefix">Deployments</NavLink>
+        <NavLink class="rail-link" href="/alerts" Match="NavLinkMatch.Prefix">Alerts</NavLink>
+        <NavLink class="rail-link" href="/alarms-historian" Match="NavLinkMatch.Prefix">Alarms historian</NavLink>
+    </NavSection>
+
+    <div class="rail-foot">
+        <AuthorizeView>
+            <Authorized>
+                <div class="rail-eyebrow">Session</div>
+                <a class="rail-user" href="/account">@context.User.Identity?.Name</a>
+                <div class="rail-roles">
+                    @string.Join(", ", context.User.Claims
+                        .Where(c => c.Type.EndsWith("/role")).Select(c => c.Value))
+                </div>
+                <form method="post" action="/auth/logout">
+                    <AntiforgeryToken />
+                    <button class="rail-btn" type="submit">Sign out</button>
+                </form>
+            </Authorized>
+            <NotAuthorized>
+                <div class="rail-eyebrow">Session</div>
+                <a class="rail-btn" href="/login">Sign in</a>
+            </NotAuthorized>
+        </AuthorizeView>
+    </div>
+</nav>
+
+@code {
+    // Expanded-section state persists in the `otopcua_nav` cookie via
+    // wwwroot/js/nav-state.js (window.navState.get/.set). Same pattern as
+    // ScadaLink CentralUI's NavMenu.
+
+    private static readonly string[] SectionIds = { "nav", "scripting", "live" };
+
+    private readonly HashSet<string> _expanded = new(StringComparer.Ordinal);
+
+    protected override void OnInitialized()
+    {
+        Navigation.LocationChanged += OnLocationChanged;
+        // Seed from the URL so the current page's section is expanded on the
+        // initial render — works even before JS interop is ready.
+        EnsureCurrentSectionExpanded();
+    }
+
+    protected override async Task OnAfterRenderAsync(bool firstRender)
+    {
+        if (!firstRender) return;
+
+        string saved;
+        try
+        {
+            saved = await JS.InvokeAsync<string>("navState.get") ?? string.Empty;
+        }
+        catch (JSDisconnectedException) { return; }
+        catch (InvalidOperationException) { return; }
+
+        foreach (var id in saved.Split(',', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries))
+        {
+            if (Array.IndexOf(SectionIds, id) >= 0)
+                _expanded.Add(id);
+        }
+
+        if (EnsureCurrentSectionExpanded())
+            await PersistAsync();
+
+        StateHasChanged();
+    }
+
+    private void OnLocationChanged(object? sender, LocationChangedEventArgs e)
+    {
+        if (EnsureCurrentSectionExpanded())
+        {
+            _ = PersistAsync();
+            _ = InvokeAsync(StateHasChanged);
+        }
+    }
+
+    private async Task ToggleAsync(string id)
+    {
+        if (!_expanded.Remove(id))
+            _expanded.Add(id);
+        await PersistAsync();
+    }
+
+    private bool EnsureCurrentSectionExpanded()
+    {
+        var section = CurrentSection();
+        return section is not null && _expanded.Add(section);
+    }
+
+    private string? CurrentSection()
+    {
+        var relative = Navigation.ToBaseRelativePath(Navigation.Uri);
+        var firstSegment = relative.Split('?', '#')[0]
+            .Split('/', StringSplitOptions.RemoveEmptyEntries)
+            .FirstOrDefault();
+
+        return firstSegment switch
+        {
+            null or "" => "nav",
+            "fleet" or "hosts" or "clusters" or "reservations" or "certificates" or "role-grants" => "nav",
+            "virtual-tags" or "scripted-alarms" or "scripts" or "script-log" => "scripting",
+            "deployments" or "alerts" or "alarms-historian" => "live",
+            _ => null,
+        };
+    }
+
+    private async Task PersistAsync()
+    {
+        try
+        {
+            await JS.InvokeVoidAsync("navState.set", string.Join(',', _expanded));
+        }
+        catch (JSDisconnectedException) { }
+        catch (InvalidOperationException) { }
+    }
+
+    public void Dispose()
+    {
+        Navigation.LocationChanged -= OnLocationChanged;
+    }
+}
@@ -0,0 +1,78 @@
+@page "/account"
+@* v1's Account page surfaced per-cluster role grants alongside identity. v2 dropped per-cluster
+   grants in favour of fleet-wide LDAP-group → role mapping (Q4 of the AdminUI rebuild plan), so
+   this version only shows identity + the resolved fleet roles + raw LDAP groups for
+   troubleshooting. *@
+@attribute [Microsoft.AspNetCore.Authorization.Authorize]
+@using System.Security.Claims
+
+<div class="d-flex justify-content-between align-items-center mb-3">
+    <h4 class="mb-0">My account</h4>
+</div>
+
+<AuthorizeView>
+    <Authorized>
+        @{
+            var username = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value
+                          ?? context.User.Identity?.Name ?? "—";
+            var displayName = context.User.Identity?.Name ?? "—";
+            var roles = context.User.Claims
+                .Where(c => c.Type == ClaimTypes.Role).Select(c => c.Value)
+                .OrderBy(s => s, StringComparer.OrdinalIgnoreCase).ToList();
+            var ldapGroups = context.User.Claims
+                .Where(c => c.Type == "ldap_group").Select(c => c.Value)
+                .OrderBy(s => s, StringComparer.OrdinalIgnoreCase).ToList();
+        }
+
+        <section class="card-grid rise" style="animation-delay:.02s">
+            <div class="metric-card">
+                <div class="panel-head">Identity</div>
+                <div class="kv"><span class="k">Username</span><span class="v mono">@username</span></div>
+                <div class="kv"><span class="k">Display name</span><span class="v">@displayName</span></div>
+            </div>
+
+            <div class="metric-card">
+                <div class="panel-head">Fleet roles</div>
+                <div class="kv">
+                    <span class="k">Resolved roles</span>
+                    <span class="v">
+                        @if (roles.Count == 0)
+                        {
+                            <span class="text-muted">none — sign-in should have been blocked; session claim is likely stale</span>
+                        }
+                        else
+                        {
+                            @foreach (var r in roles)
+                            {
+                                <span class="chip chip-idle me-1">@r</span>
+                            }
+                        }
+                    </span>
+                </div>
+                <div class="kv">
+                    <span class="k">LDAP groups</span>
+                    <span class="v">
+                        @if (ldapGroups.Count == 0)
+                        {
+                            <span class="text-muted">none</span>
+                        }
+                        else
+                        {
+                            @foreach (var g in ldapGroups)
+                            {
+                                <span class="chip me-1 mono">@g</span>
+                            }
+                        }
+                    </span>
+                </div>
+            </div>
+        </section>
+
+        <section class="panel notice rise" style="animation-delay:.08s">
+            Fleet roles come from LDAP group membership via the
+            <span class="mono">Authentication:Ldap:GroupToRole</span> mapping. To change them,
+            edit the LDAP group on the directory server; the next sign-in picks up the change.
+            Sign out + sign back in to refresh the cookie claim.
+        </section>
+    </Authorized>
+</AuthorizeView>
@@ -0,0 +1,91 @@
+@page "/alarms-historian"
+@* Live status of the local node's IAlarmHistorianSink (queue depth, drain state) via the
+   HistorianAdapterActor.GetStatus query landed in F11. *@
+@attribute [Microsoft.AspNetCore.Authorization.Authorize]
+@rendermode RenderMode.InteractiveServer
+@using Akka.Actor
+@using Akka.Hosting
+@using ZB.MOM.WW.OtOpcUa.Core.AlarmHistorian
+@using ZB.MOM.WW.OtOpcUa.Runtime
+@using ZB.MOM.WW.OtOpcUa.Runtime.Historian
+@inject IRequiredActor<HistorianAdapterActorKey> HistorianActor
+@implements IDisposable
+
+<div class="d-flex justify-content-between align-items-center mb-3">
+    <h4 class="mb-0">Alarms historian sink</h4>
+</div>
+
+<section class="panel notice rise" style="animation-delay:.02s">
+    Snapshot from the local node's <span class="mono">HistorianAdapterActor</span>. Default sink
+    is a no-op (<span class="mono">NullAlarmHistorianSink</span>); production wires
+    <span class="mono">SqliteStoreAndForwardSink</span> with the Wonderware historian sidecar
+    behind it. Polling every @PollSeconds s.
+</section>
+
+@if (_status is null)
+{
+    <p class="mt-3">Loading…</p>
+}
+else
+{
+    <section class="card-grid rise mt-3" style="animation-delay:.08s">
+        <div class="metric-card">
+            <div class="panel-head">Queue</div>
+            <div class="kv"><span class="k">Depth</span><span class="v numeric">@_status.QueueDepth</span></div>
+            <div class="kv"><span class="k">Dead-lettered</span><span class="v numeric">@_status.DeadLetterDepth</span></div>
+            <div class="kv"><span class="k">Evicted (lifetime)</span><span class="v numeric">@_status.EvictedCount</span></div>
+        </div>
+
+        <div class="metric-card">
+            <div class="panel-head">Drain state</div>
+            <div class="kv"><span class="k">State</span><span class="v"><span class="@StateChipClass(_status.DrainState)">@_status.DrainState</span></span></div>
+            <div class="kv"><span class="k">Last drain</span><span class="v">@(_status.LastDrainUtc?.ToString("u") ?? "—")</span></div>
+            <div class="kv"><span class="k">Last success</span><span class="v">@(_status.LastSuccessUtc?.ToString("u") ?? "—")</span></div>
+            @if (!string.IsNullOrWhiteSpace(_status.LastError))
+            {
+                <div class="kv"><span class="k">Last error</span><span class="v text-danger small">@_status.LastError</span></div>
+            }
+        </div>
+    </section>
+}
+
+@code {
+    private const int PollSeconds = 5;
+
+    private HistorianSinkStatus? _status;
+    private Timer? _timer;
+
+    protected override async Task OnInitializedAsync()
+    {
+        await RefreshAsync();
+        _timer = new Timer(_ => _ = InvokeAsync(RefreshAsync), null,
+            TimeSpan.FromSeconds(PollSeconds), TimeSpan.FromSeconds(PollSeconds));
+    }
+
+    private async Task RefreshAsync()
+    {
+        try
+        {
+            _status = await HistorianActor.ActorRef.Ask<HistorianSinkStatus>(
+                HistorianAdapterActor.GetStatus.Instance, TimeSpan.FromSeconds(2));
+            StateHasChanged();
+        }
+        catch
+        {
+            // Actor unavailable (admin-only node, not driver-role) — leave _status null and let
+            // the page show "Loading…". A dedicated "this role doesn't run a historian" message
+            // would be nicer; lands when we add role gating to the UI.
+        }
+    }
+
+    private static string StateChipClass(HistorianDrainState state) => state switch
+    {
+        HistorianDrainState.Disabled => "chip chip-idle",
+        HistorianDrainState.Idle => "chip chip-idle",
+        HistorianDrainState.Draining => "chip chip-ok",
+        HistorianDrainState.BackingOff => "chip chip-caution",
+        _ => "chip chip-idle",
+    };
+
+    public void Dispose() => _timer?.Dispose();
+}
@@ -0,0 +1,126 @@
+@page "/alerts"
+@* Live alarm tail via SignalR. Subscribes to /hubs/alerts and shows the most-recent
+   AlarmTransitionEvent entries published by ScriptedAlarmActor (Runtime/ScriptedAlarms)
+   and the AB CIP ALMD bridge. *@
+@attribute [Microsoft.AspNetCore.Authorization.Authorize]
+@rendermode RenderMode.InteractiveServer
+@using Microsoft.AspNetCore.SignalR.Client
+@using ZB.MOM.WW.OtOpcUa.AdminUI.Hubs
+@using ZB.MOM.WW.OtOpcUa.Commons.Messages.Alerts
+@inject NavigationManager Nav
+@implements IAsyncDisposable
+
+<div class="d-flex justify-content-between align-items-center mb-3">
+    <h4 class="mb-0">Alerts</h4>
+    <div class="d-flex align-items-center gap-2">
+        <span class="conn-pill" data-state="@(_connected ? "connected" : "disconnected")">
+            <span class="dot"></span><span>@(_connected ? "live" : "disconnected")</span>
+        </span>
+        <button class="btn btn-sm btn-outline-secondary" @onclick="ClearAsync">Clear</button>
+    </div>
+</div>
+
+<section class="panel notice rise" style="animation-delay:.02s">
+    Live alarm transitions from the cluster's <span class="mono">alerts</span> DPS topic. Shows
+    the most-recent @Capacity entries since the page opened; reload for a fresh window. Sources:
+    ScriptedAlarmActor, native driver alarm bridges (AB CIP ALMD, Galaxy where wired).
+</section>
+
+@if (_rows.Count == 0)
+{
+    <section class="panel notice rise mt-3" style="animation-delay:.08s">
+        No alarms in the current window. The table will populate as soon as a
+        ScriptedAlarmActor or driver alarm bridge publishes a transition.
+    </section>
+}
+else
+{
+    <section class="panel rise mt-3" style="animation-delay:.08s">
+        <div class="panel-head">Recent transitions (@_rows.Count)</div>
+        <div class="table-wrap">
+            <table class="data-table">
+                <thead>
+                    <tr>
+                        <th>Time</th>
+                        <th>Alarm</th>
+                        <th>Equipment</th>
+                        <th>Kind</th>
+                        <th class="num">Severity</th>
+                        <th>User</th>
+                        <th>Message</th>
+                    </tr>
+                </thead>
+                <tbody>
+                    @foreach (var e in _rows)
+                    {
+                        <tr>
+                            <td><span class="mono small">@e.TimestampUtc.ToString("HH:mm:ss.fff")</span></td>
+                            <td><span class="mono">@e.AlarmId</span><div class="text-muted small">@e.AlarmName</div></td>
+                            <td><span class="mono small">@e.EquipmentPath</span></td>
+                            <td><span class="chip @KindChipClass(e.TransitionKind)">@e.TransitionKind</span></td>
+                            <td class="num">@e.Severity</td>
+                            <td>@e.User</td>
+                            <td>@e.Message</td>
+                        </tr>
+                    }
+                </tbody>
+            </table>
+        </div>
+    </section>
+}
+
+@code {
+    private const int Capacity = 200;
+
+    private readonly List<AlarmTransitionEvent> _rows = new();
+    private HubConnection? _hub;
+    private bool _connected;
+
+    protected override async Task OnInitializedAsync()
+    {
+        _hub = new HubConnectionBuilder()
+            .WithUrl(Nav.ToAbsoluteUri(AlertHub.Endpoint))
+            .WithAutomaticReconnect()
+            .Build();
+
+        _hub.On<AlarmTransitionEvent>(AlertHub.MethodName, evt =>
+        {
+            _rows.Insert(0, evt);
+            if (_rows.Count > Capacity) _rows.RemoveAt(_rows.Count - 1);
+            InvokeAsync(StateHasChanged);
+        });
+        _hub.Closed += _ => { _connected = false; return InvokeAsync(StateHasChanged); };
+        _hub.Reconnected += _ => { _connected = true; return InvokeAsync(StateHasChanged); };
+
+        try
+        {
+            await _hub.StartAsync();
+            _connected = true;
+        }
+        catch
+        {
+            // Connection failures (admin-only deployment, hub not mapped, etc.) leave the page
+            // showing "disconnected" — operator action: reload or talk to the host operator.
+        }
+    }
+
+    private async Task ClearAsync()
+    {
+        _rows.Clear();
+        await InvokeAsync(StateHasChanged);
+    }
+
+    private static string KindChipClass(string kind) => kind switch
+    {
+        "Activated" => "chip-alert",
+        "Cleared" => "chip-ok",
+        "Acknowledged" or "Confirmed" => "chip-caution",
+        "Shelved" or "Disabled" => "chip-idle",
+        _ => "chip-idle",
+    };
+
+    public async ValueTask DisposeAsync()
+    {
+        if (_hub is not null) await _hub.DisposeAsync();
+    }
+}
@@ -0,0 +1,111 @@
+@page "/certificates"
+@attribute [Microsoft.AspNetCore.Authorization.Authorize]
+@rendermode RenderMode.InteractiveServer
+@using System.Security.Cryptography.X509Certificates
+@using Microsoft.Extensions.Configuration
+@inject IConfiguration Config
+
+<div class="d-flex justify-content-between align-items-center mb-3">
+    <h4 class="mb-0">OPC UA certificates</h4>
+</div>
+
+<section class="panel notice rise" style="animation-delay:.02s">
+    PKI store layout: <span class="mono">{PkiStoreRoot}/own</span> (this server's identity),
+    <span class="mono">issuer</span> / <span class="mono">trusted</span> (peers we accept),
+    <span class="mono">rejected</span> (peers we've turned away). F13a wires SDK
+    auto-creation so the own-store self-signs on first boot.
+</section>
+
+@if (_rows is null)
+{
+    <p class="mt-3">Loading…</p>
+}
+else
+{
+    @foreach (var store in _rows)
+    {
+        <section class="panel rise mt-3" style="animation-delay:.08s">
+            <div class="panel-head">@store.Label &middot; @store.Certificates.Count entry@(store.Certificates.Count == 1 ? "" : "s")</div>
+            @if (string.IsNullOrEmpty(store.Path))
+            {
+                <div style="padding:1rem" class="text-muted">No path configured.</div>
+            }
+            else if (!Directory.Exists(store.Path))
+            {
+                <div style="padding:1rem" class="text-muted">
+                    <span class="mono">@store.Path</span> doesn't exist yet. It will be created on first boot.
+                </div>
+            }
+            else if (store.Certificates.Count == 0)
+            {
+                <div style="padding:1rem" class="text-muted">No certificates in <span class="mono">@store.Path</span>.</div>
+            }
+            else
+            {
+                <div class="table-wrap">
+                    <table class="data-table">
+                        <thead>
+                            <tr>
+                                <th>Subject</th>
+                                <th>Issuer</th>
+                                <th>Thumbprint</th>
+                                <th>Not before</th>
+                                <th>Not after</th>
+                            </tr>
+                        </thead>
+                        <tbody>
+                            @foreach (var c in store.Certificates)
+                            {
+                                <tr>
+                                    <td><span class="mono small">@c.Subject</span></td>
+                                    <td><span class="mono small">@c.Issuer</span></td>
+                                    <td><span class="mono small">@c.Thumbprint[..16]…</span></td>
+                                    <td>@c.NotBefore.ToString("u")</td>
+                                    <td>@c.NotAfter.ToString("u")</td>
+                                </tr>
+                            }
+                        </tbody>
+                    </table>
+                </div>
+            }
+        </section>
+    }
+}
+
+@code {
+    private List<StoreView>? _rows;
+
+    protected override void OnInitialized()
+    {
+        var pkiRoot = Config.GetValue<string?>("OpcUa:PkiStoreRoot") ?? "pki";
+        _rows = new()
+        {
+            LoadStore("Own", Path.Combine(pkiRoot, "own", "certs")),
+            LoadStore("Trusted peers", Path.Combine(pkiRoot, "trusted", "certs")),
+            LoadStore("Trusted issuers", Path.Combine(pkiRoot, "issuer", "certs")),
+            LoadStore("Rejected", Path.Combine(pkiRoot, "rejected", "certs")),
+        };
+    }
+
+    private static StoreView LoadStore(string label, string path)
+    {
+        var view = new StoreView(label, path, new List<X509Certificate2>());
+        if (!Directory.Exists(path)) return view;
+        foreach (var file in Directory.EnumerateFiles(path).Where(IsCertFile))
+        {
+            try { view.Certificates.Add(X509CertificateLoader.LoadCertificateFromFile(file)); }
+            catch { /* ignore unreadable entries */ }
+        }
+        return view;
+    }
+
+    private static bool IsCertFile(string path)
+    {
+        var ext = Path.GetExtension(path);
+        return ext.Equals(".der", StringComparison.OrdinalIgnoreCase)
+            || ext.Equals(".cer", StringComparison.OrdinalIgnoreCase)
+            || ext.Equals(".crt", StringComparison.OrdinalIgnoreCase);
+    }
+
+    private sealed record StoreView(string Label, string Path, List<X509Certificate2> Certificates);
+}
@@ -0,0 +1,228 @@
+@page "/clusters/{ClusterId}/acls/new"
+@page "/clusters/{ClusterId}/acls/{NodeAclId}"
+@attribute [Microsoft.AspNetCore.Authorization.Authorize]
+@rendermode RenderMode.InteractiveServer
+@using Microsoft.AspNetCore.Components.Forms
+@using Microsoft.EntityFrameworkCore
+@using System.ComponentModel.DataAnnotations
+@using ZB.MOM.WW.OtOpcUa.Configuration
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@using ZB.MOM.WW.OtOpcUa.Configuration.Enums
+@inject IDbContextFactory<OtOpcUaConfigDbContext> DbFactory
+@inject NavigationManager Nav
+
+<div class="d-flex justify-content-between align-items-center mb-3">
+    <h4 class="mb-0">@(IsNew ? "New ACL grant" : "Edit ACL grant") &middot; <span class="mono">@ClusterId</span></h4>
+    <a href="/clusters/@ClusterId/acls" class="btn btn-outline-secondary btn-sm">Cancel</a>
+</div>
+
+<ClusterNav ClusterId="@ClusterId" ActiveTab="acls" />
+
+@if (!_loaded)
+{
+    <p>Loading…</p>
+}
+else if (!IsNew && _existing is null)
+{
+    <section class="panel notice rise" style="animation-delay:.02s">ACL <span class="mono">@NodeAclId</span> not found.</section>
+}
+else
+{
+    <EditForm Model="_form" OnValidSubmit="SubmitAsync" FormName="aclEdit">
+        <DataAnnotationsValidator />
+        <section class="panel rise" style="animation-delay:.02s">
+            <div class="panel-head">Grant</div>
+            <div style="padding:1rem">
+                <div class="row">
+                    <div class="col-md-6 mb-3">
+                        <label class="form-label" for="aid">NodeAclId</label>
+                        <InputText id="aid" @bind-Value="_form.NodeAclId" disabled="@(!IsNew)" class="form-control form-control-sm mono" />
+                    </div>
+                    <div class="col-md-6 mb-3">
+                        <label class="form-label" for="grp">LDAP group</label>
+                        <InputText id="grp" @bind-Value="_form.LdapGroup" class="form-control form-control-sm mono"
+                                   placeholder="cn=Operators,ou=FleetAdmin,dc=lmxopcua,dc=local" />
+                    </div>
+                </div>
+                <div class="row">
+                    <div class="col-md-6 mb-3">
+                        <label class="form-label" for="scope">Scope kind</label>
+                        <InputSelect id="scope" @bind-Value="_form.ScopeKind" class="form-select form-select-sm">
+                            <option value="@NodeAclScopeKind.Cluster">Cluster</option>
+                            <option value="@NodeAclScopeKind.Namespace">Namespace</option>
+                            <option value="@NodeAclScopeKind.UnsArea">UnsArea</option>
+                            <option value="@NodeAclScopeKind.UnsLine">UnsLine</option>
+                            <option value="@NodeAclScopeKind.Equipment">Equipment</option>
+                            <option value="@NodeAclScopeKind.FolderSegment">FolderSegment</option>
+                            <option value="@NodeAclScopeKind.Tag">Tag</option>
+                        </InputSelect>
+                    </div>
+                    <div class="col-md-6 mb-3">
+                        <label class="form-label" for="target">Scope target ID</label>
+                        <InputText id="target" @bind-Value="_form.ScopeId" class="form-control form-control-sm mono"
+                                   placeholder="Leave blank for cluster-wide" />
+                    </div>
+                </div>
+                <div class="mb-3">
+                    <label class="form-label">Permissions</label>
+                    <div>
+                        @foreach (var bit in PermissionBits)
+                        {
+                            <div class="form-check form-check-inline">
+                                <input type="checkbox" class="form-check-input"
+                                       id="perm-@bit"
+                                       checked="@_form.HasPerm(bit)"
+                                       @onchange="e => _form.SetPerm(bit, (bool)e.Value!)" />
+                                <label class="form-check-label" for="perm-@bit">@bit</label>
+                            </div>
+                        }
+                    </div>
+                    <div class="form-text mt-2">
+                        Bundles:
+                        <button type="button" class="btn btn-sm btn-link p-0 ms-1" @onclick="() => _form.PermissionFlags = NodePermissions.ReadOnly">ReadOnly</button>
+                        &middot;
+                        <button type="button" class="btn btn-sm btn-link p-0" @onclick="() => _form.PermissionFlags = NodePermissions.Operator">Operator</button>
+                        &middot;
+                        <button type="button" class="btn btn-sm btn-link p-0" @onclick="() => _form.PermissionFlags = NodePermissions.Engineer">Engineer</button>
+                        &middot;
+                        <button type="button" class="btn btn-sm btn-link p-0" @onclick="() => _form.PermissionFlags = NodePermissions.Admin">Admin</button>
+                    </div>
+                </div>
+                <div class="mb-3">
+                    <label class="form-label">Notes</label>
+                    <InputTextArea @bind-Value="_form.Notes" class="form-control form-control-sm" rows="3" />
+                </div>
+            </div>
+        </section>
+
+        @if (!string.IsNullOrWhiteSpace(_error)) { <div class="panel notice mt-3" style="border-color:var(--alert)">@_error</div> }
+
+        <div class="mt-3 d-flex gap-2">
+            <button type="submit" class="btn btn-primary" disabled="@_busy">@(IsNew ? "Create" : "Save changes")</button>
+            <a href="/clusters/@ClusterId/acls" class="btn btn-outline-secondary">Cancel</a>
+            @if (!IsNew) { <button type="button" class="btn btn-outline-danger ms-auto" @onclick="DeleteAsync" disabled="@_busy">Delete</button> }
+        </div>
+    </EditForm>
+}
+
+@code {
+    private static readonly NodePermissions[] PermissionBits =
+    [
+        NodePermissions.Browse, NodePermissions.Read, NodePermissions.Subscribe, NodePermissions.HistoryRead,
+        NodePermissions.WriteOperate, NodePermissions.WriteTune, NodePermissions.WriteConfigure,
+        NodePermissions.AlarmRead, NodePermissions.AlarmAcknowledge, NodePermissions.AlarmConfirm, NodePermissions.AlarmShelve,
+        NodePermissions.MethodCall,
+    ];
+
+    [Parameter] public string ClusterId { get; set; } = "";
+    [Parameter] public string? NodeAclId { get; set; }
+
+    private bool IsNew => string.IsNullOrEmpty(NodeAclId);
+
+    private FormModel _form = new();
+    private NodeAcl? _existing;
+    private bool _loaded;
+    private bool _busy;
+    private string? _error;
+
+    protected override async Task OnInitializedAsync()
+    {
+        if (!IsNew)
+        {
+            await using var db = await DbFactory.CreateDbContextAsync();
+            _existing = await db.NodeAcls.AsNoTracking().FirstOrDefaultAsync(
+                a => a.ClusterId == ClusterId && a.NodeAclId == NodeAclId);
+            if (_existing is not null)
+            {
+                _form = new FormModel
+                {
+                    NodeAclId = _existing.NodeAclId,
+                    LdapGroup = _existing.LdapGroup,
+                    ScopeKind = _existing.ScopeKind,
+                    ScopeId = _existing.ScopeId,
+                    PermissionFlags = _existing.PermissionFlags,
+                    Notes = _existing.Notes,
+                    RowVersion = _existing.RowVersion,
+                };
+            }
+        }
+        _loaded = true;
+    }
+
+    private async Task SubmitAsync()
+    {
+        _busy = true; _error = null;
+        try
+        {
+            await using var db = await DbFactory.CreateDbContextAsync();
+            if (IsNew)
+            {
+                if (await db.NodeAcls.AnyAsync(a => a.NodeAclId == _form.NodeAclId))
+                { _error = $"ACL '{_form.NodeAclId}' already exists."; return; }
+                db.NodeAcls.Add(new NodeAcl
+                {
+                    NodeAclId = _form.NodeAclId,
+                    ClusterId = ClusterId,
+                    LdapGroup = _form.LdapGroup,
+                    ScopeKind = _form.ScopeKind,
+                    ScopeId = string.IsNullOrWhiteSpace(_form.ScopeId) ? null : _form.ScopeId,
+                    PermissionFlags = _form.PermissionFlags,
+                    Notes = string.IsNullOrWhiteSpace(_form.Notes) ? null : _form.Notes,
+                });
+            }
+            else
+            {
+                var entity = await db.NodeAcls.FirstOrDefaultAsync(a => a.ClusterId == ClusterId && a.NodeAclId == NodeAclId);
+                if (entity is null) { _error = "Row no longer exists."; return; }
+                db.Entry(entity).Property(e => e.RowVersion).OriginalValue = _form.RowVersion;
+                entity.LdapGroup = _form.LdapGroup;
+                entity.ScopeKind = _form.ScopeKind;
+                entity.ScopeId = string.IsNullOrWhiteSpace(_form.ScopeId) ? null : _form.ScopeId;
+                entity.PermissionFlags = _form.PermissionFlags;
+                entity.Notes = string.IsNullOrWhiteSpace(_form.Notes) ? null : _form.Notes;
+            }
+            await db.SaveChangesAsync();
+            Nav.NavigateTo($"/clusters/{ClusterId}/acls");
+        }
+        catch (DbUpdateConcurrencyException) { _error = "Another user changed this ACL while you were editing."; }
+        catch (Exception ex) { _error = ex.Message; }
+        finally { _busy = false; }
+    }
+
+    private async Task DeleteAsync()
+    {
+        if (IsNew) return;
+        _busy = true; _error = null;
+        try
+        {
+            await using var db = await DbFactory.CreateDbContextAsync();
+            var entity = await db.NodeAcls.FirstOrDefaultAsync(a => a.ClusterId == ClusterId && a.NodeAclId == NodeAclId);
+            if (entity is null) { Nav.NavigateTo($"/clusters/{ClusterId}/acls"); return; }
+            db.Entry(entity).Property(e => e.RowVersion).OriginalValue = _form.RowVersion;
+            db.NodeAcls.Remove(entity);
+            await db.SaveChangesAsync();
+            Nav.NavigateTo($"/clusters/{ClusterId}/acls");
+        }
+        catch (DbUpdateConcurrencyException) { _error = "Another user changed this ACL while you were viewing it."; }
+        catch (Exception ex) { _error = ex.Message; }
+        finally { _busy = false; }
+    }
+
+    private sealed class FormModel
+    {
+        [Required, RegularExpression("^[A-Za-z0-9_-]+$")] public string NodeAclId { get; set; } = "";
+        [Required] public string LdapGroup { get; set; } = "";
+        public NodeAclScopeKind ScopeKind { get; set; } = NodeAclScopeKind.Cluster;
+        public string? ScopeId { get; set; }
+        public NodePermissions PermissionFlags { get; set; } = NodePermissions.None;
+        public string? Notes { get; set; }
+        public byte[] RowVersion { get; set; } = [];
+
+        public bool HasPerm(NodePermissions bit) => PermissionFlags.HasFlag(bit);
+        public void SetPerm(NodePermissions bit, bool on)
+        {
+            if (on) PermissionFlags |= bit;
+            else PermissionFlags &= ~bit;
+        }
+    }
+}
@@ -0,0 +1,99 @@
+@page "/clusters/{ClusterId}/acls"
+@attribute [Microsoft.AspNetCore.Authorization.Authorize]
+@rendermode RenderMode.InteractiveServer
+@using Microsoft.EntityFrameworkCore
+@using ZB.MOM.WW.OtOpcUa.Configuration
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@inject IDbContextFactory<OtOpcUaConfigDbContext> DbFactory
+
+<div class="d-flex justify-content-between align-items-center mb-3">
+    <h4 class="mb-0">ACLs &middot; <span class="mono">@ClusterId</span></h4>
+    <a href="/clusters/@ClusterId/acls/new" class="btn btn-primary btn-sm">New ACL grant</a>
+</div>
+
+<ClusterNav ClusterId="@ClusterId" ActiveTab="acls" />
+
+@if (_rows is null)
+{
+    <p>Loading…</p>
+}
+else
+{
+    <section class="panel notice rise" style="animation-delay:.02s">
+        ACL rows grant LDAP groups specific <span class="mono">NodePermissions</span> on a scope
+        (a folder, an equipment, a tag). Q4 of the AdminUI rebuild plan dropped per-cluster role
+        grants in favour of fleet-wide LDAP-group → role mapping; ACLs here are the finer-grained
+        per-node scope. Live editing lands in a Phase C.2 follow-up.
