Phase 1 LDAP auth + SignalR real-time — closes the last two open Admin UI TODOs. LDAP: Admin/Security/ gets SecurityOptions (bound from appsettings.json Authentication:Ldap), LdapAuthResult record, ILdapAuthService + LdapAuthService ported from scadalink-design's LdapAuthService (TLS guard, search-then-bind when a service account is configured, direct-bind fallback, service-account re-bind after user bind so attribute lookup uses the service principal's read rights, LdapException-to-friendly-message translation, OperationCanceledException pass-through), RoleMapper (pure function: case-insensitive group-name match against LdapOptions.GroupToRole, returns the distinct set of mapped Admin roles). EscapeLdapFilter escapes the five LDAP filter control chars (\, *, (, ), \0); ExtractFirstRdnValue pulls the value portion of a DN's leading RDN for memberOf parsing; ExtractOuSegment added as a GLAuth-specific fallback when the directory doesn't populate memberOf but does embed ou=PrimaryGroup into user DNs (actual GLAuth config in C:\publish\glauth\glauth.cfg uses nameformat=cn, groupformat=ou — direct bind is enough). Login page rewritten: EditForm → ILdapAuthService.AuthenticateAsync → cookie sign-in with claims (Name = displayName, NameIdentifier = username, Role for each mapped role, ldap_group for each raw group); failed bind shows the service's error; empty-role-map returns an explicit "no Admin role mapped" message rather than silently succeeding. appsettings.json gains an Authentication:Ldap section with dev-GLAuth defaults (localhost:3893, UseTls=false, AllowInsecureLdap=true for dev, GroupToRole maps GLAuth's ReadOnly/WriteOperate/AlarmAck → ConfigViewer/ConfigEditor/FleetAdmin). SignalR: two hubs + a BackgroundService poller. FleetStatusHub routes per-cluster NodeStateChanged pushes (SubscribeCluster/UnsubscribeCluster on connection; FleetGroup for dashboard-wide) with a typed NodeStateChangedMessage payload. AlertHub auto-subscribes every connection to the AllAlertsGroup and exposes AcknowledgeAsync (ack persistence deferred to v2.1). FleetStatusPoller (IHostedService, 5s default cadence) scans ClusterNodeGenerationState joined with ClusterNode, caches the prior snapshot per NodeId, pushes NodeStateChanged on any delta, raises AlertMessage("apply-failed") on transition INTO Failed (sticky — the hub client acks later). Program.cs registers HttpContextAccessor (sign-in needs it), SignalR, LdapOptions + ILdapAuthService, the poller as hosted service, and maps /hubs/fleet + /hubs/alerts endpoints. ClusterDetail adds @rendermode RenderMode.InteractiveServer, @implements IAsyncDisposable, and a HubConnectionBuilder subscription that calls LoadAsync() on each NodeStateChanged for its cluster so the "current published" card refreshes without a page reload; a dismissable "Live update" info banner surfaces the most recent event. Microsoft.AspNetCore.SignalR.Client 10.0.0 + Novell.Directory.Ldap.NETStandard 3.6.0 added. Tests: 13 new — RoleMapperTests (single group, case-insensitive match, multi-group distinct-roles, unknown-group ignored, empty-map); LdapAuthServiceTests (EscapeLdapFilter with 4 inputs, ExtractFirstRdnValue with 4 inputs — all via reflection against internals); LdapLiveBindTests (skip when localhost:3893 unreachable; valid-credentials-bind-succeeds; wrong-password-fails-with-recognizable-error; empty-username-rejected-before-hitting-directory); FleetStatusPollerTests (throwaway DB, seeds cluster+node+generation+apply-state, runs PollOnceAsync, asserts NodeStateChanged hit the recorder; second test seeds a Failed state and asserts AlertRaised fired) — backed by RecordingHubContext/RecordingHubClients/RecordingClientProxy that capture SendCoreAsync invocations while throwing NotImplementedException for the IHubClients methods the poller doesn't call (fail-fast if evolution adds new dependencies). InternalsVisibleTo added so the test project can call FleetStatusPoller.PollOnceAsync directly. Full solution 946 pass / 1 pre-existing Phase 0 baseline failure.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

ZB.MOM.WW.OtOpcUa.slnx

@@ -1,6 +1,13 @@
 <Solution>
     <Folder Name="/src/">
         <Project Path="src/ZB.MOM.WW.OtOpcUa.Core.Abstractions/ZB.MOM.WW.OtOpcUa.Core.Abstractions.csproj"/>
+        <Project Path="src/ZB.MOM.WW.OtOpcUa.Configuration/ZB.MOM.WW.OtOpcUa.Configuration.csproj"/>
+        <Project Path="src/ZB.MOM.WW.OtOpcUa.Core/ZB.MOM.WW.OtOpcUa.Core.csproj"/>
+        <Project Path="src/ZB.MOM.WW.OtOpcUa.Server/ZB.MOM.WW.OtOpcUa.Server.csproj"/>
+        <Project Path="src/ZB.MOM.WW.OtOpcUa.Admin/ZB.MOM.WW.OtOpcUa.Admin.csproj"/>
+        <Project Path="src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared.csproj"/>
+        <Project Path="src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.csproj"/>
+        <Project Path="src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.csproj"/>
         <Project Path="src/ZB.MOM.WW.OtOpcUa.Host/ZB.MOM.WW.OtOpcUa.Host.csproj"/>
         <Project Path="src/ZB.MOM.WW.OtOpcUa.Historian.Aveva/ZB.MOM.WW.OtOpcUa.Historian.Aveva.csproj"/>
         <Project Path="src/ZB.MOM.WW.OtOpcUa.Client.Shared/ZB.MOM.WW.OtOpcUa.Client.Shared.csproj"/>
@@ -9,6 +16,13 @@
     </Folder>
     <Folder Name="/tests/">
         <Project Path="tests/ZB.MOM.WW.OtOpcUa.Core.Abstractions.Tests/ZB.MOM.WW.OtOpcUa.Core.Abstractions.Tests.csproj"/>
+        <Project Path="tests/ZB.MOM.WW.OtOpcUa.Configuration.Tests/ZB.MOM.WW.OtOpcUa.Configuration.Tests.csproj"/>
+        <Project Path="tests/ZB.MOM.WW.OtOpcUa.Core.Tests/ZB.MOM.WW.OtOpcUa.Core.Tests.csproj"/>
+        <Project Path="tests/ZB.MOM.WW.OtOpcUa.Server.Tests/ZB.MOM.WW.OtOpcUa.Server.Tests.csproj"/>
+        <Project Path="tests/ZB.MOM.WW.OtOpcUa.Admin.Tests/ZB.MOM.WW.OtOpcUa.Admin.Tests.csproj"/>
+        <Project Path="tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared.Tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared.Tests.csproj"/>
+        <Project Path="tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Tests.csproj"/>
+        <Project Path="tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.Tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.Tests.csproj"/>
         <Project Path="tests/ZB.MOM.WW.OtOpcUa.Tests/ZB.MOM.WW.OtOpcUa.Tests.csproj"/>
         <Project Path="tests/ZB.MOM.WW.OtOpcUa.Historian.Aveva.Tests/ZB.MOM.WW.OtOpcUa.Historian.Aveva.Tests.csproj"/>
         <Project Path="tests/ZB.MOM.WW.OtOpcUa.IntegrationTests/ZB.MOM.WW.OtOpcUa.IntegrationTests.csproj"/>

docs/v2/dev-environment.md

@@ -58,7 +58,7 @@ Running record of every v2 dev service stood up on this developer machine. Updat
 
 | Service | Container / Process | Version | Host:Port | Credentials (dev-only) | Data location | Status |
 |---------|---------------------|---------|-----------|------------------------|---------------|--------|
-| **Central config DB** | Docker container `otopcua-mssql` (image `mcr.microsoft.com/mssql/server:2022-latest`) | 16.0.4250.1 (RTM-CU24-GDR, KB5083252) | `localhost:1433` | User `sa` / Password `OtOpcUaDev_2026!` | Docker named volume `otopcua-mssql-data` (mounted at `/var/opt/mssql` inside container) | ✅ Running |
+| **Central config DB** | Docker container `otopcua-mssql` (image `mcr.microsoft.com/mssql/server:2022-latest`) | 16.0.4250.1 (RTM-CU24-GDR, KB5083252) | `localhost:14330` (host) → `1433` (container) — remapped from 1433 to avoid collision with the native MSSQL14 instance that hosts the Galaxy `ZB` DB (both bind 0.0.0.0:1433; whichever wins the race gets connections) | User `sa` / Password `OtOpcUaDev_2026!` | Docker named volume `otopcua-mssql-data` (mounted at `/var/opt/mssql` inside container) | ✅ Running — `InitialSchema` migration applied, 16 entity tables live |
 | Dev Galaxy (AVEVA System Platform) | Local install on this dev box | v1 baseline | Local COM via MXAccess | Windows Auth | Galaxy repository DB `ZB` on local SQL Server (separate instance from `otopcua-mssql` — legacy v1 Galaxy DB, not related to v2 config DB) | ✅ Available (per CLAUDE.md) |
 | GLAuth (LDAP) | Local install at `C:\publish\glauth\` | v1 baseline | `localhost:3893` (LDAP) / `3894` (LDAPS) | Bind DN `cn=admin,dc=otopcua,dc=local` / password in `glauth-otopcua.cfg` | `C:\publish\glauth\` | Pending — v2 test users + groups config not yet seeded (Phase 1 Stream E task) |
 | OPC Foundation reference server | Not yet built | — | `localhost:62541` (target) | `user1` / `password1` (reference-server defaults) | — | Pending (needed for Phase 5 OPC UA Client driver testing) |
@@ -75,7 +75,7 @@ Copy-paste-ready. **Never commit these to the repo** — they go in `appsettings
 ```jsonc
 {
   "ConfigDatabase": {
-    "ConnectionString": "Server=localhost,1433;Database=OtOpcUaConfig_Dev;User Id=sa;Password=OtOpcUaDev_2026!;TrustServerCertificate=true;Encrypt=false;"
+    "ConnectionString": "Server=localhost,14330;Database=OtOpcUaConfig_Dev;User Id=sa;Password=OtOpcUaDev_2026!;TrustServerCertificate=true;Encrypt=false;"
   },
   "Authentication": {
     "Ldap": {
@@ -135,7 +135,7 @@ Dev credentials in this inventory are convenience defaults, not secrets. Change
 
 | Resource | Purpose | Type | Default port | Default credentials | Owner |
 |----------|---------|------|--------------|---------------------|-------|
-| **SQL Server 2022 dev edition** | Central config DB; integration tests against `Configuration` project | Local install OR Docker container `mcr.microsoft.com/mssql/server:2022-latest` | 1433 | `sa` / `OtOpcUaDev_2026!` (dev only — production uses Integrated Security or gMSA per decision #46) | Developer (per machine) |
+| **SQL Server 2022 dev edition** | Central config DB; integration tests against `Configuration` project | Local install OR Docker container `mcr.microsoft.com/mssql/server:2022-latest` | 1433 default, or 14330 when a native MSSQL instance (e.g. the Galaxy `ZB` host) already occupies 1433 | `sa` / `OtOpcUaDev_2026!` (dev only — production uses Integrated Security or gMSA per decision #46) | Developer (per machine) |
 | **GLAuth (LDAP server)** | Admin UI authentication tests; data-path ACL evaluation tests | Local binary at `C:\publish\glauth\` per existing CLAUDE.md | 3893 (LDAP) / 3894 (LDAPS) | Service principal: `cn=admin,dc=otopcua,dc=local` / `OtOpcUaDev_2026!`; test users defined in GLAuth config | Developer (per machine) |
 | **Local dev Galaxy** (Aveva System Platform) | Galaxy driver tests; v1 IntegrationTests parity | Existing on dev box per CLAUDE.md | n/a (local COM) | Windows Auth | Developer (already present per project setup) |
 
@@ -270,11 +270,13 @@ Order matters because some installs have prerequisites and several need admin el
    docker run --name otopcua-mssql `
        -e "ACCEPT_EULA=Y" `
        -e "MSSQL_SA_PASSWORD=OtOpcUaDev_2026!" `
-       -p 1433:1433 `
+       -p 14330:1433 `
        -v otopcua-mssql-data:/var/opt/mssql `
        -d mcr.microsoft.com/mssql/server:2022-latest
    ```
 
+   The host port is **14330**, not 1433, to coexist with the native MSSQL14 instance that hosts the Galaxy `ZB` DB on port 1433. Both the native instance and Docker's port-proxy will happily bind `0.0.0.0:1433`, but only one of them catches any given connection — which is effectively non-deterministic and produces confusing "Login failed for user 'sa'" errors when the native instance wins. Using 14330 eliminates the race entirely.
+
    The `-v otopcua-mssql-data:/var/opt/mssql` named volume preserves database files across container restarts and `docker rm` — drop it only if you want a strictly throwaway instance.
 
    Verify:

docs/v2/implementation/phase-2-partial-exit-evidence.md

@@ -0,0 +1,163 @@
+# Phase 2 — Partial Exit Evidence (2026-04-17)
+
+> This records what Phase 2 of v2 completed in the current session and what was explicitly
+> deferred. See `phase-2-galaxy-out-of-process.md` for the full task plan; this is the as-built
+> delta.
+
+## Status: **Streams A + B + C scaffolded and test-green. Streams D + E deferred.**
+
+The goal per the plan is "parity, not regression" — the phase exit gate requires v1
+IntegrationTests to pass against the v2 Galaxy.Proxy + Galaxy.Host topology byte-for-byte.
+Achieving that requires live MXAccess runtime plus the Galaxy code lift out of the legacy
+`OtOpcUa.Host`. Both are operations that need a dev Galaxy up and a parity test cycle to verify.
+Without that cycle, deleting the legacy Host would break the 494 passing v1 tests that are the
+parity baseline.
+
+What *is* done: all scaffolding, IPC contracts, supervisor logic, and stability protections
+needed to hang the real MXAccess code onto. Every piece has unit-level or IPC-level test
+coverage.
+
+## Delivered
+
+### Stream A — `Driver.Galaxy.Shared` (1 week estimate, **complete**)
+
+- `src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared/` (.NET Standard 2.0, MessagePack-only
+  dependency)
+- **Contracts**: `Hello`/`HelloAck` (version negotiation per Task A.3), `OpenSessionRequest`/
+  `OpenSessionResponse`/`CloseSessionRequest`, `Heartbeat`/`HeartbeatAck`, `ErrorResponse`,
+  `DiscoverHierarchyRequest`/`Response` + `GalaxyObjectInfo` + `GalaxyAttributeInfo`,
+  `ReadValuesRequest`/`Response`, `WriteValuesRequest`/`Response`, `SubscribeRequest`/
+  `Response`/`UnsubscribeRequest`/`OnDataChangeNotification`, `AlarmSubscribeRequest`/
+  `GalaxyAlarmEvent`/`AlarmAckRequest`, `HistoryReadRequest`/`Response`+`HistoryTagValues`,
+  `HostConnectivityStatus`+`RuntimeStatusChangeNotification`, `RecycleHostRequest`/
+  `RecycleStatusResponse`
+- **Framing**: length-prefixed (decision #28) + 1-byte kind tag + MessagePack body. 16 MiB
+  body cap. `FrameWriter`/`FrameReader` with thread-safe write gate.
+- **Tests (6)**: reflection-scan round-trip for every `[MessagePackObject]`, referenced-
+  assemblies guard (only MessagePack allowed outside BCL), Hello version defaults,
+  `FrameWriter`↔`FrameReader` interop, oversize-frame rejection.
+
+### Stream B — `Driver.Galaxy.Host` (3–4 week estimate, **scaffold complete; MXAccess lift deferred**)
+
+- `src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/` (.NET Framework 4.8 AnyCPU — flips to x86 when
+  the Galaxy code lift happens per Task B.1 scope)
+- **`Ipc/PipeAcl`**: builds the strict `PipeSecurity` — allow configured server-principal SID,
+  explicit deny on LocalSystem + Administrators, owner = allowed SID (decision #76).
+- **`Ipc/PipeServer`**: named-pipe server that (1) enforces the ACL, (2) verifies caller SID
+  via `pipe.RunAsClient` + `WindowsIdentity.GetCurrent`, (3) requires the per-process shared
+  secret in the Hello frame before any other RPC, (4) rejects major-version mismatches.
+- **`Stability/MemoryWatchdog`**: Galaxy thresholds — warn at `max(1.5×baseline, +200 MB)`,
+  soft-recycle at `max(2×baseline, +200 MB)`, hard ceiling 1.5 GB, slope ≥5 MB/min over 30 min.
+  Pluggable RSS source for unit testability.
+- **`Stability/RecyclePolicy`**: 1-recycle/hr cap; 03:00 local daily scheduled recycle.
+- **`Stability/PostMortemMmf`**: ring buffer of 1000 × 256-byte entries in `%ProgramData%\
+  OtOpcUa\driver-postmortem\galaxy.mmf`. Single-writer / multi-reader. Survives hard crash;
+  supervisor reads the MMF via a second process.
+- **`Sta/MxAccessHandle`**: `SafeHandle` subclass — `ReleaseHandle` calls `Marshal.ReleaseComObject`
+  in a loop until refcount = 0 then invokes the optional `unregister` callback. Finalizer-safe.
+  Wraps any RCW via `object` so we can unit-test against a mock; the real wiring to
+  `ArchestrA.MxAccess.LMXProxyServer` lands with the deferred code move.
+- **`Sta/StaPump`**: dedicated STA thread with `BlockingCollection` work queue + `InvokeAsync`
+  dispatch. Responsiveness probe (`IsResponsiveAsync`) returns false on wedge. The real
+  Win32 `GetMessage/DispatchMessage` pump from v1 `LmxProxy.Host` slots in here with the same
+  dispatch semantics.
+- **`IsExternalInit` shim**: required for `init` setters on .NET 4.8.
+- **`Program.cs`**: reads `OTOPCUA_GALAXY_PIPE`, `OTOPCUA_ALLOWED_SID`, `OTOPCUA_GALAXY_SECRET`
+  from env (supervisor sets at spawn), runs the pipe server, logs via Serilog to
+  `%ProgramData%\OtOpcUa\galaxy-host-YYYY-MM-DD.log`.
+- **`Ipc/StubFrameHandler`**: placeholder that heartbeat-acks and returns `not-implemented`
+  errors. Swapped for the real Galaxy-backed handler when the MXAccess code move completes.
+- **Tests (15)**: `MemoryWatchdog` thresholds + slope detection; `RecyclePolicy` cap + daily
+  schedule; `PostMortemMmf` round-trip + ring-wrap + truncation-safety; `StaPump`
+  apartment-state + responsiveness-probe wedge detection.
+
+### Stream C — `Driver.Galaxy.Proxy` (1.5 week estimate, **complete as IPC-forwarder**)
+
+- `src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy/` (.NET 10)
+- **`Ipc/GalaxyIpcClient`**: Hello handshake + shared-secret authentication + single-call
+  request/response over the data-plane pipe. Serializes concurrent callers via
+  `SemaphoreSlim`. Lifts `ErrorResponse` to `GalaxyIpcException` with the error code.
+- **`GalaxyProxyDriver`**: implements `IDriver` + `ITagDiscovery`. Forwards lifecycle and
+  discovery over IPC; maps Galaxy MX data types → `DriverDataType` and security classifications
+  → `SecurityClassification`. Stream C-plan capability interfaces for `IReadable`, `IWritable`,
+  `ISubscribable`, `IAlarmSource`, `IHistoryProvider`, `IHostConnectivityProbe`,
+  `IRediscoverable` are structured identically — wire them in when the Host's MXAccess backend
+  exists so the round-trips can actually serve data.
+- **`Supervisor/Backoff`**: 5s → 15s → 60s capped; `RecordStableRun` resets after 2-min
+  successful run.
+- **`Supervisor/CircuitBreaker`**: 3 crashes per 5 min opens; cooldown escalates
+  1h → 4h → manual (`TimeSpan.MaxValue`). Sticky alert doesn't auto-clear when cooldown
+  elapses; `ManualReset` only.
+- **`Supervisor/HeartbeatMonitor`**: 2s cadence, 3 consecutive misses = host dead.
+- **Tests (11)**: `Backoff` sequence + reset; `CircuitBreaker` full 1h/4h/manual escalation
+  path; `HeartbeatMonitor` miss-count + ack-reset; full IPC handshake round-trip
+  (Host + Proxy over a real named pipe, heartbeat ack verified; shared-secret mismatch
+  rejected with `UnauthorizedAccessException`).
+
+## Deferred (explicitly noted as TODO)
+
+### Stream D — Retire legacy `OtOpcUa.Host`
+
+**Not executable until Stream E parity passes.** Deleting the legacy project now would break
+the 494 v1 IntegrationTests that are the parity baseline. Recovery requires:
+
+1. Host MXAccess code lift (Task B.1 "move Galaxy code") from `OtOpcUa.Host/` into
+   `OtOpcUa.Driver.Galaxy.Host/` — STA pump wiring, `MxAccessHandle` backing the real
+   `LMXProxyServer`, `GalaxyRepository` and its SQL queries, `GalaxyRuntimeProbeManager`,
+   Historian loader, the Ipc stub handler replaced with a real `IFrameHandler` that invokes
+   the handle.
+2. Address-space build via `IAddressSpaceBuilder` produces byte-equivalent OPC UA browse
+   output to v1 (Task C.4).
+3. Windows service installer registers two services (`OtOpcUa` + `OtOpcUaGalaxyHost`) with
+   the correct service-account SIDs and per-process secret provisioning. Galaxy.Host starts
+   before OtOpcUa.
+4. `appsettings.json` Galaxy config (MxAccess / Galaxy / Historian sections) migrated into
+   `DriverInstance.DriverConfig` JSON in the Configuration DB via an idempotent migration
+   script. Post-migration, the local `appsettings.json` keeps only `Cluster.NodeId`,
+   `ClusterId`, and the DB conn string per decision #18.
+
+### Stream E — Parity validation
+
+Requires live MXAccess + Galaxy runtime and the above lift complete. Work items:
+
+- Run v1 IntegrationTests against the v2 Galaxy.Proxy + Galaxy.Host topology. Pass count =
+  v1 baseline; failures = 0. Per-test duration regression report flags any test >2× baseline.
+- Scripted Client.CLI walkthrough recorded at Phase 2 entry gate against v1, replayed
+  against v2; diff must show only timestamp/latency differences.
+- Regression tests for the four 2026-04-13 stability findings (phantom probe, cross-host
+  quality clear, sync-over-async guard, fire-and-forget alarm drain).
+- `/codex:adversarial-review --base v2` on the merged Phase 2 diff — findings closed or
+  deferred with rationale.
+
+## Also deferred from Stream B
+
+- **Task B.10 FaultShim** (test-only `ArchestrA.MxAccess` substitute for fault injection).
+  Needs the production `ArchestrA.MxAccess` reference in place first; flagged as part of the
+  plan's "mid-gate review" fallback (Risk row 7).
+- **Task B.8 WM_QUIT hard-exit escalation** — wired in when the real Win32 pump replaces the
+  `BlockingCollection` dispatcher. The `StaPump.IsResponsiveAsync` probe already exists; the
+  supervisor escalation-to-`Environment.Exit(2)` belongs to the Program main loop after the
+  pump integration.
+
+## Cross-session impact on the build
+
+- **Full solution**: 926 tests pass, 1 fails (pre-existing Phase 0 baseline
+  `Client.CLI.Tests.SubscribeCommandTests.Execute_PrintsSubscriptionMessage` — not a Phase 2
+  regression; was red before Phase 1 and stays red through Phase 2).
+- **New projects added to `.slnx`**: `Driver.Galaxy.Shared`, `Driver.Galaxy.Host`,
+  `Driver.Galaxy.Proxy`, plus the three matching test projects.
+- **No existing tests broke.** The 494 v1 `OtOpcUa.Tests` (net48) and 6 `IntegrationTests`
+  (net48) still pass because the legacy `OtOpcUa.Host` is untouched.
+
+## Next-session checklist for Stream D + E
+
+1. Stand up dev Galaxy; capture Client.CLI walkthrough baseline against v1.
+2. Move Galaxy-specific files from `OtOpcUa.Host` into `Driver.Galaxy.Host`, renaming
+   namespaces. Replace `StubFrameHandler` with the real one.
+3. Wire up the real Win32 pump inside `StaPump` (lift from scadalink-design's
+   `LmxProxy.Host` reference per CLAUDE.md).
+4. Run v1 IntegrationTests against the v2 topology — iterate on parity defects until green.
+5. Run Client.CLI walkthrough and diff.
+6. Regression tests for the four stability findings.
+7. Delete legacy `OtOpcUa.Host`; update `.slnx`; update installer scripts.
+8. Adversarial review; `exit-gate-phase-2.md` recorded; PR merged.

