Roslyn analyzer — detect unwrapped driver-capability calls (OTOPCUA0001). Closes task #200. New netstandard2.0 analyzer project src/ZB.MOM.WW.OtOpcUa.Analyzers registered as an <Analyzer>-item ProjectReference from the Server csproj so the warning fires at every Server compile. First (and only so far) rule OTOPCUA0001 — "Driver capability call must be wrapped in CapabilityInvoker" — walks every InvocationOperation in the AST + trips when (a) the target method implements one of the seven guarded capability interfaces (IReadable / IWritable / ITagDiscovery / ISubscribable / IHostConnectivityProbe / IAlarmSource / IHistoryProvider) AND (b) the method's return type is Task, Task<T>, ValueTask, or ValueTask<T> — the async-wire-call constraint narrows the rule to the surfaces the Phase 6.1 pipeline actually wraps + sidesteps pure in-memory accessors like IHostConnectivityProbe.GetHostStatuses() which would trigger false positives AND (c) the call does NOT sit inside a lambda argument passed to CapabilityInvoker.ExecuteAsync / ExecuteWriteAsync / AlarmSurfaceInvoker.*. The wrapper detection walks up the syntax tree from the call site, finds any enclosing InvocationExpressionSyntax whose method's containing type is one of the wrapper classes, + verifies the call lives transitively inside that invocation's AnonymousFunctionExpressionSyntax argument — a sibling "result = await driver.ReadAsync(...)" followed by a separate invoker.ExecuteAsync(...) call does NOT satisfy the wrapping rule + the analyzer flags it (regression guard in the 5th test). Five xunit-v3 + Shouldly tests at tests/ZB.MOM.WW.OtOpcUa.Analyzers.Tests: direct ReadAsync in server namespace trips; wrapped ReadAsync inside CapabilityInvoker.ExecuteAsync lambda passes; direct WriteAsync trips; direct DiscoverAsync trips; sneaky pattern — read outside the lambda + ExecuteAsync with unrelated lambda nearby — still trips. Hand-rolled test harness compiles a stub-plus-user snippet via CSharpCompilation.WithAnalyzers + runs GetAnalyzerDiagnosticsAsync directly, deliberately avoiding Microsoft.CodeAnalysis.CSharp.Analyzer.Testing.XUnit because that package pins to xunit v2 + this repo is on xunit.v3 everywhere else. RS2008 release-tracking noise suppressed by adding AnalyzerReleases.Shipped.md + AnalyzerReleases.Unshipped.md as AdditionalFiles, which is the canonical Roslyn-analyzer hygiene path. Analyzer DLL referenced from Server.csproj via ProjectReference with OutputItemType=Analyzer + ReferenceOutputAssembly=false — the DLL ships as a compiler plugin, not a runtime dependency. Server build validates clean: the analyzer activates on every Server file but finds zero violations, which confirms the Phase 6.1 wrapping work done in prior PRs is complete + the analyzer is now the regression guard preventing the next new capability surface from being added raw. slnx updated with both the src + tests project entries. Full solution build clean, analyzer suite 5/5 passing.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

ZB.MOM.WW.OtOpcUa.slnx

@@ -18,6 +18,7 @@
         <Project Path="src/ZB.MOM.WW.OtOpcUa.Client.Shared/ZB.MOM.WW.OtOpcUa.Client.Shared.csproj"/>
         <Project Path="src/ZB.MOM.WW.OtOpcUa.Client.CLI/ZB.MOM.WW.OtOpcUa.Client.CLI.csproj"/>
         <Project Path="src/ZB.MOM.WW.OtOpcUa.Client.UI/ZB.MOM.WW.OtOpcUa.Client.UI.csproj"/>
+        <Project Path="src/ZB.MOM.WW.OtOpcUa.Analyzers/ZB.MOM.WW.OtOpcUa.Analyzers.csproj"/>
     </Folder>
     <Folder Name="/tests/">
         <Project Path="tests/ZB.MOM.WW.OtOpcUa.Core.Abstractions.Tests/ZB.MOM.WW.OtOpcUa.Core.Abstractions.Tests.csproj"/>
@@ -42,5 +43,6 @@
         <Project Path="tests/ZB.MOM.WW.OtOpcUa.Client.Shared.Tests/ZB.MOM.WW.OtOpcUa.Client.Shared.Tests.csproj"/>
         <Project Path="tests/ZB.MOM.WW.OtOpcUa.Client.CLI.Tests/ZB.MOM.WW.OtOpcUa.Client.CLI.Tests.csproj"/>
         <Project Path="tests/ZB.MOM.WW.OtOpcUa.Client.UI.Tests/ZB.MOM.WW.OtOpcUa.Client.UI.Tests.csproj"/>
+        <Project Path="tests/ZB.MOM.WW.OtOpcUa.Analyzers.Tests/ZB.MOM.WW.OtOpcUa.Analyzers.Tests.csproj"/>
     </Folder>
 </Solution>

src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/AclsTab.razor

@@ -1,9 +1,13 @@
+@using Microsoft.AspNetCore.SignalR.Client
+@using ZB.MOM.WW.OtOpcUa.Admin.Hubs
 @using ZB.MOM.WW.OtOpcUa.Admin.Services
 @using ZB.MOM.WW.OtOpcUa.Configuration.Entities
 @using ZB.MOM.WW.OtOpcUa.Configuration.Enums
 @using ZB.MOM.WW.OtOpcUa.Core.Authorization
 @inject NodeAclService AclSvc
 @inject PermissionProbeService ProbeSvc
+@inject NavigationManager Nav
+@implements IAsyncDisposable
 
 <div class="d-flex justify-content-between mb-3">
     <h4>Access-control grants</h4>
@@ -205,6 +209,30 @@ else
 
     private static string? NullIfBlank(string s) => string.IsNullOrWhiteSpace(s) ? null : s;
 