+    </section>
+
+    <section class="panel rise mt-3" style="animation-delay:.08s">
+        <div class="panel-head">@_rows.Count ACL row@(_rows.Count == 1 ? "" : "s")</div>
+        @if (_rows.Count == 0)
+        {
+            <div style="padding:1rem" class="text-muted">No ACL rows for this cluster — default permissions from the fleet-wide LDAP group mapping apply.</div>
+        }
+        else
+        {
+            <div class="table-wrap">
+                <table class="data-table">
+                    <thead>
+                        <tr>
+                            <th>NodeAclId</th>
+                            <th>LDAP group</th>
+                            <th>Scope</th>
+                            <th>Scope target</th>
+                            <th>Permissions</th>
+                            <th>Notes</th>
+                            <th></th>
+                        </tr>
+                    </thead>
+                    <tbody>
+                        @foreach (var a in _rows)
+                        {
+                            <tr>
+                                <td><span class="mono small">@a.NodeAclId</span></td>
+                                <td><span class="mono">@a.LdapGroup</span></td>
+                                <td>@a.ScopeKind</td>
+                                <td><span class="mono small">@(a.ScopeId ?? "—")</span></td>
+                                <td>
+                                    @foreach (var perm in PermissionChips(a.PermissionFlags))
+                                    {
+                                        <span class="chip chip-idle me-1">@perm</span>
+                                    }
+                                </td>
+                                <td class="text-muted small">@(a.Notes ?? "")</td>
+                                <td><a href="/clusters/@ClusterId/acls/@a.NodeAclId" class="btn btn-sm btn-outline-primary">Edit</a></td>
+                            </tr>
+                        }
+                    </tbody>
+                </table>
+            </div>
+        }
+    </section>
+}
+
+@code {
+    [Parameter] public string ClusterId { get; set; } = "";
+    private List<NodeAcl>? _rows;
+
+    protected override async Task OnInitializedAsync()
+    {
+        await using var db = await DbFactory.CreateDbContextAsync();
+        _rows = await db.NodeAcls.AsNoTracking()
+            .Where(a => a.ClusterId == ClusterId)
+            .OrderBy(a => a.NodeAclId)
+            .ToListAsync();
+    }
+
+    private static IEnumerable<string> PermissionChips(ZB.MOM.WW.OtOpcUa.Configuration.Enums.NodePermissions flags)
+    {
+        foreach (var v in Enum.GetValues<ZB.MOM.WW.OtOpcUa.Configuration.Enums.NodePermissions>())
+        {
+            // Skip None (zero) and composite values that aren't single bits.
+            var n = (int)v;
+            if (n == 0) continue;
+            if ((n & (n - 1)) != 0) continue;
+            if (flags.HasFlag(v)) yield return v.ToString();
+        }
+    }
+}
@@ -0,0 +1,83 @@
+@page "/clusters/{ClusterId}/audit"
+@attribute [Microsoft.AspNetCore.Authorization.Authorize]
+@rendermode RenderMode.InteractiveServer
+@using Microsoft.EntityFrameworkCore
+@using ZB.MOM.WW.OtOpcUa.Configuration
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@inject IDbContextFactory<OtOpcUaConfigDbContext> DbFactory
+
+<div class="d-flex justify-content-between align-items-center mb-3">
+    <h4 class="mb-0">Audit log &middot; <span class="mono">@ClusterId</span></h4>
+</div>
+
+<ClusterNav ClusterId="@ClusterId" ActiveTab="audit" />
+
+@if (_rows is null)
+{
+    <p>Loading…</p>
+}
+else
+{
+    <section class="panel notice rise" style="animation-delay:.02s">
+        Latest @PageSize audit rows scoped to this cluster, newest first. EventId/CorrelationId
+        columns (F3) make cross-restart deduplication possible — Akka actors that retry an apply
+        won't insert duplicate rows. Details JSON is shown verbatim.
+    </section>
+
+    <section class="panel rise mt-3" style="animation-delay:.08s">
+        <div class="panel-head">@_rows.Count row@(_rows.Count == 1 ? "" : "s")</div>
+        @if (_rows.Count == 0)
+        {
+            <div style="padding:1rem" class="text-muted">No audit rows for this cluster yet.</div>
+        }
+        else
+        {
+            <div class="table-wrap">
+                <table class="data-table">
+                    <thead>
+                        <tr>
+                            <th>Timestamp</th>
+                            <th>Principal</th>
+                            <th>Event</th>
+                            <th>Node</th>
+                            <th>Correlation</th>
+                            <th>Details</th>
+                        </tr>
+                    </thead>
+                    <tbody>
+                        @foreach (var a in _rows)
+                        {
+                            <tr>
+                                <td><span class="mono small">@a.Timestamp.ToString("u")</span></td>
+                                <td>@a.Principal</td>
+                                <td><span class="chip chip-idle">@a.EventType</span></td>
+                                <td><span class="mono small">@(a.NodeId ?? "—")</span></td>
+                                <td><span class="mono small">@(a.CorrelationId?.ToString("N")[..8] ?? "—")</span></td>
+                                <td class="text-muted small" style="max-width:400px;overflow:hidden;text-overflow:ellipsis;white-space:nowrap">
+                                    @(a.DetailsJson ?? "")
+                                </td>
+                            </tr>
+                        }
+                    </tbody>
+                </table>
+            </div>
+        }
+    </section>
+}
+
+@code {
+    private const int PageSize = 200;
+
+    [Parameter] public string ClusterId { get; set; } = "";
+    private List<ConfigAuditLog>? _rows;
+
+    protected override async Task OnInitializedAsync()
+    {
+        await using var db = await DbFactory.CreateDbContextAsync();
+        _rows = await db.ConfigAuditLogs.AsNoTracking()
+            .Where(a => a.ClusterId == ClusterId)
+            .OrderByDescending(a => a.Timestamp)
+            .Take(PageSize)
+            .ToListAsync();
+    }
+}
@@ -0,0 +1,90 @@
+@page "/clusters/{ClusterId}/drivers"
+@attribute [Microsoft.AspNetCore.Authorization.Authorize]
+@rendermode RenderMode.InteractiveServer
+@using Microsoft.EntityFrameworkCore
+@using ZB.MOM.WW.OtOpcUa.Configuration
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@inject IDbContextFactory<OtOpcUaConfigDbContext> DbFactory
+
+<div class="d-flex justify-content-between align-items-center mb-3">
+    <h4 class="mb-0">Drivers &middot; <span class="mono">@ClusterId</span></h4>
+    <a href="/clusters/@ClusterId/drivers/new" class="btn btn-primary btn-sm">New driver</a>
+</div>
+
+<ClusterNav ClusterId="@ClusterId" ActiveTab="drivers" />
+
+@if (_rows is null)
+{
+    <p>Loading…</p>
+}
+else
+{
+    <section class="panel notice rise" style="animation-delay:.02s">
+        Per Q1 of the AdminUI rebuild plan, typed driver editors (Modbus, FOCAS) are deferred.
+        The expanded view below shows raw JSON config. Live editing — including a generic JSON
+        editor and per-driver-type forms when operators ask — lands in a Phase C.2 follow-up.
+    </section>
+
+    <section class="panel rise mt-3" style="animation-delay:.08s">
+        <div class="panel-head">@_rows.Count driver instance@(_rows.Count == 1 ? "" : "s")</div>
+        @if (_rows.Count == 0)
+        {
+            <div style="padding:1rem" class="text-muted">No driver instances for this cluster.</div>
+        }
+        else
+        {
+            @foreach (var d in _rows)
+            {
+                <details style="border-top:1px solid var(--rule)">
+                    <summary style="padding:.75rem 1rem;cursor:pointer">
+                        <span class="mono">@d.DriverInstanceId</span>
+                        &middot; <span>@d.Name</span>
+                        &middot; <span class="chip chip-idle ms-1">@d.DriverType</span>
+                        @if (!d.Enabled) { <span class="chip chip-idle ms-1">Disabled</span> }
+                        <span class="text-muted small ms-2">ns=@d.NamespaceId</span>
+                    </summary>
+                    <div style="padding:0 1rem 1rem">
+                        <div class="d-flex mb-2">
+                            <a href="/clusters/@ClusterId/drivers/@d.DriverInstanceId" class="btn btn-sm btn-outline-primary">Edit</a>
+                        </div>
+                        <pre class="mono small" style="background:var(--surface-2);padding:1rem;border-radius:4px;overflow:auto">@FormatJson(d.DriverConfig)</pre>
+                        @if (!string.IsNullOrWhiteSpace(d.ResilienceConfig))
+                        {
+                            <div class="text-muted small mt-2">Resilience overrides:</div>
+                            <pre class="mono small" style="background:var(--surface-2);padding:1rem;border-radius:4px;overflow:auto">@FormatJson(d.ResilienceConfig)</pre>
+                        }
+                    </div>
+                </details>
+            }
+        }
+    </section>
+}
+
+@code {
+    [Parameter] public string ClusterId { get; set; } = "";
+    private List<DriverInstance>? _rows;
+
+    protected override async Task OnInitializedAsync()
+    {
+        await using var db = await DbFactory.CreateDbContextAsync();
+        _rows = await db.DriverInstances.AsNoTracking()
+            .Where(d => d.ClusterId == ClusterId)
+            .OrderBy(d => d.DriverInstanceId)
+            .ToListAsync();
+    }
+
+    private static string FormatJson(string raw)
+    {
+        if (string.IsNullOrWhiteSpace(raw)) return "";
+        try
+        {
+            using var doc = System.Text.Json.JsonDocument.Parse(raw);
+            return System.Text.Json.JsonSerializer.Serialize(doc.RootElement,
+                new System.Text.Json.JsonSerializerOptions { WriteIndented = true });
+        }
+        catch
+        {
+            return raw;
+        }
+    }
+}
@@ -0,0 +1,200 @@
+@page "/clusters/{ClusterId}/edit"
+@* Edit page for an existing ServerCluster. The /clusters/new route lives in NewCluster.razor;
+   this page handles only the update case so the form can disable ClusterId (immutable). *@
+@attribute [Microsoft.AspNetCore.Authorization.Authorize]
+@rendermode RenderMode.InteractiveServer
+@using Microsoft.AspNetCore.Components.Forms
+@using Microsoft.EntityFrameworkCore
+@using System.ComponentModel.DataAnnotations
+@using ZB.MOM.WW.OtOpcUa.Configuration
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@using ZB.MOM.WW.OtOpcUa.Configuration.Enums
+@inject IDbContextFactory<OtOpcUaConfigDbContext> DbFactory
+@inject NavigationManager Nav
+@inject AuthenticationStateProvider AuthState
+
+<div class="d-flex justify-content-between align-items-center mb-3">
+    <h4 class="mb-0">Edit cluster &middot; <span class="mono">@ClusterId</span></h4>
+    <a href="/clusters/@ClusterId" class="btn btn-outline-secondary btn-sm">Cancel</a>
+</div>
+
+<ClusterNav ClusterId="@ClusterId" ActiveTab="overview" />
+
+@if (!_loaded)
+{
+    <p>Loading…</p>
+}
+else if (_existing is null)
+{
+    <section class="panel notice rise" style="animation-delay:.02s">
+        Cluster <span class="mono">@ClusterId</span> was not found.
+    </section>
+}
+else
+{
+    <EditForm Model="_form" OnValidSubmit="SubmitAsync" FormName="clusterEdit">
+        <DataAnnotationsValidator />
+        <section class="panel rise" style="animation-delay:.02s">
+            <div class="panel-head">Identity</div>
+            <div style="padding:1rem">
+                <div class="mb-3">
+                    <label class="form-label">ClusterId</label>
+                    <input class="form-control form-control-sm mono" value="@ClusterId" disabled />
+                    <div class="form-text">Immutable after creation. Operator-visible everywhere; renames would invalidate every downstream reference.</div>
+                </div>
+                <div class="mb-3">
+                    <label class="form-label" for="name">Name</label>
+                    <InputText id="name" @bind-Value="_form.Name" class="form-control form-control-sm" />
+                </div>
+                <div class="row">
+                    <div class="col-md-6 mb-3">
+                        <label class="form-label" for="enterprise">Enterprise</label>
+                        <InputText id="enterprise" @bind-Value="_form.Enterprise" class="form-control form-control-sm" />
+                    </div>
+                    <div class="col-md-6 mb-3">
+                        <label class="form-label" for="site">Site</label>
+                        <InputText id="site" @bind-Value="_form.Site" class="form-control form-control-sm" />
+                    </div>
+                </div>
+                <div class="mb-3">
+                    <label class="form-label">Enabled</label>
+                    <div class="form-check form-switch">
+                        <InputCheckbox @bind-Value="_form.Enabled" class="form-check-input" />
+                        <label class="form-check-label">Spawn drivers + serve endpoints in deployments</label>
+                    </div>
+                </div>
+            </div>
+        </section>
+
+        <section class="panel rise mt-3" style="animation-delay:.08s">
+            <div class="panel-head">Topology</div>
+            <div style="padding:1rem">
+                <div class="mb-3">
+                    <label class="form-label" for="redundancy">Redundancy mode</label>
+                    <InputSelect id="redundancy" @bind-Value="_form.RedundancyMode" class="form-select form-select-sm">
+                        <option value="@RedundancyMode.None">None (1 node)</option>
+                        <option value="@RedundancyMode.Warm">Warm (2 nodes)</option>
+                        <option value="@RedundancyMode.Hot">Hot (2 nodes)</option>
+                    </InputSelect>
+                </div>
+                <div class="mb-3">
+                    <label class="form-label" for="notes">Notes</label>
+                    <InputTextArea id="notes" @bind-Value="_form.Notes" class="form-control form-control-sm" rows="3" />
+                </div>
+            </div>
+        </section>
+
+        @if (!string.IsNullOrWhiteSpace(_error))
+        {
+            <div class="panel notice mt-3" style="border-color:var(--alert)">@_error</div>
+        }
+
+        <div class="mt-3 d-flex gap-2">
+            <button type="submit" class="btn btn-primary" disabled="@_busy">
+                @if (_busy) { <span class="spinner-border spinner-border-sm me-1"></span> }
+                Save changes
+            </button>
+            <a href="/clusters/@ClusterId" class="btn btn-outline-secondary">Cancel</a>
+            <button type="button" class="btn btn-outline-danger ms-auto" @onclick="DeleteAsync" disabled="@_busy">
+                Delete cluster
+            </button>
+        </div>
+    </EditForm>
+}
+
+@code {
+    [Parameter] public string ClusterId { get; set; } = "";
+
+    private FormModel _form = new();
+    private ServerCluster? _existing;
+    private bool _loaded;
+    private bool _busy;
+    private string? _error;
+
+    protected override async Task OnInitializedAsync()
+    {
+        await using var db = await DbFactory.CreateDbContextAsync();
+        _existing = await db.ServerClusters.AsNoTracking()
+            .FirstOrDefaultAsync(c => c.ClusterId == ClusterId);
+        if (_existing is not null)
+        {
+            _form = new FormModel
+            {
+                Name = _existing.Name,
+                Enterprise = _existing.Enterprise,
+                Site = _existing.Site,
+                RedundancyMode = _existing.RedundancyMode,
+                Enabled = _existing.Enabled,
+                Notes = _existing.Notes,
+            };
+        }
+        _loaded = true;
+    }
+
+    private async Task SubmitAsync()
+    {
+        _busy = true;
+        _error = null;
+        try
+        {
+            await using var db = await DbFactory.CreateDbContextAsync();
+            var entity = await db.ServerClusters.FirstOrDefaultAsync(c => c.ClusterId == ClusterId);
+            if (entity is null) { _error = "Cluster no longer exists."; return; }
+
+            var auth = await AuthState.GetAuthenticationStateAsync();
+            entity.Name = _form.Name;
+            entity.Enterprise = _form.Enterprise;
+            entity.Site = _form.Site;
+            entity.RedundancyMode = _form.RedundancyMode;
+            entity.NodeCount = _form.RedundancyMode == RedundancyMode.None ? (byte)1 : (byte)2;
+            entity.Enabled = _form.Enabled;
+            entity.Notes = string.IsNullOrWhiteSpace(_form.Notes) ? null : _form.Notes;
+            entity.ModifiedAt = DateTime.UtcNow;
+            entity.ModifiedBy = auth.User.Identity?.Name ?? "(anonymous)";
+
+            await db.SaveChangesAsync();
+            Nav.NavigateTo($"/clusters/{ClusterId}");
+        }
+        catch (Exception ex)
+        {
+            _error = ex.Message;
+        }
+        finally
+        {
+            _busy = false;
+        }
+    }
+
+    private async Task DeleteAsync()
+    {
+        _busy = true;
+        _error = null;
+        try
+        {
+            await using var db = await DbFactory.CreateDbContextAsync();
+            var entity = await db.ServerClusters.FirstOrDefaultAsync(c => c.ClusterId == ClusterId);
+            if (entity is null) { Nav.NavigateTo("/clusters"); return; }
+            db.ServerClusters.Remove(entity);
+            await db.SaveChangesAsync();
+            Nav.NavigateTo("/clusters");
+        }
+        catch (Exception ex)
+        {
+            _error = $"Delete failed: {ex.Message}. Likely because nodes, namespaces, drivers, or other rows still reference this cluster — remove them first.";
+        }
+        finally
+        {
+            _busy = false;
+        }
+    }
+
+    private sealed class FormModel
+    {
+        [Required] public string Name { get; set; } = "";
+        [Required] public string Enterprise { get; set; } = "";
+        [Required] public string Site { get; set; } = "";
+        public RedundancyMode RedundancyMode { get; set; } = RedundancyMode.None;
+        public bool Enabled { get; set; } = true;
+        public string? Notes { get; set; }
+    }
+}
@@ -0,0 +1,91 @@
+@page "/clusters/{ClusterId}/equipment"
+@attribute [Microsoft.AspNetCore.Authorization.Authorize]
+@rendermode RenderMode.InteractiveServer
+@using Microsoft.EntityFrameworkCore
+@using ZB.MOM.WW.OtOpcUa.Configuration
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@inject IDbContextFactory<OtOpcUaConfigDbContext> DbFactory
+
+<div class="d-flex justify-content-between align-items-center mb-3">
+    <h4 class="mb-0">Equipment &middot; <span class="mono">@ClusterId</span></h4>
+    <div class="d-flex gap-2">
+        <a href="/clusters/@ClusterId/equipment/import" class="btn btn-outline-primary btn-sm">Import CSV…</a>
+        <a href="/clusters/@ClusterId/equipment/new" class="btn btn-primary btn-sm">New equipment</a>
+    </div>
+</div>
+
+<ClusterNav ClusterId="@ClusterId" ActiveTab="equipment" />
+
+@if (_rows is null)
+{
+    <p>Loading…</p>
+}
+else
+{
+    <section class="panel notice rise" style="animation-delay:.02s">
+        Equipment rows are scoped to a UNS line and bound to a single driver. EquipmentId is
+        system-generated (decision #125); browse identifiers are MachineCode (operator) + ZTag
+        (ERP). Live editing lands in a Phase C.2 follow-up.
+    </section>
+
+    <section class="panel rise mt-3" style="animation-delay:.08s">
+        <div class="panel-head">@_rows.Count equipment row@(_rows.Count == 1 ? "" : "s")</div>
+        @if (_rows.Count == 0)
+        {
+            <div style="padding:1rem" class="text-muted">No equipment defined for this cluster.</div>
+        }
+        else
+        {
+            <div class="table-wrap">
+                <table class="data-table">
+                    <thead>
+                        <tr>
+                            <th>EquipmentId</th>
+                            <th>Name</th>
+                            <th>MachineCode</th>
+                            <th>ZTag</th>
+                            <th>Driver</th>
+                            <th>UNS line</th>
+                            <th>Identification</th>
+                            <th></th>
+                        </tr>
+                    </thead>
+                    <tbody>
+                        @foreach (var e in _rows)
+                        {
+                            <tr>
+                                <td><span class="mono small">@e.EquipmentId</span></td>
+                                <td>@e.Name</td>
+                                <td><span class="mono">@e.MachineCode</span></td>
+                                <td>@(e.ZTag ?? "—")</td>
+                                <td><span class="mono small">@e.DriverInstanceId</span></td>
+                                <td><span class="mono small">@e.UnsLineId</span></td>
+                                <td class="text-muted small">
+                                    @if (!string.IsNullOrWhiteSpace(e.Manufacturer)) { <span>@e.Manufacturer</span> }
+                                    @if (!string.IsNullOrWhiteSpace(e.Model)) { <span class="ms-1">/ @e.Model</span> }
+                                </td>
+                                <td><a href="/clusters/@ClusterId/equipment/@e.EquipmentId" class="btn btn-sm btn-outline-primary">Edit</a></td>
+                            </tr>
+                        }
+                    </tbody>
+                </table>
+            </div>
+        }
+    </section>
+}
+
+@code {
+    [Parameter] public string ClusterId { get; set; } = "";
+    private List<Equipment>? _rows;
+
+    protected override async Task OnInitializedAsync()
+    {
+        await using var db = await DbFactory.CreateDbContextAsync();
+        var driversInCluster = db.DriverInstances.AsNoTracking()
+            .Where(d => d.ClusterId == ClusterId).Select(d => d.DriverInstanceId);
+        _rows = await db.Equipment.AsNoTracking()
+            .Where(e => driversInCluster.Contains(e.DriverInstanceId))
+            .OrderBy(e => e.Name)
+            .ToListAsync();
+    }
+}
@@ -0,0 +1,82 @@
+@page "/clusters/{ClusterId}/namespaces"
+@attribute [Microsoft.AspNetCore.Authorization.Authorize]
+@rendermode RenderMode.InteractiveServer
+@using Microsoft.EntityFrameworkCore
+@using ZB.MOM.WW.OtOpcUa.Configuration
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@inject IDbContextFactory<OtOpcUaConfigDbContext> DbFactory
+
+<div class="d-flex justify-content-between align-items-center mb-3">
+    <h4 class="mb-0">Namespaces &middot; <span class="mono">@ClusterId</span></h4>
+    <a href="/clusters/@ClusterId/namespaces/new" class="btn btn-primary btn-sm">New namespace</a>
+</div>
+
+<ClusterNav ClusterId="@ClusterId" ActiveTab="namespaces" />
+
+@if (_rows is null)
+{
+    <p>Loading…</p>
+}
+else
+{
+    <section class="panel notice rise" style="animation-delay:.02s">
+        Namespaces are content (decision #123) — they're served at the OPC UA endpoint and bound
+        to driver instances. NamespaceUri must be unique fleet-wide. Live editing lands in a
+        Phase C.2 follow-up.