src/ZB.MOM.WW.OtOpcUa.Admin/Components/App.razor

@@ -0,0 +1,18 @@
+@* Root Blazor component. *@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="utf-8"/>
+    <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
+    <title>OtOpcUa Admin</title>
+    <base href="/"/>
+    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.3/dist/css/bootstrap.min.css"/>
+    <link rel="stylesheet" href="app.css"/>
+    <HeadOutlet/>
+</head>
+<body>
+    <Routes/>
+    <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.3/dist/js/bootstrap.bundle.min.js"></script>
+    <script src="_framework/blazor.web.js"></script>
+</body>
+</html>

src/ZB.MOM.WW.OtOpcUa.Admin/Components/Layout/MainLayout.razor

@@ -0,0 +1,34 @@
+@inherits LayoutComponentBase
+
+<div class="d-flex" style="min-height: 100vh;">
+    <nav class="bg-dark text-light p-3" style="width: 220px;">
+        <h5 class="mb-4">OtOpcUa Admin</h5>
+        <ul class="nav flex-column">
+            <li class="nav-item"><a class="nav-link text-light" href="/">Overview</a></li>
+            <li class="nav-item"><a class="nav-link text-light" href="/clusters">Clusters</a></li>
+            <li class="nav-item"><a class="nav-link text-light" href="/reservations">Reservations</a></li>
+        </ul>
+
+        <div class="mt-5">
+            <AuthorizeView>
+                <Authorized>
+                    <div class="small text-light">
+                        Signed in as <strong>@context.User.Identity?.Name</strong>
+                    </div>
+                    <div class="small text-muted">
+                        @string.Join(", ", context.User.Claims.Where(c => c.Type.EndsWith("/role")).Select(c => c.Value))
+                    </div>
+                    <form method="post" action="/auth/logout">
+                        <button class="btn btn-sm btn-outline-light mt-2" type="submit">Sign out</button>
+                    </form>
+                </Authorized>
+                <NotAuthorized>
+                    <a class="btn btn-sm btn-outline-light" href="/login">Sign in</a>
+                </NotAuthorized>
+            </AuthorizeView>
+        </div>
+    </nav>
+    <main class="flex-grow-1 p-4">
+        @Body
+    </main>
+</div>

src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/AclsTab.razor

@@ -0,0 +1,126 @@
+@using ZB.MOM.WW.OtOpcUa.Admin.Services
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@using ZB.MOM.WW.OtOpcUa.Configuration.Enums
+@inject NodeAclService AclSvc
+
+<div class="d-flex justify-content-between mb-3">
+    <h4>Access-control grants</h4>
+    <button class="btn btn-sm btn-primary" @onclick="() => _showForm = true">Add grant</button>
+</div>
+
+@if (_acls is null) { <p>Loading…</p> }
+else if (_acls.Count == 0) { <p class="text-muted">No ACL grants in this draft. Publish will result in a cluster with no external access.</p> }
+else
+{
+    <table class="table table-sm">
+        <thead><tr><th>LDAP group</th><th>Scope</th><th>Scope ID</th><th>Permissions</th><th></th></tr></thead>
+        <tbody>
+        @foreach (var a in _acls)
+        {
+            <tr>
+                <td>@a.LdapGroup</td>
+                <td>@a.ScopeKind</td>
+                <td><code>@(a.ScopeId ?? "-")</code></td>
+                <td><code>@a.PermissionFlags</code></td>
+                <td><button class="btn btn-sm btn-outline-danger" @onclick="() => RevokeAsync(a.NodeAclRowId)">Revoke</button></td>
+            </tr>
+        }
+        </tbody>
+    </table>
+}
+
+@if (_showForm)
+{
+    <div class="card">
+        <div class="card-body">
+            <div class="row g-3">
+                <div class="col-md-4">
+                    <label class="form-label">LDAP group</label>
+                    <input class="form-control" @bind="_group"/>
+                </div>
+                <div class="col-md-4">
+                    <label class="form-label">Scope kind</label>
+                    <select class="form-select" @bind="_scopeKind">
+                        @foreach (var k in Enum.GetValues<NodeAclScopeKind>()) { <option value="@k">@k</option> }
+                    </select>
+                </div>
+                <div class="col-md-4">
+                    <label class="form-label">Scope ID (empty for Cluster-wide)</label>
+                    <input class="form-control" @bind="_scopeId"/>
+                </div>
+                <div class="col-12">
+                    <label class="form-label">Permissions (bundled presets — per-flag editor in v2.1)</label>
+                    <select class="form-select" @bind="_preset">
+                        <option value="Read">Read (Browse + Read)</option>
+                        <option value="WriteOperate">Read + Write Operate</option>
+                        <option value="Engineer">Read + Write Tune + Write Configure</option>
+                        <option value="AlarmAck">Read + Alarm Ack</option>
+                        <option value="Full">Full (every flag)</option>
+                    </select>
+                </div>
+            </div>
+            @if (_error is not null) { <div class="alert alert-danger mt-3">@_error</div> }
+            <div class="mt-3">
+                <button class="btn btn-sm btn-primary" @onclick="SaveAsync">Save</button>
+                <button class="btn btn-sm btn-secondary ms-2" @onclick="() => _showForm = false">Cancel</button>
+            </div>
+        </div>
+    </div>
+}
+
+@code {
+    [Parameter] public long GenerationId { get; set; }
+    [Parameter] public string ClusterId { get; set; } = string.Empty;
+
+    private List<NodeAcl>? _acls;
+    private bool _showForm;
+    private string _group = string.Empty;
+    private NodeAclScopeKind _scopeKind = NodeAclScopeKind.Cluster;
+    private string _scopeId = string.Empty;
+    private string _preset = "Read";
+    private string? _error;
+
+    protected override async Task OnParametersSetAsync() =>
+        _acls = await AclSvc.ListAsync(GenerationId, CancellationToken.None);
+
+    private NodePermissions ResolvePreset() => _preset switch
+    {
+        "Read"          => NodePermissions.Browse | NodePermissions.Read,
+        "WriteOperate"  => NodePermissions.Browse | NodePermissions.Read | NodePermissions.WriteOperate,
+        "Engineer"      => NodePermissions.Browse | NodePermissions.Read | NodePermissions.WriteTune | NodePermissions.WriteConfigure,
+        "AlarmAck"      => NodePermissions.Browse | NodePermissions.Read | NodePermissions.AlarmRead | NodePermissions.AlarmAcknowledge,
+        "Full"          => unchecked((NodePermissions)(-1)),
+        _               => NodePermissions.Browse | NodePermissions.Read,
+    };
+
+    private async Task SaveAsync()
+    {
+        _error = null;
+        if (string.IsNullOrWhiteSpace(_group)) { _error = "LDAP group is required"; return; }
+
+        var scopeId = _scopeKind == NodeAclScopeKind.Cluster ? null
+                     : string.IsNullOrWhiteSpace(_scopeId) ? null : _scopeId;
+
+        if (_scopeKind != NodeAclScopeKind.Cluster && scopeId is null)
+        {
+            _error = $"ScopeId required for {_scopeKind}";
+            return;
+        }
+
+        try
+        {
+            await AclSvc.GrantAsync(GenerationId, ClusterId, _group, _scopeKind, scopeId,
+                ResolvePreset(), notes: null, CancellationToken.None);
+            _group = string.Empty; _scopeId = string.Empty;
+            _showForm = false;
+            _acls = await AclSvc.ListAsync(GenerationId, CancellationToken.None);
+        }
+        catch (Exception ex) { _error = ex.Message; }
+    }
+
+    private async Task RevokeAsync(Guid rowId)
+    {
+        await AclSvc.RevokeAsync(rowId, CancellationToken.None);
+        _acls = await AclSvc.ListAsync(GenerationId, CancellationToken.None);
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/AuditTab.razor

@@ -0,0 +1,35 @@
+@using ZB.MOM.WW.OtOpcUa.Admin.Services
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@inject AuditLogService AuditSvc
+
+<h4>Recent audit log</h4>
+
+@if (_entries is null) { <p>Loading…</p> }
+else if (_entries.Count == 0) { <p class="text-muted">No audit entries for this cluster yet.</p> }
+else
+{
+    <table class="table table-sm">
+        <thead><tr><th>When</th><th>Principal</th><th>Event</th><th>Node</th><th>Generation</th><th>Details</th></tr></thead>
+        <tbody>
+        @foreach (var a in _entries)
+        {
+            <tr>
+                <td>@a.Timestamp.ToString("u")</td>
+                <td>@a.Principal</td>
+                <td><code>@a.EventType</code></td>
+                <td>@a.NodeId</td>
+                <td>@a.GenerationId</td>
+                <td><small class="text-muted">@a.DetailsJson</small></td>
+            </tr>
+        }
+        </tbody>
+    </table>
+}
+
+@code {
+    [Parameter] public string ClusterId { get; set; } = string.Empty;
+    private List<ConfigAuditLog>? _entries;
+
+    protected override async Task OnParametersSetAsync() =>
+        _entries = await AuditSvc.ListRecentAsync(ClusterId, limit: 100, CancellationToken.None);
+}

src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/ClusterDetail.razor

@@ -0,0 +1,165 @@
+@page "/clusters/{ClusterId}"
+@using Microsoft.AspNetCore.Components.Web
+@using Microsoft.AspNetCore.SignalR.Client
+@using ZB.MOM.WW.OtOpcUa.Admin.Hubs
+@using ZB.MOM.WW.OtOpcUa.Admin.Services
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@using ZB.MOM.WW.OtOpcUa.Configuration.Enums
+@implements IAsyncDisposable
+@rendermode RenderMode.InteractiveServer
+@inject ClusterService ClusterSvc
+@inject GenerationService GenerationSvc
+@inject NavigationManager Nav
+
+@if (_cluster is null)
+{
+    <p>Loading…</p>
+}
+else
+{
+    @if (_liveBanner is not null)
+    {
+        <div class="alert alert-info py-2 small">
+            <strong>Live update:</strong> @_liveBanner
+            <button type="button" class="btn-close float-end" @onclick="() => _liveBanner = null"></button>
+        </div>
+    }
+    <div class="d-flex justify-content-between align-items-center mb-3">
+        <div>
+            <h1 class="mb-0">@_cluster.Name</h1>
+            <code class="text-muted">@_cluster.ClusterId</code>
+            @if (!_cluster.Enabled) { <span class="badge bg-secondary ms-2">Disabled</span> }
+        </div>
+        <div>
+            @if (_currentDraft is not null)
+            {
+                <a href="/clusters/@ClusterId/draft/@_currentDraft.GenerationId" class="btn btn-outline-primary">
+                    Edit current draft (gen @_currentDraft.GenerationId)
+                </a>
+            }
+            else
+            {
+                <button class="btn btn-primary" @onclick="CreateDraftAsync" disabled="@_busy">New draft</button>
+            }
+        </div>
+    </div>
+
+    <ul class="nav nav-tabs mb-3">
+        <li class="nav-item"><button class="nav-link @Tab("overview")" @onclick='() => _tab = "overview"'>Overview</button></li>
+        <li class="nav-item"><button class="nav-link @Tab("generations")" @onclick='() => _tab = "generations"'>Generations</button></li>
+        <li class="nav-item"><button class="nav-link @Tab("equipment")" @onclick='() => _tab = "equipment"'>Equipment</button></li>
+        <li class="nav-item"><button class="nav-link @Tab("uns")" @onclick='() => _tab = "uns"'>UNS Structure</button></li>
+        <li class="nav-item"><button class="nav-link @Tab("namespaces")" @onclick='() => _tab = "namespaces"'>Namespaces</button></li>
+        <li class="nav-item"><button class="nav-link @Tab("drivers")" @onclick='() => _tab = "drivers"'>Drivers</button></li>
+        <li class="nav-item"><button class="nav-link @Tab("acls")" @onclick='() => _tab = "acls"'>ACLs</button></li>
+        <li class="nav-item"><button class="nav-link @Tab("audit")" @onclick='() => _tab = "audit"'>Audit</button></li>
+    </ul>
+
+    @if (_tab == "overview")
+    {
+        <dl class="row">
+            <dt class="col-sm-3">Enterprise / Site</dt><dd class="col-sm-9">@_cluster.Enterprise / @_cluster.Site</dd>
+            <dt class="col-sm-3">Redundancy</dt><dd class="col-sm-9">@_cluster.RedundancyMode (@_cluster.NodeCount node@(_cluster.NodeCount == 1 ? "" : "s"))</dd>
+            <dt class="col-sm-3">Current published</dt>
+            <dd class="col-sm-9">
+                @if (_currentPublished is not null) { <span>@_currentPublished.GenerationId (@_currentPublished.PublishedAt?.ToString("u"))</span> }
+                else { <span class="text-muted">none published yet</span> }
+            </dd>
+            <dt class="col-sm-3">Created</dt><dd class="col-sm-9">@_cluster.CreatedAt.ToString("u") by @_cluster.CreatedBy</dd>
+        </dl>
+    }
+    else if (_tab == "generations")
+    {
+        <Generations ClusterId="@ClusterId"/>
+    }
+    else if (_tab == "equipment" && _currentDraft is not null)
+    {
+        <EquipmentTab GenerationId="@_currentDraft.GenerationId"/>
+    }
+    else if (_tab == "uns" && _currentDraft is not null)
+    {
+        <UnsTab GenerationId="@_currentDraft.GenerationId" ClusterId="@ClusterId"/>
+    }
+    else if (_tab == "namespaces" && _currentDraft is not null)
+    {
+        <NamespacesTab GenerationId="@_currentDraft.GenerationId" ClusterId="@ClusterId"/>
+    }
+    else if (_tab == "drivers" && _currentDraft is not null)
+    {
+        <DriversTab GenerationId="@_currentDraft.GenerationId" ClusterId="@ClusterId"/>
+    }
+    else if (_tab == "acls" && _currentDraft is not null)
+    {
+        <AclsTab GenerationId="@_currentDraft.GenerationId" ClusterId="@ClusterId"/>
+    }
+    else if (_tab == "audit")
+    {
+        <AuditTab ClusterId="@ClusterId"/>
+    }
+    else
+    {
+        <p class="text-muted">Open a draft to edit this cluster's content.</p>
+    }
+}
+
+@code {
+    [Parameter] public string ClusterId { get; set; } = string.Empty;
+    private ServerCluster? _cluster;
+    private ConfigGeneration? _currentDraft;
+    private ConfigGeneration? _currentPublished;
+    private string _tab = "overview";
+    private bool _busy;
+    private HubConnection? _hub;
+    private string? _liveBanner;
+
+    private string Tab(string key) => _tab == key ? "active" : string.Empty;
+
+    protected override async Task OnInitializedAsync()
+    {
+        await LoadAsync();
+        await ConnectHubAsync();
+    }
+
+    private async Task LoadAsync()
+    {
+        _cluster = await ClusterSvc.FindAsync(ClusterId, CancellationToken.None);
+        var gens = await GenerationSvc.ListRecentAsync(ClusterId, 50, CancellationToken.None);
+        _currentDraft = gens.FirstOrDefault(g => g.Status == GenerationStatus.Draft);
+        _currentPublished = gens.FirstOrDefault(g => g.Status == GenerationStatus.Published);
+    }
+
+    private async Task ConnectHubAsync()
+    {
+        _hub = new HubConnectionBuilder()
+            .WithUrl(Nav.ToAbsoluteUri("/hubs/fleet"))
+            .WithAutomaticReconnect()
+            .Build();
+
+        _hub.On<NodeStateChangedMessage>("NodeStateChanged", async msg =>
+        {
+            if (msg.ClusterId != ClusterId) return;
+            _liveBanner = $"Node {msg.NodeId}: {msg.LastAppliedStatus ?? "seen"} at {msg.LastAppliedAt?.ToString("u") ?? msg.LastSeenAt?.ToString("u") ?? "-"}";
+            await LoadAsync();
+            await InvokeAsync(StateHasChanged);
+        });
+
+        await _hub.StartAsync();
+        await _hub.SendAsync("SubscribeCluster", ClusterId);
+    }
+
+    private async Task CreateDraftAsync()
+    {
+        _busy = true;
+        try
+        {
+            var draft = await GenerationSvc.CreateDraftAsync(ClusterId, createdBy: "admin-ui", CancellationToken.None);
+            Nav.NavigateTo($"/clusters/{ClusterId}/draft/{draft.GenerationId}");
+        }
+        finally { _busy = false; }
+    }
+
+    public async ValueTask DisposeAsync()
+    {
+        if (_hub is not null) await _hub.DisposeAsync();
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/ClustersList.razor

@@ -0,0 +1,56 @@
+@page "/clusters"
+@using ZB.MOM.WW.OtOpcUa.Admin.Services
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@inject ClusterService ClusterSvc
+
+<div class="d-flex justify-content-between align-items-center mb-4">
+    <h1>Clusters</h1>
+    <a href="/clusters/new" class="btn btn-primary">New cluster</a>
+</div>
+
+@if (_clusters is null)
+{
+    <p>Loading…</p>
+}
+else if (_clusters.Count == 0)
+{
+    <p class="text-muted">No clusters yet. Create the first one.</p>
+}
+else
+{
+    <table class="table table-hover">
+        <thead>
+            <tr>
+                <th>ClusterId</th><th>Name</th><th>Enterprise</th><th>Site</th>
+                <th>RedundancyMode</th><th>NodeCount</th><th>Enabled</th><th></th>
+            </tr>
+        </thead>
+        <tbody>
+        @foreach (var c in _clusters)
+        {
+            <tr>
+                <td><code>@c.ClusterId</code></td>
+                <td>@c.Name</td>
+                <td>@c.Enterprise</td>
+                <td>@c.Site</td>
+                <td>@c.RedundancyMode</td>
+                <td>@c.NodeCount</td>
+                <td>
+                    @if (c.Enabled) { <span class="badge bg-success">Active</span> }
+                    else { <span class="badge bg-secondary">Disabled</span> }
+                </td>
+                <td><a href="/clusters/@c.ClusterId" class="btn btn-sm btn-outline-primary">Open</a></td>
+            </tr>
+        }
+        </tbody>
+    </table>
+}
+
+@code {
+    private List<ServerCluster>? _clusters;
+
+    protected override async Task OnInitializedAsync()
+    {
+        _clusters = await ClusterSvc.ListAsync(CancellationToken.None);
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/DiffViewer.razor

@@ -0,0 +1,73 @@
+@page "/clusters/{ClusterId}/draft/{GenerationId:long}/diff"
+@using ZB.MOM.WW.OtOpcUa.Admin.Services
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@using ZB.MOM.WW.OtOpcUa.Configuration.Enums
+@inject GenerationService GenerationSvc
+
+<div class="d-flex justify-content-between align-items-center mb-3">
+    <div>
+        <h1 class="mb-0">Draft diff</h1>
+        <small class="text-muted">
+            Cluster <code>@ClusterId</code> — from last published (@(_fromLabel)) → to draft @GenerationId
+        </small>
+    </div>
+    <a class="btn btn-outline-secondary" href="/clusters/@ClusterId/draft/@GenerationId">Back to editor</a>
+</div>
+
+@if (_rows is null)
+{
+    <p>Computing diff…</p>
+}
+else if (_error is not null)
+{
+    <div class="alert alert-danger">@_error</div>
+}
+else if (_rows.Count == 0)
+{
+    <p class="text-muted">No differences — draft is structurally identical to the last published generation.</p>
+}
+else
+{
+    <table class="table table-hover table-sm">
+        <thead><tr><th>Table</th><th>LogicalId</th><th>ChangeKind</th></tr></thead>
+        <tbody>
+        @foreach (var r in _rows)
+        {
+            <tr>
+                <td>@r.TableName</td>
+                <td><code>@r.LogicalId</code></td>
+                <td>
+                    @switch (r.ChangeKind)
+                    {
+                        case "Added":    <span class="badge bg-success">@r.ChangeKind</span> break;
+                        case "Removed":  <span class="badge bg-danger">@r.ChangeKind</span> break;
+                        case "Modified": <span class="badge bg-warning text-dark">@r.ChangeKind</span> break;
+                        default:         <span class="badge bg-secondary">@r.ChangeKind</span> break;
+                    }
+                </td>
+            </tr>
+        }
+        </tbody>
+    </table>
+}
+
+@code {
+    [Parameter] public string ClusterId { get; set; } = string.Empty;
+    [Parameter] public long GenerationId { get; set; }
+
+    private List<DiffRow>? _rows;
+    private string _fromLabel = "(empty)";
+    private string? _error;
+
+    protected override async Task OnParametersSetAsync()
+    {
+        try
+        {
+            var all = await GenerationSvc.ListRecentAsync(ClusterId, 50, CancellationToken.None);
+            var from = all.FirstOrDefault(g => g.Status == GenerationStatus.Published);
+            _fromLabel = from is null ? "(empty)" : $"gen {from.GenerationId}";
+            _rows = await GenerationSvc.ComputeDiffAsync(from?.GenerationId ?? 0, GenerationId, CancellationToken.None);
+        }
+        catch (Exception ex) { _error = ex.Message; }
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/DraftEditor.razor

@@ -0,0 +1,103 @@
+@page "/clusters/{ClusterId}/draft/{GenerationId:long}"
+@using ZB.MOM.WW.OtOpcUa.Admin.Services
+@using ZB.MOM.WW.OtOpcUa.Configuration.Validation
+@inject GenerationService GenerationSvc
+@inject DraftValidationService ValidationSvc
+@inject NavigationManager Nav
+
+<div class="d-flex justify-content-between align-items-center mb-3">
+    <div>
+        <h1 class="mb-0">Draft editor</h1>
+        <small class="text-muted">Cluster <code>@ClusterId</code> · generation @GenerationId</small>
+    </div>
+    <div>
+        <a class="btn btn-outline-secondary" href="/clusters/@ClusterId">Back to cluster</a>
+        <a class="btn btn-outline-primary ms-2" href="/clusters/@ClusterId/draft/@GenerationId/diff">View diff</a>
+        <button class="btn btn-primary ms-2" disabled="@(_errors.Count != 0 || _busy)" @onclick="PublishAsync">Publish</button>
+    </div>
+</div>
+
+<ul class="nav nav-tabs mb-3">
+    <li class="nav-item"><button class="nav-link @Active("equipment")" @onclick='() => _tab = "equipment"'>Equipment</button></li>
+    <li class="nav-item"><button class="nav-link @Active("uns")" @onclick='() => _tab = "uns"'>UNS</button></li>
+    <li class="nav-item"><button class="nav-link @Active("namespaces")" @onclick='() => _tab = "namespaces"'>Namespaces</button></li>
+    <li class="nav-item"><button class="nav-link @Active("drivers")" @onclick='() => _tab = "drivers"'>Drivers</button></li>
+    <li class="nav-item"><button class="nav-link @Active("acls")" @onclick='() => _tab = "acls"'>ACLs</button></li>
+</ul>
+
+<div class="row">
+    <div class="col-md-8">
+        @if (_tab == "equipment") { <EquipmentTab GenerationId="@GenerationId"/> }
+        else if (_tab == "uns") { <UnsTab GenerationId="@GenerationId" ClusterId="@ClusterId"/> }
+        else if (_tab == "namespaces") { <NamespacesTab GenerationId="@GenerationId" ClusterId="@ClusterId"/> }
+        else if (_tab == "drivers") { <DriversTab GenerationId="@GenerationId" ClusterId="@ClusterId"/> }
+        else if (_tab == "acls") { <AclsTab GenerationId="@GenerationId" ClusterId="@ClusterId"/> }
+    </div>
+    <div class="col-md-4">
+        <div class="card sticky-top">
+            <div class="card-header d-flex justify-content-between align-items-center">
+                <strong>Validation</strong>
+                <button class="btn btn-sm btn-outline-secondary" @onclick="RevalidateAsync">Re-run</button>
+            </div>
+            <div class="card-body">
+                @if (_validating) { <p class="text-muted">Checking…</p> }
+                else if (_errors.Count == 0) { <div class="alert alert-success mb-0">No validation errors — safe to publish.</div> }
+                else
+                {
+                    <div class="alert alert-danger mb-2">@_errors.Count error@(_errors.Count == 1 ? "" : "s")</div>
+                    <ul class="list-unstyled">
+                        @foreach (var e in _errors)
+                        {
+                            <li class="mb-2">
+                                <span class="badge bg-danger me-1">@e.Code</span>
+                                <small>@e.Message</small>
+                                @if (!string.IsNullOrEmpty(e.Context)) { <div class="text-muted"><code>@e.Context</code></div> }
+                            </li>
+                        }
+                    </ul>
+                }
+            </div>
+        </div>
+
+        @if (_publishError is not null) { <div class="alert alert-danger mt-3">@_publishError</div> }
+    </div>
+</div>
+
+@code {
+    [Parameter] public string ClusterId { get; set; } = string.Empty;
+    [Parameter] public long GenerationId { get; set; }
+
+    private string _tab = "equipment";
+    private List<ValidationError> _errors = [];
+    private bool _validating;
+    private bool _busy;
+    private string? _publishError;
+
+    private string Active(string k) => _tab == k ? "active" : string.Empty;
+
+    protected override async Task OnParametersSetAsync() => await RevalidateAsync();
+
+    private async Task RevalidateAsync()
+    {
+        _validating = true;
+        try
+        {
+            var errors = await ValidationSvc.ValidateAsync(GenerationId, CancellationToken.None);
+            _errors = errors.ToList();
+        }
+        finally { _validating = false; }
+    }
+
+    private async Task PublishAsync()
+    {
+        _busy = true;
+        _publishError = null;
+        try
+        {
+            await GenerationSvc.PublishAsync(ClusterId, GenerationId, notes: "Published via Admin UI", CancellationToken.None);
+            Nav.NavigateTo($"/clusters/{ClusterId}");
+        }
+        catch (Exception ex) { _publishError = ex.Message; }
+        finally { _busy = false; }
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/DriversTab.razor

@@ -0,0 +1,107 @@
+@using ZB.MOM.WW.OtOpcUa.Admin.Services
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@inject DriverInstanceService DriverSvc
+@inject NamespaceService NsSvc
+
+<div class="d-flex justify-content-between mb-3">
+    <h4>DriverInstances</h4>
+    <button class="btn btn-sm btn-primary" @onclick="() => _showForm = true">Add driver</button>
+</div>
+
+@if (_drivers is null) { <p>Loading…</p> }
+else if (_drivers.Count == 0) { <p class="text-muted">No drivers configured in this draft.</p> }
+else
+{
+    <table class="table table-sm">
+        <thead><tr><th>DriverInstanceId</th><th>Name</th><th>Type</th><th>Namespace</th></tr></thead>
+        <tbody>
+        @foreach (var d in _drivers)
+        {
+            <tr><td><code>@d.DriverInstanceId</code></td><td>@d.Name</td><td>@d.DriverType</td><td><code>@d.NamespaceId</code></td></tr>
+        }
+        </tbody>
+    </table>
+}
+
+@if (_showForm && _namespaces is not null)
+{
+    <div class="card">
+        <div class="card-body">
+            <div class="row g-3">
+                <div class="col-md-3">
+                    <label class="form-label">Name</label>
+                    <input class="form-control" @bind="_name"/>
+                </div>
+                <div class="col-md-3">
+                    <label class="form-label">DriverType</label>
+                    <select class="form-select" @bind="_type">
+                        <option>Galaxy</option>
+                        <option>ModbusTcp</option>
+                        <option>AbCip</option>
+                        <option>AbLegacy</option>
+                        <option>S7</option>
+                        <option>Focas</option>
+                        <option>OpcUaClient</option>
+                    </select>
+                </div>
+                <div class="col-md-6">
+                    <label class="form-label">Namespace</label>
+                    <select class="form-select" @bind="_nsId">
+                        @foreach (var n in _namespaces) { <option value="@n.NamespaceId">@n.Kind — @n.NamespaceUri</option> }
+                    </select>
+                </div>
+                <div class="col-12">
+                    <label class="form-label">DriverConfig JSON (schemaless per driver type)</label>
+                    <textarea class="form-control font-monospace" rows="6" @bind="_config"></textarea>
+                    <div class="form-text">Phase 1: generic JSON editor — per-driver schema validation arrives in each driver's phase (decision #94).</div>
+                </div>
+            </div>
+            @if (_error is not null) { <div class="alert alert-danger mt-3">@_error</div> }
+            <div class="mt-3">
+                <button class="btn btn-sm btn-primary" @onclick="SaveAsync">Save</button>
+                <button class="btn btn-sm btn-secondary ms-2" @onclick="() => _showForm = false">Cancel</button>
+            </div>
+        </div>
+    </div>
+}
+
+@code {
+    [Parameter] public long GenerationId { get; set; }
+    [Parameter] public string ClusterId { get; set; } = string.Empty;
+
+    private List<DriverInstance>? _drivers;
+    private List<Namespace>? _namespaces;
+    private bool _showForm;
+    private string _name = string.Empty;
+    private string _type = "ModbusTcp";
+    private string _nsId = string.Empty;
+    private string _config = "{}";
+    private string? _error;
+
+    protected override async Task OnParametersSetAsync() => await ReloadAsync();
+
+    private async Task ReloadAsync()
+    {
+        _drivers = await DriverSvc.ListAsync(GenerationId, CancellationToken.None);
+        _namespaces = await NsSvc.ListAsync(GenerationId, CancellationToken.None);
+        _nsId = _namespaces.FirstOrDefault()?.NamespaceId ?? string.Empty;
+    }
+
+    private async Task SaveAsync()
+    {
+        _error = null;
+        if (string.IsNullOrWhiteSpace(_name) || string.IsNullOrWhiteSpace(_nsId))
+        {
+            _error = "Name and Namespace are required";
+            return;
+        }
+        try
+        {
+            await DriverSvc.AddAsync(GenerationId, ClusterId, _nsId, _name, _type, _config, CancellationToken.None);
+            _name = string.Empty; _config = "{}";
+            _showForm = false;
+            await ReloadAsync();
+        }
+        catch (Exception ex) { _error = ex.Message; }
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/EquipmentTab.razor

@@ -0,0 +1,152 @@
+@using ZB.MOM.WW.OtOpcUa.Admin.Services
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@using ZB.MOM.WW.OtOpcUa.Configuration.Validation
+@inject EquipmentService EquipmentSvc
+
+<div class="d-flex justify-content-between mb-3">
+    <h4>Equipment (draft gen @GenerationId)</h4>
+    <button class="btn btn-primary btn-sm" @onclick="StartAdd">Add equipment</button>
+</div>
+
+@if (_equipment is null)
+{
+    <p>Loading…</p>
+}
+else if (_equipment.Count == 0 && !_showForm)
+{
+    <p class="text-muted">No equipment in this draft yet.</p>
+}
+else if (_equipment.Count > 0)
+{
+    <table class="table table-sm table-hover">
+        <thead>
+            <tr>
+                <th>EquipmentId</th><th>Name</th><th>MachineCode</th><th>ZTag</th><th>SAPID</th>
+                <th>Manufacturer / Model</th><th>Serial</th><th></th>
+            </tr>
+        </thead>
+        <tbody>
+        @foreach (var e in _equipment)
+        {
+            <tr>
+                <td><code>@e.EquipmentId</code></td>
+                <td>@e.Name</td>
+                <td>@e.MachineCode</td>
+                <td>@e.ZTag</td>
+                <td>@e.SAPID</td>
+                <td>@e.Manufacturer / @e.Model</td>
+                <td>@e.SerialNumber</td>
+                <td><button class="btn btn-sm btn-outline-danger" @onclick="() => DeleteAsync(e.EquipmentRowId)">Remove</button></td>
+            </tr>
+        }
+        </tbody>
+    </table>
+}
+
+@if (_showForm)
+{
+    <div class="card mt-3">
+        <div class="card-body">
+            <h5>New equipment</h5>
+            <EditForm Model="_draft" OnValidSubmit="SaveAsync" FormName="new-equipment">
+                <DataAnnotationsValidator/>
+                <div class="row g-3">
+                    <div class="col-md-4">
+                        <label class="form-label">Name (UNS segment)</label>
+                        <InputText @bind-Value="_draft.Name" class="form-control"/>
+                        <ValidationMessage For="() => _draft.Name"/>
+                    </div>
+                    <div class="col-md-4">
+                        <label class="form-label">MachineCode</label>
+                        <InputText @bind-Value="_draft.MachineCode" class="form-control"/>
+                    </div>
+                    <div class="col-md-4">
+                        <label class="form-label">DriverInstanceId</label>
+                        <InputText @bind-Value="_draft.DriverInstanceId" class="form-control"/>
+                    </div>
+                    <div class="col-md-4">