+    private HubConnection? _hub;
+
+    protected override async Task OnAfterRenderAsync(bool firstRender)
+    {
+        if (!firstRender || _hub is not null) return;
+        _hub = new HubConnectionBuilder()
+            .WithUrl(Nav.ToAbsoluteUri("/hubs/fleet-status"))
+            .WithAutomaticReconnect()
+            .Build();
+        _hub.On<NodeAclChangedMessage>("NodeAclChanged", async msg =>
+        {
+            if (msg.ClusterId != ClusterId || msg.GenerationId != GenerationId) return;
+            _acls = await AclSvc.ListAsync(GenerationId, CancellationToken.None);
+            await InvokeAsync(StateHasChanged);
+        });
+        await _hub.StartAsync();
+        await _hub.SendAsync("SubscribeCluster", ClusterId);
+    }
+
+    public async ValueTask DisposeAsync()
+    {
+        if (_hub is not null) { await _hub.DisposeAsync(); _hub = null; }
+    }
+
     protected override async Task OnParametersSetAsync() =>
         _acls = await AclSvc.ListAsync(GenerationId, CancellationToken.None);
 

src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/DiffViewer.razor

@@ -59,7 +59,7 @@ else
         new SectionDef("Equipment",      "Equipment",       "UNS level-5 rows + identification fields"),
         new SectionDef("Tag",            "Tags",            "Per-device tag definitions + poll-group binding"),
         new SectionDef("UnsLine",        "UNS structure",   "Site / Area / Line hierarchy (proc-extension pending)"),
-        new SectionDef("NodeAcl",        "ACLs",            "LDAP-group → node-scope permission grants (proc-extension pending)"),
+        new SectionDef("NodeAcl",        "ACLs",            "LDAP-group → node-scope permission grants (logical id = LdapGroup|ScopeKind|ScopeId)"),
     };
 
     private List<DiffRow>? _rows;

src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/RoleGrants.razor

@@ -1,10 +1,16 @@
 @page "/role-grants"
+@using Microsoft.AspNetCore.Components.Web
+@using Microsoft.AspNetCore.SignalR.Client
+@using ZB.MOM.WW.OtOpcUa.Admin.Hubs
 @using ZB.MOM.WW.OtOpcUa.Admin.Services
 @using ZB.MOM.WW.OtOpcUa.Configuration.Entities
 @using ZB.MOM.WW.OtOpcUa.Configuration.Enums
 @using ZB.MOM.WW.OtOpcUa.Configuration.Services
 @inject ILdapGroupRoleMappingService RoleSvc
 @inject ClusterService ClusterSvc
+@inject AclChangeNotifier Notifier
+@inject NavigationManager Nav
+@implements IAsyncDisposable
 
 <h1 class="mb-4">LDAP group → Admin role grants</h1>
 
@@ -147,6 +153,7 @@ else
                 Notes = string.IsNullOrWhiteSpace(_notes) ? null : _notes,
             };
             await RoleSvc.CreateAsync(row, CancellationToken.None);
+            await Notifier.NotifyRoleGrantsChangedAsync(CancellationToken.None);
             _showForm = false;
             await ReloadAsync();
         }
@@ -156,6 +163,30 @@ else
     private async Task DeleteAsync(Guid id)
     {
         await RoleSvc.DeleteAsync(id, CancellationToken.None);
+        await Notifier.NotifyRoleGrantsChangedAsync(CancellationToken.None);
         await ReloadAsync();
     }
+
+    private HubConnection? _hub;
+
+    protected override async Task OnAfterRenderAsync(bool firstRender)
+    {
+        if (!firstRender || _hub is not null) return;
+        _hub = new HubConnectionBuilder()
+            .WithUrl(Nav.ToAbsoluteUri("/hubs/fleet-status"))
+            .WithAutomaticReconnect()
+            .Build();
+        _hub.On<RoleGrantsChangedMessage>("RoleGrantsChanged", async _ =>
+        {
+            await ReloadAsync();
+            await InvokeAsync(StateHasChanged);
+        });
+        await _hub.StartAsync();
+        await _hub.SendAsync("SubscribeFleet");
+    }
+
+    public async ValueTask DisposeAsync()
+    {
+        if (_hub is not null) { await _hub.DisposeAsync(); _hub = null; }
+    }
 }

src/ZB.MOM.WW.OtOpcUa.Admin/Program.cs

@@ -1,6 +1,7 @@
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.EntityFrameworkCore;
+using OpenTelemetry.Metrics;
 using Serilog;
 using ZB.MOM.WW.OtOpcUa.Admin.Components;
 using ZB.MOM.WW.OtOpcUa.Admin.Hubs;
@@ -45,6 +46,7 @@ builder.Services.AddScoped<NamespaceService>();
 builder.Services.AddScoped<DriverInstanceService>();
 builder.Services.AddScoped<NodeAclService>();
 builder.Services.AddScoped<PermissionProbeService>();
+builder.Services.AddScoped<AclChangeNotifier>();
 builder.Services.AddScoped<ReservationService>();
 builder.Services.AddScoped<DraftValidationService>();
 builder.Services.AddScoped<AuditLogService>();
@@ -69,6 +71,19 @@ builder.Services.AddScoped<ILdapAuthService, LdapAuthService>();
 // SignalR real-time fleet status + alerts (admin-ui.md §"Real-Time Updates").
 builder.Services.AddHostedService<FleetStatusPoller>();
 
+// OpenTelemetry Prometheus exporter — Meter stream from RedundancyMetrics + any future
+// Admin-side instrumentation lands on the /metrics endpoint Prometheus scrapes. Pull-based
+// means no OTel Collector deployment required for the common deploy-in-a-K8s case; appsettings
+// Metrics:Prometheus:Enabled=false disables the endpoint entirely for locked-down deployments.
+var metricsEnabled = builder.Configuration.GetValue("Metrics:Prometheus:Enabled", true);
+if (metricsEnabled)
+{
+    builder.Services.AddOpenTelemetry()
+        .WithMetrics(m => m
+            .AddMeter(RedundancyMetrics.MeterName)
+            .AddPrometheusExporter());
+}
+
 var app = builder.Build();
 
 app.UseSerilogRequestLogging();
@@ -86,6 +101,15 @@ app.MapPost("/auth/logout", async (HttpContext ctx) =>
 app.MapHub<FleetStatusHub>("/hubs/fleet");
 app.MapHub<AlertHub>("/hubs/alerts");
 
+if (metricsEnabled)
+{
+    // Prometheus scrape endpoint — expose instrumentation registered in the OTel MeterProvider
+    // above. Emits text-format metrics at /metrics; auth is intentionally NOT required (Prometheus
+    // scrape jobs typically run on a trusted network). Operators who need auth put the endpoint
+    // behind a reverse-proxy basic-auth gate per fleet-ops convention.
+    app.MapPrometheusScrapingEndpoint();
+}
+
 app.MapRazorComponents<App>().AddInteractiveServerRenderMode();
 
 await app.RunAsync();