+    </section>
+
+    <section class="panel rise mt-3" style="animation-delay:.08s">
+        <div class="panel-head">@_rows.Count namespace@(_rows.Count == 1 ? "" : "s")</div>
+        @if (_rows.Count == 0)
+        {
+            <div style="padding:1rem" class="text-muted">No namespaces defined for this cluster.</div>
+        }
+        else
+        {
+            <div class="table-wrap">
+                <table class="data-table">
+                    <thead>
+                        <tr>
+                            <th>NamespaceId</th>
+                            <th>Kind</th>
+                            <th>URI</th>
+                            <th>Status</th>
+                            <th>Notes</th>
+                            <th></th>
+                        </tr>
+                    </thead>
+                    <tbody>
+                        @foreach (var n in _rows)
+                        {
+                            <tr>
+                                <td><span class="mono">@n.NamespaceId</span></td>
+                                <td>@n.Kind</td>
+                                <td><span class="mono small">@n.NamespaceUri</span></td>
+                                <td>
+                                    @if (n.Enabled) { <span class="chip chip-ok">Enabled</span> }
+                                    else { <span class="chip chip-idle">Disabled</span> }
+                                </td>
+                                <td class="text-muted small">@(n.Notes ?? "")</td>
+                                <td><a href="/clusters/@ClusterId/namespaces/@n.NamespaceId" class="btn btn-sm btn-outline-primary">Edit</a></td>
+                            </tr>
+                        }
+                    </tbody>
+                </table>
+            </div>
+        }
+    </section>
+}
+
+@code {
+    [Parameter] public string ClusterId { get; set; } = "";
+    private List<Namespace>? _rows;
+
+    protected override async Task OnInitializedAsync()
+    {
+        await using var db = await DbFactory.CreateDbContextAsync();
+        _rows = await db.Namespaces.AsNoTracking()
+            .Where(n => n.ClusterId == ClusterId)
+            .OrderBy(n => n.NamespaceId)
+            .ToListAsync();
+    }
+}
@@ -0,0 +1,139 @@
+@page "/clusters/{ClusterId}"
+@attribute [Microsoft.AspNetCore.Authorization.Authorize]
+@rendermode RenderMode.InteractiveServer
+@using Microsoft.EntityFrameworkCore
+@using ZB.MOM.WW.OtOpcUa.Configuration
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@inject IDbContextFactory<OtOpcUaConfigDbContext> DbFactory
+@inject NavigationManager Nav
+
+@if (!_loaded)
+{
+    <p>Loading…</p>
+}
+else if (_cluster is null)
+{
+    <section class="panel notice rise" style="animation-delay:.02s">
+        Cluster <span class="mono">@ClusterId</span> was not found.
+        <a class="ms-2" href="/clusters">Back to list</a>.
+    </section>
+}
+else
+{
+    <div class="d-flex justify-content-between align-items-center mb-3">
+        <div>
+            <h4 class="mb-0">@_cluster.Name</h4>
+            <span class="mono text-muted">@_cluster.ClusterId</span>
+            @if (!_cluster.Enabled) { <span class="chip chip-idle ms-2">Disabled</span> }
+        </div>
+        <div class="d-flex gap-2">
+            <a href="/clusters/@ClusterId/edit" class="btn btn-outline-secondary btn-sm">Edit cluster</a>
+            <a href="/deployments" class="btn btn-outline-primary btn-sm">Deployments</a>
+        </div>
+    </div>
+
+    <ClusterNav ClusterId="@ClusterId" ActiveTab="overview" />
+
+    <section class="card-grid rise" style="animation-delay:.08s">
+        <div class="metric-card">
+            <div class="panel-head">Cluster details</div>
+            <div class="kv"><span class="k">Enterprise / Site</span><span class="v">@_cluster.Enterprise / @_cluster.Site</span></div>
+            <div class="kv"><span class="k">Redundancy</span><span class="v">@_cluster.RedundancyMode (@_cluster.NodeCount node@(_cluster.NodeCount == 1 ? "" : "s"))</span></div>
+            <div class="kv"><span class="k">Created</span><span class="v">@_cluster.CreatedAt.ToString("u") by @_cluster.CreatedBy</span></div>
+            @if (_cluster.ModifiedAt is not null)
+            {
+                <div class="kv"><span class="k">Modified</span><span class="v">@_cluster.ModifiedAt?.ToString("u") by @(_cluster.ModifiedBy ?? "—")</span></div>
+            }
+            @if (!string.IsNullOrWhiteSpace(_cluster.Notes))
+            {
+                <div class="kv"><span class="k">Notes</span><span class="v">@_cluster.Notes</span></div>
+            }
+        </div>
+
+        <div class="metric-card">
+            <div class="panel-head">Last deployment</div>
+            @if (_lastDeployment is null)
+            {
+                <div class="kv"><span class="k">Status</span><span class="v text-muted">none — cluster has never been deployed</span></div>
+            }
+            else
+            {
+                <div class="kv"><span class="k">Revision</span><span class="v mono">@_lastDeployment.RevisionHash[..16]…</span></div>
+                <div class="kv"><span class="k">Status</span><span class="v">@_lastDeployment.Status</span></div>
+                <div class="kv"><span class="k">Created</span><span class="v">@_lastDeployment.CreatedAtUtc.ToString("u")</span></div>
+                @if (_lastDeployment.SealedAtUtc is not null)
+                {
+                    <div class="kv"><span class="k">Sealed</span><span class="v">@_lastDeployment.SealedAtUtc?.ToString("u")</span></div>
+                }
+            }
+        </div>
+    </section>
+
+    <section class="panel rise mt-3" style="animation-delay:.14s">
+        <div class="panel-head d-flex align-items-center">
+            <span>Nodes</span>
+            <a href="/clusters/@ClusterId/nodes/new" class="btn btn-sm btn-outline-primary ms-auto">New node</a>
+        </div>
+        @if (_nodes is null || _nodes.Count == 0)
+        {
+            <div style="padding:1rem" class="text-muted">No nodes registered.</div>
+        }
+        else
+        {
+            <div class="table-wrap">
+                <table class="data-table">
+                    <thead>
+                        <tr>
+                            <th>Node ID</th>
+                            <th>Host</th>
+                            <th>OPC UA port</th>
+                            <th>ApplicationUri</th>
+                            <th class="num">ServiceLevel base</th>
+                            <th></th>
+                        </tr>
+                    </thead>
+                    <tbody>
+                        @foreach (var n in _nodes)
+                        {
+                            <tr>
+                                <td><span class="mono">@n.NodeId</span></td>
+                                <td>@n.Host</td>
+                                <td class="num">@n.OpcUaPort</td>
+                                <td><span class="mono small">@n.ApplicationUri</span></td>
+                                <td class="num">@n.ServiceLevelBase</td>
+                                <td><a href="/clusters/@ClusterId/nodes/@n.NodeId" class="btn btn-sm btn-outline-primary">Edit</a></td>
+                            </tr>
+                        }
+                    </tbody>
+                </table>
+            </div>
+        }
+    </section>
+}
+
+@code {
+    [Parameter] public string ClusterId { get; set; } = "";
+
+    private bool _loaded;
+    private ServerCluster? _cluster;
+    private List<ClusterNode>? _nodes;
+    private Deployment? _lastDeployment;
+
+    protected override async Task OnInitializedAsync()
+    {
+        await using var db = await DbFactory.CreateDbContextAsync();
+        _cluster = await db.ServerClusters.AsNoTracking()
+            .FirstOrDefaultAsync(c => c.ClusterId == ClusterId);
+        if (_cluster is not null)
+        {
+            _nodes = await db.ClusterNodes.AsNoTracking()
+                .Where(n => n.ClusterId == ClusterId)
+                .OrderBy(n => n.NodeId)
+                .ToListAsync();
+            _lastDeployment = await db.Deployments.AsNoTracking()
+                .OrderByDescending(d => d.CreatedAtUtc)
+                .FirstOrDefaultAsync();
+        }
+        _loaded = true;
+    }
+}
@@ -0,0 +1,108 @@
+@page "/clusters/{ClusterId}/redundancy"
+@attribute [Microsoft.AspNetCore.Authorization.Authorize]
+@rendermode RenderMode.InteractiveServer
+@using Microsoft.EntityFrameworkCore
+@using ZB.MOM.WW.OtOpcUa.Configuration
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@inject IDbContextFactory<OtOpcUaConfigDbContext> DbFactory
+
+@if (!_loaded)
+{
+    <p>Loading…</p>
+}
+else if (_cluster is null)
+{
+    <section class="panel notice rise" style="animation-delay:.02s">
+        Cluster <span class="mono">@ClusterId</span> was not found.
+        <a class="ms-2" href="/clusters">Back to list</a>.
+    </section>
+}
+else
+{
+    <div class="d-flex justify-content-between align-items-center mb-3">
+        <div>
+            <h4 class="mb-0">@_cluster.Name &middot; Redundancy</h4>
+            <span class="mono text-muted">@_cluster.ClusterId</span>
+        </div>
+    </div>
+
+    <ClusterNav ClusterId="@ClusterId" ActiveTab="redundancy" />
+
+    <section class="panel notice rise" style="animation-delay:.02s">
+        v2 redundancy is computed at runtime by <span class="mono">RedundancyStateActor</span>
+        on each admin node. The values below are the static configuration; the resolved live
+        <span class="mono">ServiceLevel</span> for each peer is broadcast on the
+        <span class="mono">redundancy-state</span> DPS topic and consumed by the OPC UA host's
+        <span class="mono">ServerStatus</span> publisher. See
+        <a href="/docs/v2/Architecture-v2.md">docs/v2/Architecture-v2.md</a>.
+    </section>
+
+    <section class="card-grid rise mt-3" style="animation-delay:.08s">
+        <div class="metric-card">
+            <div class="panel-head">Cluster redundancy</div>
+            <div class="kv"><span class="k">Mode</span><span class="v">@_cluster.RedundancyMode</span></div>
+            <div class="kv"><span class="k">Node count</span><span class="v">@_cluster.NodeCount</span></div>
+        </div>
+    </section>
+
+    <section class="panel rise mt-3" style="animation-delay:.14s">
+        <div class="panel-head">Node service-level configuration</div>
+        @if (_nodes is null || _nodes.Count == 0)
+        {
+            <div style="padding:1rem" class="text-muted">No nodes registered.</div>
+        }
+        else
+        {
+            <div class="table-wrap">
+                <table class="data-table">
+                    <thead>
+                        <tr>
+                            <th>Node ID</th>
+                            <th>ApplicationUri</th>
+                            <th class="num">ServiceLevel base</th>
+                            <th>Notes</th>
+                        </tr>
+                    </thead>
+                    <tbody>
+                        @foreach (var n in _nodes)
+                        {
+                            <tr>
+                                <td><span class="mono">@n.NodeId</span></td>
+                                <td><span class="mono small">@n.ApplicationUri</span></td>
+                                <td class="num">@n.ServiceLevelBase</td>
+                                <td class="text-muted small">
+                                    @if (n.ServiceLevelBase >= 200) { <text>Primary preference</text> }
+                                    else if (n.ServiceLevelBase >= 100) { <text>Secondary preference</text> }
+                                    else { <text>Custom</text> }
+                                </td>
+                            </tr>
+                        }
+                    </tbody>
+                </table>
+            </div>
+        }
+    </section>
+}
+
+@code {
+    [Parameter] public string ClusterId { get; set; } = "";
+
+    private bool _loaded;
+    private ServerCluster? _cluster;
+    private List<ClusterNode>? _nodes;
+
+    protected override async Task OnInitializedAsync()
+    {
+        await using var db = await DbFactory.CreateDbContextAsync();
+        _cluster = await db.ServerClusters.AsNoTracking()
+            .FirstOrDefaultAsync(c => c.ClusterId == ClusterId);
+        if (_cluster is not null)
+        {
+            _nodes = await db.ClusterNodes.AsNoTracking()
+                .Where(n => n.ClusterId == ClusterId)
+                .OrderBy(n => n.NodeId)
+                .ToListAsync();
+        }
+        _loaded = true;
+    }
+}
@@ -0,0 +1,106 @@
+@page "/clusters/{ClusterId}/tags"
+@attribute [Microsoft.AspNetCore.Authorization.Authorize]
+@rendermode RenderMode.InteractiveServer
+@using Microsoft.EntityFrameworkCore
+@using ZB.MOM.WW.OtOpcUa.Configuration
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@inject IDbContextFactory<OtOpcUaConfigDbContext> DbFactory
+
+<div class="d-flex justify-content-between align-items-center mb-3">
+    <h4 class="mb-0">Tags &middot; <span class="mono">@ClusterId</span></h4>
+    <a href="/clusters/@ClusterId/tags/new" class="btn btn-primary btn-sm">New tag</a>
+</div>
+
+<ClusterNav ClusterId="@ClusterId" ActiveTab="tags" />
+
+@if (_rows is null)
+{
+    <p>Loading…</p>
+}
+else
+{
+    <section class="panel notice rise" style="animation-delay:.02s">
+        Tags are bound to a driver instance and (optionally) an equipment + poll group. The view
+        below shows the first @PageSize tags by Name; full pagination + search land in Phase C.2.
+    </section>
+
+    <div class="d-flex align-items-center mb-3 gap-2 mt-3">
+        <input type="text" class="form-control form-control-sm" style="max-width:300px"
+               placeholder="Filter by name (substring)…"
+               @bind="_filter" @bind:event="oninput" />
+        <span class="text-muted small">
+            Showing @VisibleRows.Count of @_rows.Count
+        </span>
+    </div>
+
+    <section class="panel rise" style="animation-delay:.08s">
+        <div class="panel-head">Tags</div>
+        @if (VisibleRows.Count == 0)
+        {
+            <div style="padding:1rem" class="text-muted">No tags match the current filter.</div>
+        }
+        else
+        {
+            <div class="table-wrap">
+                <table class="data-table">
+                    <thead>
+                        <tr>
+                            <th>TagId</th>
+                            <th>Name</th>
+                            <th>Driver</th>
+                            <th>Equipment</th>
+                            <th>Data type</th>
+                            <th>Access</th>
+                            <th>Folder</th>
+                            <th>Poll group</th>
+                            <th></th>
+                        </tr>
+                    </thead>
+                    <tbody>
+                        @foreach (var t in VisibleRows)
+                        {
+                            <tr>
+                                <td><span class="mono small">@t.TagId</span></td>
+                                <td>@t.Name</td>
+                                <td><span class="mono small">@t.DriverInstanceId</span></td>
+                                <td>@(t.EquipmentId ?? "—")</td>
+                                <td><span class="mono small">@t.DataType</span></td>
+                                <td>@t.AccessLevel</td>
+                                <td class="text-muted small">@(t.FolderPath ?? "")</td>
+                                <td>@(t.PollGroupId ?? "—")</td>
+                                <td><a href="/clusters/@ClusterId/tags/@t.TagId" class="btn btn-sm btn-outline-primary">Edit</a></td>
+                            </tr>
+                        }
+                    </tbody>
+                </table>
+            </div>
+        }
+    </section>
+}
+
+@code {
+    private const int PageSize = 200;
+
+    [Parameter] public string ClusterId { get; set; } = "";
+    private List<Tag>? _rows;
+    private string _filter = "";
+
+    private List<Tag> VisibleRows => (_rows ?? new())
+        .Where(t => string.IsNullOrWhiteSpace(_filter)
+                 || t.Name.Contains(_filter, StringComparison.OrdinalIgnoreCase))
+        .Take(PageSize)
+        .ToList();
+
+    protected override async Task OnInitializedAsync()
+    {
+        await using var db = await DbFactory.CreateDbContextAsync();
+        // Tags don't carry ClusterId; resolve via DriverInstance scoping.
+        var driverIds = db.DriverInstances.AsNoTracking()
+            .Where(d => d.ClusterId == ClusterId)
+            .Select(d => d.DriverInstanceId);
+        _rows = await db.Tags.AsNoTracking()
+            .Where(t => driverIds.Contains(t.DriverInstanceId))
+            .OrderBy(t => t.Name)
+            .ToListAsync();
+    }
+}
@@ -0,0 +1,107 @@
+@page "/clusters/{ClusterId}/uns"
+@attribute [Microsoft.AspNetCore.Authorization.Authorize]
+@rendermode RenderMode.InteractiveServer
+@using Microsoft.EntityFrameworkCore
+@using ZB.MOM.WW.OtOpcUa.Configuration
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@inject IDbContextFactory<OtOpcUaConfigDbContext> DbFactory
+
+<div class="d-flex justify-content-between align-items-center mb-3">
+    <h4 class="mb-0">UNS structure &middot; <span class="mono">@ClusterId</span></h4>
+</div>
+
+<ClusterNav ClusterId="@ClusterId" ActiveTab="uns" />
+
+@if (_areas is null || _lines is null)
+{
+    <p>Loading…</p>
+}
+else
+{
+    <section class="panel notice rise" style="animation-delay:.02s">
+        UNS levels: Enterprise (cluster) → Site (cluster) → Area → Line → Equipment. Areas and
+        lines are cluster-scoped; equipment hangs under a single line. Live editing lands in a
+        Phase C.2 follow-up.
+    </section>
+
+    <section class="panel rise mt-3" style="animation-delay:.08s">
+        <div class="panel-head d-flex align-items-center">
+            <span>Areas (level 3) &middot; @_areas.Count</span>
+            <a href="/clusters/@ClusterId/uns/areas/new" class="btn btn-sm btn-outline-primary ms-auto">New area</a>
+        </div>
+        @if (_areas.Count == 0)
+        {
+            <div style="padding:1rem" class="text-muted">No areas defined.</div>
+        }
+        else
+        {
+            <div class="table-wrap">
+                <table class="data-table">
+                    <thead><tr><th>UnsAreaId</th><th>Name</th><th>Notes</th><th></th></tr></thead>
+                    <tbody>
+                        @foreach (var a in _areas)
+                        {
+                            <tr>
+                                <td><span class="mono">@a.UnsAreaId</span></td>
+                                <td>@a.Name</td>
+                                <td class="text-muted small">@(a.Notes ?? "")</td>
+                                <td><a href="/clusters/@ClusterId/uns/areas/@a.UnsAreaId" class="btn btn-sm btn-outline-primary">Edit</a></td>
+                            </tr>
+                        }
+                    </tbody>
+                </table>
+            </div>
+        }
+    </section>
+
+    <section class="panel rise mt-3" style="animation-delay:.14s">
+        <div class="panel-head d-flex align-items-center">
+            <span>Lines (level 4) &middot; @_lines.Count</span>
+            <a href="/clusters/@ClusterId/uns/lines/new" class="btn btn-sm btn-outline-primary ms-auto">New line</a>
+        </div>
+        @if (_lines.Count == 0)
+        {
+            <div style="padding:1rem" class="text-muted">No lines defined.</div>
+        }
+        else
+        {
+            <div class="table-wrap">
+                <table class="data-table">
+                    <thead><tr><th>UnsLineId</th><th>Name</th><th>Area</th><th>Notes</th><th></th></tr></thead>
+                    <tbody>
+                        @foreach (var l in _lines)
+                        {
+                            <tr>
+                                <td><span class="mono">@l.UnsLineId</span></td>
+                                <td>@l.Name</td>
+                                <td><span class="mono">@l.UnsAreaId</span></td>
+                                <td class="text-muted small">@(l.Notes ?? "")</td>
+                                <td><a href="/clusters/@ClusterId/uns/lines/@l.UnsLineId" class="btn btn-sm btn-outline-primary">Edit</a></td>
+                            </tr>
+                        }
+                    </tbody>
+                </table>
+            </div>
+        }
+    </section>
+}
+
+@code {
+    [Parameter] public string ClusterId { get; set; } = "";
+    private List<UnsArea>? _areas;
+    private List<UnsLine>? _lines;
+
+    protected override async Task OnInitializedAsync()
+    {
+        await using var db = await DbFactory.CreateDbContextAsync();
+        _areas = await db.UnsAreas.AsNoTracking()
+            .Where(a => a.ClusterId == ClusterId)
+            .OrderBy(a => a.UnsAreaId)
+            .ToListAsync();
+        var areaIds = _areas.Select(a => a.UnsAreaId).ToList();
+        _lines = await db.UnsLines.AsNoTracking()
+            .Where(l => areaIds.Contains(l.UnsAreaId))
+            .OrderBy(l => l.UnsAreaId).ThenBy(l => l.UnsLineId)
+            .ToListAsync();
+    }
+}
@@ -0,0 +1,77 @@
+@page "/clusters"
+@attribute [Microsoft.AspNetCore.Authorization.Authorize]
+@rendermode RenderMode.InteractiveServer
+@using Microsoft.EntityFrameworkCore
+@using ZB.MOM.WW.OtOpcUa.Configuration
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@inject IDbContextFactory<OtOpcUaConfigDbContext> DbFactory
+@inject NavigationManager Nav
+
+<div class="d-flex justify-content-between align-items-center mb-3">
+    <h4 class="mb-0">Clusters</h4>
+    <a href="/clusters/new" class="btn btn-primary btn-sm">New cluster</a>
+</div>
+
+@if (_rows is null)
+{
+    <p>Loading…</p>
+}
+else if (_rows.Count == 0)
+{
+    <section class="panel notice rise" style="animation-delay:.02s">
+        No clusters defined yet. Use <strong>New cluster</strong> above to create one.
+    </section>
+}
+else
+{
+    <section class="panel rise" style="animation-delay:.08s">
+        <div class="panel-head">All clusters</div>
+        <div class="table-wrap">
+            <table class="data-table">
+                <thead>
+                    <tr>
+                        <th>Cluster</th>
+                        <th>Site</th>
+                        <th>Nodes</th>
+                        <th>Redundancy</th>
+                        <th>Status</th>
+                        <th>Created</th>
+                    </tr>
+                </thead>
+                <tbody>
+                    @foreach (var c in _rows)
+                    {
+                        <tr style="cursor:pointer" @onclick="() => OpenCluster(c.ClusterId)">
+                            <td>
+                                <span class="mono">@c.ClusterId</span>
+                                <div class="text-muted small">@c.Name</div>
+                            </td>
+                            <td>@c.Enterprise / @c.Site</td>
+                            <td class="num">@c.NodeCount</td>
+                            <td>@c.RedundancyMode</td>
+                            <td>
+                                @if (c.Enabled) { <span class="chip chip-ok">Enabled</span> }
+                                else { <span class="chip chip-idle">Disabled</span> }
+                            </td>
+                            <td class="text-muted small">@c.CreatedAt.ToString("u")</td>
+                        </tr>
+                    }
+                </tbody>
+            </table>
+        </div>
+    </section>
+}
+
+@code {
+    private List<ServerCluster>? _rows;
+
+    protected override async Task OnInitializedAsync()
+    {
+        await using var db = await DbFactory.CreateDbContextAsync();
+        _rows = await db.ServerClusters.AsNoTracking()
+            .OrderBy(c => c.ClusterId)
+            .ToListAsync();
+    }
+
+    private void OpenCluster(string clusterId) => Nav.NavigateTo($"/clusters/{clusterId}");
+}
@@ -0,0 +1,323 @@
+@page "/clusters/{ClusterId}/drivers/new"
+@page "/clusters/{ClusterId}/drivers/{DriverInstanceId}"
+@* Per Q1 of the AdminUI rebuild plan — JSON editor only, typed driver editors deferred.
+   DriverInstance is the keystone for everything downstream (Equipment, Tag, VirtualTag,
+   ScriptedAlarm all reference DriverInstanceId), so this is the second edit page after
+   Namespace. *@
+@attribute [Microsoft.AspNetCore.Authorization.Authorize]
+@rendermode RenderMode.InteractiveServer
+@using Microsoft.AspNetCore.Components.Forms
+@using Microsoft.EntityFrameworkCore
+@using System.ComponentModel.DataAnnotations
+@using ZB.MOM.WW.OtOpcUa.Configuration
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@inject IDbContextFactory<OtOpcUaConfigDbContext> DbFactory
+@inject NavigationManager Nav
+
+<div class="d-flex justify-content-between align-items-center mb-3">
+    <h4 class="mb-0">@(IsNew ? "New driver instance" : "Edit driver instance") &middot; <span class="mono">@ClusterId</span></h4>
+    <a href="/clusters/@ClusterId/drivers" class="btn btn-outline-secondary btn-sm">Cancel</a>
+</div>
+
+<ClusterNav ClusterId="@ClusterId" ActiveTab="drivers" />
+
+@if (!_loaded)
+{
+    <p>Loading…</p>
+}
+else if (!IsNew && _existing is null)
+{
+    <section class="panel notice rise" style="animation-delay:.02s">
+        Driver instance <span class="mono">@DriverInstanceId</span> was not found in cluster <span class="mono">@ClusterId</span>.