+                        <label class="form-label">UnsLineId</label>
+                        <InputText @bind-Value="_draft.UnsLineId" class="form-control"/>
+                    </div>
+                    <div class="col-md-4">
+                        <label class="form-label">ZTag</label>
+                        <InputText @bind-Value="_draft.ZTag" class="form-control"/>
+                    </div>
+                    <div class="col-md-4">
+                        <label class="form-label">SAPID</label>
+                        <InputText @bind-Value="_draft.SAPID" class="form-control"/>
+                    </div>
+                </div>
+
+                <h6 class="mt-4">OPC 40010 Identification</h6>
+                <div class="row g-3">
+                    <div class="col-md-4"><label class="form-label">Manufacturer</label><InputText @bind-Value="_draft.Manufacturer" class="form-control"/></div>
+                    <div class="col-md-4"><label class="form-label">Model</label><InputText @bind-Value="_draft.Model" class="form-control"/></div>
+                    <div class="col-md-4"><label class="form-label">Serial number</label><InputText @bind-Value="_draft.SerialNumber" class="form-control"/></div>
+                    <div class="col-md-4"><label class="form-label">Hardware rev</label><InputText @bind-Value="_draft.HardwareRevision" class="form-control"/></div>
+                    <div class="col-md-4"><label class="form-label">Software rev</label><InputText @bind-Value="_draft.SoftwareRevision" class="form-control"/></div>
+                    <div class="col-md-4">
+                        <label class="form-label">Year of construction</label>
+                        <InputNumber @bind-Value="_draft.YearOfConstruction" class="form-control"/>
+                    </div>
+                </div>
+
+                @if (_error is not null) { <div class="alert alert-danger mt-3">@_error</div> }
+
+                <div class="mt-3">
+                    <button type="submit" class="btn btn-primary btn-sm">Save</button>
+                    <button type="button" class="btn btn-secondary btn-sm ms-2" @onclick="() => _showForm = false">Cancel</button>
+                </div>
+            </EditForm>
+        </div>
+    </div>
+}
+
+@code {
+    [Parameter] public long GenerationId { get; set; }
+    private List<Equipment>? _equipment;
+    private bool _showForm;
+    private Equipment _draft = NewBlankDraft();
+    private string? _error;
+
+    private static Equipment NewBlankDraft() => new()
+    {
+        EquipmentId = string.Empty, DriverInstanceId = string.Empty,
+        UnsLineId = string.Empty, Name = string.Empty, MachineCode = string.Empty,
+    };
+
+    protected override async Task OnParametersSetAsync() => await ReloadAsync();
+
+    private async Task ReloadAsync()
+    {
+        _equipment = await EquipmentSvc.ListAsync(GenerationId, CancellationToken.None);
+    }
+
+    private void StartAdd()
+    {
+        _draft = NewBlankDraft();
+        _error = null;
+        _showForm = true;
+    }
+
+    private async Task SaveAsync()
+    {
+        _error = null;
+        _draft.EquipmentUuid = Guid.NewGuid();
+        _draft.EquipmentId = DraftValidator.DeriveEquipmentId(_draft.EquipmentUuid);
+        _draft.GenerationId = GenerationId;
+        try
+        {
+            await EquipmentSvc.CreateAsync(GenerationId, _draft, CancellationToken.None);
+            _showForm = false;
+            await ReloadAsync();
+        }
+        catch (Exception ex) { _error = ex.Message; }
+    }
+
+    private async Task DeleteAsync(Guid id)
+    {
+        await EquipmentSvc.DeleteAsync(id, CancellationToken.None);
+        await ReloadAsync();
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/Generations.razor

@@ -0,0 +1,73 @@
+@using ZB.MOM.WW.OtOpcUa.Admin.Services
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@using ZB.MOM.WW.OtOpcUa.Configuration.Enums
+@inject GenerationService GenerationSvc
+@inject NavigationManager Nav
+
+<h4>Generations</h4>
+
+@if (_generations is null) { <p>Loading…</p> }
+else if (_generations.Count == 0) { <p class="text-muted">No generations in this cluster yet.</p> }
+else
+{
+    <table class="table table-sm">
+        <thead>
+            <tr><th>ID</th><th>Status</th><th>Created</th><th>Published</th><th>PublishedBy</th><th>Notes</th><th></th></tr>
+        </thead>
+        <tbody>
+        @foreach (var g in _generations)
+        {
+            <tr>
+                <td><code>@g.GenerationId</code></td>
+                <td>@StatusBadge(g.Status)</td>
+                <td><small>@g.CreatedAt.ToString("u") by @g.CreatedBy</small></td>
+                <td><small>@(g.PublishedAt?.ToString("u") ?? "-")</small></td>
+                <td><small>@g.PublishedBy</small></td>
+                <td><small>@g.Notes</small></td>
+                <td>
+                    @if (g.Status == GenerationStatus.Draft)
+                    {
+                        <a class="btn btn-sm btn-primary" href="/clusters/@ClusterId/draft/@g.GenerationId">Open</a>
+                    }
+                    else if (g.Status is GenerationStatus.Published or GenerationStatus.Superseded)
+                    {
+                        <button class="btn btn-sm btn-outline-warning" @onclick="() => RollbackAsync(g.GenerationId)">Roll back to this</button>
+                    }
+                </td>
+            </tr>
+        }
+        </tbody>
+    </table>
+}
+
+@if (_error is not null) { <div class="alert alert-danger">@_error</div> }
+
+@code {
+    [Parameter] public string ClusterId { get; set; } = string.Empty;
+    private List<ConfigGeneration>? _generations;
+    private string? _error;
+
+    protected override async Task OnParametersSetAsync() => await ReloadAsync();
+
+    private async Task ReloadAsync() =>
+        _generations = await GenerationSvc.ListRecentAsync(ClusterId, 100, CancellationToken.None);
+
+    private async Task RollbackAsync(long targetId)
+    {
+        _error = null;
+        try
+        {
+            await GenerationSvc.RollbackAsync(ClusterId, targetId, notes: $"Rollback via Admin UI", CancellationToken.None);
+            await ReloadAsync();
+        }
+        catch (Exception ex) { _error = ex.Message; }
+    }
+
+    private static MarkupString StatusBadge(GenerationStatus s) => s switch
+    {
+        GenerationStatus.Draft      => new MarkupString("<span class='badge bg-info'>Draft</span>"),
+        GenerationStatus.Published  => new MarkupString("<span class='badge bg-success'>Published</span>"),
+        GenerationStatus.Superseded => new MarkupString("<span class='badge bg-secondary'>Superseded</span>"),
+        _                           => new MarkupString($"<span class='badge bg-light text-dark'>{s}</span>"),
+    };
+}

src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/NamespacesTab.razor

@@ -0,0 +1,69 @@
+@using ZB.MOM.WW.OtOpcUa.Admin.Services
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@using ZB.MOM.WW.OtOpcUa.Configuration.Enums
+@inject NamespaceService NsSvc
+
+<div class="d-flex justify-content-between mb-3">
+    <h4>Namespaces</h4>
+    <button class="btn btn-sm btn-primary" @onclick="() => _showForm = true">Add namespace</button>
+</div>
+
+@if (_namespaces is null) { <p>Loading…</p> }
+else if (_namespaces.Count == 0) { <p class="text-muted">No namespaces defined in this draft.</p> }
+else
+{
+    <table class="table table-sm">
+        <thead><tr><th>NamespaceId</th><th>Kind</th><th>URI</th><th>Enabled</th></tr></thead>
+        <tbody>
+        @foreach (var n in _namespaces)
+        {
+            <tr><td><code>@n.NamespaceId</code></td><td>@n.Kind</td><td>@n.NamespaceUri</td><td>@(n.Enabled ? "yes" : "no")</td></tr>
+        }
+        </tbody>
+    </table>
+}
+
+@if (_showForm)
+{
+    <div class="card">
+        <div class="card-body">
+            <div class="row g-3">
+                <div class="col-md-6"><label class="form-label">NamespaceUri</label><input class="form-control" @bind="_uri"/></div>
+                <div class="col-md-6">
+                    <label class="form-label">Kind</label>
+                    <select class="form-select" @bind="_kind">
+                        <option value="@NamespaceKind.Equipment">Equipment</option>
+                        <option value="@NamespaceKind.SystemPlatform">SystemPlatform (Galaxy)</option>
+                    </select>
+                </div>
+            </div>
+            <div class="mt-3">
+                <button class="btn btn-sm btn-primary" @onclick="SaveAsync">Save</button>
+                <button class="btn btn-sm btn-secondary ms-2" @onclick="() => _showForm = false">Cancel</button>
+            </div>
+        </div>
+    </div>
+}
+
+@code {
+    [Parameter] public long GenerationId { get; set; }
+    [Parameter] public string ClusterId { get; set; } = string.Empty;
+    private List<Namespace>? _namespaces;
+    private bool _showForm;
+    private string _uri = string.Empty;
+    private NamespaceKind _kind = NamespaceKind.Equipment;
+
+    protected override async Task OnParametersSetAsync() => await ReloadAsync();
+
+    private async Task ReloadAsync() =>
+        _namespaces = await NsSvc.ListAsync(GenerationId, CancellationToken.None);
+
+    private async Task SaveAsync()
+    {
+        if (string.IsNullOrWhiteSpace(_uri)) return;
+        await NsSvc.AddAsync(GenerationId, ClusterId, _uri, _kind, CancellationToken.None);
+        _uri = string.Empty;
+        _showForm = false;
+        await ReloadAsync();
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/NewCluster.razor

@@ -0,0 +1,104 @@
+@page "/clusters/new"
+@using System.ComponentModel.DataAnnotations
+@using ZB.MOM.WW.OtOpcUa.Admin.Services
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@using ZB.MOM.WW.OtOpcUa.Configuration.Enums
+@inject ClusterService ClusterSvc
+@inject GenerationService GenerationSvc
+@inject NavigationManager Nav
+
+<h1 class="mb-4">New cluster</h1>
+
+<EditForm Model="_input" OnValidSubmit="CreateAsync" FormName="new-cluster">
+    <DataAnnotationsValidator/>
+
+    <div class="row g-3">
+        <div class="col-md-6">
+            <label class="form-label">ClusterId <span class="text-danger">*</span></label>
+            <InputText @bind-Value="_input.ClusterId" class="form-control"/>
+            <div class="form-text">Stable internal ID. Lowercase alphanumeric + hyphens; ≤ 64 chars.</div>
+            <ValidationMessage For="() => _input.ClusterId"/>
+        </div>
+        <div class="col-md-6">
+            <label class="form-label">Display name <span class="text-danger">*</span></label>
+            <InputText @bind-Value="_input.Name" class="form-control"/>
+            <ValidationMessage For="() => _input.Name"/>
+        </div>
+        <div class="col-md-4">
+            <label class="form-label">Enterprise</label>
+            <InputText @bind-Value="_input.Enterprise" class="form-control"/>
+        </div>
+        <div class="col-md-4">
+            <label class="form-label">Site</label>
+            <InputText @bind-Value="_input.Site" class="form-control"/>
+        </div>
+        <div class="col-md-4">
+            <label class="form-label">Redundancy</label>
+            <InputSelect @bind-Value="_input.RedundancyMode" class="form-select">
+                <option value="@RedundancyMode.None">None (single node)</option>
+                <option value="@RedundancyMode.Warm">Warm (2 nodes)</option>
+                <option value="@RedundancyMode.Hot">Hot (2 nodes)</option>
+            </InputSelect>
+        </div>
+    </div>
+
+    @if (!string.IsNullOrEmpty(_error))
+    {
+        <div class="alert alert-danger mt-3">@_error</div>
+    }
+
+    <div class="mt-4">
+        <button type="submit" class="btn btn-primary" disabled="@_submitting">Create cluster</button>
+        <a href="/clusters" class="btn btn-secondary ms-2">Cancel</a>
+    </div>
+</EditForm>
+
+@code {
+    private sealed class Input
+    {
+        [Required, RegularExpression("^[a-z0-9-]{1,64}$", ErrorMessage = "Lowercase alphanumeric + hyphens only")]
+        public string ClusterId { get; set; } = string.Empty;
+
+        [Required, StringLength(128)]
+        public string Name { get; set; } = string.Empty;
+
+        [StringLength(32)] public string Enterprise { get; set; } = "zb";
+        [StringLength(32)] public string Site { get; set; } = "dev";
+        public RedundancyMode RedundancyMode { get; set; } = RedundancyMode.None;
+    }
+
+    private Input _input = new();
+    private bool _submitting;
+    private string? _error;
+
+    private async Task CreateAsync()
+    {
+        _submitting = true;
+        _error = null;
+
+        try
+        {
+            var cluster = new ServerCluster
+            {
+                ClusterId = _input.ClusterId,
+                Name = _input.Name,
+                Enterprise = _input.Enterprise,
+                Site = _input.Site,
+                RedundancyMode = _input.RedundancyMode,
+                NodeCount = _input.RedundancyMode == RedundancyMode.None ? (byte)1 : (byte)2,
+                Enabled = true,
+                CreatedBy = "admin-ui",
+            };
+
+            await ClusterSvc.CreateAsync(cluster, createdBy: "admin-ui", CancellationToken.None);
+            await GenerationSvc.CreateDraftAsync(cluster.ClusterId, createdBy: "admin-ui", CancellationToken.None);
+
+            Nav.NavigateTo($"/clusters/{cluster.ClusterId}");
+        }
+        catch (Exception ex)
+        {
+            _error = ex.Message;
+        }
+        finally { _submitting = false; }
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Clusters/UnsTab.razor

@@ -0,0 +1,115 @@
+@using ZB.MOM.WW.OtOpcUa.Admin.Services
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@inject UnsService UnsSvc
+
+<div class="row">
+    <div class="col-md-6">
+        <div class="d-flex justify-content-between mb-2">
+            <h4>UNS Areas</h4>
+            <button class="btn btn-sm btn-primary" @onclick="() => _showAreaForm = true">Add area</button>
+        </div>
+
+        @if (_areas is null) { <p>Loading…</p> }
+        else if (_areas.Count == 0) { <p class="text-muted">No areas yet.</p> }
+        else
+        {
+            <table class="table table-sm">
+                <thead><tr><th>AreaId</th><th>Name</th></tr></thead>
+                <tbody>
+                @foreach (var a in _areas)
+                {
+                    <tr><td><code>@a.UnsAreaId</code></td><td>@a.Name</td></tr>
+                }
+                </tbody>
+            </table>
+        }
+
+        @if (_showAreaForm)
+        {
+            <div class="card">
+                <div class="card-body">
+                    <div class="mb-2"><label class="form-label">Name (lowercase segment)</label><input class="form-control" @bind="_newAreaName"/></div>
+                    <button class="btn btn-sm btn-primary" @onclick="AddAreaAsync">Save</button>
+                    <button class="btn btn-sm btn-secondary ms-2" @onclick="() => _showAreaForm = false">Cancel</button>
+                </div>
+            </div>
+        }
+    </div>
+    <div class="col-md-6">
+        <div class="d-flex justify-content-between mb-2">
+            <h4>UNS Lines</h4>
+            <button class="btn btn-sm btn-primary" @onclick="() => _showLineForm = true" disabled="@(_areas is null || _areas.Count == 0)">Add line</button>
+        </div>
+
+        @if (_lines is null) { <p>Loading…</p> }
+        else if (_lines.Count == 0) { <p class="text-muted">No lines yet.</p> }
+        else
+        {
+            <table class="table table-sm">
+                <thead><tr><th>LineId</th><th>Area</th><th>Name</th></tr></thead>
+                <tbody>
+                @foreach (var l in _lines)
+                {
+                    <tr><td><code>@l.UnsLineId</code></td><td><code>@l.UnsAreaId</code></td><td>@l.Name</td></tr>
+                }
+                </tbody>
+            </table>
+        }
+
+        @if (_showLineForm && _areas is not null)
+        {
+            <div class="card">
+                <div class="card-body">
+                    <div class="mb-2">
+                        <label class="form-label">Area</label>
+                        <select class="form-select" @bind="_newLineAreaId">
+                            @foreach (var a in _areas) { <option value="@a.UnsAreaId">@a.Name (@a.UnsAreaId)</option> }
+                        </select>
+                    </div>
+                    <div class="mb-2"><label class="form-label">Name</label><input class="form-control" @bind="_newLineName"/></div>
+                    <button class="btn btn-sm btn-primary" @onclick="AddLineAsync">Save</button>
+                    <button class="btn btn-sm btn-secondary ms-2" @onclick="() => _showLineForm = false">Cancel</button>
+                </div>
+            </div>
+        }
+    </div>
+</div>
+
+@code {
+    [Parameter] public long GenerationId { get; set; }
+    [Parameter] public string ClusterId { get; set; } = string.Empty;
+
+    private List<UnsArea>? _areas;
+    private List<UnsLine>? _lines;
+    private bool _showAreaForm;
+    private bool _showLineForm;
+    private string _newAreaName = string.Empty;
+    private string _newLineName = string.Empty;
+    private string _newLineAreaId = string.Empty;
+
+    protected override async Task OnParametersSetAsync() => await ReloadAsync();
+
+    private async Task ReloadAsync()
+    {
+        _areas = await UnsSvc.ListAreasAsync(GenerationId, CancellationToken.None);
+        _lines = await UnsSvc.ListLinesAsync(GenerationId, CancellationToken.None);
+    }
+
+    private async Task AddAreaAsync()
+    {
+        if (string.IsNullOrWhiteSpace(_newAreaName)) return;
+        await UnsSvc.AddAreaAsync(GenerationId, ClusterId, _newAreaName, notes: null, CancellationToken.None);
+        _newAreaName = string.Empty;
+        _showAreaForm = false;
+        await ReloadAsync();
+    }
+
+    private async Task AddLineAsync()
+    {
+        if (string.IsNullOrWhiteSpace(_newLineName) || string.IsNullOrWhiteSpace(_newLineAreaId)) return;
+        await UnsSvc.AddLineAsync(GenerationId, _newLineAreaId, _newLineName, notes: null, CancellationToken.None);
+        _newLineName = string.Empty;
+        _showLineForm = false;
+        await ReloadAsync();
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Home.razor

@@ -0,0 +1,72 @@
+@page "/"
+@using ZB.MOM.WW.OtOpcUa.Admin.Services
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@inject ClusterService ClusterSvc
+@inject GenerationService GenerationSvc
+@inject NavigationManager Nav
+
+<h1 class="mb-4">Fleet overview</h1>
+
+@if (_clusters is null)
+{
+    <p>Loading…</p>
+}
+else if (_clusters.Count == 0)
+{
+    <div class="alert alert-info">
+        No clusters configured yet. <a href="/clusters/new">Create the first cluster</a>.
+    </div>
+}
+else
+{
+    <div class="row g-3 mb-4">
+        <div class="col-md-3">
+            <div class="card"><div class="card-body"><h6 class="text-muted">Clusters</h6><div class="fs-2">@_clusters.Count</div></div></div>
+        </div>
+        <div class="col-md-3">
+            <div class="card"><div class="card-body"><h6 class="text-muted">Active drafts</h6><div class="fs-2">@_activeDraftCount</div></div></div>
+        </div>
+        <div class="col-md-3">
+            <div class="card"><div class="card-body"><h6 class="text-muted">Published generations</h6><div class="fs-2">@_publishedCount</div></div></div>
+        </div>
+        <div class="col-md-3">
+            <div class="card"><div class="card-body"><h6 class="text-muted">Disabled clusters</h6><div class="fs-2">@_clusters.Count(c => !c.Enabled)</div></div></div>
+        </div>
+    </div>
+
+    <h4 class="mt-4 mb-3">Clusters</h4>
+    <table class="table table-hover">
+        <thead><tr><th>ClusterId</th><th>Name</th><th>Enterprise / Site</th><th>Redundancy</th><th>Enabled</th><th></th></tr></thead>
+        <tbody>
+        @foreach (var c in _clusters)
+        {
+            <tr style="cursor: pointer;">
+                <td><code>@c.ClusterId</code></td>
+                <td>@c.Name</td>
+                <td>@c.Enterprise / @c.Site</td>
+                <td>@c.RedundancyMode</td>
+                <td>@(c.Enabled ? "Yes" : "No")</td>
+                <td><a href="/clusters/@c.ClusterId" class="btn btn-sm btn-outline-primary">Open</a></td>
+            </tr>
+        }
+        </tbody>
+    </table>
+}
+
+@code {
+    private List<ServerCluster>? _clusters;
+    private int _activeDraftCount;
+    private int _publishedCount;
+
+    protected override async Task OnInitializedAsync()
+    {
+        _clusters = await ClusterSvc.ListAsync(CancellationToken.None);
+
+        foreach (var c in _clusters)
+        {
+            var gens = await GenerationSvc.ListRecentAsync(c.ClusterId, 50, CancellationToken.None);
+            _activeDraftCount += gens.Count(g => g.Status.ToString() == "Draft");
+            _publishedCount += gens.Count(g => g.Status.ToString() == "Published");
+        }
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Login.razor

@@ -0,0 +1,100 @@
+@page "/login"
+@using System.Security.Claims
+@using Microsoft.AspNetCore.Authentication
+@using Microsoft.AspNetCore.Authentication.Cookies
+@using ZB.MOM.WW.OtOpcUa.Admin.Security
+@inject IHttpContextAccessor Http
+@inject ILdapAuthService LdapAuth
+@inject NavigationManager Nav
+
+<div class="row justify-content-center mt-5">
+    <div class="col-md-5">
+        <div class="card">
+            <div class="card-body">
+                <h4 class="mb-4">OtOpcUa Admin — sign in</h4>
+
+                <EditForm Model="_input" OnValidSubmit="SignInAsync" FormName="login">
+                    <div class="mb-3">
+                        <label class="form-label">Username</label>
+                        <InputText @bind-Value="_input.Username" class="form-control" autocomplete="username"/>
+                    </div>
+                    <div class="mb-3">
+                        <label class="form-label">Password</label>
+                        <InputText type="password" @bind-Value="_input.Password" class="form-control" autocomplete="current-password"/>
+                    </div>
+
+                    @if (_error is not null) { <div class="alert alert-danger">@_error</div> }
+
+                    <button class="btn btn-primary w-100" type="submit" disabled="@_busy">
+                        @(_busy ? "Signing in…" : "Sign in")
+                    </button>
+                </EditForm>
+
+                <hr/>
+                <small class="text-muted">
+                    LDAP bind against the configured directory. Dev defaults to GLAuth on
+                    <code>localhost:3893</code>.
+                </small>
+            </div>
+        </div>
+    </div>
+</div>
+
+@code {
+    private sealed class Input
+    {
+        public string Username { get; set; } = string.Empty;
+        public string Password { get; set; } = string.Empty;
+    }
+
+    private Input _input = new();
+    private string? _error;
+    private bool _busy;
+
+    private async Task SignInAsync()
+    {
+        _error = null;
+        _busy = true;
+        try
+        {
+            if (string.IsNullOrWhiteSpace(_input.Username) || string.IsNullOrWhiteSpace(_input.Password))
+            {
+                _error = "Username and password are required";
+                return;
+            }
+
+            var result = await LdapAuth.AuthenticateAsync(_input.Username, _input.Password, CancellationToken.None);
+            if (!result.Success)
+            {
+                _error = result.Error ?? "Sign-in failed";
+                return;
+            }
+
+            if (result.Roles.Count == 0)
+            {
+                _error = "Sign-in succeeded but no Admin roles mapped for your LDAP groups. Contact your administrator.";
+                return;
+            }
+
+            var ctx = Http.HttpContext
+                ?? throw new InvalidOperationException("HttpContext unavailable at sign-in");
+
+            var claims = new List<Claim>
+            {
+                new(ClaimTypes.Name, result.DisplayName ?? result.Username ?? _input.Username),
+                new(ClaimTypes.NameIdentifier, _input.Username),
+            };
+            foreach (var role in result.Roles)
+                claims.Add(new Claim(ClaimTypes.Role, role));
+            foreach (var group in result.Groups)
+                claims.Add(new Claim("ldap_group", group));
+
+            var identity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
+            await ctx.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme,
+                new ClaimsPrincipal(identity));
+
+            ctx.Response.Redirect("/");
+        }
+        finally { _busy = false; }
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Reservations.razor

@@ -0,0 +1,114 @@
+@page "/reservations"
+@using ZB.MOM.WW.OtOpcUa.Admin.Services
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@using Microsoft.AspNetCore.Authorization
+@attribute [Authorize(Policy = "CanPublish")]
+@inject ReservationService ReservationSvc
+
+<h1 class="mb-4">External-ID reservations</h1>
+<p class="text-muted">
+    Fleet-wide ZTag + SAPID reservation state (decision #124). Releasing a reservation is a
+    FleetAdmin-only audit-logged action — only release when the physical asset is permanently
+    retired and its ID needs to be reused by a different equipment.
+</p>
+
+<h4 class="mt-4">Active</h4>
+@if (_active is null) { <p>Loading…</p> }
+else if (_active.Count == 0) { <p class="text-muted">No active reservations.</p> }
+else
+{
+    <table class="table table-sm">
+        <thead><tr><th>Kind</th><th>Value</th><th>EquipmentUuid</th><th>Cluster</th><th>First published</th><th>Last published</th><th></th></tr></thead>
+        <tbody>
+        @foreach (var r in _active)
+        {
+            <tr>
+                <td><code>@r.Kind</code></td>
+                <td><code>@r.Value</code></td>
+                <td><code>@r.EquipmentUuid</code></td>
+                <td>@r.ClusterId</td>
+                <td><small>@r.FirstPublishedAt.ToString("u") by @r.FirstPublishedBy</small></td>
+                <td><small>@r.LastPublishedAt.ToString("u")</small></td>
+                <td><button class="btn btn-sm btn-outline-danger" @onclick='() => OpenReleaseDialog(r)'>Release…</button></td>
+            </tr>
+        }
+        </tbody>
+    </table>
+}
+
+<h4 class="mt-4">Released (most recent 100)</h4>
+@if (_released is null) { <p>Loading…</p> }
+else if (_released.Count == 0) { <p class="text-muted">No released reservations yet.</p> }
+else
+{
+    <table class="table table-sm">
+        <thead><tr><th>Kind</th><th>Value</th><th>Released at</th><th>By</th><th>Reason</th></tr></thead>
+        <tbody>
+        @foreach (var r in _released)
+        {
+            <tr><td><code>@r.Kind</code></td><td><code>@r.Value</code></td><td>@r.ReleasedAt?.ToString("u")</td><td>@r.ReleasedBy</td><td>@r.ReleaseReason</td></tr>
+        }
+        </tbody>
+    </table>
+}
+
+@if (_releasing is not null)
+{
+    <div class="modal show d-block" tabindex="-1" style="background-color: rgba(0,0,0,0.5);">
+        <div class="modal-dialog">
+            <div class="modal-content">
+                <div class="modal-header">
+                    <h5 class="modal-title">Release reservation <code>@_releasing.Kind</code> = <code>@_releasing.Value</code></h5>
+                </div>
+                <div class="modal-body">
+                    <p>This makes the (Kind, Value) pair available for a different EquipmentUuid in a future publish. Audit-logged.</p>
+                    <label class="form-label">Reason (required)</label>
+                    <textarea class="form-control" rows="3" @bind="_reason"></textarea>
+                    @if (_error is not null) { <div class="alert alert-danger mt-2">@_error</div> }
+                </div>
+                <div class="modal-footer">
+                    <button class="btn btn-secondary" @onclick='() => _releasing = null'>Cancel</button>
+                    <button class="btn btn-danger" @onclick="ReleaseAsync" disabled="@_busy">Release</button>
+                </div>
+            </div>
+        </div>
+    </div>
+}
+
+@code {
+    private List<ExternalIdReservation>? _active;
+    private List<ExternalIdReservation>? _released;
+    private ExternalIdReservation? _releasing;
+    private string _reason = string.Empty;
+    private bool _busy;
+    private string? _error;
+
+    protected override async Task OnInitializedAsync() => await ReloadAsync();
+
+    private async Task ReloadAsync()
+    {
+        _active = await ReservationSvc.ListActiveAsync(CancellationToken.None);
+        _released = await ReservationSvc.ListReleasedAsync(CancellationToken.None);
+    }
+
+    private void OpenReleaseDialog(ExternalIdReservation r)
+    {
+        _releasing = r;
+        _reason = string.Empty;
+        _error = null;
+    }
+
+    private async Task ReleaseAsync()
+    {
+        if (_releasing is null || string.IsNullOrWhiteSpace(_reason)) { _error = "Reason is required"; return; }
+        _busy = true;
+        try
+        {
+            await ReservationSvc.ReleaseAsync(_releasing.Kind.ToString(), _releasing.Value, _reason, CancellationToken.None);
+            _releasing = null;
+            await ReloadAsync();
+        }
+        catch (Exception ex) { _error = ex.Message; }
+        finally { _busy = false; }
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Admin/Components/Routes.razor

@@ -0,0 +1,11 @@
+@using Microsoft.AspNetCore.Components.Routing
+@using ZB.MOM.WW.OtOpcUa.Admin.Components.Layout
+
+<Router AppAssembly="@typeof(Program).Assembly">
+    <Found Context="routeData">
+        <RouteView RouteData="@routeData" DefaultLayout="@typeof(MainLayout)"/>
+    </Found>
+    <NotFound>
+        <LayoutView Layout="@typeof(MainLayout)"><p>Not found.</p></LayoutView>
+    </NotFound>
+</Router>

src/ZB.MOM.WW.OtOpcUa.Admin/Components/_Imports.razor

@@ -0,0 +1,14 @@
+@using System.Net.Http
+@using Microsoft.AspNetCore.Components
+@using Microsoft.AspNetCore.Components.Forms
+@using Microsoft.AspNetCore.Components.Routing
+@using Microsoft.AspNetCore.Components.Web
+@using Microsoft.AspNetCore.Components.Web.Virtualization
+@using Microsoft.AspNetCore.Components.Authorization
+@using Microsoft.AspNetCore.Http
+@using Microsoft.JSInterop
+@using ZB.MOM.WW.OtOpcUa.Admin
+@using ZB.MOM.WW.OtOpcUa.Admin.Components
+@using ZB.MOM.WW.OtOpcUa.Admin.Components.Layout
+@using ZB.MOM.WW.OtOpcUa.Admin.Components.Pages
+@using ZB.MOM.WW.OtOpcUa.Admin.Components.Pages.Clusters

src/ZB.MOM.WW.OtOpcUa.Admin/Hubs/AlertHub.cs

@@ -0,0 +1,31 @@
+using Microsoft.AspNetCore.SignalR;
+
+namespace ZB.MOM.WW.OtOpcUa.Admin.Hubs;
+
+/// <summary>
+///     Pushes sticky alerts (crash-loop circuit trips, failed applies, reservation-release
+///     anomalies) to subscribed admin clients. Alerts don't auto-clear — the operator acks them
+///     from the UI via <see cref="AcknowledgeAsync"/>.
+/// </summary>
+public sealed class AlertHub : Hub
+{
+    public const string AllAlertsGroup = "__alerts__";
+
+    public override async Task OnConnectedAsync()
+    {
+        await Groups.AddToGroupAsync(Context.ConnectionId, AllAlertsGroup);
+        await base.OnConnectedAsync();
+    }
+
+    /// <summary>Client-initiated ack. The server side of ack persistence is deferred — v2.1.</summary>
+    public Task AcknowledgeAsync(string alertId) => Task.CompletedTask;
+}
+
+public sealed record AlertMessage(
+    string AlertId,
+    string Severity,
+    string Title,
+    string Detail,
+    DateTime RaisedAtUtc,
+    string? ClusterId,
+    string? NodeId);

src/ZB.MOM.WW.OtOpcUa.Admin/Hubs/FleetStatusHub.cs

@@ -0,0 +1,39 @@
+using Microsoft.AspNetCore.SignalR;
+
+namespace ZB.MOM.WW.OtOpcUa.Admin.Hubs;
+
+/// <summary>
+///     Pushes per-node generation-apply state changes (<c>ClusterNodeGenerationState</c>) to
+///     subscribed browser clients. Clients call <c>SubscribeCluster(clusterId)</c> on connect to
+///     scope notifications; the server sends <c>NodeStateChanged</c> messages whenever the poller
+///     observes a delta.