src/ZB.MOM.WW.OtOpcUa.Admin/Services/AclChangeNotifier.cs

@@ -0,0 +1,49 @@
+using Microsoft.AspNetCore.SignalR;
+using ZB.MOM.WW.OtOpcUa.Admin.Hubs;
+
+namespace ZB.MOM.WW.OtOpcUa.Admin.Services;
+
+/// <summary>
+///     Thin SignalR push helper for ACL + role-grant invalidation — slice 2 of task #196.
+///     Lets the Admin services + razor pages invalidate connected peers' views without each
+///     one having to know the hub wiring. Two message kinds: <c>NodeAclChanged</c> (cluster-scoped)
+///     and <c>RoleGrantsChanged</c> (fleet-wide — role mappings cross cluster boundaries).
+/// </summary>
+/// <remarks>
+///     Intentionally fire-and-forget — a failed hub send doesn't rollback the DB write that
+///     triggered it. Worst-case an operator sees stale data until their next poll or manual
+///     refresh; better than a transient hub blip blocking the authoritative write path.
+/// </remarks>
+public sealed class AclChangeNotifier(IHubContext<FleetStatusHub> fleetHub, ILogger<AclChangeNotifier> logger)
+{
+    public async Task NotifyNodeAclChangedAsync(string clusterId, long generationId, CancellationToken ct)
+    {
+        try
+        {
+            var msg = new NodeAclChangedMessage(ClusterId: clusterId, GenerationId: generationId, ObservedAtUtc: DateTime.UtcNow);
+            await fleetHub.Clients.Group(FleetStatusHub.GroupName(clusterId))
+                .SendAsync("NodeAclChanged", msg, ct).ConfigureAwait(false);
+        }
+        catch (Exception ex) when (ex is not OperationCanceledException)
+        {
+            logger.LogWarning(ex, "NodeAclChanged push failed for cluster {ClusterId} gen {GenerationId}", clusterId, generationId);
+        }
+    }
+
+    public async Task NotifyRoleGrantsChangedAsync(CancellationToken ct)
+    {
+        try
+        {
+            var msg = new RoleGrantsChangedMessage(ObservedAtUtc: DateTime.UtcNow);
+            await fleetHub.Clients.Group(FleetStatusHub.FleetGroup)
+                .SendAsync("RoleGrantsChanged", msg, ct).ConfigureAwait(false);
+        }
+        catch (Exception ex) when (ex is not OperationCanceledException)
+        {
+            logger.LogWarning(ex, "RoleGrantsChanged push failed");
+        }
+    }
+}
+
+public sealed record NodeAclChangedMessage(string ClusterId, long GenerationId, DateTime ObservedAtUtc);
+public sealed record RoleGrantsChangedMessage(DateTime ObservedAtUtc);

src/ZB.MOM.WW.OtOpcUa.Admin/Services/NodeAclService.cs

@@ -5,7 +5,7 @@ using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
 
 namespace ZB.MOM.WW.OtOpcUa.Admin.Services;
 
-public sealed class NodeAclService(OtOpcUaConfigDbContext db)
+public sealed class NodeAclService(OtOpcUaConfigDbContext db, AclChangeNotifier? notifier = null)
 {
     public Task<List<NodeAcl>> ListAsync(long generationId, CancellationToken ct) =>
         db.NodeAcls.AsNoTracking()
@@ -31,6 +31,10 @@ public sealed class NodeAclService(OtOpcUaConfigDbContext db)
         };
         db.NodeAcls.Add(acl);
         await db.SaveChangesAsync(ct);
+
+        if (notifier is not null)
+            await notifier.NotifyNodeAclChangedAsync(clusterId, draftId, ct);
+
         return acl;
     }
 
@@ -40,5 +44,8 @@ public sealed class NodeAclService(OtOpcUaConfigDbContext db)
         if (row is null) return;
         db.NodeAcls.Remove(row);
         await db.SaveChangesAsync(ct);
+
+        if (notifier is not null)
+            await notifier.NotifyNodeAclChangedAsync(row.ClusterId, row.GenerationId, ct);
     }
 }

src/ZB.MOM.WW.OtOpcUa.Admin/ZB.MOM.WW.OtOpcUa.Admin.csproj

@@ -16,6 +16,8 @@
         <PackageReference Include="Novell.Directory.Ldap.NETStandard" Version="3.6.0"/>
         <PackageReference Include="Microsoft.AspNetCore.SignalR.Client" Version="10.0.0"/>
         <PackageReference Include="Serilog.AspNetCore" Version="9.0.0"/>
+        <PackageReference Include="OpenTelemetry.Extensions.Hosting" Version="1.15.2"/>
+        <PackageReference Include="OpenTelemetry.Exporter.Prometheus.AspNetCore" Version="1.15.2-beta.1"/>
     </ItemGroup>
 
     <ItemGroup>

src/ZB.MOM.WW.OtOpcUa.Admin/appsettings.json

@@ -23,5 +23,10 @@
   },
   "Serilog": {
     "MinimumLevel": "Information"
+  },
+  "Metrics": {
+    "Prometheus": {
+      "Enabled": true
+    }
   }
 }

src/ZB.MOM.WW.OtOpcUa.Analyzers/AnalyzerReleases.Shipped.md

@@ -0,0 +1,10 @@
+; Shipped analyzer releases.
+; See https://github.com/dotnet/roslyn-analyzers/blob/main/src/Microsoft.CodeAnalysis.Analyzers/ReleaseTrackingAnalyzers.Help.md
+
+## Release 1.0
+
+### New Rules
+
+Rule ID | Category | Severity | Notes
+--------|----------|----------|-------
+OTOPCUA0001 | OtOpcUa.Resilience | Warning | Direct driver-capability call bypasses CapabilityInvoker

src/ZB.MOM.WW.OtOpcUa.Analyzers/AnalyzerReleases.Unshipped.md

@@ -0,0 +1,2 @@
+; Unshipped analyzer release.
+; See https://github.com/dotnet/roslyn-analyzers/blob/main/src/Microsoft.CodeAnalysis.Analyzers/ReleaseTrackingAnalyzers.Help.md