+    </section>
+}
+else
+{
+    <EditForm Model="_form" OnValidSubmit="SubmitAsync" FormName="driverEdit">
+        <DataAnnotationsValidator />
+        <section class="panel rise" style="animation-delay:.02s">
+            <div class="panel-head">@(IsNew ? "Identity" : $"Edit {_form.DriverInstanceId}")</div>
+            <div style="padding:1rem">
+                <div class="row">
+                    <div class="col-md-6 mb-3">
+                        <label class="form-label" for="instId">DriverInstanceId</label>
+                        <InputText id="instId" @bind-Value="_form.DriverInstanceId" disabled="@(!IsNew)"
+                                   class="form-control form-control-sm mono"
+                                   placeholder="drv-modbus-line3-01" />
+                    </div>
+                    <div class="col-md-6 mb-3">
+                        <label class="form-label" for="name">Display name</label>
+                        <InputText id="name" @bind-Value="_form.Name" class="form-control form-control-sm"
+                                   placeholder="Line 3 Modbus" />
+                    </div>
+                </div>
+                <div class="row">
+                    <div class="col-md-6 mb-3">
+                        <label class="form-label" for="dtype">Driver type</label>
+                        <InputSelect id="dtype" @bind-Value="_form.DriverType" disabled="@(!IsNew)"
+                                     class="form-select form-select-sm">
+                            <option value="ModbusTcp">ModbusTcp</option>
+                            <option value="AbCip">AbCip</option>
+                            <option value="AbLegacy">AbLegacy</option>
+                            <option value="S7">S7</option>
+                            <option value="TwinCat">TwinCat</option>
+                            <option value="Focas">Focas</option>
+                            <option value="OpcUaClient">OpcUaClient</option>
+                            <option value="Galaxy">Galaxy</option>
+                            <option value="Historian.Wonderware">Historian.Wonderware</option>
+                        </InputSelect>
+                        <div class="form-text">Cannot be changed after creation — drives the actor type that owns this instance.</div>
+                    </div>
+                    <div class="col-md-6 mb-3">
+                        <label class="form-label" for="ns">Namespace</label>
+                        <InputSelect id="ns" @bind-Value="_form.NamespaceId" class="form-select form-select-sm">
+                            @foreach (var ns in _namespaces)
+                            {
+                                <option value="@ns.NamespaceId">@ns.NamespaceId (@ns.Kind)</option>
+                            }
+                        </InputSelect>
+                    </div>
+                </div>
+                <div class="mb-3">
+                    <label class="form-label" for="enabled">Enabled</label>
+                    <div class="form-check form-switch">
+                        <InputCheckbox id="enabled" @bind-Value="_form.Enabled" class="form-check-input" />
+                        <label class="form-check-label" for="enabled">Spawn this driver in deployments</label>
+                    </div>
+                </div>
+            </div>
+        </section>
+
+        <section class="panel rise mt-3" style="animation-delay:.08s">
+            <div class="panel-head">Driver config (JSON)</div>
+            <div style="padding:1rem">
+                <InputTextArea @bind-Value="_form.DriverConfig" rows="12"
+                               class="form-control form-control-sm mono"
+                               placeholder='{ "endpoint": "10.0.0.42:502", "slaveId": 1 }' />
+                <div class="form-text">Schemaless per driver type — validated server-side at deploy time. JSON is reformatted on save.</div>
+            </div>
+        </section>
+
+        <section class="panel rise mt-3" style="animation-delay:.14s">
+            <div class="panel-head">Resilience overrides (optional)</div>
+            <div style="padding:1rem">
+                <InputTextArea @bind-Value="_form.ResilienceConfig" rows="6"
+                               class="form-control form-control-sm mono"
+                               placeholder='Leave blank to use tier defaults' />
+                <div class="form-text">Polly pipeline overrides per docs/v2/driver-stability.md — bulkhead, retry counts, breaker thresholds. Null = use the driver type's tier defaults.</div>
+            </div>
+        </section>
+
+        @if (!string.IsNullOrWhiteSpace(_error))
+        {
+            <div class="panel notice mt-3" style="border-color:var(--alert)">@_error</div>
+        }
+
+        <div class="mt-3 d-flex gap-2">
+            <button type="submit" class="btn btn-primary" disabled="@_busy">
+                @if (_busy) { <span class="spinner-border spinner-border-sm me-1"></span> }
+                @(IsNew ? "Create" : "Save changes")
+            </button>
+            <a href="/clusters/@ClusterId/drivers" class="btn btn-outline-secondary">Cancel</a>
+            @if (!IsNew)
+            {
+                <button type="button" class="btn btn-outline-danger ms-auto" @onclick="DeleteAsync" disabled="@_busy">
+                    Delete
+                </button>
+            }
+        </div>
+    </EditForm>
+}
+
+@code {
+    [Parameter] public string ClusterId { get; set; } = "";
+    [Parameter] public string? DriverInstanceId { get; set; }
+
+    private bool IsNew => string.IsNullOrEmpty(DriverInstanceId);
+
+    private FormModel _form = new();
+    private DriverInstance? _existing;
+    private List<Namespace> _namespaces = new();
+    private bool _loaded;
+    private bool _busy;
+    private string? _error;
+
+    protected override async Task OnInitializedAsync()
+    {
+        await using var db = await DbFactory.CreateDbContextAsync();
+        _namespaces = await db.Namespaces.AsNoTracking()
+            .Where(n => n.ClusterId == ClusterId)
+            .OrderBy(n => n.NamespaceId)
+            .ToListAsync();
+
+        if (IsNew)
+        {
+            _form = new FormModel
+            {
+                DriverInstanceId = "",
+                Name = "",
+                DriverType = "ModbusTcp",
+                NamespaceId = _namespaces.FirstOrDefault()?.NamespaceId ?? "",
+                Enabled = true,
+                DriverConfig = "{}",
+            };
+        }
+        else
+        {
+            _existing = await db.DriverInstances.AsNoTracking()
+                .FirstOrDefaultAsync(d => d.ClusterId == ClusterId && d.DriverInstanceId == DriverInstanceId);
+            if (_existing is not null)
+            {
+                _form = new FormModel
+                {
+                    DriverInstanceId = _existing.DriverInstanceId,
+                    Name = _existing.Name,
+                    DriverType = _existing.DriverType,
+                    NamespaceId = _existing.NamespaceId,
+                    Enabled = _existing.Enabled,
+                    DriverConfig = _existing.DriverConfig,
+                    ResilienceConfig = _existing.ResilienceConfig,
+                    RowVersion = _existing.RowVersion,
+                };
+            }
+        }
+        _loaded = true;
+    }
+
+    private async Task SubmitAsync()
+    {
+        _busy = true;
+        _error = null;
+        try
+        {
+            var normalizedConfig = NormalizeJson(_form.DriverConfig);
+            if (normalizedConfig is null)
+            {
+                _error = "DriverConfig is not valid JSON.";
+                return;
+            }
+            var normalizedResilience = NormalizeOptionalJson(_form.ResilienceConfig);
+            if (!string.IsNullOrWhiteSpace(_form.ResilienceConfig) && normalizedResilience is null)
+            {
+                _error = "ResilienceConfig is not valid JSON. Leave blank to use defaults.";
+                return;
+            }
+
+            await using var db = await DbFactory.CreateDbContextAsync();
+            if (IsNew)
+            {
+                if (await db.DriverInstances.AnyAsync(d => d.DriverInstanceId == _form.DriverInstanceId))
+                {
+                    _error = $"Driver instance '{_form.DriverInstanceId}' already exists.";
+                    return;
+                }
+                db.DriverInstances.Add(new DriverInstance
+                {
+                    DriverInstanceId = _form.DriverInstanceId,
+                    ClusterId = ClusterId,
+                    NamespaceId = _form.NamespaceId,
+                    Name = _form.Name,
+                    DriverType = _form.DriverType,
+                    Enabled = _form.Enabled,
+                    DriverConfig = normalizedConfig,
+                    ResilienceConfig = normalizedResilience,
+                });
+            }
+            else
+            {
+                var entity = await db.DriverInstances.FirstOrDefaultAsync(
+                    d => d.ClusterId == ClusterId && d.DriverInstanceId == DriverInstanceId);
+                if (entity is null)
+                {
+                    _error = "Row no longer exists.";
+                    return;
+                }
+                db.Entry(entity).Property(e => e.RowVersion).OriginalValue = _form.RowVersion;
+                entity.NamespaceId = _form.NamespaceId;
+                entity.Name = _form.Name;
+                entity.Enabled = _form.Enabled;
+                entity.DriverConfig = normalizedConfig;
+                entity.ResilienceConfig = normalizedResilience;
+            }
+            await db.SaveChangesAsync();
+            Nav.NavigateTo($"/clusters/{ClusterId}/drivers");
+        }
+        catch (DbUpdateConcurrencyException)
+        {
+            _error = "Another user changed this driver instance while you were editing. Reload to see the latest values, then re-apply your changes.";
+        }
+        catch (Exception ex)
+        {
+            _error = ex.Message;
+        }
+        finally
+        {
+            _busy = false;
+        }
+    }
+
+    private async Task DeleteAsync()
+    {
+        if (IsNew) return;
+        _busy = true;
+        _error = null;
+        try
+        {
+            await using var db = await DbFactory.CreateDbContextAsync();
+            var entity = await db.DriverInstances.FirstOrDefaultAsync(
+                d => d.ClusterId == ClusterId && d.DriverInstanceId == DriverInstanceId);
+            if (entity is null)
+            {
+                Nav.NavigateTo($"/clusters/{ClusterId}/drivers");
+                return;
+            }
+            db.Entry(entity).Property(e => e.RowVersion).OriginalValue = _form.RowVersion;
+            db.DriverInstances.Remove(entity);
+            await db.SaveChangesAsync();
+            Nav.NavigateTo($"/clusters/{ClusterId}/drivers");
+        }
+        catch (DbUpdateConcurrencyException)
+        {
+            _error = "Another user changed this driver instance while you were viewing it. Reload before deleting.";
+        }
+        catch (Exception ex)
+        {
+            _error = $"Delete failed: {ex.Message}. (Likely because equipment/tags still reference this driver — remove them first.)";
+        }
+        finally
+        {
+            _busy = false;
+        }
+    }
+
+    private static string? NormalizeJson(string? input)
+    {
+        if (string.IsNullOrWhiteSpace(input)) return null;
+        try
+        {
+            using var doc = System.Text.Json.JsonDocument.Parse(input);
+            return System.Text.Json.JsonSerializer.Serialize(doc.RootElement);
+        }
+        catch { return null; }
+    }
+
+    private static string? NormalizeOptionalJson(string? input) =>
+        string.IsNullOrWhiteSpace(input) ? null : NormalizeJson(input);
+
+    private sealed class FormModel
+    {
+        [Required, RegularExpression("^[A-Za-z0-9_-]+$", ErrorMessage = "Use letters, digits, dash, underscore.")]
+        public string DriverInstanceId { get; set; } = "";
+        [Required]
+        public string Name { get; set; } = "";
+        [Required]
+        public string DriverType { get; set; } = "ModbusTcp";
+        [Required]
+        public string NamespaceId { get; set; } = "";
+        public bool Enabled { get; set; } = true;
+        [Required]
+        public string DriverConfig { get; set; } = "{}";
+        public string? ResilienceConfig { get; set; }
+        public byte[] RowVersion { get; set; } = [];
+    }
+}
@@ -0,0 +1,310 @@
+@page "/clusters/{ClusterId}/equipment/new"
+@page "/clusters/{ClusterId}/equipment/{EquipmentId}"
+@* Equipment CRUD. EquipmentId is system-generated (decision #125) — operator picks Name +
+   MachineCode + UnsLine + Driver; the EquipmentId is derived from the EquipmentUuid on create.
+   OPC 40010 identification fields (Manufacturer, Model, etc.) are all optional. *@
+@attribute [Microsoft.AspNetCore.Authorization.Authorize]
+@rendermode RenderMode.InteractiveServer
+@using Microsoft.AspNetCore.Components.Forms
+@using Microsoft.EntityFrameworkCore
+@using System.ComponentModel.DataAnnotations
+@using ZB.MOM.WW.OtOpcUa.Configuration
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@inject IDbContextFactory<OtOpcUaConfigDbContext> DbFactory
+@inject NavigationManager Nav
+
+<div class="d-flex justify-content-between align-items-center mb-3">
+    <h4 class="mb-0">@(IsNew ? "New equipment" : "Edit equipment") &middot; <span class="mono">@ClusterId</span></h4>
+    <a href="/clusters/@ClusterId/equipment" class="btn btn-outline-secondary btn-sm">Cancel</a>
+</div>
+
+<ClusterNav ClusterId="@ClusterId" ActiveTab="equipment" />
+
+@if (!_loaded)
+{
+    <p>Loading…</p>
+}
+else if (!IsNew && _existing is null)
+{
+    <section class="panel notice rise" style="animation-delay:.02s">
+        Equipment <span class="mono">@EquipmentId</span> was not found.
+    </section>
+}
+else
+{
+    <EditForm Model="_form" OnValidSubmit="SubmitAsync" FormName="equipmentEdit">
+        <DataAnnotationsValidator />
+        <section class="panel rise" style="animation-delay:.02s">
+            <div class="panel-head">Identity</div>
+            <div style="padding:1rem">
+                @if (!IsNew)
+                {
+                    <div class="mb-3">
+                        <label class="form-label">EquipmentId</label>
+                        <input class="form-control form-control-sm mono" value="@EquipmentId" disabled />
+                        <div class="form-text">System-generated; never operator-edited.</div>
+                    </div>
+                }
+                <div class="row">
+                    <div class="col-md-6 mb-3">
+                        <label class="form-label" for="name">Name</label>
+                        <InputText id="name" @bind-Value="_form.Name" class="form-control form-control-sm mono"
+                                   placeholder="machine-01" />
+                        <div class="form-text">UNS level 5 segment; lowercase letters, digits, dashes, up to 32 chars.</div>
+                    </div>
+                    <div class="col-md-6 mb-3">
+                        <label class="form-label" for="machinecode">MachineCode</label>
+                        <InputText id="machinecode" @bind-Value="_form.MachineCode" class="form-control form-control-sm mono"
+                                   placeholder="machine_001" />
+                    </div>
+                </div>
+                <div class="row">
+                    <div class="col-md-6 mb-3">
+                        <label class="form-label" for="line">UNS line</label>
+                        <InputSelect id="line" @bind-Value="_form.UnsLineId" class="form-select form-select-sm">
+                            <option value="">— pick a line —</option>
+                            @foreach (var l in _lines)
+                            {
+                                <option value="@l.UnsLineId">@l.UnsAreaId / @l.UnsLineId &mdash; @l.Name</option>
+                            }
+                        </InputSelect>
+                    </div>
+                    <div class="col-md-6 mb-3">
+                        <label class="form-label" for="driver">Driver instance</label>
+                        <InputSelect id="driver" @bind-Value="_form.DriverInstanceId" class="form-select form-select-sm">
+                            <option value="">— pick a driver —</option>
+                            @foreach (var d in _drivers)
+                            {
+                                <option value="@d.DriverInstanceId">@d.DriverInstanceId &mdash; @d.Name (@d.DriverType)</option>
+                            }
+                        </InputSelect>
+                    </div>
+                </div>
+                <div class="row">
+                    <div class="col-md-6 mb-3">
+                        <label class="form-label" for="ztag">ZTag (ERP)</label>
+                        <InputText id="ztag" @bind-Value="_form.ZTag" class="form-control form-control-sm" />
+                        <div class="form-text">Unique fleet-wide via ExternalIdReservation.</div>
+                    </div>
+                    <div class="col-md-6 mb-3">
+                        <label class="form-label" for="sap">SAPID</label>
+                        <InputText id="sap" @bind-Value="_form.SAPID" class="form-control form-control-sm" />
+                    </div>
+                </div>
+                <div class="mb-3">
+                    <label class="form-label">Enabled</label>
+                    <div class="form-check form-switch">
+                        <InputCheckbox @bind-Value="_form.Enabled" class="form-check-input" />
+                        <label class="form-check-label">Surface in deployments</label>
+                    </div>
+                </div>
+            </div>
+        </section>
+
+        <section class="panel rise mt-3" style="animation-delay:.08s">
+            <div class="panel-head">OPC 40010 identification (optional)</div>
+            <div style="padding:1rem">
+                <div class="row">
+                    <div class="col-md-4 mb-3"><label class="form-label">Manufacturer</label><InputText @bind-Value="_form.Manufacturer" class="form-control form-control-sm" /></div>
+                    <div class="col-md-4 mb-3"><label class="form-label">Model</label><InputText @bind-Value="_form.Model" class="form-control form-control-sm" /></div>
+                    <div class="col-md-4 mb-3"><label class="form-label">SerialNumber</label><InputText @bind-Value="_form.SerialNumber" class="form-control form-control-sm" /></div>
+                </div>
+                <div class="row">
+                    <div class="col-md-3 mb-3"><label class="form-label">HardwareRevision</label><InputText @bind-Value="_form.HardwareRevision" class="form-control form-control-sm" /></div>
+                    <div class="col-md-3 mb-3"><label class="form-label">SoftwareRevision</label><InputText @bind-Value="_form.SoftwareRevision" class="form-control form-control-sm" /></div>
+                    <div class="col-md-3 mb-3"><label class="form-label">Year of construction</label><InputNumber @bind-Value="_form.YearOfConstruction" class="form-control form-control-sm" /></div>
+                    <div class="col-md-3 mb-3"><label class="form-label">AssetLocation</label><InputText @bind-Value="_form.AssetLocation" class="form-control form-control-sm" /></div>
+                </div>
+                <div class="row">
+                    <div class="col-md-6 mb-3"><label class="form-label">ManufacturerUri</label><InputText @bind-Value="_form.ManufacturerUri" class="form-control form-control-sm mono" /></div>
+                    <div class="col-md-6 mb-3"><label class="form-label">DeviceManualUri</label><InputText @bind-Value="_form.DeviceManualUri" class="form-control form-control-sm mono" /></div>
+                </div>
+            </div>
+        </section>
+
+        @if (!string.IsNullOrWhiteSpace(_error))
+        {
+            <div class="panel notice mt-3" style="border-color:var(--alert)">@_error</div>
+        }
+
+        <div class="mt-3 d-flex gap-2">
+            <button type="submit" class="btn btn-primary" disabled="@_busy">
+                @if (_busy) { <span class="spinner-border spinner-border-sm me-1"></span> }
+                @(IsNew ? "Create" : "Save changes")
+            </button>
+            <a href="/clusters/@ClusterId/equipment" class="btn btn-outline-secondary">Cancel</a>
+            @if (!IsNew)
+            {
+                <button type="button" class="btn btn-outline-danger ms-auto" @onclick="DeleteAsync" disabled="@_busy">Delete</button>
+            }
+        </div>
+    </EditForm>
+}
+
+@code {
+    [Parameter] public string ClusterId { get; set; } = "";
+    [Parameter] public string? EquipmentId { get; set; }
+
+    private bool IsNew => string.IsNullOrEmpty(EquipmentId);
+
+    private FormModel _form = new();
+    private Equipment? _existing;
+    private List<UnsLine> _lines = new();
+    private List<DriverInstance> _drivers = new();
+    private bool _loaded;
+    private bool _busy;
+    private string? _error;
+
+    protected override async Task OnInitializedAsync()
+    {
+        await using var db = await DbFactory.CreateDbContextAsync();
+        var areaIds = await db.UnsAreas.AsNoTracking()
+            .Where(a => a.ClusterId == ClusterId).Select(a => a.UnsAreaId).ToListAsync();
+        _lines = await db.UnsLines.AsNoTracking()
+            .Where(l => areaIds.Contains(l.UnsAreaId))
+            .OrderBy(l => l.UnsAreaId).ThenBy(l => l.UnsLineId)
+            .ToListAsync();
+        _drivers = await db.DriverInstances.AsNoTracking()
+            .Where(d => d.ClusterId == ClusterId)
+            .OrderBy(d => d.DriverInstanceId)
+            .ToListAsync();
+
+        if (!IsNew)
+        {
+            _existing = await db.Equipment.AsNoTracking()
+                .FirstOrDefaultAsync(e => e.EquipmentId == EquipmentId);
+            if (_existing is not null)
+            {
+                _form = new FormModel
+                {
+                    Name = _existing.Name,
+                    MachineCode = _existing.MachineCode,
+                    UnsLineId = _existing.UnsLineId,
+                    DriverInstanceId = _existing.DriverInstanceId,
+                    ZTag = _existing.ZTag,
+                    SAPID = _existing.SAPID,
+                    Manufacturer = _existing.Manufacturer,
+                    Model = _existing.Model,
+                    SerialNumber = _existing.SerialNumber,
+                    HardwareRevision = _existing.HardwareRevision,
+                    SoftwareRevision = _existing.SoftwareRevision,
+                    YearOfConstruction = _existing.YearOfConstruction,
+                    AssetLocation = _existing.AssetLocation,
+                    ManufacturerUri = _existing.ManufacturerUri,
+                    DeviceManualUri = _existing.DeviceManualUri,
+                    Enabled = _existing.Enabled,
+                    RowVersion = _existing.RowVersion,
+                };
+            }
+        }
+        _loaded = true;
+    }
+
+    private async Task SubmitAsync()
+    {
+        _busy = true; _error = null;
+        try
+        {
+            if (string.IsNullOrEmpty(_form.UnsLineId)) { _error = "Pick a UNS line."; return; }
+            if (string.IsNullOrEmpty(_form.DriverInstanceId)) { _error = "Pick a driver instance."; return; }
+
+            await using var db = await DbFactory.CreateDbContextAsync();
+            if (IsNew)
+            {
+                var uuid = Guid.NewGuid();
+                var equipmentId = $"EQ-{uuid.ToString("N")[..12]}";
+                if (await db.Equipment.AnyAsync(e => e.MachineCode == _form.MachineCode))
+                { _error = $"MachineCode '{_form.MachineCode}' already exists in this fleet."; return; }
+                db.Equipment.Add(new Equipment
+                {
+                    EquipmentId = equipmentId,
+                    EquipmentUuid = uuid,
+                    DriverInstanceId = _form.DriverInstanceId,
+                    UnsLineId = _form.UnsLineId,
+                    Name = _form.Name,
+                    MachineCode = _form.MachineCode,
+                    ZTag = string.IsNullOrWhiteSpace(_form.ZTag) ? null : _form.ZTag,
+                    SAPID = string.IsNullOrWhiteSpace(_form.SAPID) ? null : _form.SAPID,
+                    Manufacturer = _form.Manufacturer,
+                    Model = _form.Model,
+                    SerialNumber = _form.SerialNumber,
+                    HardwareRevision = _form.HardwareRevision,
+                    SoftwareRevision = _form.SoftwareRevision,
+                    YearOfConstruction = _form.YearOfConstruction,
+                    AssetLocation = _form.AssetLocation,
+                    ManufacturerUri = _form.ManufacturerUri,
+                    DeviceManualUri = _form.DeviceManualUri,
+                    Enabled = _form.Enabled,
+                });
+            }
+            else
+            {
+                var entity = await db.Equipment.FirstOrDefaultAsync(e => e.EquipmentId == EquipmentId);
+                if (entity is null) { _error = "Row no longer exists."; return; }
+                db.Entry(entity).Property(e => e.RowVersion).OriginalValue = _form.RowVersion;
+                entity.DriverInstanceId = _form.DriverInstanceId;
+                entity.UnsLineId = _form.UnsLineId;
+                entity.Name = _form.Name;
+                entity.MachineCode = _form.MachineCode;
+                entity.ZTag = string.IsNullOrWhiteSpace(_form.ZTag) ? null : _form.ZTag;
+                entity.SAPID = string.IsNullOrWhiteSpace(_form.SAPID) ? null : _form.SAPID;
+                entity.Manufacturer = _form.Manufacturer;
+                entity.Model = _form.Model;
+                entity.SerialNumber = _form.SerialNumber;
+                entity.HardwareRevision = _form.HardwareRevision;
+                entity.SoftwareRevision = _form.SoftwareRevision;
+                entity.YearOfConstruction = _form.YearOfConstruction;
+                entity.AssetLocation = _form.AssetLocation;
+                entity.ManufacturerUri = _form.ManufacturerUri;
+                entity.DeviceManualUri = _form.DeviceManualUri;
+                entity.Enabled = _form.Enabled;
+            }
+            await db.SaveChangesAsync();
+            Nav.NavigateTo($"/clusters/{ClusterId}/equipment");
+        }
+        catch (DbUpdateConcurrencyException) { _error = "Another user changed this equipment while you were editing."; }
+        catch (Exception ex) { _error = ex.Message; }
+        finally { _busy = false; }
+    }
+
+    private async Task DeleteAsync()
+    {
+        if (IsNew) return;
+        _busy = true; _error = null;
+        try
+        {
+            await using var db = await DbFactory.CreateDbContextAsync();
+            var entity = await db.Equipment.FirstOrDefaultAsync(e => e.EquipmentId == EquipmentId);
+            if (entity is null) { Nav.NavigateTo($"/clusters/{ClusterId}/equipment"); return; }
+            db.Entry(entity).Property(e => e.RowVersion).OriginalValue = _form.RowVersion;
+            db.Equipment.Remove(entity);
+            await db.SaveChangesAsync();
+            Nav.NavigateTo($"/clusters/{ClusterId}/equipment");
+        }
+        catch (DbUpdateConcurrencyException) { _error = "Another user changed this equipment while you were viewing it."; }
+        catch (Exception ex) { _error = $"Delete failed: {ex.Message}. Likely because tags or virtual tags reference this equipment — remove them first."; }
+        finally { _busy = false; }
+    }
+
+    private sealed class FormModel
+    {
+        [Required, RegularExpression("^[a-z0-9-]{1,32}$", ErrorMessage = "Lowercase letters, digits, dashes only; max 32 chars.")]
+        public string Name { get; set; } = "";
+        [Required] public string MachineCode { get; set; } = "";
+        [Required] public string UnsLineId { get; set; } = "";
+        [Required] public string DriverInstanceId { get; set; } = "";
+        public string? ZTag { get; set; }
+        public string? SAPID { get; set; }
+        public string? Manufacturer { get; set; }
+        public string? Model { get; set; }
+        public string? SerialNumber { get; set; }
+        public string? HardwareRevision { get; set; }
+        public string? SoftwareRevision { get; set; }
+        public short? YearOfConstruction { get; set; }
+        public string? AssetLocation { get; set; }
+        public string? ManufacturerUri { get; set; }
+        public string? DeviceManualUri { get; set; }
+        public bool Enabled { get; set; } = true;
+        public byte[] RowVersion { get; set; } = [];
+    }
+}
@@ -0,0 +1,256 @@
+@page "/clusters/{ClusterId}/equipment/import"
+@* Bulk equipment import via pasted CSV. Header row required; columns:
+       Name, MachineCode, UnsLineId, DriverInstanceId, ZTag, SAPID, Manufacturer, Model
+   Empty optional columns parsed as null. EquipmentId is system-generated per row
+   (matches single-add path in EquipmentEdit.razor). *@
+@attribute [Microsoft.AspNetCore.Authorization.Authorize]
+@rendermode RenderMode.InteractiveServer
+@using Microsoft.AspNetCore.Components.Forms
+@using Microsoft.EntityFrameworkCore
+@using ZB.MOM.WW.OtOpcUa.Configuration
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@inject IDbContextFactory<OtOpcUaConfigDbContext> DbFactory
+@inject NavigationManager Nav
+
+<div class="d-flex justify-content-between align-items-center mb-3">
+    <h4 class="mb-0">Import equipment &middot; <span class="mono">@ClusterId</span></h4>
+    <a href="/clusters/@ClusterId/equipment" class="btn btn-outline-secondary btn-sm">Cancel</a>
+</div>
+
+<ClusterNav ClusterId="@ClusterId" ActiveTab="equipment" />
+
+<section class="panel notice rise" style="animation-delay:.02s">
+    Paste CSV below. Required header columns (in order):
+    <span class="mono">Name, MachineCode, UnsLineId, DriverInstanceId</span>.
+    Optional: <span class="mono">ZTag, SAPID, Manufacturer, Model</span>.
+    Each row inserts one Equipment with a freshly-generated EquipmentId. Existing rows are
+    detected by MachineCode and skipped (the importer is additive-only — no updates).