+/// </summary>
+public sealed class FleetStatusHub : Hub
+{
+    public Task SubscribeCluster(string clusterId)
+    {
+        if (string.IsNullOrWhiteSpace(clusterId)) return Task.CompletedTask;
+        return Groups.AddToGroupAsync(Context.ConnectionId, GroupName(clusterId));
+    }
+
+    public Task UnsubscribeCluster(string clusterId)
+    {
+        if (string.IsNullOrWhiteSpace(clusterId)) return Task.CompletedTask;
+        return Groups.RemoveFromGroupAsync(Context.ConnectionId, GroupName(clusterId));
+    }
+
+    /// <summary>Clients call this once to also receive fleet-wide status — used by the dashboard.</summary>
+    public Task SubscribeFleet() => Groups.AddToGroupAsync(Context.ConnectionId, FleetGroup);
+
+    public const string FleetGroup = "__fleet__";
+    public static string GroupName(string clusterId) => $"cluster:{clusterId}";
+}
+
+public sealed record NodeStateChangedMessage(
+    string NodeId,
+    string ClusterId,
+    long? CurrentGenerationId,
+    string? LastAppliedStatus,
+    string? LastAppliedError,
+    DateTime? LastAppliedAt,
+    DateTime? LastSeenAt);

src/ZB.MOM.WW.OtOpcUa.Admin/Hubs/FleetStatusPoller.cs

@@ -0,0 +1,93 @@
+using Microsoft.AspNetCore.SignalR;
+using Microsoft.EntityFrameworkCore;
+using ZB.MOM.WW.OtOpcUa.Configuration;
+using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+
+namespace ZB.MOM.WW.OtOpcUa.Admin.Hubs;
+
+/// <summary>
+///     Polls <c>ClusterNodeGenerationState</c> every <see cref="PollInterval"/> and publishes
+///     per-node deltas to <see cref="FleetStatusHub"/>. Also raises sticky
+///     <see cref="AlertMessage"/>s on transitions into <c>Failed</c>.
+/// </summary>
+public sealed class FleetStatusPoller(
+    IServiceScopeFactory scopeFactory,
+    IHubContext<FleetStatusHub> fleetHub,
+    IHubContext<AlertHub> alertHub,
+    ILogger<FleetStatusPoller> logger) : BackgroundService
+{
+    public TimeSpan PollInterval { get; init; } = TimeSpan.FromSeconds(5);
+
+    private readonly Dictionary<string, NodeStateSnapshot> _last = new();
+
+    protected override async Task ExecuteAsync(CancellationToken stoppingToken)
+    {
+        logger.LogInformation("FleetStatusPoller starting — interval {Interval}s", PollInterval.TotalSeconds);
+
+        while (!stoppingToken.IsCancellationRequested)
+        {
+            try { await PollOnceAsync(stoppingToken); }
+            catch (Exception ex) when (ex is not OperationCanceledException)
+            {
+                logger.LogWarning(ex, "FleetStatusPoller tick failed");
+            }
+
+            try { await Task.Delay(PollInterval, stoppingToken); }
+            catch (OperationCanceledException) { break; }
+        }
+    }
+
+    internal async Task PollOnceAsync(CancellationToken ct)
+    {
+        using var scope = scopeFactory.CreateScope();
+        var db = scope.ServiceProvider.GetRequiredService<OtOpcUaConfigDbContext>();
+
+        var rows = await db.ClusterNodeGenerationStates.AsNoTracking()
+            .Join(db.ClusterNodes.AsNoTracking(), s => s.NodeId, n => n.NodeId, (s, n) => new { s, n.ClusterId })
+            .ToListAsync(ct);
+
+        foreach (var r in rows)
+        {
+            var snapshot = new NodeStateSnapshot(
+                r.s.NodeId, r.ClusterId, r.s.CurrentGenerationId,
+                r.s.LastAppliedStatus?.ToString(), r.s.LastAppliedError,
+                r.s.LastAppliedAt, r.s.LastSeenAt);
+
+            var hadPrior = _last.TryGetValue(r.s.NodeId, out var prior);
+            if (!hadPrior || prior != snapshot)
+            {
+                _last[r.s.NodeId] = snapshot;
+
+                var msg = new NodeStateChangedMessage(
+                    snapshot.NodeId, snapshot.ClusterId, snapshot.GenerationId,
+                    snapshot.Status, snapshot.Error, snapshot.AppliedAt, snapshot.SeenAt);
+
+                await fleetHub.Clients.Group(FleetStatusHub.GroupName(snapshot.ClusterId))
+                    .SendAsync("NodeStateChanged", msg, ct);
+                await fleetHub.Clients.Group(FleetStatusHub.FleetGroup)
+                    .SendAsync("NodeStateChanged", msg, ct);
+
+                if (snapshot.Status == "Failed" && (!hadPrior || prior.Status != "Failed"))
+                {
+                    var alert = new AlertMessage(
+                        AlertId: $"{snapshot.NodeId}:apply-failed",
+                        Severity: "error",
+                        Title: $"Apply failed on {snapshot.NodeId}",
+                        Detail: snapshot.Error ?? "(no detail)",
+                        RaisedAtUtc: DateTime.UtcNow,
+                        ClusterId: snapshot.ClusterId,
+                        NodeId: snapshot.NodeId);
+                    await alertHub.Clients.Group(AlertHub.AllAlertsGroup)
+                        .SendAsync("AlertRaised", alert, ct);
+                }
+            }
+        }
+    }
+
+    /// <summary>Exposed for tests — forces a snapshot reset so stub data re-seeds.</summary>
+    internal void ResetCache() => _last.Clear();
+
+    private readonly record struct NodeStateSnapshot(
+        string NodeId, string ClusterId, long? GenerationId,
+        string? Status, string? Error, DateTime? AppliedAt, DateTime? SeenAt);
+}

src/ZB.MOM.WW.OtOpcUa.Admin/Program.cs

@@ -0,0 +1,80 @@
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authentication.Cookies;
+using Microsoft.EntityFrameworkCore;
+using Serilog;
+using ZB.MOM.WW.OtOpcUa.Admin.Components;
+using ZB.MOM.WW.OtOpcUa.Admin.Hubs;
+using ZB.MOM.WW.OtOpcUa.Admin.Security;
+using ZB.MOM.WW.OtOpcUa.Admin.Services;
+using ZB.MOM.WW.OtOpcUa.Configuration;
+
+var builder = WebApplication.CreateBuilder(args);
+
+builder.Host.UseSerilog((ctx, cfg) => cfg
+    .MinimumLevel.Information()
+    .WriteTo.Console()
+    .WriteTo.File("logs/otopcua-admin-.log", rollingInterval: RollingInterval.Day));
+
+builder.Services.AddRazorComponents().AddInteractiveServerComponents();
+builder.Services.AddHttpContextAccessor();
+builder.Services.AddSignalR();
+
+builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
+    .AddCookie(o =>
+    {
+        o.Cookie.Name = "OtOpcUa.Admin";
+        o.LoginPath = "/login";
+        o.ExpireTimeSpan = TimeSpan.FromHours(8);
+    });
+
+builder.Services.AddAuthorizationBuilder()
+    .AddPolicy("CanEdit", p => p.RequireRole(AdminRoles.ConfigEditor, AdminRoles.FleetAdmin))
+    .AddPolicy("CanPublish", p => p.RequireRole(AdminRoles.FleetAdmin));
+
+builder.Services.AddCascadingAuthenticationState();
+
+builder.Services.AddDbContext<OtOpcUaConfigDbContext>(opt =>
+    opt.UseSqlServer(builder.Configuration.GetConnectionString("ConfigDb")
+        ?? throw new InvalidOperationException("ConnectionStrings:ConfigDb not configured")));
+
+builder.Services.AddScoped<ClusterService>();
+builder.Services.AddScoped<GenerationService>();
+builder.Services.AddScoped<EquipmentService>();
+builder.Services.AddScoped<UnsService>();
+builder.Services.AddScoped<NamespaceService>();
+builder.Services.AddScoped<DriverInstanceService>();
+builder.Services.AddScoped<NodeAclService>();
+builder.Services.AddScoped<ReservationService>();
+builder.Services.AddScoped<DraftValidationService>();
+builder.Services.AddScoped<AuditLogService>();
+
+// LDAP auth — parity with ScadaLink's LdapAuthService (decision #102).
+builder.Services.Configure<LdapOptions>(
+    builder.Configuration.GetSection("Authentication:Ldap"));
+builder.Services.AddScoped<ILdapAuthService, LdapAuthService>();
+
+// SignalR real-time fleet status + alerts (admin-ui.md §"Real-Time Updates").
+builder.Services.AddHostedService<FleetStatusPoller>();
+
+var app = builder.Build();
+
+app.UseSerilogRequestLogging();
+app.UseStaticFiles();
+app.UseAuthentication();
+app.UseAuthorization();
+app.UseAntiforgery();
+
+app.MapPost("/auth/logout", async (HttpContext ctx) =>
+{
+    await ctx.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
+    ctx.Response.Redirect("/");
+});
+
+app.MapHub<FleetStatusHub>("/hubs/fleet");
+app.MapHub<AlertHub>("/hubs/alerts");
+
+app.MapRazorComponents<App>().AddInteractiveServerRenderMode();
+
+await app.RunAsync();
+
+public partial class Program;

src/ZB.MOM.WW.OtOpcUa.Admin/Security/ILdapAuthService.cs

@@ -0,0 +1,6 @@
+namespace ZB.MOM.WW.OtOpcUa.Admin.Security;
+
+public interface ILdapAuthService
+{
+    Task<LdapAuthResult> AuthenticateAsync(string username, string password, CancellationToken ct = default);
+}

src/ZB.MOM.WW.OtOpcUa.Admin/Security/LdapAuthResult.cs

@@ -0,0 +1,10 @@
+namespace ZB.MOM.WW.OtOpcUa.Admin.Security;
+
+/// <summary>Outcome of an LDAP bind attempt. <see cref="Roles"/> is the mapped-set of Admin roles.</summary>
+public sealed record LdapAuthResult(
+    bool Success,
+    string? DisplayName,
+    string? Username,
+    IReadOnlyList<string> Groups,
+    IReadOnlyList<string> Roles,
+    string? Error);

src/ZB.MOM.WW.OtOpcUa.Admin/Security/LdapAuthService.cs

@@ -0,0 +1,160 @@
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using Novell.Directory.Ldap;
+
+namespace ZB.MOM.WW.OtOpcUa.Admin.Security;
+
+/// <summary>
+///     LDAP bind-and-search authentication mirrored from ScadaLink's <c>LdapAuthService</c>
+///     (CLAUDE.md memory: <c>scadalink_reference.md</c>) — same bind semantics, TLS guard, and
+///     service-account search-then-bind path. Adapted for the Admin app's role-mapping shape
+///     (LDAP group names → Admin roles via <see cref="LdapOptions.GroupToRole"/>).
+/// </summary>
+public sealed class LdapAuthService(IOptions<LdapOptions> options, ILogger<LdapAuthService> logger)
+    : ILdapAuthService
+{
+    private readonly LdapOptions _options = options.Value;
+
+    public async Task<LdapAuthResult> AuthenticateAsync(string username, string password, CancellationToken ct = default)
+    {
+        if (string.IsNullOrWhiteSpace(username))
+            return new(false, null, null, [], [], "Username is required");
+        if (string.IsNullOrWhiteSpace(password))
+            return new(false, null, null, [], [], "Password is required");
+
+        if (!_options.UseTls && !_options.AllowInsecureLdap)
+            return new(false, null, username, [], [],
+                "Insecure LDAP is disabled. Enable UseTls or set AllowInsecureLdap for dev/test.");
+
+        try
+        {
+            using var conn = new LdapConnection();
+            if (_options.UseTls) conn.SecureSocketLayer = true;
+
+            await Task.Run(() => conn.Connect(_options.Server, _options.Port), ct);
+
+            var bindDn = await ResolveUserDnAsync(conn, username, ct);
+            await Task.Run(() => conn.Bind(bindDn, password), ct);
+
+            if (!string.IsNullOrWhiteSpace(_options.ServiceAccountDn))
+                await Task.Run(() => conn.Bind(_options.ServiceAccountDn, _options.ServiceAccountPassword), ct);
+
+            var displayName = username;
+            var groups = new List<string>();
+
+            try
+            {
+                var filter = $"(cn={EscapeLdapFilter(username)})";
+                var results = await Task.Run(() =>
+                    conn.Search(_options.SearchBase, LdapConnection.ScopeSub, filter,
+                        attrs: null, // request ALL attributes so we can inspect memberOf + dn-derived group
+                        typesOnly: false), ct);
+
+                while (results.HasMore())
+                {
+                    try
+                    {
+                        var entry = results.Next();
+                        var name = entry.GetAttribute(_options.DisplayNameAttribute);
+                        if (name is not null) displayName = name.StringValue;
+
+                        var groupAttr = entry.GetAttribute(_options.GroupAttribute);
+                        if (groupAttr is not null)
+                        {
+                            foreach (var groupDn in groupAttr.StringValueArray)
+                                groups.Add(ExtractFirstRdnValue(groupDn));
+                        }
+
+                        // Fallback: GLAuth places users under ou=PrimaryGroup,baseDN. When the
+                        // directory doesn't populate memberOf (or populates it differently), the
+                        // user's primary group name is recoverable from the second RDN of the DN.
+                        if (groups.Count == 0 && !string.IsNullOrEmpty(entry.Dn))
+                        {
+                            var primary = ExtractOuSegment(entry.Dn);
+                            if (primary is not null) groups.Add(primary);
+                        }
+                    }
+                    catch (LdapException) { break; } // no-more-entries signalled by exception
+                }
+            }
+            catch (LdapException ex)
+            {
+                logger.LogWarning(ex, "LDAP attribute lookup failed for {User}", username);
+            }
+
+            conn.Disconnect();
+
+            var roles = RoleMapper.Map(groups, _options.GroupToRole);
+            return new(true, displayName, username, groups, roles, null);
+        }
+        catch (LdapException ex)
+        {
+            logger.LogWarning(ex, "LDAP bind failed for {User}", username);
+            return new(false, null, username, [], [], "Invalid username or password");
+        }
+        catch (Exception ex) when (ex is not OperationCanceledException)
+        {
+            logger.LogError(ex, "Unexpected LDAP error for {User}", username);
+            return new(false, null, username, [], [], "Unexpected authentication error");
+        }
+    }
+
+    private async Task<string> ResolveUserDnAsync(LdapConnection conn, string username, CancellationToken ct)
+    {
+        if (username.Contains('=')) return username; // already a DN
+
+        if (!string.IsNullOrWhiteSpace(_options.ServiceAccountDn))
+        {
+            await Task.Run(() =>
+                conn.Bind(_options.ServiceAccountDn, _options.ServiceAccountPassword), ct);
+
+            var filter = $"(uid={EscapeLdapFilter(username)})";
+            var results = await Task.Run(() =>
+                conn.Search(_options.SearchBase, LdapConnection.ScopeSub, filter, ["dn"], false), ct);
+
+            if (results.HasMore())
+                return results.Next().Dn;
+
+            throw new LdapException("User not found", LdapException.NoSuchObject,
+                $"No entry for uid={username}");
+        }
+
+        return string.IsNullOrWhiteSpace(_options.SearchBase)
+            ? $"cn={username}"
+            : $"cn={username},{_options.SearchBase}";
+    }
+
+    internal static string EscapeLdapFilter(string input) =>
+        input.Replace("\\", "\\5c")
+             .Replace("*", "\\2a")
+             .Replace("(", "\\28")
+             .Replace(")", "\\29")
+             .Replace("\0", "\\00");
+
+    /// <summary>
+    ///     Pulls the first <c>ou=Value</c> segment from a DN. GLAuth encodes a user's primary
+    ///     group as an <c>ou=</c> RDN immediately above the user's <c>cn=</c>, so this recovers
+    ///     the group name when <see cref="LdapOptions.GroupAttribute"/> is absent from the entry.
+    /// </summary>
+    internal static string? ExtractOuSegment(string dn)
+    {
+        var segments = dn.Split(',');
+        foreach (var segment in segments)
+        {
+            var trimmed = segment.Trim();
+            if (trimmed.StartsWith("ou=", StringComparison.OrdinalIgnoreCase))
+                return trimmed[3..];
+        }
+        return null;
+    }
+
+    internal static string ExtractFirstRdnValue(string dn)
+    {
+        var equalsIdx = dn.IndexOf('=');
+        if (equalsIdx < 0) return dn;
+
+        var valueStart = equalsIdx + 1;
+        var commaIdx = dn.IndexOf(',', valueStart);
+        return commaIdx > valueStart ? dn[valueStart..commaIdx] : dn[valueStart..];
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Admin/Security/LdapOptions.cs

@@ -0,0 +1,38 @@
+namespace ZB.MOM.WW.OtOpcUa.Admin.Security;
+
+/// <summary>
+///     LDAP + role-mapping configuration for the Admin UI. Bound from <c>appsettings.json</c>
+///     <c>Authentication:Ldap</c> section. Defaults point at the local GLAuth dev instance (see
+///     <c>C:\publish\glauth\auth.md</c>).
+/// </summary>
+public sealed class LdapOptions
+{
+    public const string SectionName = "Authentication:Ldap";
+
+    public bool Enabled { get; set; } = true;
+    public string Server { get; set; } = "localhost";
+    public int Port { get; set; } = 3893;
+    public bool UseTls { get; set; }
+
+    /// <summary>Dev-only escape hatch — must be <c>false</c> in production.</summary>
+    public bool AllowInsecureLdap { get; set; }
+
+    public string SearchBase { get; set; } = "dc=lmxopcua,dc=local";
+
+    /// <summary>
+    ///     Service-account DN used for search-then-bind. When empty, a direct-bind with
+    ///     <c>cn={user},{SearchBase}</c> is attempted.
+    /// </summary>
+    public string ServiceAccountDn { get; set; } = string.Empty;
+    public string ServiceAccountPassword { get; set; } = string.Empty;
+
+    public string DisplayNameAttribute { get; set; } = "cn";
+    public string GroupAttribute { get; set; } = "memberOf";
+
+    /// <summary>
+    ///     Maps LDAP group name → Admin role. Group match is case-insensitive. A user gets every
+    ///     role whose source group is in their membership list. Example dev mapping:
+    ///     <code>"ReadOnly":"ConfigViewer","ReadWrite":"ConfigEditor","AlarmAck":"FleetAdmin"</code>
+    /// </summary>
+    public Dictionary<string, string> GroupToRole { get; set; } = new(StringComparer.OrdinalIgnoreCase);
+}

src/ZB.MOM.WW.OtOpcUa.Admin/Security/RoleMapper.cs

@@ -0,0 +1,23 @@
+namespace ZB.MOM.WW.OtOpcUa.Admin.Security;
+
+/// <summary>
+///     Deterministic LDAP-group-to-Admin-role mapper driven by <see cref="LdapOptions.GroupToRole"/>.
+///     Every returned role corresponds to a group the user actually holds; no inference.
+/// </summary>
+public static class RoleMapper
+{
+    public static IReadOnlyList<string> Map(
+        IReadOnlyCollection<string> ldapGroups,
+        IReadOnlyDictionary<string, string> groupToRole)
+    {
+        if (groupToRole.Count == 0) return [];
+
+        var roles = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
+        foreach (var group in ldapGroups)
+        {
+            if (groupToRole.TryGetValue(group, out var role))
+                roles.Add(role);
+        }
+        return [.. roles];
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Admin/Services/AdminRoles.cs

@@ -0,0 +1,16 @@
+namespace ZB.MOM.WW.OtOpcUa.Admin.Services;
+
+/// <summary>
+///     The three admin roles per <c>admin-ui.md</c> §"Admin Roles" — mapped from LDAP groups at
+///     sign-in. Each role has a fixed set of capabilities (cluster CRUD, draft → publish, fleet
+///     admin). The ACL-driven runtime permissions (<c>NodePermissions</c>) govern OPC UA clients;
+///     these roles govern the Admin UI itself.
+/// </summary>
+public static class AdminRoles
+{
+    public const string ConfigViewer = "ConfigViewer";
+    public const string ConfigEditor = "ConfigEditor";
+    public const string FleetAdmin = "FleetAdmin";
+
+    public static IReadOnlyList<string> All => [ConfigViewer, ConfigEditor, FleetAdmin];
+}

src/ZB.MOM.WW.OtOpcUa.Admin/Services/AuditLogService.cs

@@ -0,0 +1,15 @@
+using Microsoft.EntityFrameworkCore;
+using ZB.MOM.WW.OtOpcUa.Configuration;
+using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+
+namespace ZB.MOM.WW.OtOpcUa.Admin.Services;
+
+public sealed class AuditLogService(OtOpcUaConfigDbContext db)
+{
+    public Task<List<ConfigAuditLog>> ListRecentAsync(string? clusterId, int limit, CancellationToken ct)
+    {
+        var q = db.ConfigAuditLogs.AsNoTracking();
+        if (clusterId is not null) q = q.Where(a => a.ClusterId == clusterId);
+        return q.OrderByDescending(a => a.Timestamp).Take(limit).ToListAsync(ct);
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Admin/Services/ClusterService.cs

@@ -0,0 +1,28 @@
+using Microsoft.EntityFrameworkCore;
+using ZB.MOM.WW.OtOpcUa.Configuration;
+using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+
+namespace ZB.MOM.WW.OtOpcUa.Admin.Services;
+
+/// <summary>
+///     Cluster CRUD surface used by the Blazor pages. Writes go through stored procs in later
+///     phases; Phase 1 reads via EF Core directly (DENY SELECT on <c>dbo</c> schema means this
+///     service connects as a DB owner during dev — production swaps in a read-only view grant).
+/// </summary>
+public sealed class ClusterService(OtOpcUaConfigDbContext db)
+{
+    public Task<List<ServerCluster>> ListAsync(CancellationToken ct) =>
+        db.ServerClusters.AsNoTracking().OrderBy(c => c.ClusterId).ToListAsync(ct);
+
+    public Task<ServerCluster?> FindAsync(string clusterId, CancellationToken ct) =>
+        db.ServerClusters.AsNoTracking().FirstOrDefaultAsync(c => c.ClusterId == clusterId, ct);
+
+    public async Task<ServerCluster> CreateAsync(ServerCluster cluster, string createdBy, CancellationToken ct)
+    {
+        cluster.CreatedAt = DateTime.UtcNow;
+        cluster.CreatedBy = createdBy;
+        db.ServerClusters.Add(cluster);
+        await db.SaveChangesAsync(ct);
+        return cluster;
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Admin/Services/DraftValidationService.cs

@@ -0,0 +1,45 @@
+using Microsoft.EntityFrameworkCore;
+using ZB.MOM.WW.OtOpcUa.Configuration;
+using ZB.MOM.WW.OtOpcUa.Configuration.Validation;
+
+namespace ZB.MOM.WW.OtOpcUa.Admin.Services;
+
+/// <summary>
+///     Runs the managed <see cref="DraftValidator"/> against a draft's snapshot loaded from the
+///     Configuration DB. Used by the draft editor's inline validation panel and by the publish
+///     dialog's pre-check. Structural-only SQL checks live in <c>sp_ValidateDraft</c>; this layer
+///     owns the content / cross-generation / regex rules.
+/// </summary>
+public sealed class DraftValidationService(OtOpcUaConfigDbContext db)
+{
+    public async Task<IReadOnlyList<ValidationError>> ValidateAsync(long draftId, CancellationToken ct)
+    {
+        var draft = await db.ConfigGenerations.AsNoTracking()
+            .FirstOrDefaultAsync(g => g.GenerationId == draftId, ct)
+            ?? throw new InvalidOperationException($"Draft {draftId} not found");
+
+        var snapshot = new DraftSnapshot
+        {
+            GenerationId = draft.GenerationId,
+            ClusterId = draft.ClusterId,
+            Namespaces = await db.Namespaces.AsNoTracking().Where(n => n.GenerationId == draftId).ToListAsync(ct),
+            DriverInstances = await db.DriverInstances.AsNoTracking().Where(d => d.GenerationId == draftId).ToListAsync(ct),
+            Devices = await db.Devices.AsNoTracking().Where(d => d.GenerationId == draftId).ToListAsync(ct),
+            UnsAreas = await db.UnsAreas.AsNoTracking().Where(a => a.GenerationId == draftId).ToListAsync(ct),
+            UnsLines = await db.UnsLines.AsNoTracking().Where(l => l.GenerationId == draftId).ToListAsync(ct),
+            Equipment = await db.Equipment.AsNoTracking().Where(e => e.GenerationId == draftId).ToListAsync(ct),
+            Tags = await db.Tags.AsNoTracking().Where(t => t.GenerationId == draftId).ToListAsync(ct),
+            PollGroups = await db.PollGroups.AsNoTracking().Where(p => p.GenerationId == draftId).ToListAsync(ct),
+
+            PriorEquipment = await db.Equipment.AsNoTracking()
+                .Where(e => e.GenerationId != draftId
+                         && db.ConfigGenerations.Any(g => g.GenerationId == e.GenerationId && g.ClusterId == draft.ClusterId))
+                .ToListAsync(ct),
+            ActiveReservations = await db.ExternalIdReservations.AsNoTracking()
+                .Where(r => r.ReleasedAt == null)
+                .ToListAsync(ct),
+        };
+
+        return DraftValidator.Validate(snapshot);
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Admin/Services/DriverInstanceService.cs

@@ -0,0 +1,33 @@
+using Microsoft.EntityFrameworkCore;
+using ZB.MOM.WW.OtOpcUa.Configuration;
+using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+
+namespace ZB.MOM.WW.OtOpcUa.Admin.Services;
+
+public sealed class DriverInstanceService(OtOpcUaConfigDbContext db)
+{
+    public Task<List<DriverInstance>> ListAsync(long generationId, CancellationToken ct) =>
+        db.DriverInstances.AsNoTracking()
+            .Where(d => d.GenerationId == generationId)
+            .OrderBy(d => d.DriverInstanceId)
+            .ToListAsync(ct);
+
+    public async Task<DriverInstance> AddAsync(
+        long draftId, string clusterId, string namespaceId, string name, string driverType,
+        string driverConfigJson, CancellationToken ct)
+    {
+        var di = new DriverInstance
+        {
+            GenerationId = draftId,
+            DriverInstanceId = $"drv-{Guid.NewGuid():N}"[..20],
+            ClusterId = clusterId,
+            NamespaceId = namespaceId,
+            Name = name,
+            DriverType = driverType,
+            DriverConfig = driverConfigJson,
+        };
+        db.DriverInstances.Add(di);
+        await db.SaveChangesAsync(ct);
+        return di;
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Admin/Services/EquipmentService.cs

@@ -0,0 +1,75 @@
+using Microsoft.EntityFrameworkCore;
+using ZB.MOM.WW.OtOpcUa.Configuration;
+using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+using ZB.MOM.WW.OtOpcUa.Configuration.Validation;
+
+namespace ZB.MOM.WW.OtOpcUa.Admin.Services;
+
+/// <summary>
+///     Equipment CRUD scoped to a generation. The Admin app writes against Draft generations only;
+///     Published generations are read-only (to create changes, clone to a new draft via
+///     <see cref="GenerationService.CreateDraftAsync"/>).
+/// </summary>
+public sealed class EquipmentService(OtOpcUaConfigDbContext db)
+{
+    public Task<List<Equipment>> ListAsync(long generationId, CancellationToken ct) =>
+        db.Equipment.AsNoTracking()
+            .Where(e => e.GenerationId == generationId)
+            .OrderBy(e => e.Name)
+            .ToListAsync(ct);
+
+    public Task<Equipment?> FindAsync(long generationId, string equipmentId, CancellationToken ct) =>
+        db.Equipment.AsNoTracking()
+            .FirstOrDefaultAsync(e => e.GenerationId == generationId && e.EquipmentId == equipmentId, ct);
+
+    /// <summary>
+    ///     Creates a new equipment row in the given draft. The EquipmentId is auto-derived from
+    ///     a fresh EquipmentUuid per decision #125; operator-supplied IDs are rejected upstream.
+    /// </summary>
+    public async Task<Equipment> CreateAsync(long draftId, Equipment input, CancellationToken ct)
+    {
+        input.GenerationId = draftId;
+        input.EquipmentUuid = input.EquipmentUuid == Guid.Empty ? Guid.NewGuid() : input.EquipmentUuid;
+        input.EquipmentId = DraftValidator.DeriveEquipmentId(input.EquipmentUuid);
+        db.Equipment.Add(input);
+        await db.SaveChangesAsync(ct);
+        return input;
+    }
+
+    public async Task UpdateAsync(Equipment updated, CancellationToken ct)
+    {
+        // Only editable fields are persisted; EquipmentId + EquipmentUuid are immutable once set.