src/ZB.MOM.WW.OtOpcUa.Analyzers/UnwrappedCapabilityCallAnalyzer.cs

@@ -0,0 +1,143 @@
+using System.Collections.Generic;
+using System.Collections.Immutable;
+using System.Linq;
+using Microsoft.CodeAnalysis;
+using Microsoft.CodeAnalysis.CSharp.Syntax;
+using Microsoft.CodeAnalysis.Diagnostics;
+using Microsoft.CodeAnalysis.Operations;
+
+namespace ZB.MOM.WW.OtOpcUa.Analyzers;
+
+/// <summary>
+///     Diagnostic analyzer that flags direct invocations of Phase 6.1-wrapped driver-capability
+///     methods when the call is NOT already running inside a <c>CapabilityInvoker.ExecuteAsync</c>,
+///     <c>CapabilityInvoker.ExecuteWriteAsync</c>, or <c>AlarmSurfaceInvoker.*Async</c> lambda.
+///     The wrapping is what gives us per-host breaker isolation, retry semantics, bulkhead-depth
+///     accounting, and alarm-ack idempotence guards — raw calls bypass all of that.
+/// </summary>
+/// <remarks>
+///     The analyzer matches by receiver-interface identity using Roslyn's semantic model, not by
+///     method name, so a driver with an unusually-named method implementing <c>IReadable.ReadAsync</c>
+///     still trips the rule. Lambda-context detection walks up the syntax tree from the call site
+///     + checks whether any enclosing <c>InvocationExpressionSyntax</c> targets a member whose
+///     containing type is <c>CapabilityInvoker</c> or <c>AlarmSurfaceInvoker</c>. The rule is
+///     intentionally narrow: it does NOT try to enforce the capability argument matches the
+///     method (e.g. ReadAsync wrapped in <c>ExecuteAsync(DriverCapability.Write, ...)</c> still
+///     passes) — that'd require flow analysis beyond single-expression scope.
+/// </remarks>
+[DiagnosticAnalyzer(Microsoft.CodeAnalysis.LanguageNames.CSharp)]
+public sealed class UnwrappedCapabilityCallAnalyzer : DiagnosticAnalyzer
+{
+    public const string DiagnosticId = "OTOPCUA0001";
+
+    /// <summary>Interfaces whose methods must be called through the capability invoker.</summary>
+    private static readonly string[] GuardedInterfaces =
+    [
+        "ZB.MOM.WW.OtOpcUa.Core.Abstractions.IReadable",
+        "ZB.MOM.WW.OtOpcUa.Core.Abstractions.IWritable",
+        "ZB.MOM.WW.OtOpcUa.Core.Abstractions.ITagDiscovery",
+        "ZB.MOM.WW.OtOpcUa.Core.Abstractions.ISubscribable",
+        "ZB.MOM.WW.OtOpcUa.Core.Abstractions.IHostConnectivityProbe",
+        "ZB.MOM.WW.OtOpcUa.Core.Abstractions.IAlarmSource",
+        "ZB.MOM.WW.OtOpcUa.Core.Abstractions.IHistoryProvider",
+    ];
+
+    /// <summary>Wrapper types whose lambda arguments are the allowed home for guarded calls.</summary>
+    private static readonly string[] WrapperTypes =
+    [
+        "ZB.MOM.WW.OtOpcUa.Core.Resilience.CapabilityInvoker",
+        "ZB.MOM.WW.OtOpcUa.Core.Resilience.AlarmSurfaceInvoker",
+    ];
+
+    private static readonly DiagnosticDescriptor Rule = new(
+        id: DiagnosticId,
+        title: "Driver capability call must be wrapped in CapabilityInvoker",
+        messageFormat: "Call to '{0}' is not wrapped in CapabilityInvoker.ExecuteAsync / ExecuteWriteAsync / AlarmSurfaceInvoker.*. Without the wrapping, Phase 6.1 resilience (retry, breaker, bulkhead, tracker telemetry) is bypassed for this call.",
+        category: "OtOpcUa.Resilience",
+        defaultSeverity: DiagnosticSeverity.Warning,
+        isEnabledByDefault: true,
+        description: "Phase 6.1 Stream A requires every IReadable/IWritable/ITagDiscovery/ISubscribable/IHostConnectivityProbe/IAlarmSource/IHistoryProvider call to route through the shared Polly pipeline. Direct calls skip the pipeline + lose per-host isolation, retry semantics, and telemetry. If the caller is Core/Server/Driver dispatch code, wrap the call in CapabilityInvoker.ExecuteAsync. If the caller is a unit test invoking the driver directly to test its wire-level behavior, either suppress with a pragma or move the suppression into a NoWarn for the test project.");
+
+    public override ImmutableArray<DiagnosticDescriptor> SupportedDiagnostics { get; } = ImmutableArray.Create(Rule);
+
+    public override void Initialize(AnalysisContext context)
+    {
+        context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.None);
+        context.EnableConcurrentExecution();
+        context.RegisterOperationAction(AnalyzeInvocation, OperationKind.Invocation);
+    }
+
+    private static void AnalyzeInvocation(OperationAnalysisContext context)
+    {
+        var invocation = (Microsoft.CodeAnalysis.Operations.IInvocationOperation)context.Operation;
+        var method = invocation.TargetMethod;
+
+        // Narrow the rule to async wire calls. Synchronous accessors like
+        // IHostConnectivityProbe.GetHostStatuses() are pure in-memory snapshots + would never
+        // benefit from the Polly pipeline; flagging them just creates false-positives.
+        if (!IsAsyncReturningType(method.ReturnType)) return;
+        if (!ImplementsGuardedInterface(method)) return;
+        if (IsInsideWrapperLambda(invocation.Syntax, context.Operation.SemanticModel, context.CancellationToken)) return;
+
+        var diag = Diagnostic.Create(Rule, invocation.Syntax.GetLocation(), $"{method.ContainingType.Name}.{method.Name}");
+        context.ReportDiagnostic(diag);
+    }
+
+    private static bool IsAsyncReturningType(ITypeSymbol type)
+    {
+        var name = type.OriginalDefinition.ToDisplayString(SymbolDisplayFormat.FullyQualifiedFormat);
+        return name is "global::System.Threading.Tasks.Task"
+            or "global::System.Threading.Tasks.Task<TResult>"
+            or "global::System.Threading.Tasks.ValueTask"
+            or "global::System.Threading.Tasks.ValueTask<TResult>";
+    }
+
+    private static bool ImplementsGuardedInterface(IMethodSymbol method)
+    {
+        foreach (var iface in method.ContainingType.AllInterfaces.Concat(new[] { method.ContainingType }))
+        {
+            var ifaceFqn = iface.OriginalDefinition.ToDisplayString(SymbolDisplayFormat.FullyQualifiedFormat)
+                .Replace("global::", string.Empty);
+            if (!GuardedInterfaces.Contains(ifaceFqn)) continue;
+
+            foreach (var member in iface.GetMembers().OfType<IMethodSymbol>())
+            {
+                var impl = method.ContainingType.FindImplementationForInterfaceMember(member);
+                if (SymbolEqualityComparer.Default.Equals(impl, method) ||
+                    SymbolEqualityComparer.Default.Equals(method.OriginalDefinition, member))
+                    return true;
+            }
+        }
+        return false;
+    }
+
+    private static bool IsInsideWrapperLambda(SyntaxNode startNode, SemanticModel? semanticModel, System.Threading.CancellationToken ct)
+    {
+        if (semanticModel is null) return false;
+
+        for (var node = startNode.Parent; node is not null; node = node.Parent)
+        {
+            // We only care about an enclosing invocation — the call we're auditing must literally
+            // live inside a lambda (ParenthesizedLambda / SimpleLambda / AnonymousMethod) that is
+            // an argument of a CapabilityInvoker.Execute* / AlarmSurfaceInvoker.* call.
+            if (node is not InvocationExpressionSyntax outer) continue;
+
+            var sym = semanticModel.GetSymbolInfo(outer, ct).Symbol as IMethodSymbol;
+            if (sym is null) continue;
+
+            var outerTypeFqn = sym.ContainingType.OriginalDefinition.ToDisplayString(SymbolDisplayFormat.FullyQualifiedFormat)
+                .Replace("global::", string.Empty);
+            if (!WrapperTypes.Contains(outerTypeFqn)) continue;
+
+            // The call is wrapped IFF our startNode is transitively inside one of the outer
+            // call's argument lambdas. Walk the outer invocation's argument list + check whether
+            // any lambda body contains the startNode's position.
+            foreach (var arg in outer.ArgumentList.Arguments)
+            {
+                if (arg.Expression is not AnonymousFunctionExpressionSyntax lambda) continue;
+                if (lambda.Span.Contains(startNode.Span)) return true;
+            }
+        }
+        return false;
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Analyzers/ZB.MOM.WW.OtOpcUa.Analyzers.csproj