+</section>
+
+<section class="panel rise mt-3" style="animation-delay:.08s">
+    <div class="panel-head">CSV</div>
+    <div style="padding:1rem">
+        <textarea class="form-control form-control-sm mono" rows="14"
+                  @bind="_csv" @bind:event="oninput"
+                  placeholder="Name,MachineCode,UnsLineId,DriverInstanceId,ZTag,SAPID,Manufacturer,Model&#10;mixer-01,MX_001,line-3,drv-modbus-line3-01,ZT-12345,SAP-9876,Siemens,SIMATIC-1500"></textarea>
+    </div>
+</section>
+
+@if (!string.IsNullOrWhiteSpace(_error))
+{
+    <div class="panel notice mt-3" style="border-color:var(--alert)">@_error</div>
+}
+
+@if (_preview is not null)
+{
+    <section class="panel rise mt-3" style="animation-delay:.14s">
+        <div class="panel-head">Preview &middot; @_preview.Count row@(_preview.Count == 1 ? "" : "s") to import</div>
+        @if (_preview.Count > 0)
+        {
+            <div class="table-wrap">
+                <table class="data-table">
+                    <thead>
+                        <tr>
+                            <th>Name</th>
+                            <th>MachineCode</th>
+                            <th>UNS line</th>
+                            <th>Driver</th>
+                            <th>ZTag</th>
+                            <th>SAPID</th>
+                            <th>Manufacturer</th>
+                            <th>Model</th>
+                            <th>Status</th>
+                        </tr>
+                    </thead>
+                    <tbody>
+                        @foreach (var p in _preview)
+                        {
+                            <tr>
+                                <td>@p.Name</td>
+                                <td><span class="mono">@p.MachineCode</span></td>
+                                <td><span class="mono small">@p.UnsLineId</span></td>
+                                <td><span class="mono small">@p.DriverInstanceId</span></td>
+                                <td>@(p.ZTag ?? "")</td>
+                                <td>@(p.SAPID ?? "")</td>
+                                <td>@(p.Manufacturer ?? "")</td>
+                                <td>@(p.Model ?? "")</td>
+                                <td>
+                                    @if (p.IsSkipped) { <span class="chip chip-idle">skip — exists</span> }
+                                    else if (!string.IsNullOrEmpty(p.RowError)) { <span class="chip chip-alert">@p.RowError</span> }
+                                    else { <span class="chip chip-ok">ready</span> }
+                                </td>
+                            </tr>
+                        }
+                    </tbody>
+                </table>
+            </div>
+        }
+    </section>
+}
+
+<div class="mt-3 d-flex gap-2">
+    <button class="btn btn-outline-primary" @onclick="PreviewAsync" disabled="@_busy">
+        @if (_busy) { <span class="spinner-border spinner-border-sm me-1"></span> }
+        Preview
+    </button>
+    <button class="btn btn-primary" @onclick="ImportAsync"
+            disabled="@(_busy || _preview is null || _preview.All(p => p.IsSkipped || !string.IsNullOrEmpty(p.RowError)))">
+        Import @(_preview?.Count(p => !p.IsSkipped && string.IsNullOrEmpty(p.RowError)) ?? 0) row(s)
+    </button>
+    <a href="/clusters/@ClusterId/equipment" class="btn btn-outline-secondary">Cancel</a>
+</div>
+
+@code {
+    [Parameter] public string ClusterId { get; set; } = "";
+
+    private string _csv = "";
+    private List<PreviewRow>? _preview;
+    private bool _busy;
+    private string? _error;
+
+    private static readonly string[] RequiredColumns = ["Name", "MachineCode", "UnsLineId", "DriverInstanceId"];
+    private static readonly string[] OptionalColumns = ["ZTag", "SAPID", "Manufacturer", "Model"];
+
+    private async Task PreviewAsync()
+    {
+        _busy = true;
+        _error = null;
+        _preview = null;
+        try
+        {
+            var parsed = ParseCsv(_csv);
+            if (parsed is null) return;
+
+            await using var db = await DbFactory.CreateDbContextAsync();
+            var driversInCluster = await db.DriverInstances.AsNoTracking()
+                .Where(d => d.ClusterId == ClusterId)
+                .Select(d => d.DriverInstanceId)
+                .ToListAsync();
+            var driverSet = driversInCluster.ToHashSet(StringComparer.Ordinal);
+            var areaIds = await db.UnsAreas.AsNoTracking()
+                .Where(a => a.ClusterId == ClusterId)
+                .Select(a => a.UnsAreaId).ToListAsync();
+            var validLines = await db.UnsLines.AsNoTracking()
+                .Where(l => areaIds.Contains(l.UnsAreaId))
+                .Select(l => l.UnsLineId).ToListAsync();
+            var lineSet = validLines.ToHashSet(StringComparer.Ordinal);
+            var existingMachineCodes = await db.Equipment.AsNoTracking()
+                .Select(e => e.MachineCode).ToListAsync();
+            var existingSet = existingMachineCodes.ToHashSet(StringComparer.OrdinalIgnoreCase);
+
+            foreach (var row in parsed)
+            {
+                if (existingSet.Contains(row.MachineCode))
+                {
+                    row.IsSkipped = true;
+                    continue;
+                }
+                if (!driverSet.Contains(row.DriverInstanceId))
+                {
+                    row.RowError = $"driver '{row.DriverInstanceId}' not in this cluster";
+                    continue;
+                }
+                if (!lineSet.Contains(row.UnsLineId))
+                {
+                    row.RowError = $"UNS line '{row.UnsLineId}' not in this cluster";
+                }
+            }
+            _preview = parsed;
+        }
+        catch (Exception ex) { _error = ex.Message; }
+        finally { _busy = false; }
+    }
+
+    private async Task ImportAsync()
+    {
+        if (_preview is null) return;
+        _busy = true;
+        _error = null;
+        try
+        {
+            await using var db = await DbFactory.CreateDbContextAsync();
+            var added = 0;
+            foreach (var row in _preview.Where(p => !p.IsSkipped && string.IsNullOrEmpty(p.RowError)))
+            {
+                var uuid = Guid.NewGuid();
+                var equipmentId = $"EQ-{uuid.ToString("N")[..12]}";
+                db.Equipment.Add(new Equipment
+                {
+                    EquipmentId = equipmentId,
+                    EquipmentUuid = uuid,
+                    DriverInstanceId = row.DriverInstanceId,
+                    UnsLineId = row.UnsLineId,
+                    Name = row.Name,
+                    MachineCode = row.MachineCode,
+                    ZTag = row.ZTag,
+                    SAPID = row.SAPID,
+                    Manufacturer = row.Manufacturer,
+                    Model = row.Model,
+                    Enabled = true,
+                });
+                added++;
+            }
+            await db.SaveChangesAsync();
+            Nav.NavigateTo($"/clusters/{ClusterId}/equipment");
+        }
+        catch (Exception ex) { _error = ex.Message; }
+        finally { _busy = false; }
+    }
+
+    private List<PreviewRow>? ParseCsv(string csv)
+    {
+        if (string.IsNullOrWhiteSpace(csv)) { _error = "CSV is empty."; return null; }
+        var lines = csv.Replace("\r\n", "\n").Split('\n', StringSplitOptions.RemoveEmptyEntries);
+        if (lines.Length < 2) { _error = "Need a header row and at least one data row."; return null; }
+
+        var header = lines[0].Split(',').Select(c => c.Trim()).ToArray();
+        for (var i = 0; i < RequiredColumns.Length; i++)
+        {
+            if (i >= header.Length || !string.Equals(header[i], RequiredColumns[i], StringComparison.OrdinalIgnoreCase))
+            {
+                _error = $"Header column #{i + 1} must be '{RequiredColumns[i]}' (got '{(i < header.Length ? header[i] : "")}').";
+                return null;
+            }
+        }
+
+        var rows = new List<PreviewRow>();
+        for (var lineIdx = 1; lineIdx < lines.Length; lineIdx++)
+        {
+            var parts = lines[lineIdx].Split(',').Select(c => c.Trim()).ToArray();
+            if (parts.Length < RequiredColumns.Length)
+            {
+                rows.Add(new PreviewRow { RowError = $"too few columns (got {parts.Length}, need {RequiredColumns.Length})" });
+                continue;
+            }
+            rows.Add(new PreviewRow
+            {
+                Name = parts[0],
+                MachineCode = parts[1],
+                UnsLineId = parts[2],
+                DriverInstanceId = parts[3],
+                ZTag = NullIfEmpty(parts, 4),
+                SAPID = NullIfEmpty(parts, 5),
+                Manufacturer = NullIfEmpty(parts, 6),
+                Model = NullIfEmpty(parts, 7),
+            });
+        }
+        return rows;
+    }
+
+    private static string? NullIfEmpty(string[] parts, int idx) =>
+        idx < parts.Length && !string.IsNullOrWhiteSpace(parts[idx]) ? parts[idx] : null;
+
+    private sealed class PreviewRow
+    {
+        public string Name { get; set; } = "";
+        public string MachineCode { get; set; } = "";
+        public string UnsLineId { get; set; } = "";
+        public string DriverInstanceId { get; set; } = "";
+        public string? ZTag { get; set; }
+        public string? SAPID { get; set; }
+        public string? Manufacturer { get; set; }
+        public string? Model { get; set; }
+        public bool IsSkipped { get; set; }
+        public string? RowError { get; set; }
+    }
+}
@@ -0,0 +1,244 @@
+@page "/clusters/{ClusterId}/namespaces/new"
+@page "/clusters/{ClusterId}/namespaces/{NamespaceId}"
+@* Live-edit form pattern — one page handles both create (NamespaceId is null) and update.
+   RowVersion is preserved across post-back so EF Core enforces last-write-wins; concurrency
+   conflicts surface as a toast and reload the current row. *@
+@attribute [Microsoft.AspNetCore.Authorization.Authorize]
+@rendermode RenderMode.InteractiveServer
+@using Microsoft.AspNetCore.Components.Forms
+@using Microsoft.EntityFrameworkCore
+@using System.ComponentModel.DataAnnotations
+@using ZB.MOM.WW.OtOpcUa.Configuration
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@using ZB.MOM.WW.OtOpcUa.Configuration.Enums
+@inject IDbContextFactory<OtOpcUaConfigDbContext> DbFactory
+@inject NavigationManager Nav
+
+<div class="d-flex justify-content-between align-items-center mb-3">
+    <h4 class="mb-0">@(IsNew ? "New namespace" : "Edit namespace") &middot; <span class="mono">@ClusterId</span></h4>
+    <a href="/clusters/@ClusterId/namespaces" class="btn btn-outline-secondary btn-sm">Cancel</a>
+</div>
+
+<ClusterNav ClusterId="@ClusterId" ActiveTab="namespaces" />
+
+@if (!_loaded)
+{
+    <p>Loading…</p>
+}
+else if (!IsNew && _existing is null)
+{
+    <section class="panel notice rise" style="animation-delay:.02s">
+        Namespace <span class="mono">@NamespaceId</span> was not found in cluster <span class="mono">@ClusterId</span>.
+    </section>
+}
+else
+{
+    <EditForm Model="_form" OnValidSubmit="SubmitAsync" FormName="namespaceEdit">
+        <DataAnnotationsValidator />
+        <section class="panel rise" style="animation-delay:.02s">
+            <div class="panel-head">@(IsNew ? "Identity" : $"Edit {_form.NamespaceId}")</div>
+            <div style="padding:1rem">
+                <div class="mb-3">
+                    <label class="form-label" for="nsId">NamespaceId</label>
+                    <InputText id="nsId" @bind-Value="_form.NamespaceId" disabled="@(!IsNew)"
+                               class="form-control form-control-sm mono"
+                               placeholder="LINE3-equipment" />
+                </div>
+                <div class="row">
+                    <div class="col-md-6 mb-3">
+                        <label class="form-label" for="kind">Kind</label>
+                        <InputSelect id="kind" @bind-Value="_form.Kind" class="form-select form-select-sm">
+                            <option value="@NamespaceKind.Equipment">Equipment (raw signals)</option>
+                            <option value="@NamespaceKind.SystemPlatform">System Platform (Galaxy / MXAccess)</option>
+                            <option value="@NamespaceKind.Simulated">Simulated (replay — reserved)</option>
+                        </InputSelect>
+                    </div>
+                    <div class="col-md-6 mb-3">
+                        <label class="form-label" for="enabled">Enabled</label>
+                        <div class="form-check form-switch">
+                            <InputCheckbox id="enabled" @bind-Value="_form.Enabled" class="form-check-input" />
+                            <label class="form-check-label" for="enabled">Active in deployments</label>
+                        </div>
+                    </div>
+                </div>
+                <div class="mb-3">
+                    <label class="form-label" for="uri">NamespaceUri</label>
+                    <InputText id="uri" @bind-Value="_form.NamespaceUri" class="form-control form-control-sm mono"
+                               placeholder="urn:zb:warsaw-west:equipment" />
+                    <div class="form-text">Must be unique fleet-wide. Clients pin discovery here.</div>
+                </div>
+                <div class="mb-3">
+                    <label class="form-label" for="notes">Notes</label>
+                    <InputTextArea id="notes" @bind-Value="_form.Notes" class="form-control form-control-sm" rows="3" />
+                </div>
+            </div>
+        </section>
+
+        @if (!string.IsNullOrWhiteSpace(_error))
+        {
+            <div class="panel notice mt-3" style="border-color:var(--alert)">@_error</div>
+        }
+
+        <div class="mt-3 d-flex gap-2">
+            <button type="submit" class="btn btn-primary" disabled="@_busy">
+                @if (_busy) { <span class="spinner-border spinner-border-sm me-1"></span> }
+                @(IsNew ? "Create" : "Save changes")
+            </button>
+            <a href="/clusters/@ClusterId/namespaces" class="btn btn-outline-secondary">Cancel</a>
+            @if (!IsNew)
+            {
+                <button type="button" class="btn btn-outline-danger ms-auto" @onclick="DeleteAsync" disabled="@_busy">
+                    Delete
+                </button>
+            }
+        </div>
+    </EditForm>
+}
+
+@code {
+    [Parameter] public string ClusterId { get; set; } = "";
+    [Parameter] public string? NamespaceId { get; set; }
+
+    private bool IsNew => string.IsNullOrEmpty(NamespaceId);
+
+    private FormModel _form = new();
+    private Namespace? _existing;
+    private bool _loaded;
+    private bool _busy;
+    private string? _error;
+
+    protected override async Task OnInitializedAsync()
+    {
+        if (IsNew)
+        {
+            _form = new FormModel
+            {
+                NamespaceId = "",
+                Kind = NamespaceKind.Equipment,
+                NamespaceUri = "",
+                Enabled = true,
+            };
+        }
+        else
+        {
+            await using var db = await DbFactory.CreateDbContextAsync();
+            _existing = await db.Namespaces.AsNoTracking()
+                .FirstOrDefaultAsync(n => n.ClusterId == ClusterId && n.NamespaceId == NamespaceId);
+            if (_existing is not null)
+            {
+                _form = new FormModel
+                {
+                    NamespaceId = _existing.NamespaceId,
+                    Kind = _existing.Kind,
+                    NamespaceUri = _existing.NamespaceUri,
+                    Enabled = _existing.Enabled,
+                    Notes = _existing.Notes,
+                    RowVersion = _existing.RowVersion,
+                };
+            }
+        }
+        _loaded = true;
+    }
+
+    private async Task SubmitAsync()
+    {
+        _busy = true;
+        _error = null;
+        try
+        {
+            await using var db = await DbFactory.CreateDbContextAsync();
+            if (IsNew)
+            {
+                if (await db.Namespaces.AnyAsync(n => n.NamespaceId == _form.NamespaceId))
+                {
+                    _error = $"Namespace '{_form.NamespaceId}' already exists.";
+                    return;
+                }
+                db.Namespaces.Add(new Namespace
+                {
+                    NamespaceId = _form.NamespaceId,
+                    ClusterId = ClusterId,
+                    Kind = _form.Kind,
+                    NamespaceUri = _form.NamespaceUri,
+                    Enabled = _form.Enabled,
+                    Notes = string.IsNullOrWhiteSpace(_form.Notes) ? null : _form.Notes,
+                });
+            }
+            else
+            {
+                var entity = await db.Namespaces.FirstOrDefaultAsync(
+                    n => n.ClusterId == ClusterId && n.NamespaceId == NamespaceId);
+                if (entity is null)
+                {
+                    _error = "Row no longer exists.";
+                    return;
+                }
+                db.Entry(entity).Property(e => e.RowVersion).OriginalValue = _form.RowVersion;
+                entity.Kind = _form.Kind;
+                entity.NamespaceUri = _form.NamespaceUri;
+                entity.Enabled = _form.Enabled;
+                entity.Notes = string.IsNullOrWhiteSpace(_form.Notes) ? null : _form.Notes;
+            }
+            await db.SaveChangesAsync();
+            Nav.NavigateTo($"/clusters/{ClusterId}/namespaces");
+        }
+        catch (DbUpdateConcurrencyException)
+        {
+            _error = "Another user changed this namespace while you were editing. Reload to see the latest values, then re-apply your changes.";
+        }
+        catch (Exception ex)
+        {
+            _error = ex.Message;
+        }
+        finally
+        {
+            _busy = false;
+        }
+    }
+
+    private async Task DeleteAsync()
+    {
+        if (IsNew) return;
+        _busy = true;
+        _error = null;
+        try
+        {
+            await using var db = await DbFactory.CreateDbContextAsync();
+            var entity = await db.Namespaces.FirstOrDefaultAsync(
+                n => n.ClusterId == ClusterId && n.NamespaceId == NamespaceId);
+            if (entity is null)
+            {
+                Nav.NavigateTo($"/clusters/{ClusterId}/namespaces");
+                return;
+            }
+            db.Entry(entity).Property(e => e.RowVersion).OriginalValue = _form.RowVersion;
+            db.Namespaces.Remove(entity);
+            await db.SaveChangesAsync();
+            Nav.NavigateTo($"/clusters/{ClusterId}/namespaces");
+        }
+        catch (DbUpdateConcurrencyException)
+        {
+            _error = "Another user changed this namespace while you were viewing it. Reload before deleting.";
+        }
+        catch (Exception ex)
+        {
+            _error = ex.Message;
+        }
+        finally
+        {
+            _busy = false;
+        }
+    }
+
+    private sealed class FormModel
+    {
+        [Required, RegularExpression("^[A-Za-z0-9_-]+$", ErrorMessage = "Use letters, digits, dash, underscore.")]
+        public string NamespaceId { get; set; } = "";
+        public NamespaceKind Kind { get; set; } = NamespaceKind.Equipment;
+        [Required, RegularExpression("^urn:[A-Za-z0-9_:./-]+$", ErrorMessage = "Use a URN, e.g. urn:zb:warsaw-west:equipment.")]
+        public string NamespaceUri { get; set; } = "";
+        public bool Enabled { get; set; } = true;
+        public string? Notes { get; set; }
+        public byte[] RowVersion { get; set; } = [];
+    }
+}
@@ -0,0 +1,141 @@
+@page "/clusters/new"
+@attribute [Microsoft.AspNetCore.Authorization.Authorize]
+@rendermode RenderMode.InteractiveServer
+@using Microsoft.AspNetCore.Components.Forms
+@using Microsoft.EntityFrameworkCore
+@using ZB.MOM.WW.OtOpcUa.Configuration
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@using ZB.MOM.WW.OtOpcUa.Configuration.Enums
+@inject IDbContextFactory<OtOpcUaConfigDbContext> DbFactory
+@inject NavigationManager Nav
+@inject AuthenticationStateProvider AuthState
+
+<div class="d-flex justify-content-between align-items-center mb-3">
+    <h4 class="mb-0">New cluster</h4>
+    <a href="/clusters" class="btn btn-outline-secondary btn-sm">Cancel</a>
+</div>
+
+<EditForm Model="_form" OnValidSubmit="SubmitAsync" FormName="newCluster">
+    <DataAnnotationsValidator />
+    <section class="panel rise" style="animation-delay:.02s">
+        <div class="panel-head">Identity</div>
+        <div style="padding:1rem">
+            <div class="mb-3">
+                <label class="form-label" for="clusterId">Cluster ID</label>
+                <InputText id="clusterId" @bind-Value="_form.ClusterId" class="form-control form-control-sm mono"
+                           placeholder="LINE3-OPCUA" />
+            </div>
+            <div class="mb-3">
+                <label class="form-label" for="name">Name</label>
+                <InputText id="name" @bind-Value="_form.Name" class="form-control form-control-sm" />
+            </div>
+            <div class="row">
+                <div class="col-md-6 mb-3">
+                    <label class="form-label" for="enterprise">Enterprise</label>
+                    <InputText id="enterprise" @bind-Value="_form.Enterprise" class="form-control form-control-sm"
+                               placeholder="zb" />
+                </div>
+                <div class="col-md-6 mb-3">
+                    <label class="form-label" for="site">Site</label>
+                    <InputText id="site" @bind-Value="_form.Site" class="form-control form-control-sm"
+                               placeholder="warsaw-west" />
+                </div>
+            </div>
+        </div>
+    </section>
+
+    <section class="panel rise mt-3" style="animation-delay:.08s">
+        <div class="panel-head">Topology</div>
+        <div style="padding:1rem">
+            <div class="mb-3">
+                <label class="form-label" for="redundancy">Redundancy mode</label>
+                <InputSelect id="redundancy" @bind-Value="_form.RedundancyMode" class="form-select form-select-sm">
+                    <option value="@RedundancyMode.None">None (1 node)</option>
+                    <option value="@RedundancyMode.Warm">Warm (2 nodes, non-transparent)</option>
+                    <option value="@RedundancyMode.Hot">Hot (2 nodes, non-transparent)</option>
+                </InputSelect>
+                <div class="form-text">NodeCount is implied — 1 for None, 2 for Warm/Hot.</div>
+            </div>
+            <div class="mb-3">
+                <label class="form-label" for="notes">Notes</label>
+                <InputTextArea id="notes" @bind-Value="_form.Notes" class="form-control form-control-sm" rows="3" />
+            </div>
+        </div>
+    </section>
+
+    @if (!string.IsNullOrWhiteSpace(_error))
+    {
+        <div class="panel notice mt-3">@_error</div>
+    }
+
+    <div class="mt-3 d-flex gap-2">
+        <button type="submit" class="btn btn-primary" disabled="@_busy">
+            @if (_busy) { <span class="spinner-border spinner-border-sm me-1"></span> }
+            Create cluster
+        </button>
+        <a href="/clusters" class="btn btn-outline-secondary">Cancel</a>
+    </div>
+</EditForm>
+
+@code {
+    private FormModel _form = new();
+    private string? _error;
+    private bool _busy;
+
+    private async Task SubmitAsync()
+    {
+        _busy = true;
+        _error = null;
+        try
+        {
+            await using var db = await DbFactory.CreateDbContextAsync();
+            if (await db.ServerClusters.AnyAsync(c => c.ClusterId == _form.ClusterId))
+            {
+                _error = $"Cluster '{_form.ClusterId}' already exists.";
+                return;
+            }
+
+            var auth = await AuthState.GetAuthenticationStateAsync();
+            var createdBy = auth.User.Identity?.Name ?? "(anonymous)";
+
+            var entity = new ServerCluster
+            {
+                ClusterId = _form.ClusterId,
+                Name = _form.Name,
+                Enterprise = _form.Enterprise,
+                Site = _form.Site,
+                RedundancyMode = _form.RedundancyMode,
+                NodeCount = _form.RedundancyMode == RedundancyMode.None ? (byte)1 : (byte)2,
+                Notes = string.IsNullOrWhiteSpace(_form.Notes) ? null : _form.Notes,
+                Enabled = true,
+                CreatedAt = DateTime.UtcNow,
+                CreatedBy = createdBy,
+            };
+            db.ServerClusters.Add(entity);
+            await db.SaveChangesAsync();
+            Nav.NavigateTo($"/clusters/{entity.ClusterId}");
+        }
+        catch (Exception ex)
+        {
+            _error = ex.Message;
+        }
+        finally
+        {
+            _busy = false;
+        }
+    }
+
+    private sealed class FormModel
+    {
+        [System.ComponentModel.DataAnnotations.Required, System.ComponentModel.DataAnnotations.RegularExpression("^[A-Z0-9_-]+$", ErrorMessage = "Use uppercase letters, digits, dash, underscore.")]
+        public string ClusterId { get; set; } = "";
+        [System.ComponentModel.DataAnnotations.Required]
+        public string Name { get; set; } = "";
+        [System.ComponentModel.DataAnnotations.Required]
+        public string Enterprise { get; set; } = "zb";
+        [System.ComponentModel.DataAnnotations.Required]
+        public string Site { get; set; } = "";
+        public RedundancyMode RedundancyMode { get; set; } = RedundancyMode.None;
+        public string? Notes { get; set; }
+    }
+}
@@ -0,0 +1,268 @@
+@page "/clusters/{ClusterId}/nodes/new"
+@page "/clusters/{ClusterId}/nodes/{NodeId}"
+@* ClusterNode CRUD. ApplicationUri is fleet-wide unique — the EF unique index enforces this
+   at SaveChanges. ServiceLevelBase defaults: 200 primary, 150 secondary. *@
+@attribute [Microsoft.AspNetCore.Authorization.Authorize]
+@rendermode RenderMode.InteractiveServer
+@using Microsoft.AspNetCore.Components.Forms
+@using Microsoft.EntityFrameworkCore
+@using System.ComponentModel.DataAnnotations
+@using ZB.MOM.WW.OtOpcUa.Configuration
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@inject IDbContextFactory<OtOpcUaConfigDbContext> DbFactory
+@inject NavigationManager Nav
+@inject AuthenticationStateProvider AuthState
+
+<div class="d-flex justify-content-between align-items-center mb-3">
+    <h4 class="mb-0">@(IsNew ? "New node" : "Edit node") &middot; <span class="mono">@ClusterId</span></h4>
+    <a href="/clusters/@ClusterId" class="btn btn-outline-secondary btn-sm">Cancel</a>
+</div>
+
+<ClusterNav ClusterId="@ClusterId" ActiveTab="overview" />
+
+@if (!_loaded)
+{
+    <p>Loading…</p>
+}
+else if (!IsNew && _existing is null)
+{
+    <section class="panel notice rise" style="animation-delay:.02s">
+        Node <span class="mono">@NodeId</span> was not found in cluster <span class="mono">@ClusterId</span>.