+        var existing = await db.Equipment
+            .FirstOrDefaultAsync(e => e.EquipmentRowId == updated.EquipmentRowId, ct)
+            ?? throw new InvalidOperationException($"Equipment row {updated.EquipmentRowId} not found");
+
+        existing.Name = updated.Name;
+        existing.MachineCode = updated.MachineCode;
+        existing.ZTag = updated.ZTag;
+        existing.SAPID = updated.SAPID;
+        existing.Manufacturer = updated.Manufacturer;
+        existing.Model = updated.Model;
+        existing.SerialNumber = updated.SerialNumber;
+        existing.HardwareRevision = updated.HardwareRevision;
+        existing.SoftwareRevision = updated.SoftwareRevision;
+        existing.YearOfConstruction = updated.YearOfConstruction;
+        existing.AssetLocation = updated.AssetLocation;
+        existing.ManufacturerUri = updated.ManufacturerUri;
+        existing.DeviceManualUri = updated.DeviceManualUri;
+        existing.DriverInstanceId = updated.DriverInstanceId;
+        existing.DeviceId = updated.DeviceId;
+        existing.UnsLineId = updated.UnsLineId;
+        existing.EquipmentClassRef = updated.EquipmentClassRef;
+        existing.Enabled = updated.Enabled;
+
+        await db.SaveChangesAsync(ct);
+    }
+
+    public async Task DeleteAsync(Guid equipmentRowId, CancellationToken ct)
+    {
+        var row = await db.Equipment.FirstOrDefaultAsync(e => e.EquipmentRowId == equipmentRowId, ct);
+        if (row is null) return;
+        db.Equipment.Remove(row);
+        await db.SaveChangesAsync(ct);
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Admin/Services/GenerationService.cs

@@ -0,0 +1,71 @@
+using Microsoft.Data.SqlClient;
+using Microsoft.EntityFrameworkCore;
+using ZB.MOM.WW.OtOpcUa.Configuration;
+using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+
+namespace ZB.MOM.WW.OtOpcUa.Admin.Services;
+
+/// <summary>
+///     Owns the draft → diff → publish workflow (decision #89). Publish + rollback call into the
+///     stored procedures; diff queries <c>sp_ComputeGenerationDiff</c>.
+/// </summary>
+public sealed class GenerationService(OtOpcUaConfigDbContext db)
+{
+    public async Task<ConfigGeneration> CreateDraftAsync(string clusterId, string createdBy, CancellationToken ct)
+    {
+        var gen = new ConfigGeneration
+        {
+            ClusterId = clusterId,
+            Status = GenerationStatus.Draft,
+            CreatedBy = createdBy,
+            CreatedAt = DateTime.UtcNow,
+        };
+        db.ConfigGenerations.Add(gen);
+        await db.SaveChangesAsync(ct);
+        return gen;
+    }
+
+    public Task<List<ConfigGeneration>> ListRecentAsync(string clusterId, int limit, CancellationToken ct) =>
+        db.ConfigGenerations.AsNoTracking()
+            .Where(g => g.ClusterId == clusterId)
+            .OrderByDescending(g => g.GenerationId)
+            .Take(limit)
+            .ToListAsync(ct);
+
+    public async Task PublishAsync(string clusterId, long draftGenerationId, string? notes, CancellationToken ct)
+    {
+        await db.Database.ExecuteSqlRawAsync(
+            "EXEC dbo.sp_PublishGeneration @ClusterId = {0}, @DraftGenerationId = {1}, @Notes = {2}",
+            [clusterId, draftGenerationId, (object?)notes ?? DBNull.Value],
+            ct);
+    }
+
+    public async Task RollbackAsync(string clusterId, long targetGenerationId, string? notes, CancellationToken ct)
+    {
+        await db.Database.ExecuteSqlRawAsync(
+            "EXEC dbo.sp_RollbackToGeneration @ClusterId = {0}, @TargetGenerationId = {1}, @Notes = {2}",
+            [clusterId, targetGenerationId, (object?)notes ?? DBNull.Value],
+            ct);
+    }
+
+    public async Task<List<DiffRow>> ComputeDiffAsync(long from, long to, CancellationToken ct)
+    {
+        var results = new List<DiffRow>();
+        await using var conn = (SqlConnection)db.Database.GetDbConnection();
+        if (conn.State != System.Data.ConnectionState.Open) await conn.OpenAsync(ct);
+
+        await using var cmd = conn.CreateCommand();
+        cmd.CommandText = "EXEC dbo.sp_ComputeGenerationDiff @FromGenerationId = @f, @ToGenerationId = @t";
+        cmd.Parameters.AddWithValue("@f", from);
+        cmd.Parameters.AddWithValue("@t", to);
+
+        await using var reader = await cmd.ExecuteReaderAsync(ct);
+        while (await reader.ReadAsync(ct))
+            results.Add(new DiffRow(reader.GetString(0), reader.GetString(1), reader.GetString(2)));
+
+        return results;
+    }
+}
+
+public sealed record DiffRow(string TableName, string LogicalId, string ChangeKind);

src/ZB.MOM.WW.OtOpcUa.Admin/Services/NamespaceService.cs

@@ -0,0 +1,31 @@
+using Microsoft.EntityFrameworkCore;
+using ZB.MOM.WW.OtOpcUa.Configuration;
+using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+
+namespace ZB.MOM.WW.OtOpcUa.Admin.Services;
+
+public sealed class NamespaceService(OtOpcUaConfigDbContext db)
+{
+    public Task<List<Namespace>> ListAsync(long generationId, CancellationToken ct) =>
+        db.Namespaces.AsNoTracking()
+            .Where(n => n.GenerationId == generationId)
+            .OrderBy(n => n.NamespaceId)
+            .ToListAsync(ct);
+
+    public async Task<Namespace> AddAsync(
+        long draftId, string clusterId, string namespaceUri, NamespaceKind kind, CancellationToken ct)
+    {
+        var ns = new Namespace
+        {
+            GenerationId = draftId,
+            NamespaceId = $"ns-{Guid.NewGuid():N}"[..20],
+            ClusterId = clusterId,
+            NamespaceUri = namespaceUri,
+            Kind = kind,
+        };
+        db.Namespaces.Add(ns);
+        await db.SaveChangesAsync(ct);
+        return ns;
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Admin/Services/NodeAclService.cs

@@ -0,0 +1,44 @@
+using Microsoft.EntityFrameworkCore;
+using ZB.MOM.WW.OtOpcUa.Configuration;
+using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+
+namespace ZB.MOM.WW.OtOpcUa.Admin.Services;
+
+public sealed class NodeAclService(OtOpcUaConfigDbContext db)
+{
+    public Task<List<NodeAcl>> ListAsync(long generationId, CancellationToken ct) =>
+        db.NodeAcls.AsNoTracking()
+            .Where(a => a.GenerationId == generationId)
+            .OrderBy(a => a.LdapGroup)
+            .ThenBy(a => a.ScopeKind)
+            .ToListAsync(ct);
+
+    public async Task<NodeAcl> GrantAsync(
+        long draftId, string clusterId, string ldapGroup, NodeAclScopeKind scopeKind, string? scopeId,
+        NodePermissions permissions, string? notes, CancellationToken ct)
+    {
+        var acl = new NodeAcl
+        {
+            GenerationId = draftId,
+            NodeAclId = $"acl-{Guid.NewGuid():N}"[..20],
+            ClusterId = clusterId,
+            LdapGroup = ldapGroup,
+            ScopeKind = scopeKind,
+            ScopeId = scopeId,
+            PermissionFlags = permissions,
+            Notes = notes,
+        };
+        db.NodeAcls.Add(acl);
+        await db.SaveChangesAsync(ct);
+        return acl;
+    }
+
+    public async Task RevokeAsync(Guid nodeAclRowId, CancellationToken ct)
+    {
+        var row = await db.NodeAcls.FirstOrDefaultAsync(a => a.NodeAclRowId == nodeAclRowId, ct);
+        if (row is null) return;
+        db.NodeAcls.Remove(row);
+        await db.SaveChangesAsync(ct);
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Admin/Services/ReservationService.cs

@@ -0,0 +1,38 @@
+using Microsoft.Data.SqlClient;
+using Microsoft.EntityFrameworkCore;
+using ZB.MOM.WW.OtOpcUa.Configuration;
+using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+
+namespace ZB.MOM.WW.OtOpcUa.Admin.Services;
+
+/// <summary>
+///     Fleet-wide external-ID reservation inspector + FleetAdmin-only release flow per
+///     <c>admin-ui.md §"Release an external-ID reservation"</c>. Release is audit-logged
+///     (<see cref="ConfigAuditLog"/>) via <c>sp_ReleaseExternalIdReservation</c>.
+/// </summary>
+public sealed class ReservationService(OtOpcUaConfigDbContext db)
+{
+    public Task<List<ExternalIdReservation>> ListActiveAsync(CancellationToken ct) =>
+        db.ExternalIdReservations.AsNoTracking()
+            .Where(r => r.ReleasedAt == null)
+            .OrderBy(r => r.Kind).ThenBy(r => r.Value)
+            .ToListAsync(ct);
+
+    public Task<List<ExternalIdReservation>> ListReleasedAsync(CancellationToken ct) =>
+        db.ExternalIdReservations.AsNoTracking()
+            .Where(r => r.ReleasedAt != null)
+            .OrderByDescending(r => r.ReleasedAt)
+            .Take(100)
+            .ToListAsync(ct);
+
+    public async Task ReleaseAsync(string kind, string value, string reason, CancellationToken ct)
+    {
+        if (string.IsNullOrWhiteSpace(reason))
+            throw new ArgumentException("ReleaseReason is required (audit invariant)", nameof(reason));
+
+        await db.Database.ExecuteSqlRawAsync(
+            "EXEC dbo.sp_ReleaseExternalIdReservation @Kind = {0}, @Value = {1}, @ReleaseReason = {2}",
+            [kind, value, reason],
+            ct);
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Admin/Services/UnsService.cs

@@ -0,0 +1,50 @@
+using Microsoft.EntityFrameworkCore;
+using ZB.MOM.WW.OtOpcUa.Configuration;
+using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+
+namespace ZB.MOM.WW.OtOpcUa.Admin.Services;
+
+public sealed class UnsService(OtOpcUaConfigDbContext db)
+{
+    public Task<List<UnsArea>> ListAreasAsync(long generationId, CancellationToken ct) =>
+        db.UnsAreas.AsNoTracking()
+            .Where(a => a.GenerationId == generationId)
+            .OrderBy(a => a.Name)
+            .ToListAsync(ct);
+
+    public Task<List<UnsLine>> ListLinesAsync(long generationId, CancellationToken ct) =>
+        db.UnsLines.AsNoTracking()
+            .Where(l => l.GenerationId == generationId)
+            .OrderBy(l => l.Name)
+            .ToListAsync(ct);
+
+    public async Task<UnsArea> AddAreaAsync(long draftId, string clusterId, string name, string? notes, CancellationToken ct)
+    {
+        var area = new UnsArea
+        {
+            GenerationId = draftId,
+            UnsAreaId = $"area-{Guid.NewGuid():N}"[..20],
+            ClusterId = clusterId,
+            Name = name,
+            Notes = notes,
+        };
+        db.UnsAreas.Add(area);
+        await db.SaveChangesAsync(ct);
+        return area;
+    }
+
+    public async Task<UnsLine> AddLineAsync(long draftId, string unsAreaId, string name, string? notes, CancellationToken ct)
+    {
+        var line = new UnsLine
+        {
+            GenerationId = draftId,
+            UnsLineId = $"line-{Guid.NewGuid():N}"[..20],
+            UnsAreaId = unsAreaId,
+            Name = name,
+            Notes = notes,
+        };
+        db.UnsLines.Add(line);
+        await db.SaveChangesAsync(ct);
+        return line;
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Admin/ZB.MOM.WW.OtOpcUa.Admin.csproj

@@ -0,0 +1,34 @@
+<Project Sdk="Microsoft.NET.Sdk.Web">
+
+    <PropertyGroup>
+        <TargetFramework>net10.0</TargetFramework>
+        <Nullable>enable</Nullable>
+        <ImplicitUsings>enable</ImplicitUsings>
+        <LangVersion>latest</LangVersion>
+        <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
+        <NoWarn>$(NoWarn);CS1591</NoWarn>
+        <RootNamespace>ZB.MOM.WW.OtOpcUa.Admin</RootNamespace>
+        <AssemblyName>OtOpcUa.Admin</AssemblyName>
+    </PropertyGroup>
+
+    <ItemGroup>
+        <PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer" Version="10.0.0"/>
+        <PackageReference Include="Novell.Directory.Ldap.NETStandard" Version="3.6.0"/>
+        <PackageReference Include="Microsoft.AspNetCore.SignalR.Client" Version="10.0.0"/>
+        <PackageReference Include="Serilog.AspNetCore" Version="9.0.0"/>
+    </ItemGroup>
+
+    <ItemGroup>
+        <ProjectReference Include="..\ZB.MOM.WW.OtOpcUa.Configuration\ZB.MOM.WW.OtOpcUa.Configuration.csproj"/>
+    </ItemGroup>
+
+    <ItemGroup>
+        <InternalsVisibleTo Include="ZB.MOM.WW.OtOpcUa.Admin.Tests"/>
+    </ItemGroup>
+
+    <ItemGroup>
+        <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-37gx-xxp4-5rgx"/>
+        <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-w3x6-4m5h-cxqf"/>
+    </ItemGroup>
+
+</Project>

src/ZB.MOM.WW.OtOpcUa.Admin/appsettings.json

@@ -0,0 +1,27 @@
+{
+  "ConnectionStrings": {
+    "ConfigDb": "Server=localhost,14330;Database=OtOpcUaConfig;User Id=sa;Password=OtOpcUaDev_2026!;TrustServerCertificate=True;Encrypt=False;"
+  },
+  "Authentication": {
+    "Ldap": {
+      "Enabled": true,
+      "Server": "localhost",
+      "Port": 3893,
+      "UseTls": false,
+      "AllowInsecureLdap": true,
+      "SearchBase": "dc=lmxopcua,dc=local",
+      "ServiceAccountDn": "cn=serviceaccount,ou=svcaccts,dc=lmxopcua,dc=local",
+      "ServiceAccountPassword": "serviceaccount123",
+      "DisplayNameAttribute": "cn",
+      "GroupAttribute": "memberOf",
+      "GroupToRole": {
+        "ReadOnly": "ConfigViewer",
+        "ReadWrite": "ConfigEditor",
+        "AlarmAck": "FleetAdmin"
+      }
+    }
+  },
+  "Serilog": {
+    "MinimumLevel": "Information"
+  }
+}

src/ZB.MOM.WW.OtOpcUa.Admin/wwwroot/app.css

@@ -0,0 +1,3 @@
+/* OtOpcUa Admin — ScadaLink-parity palette. Keep it minimal here; lean on Bootstrap 5. */
+body { background-color: #f5f6fa; }
+.nav-link.active { background-color: rgba(255,255,255,0.1); border-radius: 4px; }

src/ZB.MOM.WW.OtOpcUa.Configuration/Apply/ApplyCallbacks.cs

@@ -0,0 +1,19 @@
+using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Apply;
+
+/// <summary>
+///     Host-supplied callbacks invoked as the applier walks the diff. Callbacks are idempotent on
+///     retry (the applier may re-invoke with the same inputs if a later stage fails — nodes
+///     register-applied to the central DB only after success). Order: namespace → driver → device →
+///     equipment → poll group → tag, with Removed before Added/Modified.
+/// </summary>
+public sealed class ApplyCallbacks
+{
+    public Func<EntityChange<Namespace>, CancellationToken, Task>? OnNamespace { get; init; }
+    public Func<EntityChange<DriverInstance>, CancellationToken, Task>? OnDriver { get; init; }
+    public Func<EntityChange<Device>, CancellationToken, Task>? OnDevice { get; init; }
+    public Func<EntityChange<Equipment>, CancellationToken, Task>? OnEquipment { get; init; }
+    public Func<EntityChange<PollGroup>, CancellationToken, Task>? OnPollGroup { get; init; }
+    public Func<EntityChange<Tag>, CancellationToken, Task>? OnTag { get; init; }
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/Apply/ChangeKind.cs

@@ -0,0 +1,8 @@
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Apply;
+
+public enum ChangeKind
+{
+    Added,
+    Removed,
+    Modified,
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/Apply/GenerationApplier.cs

@@ -0,0 +1,48 @@
+using ZB.MOM.WW.OtOpcUa.Configuration.Validation;
+
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Apply;
+
+public sealed class GenerationApplier(ApplyCallbacks callbacks) : IGenerationApplier
+{
+    public async Task<ApplyResult> ApplyAsync(DraftSnapshot? from, DraftSnapshot to, CancellationToken ct)
+    {
+        var diff = GenerationDiffer.Compute(from, to);
+        var errors = new List<string>();
+
+        // Removed first, then Added/Modified — prevents FK dangling while cascades settle.
+        await ApplyPass(diff.Tags, ChangeKind.Removed, callbacks.OnTag, errors, ct);
+        await ApplyPass(diff.PollGroups, ChangeKind.Removed, callbacks.OnPollGroup, errors, ct);
+        await ApplyPass(diff.Equipment, ChangeKind.Removed, callbacks.OnEquipment, errors, ct);
+        await ApplyPass(diff.Devices, ChangeKind.Removed, callbacks.OnDevice, errors, ct);
+        await ApplyPass(diff.Drivers, ChangeKind.Removed, callbacks.OnDriver, errors, ct);
+        await ApplyPass(diff.Namespaces, ChangeKind.Removed, callbacks.OnNamespace, errors, ct);
+
+        foreach (var kind in new[] { ChangeKind.Added, ChangeKind.Modified })
+        {
+            await ApplyPass(diff.Namespaces, kind, callbacks.OnNamespace, errors, ct);
+            await ApplyPass(diff.Drivers, kind, callbacks.OnDriver, errors, ct);
+            await ApplyPass(diff.Devices, kind, callbacks.OnDevice, errors, ct);
+            await ApplyPass(diff.Equipment, kind, callbacks.OnEquipment, errors, ct);
+            await ApplyPass(diff.PollGroups, kind, callbacks.OnPollGroup, errors, ct);
+            await ApplyPass(diff.Tags, kind, callbacks.OnTag, errors, ct);
+        }
+
+        return errors.Count == 0 ? ApplyResult.Ok(diff) : ApplyResult.Fail(diff, errors);
+    }
+
+    private static async Task ApplyPass<T>(
+        IReadOnlyList<EntityChange<T>> changes,
+        ChangeKind kind,
+        Func<EntityChange<T>, CancellationToken, Task>? callback,
+        List<string> errors,
+        CancellationToken ct)
+    {
+        if (callback is null) return;
+
+        foreach (var change in changes.Where(c => c.Kind == kind))
+        {
+            try { await callback(change, ct); }
+            catch (Exception ex) { errors.Add($"{typeof(T).Name} {change.Kind} '{change.LogicalId}': {ex.Message}"); }
+        }
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/Apply/GenerationDiff.cs

@@ -0,0 +1,70 @@
+using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+using ZB.MOM.WW.OtOpcUa.Configuration.Validation;
+
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Apply;
+
+/// <summary>
+///     Per-entity diff computed locally on the node. The enumerable order matches the dependency
+///     order expected by <see cref="IGenerationApplier"/>: namespace → driver → device → equipment →
+///     poll group → tag → ACL, with Removed processed before Added inside each bucket so cascades
+///     settle before new rows appear.
+/// </summary>
+public sealed record GenerationDiff(
+    IReadOnlyList<EntityChange<Namespace>> Namespaces,
+    IReadOnlyList<EntityChange<DriverInstance>> Drivers,
+    IReadOnlyList<EntityChange<Device>> Devices,
+    IReadOnlyList<EntityChange<Equipment>> Equipment,
+    IReadOnlyList<EntityChange<PollGroup>> PollGroups,
+    IReadOnlyList<EntityChange<Tag>> Tags);
+
+public sealed record EntityChange<T>(ChangeKind Kind, string LogicalId, T? From, T? To);
+
+public static class GenerationDiffer
+{
+    public static GenerationDiff Compute(DraftSnapshot? from, DraftSnapshot to)
+    {
+        from ??= new DraftSnapshot { GenerationId = 0, ClusterId = to.ClusterId };
+
+        return new GenerationDiff(
+            Namespaces: DiffById(from.Namespaces, to.Namespaces, x => x.NamespaceId,
+                (a, b) => (a.ClusterId, a.NamespaceUri, a.Kind, a.Enabled, a.Notes)
+                      == (b.ClusterId, b.NamespaceUri, b.Kind, b.Enabled, b.Notes)),
+            Drivers: DiffById(from.DriverInstances, to.DriverInstances, x => x.DriverInstanceId,
+                (a, b) => (a.ClusterId, a.NamespaceId, a.Name, a.DriverType, a.Enabled, a.DriverConfig)
+                      == (b.ClusterId, b.NamespaceId, b.Name, b.DriverType, b.Enabled, b.DriverConfig)),
+            Devices: DiffById(from.Devices, to.Devices, x => x.DeviceId,
+                (a, b) => (a.DriverInstanceId, a.Name, a.Enabled, a.DeviceConfig)
+                      == (b.DriverInstanceId, b.Name, b.Enabled, b.DeviceConfig)),
+            Equipment: DiffById(from.Equipment, to.Equipment, x => x.EquipmentId,
+                (a, b) => (a.EquipmentUuid, a.DriverInstanceId, a.UnsLineId, a.Name, a.MachineCode, a.ZTag, a.SAPID, a.Enabled)
+                      == (b.EquipmentUuid, b.DriverInstanceId, b.UnsLineId, b.Name, b.MachineCode, b.ZTag, b.SAPID, b.Enabled)),
+            PollGroups: DiffById(from.PollGroups, to.PollGroups, x => x.PollGroupId,
+                (a, b) => (a.DriverInstanceId, a.Name, a.IntervalMs)
+                      == (b.DriverInstanceId, b.Name, b.IntervalMs)),
+            Tags: DiffById(from.Tags, to.Tags, x => x.TagId,
+                (a, b) => (a.DriverInstanceId, a.DeviceId, a.EquipmentId, a.PollGroupId, a.FolderPath, a.Name, a.DataType, a.AccessLevel, a.WriteIdempotent, a.TagConfig)
+                      == (b.DriverInstanceId, b.DeviceId, b.EquipmentId, b.PollGroupId, b.FolderPath, b.Name, b.DataType, b.AccessLevel, b.WriteIdempotent, b.TagConfig)));
+    }
+
+    private static List<EntityChange<T>> DiffById<T>(
+        IReadOnlyList<T> from, IReadOnlyList<T> to,
+        Func<T, string> id, Func<T, T, bool> equal)
+    {
+        var fromById = from.ToDictionary(id);
+        var toById = to.ToDictionary(id);
+        var result = new List<EntityChange<T>>();
+
+        foreach (var (logicalId, src) in fromById.Where(kv => !toById.ContainsKey(kv.Key)))
+            result.Add(new(ChangeKind.Removed, logicalId, src, default));
+
+        foreach (var (logicalId, dst) in toById)
+        {
+            if (!fromById.TryGetValue(logicalId, out var src))
+                result.Add(new(ChangeKind.Added, logicalId, default, dst));
+            else if (!equal(src, dst))
+                result.Add(new(ChangeKind.Modified, logicalId, src, dst));
+        }
+
+        return result;
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/Apply/IGenerationApplier.cs

@@ -0,0 +1,23 @@
+using ZB.MOM.WW.OtOpcUa.Configuration.Validation;
+
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Apply;
+
+/// <summary>
+///     Applies a <see cref="GenerationDiff"/> to whatever backing runtime the node owns: the OPC UA
+///     address space, driver subscriptions, the local cache, etc. The Core project wires concrete
+///     callbacks into this via <see cref="ApplyCallbacks"/> so the Configuration project stays free
+///     of a Core/Server dependency (interface independence per decision #59).
+/// </summary>
+public interface IGenerationApplier
+{
+    Task<ApplyResult> ApplyAsync(DraftSnapshot? from, DraftSnapshot to, CancellationToken ct);
+}
+
+public sealed record ApplyResult(
+    bool Succeeded,
+    GenerationDiff Diff,
+    IReadOnlyList<string> Errors)
+{
+    public static ApplyResult Ok(GenerationDiff diff) => new(true, diff, []);
+    public static ApplyResult Fail(GenerationDiff diff, IReadOnlyList<string> errors) => new(false, diff, errors);
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/DesignTimeDbContextFactory.cs

@@ -0,0 +1,28 @@
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Design;
+
+namespace ZB.MOM.WW.OtOpcUa.Configuration;
+
+/// <summary>
+///     Used by <c>dotnet ef</c> at design time (migrations, scaffolding). Reads the connection string
+///     from the <c>OTOPCUA_CONFIG_CONNECTION</c> environment variable, falling back to the local dev
+///     container on <c>localhost:1433</c>.
+/// </summary>
+public sealed class DesignTimeDbContextFactory : IDesignTimeDbContextFactory<OtOpcUaConfigDbContext>
+{
+    // Host-port 14330 avoids collision with the native MSSQL14 instance on 1433 (Galaxy "ZB" DB).
+    private const string DefaultConnectionString =
+        "Server=localhost,14330;Database=OtOpcUaConfig;User Id=sa;Password=OtOpcUaDev_2026!;TrustServerCertificate=True;Encrypt=False;";
+
+    public OtOpcUaConfigDbContext CreateDbContext(string[] args)
+    {
+        var connection = Environment.GetEnvironmentVariable("OTOPCUA_CONFIG_CONNECTION")
+                         ?? DefaultConnectionString;
+
+        var options = new DbContextOptionsBuilder<OtOpcUaConfigDbContext>()
+            .UseSqlServer(connection, sql => sql.MigrationsAssembly(typeof(OtOpcUaConfigDbContext).Assembly.FullName))
+            .Options;
+
+        return new OtOpcUaConfigDbContext(options);
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/Entities/ClusterNode.cs

@@ -0,0 +1,51 @@
+using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+
+/// <summary>Physical OPC UA server node within a <see cref="ServerCluster"/>.</summary>
+public sealed class ClusterNode
+{
+    /// <summary>Stable per-machine logical ID, e.g. "LINE3-OPCUA-A".</summary>
+    public required string NodeId { get; set; }
+
+    public required string ClusterId { get; set; }
+
+    public required RedundancyRole RedundancyRole { get; set; }
+
+    /// <summary>Machine hostname / IP.</summary>
+    public required string Host { get; set; }
+
+    public int OpcUaPort { get; set; } = 4840;
+
+    public int DashboardPort { get; set; } = 8081;
+
+    /// <summary>
+    ///     OPC UA <c>ApplicationUri</c> — MUST be unique per node per OPC UA spec. Clients pin trust here.
+    ///     Fleet-wide unique index enforces no two nodes share a value (decision #86).
+    ///     Stored explicitly, NOT derived from <see cref="Host"/> at runtime — silent rewrite on
+    ///     hostname change would break all client trust.
+    /// </summary>
+    public required string ApplicationUri { get; set; }
+
+    /// <summary>Primary = 200, Secondary = 150 by default.</summary>
+    public byte ServiceLevelBase { get; set; } = 200;
+
+    /// <summary>
+    ///     Per-node override JSON keyed by DriverInstanceId, merged onto cluster-level DriverConfig
+    ///     at apply time. Minimal by intent (decision #81). Nullable when no overrides exist.
+    /// </summary>
+    public string? DriverConfigOverridesJson { get; set; }
+
+    public bool Enabled { get; set; } = true;
+
+    public DateTime? LastSeenAt { get; set; }
+
+    public DateTime CreatedAt { get; set; } = DateTime.UtcNow;
+
+    public required string CreatedBy { get; set; }
+
+    // Navigation
+    public ServerCluster? Cluster { get; set; }
+    public ICollection<ClusterNodeCredential> Credentials { get; set; } = [];
+    public ClusterNodeGenerationState? GenerationState { get; set; }
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/Entities/ClusterNodeCredential.cs

@@ -0,0 +1,29 @@
+using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+
+/// <summary>
+///     Authenticates a <see cref="ClusterNode"/> to the central config DB.
+///     Per decision #83 — credentials bind to NodeId, not ClusterId.
+/// </summary>
+public sealed class ClusterNodeCredential
+{
+    public Guid CredentialId { get; set; }
+
+    public required string NodeId { get; set; }
+
+    public required CredentialKind Kind { get; set; }
+
+    /// <summary>Login name / cert thumbprint / SID / gMSA name.</summary>
+    public required string Value { get; set; }
+
+    public bool Enabled { get; set; } = true;
+
+    public DateTime? RotatedAt { get; set; }
+
+    public DateTime CreatedAt { get; set; } = DateTime.UtcNow;
+
+    public required string CreatedBy { get; set; }
+
+    public ClusterNode? Node { get; set; }
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/Entities/ClusterNodeGenerationState.cs

@@ -0,0 +1,26 @@
+using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+
+/// <summary>
+///     Tracks which generation each node has applied. Per-node (not per-cluster) — both nodes of a
+///     2-node cluster track independently per decision #84.
+/// </summary>
+public sealed class ClusterNodeGenerationState
+{
+    public required string NodeId { get; set; }
+
+    public long? CurrentGenerationId { get; set; }
+
+    public DateTime? LastAppliedAt { get; set; }
+
+    public NodeApplyStatus? LastAppliedStatus { get; set; }
+
+    public string? LastAppliedError { get; set; }
+
+    /// <summary>Updated on every poll for liveness detection.</summary>
+    public DateTime? LastSeenAt { get; set; }
+
+    public ClusterNode? Node { get; set; }
+    public ConfigGeneration? CurrentGeneration { get; set; }
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/Entities/ConfigAuditLog.cs

@@ -0,0 +1,25 @@
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+
+/// <summary>
+///     Append-only audit log for every config write + authorization-check event. Grants revoked for
+///     UPDATE / DELETE on all principals (enforced by the authorization migration in B.3).