@@ -0,0 +1,24 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+    <PropertyGroup>
+        <!-- Roslyn analyzers ship as netstandard2.0 so they load into the MSBuild compiler host
+             (which on .NET Framework 4.7.2 and .NET 6+ equally resolves netstandard2.0). -->
+        <TargetFramework>netstandard2.0</TargetFramework>
+        <Nullable>enable</Nullable>
+        <LangVersion>latest</LangVersion>
+        <IsPackable>false</IsPackable>
+        <IsRoslynComponent>true</IsRoslynComponent>
+        <EnforceExtendedAnalyzerRules>true</EnforceExtendedAnalyzerRules>
+        <RootNamespace>ZB.MOM.WW.OtOpcUa.Analyzers</RootNamespace>
+    </PropertyGroup>
+
+    <ItemGroup>
+        <PackageReference Include="Microsoft.CodeAnalysis.CSharp" Version="5.3.0" PrivateAssets="all"/>
+    </ItemGroup>
+
+    <ItemGroup>
+        <AdditionalFiles Include="AnalyzerReleases.Shipped.md"/>
+        <AdditionalFiles Include="AnalyzerReleases.Unshipped.md"/>
+    </ItemGroup>
+
+</Project>

src/ZB.MOM.WW.OtOpcUa.Configuration/Migrations/20260420000001_ExtendComputeGenerationDiffWithNodeAcl.cs