+    </section>
+}
+else
+{
+    <EditForm Model="_form" OnValidSubmit="SubmitAsync" FormName="nodeEdit">
+        <DataAnnotationsValidator />
+        <section class="panel rise" style="animation-delay:.02s">
+            <div class="panel-head">Identity</div>
+            <div style="padding:1rem">
+                <div class="mb-3">
+                    <label class="form-label" for="nodeId">NodeId</label>
+                    <InputText id="nodeId" @bind-Value="_form.NodeId" disabled="@(!IsNew)"
+                               class="form-control form-control-sm mono"
+                               placeholder="LINE3-OPCUA-A" />
+                </div>
+                <div class="row">
+                    <div class="col-md-6 mb-3">
+                        <label class="form-label" for="host">Host</label>
+                        <InputText id="host" @bind-Value="_form.Host" class="form-control form-control-sm mono"
+                                   placeholder="line3-opc-a.plant.local" />
+                    </div>
+                    <div class="col-md-3 mb-3">
+                        <label class="form-label" for="port">OPC UA port</label>
+                        <InputNumber id="port" @bind-Value="_form.OpcUaPort" class="form-control form-control-sm" />
+                    </div>
+                    <div class="col-md-3 mb-3">
+                        <label class="form-label" for="dashport">Dashboard port</label>
+                        <InputNumber id="dashport" @bind-Value="_form.DashboardPort" class="form-control form-control-sm" />
+                    </div>
+                </div>
+                <div class="mb-3">
+                    <label class="form-label" for="uri">ApplicationUri</label>
+                    <InputText id="uri" @bind-Value="_form.ApplicationUri" class="form-control form-control-sm mono"
+                               placeholder="urn:zb:warsaw-west:line3:opc-a" />
+                    <div class="form-text">Must be unique fleet-wide. Clients pin trust here — never silently rewrite based on Host.</div>
+                </div>
+            </div>
+        </section>
+
+        <section class="panel rise mt-3" style="animation-delay:.08s">
+            <div class="panel-head">Redundancy + behaviour</div>
+            <div style="padding:1rem">
+                <div class="row">
+                    <div class="col-md-4 mb-3">
+                        <label class="form-label" for="slbase">ServiceLevel base</label>
+                        <InputNumber id="slbase" @bind-Value="_form.ServiceLevelBase" class="form-control form-control-sm" />
+                        <div class="form-text">200 = primary preference, 150 = secondary preference. Live ServiceLevel adjusts down on faults.</div>
+                    </div>
+                    <div class="col-md-4 mb-3">
+                        <label class="form-label">Enabled</label>
+                        <div class="form-check form-switch">
+                            <InputCheckbox @bind-Value="_form.Enabled" class="form-check-input" />
+                            <label class="form-check-label">Join the Akka cluster + serve endpoints</label>
+                        </div>
+                    </div>
+                </div>
+                <div class="mb-3">
+                    <label class="form-label" for="overrides">Driver config overrides (JSON, optional)</label>
+                    <InputTextArea id="overrides" @bind-Value="_form.DriverConfigOverridesJson" rows="6"
+                                   class="form-control form-control-sm mono"
+                                   placeholder='{ "drv-modbus-line3-01": { "endpoint": "10.0.0.43:502" } }' />
+                    <div class="form-text">Per-node merge over cluster-level <span class="mono">DriverInstance.DriverConfig</span>. Minimal by design — heavy node-specific config is a smell.</div>
+                </div>
+            </div>
+        </section>
+
+        @if (!string.IsNullOrWhiteSpace(_error))
+        {
+            <div class="panel notice mt-3" style="border-color:var(--alert)">@_error</div>
+        }
+
+        <div class="mt-3 d-flex gap-2">
+            <button type="submit" class="btn btn-primary" disabled="@_busy">
+                @if (_busy) { <span class="spinner-border spinner-border-sm me-1"></span> }
+                @(IsNew ? "Create" : "Save changes")
+            </button>
+            <a href="/clusters/@ClusterId" class="btn btn-outline-secondary">Cancel</a>
+            @if (!IsNew)
+            {
+                <button type="button" class="btn btn-outline-danger ms-auto" @onclick="DeleteAsync" disabled="@_busy">
+                    Delete
+                </button>
+            }
+        </div>
+    </EditForm>
+}
+
+@code {
+    [Parameter] public string ClusterId { get; set; } = "";
+    [Parameter] public string? NodeId { get; set; }
+
+    private bool IsNew => string.IsNullOrEmpty(NodeId);
+
+    private FormModel _form = new();
+    private ClusterNode? _existing;
+    private bool _loaded;
+    private bool _busy;
+    private string? _error;
+
+    protected override async Task OnInitializedAsync()
+    {
+        if (IsNew)
+        {
+            _form = new FormModel
+            {
+                NodeId = "",
+                Host = "",
+                OpcUaPort = 4840,
+                DashboardPort = 8081,
+                ApplicationUri = "",
+                ServiceLevelBase = 200,
+                Enabled = true,
+            };
+        }
+        else
+        {
+            await using var db = await DbFactory.CreateDbContextAsync();
+            _existing = await db.ClusterNodes.AsNoTracking()
+                .FirstOrDefaultAsync(n => n.ClusterId == ClusterId && n.NodeId == NodeId);
+            if (_existing is not null)
+            {
+                _form = new FormModel
+                {
+                    NodeId = _existing.NodeId,
+                    Host = _existing.Host,
+                    OpcUaPort = _existing.OpcUaPort,
+                    DashboardPort = _existing.DashboardPort,
+                    ApplicationUri = _existing.ApplicationUri,
+                    ServiceLevelBase = _existing.ServiceLevelBase,
+                    Enabled = _existing.Enabled,
+                    DriverConfigOverridesJson = _existing.DriverConfigOverridesJson,
+                };
+            }
+        }
+        _loaded = true;
+    }
+
+    private async Task SubmitAsync()
+    {
+        _busy = true;
+        _error = null;
+        try
+        {
+            if (!string.IsNullOrWhiteSpace(_form.DriverConfigOverridesJson))
+            {
+                try { using var _ = System.Text.Json.JsonDocument.Parse(_form.DriverConfigOverridesJson); }
+                catch { _error = "DriverConfigOverridesJson is not valid JSON."; return; }
+            }
+
+            await using var db = await DbFactory.CreateDbContextAsync();
+            if (IsNew)
+            {
+                if (await db.ClusterNodes.AnyAsync(n => n.NodeId == _form.NodeId))
+                {
+                    _error = $"Node '{_form.NodeId}' already exists.";
+                    return;
+                }
+                var auth = await AuthState.GetAuthenticationStateAsync();
+                db.ClusterNodes.Add(new ClusterNode
+                {
+                    NodeId = _form.NodeId,
+                    ClusterId = ClusterId,
+                    Host = _form.Host,
+                    OpcUaPort = _form.OpcUaPort,
+                    DashboardPort = _form.DashboardPort,
+                    ApplicationUri = _form.ApplicationUri,
+                    ServiceLevelBase = _form.ServiceLevelBase,
+                    Enabled = _form.Enabled,
+                    DriverConfigOverridesJson = string.IsNullOrWhiteSpace(_form.DriverConfigOverridesJson) ? null : _form.DriverConfigOverridesJson,
+                    CreatedAt = DateTime.UtcNow,
+                    CreatedBy = auth.User.Identity?.Name ?? "(anonymous)",
+                });
+            }
+            else
+            {
+                var entity = await db.ClusterNodes.FirstOrDefaultAsync(
+                    n => n.ClusterId == ClusterId && n.NodeId == NodeId);
+                if (entity is null) { _error = "Row no longer exists."; return; }
+                entity.Host = _form.Host;
+                entity.OpcUaPort = _form.OpcUaPort;
+                entity.DashboardPort = _form.DashboardPort;
+                entity.ApplicationUri = _form.ApplicationUri;
+                entity.ServiceLevelBase = _form.ServiceLevelBase;
+                entity.Enabled = _form.Enabled;
+                entity.DriverConfigOverridesJson = string.IsNullOrWhiteSpace(_form.DriverConfigOverridesJson) ? null : _form.DriverConfigOverridesJson;
+            }
+            await db.SaveChangesAsync();
+            Nav.NavigateTo($"/clusters/{ClusterId}");
+        }
+        catch (Exception ex)
+        {
+            _error = ex.Message;
+        }
+        finally
+        {
+            _busy = false;
+        }
+    }
+
+    private async Task DeleteAsync()
+    {
+        if (IsNew) return;
+        _busy = true;
+        _error = null;
+        try
+        {
+            await using var db = await DbFactory.CreateDbContextAsync();
+            var entity = await db.ClusterNodes.FirstOrDefaultAsync(
+                n => n.ClusterId == ClusterId && n.NodeId == NodeId);
+            if (entity is null) { Nav.NavigateTo($"/clusters/{ClusterId}"); return; }
+            db.ClusterNodes.Remove(entity);
+            await db.SaveChangesAsync();
+            Nav.NavigateTo($"/clusters/{ClusterId}");
+        }
+        catch (Exception ex)
+        {
+            _error = ex.Message;
+        }
+        finally
+        {
+            _busy = false;
+        }
+    }
+
+    private sealed class FormModel
+    {
+        [Required, RegularExpression("^[A-Za-z0-9_-]+$")]
+        public string NodeId { get; set; } = "";
+        [Required] public string Host { get; set; } = "";
+        [Range(1, 65535)] public int OpcUaPort { get; set; } = 4840;
+        [Range(1, 65535)] public int DashboardPort { get; set; } = 8081;
+        [Required, RegularExpression("^urn:[A-Za-z0-9_:./-]+$")]
+        public string ApplicationUri { get; set; } = "";
+        [Range(0, 255)] public byte ServiceLevelBase { get; set; } = 200;
+        public bool Enabled { get; set; } = true;
+        public string? DriverConfigOverridesJson { get; set; }
+    }
+}
@@ -0,0 +1,320 @@
+@page "/clusters/{ClusterId}/tags/new"
+@page "/clusters/{ClusterId}/tags/{TagId}"
+@* Tag CRUD. EquipmentId is required when the chosen driver's namespace is Equipment-kind,
+   forbidden when SystemPlatform-kind (decision #110); the form switches between
+   "pick equipment" and "FolderPath input" based on namespace kind. *@
+@attribute [Microsoft.AspNetCore.Authorization.Authorize]
+@rendermode RenderMode.InteractiveServer
+@using Microsoft.AspNetCore.Components.Forms
+@using Microsoft.EntityFrameworkCore
+@using System.ComponentModel.DataAnnotations
+@using ZB.MOM.WW.OtOpcUa.Configuration
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@using ZB.MOM.WW.OtOpcUa.Configuration.Enums
+@inject IDbContextFactory<OtOpcUaConfigDbContext> DbFactory
+@inject NavigationManager Nav
+
+<div class="d-flex justify-content-between align-items-center mb-3">
+    <h4 class="mb-0">@(IsNew ? "New tag" : "Edit tag") &middot; <span class="mono">@ClusterId</span></h4>
+    <a href="/clusters/@ClusterId/tags" class="btn btn-outline-secondary btn-sm">Cancel</a>
+</div>
+
+<ClusterNav ClusterId="@ClusterId" ActiveTab="tags" />
+
+@if (!_loaded)
+{
+    <p>Loading…</p>
+}
+else if (!IsNew && _existing is null)
+{
+    <section class="panel notice rise" style="animation-delay:.02s">
+        Tag <span class="mono">@TagId</span> was not found.
+    </section>
+}
+else
+{
+    <EditForm Model="_form" OnValidSubmit="SubmitAsync" FormName="tagEdit">
+        <DataAnnotationsValidator />
+        <section class="panel rise" style="animation-delay:.02s">
+            <div class="panel-head">Identity</div>
+            <div style="padding:1rem">
+                <div class="row">
+                    <div class="col-md-6 mb-3">
+                        <label class="form-label" for="tagId">TagId</label>
+                        <InputText id="tagId" @bind-Value="_form.TagId" disabled="@(!IsNew)"
+                                   class="form-control form-control-sm mono"
+                                   placeholder="tag-line3-temp-01" />
+                    </div>
+                    <div class="col-md-6 mb-3">
+                        <label class="form-label" for="name">Name</label>
+                        <InputText id="name" @bind-Value="_form.Name" class="form-control form-control-sm"
+                                   placeholder="Temperature setpoint" />
+                    </div>
+                </div>
+                <div class="row">
+                    <div class="col-md-6 mb-3">
+                        <label class="form-label" for="driver">Driver instance</label>
+                        <InputSelect id="driver" @bind-Value="_form.DriverInstanceId" class="form-select form-select-sm">
+                            <option value="">— pick a driver —</option>
+                            @foreach (var d in _drivers)
+                            {
+                                <option value="@d.DriverInstanceId">@d.DriverInstanceId &mdash; @d.Name</option>
+                            }
+                        </InputSelect>
+                    </div>
+                    <div class="col-md-6 mb-3">
+                        <label class="form-label" for="dtype">Data type</label>
+                        <InputSelect id="dtype" @bind-Value="_form.DataType" class="form-select form-select-sm">
+                            @foreach (var dt in DataTypes)
+                            {
+                                <option value="@dt">@dt</option>
+                            }
+                        </InputSelect>
+                    </div>
+                </div>
+
+                @{ var driverNamespace = ResolveDriverNamespace(_form.DriverInstanceId); }
+                @if (driverNamespace?.Kind == NamespaceKind.Equipment)
+                {
+                    <div class="mb-3">
+                        <label class="form-label" for="equipment">Equipment</label>
+                        <InputSelect id="equipment" @bind-Value="_form.EquipmentId" class="form-select form-select-sm">
+                            <option value="">— pick equipment —</option>
+                            @foreach (var e in _equipment.Where(e => e.DriverInstanceId == _form.DriverInstanceId))
+                            {
+                                <option value="@e.EquipmentId">@e.MachineCode &mdash; @e.Name</option>
+                            }
+                        </InputSelect>
+                    </div>
+                }
+                else if (driverNamespace?.Kind == NamespaceKind.SystemPlatform)
+                {
+                    <div class="mb-3">
+                        <label class="form-label" for="folder">FolderPath (SystemPlatform namespace)</label>
+                        <InputText id="folder" @bind-Value="_form.FolderPath" class="form-control form-control-sm mono"
+                                   placeholder="GalaxyArea/Machine_001" />
+                        <div class="form-text">Galaxy hierarchy preserved as v1 expressed it — no UNS rule.</div>
+                    </div>
+                }
+                else if (!string.IsNullOrEmpty(_form.DriverInstanceId))
+                {
+                    <div class="text-muted small mb-3">Pick a driver to see its namespace kind.</div>
+                }
+
+                <div class="row">
+                    <div class="col-md-6 mb-3">
+                        <label class="form-label" for="access">Access level</label>
+                        <InputSelect id="access" @bind-Value="_form.AccessLevel" class="form-select form-select-sm">
+                            <option value="@TagAccessLevel.Read">Read</option>
+                            <option value="@TagAccessLevel.ReadWrite">ReadWrite</option>
+                        </InputSelect>
+                    </div>
+                    <div class="col-md-6 mb-3">
+                        <label class="form-label">WriteIdempotent</label>
+                        <div class="form-check form-switch">
+                            <InputCheckbox @bind-Value="_form.WriteIdempotent" class="form-check-input" />
+                            <label class="form-check-label">Safe to retry writes (decision #44–45)</label>
+                        </div>
+                    </div>
+                </div>
+                <div class="mb-3">
+                    <label class="form-label" for="pgroup">PollGroupId (optional)</label>
+                    <InputText id="pgroup" @bind-Value="_form.PollGroupId" class="form-control form-control-sm mono" />
+                </div>
+            </div>
+        </section>
+
+        <section class="panel rise mt-3" style="animation-delay:.08s">
+            <div class="panel-head">Tag config (JSON)</div>
+            <div style="padding:1rem">
+                <InputTextArea @bind-Value="_form.TagConfig" rows="8"
+                               class="form-control form-control-sm mono"
+                               placeholder='{ "register": 40001, "scale": 0.1 }' />
+                <div class="form-text">Schemaless per driver type — register / address / scaling / byte-order. Validated server-side at deploy.</div>
+            </div>
+        </section>
+
+        @if (!string.IsNullOrWhiteSpace(_error))
+        {
+            <div class="panel notice mt-3" style="border-color:var(--alert)">@_error</div>
+        }
+
+        <div class="mt-3 d-flex gap-2">
+            <button type="submit" class="btn btn-primary" disabled="@_busy">
+                @if (_busy) { <span class="spinner-border spinner-border-sm me-1"></span> }
+                @(IsNew ? "Create" : "Save changes")
+            </button>
+            <a href="/clusters/@ClusterId/tags" class="btn btn-outline-secondary">Cancel</a>
+            @if (!IsNew)
+            {
+                <button type="button" class="btn btn-outline-danger ms-auto" @onclick="DeleteAsync" disabled="@_busy">Delete</button>
+            }
+        </div>
+    </EditForm>
+}
+
+@code {
+    private static readonly string[] DataTypes =
+        ["Boolean", "SByte", "Byte", "Int16", "UInt16", "Int32", "UInt32",
+         "Int64", "UInt64", "Float", "Double", "String", "DateTime", "Guid", "ByteString"];
+
+    [Parameter] public string ClusterId { get; set; } = "";
+    [Parameter] public string? TagId { get; set; }
+
+    private bool IsNew => string.IsNullOrEmpty(TagId);
+
+    private FormModel _form = new();
+    private Tag? _existing;
+    private List<DriverInstance> _drivers = new();
+    private List<Equipment> _equipment = new();
+    private Dictionary<string, Namespace> _namespacesByDriverInstance = new();
+    private bool _loaded;
+    private bool _busy;
+    private string? _error;
+
+    protected override async Task OnInitializedAsync()
+    {
+        await using var db = await DbFactory.CreateDbContextAsync();
+        _drivers = await db.DriverInstances.AsNoTracking()
+            .Where(d => d.ClusterId == ClusterId)
+            .OrderBy(d => d.DriverInstanceId)
+            .ToListAsync();
+        var namespaces = await db.Namespaces.AsNoTracking()
+            .Where(n => n.ClusterId == ClusterId)
+            .ToListAsync();
+        var nsById = namespaces.ToDictionary(n => n.NamespaceId);
+        _namespacesByDriverInstance = _drivers.ToDictionary(
+            d => d.DriverInstanceId,
+            d => nsById.TryGetValue(d.NamespaceId, out var ns) ? ns : namespaces.First());
+        var driverIds = _drivers.Select(d => d.DriverInstanceId).ToHashSet();
+        _equipment = await db.Equipment.AsNoTracking()
+            .Where(e => driverIds.Contains(e.DriverInstanceId))
+            .OrderBy(e => e.MachineCode)
+            .ToListAsync();
+
+        if (!IsNew)
+        {
+            _existing = await db.Tags.AsNoTracking()
+                .FirstOrDefaultAsync(t => t.TagId == TagId);
+            if (_existing is not null)
+            {
+                _form = new FormModel
+                {
+                    TagId = _existing.TagId,
+                    Name = _existing.Name,
+                    DriverInstanceId = _existing.DriverInstanceId,
+                    EquipmentId = _existing.EquipmentId,
+                    FolderPath = _existing.FolderPath,
+                    DataType = _existing.DataType,
+                    AccessLevel = _existing.AccessLevel,
+                    WriteIdempotent = _existing.WriteIdempotent,
+                    PollGroupId = _existing.PollGroupId,
+                    TagConfig = _existing.TagConfig,
+                    RowVersion = _existing.RowVersion,
+                };
+            }
+        }
+        else
+        {
+            _form.DataType = "Float";
+            _form.AccessLevel = TagAccessLevel.Read;
+            _form.TagConfig = "{}";
+        }
+        _loaded = true;
+    }
+
+    private Namespace? ResolveDriverNamespace(string driverId) =>
+        string.IsNullOrEmpty(driverId) ? null
+        : _namespacesByDriverInstance.TryGetValue(driverId, out var ns) ? ns : null;
+
+    private async Task SubmitAsync()
+    {
+        _busy = true; _error = null;
+        try
+        {
+            if (string.IsNullOrEmpty(_form.DriverInstanceId)) { _error = "Pick a driver."; return; }
+            var ns = ResolveDriverNamespace(_form.DriverInstanceId);
+            if (ns?.Kind == NamespaceKind.Equipment && string.IsNullOrEmpty(_form.EquipmentId))
+            { _error = "Driver lives in an Equipment-kind namespace — pick an equipment."; return; }
+            if (ns?.Kind == NamespaceKind.SystemPlatform && !string.IsNullOrEmpty(_form.EquipmentId))
+            { _error = "Driver lives in a SystemPlatform namespace — EquipmentId must be empty (use FolderPath)."; return; }
+
+            try { using var _ = System.Text.Json.JsonDocument.Parse(_form.TagConfig); }
+            catch { _error = "TagConfig is not valid JSON."; return; }
+
+            await using var db = await DbFactory.CreateDbContextAsync();
+            if (IsNew)
+            {
+                if (await db.Tags.AnyAsync(t => t.TagId == _form.TagId))
+                { _error = $"Tag '{_form.TagId}' already exists."; return; }
+                db.Tags.Add(new Tag
+                {
+                    TagId = _form.TagId,
+                    DriverInstanceId = _form.DriverInstanceId,
+                    EquipmentId = string.IsNullOrEmpty(_form.EquipmentId) ? null : _form.EquipmentId,
+                    Name = _form.Name,
+                    FolderPath = string.IsNullOrWhiteSpace(_form.FolderPath) ? null : _form.FolderPath,
+                    DataType = _form.DataType,
+                    AccessLevel = _form.AccessLevel,
+                    WriteIdempotent = _form.WriteIdempotent,
+                    PollGroupId = string.IsNullOrWhiteSpace(_form.PollGroupId) ? null : _form.PollGroupId,
+                    TagConfig = _form.TagConfig,
+                });
+            }
+            else
+            {
+                var entity = await db.Tags.FirstOrDefaultAsync(t => t.TagId == TagId);
+                if (entity is null) { _error = "Row no longer exists."; return; }
+                db.Entry(entity).Property(e => e.RowVersion).OriginalValue = _form.RowVersion;
+                entity.DriverInstanceId = _form.DriverInstanceId;
+                entity.EquipmentId = string.IsNullOrEmpty(_form.EquipmentId) ? null : _form.EquipmentId;
+                entity.Name = _form.Name;
+                entity.FolderPath = string.IsNullOrWhiteSpace(_form.FolderPath) ? null : _form.FolderPath;
+                entity.DataType = _form.DataType;
+                entity.AccessLevel = _form.AccessLevel;
+                entity.WriteIdempotent = _form.WriteIdempotent;
+                entity.PollGroupId = string.IsNullOrWhiteSpace(_form.PollGroupId) ? null : _form.PollGroupId;
+                entity.TagConfig = _form.TagConfig;
+            }
+            await db.SaveChangesAsync();
+            Nav.NavigateTo($"/clusters/{ClusterId}/tags");
+        }
+        catch (DbUpdateConcurrencyException) { _error = "Another user changed this tag while you were editing."; }
+        catch (Exception ex) { _error = ex.Message; }
+        finally { _busy = false; }
+    }
+
+    private async Task DeleteAsync()
+    {
+        if (IsNew) return;
+        _busy = true; _error = null;
+        try
+        {
+            await using var db = await DbFactory.CreateDbContextAsync();
+            var entity = await db.Tags.FirstOrDefaultAsync(t => t.TagId == TagId);
+            if (entity is null) { Nav.NavigateTo($"/clusters/{ClusterId}/tags"); return; }
+            db.Entry(entity).Property(e => e.RowVersion).OriginalValue = _form.RowVersion;
+            db.Tags.Remove(entity);
+            await db.SaveChangesAsync();
+            Nav.NavigateTo($"/clusters/{ClusterId}/tags");
+        }
+        catch (DbUpdateConcurrencyException) { _error = "Another user changed this tag while you were viewing it."; }
+        catch (Exception ex) { _error = ex.Message; }
+        finally { _busy = false; }
+    }
+
+    private sealed class FormModel
+    {
+        [Required, RegularExpression("^[A-Za-z0-9_-]+$")] public string TagId { get; set; } = "";
+        [Required] public string Name { get; set; } = "";
+        [Required] public string DriverInstanceId { get; set; } = "";
+        public string? EquipmentId { get; set; }
+        public string? FolderPath { get; set; }
+        [Required] public string DataType { get; set; } = "Float";
+        public TagAccessLevel AccessLevel { get; set; } = TagAccessLevel.Read;
+        public bool WriteIdempotent { get; set; }
+        public string? PollGroupId { get; set; }
+        [Required] public string TagConfig { get; set; } = "{}";
+        public byte[] RowVersion { get; set; } = [];
+    }
+}
@@ -0,0 +1,167 @@
+@page "/clusters/{ClusterId}/uns/areas/new"
+@page "/clusters/{ClusterId}/uns/areas/{UnsAreaId}"
+@attribute [Microsoft.AspNetCore.Authorization.Authorize]
+@rendermode RenderMode.InteractiveServer
+@using Microsoft.AspNetCore.Components.Forms
+@using Microsoft.EntityFrameworkCore
+@using System.ComponentModel.DataAnnotations
+@using ZB.MOM.WW.OtOpcUa.Configuration
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@inject IDbContextFactory<OtOpcUaConfigDbContext> DbFactory
+@inject NavigationManager Nav
+
+<div class="d-flex justify-content-between align-items-center mb-3">
+    <h4 class="mb-0">@(IsNew ? "New UNS area" : "Edit UNS area") &middot; <span class="mono">@ClusterId</span></h4>
+    <a href="/clusters/@ClusterId/uns" class="btn btn-outline-secondary btn-sm">Cancel</a>
+</div>
+
+<ClusterNav ClusterId="@ClusterId" ActiveTab="uns" />
+
+@if (!_loaded)
+{
+    <p>Loading…</p>
+}
+else if (!IsNew && _existing is null)
+{
+    <section class="panel notice rise" style="animation-delay:.02s">
+        Area <span class="mono">@UnsAreaId</span> was not found.
+    </section>
+}
+else
+{
+    <EditForm Model="_form" OnValidSubmit="SubmitAsync" FormName="unsAreaEdit">
+        <DataAnnotationsValidator />
+        <section class="panel rise" style="animation-delay:.02s">
+            <div class="panel-head">UNS area (level 3)</div>
+            <div style="padding:1rem">
+                <div class="mb-3">
+                    <label class="form-label" for="aid">UnsAreaId</label>
+                    <InputText id="aid" @bind-Value="_form.UnsAreaId" disabled="@(!IsNew)"
+                               class="form-control form-control-sm mono" />
+                </div>
+                <div class="mb-3">
+                    <label class="form-label" for="name">Name</label>
+                    <InputText id="name" @bind-Value="_form.Name" class="form-control form-control-sm" />
+                </div>
+                <div class="mb-3">
+                    <label class="form-label" for="notes">Notes</label>
+                    <InputTextArea id="notes" @bind-Value="_form.Notes" class="form-control form-control-sm" rows="3" />
+                </div>
+            </div>
+        </section>
+
+        @if (!string.IsNullOrWhiteSpace(_error))
+        {
+            <div class="panel notice mt-3" style="border-color:var(--alert)">@_error</div>
+        }
+
+        <div class="mt-3 d-flex gap-2">
+            <button type="submit" class="btn btn-primary" disabled="@_busy">
+                @if (_busy) { <span class="spinner-border spinner-border-sm me-1"></span> }
+                @(IsNew ? "Create" : "Save changes")
+            </button>
+            <a href="/clusters/@ClusterId/uns" class="btn btn-outline-secondary">Cancel</a>
+            @if (!IsNew)
+            {
+                <button type="button" class="btn btn-outline-danger ms-auto" @onclick="DeleteAsync" disabled="@_busy">Delete</button>
+            }
+        </div>
+    </EditForm>
+}
+
+@code {
+    [Parameter] public string ClusterId { get; set; } = "";
+    [Parameter] public string? UnsAreaId { get; set; }
+
+    private bool IsNew => string.IsNullOrEmpty(UnsAreaId);
+
+    private FormModel _form = new();
+    private UnsArea? _existing;
+    private bool _loaded;
+    private bool _busy;
+    private string? _error;
+
+    protected override async Task OnInitializedAsync()
+    {
+        if (!IsNew)
+        {
+            await using var db = await DbFactory.CreateDbContextAsync();
+            _existing = await db.UnsAreas.AsNoTracking()
+                .FirstOrDefaultAsync(a => a.ClusterId == ClusterId && a.UnsAreaId == UnsAreaId);
+            if (_existing is not null)
+            {
+                _form = new FormModel
+                {
+                    UnsAreaId = _existing.UnsAreaId,
+                    Name = _existing.Name,
+                    Notes = _existing.Notes,
+                    RowVersion = _existing.RowVersion,
+                };
+            }
+        }
+        _loaded = true;
+    }
+
+    private async Task SubmitAsync()
+    {
+        _busy = true; _error = null;
+        try
+        {
+            await using var db = await DbFactory.CreateDbContextAsync();
+            if (IsNew)
+            {
+                if (await db.UnsAreas.AnyAsync(a => a.UnsAreaId == _form.UnsAreaId))
+                { _error = $"Area '{_form.UnsAreaId}' already exists."; return; }
+                db.UnsAreas.Add(new UnsArea
+                {
+                    UnsAreaId = _form.UnsAreaId,
+                    ClusterId = ClusterId,
+                    Name = _form.Name,
+                    Notes = string.IsNullOrWhiteSpace(_form.Notes) ? null : _form.Notes,
+                });
+            }
+            else
+            {
+                var entity = await db.UnsAreas.FirstOrDefaultAsync(
+                    a => a.ClusterId == ClusterId && a.UnsAreaId == UnsAreaId);
+                if (entity is null) { _error = "Row no longer exists."; return; }
+                db.Entry(entity).Property(e => e.RowVersion).OriginalValue = _form.RowVersion;
+                entity.Name = _form.Name;
+                entity.Notes = string.IsNullOrWhiteSpace(_form.Notes) ? null : _form.Notes;
+            }
+            await db.SaveChangesAsync();
+            Nav.NavigateTo($"/clusters/{ClusterId}/uns");
+        }
+        catch (DbUpdateConcurrencyException) { _error = "Another user changed this area while you were editing. Reload to see the latest values."; }
+        catch (Exception ex) { _error = ex.Message; }
+        finally { _busy = false; }
+    }
+
+    private async Task DeleteAsync()
+    {
+        if (IsNew) return;
+        _busy = true; _error = null;
+        try
+        {
+            await using var db = await DbFactory.CreateDbContextAsync();
+            var entity = await db.UnsAreas.FirstOrDefaultAsync(
+                a => a.ClusterId == ClusterId && a.UnsAreaId == UnsAreaId);
+            if (entity is null) { Nav.NavigateTo($"/clusters/{ClusterId}/uns"); return; }
+            db.Entry(entity).Property(e => e.RowVersion).OriginalValue = _form.RowVersion;
+            db.UnsAreas.Remove(entity);
+            await db.SaveChangesAsync();
+            Nav.NavigateTo($"/clusters/{ClusterId}/uns");
+        }
+        catch (DbUpdateConcurrencyException) { _error = "Another user changed this area while you were viewing it."; }
+        catch (Exception ex) { _error = $"Delete failed: {ex.Message}. Likely because lines still reference this area — remove them first."; }
+        finally { _busy = false; }
+    }
+
+    private sealed class FormModel
+    {
+        [Required, RegularExpression("^[A-Za-z0-9_-]+$")] public string UnsAreaId { get; set; } = "";
+        [Required] public string Name { get; set; } = "";
+        public string? Notes { get; set; }
+        public byte[] RowVersion { get; set; } = [];
+    }
+}
@@ -0,0 +1,187 @@
+@page "/clusters/{ClusterId}/uns/lines/new"
+@page "/clusters/{ClusterId}/uns/lines/{UnsLineId}"
+@attribute [Microsoft.AspNetCore.Authorization.Authorize]
+@rendermode RenderMode.InteractiveServer
+@using Microsoft.AspNetCore.Components.Forms
+@using Microsoft.EntityFrameworkCore
+@using System.ComponentModel.DataAnnotations
+@using ZB.MOM.WW.OtOpcUa.Configuration
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@inject IDbContextFactory<OtOpcUaConfigDbContext> DbFactory
+@inject NavigationManager Nav
+
+<div class="d-flex justify-content-between align-items-center mb-3">
+    <h4 class="mb-0">@(IsNew ? "New UNS line" : "Edit UNS line") &middot; <span class="mono">@ClusterId</span></h4>
+    <a href="/clusters/@ClusterId/uns" class="btn btn-outline-secondary btn-sm">Cancel</a>
+</div>
+
+<ClusterNav ClusterId="@ClusterId" ActiveTab="uns" />
+
+@if (!_loaded)
+{
+    <p>Loading…</p>
+}
+else if (!IsNew && _existing is null)
+{
+    <section class="panel notice rise" style="animation-delay:.02s">
+        Line <span class="mono">@UnsLineId</span> was not found.