+/// </summary>
+public sealed class ConfigAuditLog
+{
+    public long AuditId { get; set; }
+
+    public DateTime Timestamp { get; set; } = DateTime.UtcNow;
+
+    public required string Principal { get; set; }
+
+    /// <summary>DraftCreated | DraftEdited | Published | RolledBack | NodeApplied | CredentialAdded | CredentialDisabled | ClusterCreated | NodeAdded | ExternalIdReleased | CrossClusterNamespaceAttempt | OpcUaAccessDenied | …</summary>
+    public required string EventType { get; set; }
+
+    public string? ClusterId { get; set; }
+
+    public string? NodeId { get; set; }
+
+    public long? GenerationId { get; set; }
+
+    public string? DetailsJson { get; set; }
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/Entities/ConfigGeneration.cs

@@ -0,0 +1,32 @@
+using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+
+/// <summary>
+///     Atomic, immutable snapshot of one cluster's configuration.
+///     Per decision #82 — cluster-scoped, not fleet-scoped.
+/// </summary>
+public sealed class ConfigGeneration
+{
+    /// <summary>Monotonically increasing ID, generated by <c>IDENTITY(1, 1)</c>.</summary>
+    public long GenerationId { get; set; }
+
+    public required string ClusterId { get; set; }
+
+    public required GenerationStatus Status { get; set; }
+
+    public long? ParentGenerationId { get; set; }
+
+    public DateTime? PublishedAt { get; set; }
+
+    public string? PublishedBy { get; set; }
+
+    public string? Notes { get; set; }
+
+    public DateTime CreatedAt { get; set; } = DateTime.UtcNow;
+
+    public required string CreatedBy { get; set; }
+
+    public ServerCluster? Cluster { get; set; }
+    public ConfigGeneration? Parent { get; set; }
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/Entities/Device.cs

@@ -0,0 +1,23 @@
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+
+/// <summary>Per-device row for multi-device drivers (Modbus, AB CIP). Optional for single-device drivers.</summary>
+public sealed class Device
+{
+    public Guid DeviceRowId { get; set; }
+
+    public long GenerationId { get; set; }
+
+    public required string DeviceId { get; set; }
+
+    /// <summary>Logical FK to <see cref="DriverInstance.DriverInstanceId"/>.</summary>
+    public required string DriverInstanceId { get; set; }
+
+    public required string Name { get; set; }
+
+    public bool Enabled { get; set; } = true;
+
+    /// <summary>Schemaless per-driver-type device config (host, port, unit ID, slot, etc.).</summary>
+    public required string DeviceConfig { get; set; }
+
+    public ConfigGeneration? Generation { get; set; }
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/Entities/DriverInstance.cs

@@ -0,0 +1,32 @@
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+
+/// <summary>One driver instance in a cluster's generation. JSON config is schemaless per-driver-type.</summary>
+public sealed class DriverInstance
+{
+    public Guid DriverInstanceRowId { get; set; }
+
+    public long GenerationId { get; set; }
+
+    public required string DriverInstanceId { get; set; }
+
+    public required string ClusterId { get; set; }
+
+    /// <summary>
+    ///     Logical FK to <see cref="Namespace.NamespaceId"/>. Same-cluster binding enforced by
+    ///     <c>sp_ValidateDraft</c> per decision #122: Namespace.ClusterId must equal DriverInstance.ClusterId.
+    /// </summary>
+    public required string NamespaceId { get; set; }
+
+    public required string Name { get; set; }
+
+    /// <summary>Galaxy | ModbusTcp | AbCip | AbLegacy | S7 | TwinCat | Focas | OpcUaClient</summary>
+    public required string DriverType { get; set; }
+
+    public bool Enabled { get; set; } = true;
+
+    /// <summary>Schemaless per-driver-type JSON config. Validated against registered JSON schema at draft-publish time (decision #91).</summary>
+    public required string DriverConfig { get; set; }
+
+    public ConfigGeneration? Generation { get; set; }
+    public ServerCluster? Cluster { get; set; }
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/Entities/Equipment.cs

@@ -0,0 +1,64 @@
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+
+/// <summary>
+///     UNS level-5 entity. Only for drivers in Equipment-kind namespaces.
+///     Per decisions #109 (first-class), #116 (5-identifier model), #125 (system-generated EquipmentId),
+///     #138–139 (OPC 40010 Identification fields as first-class columns).
+/// </summary>
+public sealed class Equipment
+{
+    public Guid EquipmentRowId { get; set; }
+
+    public long GenerationId { get; set; }
+
+    /// <summary>
+    ///     System-generated stable internal logical ID. Format: <c>'EQ-' + first 12 hex chars of EquipmentUuid</c>.
+    ///     NEVER operator-supplied, NEVER in CSV imports, NEVER editable in Admin UI (decision #125).
+    /// </summary>
+    public required string EquipmentId { get; set; }
+
+    /// <summary>UUIDv4, IMMUTABLE across all generations of the same EquipmentId. Downstream-consumer join key.</summary>
+    public Guid EquipmentUuid { get; set; }
+
+    /// <summary>Logical FK to the driver providing data for this equipment.</summary>
+    public required string DriverInstanceId { get; set; }
+
+    /// <summary>Optional logical FK to a multi-device driver's device.</summary>
+    public string? DeviceId { get; set; }
+
+    /// <summary>Logical FK to <see cref="UnsLine.UnsLineId"/>.</summary>
+    public required string UnsLineId { get; set; }
+
+    /// <summary>UNS level 5 segment, matches <c>^[a-z0-9-]{1,32}$</c>.</summary>
+    public required string Name { get; set; }
+
+    // Operator-facing / external-system identifiers (decision #116)
+
+    /// <summary>Operator colloquial id (e.g. "machine_001"). Unique within cluster. Required.</summary>
+    public required string MachineCode { get; set; }
+
+    /// <summary>ERP equipment id. Unique fleet-wide via <see cref="ExternalIdReservation"/>. Primary browse identifier in Admin UI.</summary>
+    public string? ZTag { get; set; }
+
+    /// <summary>SAP PM equipment id. Unique fleet-wide via <see cref="ExternalIdReservation"/>.</summary>
+    public string? SAPID { get; set; }
+
+    // OPC UA Companion Spec OPC 40010 Machinery Identification fields (decision #139).
+    // All nullable so equipment can be added before identity is fully captured.
+    public string? Manufacturer { get; set; }
+    public string? Model { get; set; }
+    public string? SerialNumber { get; set; }
+    public string? HardwareRevision { get; set; }
+    public string? SoftwareRevision { get; set; }
+    public short? YearOfConstruction { get; set; }
+    public string? AssetLocation { get; set; }
+    public string? ManufacturerUri { get; set; }
+    public string? DeviceManualUri { get; set; }
+
+    /// <summary>Nullable hook for future schemas-repo template ID (decision #112).</summary>
+    public string? EquipmentClassRef { get; set; }
+
+    public bool Enabled { get; set; } = true;
+
+    public ConfigGeneration? Generation { get; set; }
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/Entities/ExternalIdReservation.cs

@@ -0,0 +1,36 @@
+using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+
+/// <summary>
+///     Fleet-wide rollback-safe reservation of ZTag and SAPID. Per decision #124 — NOT generation-versioned.
+///     Exists outside generation flow specifically because old generations and disabled equipment can
+///     still hold the same external IDs; per-generation uniqueness indexes fail under rollback/re-enable.
+/// </summary>
+public sealed class ExternalIdReservation
+{
+    public Guid ReservationId { get; set; }
+
+    public required ReservationKind Kind { get; set; }
+
+    public required string Value { get; set; }
+
+    /// <summary>The equipment that owns this reservation. Stays bound even when equipment is disabled.</summary>
+    public Guid EquipmentUuid { get; set; }
+
+    /// <summary>First cluster to publish this reservation.</summary>
+    public required string ClusterId { get; set; }
+
+    public DateTime FirstPublishedAt { get; set; } = DateTime.UtcNow;
+
+    public required string FirstPublishedBy { get; set; }
+
+    public DateTime LastPublishedAt { get; set; } = DateTime.UtcNow;
+
+    /// <summary>Non-null when explicitly released by FleetAdmin (audit-logged, requires reason).</summary>
+    public DateTime? ReleasedAt { get; set; }
+
+    public string? ReleasedBy { get; set; }
+
+    public string? ReleaseReason { get; set; }
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/Entities/Namespace.cs

@@ -0,0 +1,31 @@
+using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+
+/// <summary>
+///     OPC UA namespace served by a cluster. Generation-versioned per decision #123 —
+///     namespaces are content (affect what consumers see at the endpoint), not topology.
+/// </summary>
+public sealed class Namespace
+{
+    public Guid NamespaceRowId { get; set; }
+
+    public long GenerationId { get; set; }
+
+    /// <summary>Stable logical ID across generations, e.g. "LINE3-OPCUA-equipment".</summary>
+    public required string NamespaceId { get; set; }
+
+    public required string ClusterId { get; set; }
+
+    public required NamespaceKind Kind { get; set; }
+
+    /// <summary>E.g. "urn:zb:warsaw-west:equipment". Unique fleet-wide per generation.</summary>
+    public required string NamespaceUri { get; set; }
+
+    public bool Enabled { get; set; } = true;
+
+    public string? Notes { get; set; }
+
+    public ConfigGeneration? Generation { get; set; }
+    public ServerCluster? Cluster { get; set; }
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/Entities/NodeAcl.cs

@@ -0,0 +1,32 @@
+using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+
+/// <summary>
+///     One ACL grant: an LDAP group gets a set of <see cref="NodePermissions"/> at a specific scope.
+///     Generation-versioned per decision #130. See <c>acl-design.md</c> for evaluation algorithm.
+/// </summary>
+public sealed class NodeAcl
+{
+    public Guid NodeAclRowId { get; set; }
+
+    public long GenerationId { get; set; }
+
+    public required string NodeAclId { get; set; }
+
+    public required string ClusterId { get; set; }
+
+    public required string LdapGroup { get; set; }
+
+    public required NodeAclScopeKind ScopeKind { get; set; }
+
+    /// <summary>NULL when <see cref="ScopeKind"/> = <see cref="NodeAclScopeKind.Cluster"/>; otherwise the scoped entity's logical ID.</summary>
+    public string? ScopeId { get; set; }
+
+    /// <summary>Bitmask of <see cref="NodePermissions"/>. Stored as int in SQL.</summary>
+    public required NodePermissions PermissionFlags { get; set; }
+
+    public string? Notes { get; set; }
+
+    public ConfigGeneration? Generation { get; set; }
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/Entities/PollGroup.cs

@@ -0,0 +1,19 @@
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+
+/// <summary>Driver-scoped polling group. Tags reference it via <see cref="Tag.PollGroupId"/>.</summary>
+public sealed class PollGroup
+{
+    public Guid PollGroupRowId { get; set; }
+
+    public long GenerationId { get; set; }
+
+    public required string PollGroupId { get; set; }
+
+    public required string DriverInstanceId { get; set; }
+
+    public required string Name { get; set; }
+
+    public int IntervalMs { get; set; }
+
+    public ConfigGeneration? Generation { get; set; }
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/Entities/ServerCluster.cs

@@ -0,0 +1,42 @@
+using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+
+/// <summary>
+///     Top-level deployment unit. 1 or 2 <see cref="ClusterNode"/> members.
+///     Per <c>config-db-schema.md</c> ServerCluster table.
+/// </summary>
+public sealed class ServerCluster
+{
+    /// <summary>Stable logical ID, e.g. "LINE3-OPCUA".</summary>
+    public required string ClusterId { get; set; }
+
+    public required string Name { get; set; }
+
+    /// <summary>UNS level 1. Canonical org value: "zb" per decision #140.</summary>
+    public required string Enterprise { get; set; }
+
+    /// <summary>UNS level 2, e.g. "warsaw-west".</summary>
+    public required string Site { get; set; }
+
+    public byte NodeCount { get; set; }
+
+    public required RedundancyMode RedundancyMode { get; set; }
+
+    public bool Enabled { get; set; } = true;
+
+    public string? Notes { get; set; }
+
+    public DateTime CreatedAt { get; set; } = DateTime.UtcNow;
+
+    public required string CreatedBy { get; set; }
+
+    public DateTime? ModifiedAt { get; set; }
+
+    public string? ModifiedBy { get; set; }
+
+    // Navigation
+    public ICollection<ClusterNode> Nodes { get; set; } = [];
+    public ICollection<Namespace> Namespaces { get; set; } = [];
+    public ICollection<ConfigGeneration> Generations { get; set; } = [];
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/Entities/Tag.cs

@@ -0,0 +1,47 @@
+using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+
+/// <summary>
+///     One canonical tag (signal) in a cluster's generation. Per decision #110:
+///     <see cref="EquipmentId"/> is REQUIRED when the driver is in an Equipment-kind namespace
+///     and NULL when in SystemPlatform-kind namespace (Galaxy hierarchy preserved).
+/// </summary>
+public sealed class Tag
+{
+    public Guid TagRowId { get; set; }
+
+    public long GenerationId { get; set; }
+
+    public required string TagId { get; set; }
+
+    public required string DriverInstanceId { get; set; }
+
+    public string? DeviceId { get; set; }
+
+    /// <summary>
+    ///     Required when driver is in Equipment-kind namespace; NULL when in SystemPlatform-kind.
+    ///     Cross-table invariant enforced by sp_ValidateDraft (decision #110).
+    /// </summary>
+    public string? EquipmentId { get; set; }
+
+    public required string Name { get; set; }
+
+    /// <summary>Only used when <see cref="EquipmentId"/> is NULL (SystemPlatform namespace).</summary>
+    public string? FolderPath { get; set; }
+
+    /// <summary>OPC UA built-in type name (Boolean / Int32 / Float / etc.).</summary>
+    public required string DataType { get; set; }
+
+    public required TagAccessLevel AccessLevel { get; set; }
+
+    /// <summary>Per decisions #44–45 — opt-in for write retry eligibility.</summary>
+    public bool WriteIdempotent { get; set; }
+
+    public string? PollGroupId { get; set; }
+
+    /// <summary>Register address / scaling / poll group / byte-order / etc. — schemaless per driver type.</summary>
+    public required string TagConfig { get; set; }
+
+    public ConfigGeneration? Generation { get; set; }
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/Entities/UnsArea.cs

@@ -0,0 +1,21 @@
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+
+/// <summary>UNS level-3 segment. Generation-versioned per decision #115.</summary>
+public sealed class UnsArea
+{
+    public Guid UnsAreaRowId { get; set; }
+
+    public long GenerationId { get; set; }
+
+    public required string UnsAreaId { get; set; }
+
+    public required string ClusterId { get; set; }
+
+    /// <summary>UNS level 3 segment: matches <c>^[a-z0-9-]{1,32}$</c> OR equals literal <c>_default</c>.</summary>
+    public required string Name { get; set; }
+
+    public string? Notes { get; set; }
+
+    public ConfigGeneration? Generation { get; set; }
+    public ServerCluster? Cluster { get; set; }
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/Entities/UnsLine.cs

@@ -0,0 +1,21 @@
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+
+/// <summary>UNS level-4 segment. Generation-versioned per decision #115.</summary>
+public sealed class UnsLine
+{
+    public Guid UnsLineRowId { get; set; }
+
+    public long GenerationId { get; set; }
+
+    public required string UnsLineId { get; set; }
+
+    /// <summary>Logical FK to <see cref="UnsArea.UnsAreaId"/>; resolved within the same generation.</summary>
+    public required string UnsAreaId { get; set; }
+
+    /// <summary>UNS level 4 segment: matches <c>^[a-z0-9-]{1,32}$</c> OR equals literal <c>_default</c>.</summary>
+    public required string Name { get; set; }
+
+    public string? Notes { get; set; }
+
+    public ConfigGeneration? Generation { get; set; }
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/Enums/CredentialKind.cs

@@ -0,0 +1,10 @@
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+
+/// <summary>Credential kind for <see cref="Entities.ClusterNodeCredential"/>. Per decision #83.</summary>
+public enum CredentialKind
+{
+    SqlLogin,
+    ClientCertThumbprint,
+    ADPrincipal,
+    gMSA,
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/Enums/GenerationStatus.cs

@@ -0,0 +1,10 @@
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+
+/// <summary>Generation lifecycle state. Draft → Published → Superseded | RolledBack.</summary>
+public enum GenerationStatus
+{
+    Draft,
+    Published,
+    Superseded,
+    RolledBack,
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/Enums/NamespaceKind.cs

@@ -0,0 +1,25 @@
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+
+/// <summary>OPC UA namespace kind per decision #107. One of each kind per cluster per generation.</summary>
+public enum NamespaceKind
+{
+    /// <summary>
+    ///     Equipment namespace — raw signals from native-protocol drivers (Modbus, AB CIP, AB Legacy,
+    ///     S7, TwinCAT, FOCAS, and OpcUaClient when gatewaying raw equipment). UNS 5-level hierarchy
+    ///     applies.
+    /// </summary>
+    Equipment,
+
+    /// <summary>
+    ///     System Platform namespace — Galaxy / MXAccess processed data (v1 LmxOpcUa folded in).
+    ///     UNS rules do NOT apply; Galaxy hierarchy preserved as v1 expressed it.
+    /// </summary>
+    SystemPlatform,
+
+    /// <summary>
+    ///     Reserved for future replay driver per handoff §"Digital Twin Touchpoints" — not populated
+    ///     in v2.0 but enum value reserved so the schema does not need to change when the replay
+    ///     driver lands.
+    /// </summary>
+    Simulated,
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/Enums/NodeAclScopeKind.cs

@@ -0,0 +1,12 @@
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+
+/// <summary>ACL scope level. Per <c>acl-design.md</c> §"Scope Hierarchy".</summary>
+public enum NodeAclScopeKind
+{
+    Cluster,
+    Namespace,
+    UnsArea,
+    UnsLine,
+    Equipment,
+    Tag,
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/Enums/NodeApplyStatus.cs

@@ -0,0 +1,10 @@
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+
+/// <summary>Status tracked per node in <see cref="Entities.ClusterNodeGenerationState"/>.</summary>
+public enum NodeApplyStatus
+{
+    Applied,
+    RolledBack,
+    Failed,
+    InProgress,
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/Enums/NodePermissions.cs

@@ -0,0 +1,37 @@
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+
+/// <summary>
+///     OPC UA client data-path permissions per <c>acl-design.md</c>.
+///     Stored as <c>int</c> bitmask in <see cref="Entities.NodeAcl.PermissionFlags"/>.
+/// </summary>
+[Flags]
+public enum NodePermissions : uint
+{
+    None = 0,
+
+    // Read-side
+    Browse = 1 << 0,
+    Read = 1 << 1,
+    Subscribe = 1 << 2,
+    HistoryRead = 1 << 3,
+
+    // Write-side (mirrors v1 SecurityClassification model)
+    WriteOperate = 1 << 4,
+    WriteTune = 1 << 5,
+    WriteConfigure = 1 << 6,
+
+    // Alarm-side
+    AlarmRead = 1 << 7,
+    AlarmAcknowledge = 1 << 8,
+    AlarmConfirm = 1 << 9,
+    AlarmShelve = 1 << 10,
+
+    // OPC UA Part 4 §5.11
+    MethodCall = 1 << 11,
+
+    // Bundles (one-click grants in Admin UI)
+    ReadOnly = Browse | Read | Subscribe | HistoryRead | AlarmRead,
+    Operator = ReadOnly | WriteOperate | AlarmAcknowledge | AlarmConfirm,
+    Engineer = Operator | WriteTune | AlarmShelve,
+    Admin = Engineer | WriteConfigure | MethodCall,
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/Enums/RedundancyMode.cs

@@ -0,0 +1,17 @@
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+
+/// <summary>
+///     Cluster redundancy mode per OPC UA Part 5 §6.5. Persisted as string in
+///     <c>ServerCluster.RedundancyMode</c> with a CHECK constraint coupling to <c>NodeCount</c>.
+/// </summary>
+public enum RedundancyMode
+{
+    /// <summary>Single-node cluster. Required when <c>NodeCount = 1</c>.</summary>
+    None,
+
+    /// <summary>Warm redundancy (non-transparent). Two-node cluster.</summary>
+    Warm,
+
+    /// <summary>Hot redundancy (non-transparent). Two-node cluster.</summary>
+    Hot,
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/Enums/RedundancyRole.cs

@@ -0,0 +1,9 @@
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+
+/// <summary>Per-node redundancy role within a cluster. Per decision #84.</summary>
+public enum RedundancyRole
+{
+    Primary,
+    Secondary,
+    Standalone,
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/Enums/ReservationKind.cs

@@ -0,0 +1,8 @@
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+
+/// <summary>External-ID reservation kind. Per decision #124.</summary>
+public enum ReservationKind
+{
+    ZTag,
+    SAPID,
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/Enums/TagAccessLevel.cs

@@ -0,0 +1,8 @@
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+
+/// <summary>Tag-level OPC UA access level baseline. Further narrowed per-user by NodeAcl grants.</summary>
+public enum TagAccessLevel
+{
+    Read,
+    ReadWrite,
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/LocalCache/GenerationSnapshot.cs

@@ -0,0 +1,15 @@
+namespace ZB.MOM.WW.OtOpcUa.Configuration.LocalCache;
+
+/// <summary>
+///     A self-contained snapshot of one generation — enough to rebuild the address space on a node
+///     that has lost DB connectivity. The payload is the JSON-serialized <c>sp_GetGenerationContent</c>
+///     result; the local cache doesn't inspect the shape, it just round-trips bytes.
+/// </summary>
+public sealed class GenerationSnapshot
+{
+    public int Id { get; set; } // LiteDB auto-ID
+    public required string ClusterId { get; set; }
+    public required long GenerationId { get; set; }
+    public required DateTime CachedAt { get; set; }
+    public required string PayloadJson { get; set; }
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/LocalCache/ILocalConfigCache.cs

@@ -0,0 +1,12 @@
+namespace ZB.MOM.WW.OtOpcUa.Configuration.LocalCache;
+
+/// <summary>
+///     Per-node local cache of the most-recently-applied generation(s). Used to bootstrap the
+///     address space when the central DB is unreachable (decision #79 — degraded-but-running).
+/// </summary>
+public interface ILocalConfigCache
+{
+    Task<GenerationSnapshot?> GetMostRecentAsync(string clusterId, CancellationToken ct = default);
+    Task PutAsync(GenerationSnapshot snapshot, CancellationToken ct = default);
+    Task PruneOldGenerationsAsync(string clusterId, int keepLatest = 10, CancellationToken ct = default);
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/LocalCache/LiteDbConfigCache.cs

@@ -0,0 +1,89 @@
+using LiteDB;
+
+namespace ZB.MOM.WW.OtOpcUa.Configuration.LocalCache;
+
+/// <summary>
+///     LiteDB-backed <see cref="ILocalConfigCache"/>. One file per node (default
+///     <c>config_cache.db</c>), one collection per snapshot. Corruption surfaces as
+///     <see cref="LocalConfigCacheCorruptException"/> on construction or read — callers should
+///     delete and re-fetch from the central DB (decision #80).
+/// </summary>
+public sealed class LiteDbConfigCache : ILocalConfigCache, IDisposable
+{
+    private const string CollectionName = "generations";
+    private readonly LiteDatabase _db;
+    private readonly ILiteCollection<GenerationSnapshot> _col;
+
+    public LiteDbConfigCache(string dbPath)
+    {
+        // LiteDB can be tolerant of header-only corruption at construction time (it may overwrite
+        // the header and "recover"), so we force a write + read probe to fail fast on real corruption.