@@ -0,0 +1,172 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Migrations
+{
+    /// <summary>
+    ///     Extends <c>dbo.sp_ComputeGenerationDiff</c> to emit <c>NodeAcl</c> rows alongside the
+    ///     existing Namespace/DriverInstance/Equipment/Tag output — closes the final slice of
+    ///     task #196 (DiffViewer ACL section). Logical id for NodeAcl is a composite
+    ///     <c>LdapGroup|ScopeKind|ScopeId</c> triple so a Change row surfaces whether the grant
+    ///     shifted permissions, moved scope, or was added/removed outright.
+    /// </summary>
+    /// <inheritdoc />
+    public partial class ExtendComputeGenerationDiffWithNodeAcl : Migration
+    {
+        /// <inheritdoc />
+        protected override void Up(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.Sql(Procs.ComputeGenerationDiffV2);
+        }
+
+        /// <inheritdoc />
+        protected override void Down(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.Sql(Procs.ComputeGenerationDiffV1);
+        }
+
+        private static class Procs
+        {
+            /// <summary>V2 — adds the NodeAcl section to the diff output.</summary>
+            public const string ComputeGenerationDiffV2 = @"
+CREATE OR ALTER PROCEDURE dbo.sp_ComputeGenerationDiff
+    @FromGenerationId bigint,
+    @ToGenerationId   bigint
+AS
+BEGIN
+    SET NOCOUNT ON;
+
+    CREATE TABLE #diff (TableName nvarchar(32), LogicalId nvarchar(128), ChangeKind nvarchar(16));
+
+    WITH f AS (SELECT NamespaceId AS LogicalId, CHECKSUM(NamespaceUri, Kind, Enabled, Notes) AS Sig FROM dbo.Namespace WHERE GenerationId = @FromGenerationId),
+         t AS (SELECT NamespaceId AS LogicalId, CHECKSUM(NamespaceUri, Kind, Enabled, Notes) AS Sig FROM dbo.Namespace WHERE GenerationId = @ToGenerationId)
+    INSERT #diff
+    SELECT 'Namespace', CONVERT(nvarchar(128), COALESCE(f.LogicalId, t.LogicalId)),
+           CASE WHEN f.LogicalId IS NULL THEN 'Added'
+                WHEN t.LogicalId IS NULL THEN 'Removed'
+                WHEN f.Sig <> t.Sig       THEN 'Modified'
+                ELSE 'Unchanged' END
+    FROM   f FULL OUTER JOIN t ON f.LogicalId = t.LogicalId
+    WHERE  f.LogicalId IS NULL OR t.LogicalId IS NULL OR f.Sig <> t.Sig;
+
+    WITH f AS (SELECT DriverInstanceId AS LogicalId, CHECKSUM(ClusterId, NamespaceId, Name, DriverType, Enabled, CONVERT(varchar(max), DriverConfig)) AS Sig FROM dbo.DriverInstance WHERE GenerationId = @FromGenerationId),
+         t AS (SELECT DriverInstanceId AS LogicalId, CHECKSUM(ClusterId, NamespaceId, Name, DriverType, Enabled, CONVERT(varchar(max), DriverConfig)) AS Sig FROM dbo.DriverInstance WHERE GenerationId = @ToGenerationId)
+    INSERT #diff
+    SELECT 'DriverInstance', CONVERT(nvarchar(128), COALESCE(f.LogicalId, t.LogicalId)),
+           CASE WHEN f.LogicalId IS NULL THEN 'Added'
+                WHEN t.LogicalId IS NULL THEN 'Removed'
+                WHEN f.Sig <> t.Sig       THEN 'Modified'
+                ELSE 'Unchanged' END
+    FROM   f FULL OUTER JOIN t ON f.LogicalId = t.LogicalId
+    WHERE  f.LogicalId IS NULL OR t.LogicalId IS NULL OR f.Sig <> t.Sig;
+
+    WITH f AS (SELECT EquipmentId AS LogicalId, CHECKSUM(EquipmentUuid, DriverInstanceId, UnsLineId, Name, MachineCode, ZTag, SAPID, EquipmentClassRef, Manufacturer, Model, SerialNumber) AS Sig FROM dbo.Equipment WHERE GenerationId = @FromGenerationId),
+         t AS (SELECT EquipmentId AS LogicalId, CHECKSUM(EquipmentUuid, DriverInstanceId, UnsLineId, Name, MachineCode, ZTag, SAPID, EquipmentClassRef, Manufacturer, Model, SerialNumber) AS Sig FROM dbo.Equipment WHERE GenerationId = @ToGenerationId)
+    INSERT #diff
+    SELECT 'Equipment', CONVERT(nvarchar(128), COALESCE(f.LogicalId, t.LogicalId)),
+           CASE WHEN f.LogicalId IS NULL THEN 'Added'
+                WHEN t.LogicalId IS NULL THEN 'Removed'
+                WHEN f.Sig <> t.Sig       THEN 'Modified'
+                ELSE 'Unchanged' END
+    FROM   f FULL OUTER JOIN t ON f.LogicalId = t.LogicalId
+    WHERE  f.LogicalId IS NULL OR t.LogicalId IS NULL OR f.Sig <> t.Sig;
+
+    WITH f AS (SELECT TagId AS LogicalId, CHECKSUM(DriverInstanceId, DeviceId, EquipmentId, PollGroupId, FolderPath, Name, DataType, AccessLevel, WriteIdempotent, CONVERT(varchar(max), TagConfig)) AS Sig FROM dbo.Tag WHERE GenerationId = @FromGenerationId),
+         t AS (SELECT TagId AS LogicalId, CHECKSUM(DriverInstanceId, DeviceId, EquipmentId, PollGroupId, FolderPath, Name, DataType, AccessLevel, WriteIdempotent, CONVERT(varchar(max), TagConfig)) AS Sig FROM dbo.Tag WHERE GenerationId = @ToGenerationId)
+    INSERT #diff
+    SELECT 'Tag', CONVERT(nvarchar(128), COALESCE(f.LogicalId, t.LogicalId)),
+           CASE WHEN f.LogicalId IS NULL THEN 'Added'
+                WHEN t.LogicalId IS NULL THEN 'Removed'
+                WHEN f.Sig <> t.Sig       THEN 'Modified'
+                ELSE 'Unchanged' END
+    FROM   f FULL OUTER JOIN t ON f.LogicalId = t.LogicalId
+    WHERE  f.LogicalId IS NULL OR t.LogicalId IS NULL OR f.Sig <> t.Sig;
+
+    -- NodeAcl section. Logical id is the (LdapGroup, ScopeKind, ScopeId) triple so the diff
+    -- distinguishes same row with new permissions (Modified via CHECKSUM on PermissionFlags + Notes)
+    -- from a scope move (which surfaces as Added + Removed of different logical ids).