+    </section>
+}
+else
+{
+    <EditForm Model="_form" OnValidSubmit="SubmitAsync" FormName="unsLineEdit">
+        <DataAnnotationsValidator />
+        <section class="panel rise" style="animation-delay:.02s">
+            <div class="panel-head">UNS line (level 4)</div>
+            <div style="padding:1rem">
+                <div class="mb-3">
+                    <label class="form-label" for="lid">UnsLineId</label>
+                    <InputText id="lid" @bind-Value="_form.UnsLineId" disabled="@(!IsNew)"
+                               class="form-control form-control-sm mono" />
+                </div>
+                <div class="mb-3">
+                    <label class="form-label" for="area">Parent area</label>
+                    <InputSelect id="area" @bind-Value="_form.UnsAreaId" class="form-select form-select-sm">
+                        @foreach (var area in _areas)
+                        {
+                            <option value="@area.UnsAreaId">@area.UnsAreaId &mdash; @area.Name</option>
+                        }
+                    </InputSelect>
+                </div>
+                <div class="mb-3">
+                    <label class="form-label" for="name">Name</label>
+                    <InputText id="name" @bind-Value="_form.Name" class="form-control form-control-sm" />
+                </div>
+                <div class="mb-3">
+                    <label class="form-label" for="notes">Notes</label>
+                    <InputTextArea id="notes" @bind-Value="_form.Notes" class="form-control form-control-sm" rows="3" />
+                </div>
+            </div>
+        </section>
+
+        @if (!string.IsNullOrWhiteSpace(_error))
+        {
+            <div class="panel notice mt-3" style="border-color:var(--alert)">@_error</div>
+        }
+
+        <div class="mt-3 d-flex gap-2">
+            <button type="submit" class="btn btn-primary" disabled="@_busy">
+                @if (_busy) { <span class="spinner-border spinner-border-sm me-1"></span> }
+                @(IsNew ? "Create" : "Save changes")
+            </button>
+            <a href="/clusters/@ClusterId/uns" class="btn btn-outline-secondary">Cancel</a>
+            @if (!IsNew)
+            {
+                <button type="button" class="btn btn-outline-danger ms-auto" @onclick="DeleteAsync" disabled="@_busy">Delete</button>
+            }
+        </div>
+    </EditForm>
+}
+
+@code {
+    [Parameter] public string ClusterId { get; set; } = "";
+    [Parameter] public string? UnsLineId { get; set; }
+
+    private bool IsNew => string.IsNullOrEmpty(UnsLineId);
+
+    private FormModel _form = new();
+    private UnsLine? _existing;
+    private List<UnsArea> _areas = new();
+    private bool _loaded;
+    private bool _busy;
+    private string? _error;
+
+    protected override async Task OnInitializedAsync()
+    {
+        await using var db = await DbFactory.CreateDbContextAsync();
+        _areas = await db.UnsAreas.AsNoTracking()
+            .Where(a => a.ClusterId == ClusterId)
+            .OrderBy(a => a.UnsAreaId)
+            .ToListAsync();
+
+        if (!IsNew)
+        {
+            _existing = await db.UnsLines.AsNoTracking()
+                .FirstOrDefaultAsync(l => l.UnsLineId == UnsLineId);
+            if (_existing is not null)
+            {
+                _form = new FormModel
+                {
+                    UnsLineId = _existing.UnsLineId,
+                    UnsAreaId = _existing.UnsAreaId,
+                    Name = _existing.Name,
+                    Notes = _existing.Notes,
+                    RowVersion = _existing.RowVersion,
+                };
+            }
+        }
+        else
+        {
+            _form.UnsAreaId = _areas.FirstOrDefault()?.UnsAreaId ?? "";
+        }
+        _loaded = true;
+    }
+
+    private async Task SubmitAsync()
+    {
+        _busy = true; _error = null;
+        try
+        {
+            await using var db = await DbFactory.CreateDbContextAsync();
+            if (IsNew)
+            {
+                if (await db.UnsLines.AnyAsync(l => l.UnsLineId == _form.UnsLineId))
+                { _error = $"Line '{_form.UnsLineId}' already exists."; return; }
+                db.UnsLines.Add(new UnsLine
+                {
+                    UnsLineId = _form.UnsLineId,
+                    UnsAreaId = _form.UnsAreaId,
+                    Name = _form.Name,
+                    Notes = string.IsNullOrWhiteSpace(_form.Notes) ? null : _form.Notes,
+                });
+            }
+            else
+            {
+                var entity = await db.UnsLines.FirstOrDefaultAsync(l => l.UnsLineId == UnsLineId);
+                if (entity is null) { _error = "Row no longer exists."; return; }
+                db.Entry(entity).Property(e => e.RowVersion).OriginalValue = _form.RowVersion;
+                entity.UnsAreaId = _form.UnsAreaId;
+                entity.Name = _form.Name;
+                entity.Notes = string.IsNullOrWhiteSpace(_form.Notes) ? null : _form.Notes;
+            }
+            await db.SaveChangesAsync();
+            Nav.NavigateTo($"/clusters/{ClusterId}/uns");
+        }
+        catch (DbUpdateConcurrencyException) { _error = "Another user changed this line while you were editing."; }
+        catch (Exception ex) { _error = ex.Message; }
+        finally { _busy = false; }
+    }
+
+    private async Task DeleteAsync()
+    {
+        if (IsNew) return;
+        _busy = true; _error = null;
+        try
+        {
+            await using var db = await DbFactory.CreateDbContextAsync();
+            var entity = await db.UnsLines.FirstOrDefaultAsync(l => l.UnsLineId == UnsLineId);
+            if (entity is null) { Nav.NavigateTo($"/clusters/{ClusterId}/uns"); return; }
+            db.Entry(entity).Property(e => e.RowVersion).OriginalValue = _form.RowVersion;
+            db.UnsLines.Remove(entity);
+            await db.SaveChangesAsync();
+            Nav.NavigateTo($"/clusters/{ClusterId}/uns");
+        }
+        catch (DbUpdateConcurrencyException) { _error = "Another user changed this line while you were viewing it."; }
+        catch (Exception ex) { _error = $"Delete failed: {ex.Message}. Likely because equipment still references this line — remove or re-home it first."; }
+        finally { _busy = false; }
+    }
+
+    private sealed class FormModel
+    {
+        [Required, RegularExpression("^[A-Za-z0-9_-]+$")] public string UnsLineId { get; set; } = "";
+        [Required] public string UnsAreaId { get; set; } = "";
+        [Required] public string Name { get; set; } = "";
+        public string? Notes { get; set; }
+        public byte[] RowVersion { get; set; } = [];
+    }
+}
@@ -1,5 +1,6 @@
@page "/deployments"
@using Microsoft.AspNetCore.Authorization
+@using Microsoft.AspNetCore.Components.Authorization
@using Microsoft.EntityFrameworkCore
@using ZB.MOM.WW.OtOpcUa.Commons.Interfaces
@using ZB.MOM.WW.OtOpcUa.Commons.Messages.Admin
@@ -12,6 +13,7 @@

@inject IDbContextFactory<OtOpcUaConfigDbContext> DbFactory
@inject IAdminOperationsClient AdminOps
+@inject AuthenticationStateProvider AuthState
@rendermode InteractiveServer

 <PageTitle>Deployments</PageTitle>
@@ -103,8 +105,10 @@
        _lastMessage = null;
        try
        {
+            var auth = await AuthState.GetAuthenticationStateAsync();
+            var createdBy = auth.User.Identity?.Name ?? "(anonymous)";
            var result = await AdminOps.StartDeploymentAsync(
-                createdBy: "(current user)", // F18: thread HttpContext.User.Identity.Name through
+                createdBy: createdBy,
                ct: CancellationToken.None);

            _lastSuccess = result.Outcome == StartDeploymentOutcome.Accepted;
@@ -0,0 +1,180 @@
+@page "/fleet"
+@* Per-node deployment status. v2 reads NodeDeploymentState (the per-(node, deployment) apply
+   progress row owned by each DriverHostActor) and projects the most-recent row per node. The
+   Akka cluster topology comes from IClusterRoleInfo so we can show nodes that haven't applied
+   anything yet alongside nodes that have. *@
+@attribute [Microsoft.AspNetCore.Authorization.Authorize]
+@rendermode RenderMode.InteractiveServer
+@using Microsoft.EntityFrameworkCore
+@using ZB.MOM.WW.OtOpcUa.Commons.Interfaces
+@using ZB.MOM.WW.OtOpcUa.Configuration
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@using ZB.MOM.WW.OtOpcUa.Configuration.Enums
+@inject IClusterRoleInfo Cluster
+@inject IDbContextFactory<OtOpcUaConfigDbContext> DbFactory
+@implements IDisposable
+
+<div class="d-flex justify-content-between align-items-center mb-3">
+    <h4 class="mb-0">Fleet status</h4>
+</div>
+
+<div class="d-flex align-items-center mb-3 gap-2">
+    <button class="btn btn-sm btn-outline-primary" @onclick="RefreshAsync" disabled="@_refreshing">
+        @if (_refreshing) { <span class="spinner-border spinner-border-sm me-1" /> }
+        Refresh
+    </button>
+    <span class="text-muted small">
+        Auto-refresh every @RefreshIntervalSeconds s. Last updated: @(_lastRefreshUtc?.ToString("HH:mm:ss 'UTC'") ?? "—")
+    </span>
+</div>
+
+@if (_rows is null)
+{
+    <p>Loading…</p>
+}
+else if (_rows.Count == 0)
+{
+    <section class="panel notice rise" style="animation-delay:.02s">
+        No driver-role nodes are currently Up in the Akka cluster, and no NodeDeploymentState
+        rows have been recorded yet. Either no driver nodes have joined or the cluster is still
+        forming.
+    </section>
+}
+else
+{
+    <section class="agg-grid rise" style="animation-delay:.02s">
+        <div class="agg-card">
+            <div class="agg-label">Nodes</div>
+            <div class="agg-value numeric">@_rows.Count</div>
+        </div>
+        <div class="agg-card">
+            <div class="agg-label">Applied</div>
+            <div class="agg-value numeric">@_rows.Count(r => r.Status == NodeDeploymentStatus.Applied)</div>
+        </div>
+        <div class="agg-card caution">
+            <div class="agg-label">Applying</div>
+            <div class="agg-value numeric">@_rows.Count(r => r.Status == NodeDeploymentStatus.Applying)</div>
+        </div>
+        <div class="agg-card alert">
+            <div class="agg-label">Failed</div>
+            <div class="agg-value numeric">@_rows.Count(r => r.Status == NodeDeploymentStatus.Failed)</div>
+        </div>
+    </section>
+
+    <section class="panel rise" style="animation-delay:.08s">
+        <div class="panel-head">Nodes</div>
+        <div class="table-wrap">
+            <table class="data-table">
+                <thead>
+                    <tr>
+                        <th>Node</th>
+                        <th>Roles</th>
+                        <th>Status</th>
+                        <th>Applied at</th>
+                        <th>Started at</th>
+                        <th>Failure reason</th>
+                    </tr>
+                </thead>
+                <tbody>
+                    @foreach (var r in _rows)
+                    {
+                        <tr>
+                            <td><span class="mono">@r.NodeId</span></td>
+                            <td>
+                                @foreach (var role in r.Roles)
+                                {
+                                    <span class="chip chip-idle me-1">@role</span>
+                                }
+                            </td>
+                            <td><span class="chip @StatusChipClass(r.Status)">@StatusLabel(r.Status)</span></td>
+                            <td>@(r.AppliedAtUtc?.ToString("u") ?? "—")</td>
+                            <td>@(r.StartedAtUtc?.ToString("u") ?? "—")</td>
+                            <td>@(r.FailureReason ?? "")</td>
+                        </tr>
+                    }
+                </tbody>
+            </table>
+        </div>
+    </section>
+}
+
+@code {
+    private const int RefreshIntervalSeconds = 10;
+
+    private List<NodeRow>? _rows;
+    private bool _refreshing;
+    private DateTime? _lastRefreshUtc;
+    private Timer? _timer;
+
+    protected override async Task OnInitializedAsync()
+    {
+        await LoadAsync();
+        _timer = new Timer(_ => _ = InvokeAsync(LoadAsync), null,
+            TimeSpan.FromSeconds(RefreshIntervalSeconds),
+            TimeSpan.FromSeconds(RefreshIntervalSeconds));
+    }
+
+    private async Task RefreshAsync() => await LoadAsync();
+
+    private async Task LoadAsync()
+    {
+        _refreshing = true;
+        StateHasChanged();
+        try
+        {
+            await using var db = await DbFactory.CreateDbContextAsync();
+            // Project the most-recent NodeDeploymentState per node — that's the row the
+            // DriverHostActor most recently touched, regardless of which deployment it was for.
+            var states = await db.NodeDeploymentStates.AsNoTracking()
+                .GroupBy(s => s.NodeId)
+                .Select(g => g.OrderByDescending(s => s.StartedAtUtc).First())
+                .ToListAsync();
+            var byNode = states.ToDictionary(s => s.NodeId);
+
+            // Union with current Akka driver members so a freshly-joined node that has no
+            // NodeDeploymentState row yet still appears as "waiting".
+            var akkaDrivers = Cluster.MembersWithRole("driver")
+                .Select(n => n.Value).ToHashSet(StringComparer.OrdinalIgnoreCase);
+            var allNodes = byNode.Keys.Union(akkaDrivers, StringComparer.OrdinalIgnoreCase)
+                .OrderBy(s => s, StringComparer.OrdinalIgnoreCase).ToList();
+
+            _rows = allNodes.Select(nodeId =>
+            {
+                byNode.TryGetValue(nodeId, out var state);
+                return new NodeRow(
+                    NodeId: nodeId,
+                    Roles: akkaDrivers.Contains(nodeId) ? new[] { "driver" } : Array.Empty<string>(),
+                    Status: state?.Status,
+                    StartedAtUtc: state?.StartedAtUtc,
+                    AppliedAtUtc: state?.AppliedAtUtc,
+                    FailureReason: state?.FailureReason);
+            }).ToList();
+            _lastRefreshUtc = DateTime.UtcNow;
+        }
+        finally
+        {
+            _refreshing = false;
+            StateHasChanged();
+        }
+    }
+
+    private static string StatusChipClass(NodeDeploymentStatus? status) => status switch
+    {
+        NodeDeploymentStatus.Applied => "chip-ok",
+        NodeDeploymentStatus.Applying => "chip-caution",
+        NodeDeploymentStatus.Failed => "chip-alert",
+        _ => "chip-idle",
+    };
+
+    private static string StatusLabel(NodeDeploymentStatus? status) => status?.ToString() ?? "waiting";
+
+    public void Dispose() => _timer?.Dispose();
+
+    private sealed record NodeRow(
+        string NodeId,
+        IReadOnlyCollection<string> Roles,
+        NodeDeploymentStatus? Status,
+        DateTime? StartedAtUtc,
+        DateTime? AppliedAtUtc,
+        string? FailureReason);
+}
@@ -0,0 +1,196 @@
+@page "/hosts"
+@* Akka cluster topology: each member's NodeId (host:port), roles, leader status. v2 reshapes
+   v1's "driver host" page — there are no per-driver host rows yet (driver-instance child actors
+   land with F7). For now this is the cluster-membership view; expand to per-driver rows when
+   DriverHostActor starts spawning DriverInstanceActor children. *@
+@attribute [Microsoft.AspNetCore.Authorization.Authorize]
+@rendermode RenderMode.InteractiveServer
+@using Akka.Actor
+@using Akka.Cluster
+@inject ActorSystem ActorSystem
+@implements IDisposable
+
+<div class="d-flex justify-content-between align-items-center mb-3">
+    <h4 class="mb-0">Cluster hosts</h4>
+</div>
+
+<div class="d-flex align-items-center mb-3 gap-2">
+    <button class="btn btn-sm btn-outline-primary" @onclick="RefreshAsync" disabled="@_refreshing">
+        @if (_refreshing) { <span class="spinner-border spinner-border-sm me-1" /> }
+        Refresh
+    </button>
+    <span class="text-muted small">
+        Auto-refresh every @RefreshIntervalSeconds s. Last updated: @(_lastRefreshUtc?.ToString("HH:mm:ss 'UTC'") ?? "—")
+    </span>
+</div>
+
+<section class="panel notice rise" style="animation-delay:.02s">
+    Each row is one Akka cluster member identified by <span class="mono">host:port</span>. Roles
+    drive which actors run on which node — <span class="mono">admin</span> nodes host the
+    control-plane singletons, <span class="mono">driver</span> nodes host the per-node runtime
+    actors. The leader columns identify which member currently owns each role's singletons.
+</section>
+
+@if (_rows is null)
+{
+    <p>Loading…</p>
+}
+else if (_rows.Count == 0)
+{
+    <section class="panel notice rise" style="animation-delay:.08s">
+        No cluster members visible. The local node may still be joining.
+    </section>
+}
+else
+{
+    <section class="agg-grid rise" style="animation-delay:.08s">
+        <div class="agg-card">
+            <div class="agg-label">Members</div>
+            <div class="agg-value numeric">@_rows.Count</div>
+        </div>
+        <div class="agg-card">
+            <div class="agg-label">Up</div>
+            <div class="agg-value numeric">@_rows.Count(r => r.Status == "Up")</div>
+        </div>
+        <div class="agg-card caution">
+            <div class="agg-label">Joining/Leaving</div>
+            <div class="agg-value numeric">@_rows.Count(r => r.Status is "Joining" or "Leaving" or "Exiting")</div>
+        </div>
+        <div class="agg-card alert">
+            <div class="agg-label">Unreachable</div>
+            <div class="agg-value numeric">@_rows.Count(r => r.Unreachable)</div>
+        </div>
+    </section>
+
+    <section class="panel rise" style="animation-delay:.14s">
+        <div class="panel-head">Members</div>
+        <div class="table-wrap">
+            <table class="data-table">
+                <thead>
+                    <tr>
+                        <th>Address</th>
+                        <th>Status</th>
+                        <th>Roles</th>
+                        <th>Leader for</th>
+                    </tr>
+                </thead>
+                <tbody>
+                    @foreach (var r in _rows)
+                    {
+                        <tr>
+                            <td>
+                                <span class="mono">@r.Address</span>
+                                @if (r.IsSelf) { <span class="chip chip-idle ms-2">self</span> }
+                            </td>
+                            <td>
+                                <span class="chip @StatusChipClass(r.Status, r.Unreachable)">
+                                    @(r.Unreachable ? $"{r.Status} (unreachable)" : r.Status)
+                                </span>
+                            </td>
+                            <td>
+                                @foreach (var role in r.Roles)
+                                {
+                                    <span class="chip chip-idle me-1">@role</span>
+                                }
+                            </td>
+                            <td>
+                                @if (r.LeaderRoles.Count == 0)
+                                {
+                                    <span class="text-muted">—</span>
+                                }
+                                else
+                                {
+                                    @foreach (var role in r.LeaderRoles)
+                                    {
+                                        <span class="chip chip-ok me-1">@role</span>
+                                    }
+                                }
+                            </td>
+                        </tr>
+                    }
+                </tbody>
+            </table>
+        </div>
+    </section>
+}
+
+@code {
+    private const int RefreshIntervalSeconds = 5;
+
+    private List<MemberRow>? _rows;
+    private bool _refreshing;
+    private DateTime? _lastRefreshUtc;
+    private Timer? _timer;
+
+    protected override void OnInitialized()
+    {
+        Refresh();
+        _timer = new Timer(_ => InvokeAsync(() => { Refresh(); StateHasChanged(); }), null,
+            TimeSpan.FromSeconds(RefreshIntervalSeconds),
+            TimeSpan.FromSeconds(RefreshIntervalSeconds));
+    }
+
+    private async Task RefreshAsync()
+    {
+        _refreshing = true;
+        StateHasChanged();
+        try
+        {
+            await Task.Yield();
+            Refresh();
+        }
+        finally
+        {
+            _refreshing = false;
+            StateHasChanged();
+        }
+    }
+
+    private void Refresh()
+    {
+        var cluster = Akka.Cluster.Cluster.Get(ActorSystem);
+        var state = cluster.State;
+        var unreachable = state.Unreachable
+            .Select(m => m.Address.ToString()).ToHashSet();
+        var selfAddress = cluster.SelfAddress.ToString();
+
+        _rows = state.Members.Select(m =>
+        {
+            var address = m.Address.ToString();
+            var hostPort = $"{m.Address.Host ?? "?"}:{m.Address.Port ?? 0}";
+            var leaderRoles = m.Roles
+                .Where(role => cluster.State.RoleLeader(role)?.ToString() == address)
+                .OrderBy(s => s, StringComparer.OrdinalIgnoreCase)
+                .ToList();
+            return new MemberRow(
+                Address: hostPort,
+                Status: m.Status.ToString(),
+                Roles: m.Roles.OrderBy(s => s, StringComparer.OrdinalIgnoreCase).ToList(),
+                LeaderRoles: leaderRoles,
+                Unreachable: unreachable.Contains(address),
+                IsSelf: address == selfAddress);
+        })
+        .OrderBy(r => r.Address, StringComparer.OrdinalIgnoreCase)
+        .ToList();
+        _lastRefreshUtc = DateTime.UtcNow;
+    }
+
+    private static string StatusChipClass(string status, bool unreachable) => (status, unreachable) switch
+    {
+        (_, true) => "chip-alert",
+        ("Up", _) => "chip-ok",
+        ("Joining", _) or ("Leaving", _) or ("Exiting", _) or ("WeaklyUp", _) => "chip-caution",
+        ("Down", _) or ("Removed", _) => "chip-alert",
+        _ => "chip-idle",
+    };
+
+    public void Dispose() => _timer?.Dispose();
+
+    private sealed record MemberRow(
+        string Address,
+        string Status,
+        IReadOnlyCollection<string> Roles,
+        IReadOnlyCollection<string> LeaderRoles,
+        bool Unreachable,
+        bool IsSelf);
+}
@@ -0,0 +1,50 @@
+@page "/login"
+@layout LoginLayout
+@* Login MUST stay anonymously reachable — otherwise the fallback authorization policy
+   would lock operators out of the only way in (Admin-001). Static-rendered on purpose:
+   the form POSTs to /auth/login while ASP.NET still owns an unstarted HTTP response.
+   Calling SignInAsync from an interactive circuit would be too late.
+
+   Uses LoginLayout (no side rail) so the page renders as a clean centred card. *@
+@attribute [Microsoft.AspNetCore.Authorization.AllowAnonymous]
+
+<div class="login-wrap rise" style="animation-delay:.02s">
+    <section class="panel">
+        <div class="panel-head">OtOpcUa Admin &mdash; sign in</div>
+        <div style="padding:1.1rem 1.1rem 1.25rem">
+            <form method="post" action="/auth/login" data-enhance="false">
+                @if (ReturnUrl is not null)
+                {
+                    <input type="hidden" name="returnUrl" value="@ReturnUrl"/>
+                }
+                <div class="mb-3">
+                    <label class="form-label" for="username">Username</label>
+                    <input id="username" name="username" type="text"
+                           class="form-control form-control-sm" autocomplete="username"/>
+                </div>
+                <div class="mb-3">
+                    <label class="form-label" for="password">Password</label>
+                    <input id="password" name="password" type="password"
+                           class="form-control form-control-sm" autocomplete="current-password"/>
+                </div>
+
+                @if (!string.IsNullOrWhiteSpace(Error))
+                {
+                    <div class="panel notice" style="margin-bottom:.85rem">@Error</div>
+                }
+
+                <button class="btn btn-primary w-100" type="submit">Sign in</button>
+            </form>
+        </div>
+    </section>
+</div>
+
+@code {
+    /// <summary>Error message surfaced by /auth/login after a failed bind.</summary>
+    [SupplyParameterFromQuery]
+    private string? Error { get; set; }
+
+    /// <summary>Original protected URL the operator was bounced from; round-tripped to the endpoint.</summary>
+    [SupplyParameterFromQuery]
+    private string? ReturnUrl { get; set; }
+}
@@ -0,0 +1,70 @@
+@page "/reservations"
+@attribute [Microsoft.AspNetCore.Authorization.Authorize]
+@rendermode RenderMode.InteractiveServer
+@using Microsoft.EntityFrameworkCore
+@using ZB.MOM.WW.OtOpcUa.Configuration
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@inject IDbContextFactory<OtOpcUaConfigDbContext> DbFactory
+
+<div class="d-flex justify-content-between align-items-center mb-3">
+    <h4 class="mb-0">External ID reservations</h4>
+</div>
+
+@if (_rows is null)
+{
+    <p>Loading…</p>
+}
+else
+{
+    <section class="panel notice rise" style="animation-delay:.02s">
+        External IDs (ZTag, SAPID) are reserved fleet-wide via this table. Reservations bind a
+        value to an Equipment's UUID so the ID can move with the equipment across cluster
+        reshuffles without colliding with another cluster's equipment.
+    </section>
+
+    <section class="panel rise mt-3" style="animation-delay:.08s">
+        <div class="panel-head">@_rows.Count reservation@(_rows.Count == 1 ? "" : "s")</div>
+        @if (_rows.Count == 0)
+        {
+            <div style="padding:1rem" class="text-muted">No reservations yet.</div>
+        }
+        else
+        {
+            <div class="table-wrap">
+                <table class="data-table">
+                    <thead>
+                        <tr>
+                            <th>Kind</th>
+                            <th>Value</th>
+                            <th>Equipment UUID</th>
+                            <th>Cluster</th>
+                        </tr>
+                    </thead>
+                    <tbody>
+                        @foreach (var r in _rows)
+                        {
+                            <tr>
+                                <td><span class="chip chip-idle">@r.Kind</span></td>
+                                <td><span class="mono">@r.Value</span></td>
+                                <td><span class="mono small">@r.EquipmentUuid</span></td>
+                                <td><span class="mono small">@r.ClusterId</span></td>
+                            </tr>
+                        }
+                    </tbody>
+                </table>
+            </div>
+        }
+    </section>
+}
+
+@code {
+    private List<ExternalIdReservation>? _rows;
+
+    protected override async Task OnInitializedAsync()
+    {
+        await using var db = await DbFactory.CreateDbContextAsync();
+        _rows = await db.ExternalIdReservations.AsNoTracking()
+            .OrderBy(r => r.Kind).ThenBy(r => r.Value)
+            .ToListAsync();
+    }
+}
@@ -0,0 +1,81 @@
+@page "/role-grants"
+@* Per Q4 of the AdminUI rebuild plan, v2 replaced v1's per-cluster RoleGrants table with a
+   fleet-wide LDAP-group → role map. This page surfaces the mapping read-only; the source of
+   truth is Authentication:Ldap:GroupToRole in appsettings (editable on the host filesystem, not
+   from the UI yet). *@
+@attribute [Microsoft.AspNetCore.Authorization.Authorize]
+@rendermode RenderMode.InteractiveServer
+@using Microsoft.Extensions.Options
+@using ZB.MOM.WW.OtOpcUa.Security.Ldap
+@inject IOptionsSnapshot<LdapOptions> Ldap
+
+<div class="d-flex justify-content-between align-items-center mb-3">
+    <h4 class="mb-0">Role grants</h4>
+</div>
+
+<section class="panel notice rise" style="animation-delay:.02s">
+    LDAP group membership determines fleet roles. Edit the mapping in
+    <span class="mono">appsettings.json</span> under <span class="mono">Authentication:Ldap:GroupToRole</span>
+    and restart the admin node (or sign out + back in for cached claims to refresh). UI-driven
+    editing of the mapping is deferred — it implies a config-reload mechanism that doesn't exist
+    yet.