+        try
+        {
+            _db = new LiteDatabase(new ConnectionString { Filename = dbPath, Upgrade = true });
+            _col = _db.GetCollection<GenerationSnapshot>(CollectionName);
+            _col.EnsureIndex(s => s.ClusterId);
+            _col.EnsureIndex(s => s.GenerationId);
+            _ = _col.Count();
+        }
+        catch (Exception ex) when (ex is LiteException or InvalidDataException or IOException
+                                      or NotSupportedException or UnauthorizedAccessException
+                                      or ArgumentOutOfRangeException or FormatException)
+        {
+            _db?.Dispose();
+            throw new LocalConfigCacheCorruptException(
+                $"LiteDB cache at '{dbPath}' is corrupt or unreadable — delete the file and refetch from the central DB.",
+                ex);
+        }
+    }
+
+    public Task<GenerationSnapshot?> GetMostRecentAsync(string clusterId, CancellationToken ct = default)
+    {
+        ct.ThrowIfCancellationRequested();
+        var snapshot = _col
+            .Find(s => s.ClusterId == clusterId)
+            .OrderByDescending(s => s.GenerationId)
+            .FirstOrDefault();
+        return Task.FromResult<GenerationSnapshot?>(snapshot);
+    }
+
+    public Task PutAsync(GenerationSnapshot snapshot, CancellationToken ct = default)
+    {
+        ct.ThrowIfCancellationRequested();
+        // upsert by (ClusterId, GenerationId) — replace in place if already cached
+        var existing = _col
+            .Find(s => s.ClusterId == snapshot.ClusterId && s.GenerationId == snapshot.GenerationId)
+            .FirstOrDefault();
+
+        if (existing is null)
+            _col.Insert(snapshot);
+        else
+        {
+            snapshot.Id = existing.Id;
+            _col.Update(snapshot);
+        }
+
+        return Task.CompletedTask;
+    }
+
+    public Task PruneOldGenerationsAsync(string clusterId, int keepLatest = 10, CancellationToken ct = default)
+    {
+        ct.ThrowIfCancellationRequested();
+        var doomed = _col
+            .Find(s => s.ClusterId == clusterId)
+            .OrderByDescending(s => s.GenerationId)
+            .Skip(keepLatest)
+            .Select(s => s.Id)
+            .ToList();
+
+        foreach (var id in doomed)
+            _col.Delete(id);
+
+        return Task.CompletedTask;
+    }
+
+    public void Dispose() => _db.Dispose();
+}
+
+public sealed class LocalConfigCacheCorruptException(string message, Exception inner)
+    : Exception(message, inner);

src/ZB.MOM.WW.OtOpcUa.Configuration/Migrations/20260417212220_InitialSchema.cs

@@ -0,0 +1,811 @@
+using System;
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Migrations
+{
+    /// <inheritdoc />
+    public partial class InitialSchema : Migration
+    {
+        /// <inheritdoc />
+        protected override void Up(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.CreateTable(
+                name: "ConfigAuditLog",
+                columns: table => new
+                {
+                    AuditId = table.Column<long>(type: "bigint", nullable: false)
+                        .Annotation("SqlServer:Identity", "1, 1"),
+                    Timestamp = table.Column<DateTime>(type: "datetime2(3)", nullable: false, defaultValueSql: "SYSUTCDATETIME()"),
+                    Principal = table.Column<string>(type: "nvarchar(128)", maxLength: 128, nullable: false),
+                    EventType = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: false),
+                    ClusterId = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: true),
+                    NodeId = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: true),
+                    GenerationId = table.Column<long>(type: "bigint", nullable: true),
+                    DetailsJson = table.Column<string>(type: "nvarchar(max)", nullable: true)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_ConfigAuditLog", x => x.AuditId);
+                    table.CheckConstraint("CK_ConfigAuditLog_DetailsJson_IsJson", "DetailsJson IS NULL OR ISJSON(DetailsJson) = 1");
+                });
+
+            migrationBuilder.CreateTable(
+                name: "ExternalIdReservation",
+                columns: table => new
+                {
+                    ReservationId = table.Column<Guid>(type: "uniqueidentifier", nullable: false, defaultValueSql: "NEWSEQUENTIALID()"),
+                    Kind = table.Column<string>(type: "nvarchar(16)", maxLength: 16, nullable: false),
+                    Value = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: false),
+                    EquipmentUuid = table.Column<Guid>(type: "uniqueidentifier", nullable: false),
+                    ClusterId = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: false),
+                    FirstPublishedAt = table.Column<DateTime>(type: "datetime2(3)", nullable: false, defaultValueSql: "SYSUTCDATETIME()"),
+                    FirstPublishedBy = table.Column<string>(type: "nvarchar(128)", maxLength: 128, nullable: false),
+                    LastPublishedAt = table.Column<DateTime>(type: "datetime2(3)", nullable: false, defaultValueSql: "SYSUTCDATETIME()"),
+                    ReleasedAt = table.Column<DateTime>(type: "datetime2(3)", nullable: true),
+                    ReleasedBy = table.Column<string>(type: "nvarchar(128)", maxLength: 128, nullable: true),
+                    ReleaseReason = table.Column<string>(type: "nvarchar(512)", maxLength: 512, nullable: true)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_ExternalIdReservation", x => x.ReservationId);
+                });
+
+            migrationBuilder.CreateTable(
+                name: "ServerCluster",
+                columns: table => new
+                {
+                    ClusterId = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: false),
+                    Name = table.Column<string>(type: "nvarchar(128)", maxLength: 128, nullable: false),
+                    Enterprise = table.Column<string>(type: "nvarchar(32)", maxLength: 32, nullable: false),
+                    Site = table.Column<string>(type: "nvarchar(32)", maxLength: 32, nullable: false),
+                    NodeCount = table.Column<byte>(type: "tinyint", nullable: false),
+                    RedundancyMode = table.Column<string>(type: "nvarchar(16)", maxLength: 16, nullable: false),
+                    Enabled = table.Column<bool>(type: "bit", nullable: false),
+                    Notes = table.Column<string>(type: "nvarchar(1024)", maxLength: 1024, nullable: true),
+                    CreatedAt = table.Column<DateTime>(type: "datetime2(3)", nullable: false, defaultValueSql: "SYSUTCDATETIME()"),
+                    CreatedBy = table.Column<string>(type: "nvarchar(128)", maxLength: 128, nullable: false),
+                    ModifiedAt = table.Column<DateTime>(type: "datetime2(3)", nullable: true),
+                    ModifiedBy = table.Column<string>(type: "nvarchar(128)", maxLength: 128, nullable: true)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_ServerCluster", x => x.ClusterId);
+                    table.CheckConstraint("CK_ServerCluster_RedundancyMode_NodeCount", "((NodeCount = 1 AND RedundancyMode = 'None') OR (NodeCount = 2 AND RedundancyMode IN ('Warm', 'Hot')))");
+                });
+
+            migrationBuilder.CreateTable(
+                name: "ClusterNode",
+                columns: table => new
+                {
+                    NodeId = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: false),
+                    ClusterId = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: false),
+                    RedundancyRole = table.Column<string>(type: "nvarchar(16)", maxLength: 16, nullable: false),
+                    Host = table.Column<string>(type: "nvarchar(255)", maxLength: 255, nullable: false),
+                    OpcUaPort = table.Column<int>(type: "int", nullable: false),
+                    DashboardPort = table.Column<int>(type: "int", nullable: false),
+                    ApplicationUri = table.Column<string>(type: "nvarchar(256)", maxLength: 256, nullable: false),
+                    ServiceLevelBase = table.Column<byte>(type: "tinyint", nullable: false),
+                    DriverConfigOverridesJson = table.Column<string>(type: "nvarchar(max)", nullable: true),
+                    Enabled = table.Column<bool>(type: "bit", nullable: false),
+                    LastSeenAt = table.Column<DateTime>(type: "datetime2(3)", nullable: true),
+                    CreatedAt = table.Column<DateTime>(type: "datetime2(3)", nullable: false, defaultValueSql: "SYSUTCDATETIME()"),
+                    CreatedBy = table.Column<string>(type: "nvarchar(128)", maxLength: 128, nullable: false)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_ClusterNode", x => x.NodeId);
+                    table.ForeignKey(
+                        name: "FK_ClusterNode_ServerCluster_ClusterId",
+                        column: x => x.ClusterId,
+                        principalTable: "ServerCluster",
+                        principalColumn: "ClusterId",
+                        onDelete: ReferentialAction.Restrict);
+                });
+
+            migrationBuilder.CreateTable(
+                name: "ConfigGeneration",
+                columns: table => new
+                {
+                    GenerationId = table.Column<long>(type: "bigint", nullable: false)
+                        .Annotation("SqlServer:Identity", "1, 1"),
+                    ClusterId = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: false),
+                    Status = table.Column<string>(type: "nvarchar(16)", maxLength: 16, nullable: false),
+                    ParentGenerationId = table.Column<long>(type: "bigint", nullable: true),
+                    PublishedAt = table.Column<DateTime>(type: "datetime2(3)", nullable: true),
+                    PublishedBy = table.Column<string>(type: "nvarchar(128)", maxLength: 128, nullable: true),
+                    Notes = table.Column<string>(type: "nvarchar(1024)", maxLength: 1024, nullable: true),
+                    CreatedAt = table.Column<DateTime>(type: "datetime2(3)", nullable: false, defaultValueSql: "SYSUTCDATETIME()"),
+                    CreatedBy = table.Column<string>(type: "nvarchar(128)", maxLength: 128, nullable: false)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_ConfigGeneration", x => x.GenerationId);
+                    table.ForeignKey(
+                        name: "FK_ConfigGeneration_ConfigGeneration_ParentGenerationId",
+                        column: x => x.ParentGenerationId,
+                        principalTable: "ConfigGeneration",
+                        principalColumn: "GenerationId",
+                        onDelete: ReferentialAction.Restrict);
+                    table.ForeignKey(
+                        name: "FK_ConfigGeneration_ServerCluster_ClusterId",
+                        column: x => x.ClusterId,
+                        principalTable: "ServerCluster",
+                        principalColumn: "ClusterId",
+                        onDelete: ReferentialAction.Restrict);
+                });
+
+            migrationBuilder.CreateTable(
+                name: "ClusterNodeCredential",
+                columns: table => new
+                {
+                    CredentialId = table.Column<Guid>(type: "uniqueidentifier", nullable: false, defaultValueSql: "NEWSEQUENTIALID()"),
+                    NodeId = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: false),
+                    Kind = table.Column<string>(type: "nvarchar(32)", maxLength: 32, nullable: false),
+                    Value = table.Column<string>(type: "nvarchar(512)", maxLength: 512, nullable: false),
+                    Enabled = table.Column<bool>(type: "bit", nullable: false),
+                    RotatedAt = table.Column<DateTime>(type: "datetime2(3)", nullable: true),
+                    CreatedAt = table.Column<DateTime>(type: "datetime2(3)", nullable: false, defaultValueSql: "SYSUTCDATETIME()"),
+                    CreatedBy = table.Column<string>(type: "nvarchar(128)", maxLength: 128, nullable: false)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_ClusterNodeCredential", x => x.CredentialId);
+                    table.ForeignKey(
+                        name: "FK_ClusterNodeCredential_ClusterNode_NodeId",
+                        column: x => x.NodeId,
+                        principalTable: "ClusterNode",
+                        principalColumn: "NodeId",
+                        onDelete: ReferentialAction.Restrict);
+                });
+
+            migrationBuilder.CreateTable(
+                name: "ClusterNodeGenerationState",
+                columns: table => new
+                {
+                    NodeId = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: false),
+                    CurrentGenerationId = table.Column<long>(type: "bigint", nullable: true),
+                    LastAppliedAt = table.Column<DateTime>(type: "datetime2(3)", nullable: true),
+                    LastAppliedStatus = table.Column<string>(type: "nvarchar(16)", maxLength: 16, nullable: true),
+                    LastAppliedError = table.Column<string>(type: "nvarchar(2048)", maxLength: 2048, nullable: true),
+                    LastSeenAt = table.Column<DateTime>(type: "datetime2(3)", nullable: true)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_ClusterNodeGenerationState", x => x.NodeId);
+                    table.ForeignKey(
+                        name: "FK_ClusterNodeGenerationState_ClusterNode_NodeId",
+                        column: x => x.NodeId,
+                        principalTable: "ClusterNode",
+                        principalColumn: "NodeId",
+                        onDelete: ReferentialAction.Restrict);
+                    table.ForeignKey(
+                        name: "FK_ClusterNodeGenerationState_ConfigGeneration_CurrentGenerationId",
+                        column: x => x.CurrentGenerationId,
+                        principalTable: "ConfigGeneration",
+                        principalColumn: "GenerationId",
+                        onDelete: ReferentialAction.Restrict);
+                });
+
+            migrationBuilder.CreateTable(
+                name: "Device",
+                columns: table => new
+                {
+                    DeviceRowId = table.Column<Guid>(type: "uniqueidentifier", nullable: false, defaultValueSql: "NEWSEQUENTIALID()"),
+                    GenerationId = table.Column<long>(type: "bigint", nullable: false),
+                    DeviceId = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: true),
+                    DriverInstanceId = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: false),
+                    Name = table.Column<string>(type: "nvarchar(128)", maxLength: 128, nullable: false),
+                    Enabled = table.Column<bool>(type: "bit", nullable: false),
+                    DeviceConfig = table.Column<string>(type: "nvarchar(max)", nullable: false)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_Device", x => x.DeviceRowId);
+                    table.CheckConstraint("CK_Device_DeviceConfig_IsJson", "ISJSON(DeviceConfig) = 1");
+                    table.ForeignKey(
+                        name: "FK_Device_ConfigGeneration_GenerationId",
+                        column: x => x.GenerationId,
+                        principalTable: "ConfigGeneration",
+                        principalColumn: "GenerationId",
+                        onDelete: ReferentialAction.Restrict);
+                });
+
+            migrationBuilder.CreateTable(
+                name: "DriverInstance",
+                columns: table => new
+                {
+                    DriverInstanceRowId = table.Column<Guid>(type: "uniqueidentifier", nullable: false, defaultValueSql: "NEWSEQUENTIALID()"),
+                    GenerationId = table.Column<long>(type: "bigint", nullable: false),
+                    DriverInstanceId = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: true),
+                    ClusterId = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: false),
+                    NamespaceId = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: false),
+                    Name = table.Column<string>(type: "nvarchar(128)", maxLength: 128, nullable: false),
+                    DriverType = table.Column<string>(type: "nvarchar(32)", maxLength: 32, nullable: false),
+                    Enabled = table.Column<bool>(type: "bit", nullable: false),
+                    DriverConfig = table.Column<string>(type: "nvarchar(max)", nullable: false)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_DriverInstance", x => x.DriverInstanceRowId);
+                    table.CheckConstraint("CK_DriverInstance_DriverConfig_IsJson", "ISJSON(DriverConfig) = 1");
+                    table.ForeignKey(
+                        name: "FK_DriverInstance_ConfigGeneration_GenerationId",
+                        column: x => x.GenerationId,
+                        principalTable: "ConfigGeneration",
+                        principalColumn: "GenerationId",
+                        onDelete: ReferentialAction.Restrict);
+                    table.ForeignKey(
+                        name: "FK_DriverInstance_ServerCluster_ClusterId",
+                        column: x => x.ClusterId,
+                        principalTable: "ServerCluster",
+                        principalColumn: "ClusterId",
+                        onDelete: ReferentialAction.Restrict);
+                });
+
+            migrationBuilder.CreateTable(
+                name: "Equipment",
+                columns: table => new
+                {
+                    EquipmentRowId = table.Column<Guid>(type: "uniqueidentifier", nullable: false, defaultValueSql: "NEWSEQUENTIALID()"),
+                    GenerationId = table.Column<long>(type: "bigint", nullable: false),
+                    EquipmentId = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: true),
+                    EquipmentUuid = table.Column<Guid>(type: "uniqueidentifier", nullable: false),
+                    DriverInstanceId = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: false),
+                    DeviceId = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: true),
+                    UnsLineId = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: false),
+                    Name = table.Column<string>(type: "nvarchar(32)", maxLength: 32, nullable: false),
+                    MachineCode = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: false),
+                    ZTag = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: true),
+                    SAPID = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: true),
+                    Manufacturer = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: true),
+                    Model = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: true),
+                    SerialNumber = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: true),
+                    HardwareRevision = table.Column<string>(type: "nvarchar(32)", maxLength: 32, nullable: true),
+                    SoftwareRevision = table.Column<string>(type: "nvarchar(32)", maxLength: 32, nullable: true),
+                    YearOfConstruction = table.Column<short>(type: "smallint", nullable: true),
+                    AssetLocation = table.Column<string>(type: "nvarchar(256)", maxLength: 256, nullable: true),
+                    ManufacturerUri = table.Column<string>(type: "nvarchar(512)", maxLength: 512, nullable: true),
+                    DeviceManualUri = table.Column<string>(type: "nvarchar(512)", maxLength: 512, nullable: true),
+                    EquipmentClassRef = table.Column<string>(type: "nvarchar(128)", maxLength: 128, nullable: true),
+                    Enabled = table.Column<bool>(type: "bit", nullable: false)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_Equipment", x => x.EquipmentRowId);
+                    table.ForeignKey(
+                        name: "FK_Equipment_ConfigGeneration_GenerationId",
+                        column: x => x.GenerationId,
+                        principalTable: "ConfigGeneration",
+                        principalColumn: "GenerationId",
+                        onDelete: ReferentialAction.Restrict);
+                });
+
+            migrationBuilder.CreateTable(
+                name: "Namespace",
+                columns: table => new
+                {
+                    NamespaceRowId = table.Column<Guid>(type: "uniqueidentifier", nullable: false, defaultValueSql: "NEWSEQUENTIALID()"),
+                    GenerationId = table.Column<long>(type: "bigint", nullable: false),
+                    NamespaceId = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: true),
+                    ClusterId = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: false),
+                    Kind = table.Column<string>(type: "nvarchar(32)", maxLength: 32, nullable: false),
+                    NamespaceUri = table.Column<string>(type: "nvarchar(256)", maxLength: 256, nullable: false),
+                    Enabled = table.Column<bool>(type: "bit", nullable: false),
+                    Notes = table.Column<string>(type: "nvarchar(1024)", maxLength: 1024, nullable: true)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_Namespace", x => x.NamespaceRowId);
+                    table.ForeignKey(
+                        name: "FK_Namespace_ConfigGeneration_GenerationId",
+                        column: x => x.GenerationId,
+                        principalTable: "ConfigGeneration",
+                        principalColumn: "GenerationId",
+                        onDelete: ReferentialAction.Restrict);
+                    table.ForeignKey(
+                        name: "FK_Namespace_ServerCluster_ClusterId",
+                        column: x => x.ClusterId,
+                        principalTable: "ServerCluster",
+                        principalColumn: "ClusterId",
+                        onDelete: ReferentialAction.Restrict);
+                });
+
+            migrationBuilder.CreateTable(
+                name: "NodeAcl",
+                columns: table => new
+                {
+                    NodeAclRowId = table.Column<Guid>(type: "uniqueidentifier", nullable: false, defaultValueSql: "NEWSEQUENTIALID()"),
+                    GenerationId = table.Column<long>(type: "bigint", nullable: false),
+                    NodeAclId = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: true),
+                    ClusterId = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: false),
+                    LdapGroup = table.Column<string>(type: "nvarchar(256)", maxLength: 256, nullable: false),
+                    ScopeKind = table.Column<string>(type: "nvarchar(16)", maxLength: 16, nullable: false),
+                    ScopeId = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: true),
+                    PermissionFlags = table.Column<int>(type: "int", nullable: false),
+                    Notes = table.Column<string>(type: "nvarchar(512)", maxLength: 512, nullable: true)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_NodeAcl", x => x.NodeAclRowId);
+                    table.ForeignKey(
+                        name: "FK_NodeAcl_ConfigGeneration_GenerationId",
+                        column: x => x.GenerationId,
+                        principalTable: "ConfigGeneration",
+                        principalColumn: "GenerationId",
+                        onDelete: ReferentialAction.Restrict);
+                });
+
+            migrationBuilder.CreateTable(
+                name: "PollGroup",
+                columns: table => new
+                {
+                    PollGroupRowId = table.Column<Guid>(type: "uniqueidentifier", nullable: false, defaultValueSql: "NEWSEQUENTIALID()"),
+                    GenerationId = table.Column<long>(type: "bigint", nullable: false),
+                    PollGroupId = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: true),
+                    DriverInstanceId = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: false),
+                    Name = table.Column<string>(type: "nvarchar(128)", maxLength: 128, nullable: false),
+                    IntervalMs = table.Column<int>(type: "int", nullable: false)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_PollGroup", x => x.PollGroupRowId);
+                    table.CheckConstraint("CK_PollGroup_IntervalMs_Min", "IntervalMs >= 50");
+                    table.ForeignKey(
+                        name: "FK_PollGroup_ConfigGeneration_GenerationId",
+                        column: x => x.GenerationId,
+                        principalTable: "ConfigGeneration",
+                        principalColumn: "GenerationId",
+                        onDelete: ReferentialAction.Restrict);
+                });
+
+            migrationBuilder.CreateTable(
+                name: "Tag",
+                columns: table => new
+                {
+                    TagRowId = table.Column<Guid>(type: "uniqueidentifier", nullable: false, defaultValueSql: "NEWSEQUENTIALID()"),
+                    GenerationId = table.Column<long>(type: "bigint", nullable: false),
+                    TagId = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: true),
+                    DriverInstanceId = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: false),
+                    DeviceId = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: true),
+                    EquipmentId = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: true),
+                    Name = table.Column<string>(type: "nvarchar(128)", maxLength: 128, nullable: false),
+                    FolderPath = table.Column<string>(type: "nvarchar(512)", maxLength: 512, nullable: true),
+                    DataType = table.Column<string>(type: "nvarchar(32)", maxLength: 32, nullable: false),
+                    AccessLevel = table.Column<string>(type: "nvarchar(16)", maxLength: 16, nullable: false),
+                    WriteIdempotent = table.Column<bool>(type: "bit", nullable: false),
+                    PollGroupId = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: true),
+                    TagConfig = table.Column<string>(type: "nvarchar(max)", nullable: false)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_Tag", x => x.TagRowId);
+                    table.CheckConstraint("CK_Tag_TagConfig_IsJson", "ISJSON(TagConfig) = 1");
+                    table.ForeignKey(
+                        name: "FK_Tag_ConfigGeneration_GenerationId",
+                        column: x => x.GenerationId,
+                        principalTable: "ConfigGeneration",
+                        principalColumn: "GenerationId",
+                        onDelete: ReferentialAction.Restrict);
+                });
+
+            migrationBuilder.CreateTable(
+                name: "UnsArea",
+                columns: table => new
+                {
+                    UnsAreaRowId = table.Column<Guid>(type: "uniqueidentifier", nullable: false, defaultValueSql: "NEWSEQUENTIALID()"),
+                    GenerationId = table.Column<long>(type: "bigint", nullable: false),
+                    UnsAreaId = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: true),
+                    ClusterId = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: false),
+                    Name = table.Column<string>(type: "nvarchar(32)", maxLength: 32, nullable: false),
+                    Notes = table.Column<string>(type: "nvarchar(512)", maxLength: 512, nullable: true)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_UnsArea", x => x.UnsAreaRowId);
+                    table.ForeignKey(
+                        name: "FK_UnsArea_ConfigGeneration_GenerationId",
+                        column: x => x.GenerationId,
+                        principalTable: "ConfigGeneration",
+                        principalColumn: "GenerationId",
+                        onDelete: ReferentialAction.Restrict);
+                    table.ForeignKey(
+                        name: "FK_UnsArea_ServerCluster_ClusterId",
+                        column: x => x.ClusterId,
+                        principalTable: "ServerCluster",
+                        principalColumn: "ClusterId",
+                        onDelete: ReferentialAction.Restrict);
+                });
+
+            migrationBuilder.CreateTable(
+                name: "UnsLine",
+                columns: table => new
+                {
+                    UnsLineRowId = table.Column<Guid>(type: "uniqueidentifier", nullable: false, defaultValueSql: "NEWSEQUENTIALID()"),
+                    GenerationId = table.Column<long>(type: "bigint", nullable: false),
+                    UnsLineId = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: true),
+                    UnsAreaId = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: false),
+                    Name = table.Column<string>(type: "nvarchar(32)", maxLength: 32, nullable: false),
+                    Notes = table.Column<string>(type: "nvarchar(512)", maxLength: 512, nullable: true)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_UnsLine", x => x.UnsLineRowId);
+                    table.ForeignKey(
+                        name: "FK_UnsLine_ConfigGeneration_GenerationId",
+                        column: x => x.GenerationId,
+                        principalTable: "ConfigGeneration",
+                        principalColumn: "GenerationId",
+                        onDelete: ReferentialAction.Restrict);
+                });
+
+            migrationBuilder.CreateIndex(
+                name: "UX_ClusterNode_ApplicationUri",
+                table: "ClusterNode",
+                column: "ApplicationUri",
+                unique: true);
+
+            migrationBuilder.CreateIndex(
+                name: "UX_ClusterNode_Primary_Per_Cluster",
+                table: "ClusterNode",
+                column: "ClusterId",
+                unique: true,
+                filter: "[RedundancyRole] = 'Primary'");
+
+            migrationBuilder.CreateIndex(
+                name: "IX_ClusterNodeCredential_NodeId",
+                table: "ClusterNodeCredential",
+                columns: new[] { "NodeId", "Enabled" });
+
+            migrationBuilder.CreateIndex(
+                name: "UX_ClusterNodeCredential_Value",
+                table: "ClusterNodeCredential",
+                columns: new[] { "Kind", "Value" },
+                unique: true,
+                filter: "[Enabled] = 1");
+
+            migrationBuilder.CreateIndex(
+                name: "IX_ClusterNodeGenerationState_Generation",
+                table: "ClusterNodeGenerationState",
+                column: "CurrentGenerationId");
+
+            migrationBuilder.CreateIndex(
+                name: "IX_ConfigAuditLog_Cluster_Time",
+                table: "ConfigAuditLog",
+                columns: new[] { "ClusterId", "Timestamp" },
+                descending: new[] { false, true });
+
+            migrationBuilder.CreateIndex(
+                name: "IX_ConfigAuditLog_Generation",
+                table: "ConfigAuditLog",
+                column: "GenerationId",
+                filter: "[GenerationId] IS NOT NULL");
+
+            migrationBuilder.CreateIndex(
+                name: "IX_ConfigGeneration_Cluster_Published",
+                table: "ConfigGeneration",
+                columns: new[] { "ClusterId", "Status", "GenerationId" },
+                descending: new[] { false, false, true })
+                .Annotation("SqlServer:Include", new[] { "PublishedAt" });
+
+            migrationBuilder.CreateIndex(
+                name: "IX_ConfigGeneration_ParentGenerationId",
+                table: "ConfigGeneration",
+                column: "ParentGenerationId");
+
+            migrationBuilder.CreateIndex(
+                name: "UX_ConfigGeneration_Draft_Per_Cluster",
+                table: "ConfigGeneration",
+                column: "ClusterId",
+                unique: true,
+                filter: "[Status] = 'Draft'");
+
+            migrationBuilder.CreateIndex(
+                name: "IX_Device_Generation_Driver",
+                table: "Device",
+                columns: new[] { "GenerationId", "DriverInstanceId" });
+
+            migrationBuilder.CreateIndex(
+                name: "UX_Device_Generation_LogicalId",
+                table: "Device",
+                columns: new[] { "GenerationId", "DeviceId" },
+                unique: true,
+                filter: "[DeviceId] IS NOT NULL");
+
+            migrationBuilder.CreateIndex(
+                name: "IX_DriverInstance_ClusterId",
+                table: "DriverInstance",
+                column: "ClusterId");
+
+            migrationBuilder.CreateIndex(
+                name: "IX_DriverInstance_Generation_Cluster",
+                table: "DriverInstance",
+                columns: new[] { "GenerationId", "ClusterId" });
+
+            migrationBuilder.CreateIndex(
+                name: "IX_DriverInstance_Generation_Namespace",
+                table: "DriverInstance",
+                columns: new[] { "GenerationId", "NamespaceId" });
+
+            migrationBuilder.CreateIndex(
+                name: "UX_DriverInstance_Generation_LogicalId",
+                table: "DriverInstance",
+                columns: new[] { "GenerationId", "DriverInstanceId" },
+                unique: true,
+                filter: "[DriverInstanceId] IS NOT NULL");
+
+            migrationBuilder.CreateIndex(
+                name: "IX_Equipment_Generation_Driver",
+                table: "Equipment",
+                columns: new[] { "GenerationId", "DriverInstanceId" });
+
+            migrationBuilder.CreateIndex(
+                name: "IX_Equipment_Generation_Line",
+                table: "Equipment",
+                columns: new[] { "GenerationId", "UnsLineId" });
+
+            migrationBuilder.CreateIndex(
+                name: "IX_Equipment_Generation_MachineCode",
+                table: "Equipment",
+                columns: new[] { "GenerationId", "MachineCode" });
+
+            migrationBuilder.CreateIndex(
+                name: "IX_Equipment_Generation_SAPID",
+                table: "Equipment",
+                columns: new[] { "GenerationId", "SAPID" },
+                filter: "[SAPID] IS NOT NULL");
+
+            migrationBuilder.CreateIndex(
+                name: "IX_Equipment_Generation_ZTag",
+                table: "Equipment",
+                columns: new[] { "GenerationId", "ZTag" },
+                filter: "[ZTag] IS NOT NULL");
+
+            migrationBuilder.CreateIndex(
+                name: "UX_Equipment_Generation_LinePath",
+                table: "Equipment",
+                columns: new[] { "GenerationId", "UnsLineId", "Name" },
+                unique: true);
+
+            migrationBuilder.CreateIndex(
+                name: "UX_Equipment_Generation_LogicalId",
+                table: "Equipment",
+                columns: new[] { "GenerationId", "EquipmentId" },
+                unique: true,
+                filter: "[EquipmentId] IS NOT NULL");
+
+            migrationBuilder.CreateIndex(
+                name: "UX_Equipment_Generation_Uuid",
+                table: "Equipment",
+                columns: new[] { "GenerationId", "EquipmentUuid" },
+                unique: true);
+
+            migrationBuilder.CreateIndex(
+                name: "IX_ExternalIdReservation_Equipment",
+                table: "ExternalIdReservation",
+                column: "EquipmentUuid");
+
+            migrationBuilder.CreateIndex(
+                name: "UX_ExternalIdReservation_KindValue_Active",
+                table: "ExternalIdReservation",
+                columns: new[] { "Kind", "Value" },
+                unique: true,
+                filter: "[ReleasedAt] IS NULL");
+
+            migrationBuilder.CreateIndex(
+                name: "IX_Namespace_ClusterId",
+                table: "Namespace",
+                column: "ClusterId");
+
+            migrationBuilder.CreateIndex(
+                name: "IX_Namespace_Generation_Cluster",
+                table: "Namespace",
+                columns: new[] { "GenerationId", "ClusterId" });
+
+            migrationBuilder.CreateIndex(
+                name: "UX_Namespace_Generation_Cluster_Kind",
+                table: "Namespace",
+                columns: new[] { "GenerationId", "ClusterId", "Kind" },
+                unique: true);
+
+            migrationBuilder.CreateIndex(
+                name: "UX_Namespace_Generation_LogicalId",
+                table: "Namespace",
+                columns: new[] { "GenerationId", "NamespaceId" },
+                unique: true,
+                filter: "[NamespaceId] IS NOT NULL");
+
+            migrationBuilder.CreateIndex(
+                name: "UX_Namespace_Generation_LogicalId_Cluster",
+                table: "Namespace",
+                columns: new[] { "GenerationId", "NamespaceId", "ClusterId" },
+                unique: true,
+                filter: "[NamespaceId] IS NOT NULL");
+
+            migrationBuilder.CreateIndex(
+                name: "UX_Namespace_Generation_NamespaceUri",
+                table: "Namespace",
+                columns: new[] { "GenerationId", "NamespaceUri" },
+                unique: true);
+
+            migrationBuilder.CreateIndex(
+                name: "IX_NodeAcl_Generation_Cluster",
+                table: "NodeAcl",
+                columns: new[] { "GenerationId", "ClusterId" });
+
+            migrationBuilder.CreateIndex(
+                name: "IX_NodeAcl_Generation_Group",
+                table: "NodeAcl",
+                columns: new[] { "GenerationId", "LdapGroup" });
+
+            migrationBuilder.CreateIndex(
+                name: "IX_NodeAcl_Generation_Scope",
+                table: "NodeAcl",
+                columns: new[] { "GenerationId", "ScopeKind", "ScopeId" },
+                filter: "[ScopeId] IS NOT NULL");
+
+            migrationBuilder.CreateIndex(
+                name: "UX_NodeAcl_Generation_GroupScope",
+                table: "NodeAcl",
+                columns: new[] { "GenerationId", "ClusterId", "LdapGroup", "ScopeKind", "ScopeId" },
+                unique: true,
+                filter: "[ScopeId] IS NOT NULL");
+
+            migrationBuilder.CreateIndex(
+                name: "UX_NodeAcl_Generation_LogicalId",
+                table: "NodeAcl",
+                columns: new[] { "GenerationId", "NodeAclId" },
+                unique: true,
+                filter: "[NodeAclId] IS NOT NULL");
+
+            migrationBuilder.CreateIndex(
+                name: "IX_PollGroup_Generation_Driver",
+                table: "PollGroup",
+                columns: new[] { "GenerationId", "DriverInstanceId" });
+
+            migrationBuilder.CreateIndex(
+                name: "UX_PollGroup_Generation_LogicalId",
+                table: "PollGroup",
+                columns: new[] { "GenerationId", "PollGroupId" },
+                unique: true,
+                filter: "[PollGroupId] IS NOT NULL");
+
+            migrationBuilder.CreateIndex(
+                name: "IX_ServerCluster_Site",
+                table: "ServerCluster",
+                column: "Site");
+
+            migrationBuilder.CreateIndex(
+                name: "UX_ServerCluster_Name",
+                table: "ServerCluster",
+                column: "Name",
+                unique: true);
+
+            migrationBuilder.CreateIndex(
+                name: "IX_Tag_Generation_Driver_Device",
+                table: "Tag",
+                columns: new[] { "GenerationId", "DriverInstanceId", "DeviceId" });
+
+            migrationBuilder.CreateIndex(
+                name: "IX_Tag_Generation_Equipment",
+                table: "Tag",
+                columns: new[] { "GenerationId", "EquipmentId" },
+                filter: "[EquipmentId] IS NOT NULL");
+
+            migrationBuilder.CreateIndex(
+                name: "UX_Tag_Generation_EquipmentPath",
+                table: "Tag",
+                columns: new[] { "GenerationId", "EquipmentId", "Name" },
+                unique: true,
+                filter: "[EquipmentId] IS NOT NULL");
+
+            migrationBuilder.CreateIndex(
+                name: "UX_Tag_Generation_FolderPath",
+                table: "Tag",
+                columns: new[] { "GenerationId", "DriverInstanceId", "FolderPath", "Name" },
+                unique: true,
+                filter: "[EquipmentId] IS NULL");
+
+            migrationBuilder.CreateIndex(
+                name: "UX_Tag_Generation_LogicalId",
+                table: "Tag",
+                columns: new[] { "GenerationId", "TagId" },
+                unique: true,
+                filter: "[TagId] IS NOT NULL");
+
+            migrationBuilder.CreateIndex(
+                name: "IX_UnsArea_ClusterId",
+                table: "UnsArea",
+                column: "ClusterId");
+
+            migrationBuilder.CreateIndex(
+                name: "IX_UnsArea_Generation_Cluster",
+                table: "UnsArea",
+                columns: new[] { "GenerationId", "ClusterId" });
+
+            migrationBuilder.CreateIndex(
+                name: "UX_UnsArea_Generation_ClusterName",
+                table: "UnsArea",
+                columns: new[] { "GenerationId", "ClusterId", "Name" },
+                unique: true);
+
+            migrationBuilder.CreateIndex(
+                name: "UX_UnsArea_Generation_LogicalId",
+                table: "UnsArea",
+                columns: new[] { "GenerationId", "UnsAreaId" },
+                unique: true,
+                filter: "[UnsAreaId] IS NOT NULL");
+
+            migrationBuilder.CreateIndex(
+                name: "IX_UnsLine_Generation_Area",
+                table: "UnsLine",
+                columns: new[] { "GenerationId", "UnsAreaId" });
+
+            migrationBuilder.CreateIndex(
+                name: "UX_UnsLine_Generation_AreaName",
+                table: "UnsLine",
+                columns: new[] { "GenerationId", "UnsAreaId", "Name" },
+                unique: true);
+
+            migrationBuilder.CreateIndex(
+                name: "UX_UnsLine_Generation_LogicalId",
+                table: "UnsLine",
+                columns: new[] { "GenerationId", "UnsLineId" },
+                unique: true,
+                filter: "[UnsLineId] IS NOT NULL");
+        }
+
+        /// <inheritdoc />
+        protected override void Down(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.DropTable(
+                name: "ClusterNodeCredential");
+
+            migrationBuilder.DropTable(
+                name: "ClusterNodeGenerationState");
+
+            migrationBuilder.DropTable(
+                name: "ConfigAuditLog");
+
+            migrationBuilder.DropTable(
+                name: "Device");
+
+            migrationBuilder.DropTable(
+                name: "DriverInstance");
+
+            migrationBuilder.DropTable(
+                name: "Equipment");
+
+            migrationBuilder.DropTable(
+                name: "ExternalIdReservation");
+
+            migrationBuilder.DropTable(
+                name: "Namespace");
+
+            migrationBuilder.DropTable(
+                name: "NodeAcl");
+
+            migrationBuilder.DropTable(
+                name: "PollGroup");
+
+            migrationBuilder.DropTable(
+                name: "Tag");
+
+            migrationBuilder.DropTable(
+                name: "UnsArea");
+
+            migrationBuilder.DropTable(
+                name: "UnsLine");
+
+            migrationBuilder.DropTable(
+                name: "ClusterNode");
+
+            migrationBuilder.DropTable(
+                name: "ConfigGeneration");
+
+            migrationBuilder.DropTable(
+                name: "ServerCluster");
+        }
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/Migrations/20260417215224_StoredProcedures.cs

@@ -0,0 +1,473 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Migrations;
+
+/// <summary>
+///     Stored procedures per <c>config-db-schema.md §"Stored Procedures"</c>. All node + admin DB
+///     access funnels through these — direct table writes are revoked in the AuthorizationGrants
+///     migration that follows. CREATE OR ALTER style so procs version with the schema.