+    WITH f AS (
+            SELECT  CONVERT(nvarchar(128), LdapGroup + '|' + CONVERT(nvarchar(16), ScopeKind) + '|' + ISNULL(ScopeId, '(cluster)')) AS LogicalId,
+                    CHECKSUM(ClusterId, PermissionFlags, Notes) AS Sig
+            FROM    dbo.NodeAcl WHERE GenerationId = @FromGenerationId),
+         t AS (
+            SELECT  CONVERT(nvarchar(128), LdapGroup + '|' + CONVERT(nvarchar(16), ScopeKind) + '|' + ISNULL(ScopeId, '(cluster)')) AS LogicalId,
+                    CHECKSUM(ClusterId, PermissionFlags, Notes) AS Sig
+            FROM    dbo.NodeAcl WHERE GenerationId = @ToGenerationId)
+    INSERT #diff
+    SELECT 'NodeAcl', COALESCE(f.LogicalId, t.LogicalId),
+           CASE WHEN f.LogicalId IS NULL THEN 'Added'
+                WHEN t.LogicalId IS NULL THEN 'Removed'
+                WHEN f.Sig <> t.Sig       THEN 'Modified'
+                ELSE 'Unchanged' END
+    FROM   f FULL OUTER JOIN t ON f.LogicalId = t.LogicalId
+    WHERE  f.LogicalId IS NULL OR t.LogicalId IS NULL OR f.Sig <> t.Sig;
+
+    SELECT TableName, LogicalId, ChangeKind FROM #diff;
+    DROP TABLE #diff;
+END
+";
+
+            /// <summary>V1 — exact proc shipped in migration 20260417215224_StoredProcedures. Restored on Down().</summary>
+            public const string ComputeGenerationDiffV1 = @"
+CREATE OR ALTER PROCEDURE dbo.sp_ComputeGenerationDiff
+    @FromGenerationId bigint,
+    @ToGenerationId   bigint
+AS
+BEGIN
+    SET NOCOUNT ON;
+
+    CREATE TABLE #diff (TableName nvarchar(32), LogicalId nvarchar(64), ChangeKind nvarchar(16));
+
+    WITH f AS (SELECT NamespaceId AS LogicalId, CHECKSUM(NamespaceUri, Kind, Enabled, Notes) AS Sig FROM dbo.Namespace WHERE GenerationId = @FromGenerationId),
+         t AS (SELECT NamespaceId AS LogicalId, CHECKSUM(NamespaceUri, Kind, Enabled, Notes) AS Sig FROM dbo.Namespace WHERE GenerationId = @ToGenerationId)
+    INSERT #diff
+    SELECT 'Namespace', CONVERT(nvarchar(64), COALESCE(f.LogicalId, t.LogicalId)),
+           CASE WHEN f.LogicalId IS NULL THEN 'Added'
+                WHEN t.LogicalId IS NULL THEN 'Removed'
+                WHEN f.Sig <> t.Sig       THEN 'Modified'
+                ELSE 'Unchanged' END
+    FROM   f FULL OUTER JOIN t ON f.LogicalId = t.LogicalId
+    WHERE  f.LogicalId IS NULL OR t.LogicalId IS NULL OR f.Sig <> t.Sig;
+
+    WITH f AS (SELECT DriverInstanceId AS LogicalId, CHECKSUM(ClusterId, NamespaceId, Name, DriverType, Enabled, CONVERT(varchar(max), DriverConfig)) AS Sig FROM dbo.DriverInstance WHERE GenerationId = @FromGenerationId),
+         t AS (SELECT DriverInstanceId AS LogicalId, CHECKSUM(ClusterId, NamespaceId, Name, DriverType, Enabled, CONVERT(varchar(max), DriverConfig)) AS Sig FROM dbo.DriverInstance WHERE GenerationId = @ToGenerationId)
+    INSERT #diff
+    SELECT 'DriverInstance', CONVERT(nvarchar(64), COALESCE(f.LogicalId, t.LogicalId)),
+           CASE WHEN f.LogicalId IS NULL THEN 'Added'
+                WHEN t.LogicalId IS NULL THEN 'Removed'
+                WHEN f.Sig <> t.Sig       THEN 'Modified'
+                ELSE 'Unchanged' END
+    FROM   f FULL OUTER JOIN t ON f.LogicalId = t.LogicalId
+    WHERE  f.LogicalId IS NULL OR t.LogicalId IS NULL OR f.Sig <> t.Sig;
+
+    WITH f AS (SELECT EquipmentId AS LogicalId, CHECKSUM(EquipmentUuid, DriverInstanceId, UnsLineId, Name, MachineCode, ZTag, SAPID, EquipmentClassRef, Manufacturer, Model, SerialNumber) AS Sig FROM dbo.Equipment WHERE GenerationId = @FromGenerationId),
+         t AS (SELECT EquipmentId AS LogicalId, CHECKSUM(EquipmentUuid, DriverInstanceId, UnsLineId, Name, MachineCode, ZTag, SAPID, EquipmentClassRef, Manufacturer, Model, SerialNumber) AS Sig FROM dbo.Equipment WHERE GenerationId = @ToGenerationId)
+    INSERT #diff
+    SELECT 'Equipment', CONVERT(nvarchar(64), COALESCE(f.LogicalId, t.LogicalId)),
+           CASE WHEN f.LogicalId IS NULL THEN 'Added'
+                WHEN t.LogicalId IS NULL THEN 'Removed'
+                WHEN f.Sig <> t.Sig       THEN 'Modified'
+                ELSE 'Unchanged' END
+    FROM   f FULL OUTER JOIN t ON f.LogicalId = t.LogicalId
+    WHERE  f.LogicalId IS NULL OR t.LogicalId IS NULL OR f.Sig <> t.Sig;
+
+    WITH f AS (SELECT TagId AS LogicalId, CHECKSUM(DriverInstanceId, DeviceId, EquipmentId, PollGroupId, FolderPath, Name, DataType, AccessLevel, WriteIdempotent, CONVERT(varchar(max), TagConfig)) AS Sig FROM dbo.Tag WHERE GenerationId = @FromGenerationId),
+         t AS (SELECT TagId AS LogicalId, CHECKSUM(DriverInstanceId, DeviceId, EquipmentId, PollGroupId, FolderPath, Name, DataType, AccessLevel, WriteIdempotent, CONVERT(varchar(max), TagConfig)) AS Sig FROM dbo.Tag WHERE GenerationId = @ToGenerationId)
+    INSERT #diff
+    SELECT 'Tag', CONVERT(nvarchar(64), COALESCE(f.LogicalId, t.LogicalId)),
+           CASE WHEN f.LogicalId IS NULL THEN 'Added'
+                WHEN t.LogicalId IS NULL THEN 'Removed'
+                WHEN f.Sig <> t.Sig       THEN 'Modified'
+                ELSE 'Unchanged' END
+    FROM   f FULL OUTER JOIN t ON f.LogicalId = t.LogicalId
+    WHERE  f.LogicalId IS NULL OR t.LogicalId IS NULL OR f.Sig <> t.Sig;
+
+    SELECT TableName, LogicalId, ChangeKind FROM #diff;
+    DROP TABLE #diff;
+END
+";
+        }
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Server/ZB.MOM.WW.OtOpcUa.Server.csproj