+</section>
+
+@if (_options is null)
+{
+    <p>Loading…</p>
+}
+else
+{
+    <section class="card-grid rise mt-3" style="animation-delay:.08s">
+        <div class="metric-card">
+            <div class="panel-head">LDAP binding</div>
+            <div class="kv"><span class="k">Enabled</span><span class="v">@(_options.Enabled ? "yes" : "no")</span></div>
+            <div class="kv"><span class="k">Server</span><span class="v mono">@_options.Server:@_options.Port</span></div>
+            <div class="kv"><span class="k">UseTls</span><span class="v">@_options.UseTls</span></div>
+            <div class="kv"><span class="k">SearchBase</span><span class="v mono small">@_options.SearchBase</span></div>
+            @if (!_options.UseTls && _options.AllowInsecureLdap)
+            {
+                <div class="kv"><span class="k">Warning</span><span class="v"><span class="chip chip-alert">Plaintext credentials over LDAP — dev mode only</span></span></div>
+            }
+        </div>
+    </section>
+
+    <section class="panel rise mt-3" style="animation-delay:.14s">
+        <div class="panel-head">Group → role mapping (@(_options.GroupToRole?.Count ?? 0))</div>
+        @if (_options.GroupToRole is null || _options.GroupToRole.Count == 0)
+        {
+            <div style="padding:1rem" class="text-muted">
+                No mapping configured. Every authenticated user lands with zero roles —
+                the fallback authorization policy will refuse every request. Add a
+                <span class="mono">GroupToRole</span> entry before deploying.
+            </div>
+        }
+        else
+        {
+            <div class="table-wrap">
+                <table class="data-table">
+                    <thead><tr><th>LDAP group</th><th>Resolved role</th></tr></thead>
+                    <tbody>
+                        @foreach (var kvp in _options.GroupToRole.OrderBy(k => k.Key, StringComparer.OrdinalIgnoreCase))
+                        {
+                            <tr>
+                                <td><span class="mono">@kvp.Key</span></td>
+                                <td><span class="chip chip-idle">@kvp.Value</span></td>
+                            </tr>
+                        }
+                    </tbody>
+                </table>
+            </div>
+        }
+    </section>
+}
+
+@code {
+    private LdapOptions? _options;
+
+    protected override void OnInitialized()
+    {
+        _options = Ldap.Value;
+    }
+}
@@ -0,0 +1,199 @@
+@page "/scripts/new"
+@page "/scripts/{ScriptId}"
+@* Script CRUD. SourceHash is computed automatically from SourceCode on save so the
+   integrity check in v2's deployment pipeline doesn't require operator action. *@
+@attribute [Microsoft.AspNetCore.Authorization.Authorize]
+@rendermode RenderMode.InteractiveServer
+@using Microsoft.AspNetCore.Components.Forms
+@using Microsoft.EntityFrameworkCore
+@using System.ComponentModel.DataAnnotations
+@using System.Security.Cryptography
+@using System.Text
+@using ZB.MOM.WW.OtOpcUa.Configuration
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@inject IDbContextFactory<OtOpcUaConfigDbContext> DbFactory
+@inject NavigationManager Nav
+@inject IJSRuntime JS
+
+<div class="d-flex justify-content-between align-items-center mb-3">
+    <h4 class="mb-0">@(IsNew ? "New script" : "Edit script")</h4>
+    <a href="/scripts" class="btn btn-outline-secondary btn-sm">Cancel</a>
+</div>
+
+@if (!_loaded)
+{
+    <p>Loading…</p>
+}
+else if (!IsNew && _existing is null)
+{
+    <section class="panel notice rise"><span class="mono">@ScriptId</span> not found.</section>
+}
+else
+{
+    <EditForm Model="_form" OnValidSubmit="SubmitAsync" FormName="scriptEdit">
+        <DataAnnotationsValidator />
+        <section class="panel rise">
+            <div class="panel-head">Identity</div>
+            <div style="padding:1rem">
+                <div class="row">
+                    <div class="col-md-6 mb-3">
+                        <label class="form-label">ScriptId</label>
+                        <InputText @bind-Value="_form.ScriptId" disabled="@(!IsNew)" class="form-control form-control-sm mono" />
+                    </div>
+                    <div class="col-md-4 mb-3">
+                        <label class="form-label">Name</label>
+                        <InputText @bind-Value="_form.Name" class="form-control form-control-sm" />
+                    </div>
+                    <div class="col-md-2 mb-3">
+                        <label class="form-label">Language</label>
+                        <InputSelect @bind-Value="_form.Language" class="form-select form-select-sm">
+                            <option value="CSharp">CSharp</option>
+                        </InputSelect>
+                    </div>
+                </div>
+            </div>
+        </section>
+
+        <section class="panel rise mt-3">
+            <div class="panel-head">Source</div>
+            <div style="padding:1rem">
+                @* The textarea stays in the DOM and remains Blazor's source of truth. Monaco
+                   mounts a <div> beside it (textarea hides), and the loader's onDidChangeModelContent
+                   handler mirrors edits back into the textarea + fires the input event so @bind
+                   picks them up. Falls back to the textarea gracefully if Monaco's CDN is
+                   unreachable (air-gapped deployments — see monaco-loader.js). *@
+                <InputTextArea id="script-source" @bind-Value="_form.SourceCode"
+                               class="form-control form-control-sm mono" rows="20"
+                               placeholder="// C# expression body" />
+                <div class="form-text">SHA-256 hash is computed automatically on save. Monaco editor attaches over the textarea on render.</div>
+            </div>
+        </section>
+
+        @if (!string.IsNullOrWhiteSpace(_error)) { <div class="panel notice mt-3" style="border-color:var(--alert)">@_error</div> }
+
+        <div class="mt-3 d-flex gap-2">
+            <button type="submit" class="btn btn-primary" disabled="@_busy">@(IsNew ? "Create" : "Save changes")</button>
+            <a href="/scripts" class="btn btn-outline-secondary">Cancel</a>
+            @if (!IsNew) { <button type="button" class="btn btn-outline-danger ms-auto" @onclick="DeleteAsync" disabled="@_busy">Delete</button> }
+        </div>
+    </EditForm>
+}
+
+@code {
+    [Parameter] public string? ScriptId { get; set; }
+    private bool IsNew => string.IsNullOrEmpty(ScriptId);
+
+    private FormModel _form = new();
+    private Script? _existing;
+    private bool _loaded;
+    private bool _busy;
+    private string? _error;
+
+    protected override async Task OnInitializedAsync()
+    {
+        if (!IsNew)
+        {
+            await using var db = await DbFactory.CreateDbContextAsync();
+            _existing = await db.Scripts.AsNoTracking().FirstOrDefaultAsync(s => s.ScriptId == ScriptId);
+            if (_existing is not null)
+            {
+                _form = new FormModel
+                {
+                    ScriptId = _existing.ScriptId,
+                    Name = _existing.Name,
+                    Language = _existing.Language,
+                    SourceCode = _existing.SourceCode,
+                    RowVersion = _existing.RowVersion,
+                };
+            }
+        }
+        _loaded = true;
+    }
+
+    protected override async Task OnAfterRenderAsync(bool firstRender)
+    {
+        if (!firstRender || !_loaded) return;
+        // Inject loader once, then attach over the textarea. Failures are silent — the page
+        // is fully usable via the underlying textarea if Monaco's CDN is unreachable.
+        try
+        {
+            await JS.InvokeVoidAsync("eval", "if (!document.querySelector('script[data-otopcua=monaco-loader]')) { var s=document.createElement('script'); s.src='/_content/ZB.MOM.WW.OtOpcUa.AdminUI/js/monaco-loader.js'; s.dataset.otopcua='monaco-loader'; document.head.appendChild(s); }");
+            // Wait a tick for the loader IIFE to register window.otOpcUaScriptEditor, then attach.
+            await Task.Delay(50);
+            await JS.InvokeVoidAsync("otOpcUaScriptEditor.attach", "script-source");
+        }
+        catch
+        {
+            // Textarea remains the editor — no-op.
+        }
+    }
+
+    private async Task SubmitAsync()
+    {
+        _busy = true; _error = null;
+        try
+        {
+            var sourceHash = HashSource(_form.SourceCode);
+            await using var db = await DbFactory.CreateDbContextAsync();
+            if (IsNew)
+            {
+                if (await db.Scripts.AnyAsync(s => s.ScriptId == _form.ScriptId))
+                { _error = $"Script '{_form.ScriptId}' already exists."; return; }
+                db.Scripts.Add(new Script
+                {
+                    ScriptId = _form.ScriptId,
+                    Name = _form.Name,
+                    Language = _form.Language,
+                    SourceCode = _form.SourceCode,
+                    SourceHash = sourceHash,
+                });
+            }
+            else
+            {
+                var entity = await db.Scripts.FirstOrDefaultAsync(s => s.ScriptId == ScriptId);
+                if (entity is null) { _error = "Row no longer exists."; return; }
+                db.Entry(entity).Property(e => e.RowVersion).OriginalValue = _form.RowVersion;
+                entity.Name = _form.Name;
+                entity.Language = _form.Language;
+                entity.SourceCode = _form.SourceCode;
+                entity.SourceHash = sourceHash;
+            }
+            await db.SaveChangesAsync();
+            Nav.NavigateTo("/scripts");
+        }
+        catch (DbUpdateConcurrencyException) { _error = "Another user changed this script while you were editing."; }
+        catch (Exception ex) { _error = ex.Message; }
+        finally { _busy = false; }
+    }
+
+    private async Task DeleteAsync()
+    {
+        if (IsNew) return;
+        _busy = true; _error = null;
+        try
+        {
+            await using var db = await DbFactory.CreateDbContextAsync();
+            var entity = await db.Scripts.FirstOrDefaultAsync(s => s.ScriptId == ScriptId);
+            if (entity is null) { Nav.NavigateTo("/scripts"); return; }
+            db.Entry(entity).Property(e => e.RowVersion).OriginalValue = _form.RowVersion;
+            db.Scripts.Remove(entity);
+            await db.SaveChangesAsync();
+            Nav.NavigateTo("/scripts");
+        }
+        catch (DbUpdateConcurrencyException) { _error = "Another user changed this script while you were viewing it."; }
+        catch (Exception ex) { _error = $"Delete failed: {ex.Message}. Likely because virtual tags or scripted alarms still reference this script — remove them first."; }
+        finally { _busy = false; }
+    }
+
+    private static string HashSource(string source) =>
+        Convert.ToHexStringLower(SHA256.HashData(Encoding.UTF8.GetBytes(source)));
+
+    private sealed class FormModel
+    {
+        [Required, RegularExpression("^[A-Za-z0-9_-]+$")] public string ScriptId { get; set; } = "";
+        [Required] public string Name { get; set; } = "";
+        [Required] public string Language { get; set; } = "CSharp";
+        [Required] public string SourceCode { get; set; } = "";
+        public byte[] RowVersion { get; set; } = [];
+    }
+}
@@ -0,0 +1,163 @@
+@page "/script-log"
+@* Live script-log tail via SignalR. Subscribes to /hubs/script-log and shows entries from
+   VirtualTagActor / ScriptedAlarmActor script execution. Engine emit lands with F8 + F9. *@
+@attribute [Microsoft.AspNetCore.Authorization.Authorize]
+@rendermode RenderMode.InteractiveServer
+@using Microsoft.AspNetCore.SignalR.Client
+@using ZB.MOM.WW.OtOpcUa.AdminUI.Hubs
+@using ZB.MOM.WW.OtOpcUa.Commons.Messages.Logging
+@inject NavigationManager Nav
+@implements IAsyncDisposable
+
+<div class="d-flex justify-content-between align-items-center mb-3">
+    <h4 class="mb-0">Script log</h4>
+    <div class="d-flex align-items-center gap-2">
+        <select class="form-select form-select-sm" style="width:auto" @bind="_levelFilter">
+            <option value="">All levels</option>
+            <option value="Trace">Trace+</option>
+            <option value="Debug">Debug+</option>
+            <option value="Information">Information+</option>
+            <option value="Warning">Warning+</option>
+            <option value="Error">Error+</option>
+        </select>
+        <input type="text" class="form-control form-control-sm" style="width:200px"
+               placeholder="Filter script ID…" @bind="_scriptFilter" @bind:event="oninput" />
+        <span class="conn-pill" data-state="@(_connected ? "connected" : "disconnected")">
+            <span class="dot"></span><span>@(_connected ? "live" : "disconnected")</span>
+        </span>
+        <button class="btn btn-sm btn-outline-secondary" @onclick="ClearAsync">Clear</button>
+    </div>
+</div>
+
+<section class="panel notice rise" style="animation-delay:.02s">
+    Live tail of <span class="mono">script-logs</span> DPS topic, capped at @Capacity entries.
+    Filter by minimum level + script ID. Sources: VirtualTagActor (F8), ScriptedAlarmActor (F9).
+</section>
+
+@if (VisibleRows.Count == 0)
+{
+    <section class="panel notice rise mt-3" style="animation-delay:.08s">
+        @if (_rows.Count == 0)
+        {
+            <span>No script-log entries yet. Engine emit (F8/F9) is pending.</span>
+        }
+        else
+        {
+            <span>No entries match the current filter (@_rows.Count entries available).</span>
+        }
+    </section>
+}
+else
+{
+    <section class="panel rise mt-3" style="animation-delay:.08s">
+        <div class="panel-head">Showing @VisibleRows.Count of @_rows.Count</div>
+        <div class="table-wrap">
+            <table class="data-table">
+                <thead>
+                    <tr>
+                        <th>Time</th>
+                        <th>Level</th>
+                        <th>Script</th>
+                        <th>Context</th>
+                        <th>Message</th>
+                    </tr>
+                </thead>
+                <tbody>
+                    @foreach (var e in VisibleRows)
+                    {
+                        <tr>
+                            <td><span class="mono small">@e.TimestampUtc.ToString("HH:mm:ss.fff")</span></td>
+                            <td><span class="chip @LevelChipClass(e.Level)">@e.Level</span></td>
+                            <td><span class="mono small">@e.ScriptId</span></td>
+                            <td class="text-muted small">
+                                @if (!string.IsNullOrEmpty(e.VirtualTagId)) { <span>vtag=@e.VirtualTagId</span> }
+                                @if (!string.IsNullOrEmpty(e.AlarmId)) { <span class="ms-1">alarm=@e.AlarmId</span> }
+                                @if (!string.IsNullOrEmpty(e.EquipmentId)) { <span class="ms-1">eq=@e.EquipmentId</span> }
+                            </td>
+                            <td><span class="mono small">@e.Message</span></td>
+                        </tr>
+                    }
+                </tbody>
+            </table>
+        </div>
+    </section>
+}
+
+@code {
+    private const int Capacity = 500;
+
+    private readonly List<ScriptLogEntry> _rows = new();
+    private HubConnection? _hub;
+    private bool _connected;
+    private string _levelFilter = "";
+    private string _scriptFilter = "";
+
+    private static readonly Dictionary<string, int> LevelRank = new(StringComparer.OrdinalIgnoreCase)
+    {
+        ["Trace"] = 0, ["Debug"] = 1, ["Information"] = 2, ["Warning"] = 3, ["Error"] = 4, ["Critical"] = 5,
+    };
+
+    private List<ScriptLogEntry> VisibleRows
+    {
+        get
+        {
+            IEnumerable<ScriptLogEntry> q = _rows;
+            if (!string.IsNullOrWhiteSpace(_levelFilter)
+                && LevelRank.TryGetValue(_levelFilter, out var minRank))
+            {
+                q = q.Where(e => LevelRank.TryGetValue(e.Level, out var r) && r >= minRank);
+            }
+            if (!string.IsNullOrWhiteSpace(_scriptFilter))
+            {
+                q = q.Where(e => e.ScriptId.Contains(_scriptFilter, StringComparison.OrdinalIgnoreCase));
+            }
+            return q.ToList();
+        }
+    }
+
+    protected override async Task OnInitializedAsync()
+    {
+        _hub = new HubConnectionBuilder()
+            .WithUrl(Nav.ToAbsoluteUri(ScriptLogHub.Endpoint))
+            .WithAutomaticReconnect()
+            .Build();
+
+        _hub.On<ScriptLogEntry>(ScriptLogHub.MethodName, entry =>
+        {
+            _rows.Insert(0, entry);
+            if (_rows.Count > Capacity) _rows.RemoveAt(_rows.Count - 1);
+            InvokeAsync(StateHasChanged);
+        });
+        _hub.Closed += _ => { _connected = false; return InvokeAsync(StateHasChanged); };
+        _hub.Reconnected += _ => { _connected = true; return InvokeAsync(StateHasChanged); };
+
+        try
+        {
+            await _hub.StartAsync();
+            _connected = true;
+        }
+        catch
+        {
+            // Connection error — page shows "disconnected".
+        }
+    }
+
+    private async Task ClearAsync()
+    {
+        _rows.Clear();
+        await InvokeAsync(StateHasChanged);
+    }
+
+    private static string LevelChipClass(string level) => level switch
+    {
+        "Critical" or "Error" => "chip-alert",
+        "Warning" => "chip-caution",
+        "Information" => "chip-idle",
+        _ => "chip-idle",
+    };
+
+    public async ValueTask DisposeAsync()
+    {
+        if (_hub is not null) await _hub.DisposeAsync();
+    }
+}
@@ -0,0 +1,236 @@
+@page "/scripted-alarms/new"
+@page "/scripted-alarms/{ScriptedAlarmId}"
+@attribute [Microsoft.AspNetCore.Authorization.Authorize]
+@rendermode RenderMode.InteractiveServer
+@using Microsoft.AspNetCore.Components.Forms
+@using Microsoft.EntityFrameworkCore
+@using System.ComponentModel.DataAnnotations
+@using ZB.MOM.WW.OtOpcUa.Configuration
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@inject IDbContextFactory<OtOpcUaConfigDbContext> DbFactory
+@inject NavigationManager Nav
+
+<div class="d-flex justify-content-between align-items-center mb-3">
+    <h4 class="mb-0">@(IsNew ? "New scripted alarm" : "Edit scripted alarm")</h4>
+    <a href="/scripted-alarms" class="btn btn-outline-secondary btn-sm">Cancel</a>
+</div>
+
+@if (!_loaded)
+{
+    <p>Loading…</p>
+}
+else if (!IsNew && _existing is null)
+{
+    <section class="panel notice rise"><span class="mono">@ScriptedAlarmId</span> not found.</section>
+}
+else
+{
+    <EditForm Model="_form" OnValidSubmit="SubmitAsync" FormName="scriptedAlarmEdit">
+        <DataAnnotationsValidator />
+        <section class="panel rise">
+            <div class="panel-head">Identity</div>
+            <div style="padding:1rem">
+                <div class="row">
+                    <div class="col-md-6 mb-3">
+                        <label class="form-label">ScriptedAlarmId</label>
+                        <InputText @bind-Value="_form.ScriptedAlarmId" disabled="@(!IsNew)" class="form-control form-control-sm mono" />
+                    </div>
+                    <div class="col-md-6 mb-3">
+                        <label class="form-label">Name</label>
+                        <InputText @bind-Value="_form.Name" class="form-control form-control-sm" />
+                    </div>
+                </div>
+                <div class="row">
+                    <div class="col-md-6 mb-3">
+                        <label class="form-label">Equipment</label>
+                        <InputSelect @bind-Value="_form.EquipmentId" class="form-select form-select-sm">
+                            <option value="">— pick equipment —</option>
+                            @foreach (var e in _equipment) { <option value="@e.EquipmentId">@e.MachineCode &mdash; @e.Name</option> }
+                        </InputSelect>
+                    </div>
+                    <div class="col-md-3 mb-3">
+                        <label class="form-label">AlarmType</label>
+                        <InputSelect @bind-Value="_form.AlarmType" class="form-select form-select-sm">
+                            <option value="LimitAlarm">LimitAlarm</option>
+                            <option value="DiscreteAlarm">DiscreteAlarm</option>
+                            <option value="OffNormalAlarm">OffNormalAlarm</option>
+                            <option value="AlarmCondition">AlarmCondition</option>
+                        </InputSelect>
+                    </div>
+                    <div class="col-md-3 mb-3">
+                        <label class="form-label">Severity (1-1000)</label>
+                        <InputNumber @bind-Value="_form.Severity" class="form-control form-control-sm" />
+                    </div>
+                </div>
+                <div class="row">
+                    <div class="col-md-12 mb-3">
+                        <label class="form-label">Predicate script</label>
+                        <InputSelect @bind-Value="_form.PredicateScriptId" class="form-select form-select-sm">
+                            <option value="">— pick script —</option>
+                            @foreach (var s in _scripts) { <option value="@s.ScriptId">@s.Name</option> }
+                        </InputSelect>
+                    </div>
+                </div>
+                <div class="mb-3">
+                    <label class="form-label">Message template</label>
+                    <InputTextArea @bind-Value="_form.MessageTemplate" class="form-control form-control-sm" rows="3"
+                                   placeholder="{equipment.MachineCode} temperature out of range: {value}°C" />
+                </div>
+                <div class="row">
+                    <div class="col-md-4 mb-3">
+                        <label class="form-label">HistorizeToAveva</label>
+                        <div class="form-check form-switch">
+                            <InputCheckbox @bind-Value="_form.HistorizeToAveva" class="form-check-input" />
+                            <label class="form-check-label">Route to Wonderware sidecar</label>
+                        </div>
+                    </div>
+                    <div class="col-md-4 mb-3">
+                        <label class="form-label">Retain</label>
+                        <div class="form-check form-switch">
+                            <InputCheckbox @bind-Value="_form.Retain" class="form-check-input" />
+                            <label class="form-check-label">Retain active alarms on restart</label>
+                        </div>
+                    </div>
+                    <div class="col-md-4 mb-3">
+                        <label class="form-label">Enabled</label>
+                        <div class="form-check form-switch">
+                            <InputCheckbox @bind-Value="_form.Enabled" class="form-check-input" />
+                            <label class="form-check-label">Spawn this alarm in deployments</label>
+                        </div>
+                    </div>
+                </div>
+            </div>
+        </section>
+
+        @if (!string.IsNullOrWhiteSpace(_error)) { <div class="panel notice mt-3" style="border-color:var(--alert)">@_error</div> }
+
+        <div class="mt-3 d-flex gap-2">
+            <button type="submit" class="btn btn-primary" disabled="@_busy">@(IsNew ? "Create" : "Save changes")</button>
+            <a href="/scripted-alarms" class="btn btn-outline-secondary">Cancel</a>
+            @if (!IsNew) { <button type="button" class="btn btn-outline-danger ms-auto" @onclick="DeleteAsync" disabled="@_busy">Delete</button> }
+        </div>
+    </EditForm>
+}
+
+@code {
+    [Parameter] public string? ScriptedAlarmId { get; set; }
+    private bool IsNew => string.IsNullOrEmpty(ScriptedAlarmId);
+
+    private FormModel _form = new();
+    private ScriptedAlarm? _existing;
+    private List<Equipment> _equipment = new();
+    private List<Script> _scripts = new();
+    private bool _loaded;
+    private bool _busy;
+    private string? _error;
+
+    protected override async Task OnInitializedAsync()
+    {
+        await using var db = await DbFactory.CreateDbContextAsync();
+        _equipment = await db.Equipment.AsNoTracking().OrderBy(e => e.MachineCode).ToListAsync();
+        _scripts = await db.Scripts.AsNoTracking().OrderBy(s => s.Name).ToListAsync();
+        if (!IsNew)
+        {
+            _existing = await db.ScriptedAlarms.AsNoTracking().FirstOrDefaultAsync(a => a.ScriptedAlarmId == ScriptedAlarmId);
+            if (_existing is not null)
+            {
+                _form = new FormModel
+                {
+                    ScriptedAlarmId = _existing.ScriptedAlarmId,
+                    Name = _existing.Name,
+                    EquipmentId = _existing.EquipmentId,
+                    AlarmType = _existing.AlarmType,
+                    Severity = _existing.Severity,
+                    PredicateScriptId = _existing.PredicateScriptId,
+                    MessageTemplate = _existing.MessageTemplate,
+                    HistorizeToAveva = _existing.HistorizeToAveva,
+                    Retain = _existing.Retain,
+                    Enabled = _existing.Enabled,
+                    RowVersion = _existing.RowVersion,
+                };
+            }
+        }
+        _loaded = true;
+    }
+
+    private async Task SubmitAsync()
+    {
+        _busy = true; _error = null;
+        try
+        {
+            await using var db = await DbFactory.CreateDbContextAsync();
+            if (IsNew)
+            {
+                if (await db.ScriptedAlarms.AnyAsync(a => a.ScriptedAlarmId == _form.ScriptedAlarmId))
+                { _error = $"ScriptedAlarm '{_form.ScriptedAlarmId}' already exists."; return; }
+                db.ScriptedAlarms.Add(new ScriptedAlarm
+                {
+                    ScriptedAlarmId = _form.ScriptedAlarmId,
+                    EquipmentId = _form.EquipmentId,
+                    Name = _form.Name,
+                    AlarmType = _form.AlarmType,
+                    Severity = _form.Severity,
+                    MessageTemplate = _form.MessageTemplate,
+                    PredicateScriptId = _form.PredicateScriptId,
+                    HistorizeToAveva = _form.HistorizeToAveva,
+                    Retain = _form.Retain,
+                    Enabled = _form.Enabled,
+                });
+            }
+            else
+            {
+                var entity = await db.ScriptedAlarms.FirstOrDefaultAsync(a => a.ScriptedAlarmId == ScriptedAlarmId);
+                if (entity is null) { _error = "Row no longer exists."; return; }
+                db.Entry(entity).Property(e => e.RowVersion).OriginalValue = _form.RowVersion;
+                entity.EquipmentId = _form.EquipmentId;
+                entity.Name = _form.Name;
+                entity.AlarmType = _form.AlarmType;
+                entity.Severity = _form.Severity;
+                entity.MessageTemplate = _form.MessageTemplate;
+                entity.PredicateScriptId = _form.PredicateScriptId;
+                entity.HistorizeToAveva = _form.HistorizeToAveva;
+                entity.Retain = _form.Retain;
+                entity.Enabled = _form.Enabled;
+            }
+            await db.SaveChangesAsync();
+            Nav.NavigateTo("/scripted-alarms");
+        }
+        catch (DbUpdateConcurrencyException) { _error = "Another user changed this scripted alarm while you were editing."; }
+        catch (Exception ex) { _error = ex.Message; }
+        finally { _busy = false; }
+    }
+
+    private async Task DeleteAsync()
+    {
+        if (IsNew) return;
+        _busy = true; _error = null;
+        try
+        {
+            await using var db = await DbFactory.CreateDbContextAsync();
+            var entity = await db.ScriptedAlarms.FirstOrDefaultAsync(a => a.ScriptedAlarmId == ScriptedAlarmId);
+            if (entity is null) { Nav.NavigateTo("/scripted-alarms"); return; }
+            db.Entry(entity).Property(e => e.RowVersion).OriginalValue = _form.RowVersion;
+            db.ScriptedAlarms.Remove(entity);
+            await db.SaveChangesAsync();
+            Nav.NavigateTo("/scripted-alarms");
+        }
+        catch (DbUpdateConcurrencyException) { _error = "Another user changed this alarm while you were viewing it."; }
+        catch (Exception ex) { _error = ex.Message; }
+        finally { _busy = false; }
+    }
+
+    private sealed class FormModel
+    {
+        [Required, RegularExpression("^[A-Za-z0-9_-]+$")] public string ScriptedAlarmId { get; set; } = "";
+        [Required] public string Name { get; set; } = "";
+        [Required] public string EquipmentId { get; set; } = "";
+        [Required] public string AlarmType { get; set; } = "LimitAlarm";
+        [Range(1, 1000)] public int Severity { get; set; } = 500;
+        [Required] public string PredicateScriptId { get; set; } = "";
+        [Required] public string MessageTemplate { get; set; } = "";
+        public bool HistorizeToAveva { get; set; } = true;
+        public bool Retain { get; set; } = true;
+        public bool Enabled { get; set; } = true;
+        public byte[] RowVersion { get; set; } = [];
+    }
+}
--- a/Show More
+++ b/Show More