@@ -30,6 +30,8 @@
 
     <ItemGroup>
         <ProjectReference Include="..\ZB.MOM.WW.OtOpcUa.Core\ZB.MOM.WW.OtOpcUa.Core.csproj"/>
+        <ProjectReference Include="..\ZB.MOM.WW.OtOpcUa.Analyzers\ZB.MOM.WW.OtOpcUa.Analyzers.csproj"
+                          OutputItemType="Analyzer" ReferenceOutputAssembly="false"/>
     </ItemGroup>
 
     <ItemGroup>

tests/ZB.MOM.WW.OtOpcUa.Analyzers.Tests/UnwrappedCapabilityCallAnalyzerTests.cs

@@ -0,0 +1,195 @@
+using System.Collections.Immutable;
+using Microsoft.CodeAnalysis;
+using Microsoft.CodeAnalysis.CSharp;
+using Microsoft.CodeAnalysis.Diagnostics;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Analyzers;
+
+namespace ZB.MOM.WW.OtOpcUa.Analyzers.Tests;
+
+/// <summary>
+///     Compile-a-snippet-and-run-the-analyzer tests. Avoids
+///     Microsoft.CodeAnalysis.CSharp.Analyzer.Testing.XUnit because it pins to xunit v2 +
+///     this project uses xunit.v3 like the rest of the solution. Hand-rolled harness is 15
+///     lines + makes the assertion surface obvious at the test-author level.
+/// </summary>
+[Trait("Category", "Unit")]
+public sealed class UnwrappedCapabilityCallAnalyzerTests
+{
+    /// <summary>Minimal stubs for the guarded interfaces + the two wrapper types. Keeps the
+    /// analyzer tests independent of the real OtOpcUa project references so a drift in those
+    /// signatures doesn't secretly mute the analyzer check.</summary>
+    private const string StubSources = """
+namespace ZB.MOM.WW.OtOpcUa.Core.Abstractions {
+    using System.Threading;
+    using System.Threading.Tasks;
+    using System.Collections.Generic;
+    public interface IReadable {
+        ValueTask<IReadOnlyList<object>> ReadAsync(IReadOnlyList<string> tags, CancellationToken ct);
+    }
+    public interface IWritable {
+        ValueTask WriteAsync(IReadOnlyList<object> ops, CancellationToken ct);
+    }
+    public interface ITagDiscovery {
+        Task DiscoverAsync(CancellationToken ct);
+    }
+    public enum DriverCapability { Read, Write, Discover }
+}
+namespace ZB.MOM.WW.OtOpcUa.Core.Resilience {
+    using System;
+    using System.Threading;
+    using System.Threading.Tasks;
+    using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+    public sealed class CapabilityInvoker {
+        public ValueTask<T> ExecuteAsync<T>(DriverCapability c, string host, Func<CancellationToken, ValueTask<T>> call, CancellationToken ct) => throw null!;
+        public ValueTask ExecuteAsync(DriverCapability c, string host, Func<CancellationToken, ValueTask> call, CancellationToken ct) => throw null!;
+        public ValueTask<T> ExecuteWriteAsync<T>(string host, bool isIdempotent, Func<CancellationToken, ValueTask<T>> call, CancellationToken ct) => throw null!;
+    }
+}
+""";
+
+    [Fact]
+    public async Task Direct_ReadAsync_Call_InServerNamespace_TripsDiagnostic()
+    {
+        const string userSrc = """
+using System.Collections.Generic;
+using System.Threading;
+using System.Threading.Tasks;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+
+namespace ZB.MOM.WW.OtOpcUa.Server {
+    public sealed class BadCaller {
+        public async Task DoIt(IReadable driver) {
+            var _ = await driver.ReadAsync(new List<string>(), CancellationToken.None);
+        }
+    }
+}
+""";
+        var diags = await Compile(userSrc);
+        diags.Length.ShouldBe(1);
+        diags[0].Id.ShouldBe(UnwrappedCapabilityCallAnalyzer.DiagnosticId);
+        diags[0].GetMessage().ShouldContain("ReadAsync");
+    }
+
+    [Fact]
+    public async Task Wrapped_ReadAsync_InsideCapabilityInvokerLambda_PassesCleanly()
+    {
+        const string userSrc = """
+using System.Collections.Generic;
+using System.Threading;
+using System.Threading.Tasks;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Core.Resilience;
+
+namespace ZB.MOM.WW.OtOpcUa.Server {
+    public sealed class GoodCaller {
+        public async Task DoIt(IReadable driver, CapabilityInvoker invoker) {
+            var _ = await invoker.ExecuteAsync(DriverCapability.Read, "h1",
+                async ct => await driver.ReadAsync(new List<string>(), ct), CancellationToken.None);
+        }
+    }
+}
+""";
+        var diags = await Compile(userSrc);
+        diags.ShouldBeEmpty();
+    }
+
+    [Fact]
+    public async Task DirectWrite_WithoutWrapper_TripsDiagnostic()
+    {
+        const string userSrc = """
+using System.Collections.Generic;
+using System.Threading;
+using System.Threading.Tasks;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+
+namespace ZB.MOM.WW.OtOpcUa.Server {
+    public sealed class BadWrite {
+        public async Task DoIt(IWritable driver) {
+            await driver.WriteAsync(new List<object>(), CancellationToken.None);
+        }
+    }
+}
+""";
+        var diags = await Compile(userSrc);
+        diags.Length.ShouldBe(1);
+        diags[0].GetMessage().ShouldContain("WriteAsync");
+    }
+
+    [Fact]
+    public async Task Discovery_Call_WithoutWrapper_TripsDiagnostic()
+    {
+        const string userSrc = """
+using System.Threading;
+using System.Threading.Tasks;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+
+namespace ZB.MOM.WW.OtOpcUa.Server {
+    public sealed class BadDiscover {
+        public async Task DoIt(ITagDiscovery driver) {
+            await driver.DiscoverAsync(CancellationToken.None);
+        }
+    }
+}
+""";
+        var diags = await Compile(userSrc);
+        diags.Length.ShouldBe(1);
+        diags[0].GetMessage().ShouldContain("DiscoverAsync");
+    }
+
+    [Fact]
+    public async Task Call_OutsideOfLambda_ButInsideInvokerCall_StillTripsDiagnostic()
+    {
+        // Precompute the read *outside* the lambda, then pass the awaited result — that does NOT
+        // actually wrap the ReadAsync call in the resilience pipeline, so the analyzer must
+        // still flag it (regression guard: a naive "any mention of ExecuteAsync nearby" rule
+        // would silently let this pattern through).
+        const string userSrc = """
+using System.Collections.Generic;
+using System.Threading;
+using System.Threading.Tasks;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Core.Resilience;
+
+namespace ZB.MOM.WW.OtOpcUa.Server {
+    public sealed class SneakyCaller {
+        public async Task DoIt(IReadable driver, CapabilityInvoker invoker) {
+            var result = await driver.ReadAsync(new List<string>(), CancellationToken.None); // not inside any lambda
+            await invoker.ExecuteAsync(DriverCapability.Read, "h1",
+                async ct => { await Task.Yield(); }, CancellationToken.None);
+            _ = result;
+        }
+    }
+}
+""";
+        var diags = await Compile(userSrc);
+        diags.Length.ShouldBe(1);
+    }
+
+    private static async Task<ImmutableArray<Diagnostic>> Compile(string userSource)
+    {
+        var syntaxTrees = new[]
+        {
+            CSharpSyntaxTree.ParseText(StubSources),
+            CSharpSyntaxTree.ParseText(userSource),
+        };
+        var references = AppDomain.CurrentDomain.GetAssemblies()
+            .Where(a => !a.IsDynamic && !string.IsNullOrEmpty(a.Location))
+            .Select(a => MetadataReference.CreateFromFile(a.Location))
+            .Cast<MetadataReference>()
+            .ToList();
+
+        var compilation = CSharpCompilation.Create(
+            assemblyName: "AnalyzerTestAssembly",
+            syntaxTrees: syntaxTrees,
+            references: references,
+            options: new CSharpCompilationOptions(OutputKind.DynamicallyLinkedLibrary));
+
+        var withAnalyzers = compilation.WithAnalyzers(
+            ImmutableArray.Create<DiagnosticAnalyzer>(new UnwrappedCapabilityCallAnalyzer()));
+
+        var allDiags = await withAnalyzers.GetAnalyzerDiagnosticsAsync();
+        return allDiags.Where(d => d.Id == UnwrappedCapabilityCallAnalyzer.DiagnosticId).ToImmutableArray();
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Analyzers.Tests/ZB.MOM.WW.OtOpcUa.Analyzers.Tests.csproj

@@ -0,0 +1,26 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+    <PropertyGroup>
+        <TargetFramework>net10.0</TargetFramework>
+        <Nullable>enable</Nullable>
+        <ImplicitUsings>enable</ImplicitUsings>
+        <LangVersion>latest</LangVersion>
+        <IsPackable>false</IsPackable>
+        <IsTestProject>true</IsTestProject>
+        <RootNamespace>ZB.MOM.WW.OtOpcUa.Analyzers.Tests</RootNamespace>
+    </PropertyGroup>
+
+    <ItemGroup>
+        <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.12.0"/>
+        <PackageReference Include="xunit.v3" Version="1.1.0"/>
+        <PackageReference Include="xunit.runner.visualstudio" Version="3.0.2"/>
+        <PackageReference Include="Shouldly" Version="4.3.0"/>
+        <PackageReference Include="Microsoft.CodeAnalysis.CSharp" Version="5.3.0"/>
+        <PackageReference Include="Microsoft.CodeAnalysis.CSharp.Workspaces" Version="5.3.0"/>
+    </ItemGroup>
+
+    <ItemGroup>
+        <ProjectReference Include="..\..\src\ZB.MOM.WW.OtOpcUa.Analyzers\ZB.MOM.WW.OtOpcUa.Analyzers.csproj"/>
+    </ItemGroup>
+
+</Project>