+/// </summary>
+public partial class StoredProcedures : Migration
+{
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.Sql(Procs.GetCurrentGenerationForCluster);
+        migrationBuilder.Sql(Procs.GetGenerationContent);
+        migrationBuilder.Sql(Procs.RegisterNodeGenerationApplied);
+        migrationBuilder.Sql(Procs.ValidateDraft);
+        migrationBuilder.Sql(Procs.PublishGeneration);
+        migrationBuilder.Sql(Procs.RollbackToGeneration);
+        migrationBuilder.Sql(Procs.ComputeGenerationDiff);
+        migrationBuilder.Sql(Procs.ReleaseExternalIdReservation);
+    }
+
+    protected override void Down(MigrationBuilder migrationBuilder)
+    {
+        foreach (var name in new[]
+                 {
+                     "sp_ReleaseExternalIdReservation", "sp_ComputeGenerationDiff", "sp_RollbackToGeneration",
+                     "sp_PublishGeneration", "sp_ValidateDraft", "sp_RegisterNodeGenerationApplied",
+                     "sp_GetGenerationContent", "sp_GetCurrentGenerationForCluster",
+                 })
+        {
+            migrationBuilder.Sql($"IF OBJECT_ID(N'dbo.{name}', N'P') IS NOT NULL DROP PROCEDURE dbo.{name};");
+        }
+    }
+
+    private static class Procs
+    {
+        public const string GetCurrentGenerationForCluster = @"
+CREATE OR ALTER PROCEDURE dbo.sp_GetCurrentGenerationForCluster
+    @NodeId    nvarchar(64),
+    @ClusterId nvarchar(64)
+AS
+BEGIN
+    SET NOCOUNT ON;
+
+    DECLARE @Caller nvarchar(128) = SUSER_SNAME();
+
+    IF NOT EXISTS (
+        SELECT 1 FROM dbo.ClusterNodeCredential
+        WHERE NodeId = @NodeId AND Value = @Caller AND Enabled = 1)
+    BEGIN
+        RAISERROR('Unauthorized: caller %s is not bound to NodeId %s', 16, 1, @Caller, @NodeId);
+        RETURN;
+    END
+
+    IF NOT EXISTS (
+        SELECT 1 FROM dbo.ClusterNode
+        WHERE NodeId = @NodeId AND ClusterId = @ClusterId AND Enabled = 1)
+    BEGIN
+        RAISERROR('Forbidden: NodeId %s does not belong to ClusterId %s', 16, 1, @NodeId, @ClusterId);
+        RETURN;
+    END
+
+    SELECT TOP 1 GenerationId, ClusterId, Status, PublishedAt, PublishedBy, Notes
+    FROM   dbo.ConfigGeneration
+    WHERE  ClusterId = @ClusterId AND Status = 'Published'
+    ORDER BY GenerationId DESC;
+END
+";
+
+        public const string GetGenerationContent = @"
+CREATE OR ALTER PROCEDURE dbo.sp_GetGenerationContent
+    @NodeId       nvarchar(64),
+    @GenerationId bigint
+AS
+BEGIN
+    SET NOCOUNT ON;
+
+    DECLARE @Caller    nvarchar(128) = SUSER_SNAME();
+    DECLARE @ClusterId nvarchar(64);
+
+    SELECT @ClusterId = ClusterId FROM dbo.ConfigGeneration WHERE GenerationId = @GenerationId;
+
+    IF @ClusterId IS NULL
+    BEGIN
+        RAISERROR('GenerationId %I64d not found', 16, 1, @GenerationId);
+        RETURN;
+    END
+
+    IF NOT EXISTS (
+        SELECT 1
+        FROM   dbo.ClusterNodeCredential c
+        JOIN   dbo.ClusterNode n ON n.NodeId = c.NodeId
+        WHERE  c.NodeId = @NodeId AND c.Value = @Caller AND c.Enabled = 1
+          AND  n.ClusterId = @ClusterId AND n.Enabled = 1)
+    BEGIN
+        RAISERROR('Forbidden: caller %s not bound to a node in ClusterId %s', 16, 1, @Caller, @ClusterId);
+        RETURN;
+    END
+
+    SELECT * FROM dbo.Namespace       WHERE GenerationId = @GenerationId;
+    SELECT * FROM dbo.UnsArea         WHERE GenerationId = @GenerationId;
+    SELECT * FROM dbo.UnsLine         WHERE GenerationId = @GenerationId;
+    SELECT * FROM dbo.DriverInstance  WHERE GenerationId = @GenerationId;
+    SELECT * FROM dbo.Device          WHERE GenerationId = @GenerationId;
+    SELECT * FROM dbo.Equipment       WHERE GenerationId = @GenerationId;
+    SELECT * FROM dbo.PollGroup       WHERE GenerationId = @GenerationId;
+    SELECT * FROM dbo.Tag             WHERE GenerationId = @GenerationId;
+    SELECT * FROM dbo.NodeAcl         WHERE GenerationId = @GenerationId;
+END
+";
+
+        public const string RegisterNodeGenerationApplied = @"
+CREATE OR ALTER PROCEDURE dbo.sp_RegisterNodeGenerationApplied
+    @NodeId          nvarchar(64),
+    @GenerationId    bigint,
+    @Status          nvarchar(16),
+    @Error           nvarchar(max) = NULL
+AS
+BEGIN
+    SET NOCOUNT ON;
+
+    DECLARE @Caller nvarchar(128) = SUSER_SNAME();
+
+    IF NOT EXISTS (
+        SELECT 1 FROM dbo.ClusterNodeCredential
+        WHERE NodeId = @NodeId AND Value = @Caller AND Enabled = 1)
+    BEGIN
+        RAISERROR('Unauthorized: caller %s is not bound to NodeId %s', 16, 1, @Caller, @NodeId);
+        RETURN;
+    END
+
+    MERGE dbo.ClusterNodeGenerationState AS tgt
+    USING (SELECT @NodeId AS NodeId) AS src ON tgt.NodeId = src.NodeId
+    WHEN MATCHED THEN UPDATE SET
+        CurrentGenerationId = @GenerationId,
+        LastAppliedAt       = SYSUTCDATETIME(),
+        LastAppliedStatus   = @Status,
+        LastAppliedError    = @Error,
+        LastSeenAt          = SYSUTCDATETIME()
+    WHEN NOT MATCHED THEN INSERT
+        (NodeId, CurrentGenerationId, LastAppliedAt, LastAppliedStatus, LastAppliedError, LastSeenAt)
+        VALUES (@NodeId, @GenerationId, SYSUTCDATETIME(), @Status, @Error, SYSUTCDATETIME());
+
+    INSERT dbo.ConfigAuditLog (Principal, EventType, NodeId, GenerationId, DetailsJson)
+    VALUES (@Caller, 'NodeApplied', @NodeId, @GenerationId,
+            CONCAT('{""status"":""', @Status, '""}'));
+END
+";
+
+        public const string ValidateDraft = @"
+CREATE OR ALTER PROCEDURE dbo.sp_ValidateDraft
+    @DraftGenerationId bigint
+AS
+BEGIN
+    SET NOCOUNT ON;
+
+    DECLARE @ClusterId nvarchar(64);
+    DECLARE @Status    nvarchar(16);
+
+    SELECT @ClusterId = ClusterId, @Status = Status
+    FROM   dbo.ConfigGeneration WHERE GenerationId = @DraftGenerationId;
+
+    IF @ClusterId IS NULL
+    BEGIN
+        RAISERROR('GenerationId %I64d not found', 16, 1, @DraftGenerationId);
+        RETURN;
+    END
+
+    IF @Status <> 'Draft'
+    BEGIN
+        RAISERROR('GenerationId %I64d is not in Draft status (current=%s)', 16, 1, @DraftGenerationId, @Status);
+        RETURN;
+    END
+
+    IF EXISTS (
+        SELECT 1 FROM dbo.Tag t
+        LEFT JOIN dbo.DriverInstance d ON d.GenerationId = t.GenerationId AND d.DriverInstanceId = t.DriverInstanceId
+        WHERE t.GenerationId = @DraftGenerationId AND d.DriverInstanceId IS NULL)
+    BEGIN
+        RAISERROR('Draft has tags with unresolved DriverInstanceId', 16, 1);
+        RETURN;
+    END
+
+    IF EXISTS (
+        SELECT 1 FROM dbo.Tag t
+        LEFT JOIN dbo.Device dv ON dv.GenerationId = t.GenerationId AND dv.DeviceId = t.DeviceId
+        WHERE t.GenerationId = @DraftGenerationId AND t.DeviceId IS NOT NULL AND dv.DeviceId IS NULL)
+    BEGIN
+        RAISERROR('Draft has tags with unresolved DeviceId', 16, 1);
+        RETURN;
+    END
+
+    IF EXISTS (
+        SELECT 1 FROM dbo.Tag t
+        LEFT JOIN dbo.PollGroup pg ON pg.GenerationId = t.GenerationId AND pg.PollGroupId = t.PollGroupId
+        WHERE t.GenerationId = @DraftGenerationId AND t.PollGroupId IS NOT NULL AND pg.PollGroupId IS NULL)
+    BEGIN
+        RAISERROR('Draft has tags with unresolved PollGroupId', 16, 1);
+        RETURN;
+    END
+
+    IF EXISTS (
+        SELECT 1
+        FROM   dbo.DriverInstance di
+        JOIN   dbo.Namespace ns ON ns.GenerationId = di.GenerationId AND ns.NamespaceId = di.NamespaceId
+        WHERE  di.GenerationId = @DraftGenerationId
+          AND  ns.ClusterId <> di.ClusterId)
+    BEGIN
+        INSERT dbo.ConfigAuditLog (Principal, EventType, ClusterId, GenerationId)
+        VALUES (SUSER_SNAME(), 'CrossClusterNamespaceAttempt', @ClusterId, @DraftGenerationId);
+        RAISERROR('BadCrossClusterNamespaceBinding: namespace and driver must belong to the same cluster', 16, 1);
+        RETURN;
+    END
+
+    IF EXISTS (
+        SELECT 1
+        FROM   dbo.Equipment draft
+        JOIN   dbo.Equipment prior
+            ON prior.EquipmentId = draft.EquipmentId
+           AND prior.EquipmentUuid <> draft.EquipmentUuid
+           AND prior.GenerationId <> draft.GenerationId
+        JOIN   dbo.ConfigGeneration pg ON pg.GenerationId = prior.GenerationId
+        WHERE  draft.GenerationId = @DraftGenerationId
+          AND  pg.ClusterId = @ClusterId)
+    BEGIN
+        RAISERROR('EquipmentUuid immutability violated for an EquipmentId that existed in a prior generation', 16, 1);
+        RETURN;
+    END
+
+    IF EXISTS (
+        SELECT 1
+        FROM   dbo.Equipment draft
+        JOIN   dbo.ExternalIdReservation r
+            ON r.Kind = 'ZTag' AND r.Value = draft.ZTag AND r.ReleasedAt IS NULL
+           AND r.EquipmentUuid <> draft.EquipmentUuid
+        WHERE  draft.GenerationId = @DraftGenerationId AND draft.ZTag IS NOT NULL)
+    BEGIN
+        RAISERROR('BadDuplicateExternalIdentifier: a ZTag in the draft is reserved by a different EquipmentUuid', 16, 1);
+        RETURN;
+    END
+
+    IF EXISTS (
+        SELECT 1
+        FROM   dbo.Equipment draft
+        JOIN   dbo.ExternalIdReservation r
+            ON r.Kind = 'SAPID' AND r.Value = draft.SAPID AND r.ReleasedAt IS NULL
+           AND r.EquipmentUuid <> draft.EquipmentUuid
+        WHERE  draft.GenerationId = @DraftGenerationId AND draft.SAPID IS NOT NULL)
+    BEGIN
+        RAISERROR('BadDuplicateExternalIdentifier: a SAPID in the draft is reserved by a different EquipmentUuid', 16, 1);
+        RETURN;
+    END
+END
+";
+
+        public const string PublishGeneration = @"
+CREATE OR ALTER PROCEDURE dbo.sp_PublishGeneration
+    @ClusterId          nvarchar(64),
+    @DraftGenerationId  bigint,
+    @Notes              nvarchar(1024) = NULL
+AS
+BEGIN
+    SET NOCOUNT ON;
+    SET XACT_ABORT ON;
+
+    BEGIN TRANSACTION;
+
+    DECLARE @Lock nvarchar(255) = N'OtOpcUa_Publish_' + @ClusterId;
+    DECLARE @LockResult int;
+    EXEC @LockResult = sp_getapplock @Resource = @Lock, @LockMode = 'Exclusive', @LockTimeout = 0;
+    IF @LockResult < 0
+    BEGIN
+        RAISERROR('PublishConflict: another publish is in progress for cluster %s', 16, 1, @ClusterId);
+        ROLLBACK;
+        RETURN;
+    END
+
+    EXEC dbo.sp_ValidateDraft @DraftGenerationId = @DraftGenerationId;
+
+    MERGE dbo.ExternalIdReservation AS tgt
+    USING (
+        SELECT 'ZTag' AS Kind, ZTag AS Value, EquipmentUuid
+        FROM   dbo.Equipment
+        WHERE  GenerationId = @DraftGenerationId AND ZTag IS NOT NULL
+        UNION ALL
+        SELECT 'SAPID', SAPID, EquipmentUuid
+        FROM   dbo.Equipment
+        WHERE  GenerationId = @DraftGenerationId AND SAPID IS NOT NULL
+    ) AS src
+        ON  tgt.Kind = src.Kind AND tgt.Value = src.Value AND tgt.EquipmentUuid = src.EquipmentUuid
+    WHEN MATCHED THEN UPDATE SET LastPublishedAt = SYSUTCDATETIME()
+    WHEN NOT MATCHED BY TARGET THEN
+        INSERT (Kind, Value, EquipmentUuid, ClusterId, FirstPublishedBy, LastPublishedAt)
+        VALUES (src.Kind, src.Value, src.EquipmentUuid, @ClusterId, SUSER_SNAME(), SYSUTCDATETIME());
+
+    UPDATE dbo.ConfigGeneration
+    SET    Status = 'Superseded'
+    WHERE  ClusterId = @ClusterId AND Status = 'Published';
+
+    UPDATE dbo.ConfigGeneration
+    SET    Status      = 'Published',
+           PublishedAt = SYSUTCDATETIME(),
+           PublishedBy = SUSER_SNAME(),
+           Notes       = ISNULL(@Notes, Notes)
+    WHERE  GenerationId = @DraftGenerationId AND ClusterId = @ClusterId AND Status = 'Draft';
+
+    IF @@ROWCOUNT = 0
+    BEGIN
+        RAISERROR('Draft %I64d for cluster %s not found (was it already published?)', 16, 1, @DraftGenerationId, @ClusterId);
+        ROLLBACK;
+        RETURN;
+    END
+
+    INSERT dbo.ConfigAuditLog (Principal, EventType, ClusterId, GenerationId)
+    VALUES (SUSER_SNAME(), 'Published', @ClusterId, @DraftGenerationId);
+
+    COMMIT;
+END
+";
+
+        public const string RollbackToGeneration = @"
+CREATE OR ALTER PROCEDURE dbo.sp_RollbackToGeneration
+    @ClusterId            nvarchar(64),
+    @TargetGenerationId   bigint,
+    @Notes                nvarchar(1024) = NULL
+AS
+BEGIN
+    SET NOCOUNT ON;
+    SET XACT_ABORT ON;
+    BEGIN TRANSACTION;
+
+    IF NOT EXISTS (
+        SELECT 1 FROM dbo.ConfigGeneration
+        WHERE GenerationId = @TargetGenerationId AND ClusterId = @ClusterId
+          AND Status IN ('Published', 'Superseded'))
+    BEGIN
+        RAISERROR('Target generation %I64d not found or not rollback-eligible', 16, 1, @TargetGenerationId);
+        ROLLBACK; RETURN;
+    END
+
+    DECLARE @NewGenId bigint;
+    INSERT dbo.ConfigGeneration (ClusterId, Status, CreatedAt, CreatedBy, PublishedAt, PublishedBy, Notes)
+    VALUES (@ClusterId, 'Draft', SYSUTCDATETIME(), SUSER_SNAME(), NULL, NULL,
+            ISNULL(@Notes, CONCAT('Rollback clone of generation ', @TargetGenerationId)));
+    SET @NewGenId = SCOPE_IDENTITY();
+
+    INSERT dbo.Namespace      (GenerationId, NamespaceId, ClusterId, Kind, NamespaceUri, Enabled, Notes)
+        SELECT @NewGenId, NamespaceId, ClusterId, Kind, NamespaceUri, Enabled, Notes FROM dbo.Namespace WHERE GenerationId = @TargetGenerationId;
+    INSERT dbo.UnsArea        (GenerationId, UnsAreaId, ClusterId, Name, Notes)
+        SELECT @NewGenId, UnsAreaId, ClusterId, Name, Notes FROM dbo.UnsArea WHERE GenerationId = @TargetGenerationId;
+    INSERT dbo.UnsLine        (GenerationId, UnsLineId, UnsAreaId, Name, Notes)
+        SELECT @NewGenId, UnsLineId, UnsAreaId, Name, Notes FROM dbo.UnsLine WHERE GenerationId = @TargetGenerationId;
+    INSERT dbo.DriverInstance (GenerationId, DriverInstanceId, ClusterId, NamespaceId, Name, DriverType, Enabled, DriverConfig)
+        SELECT @NewGenId, DriverInstanceId, ClusterId, NamespaceId, Name, DriverType, Enabled, DriverConfig FROM dbo.DriverInstance WHERE GenerationId = @TargetGenerationId;
+    INSERT dbo.Device         (GenerationId, DeviceId, DriverInstanceId, Name, Enabled, DeviceConfig)
+        SELECT @NewGenId, DeviceId, DriverInstanceId, Name, Enabled, DeviceConfig FROM dbo.Device WHERE GenerationId = @TargetGenerationId;
+    INSERT dbo.Equipment      (GenerationId, EquipmentId, EquipmentUuid, DriverInstanceId, DeviceId, UnsLineId, Name, MachineCode, ZTag, SAPID, Manufacturer, Model, SerialNumber, HardwareRevision, SoftwareRevision, YearOfConstruction, AssetLocation, ManufacturerUri, DeviceManualUri, EquipmentClassRef, Enabled)
+        SELECT @NewGenId, EquipmentId, EquipmentUuid, DriverInstanceId, DeviceId, UnsLineId, Name, MachineCode, ZTag, SAPID, Manufacturer, Model, SerialNumber, HardwareRevision, SoftwareRevision, YearOfConstruction, AssetLocation, ManufacturerUri, DeviceManualUri, EquipmentClassRef, Enabled FROM dbo.Equipment WHERE GenerationId = @TargetGenerationId;
+    INSERT dbo.PollGroup      (GenerationId, PollGroupId, DriverInstanceId, Name, IntervalMs)
+        SELECT @NewGenId, PollGroupId, DriverInstanceId, Name, IntervalMs FROM dbo.PollGroup WHERE GenerationId = @TargetGenerationId;
+    INSERT dbo.Tag            (GenerationId, TagId, DriverInstanceId, DeviceId, EquipmentId, Name, FolderPath, DataType, AccessLevel, WriteIdempotent, PollGroupId, TagConfig)
+        SELECT @NewGenId, TagId, DriverInstanceId, DeviceId, EquipmentId, Name, FolderPath, DataType, AccessLevel, WriteIdempotent, PollGroupId, TagConfig FROM dbo.Tag WHERE GenerationId = @TargetGenerationId;
+    INSERT dbo.NodeAcl        (GenerationId, NodeAclId, ClusterId, LdapGroup, ScopeKind, ScopeId, PermissionFlags, Notes)
+        SELECT @NewGenId, NodeAclId, ClusterId, LdapGroup, ScopeKind, ScopeId, PermissionFlags, Notes FROM dbo.NodeAcl WHERE GenerationId = @TargetGenerationId;
+
+    EXEC dbo.sp_PublishGeneration @ClusterId = @ClusterId, @DraftGenerationId = @NewGenId, @Notes = @Notes;
+
+    INSERT dbo.ConfigAuditLog (Principal, EventType, ClusterId, GenerationId, DetailsJson)
+    VALUES (SUSER_SNAME(), 'RolledBack', @ClusterId, @NewGenId,
+            CONCAT('{""rolledBackTo"":', @TargetGenerationId, '}'));
+
+    COMMIT;
+END
+";
+
+        public const string ComputeGenerationDiff = @"
+CREATE OR ALTER PROCEDURE dbo.sp_ComputeGenerationDiff
+    @FromGenerationId bigint,
+    @ToGenerationId   bigint
+AS
+BEGIN
+    SET NOCOUNT ON;
+
+    CREATE TABLE #diff (TableName nvarchar(32), LogicalId nvarchar(64), ChangeKind nvarchar(16));
+
+    WITH f AS (SELECT NamespaceId AS LogicalId, CHECKSUM(NamespaceUri, Kind, Enabled, Notes) AS Sig FROM dbo.Namespace WHERE GenerationId = @FromGenerationId),
+         t AS (SELECT NamespaceId AS LogicalId, CHECKSUM(NamespaceUri, Kind, Enabled, Notes) AS Sig FROM dbo.Namespace WHERE GenerationId = @ToGenerationId)
+    INSERT #diff
+    SELECT 'Namespace', CONVERT(nvarchar(64), COALESCE(f.LogicalId, t.LogicalId)),
+           CASE WHEN f.LogicalId IS NULL THEN 'Added'
+                WHEN t.LogicalId IS NULL THEN 'Removed'
+                WHEN f.Sig <> t.Sig       THEN 'Modified'
+                ELSE 'Unchanged' END
+    FROM   f FULL OUTER JOIN t ON f.LogicalId = t.LogicalId
+    WHERE  f.LogicalId IS NULL OR t.LogicalId IS NULL OR f.Sig <> t.Sig;
+
+    WITH f AS (SELECT DriverInstanceId AS LogicalId, CHECKSUM(ClusterId, NamespaceId, Name, DriverType, Enabled, CONVERT(varchar(max), DriverConfig)) AS Sig FROM dbo.DriverInstance WHERE GenerationId = @FromGenerationId),
+         t AS (SELECT DriverInstanceId AS LogicalId, CHECKSUM(ClusterId, NamespaceId, Name, DriverType, Enabled, CONVERT(varchar(max), DriverConfig)) AS Sig FROM dbo.DriverInstance WHERE GenerationId = @ToGenerationId)
+    INSERT #diff
+    SELECT 'DriverInstance', CONVERT(nvarchar(64), COALESCE(f.LogicalId, t.LogicalId)),
+           CASE WHEN f.LogicalId IS NULL THEN 'Added'
+                WHEN t.LogicalId IS NULL THEN 'Removed'
+                WHEN f.Sig <> t.Sig       THEN 'Modified'
+                ELSE 'Unchanged' END
+    FROM   f FULL OUTER JOIN t ON f.LogicalId = t.LogicalId
+    WHERE  f.LogicalId IS NULL OR t.LogicalId IS NULL OR f.Sig <> t.Sig;
+
+    WITH f AS (SELECT EquipmentId AS LogicalId, CHECKSUM(EquipmentUuid, DriverInstanceId, UnsLineId, Name, MachineCode, ZTag, SAPID, EquipmentClassRef, Manufacturer, Model, SerialNumber) AS Sig FROM dbo.Equipment WHERE GenerationId = @FromGenerationId),
+         t AS (SELECT EquipmentId AS LogicalId, CHECKSUM(EquipmentUuid, DriverInstanceId, UnsLineId, Name, MachineCode, ZTag, SAPID, EquipmentClassRef, Manufacturer, Model, SerialNumber) AS Sig FROM dbo.Equipment WHERE GenerationId = @ToGenerationId)
+    INSERT #diff
+    SELECT 'Equipment', CONVERT(nvarchar(64), COALESCE(f.LogicalId, t.LogicalId)),
+           CASE WHEN f.LogicalId IS NULL THEN 'Added'
+                WHEN t.LogicalId IS NULL THEN 'Removed'
+                WHEN f.Sig <> t.Sig       THEN 'Modified'
+                ELSE 'Unchanged' END
+    FROM   f FULL OUTER JOIN t ON f.LogicalId = t.LogicalId
+    WHERE  f.LogicalId IS NULL OR t.LogicalId IS NULL OR f.Sig <> t.Sig;
+
+    WITH f AS (SELECT TagId AS LogicalId, CHECKSUM(DriverInstanceId, DeviceId, EquipmentId, PollGroupId, FolderPath, Name, DataType, AccessLevel, WriteIdempotent, CONVERT(varchar(max), TagConfig)) AS Sig FROM dbo.Tag WHERE GenerationId = @FromGenerationId),
+         t AS (SELECT TagId AS LogicalId, CHECKSUM(DriverInstanceId, DeviceId, EquipmentId, PollGroupId, FolderPath, Name, DataType, AccessLevel, WriteIdempotent, CONVERT(varchar(max), TagConfig)) AS Sig FROM dbo.Tag WHERE GenerationId = @ToGenerationId)
+    INSERT #diff
+    SELECT 'Tag', CONVERT(nvarchar(64), COALESCE(f.LogicalId, t.LogicalId)),
+           CASE WHEN f.LogicalId IS NULL THEN 'Added'
+                WHEN t.LogicalId IS NULL THEN 'Removed'
+                WHEN f.Sig <> t.Sig       THEN 'Modified'
+                ELSE 'Unchanged' END
+    FROM   f FULL OUTER JOIN t ON f.LogicalId = t.LogicalId
+    WHERE  f.LogicalId IS NULL OR t.LogicalId IS NULL OR f.Sig <> t.Sig;
+
+    SELECT TableName, LogicalId, ChangeKind FROM #diff;
+    DROP TABLE #diff;
+END
+";
+
+        public const string ReleaseExternalIdReservation = @"
+CREATE OR ALTER PROCEDURE dbo.sp_ReleaseExternalIdReservation
+    @Kind           nvarchar(16),
+    @Value          nvarchar(64),
+    @ReleaseReason  nvarchar(512)
+AS
+BEGIN
+    SET NOCOUNT ON;
+    SET XACT_ABORT ON;
+
+    IF @ReleaseReason IS NULL OR LEN(@ReleaseReason) = 0
+    BEGIN
+        RAISERROR('ReleaseReason is required', 16, 1);
+        RETURN;
+    END
+
+    UPDATE dbo.ExternalIdReservation
+    SET    ReleasedAt     = SYSUTCDATETIME(),
+           ReleasedBy     = SUSER_SNAME(),
+           ReleaseReason  = @ReleaseReason
+    WHERE  Kind = @Kind AND Value = @Value AND ReleasedAt IS NULL;
+
+    IF @@ROWCOUNT = 0
+    BEGIN
+        RAISERROR('No active reservation found for (%s, %s)', 16, 1, @Kind, @Value);
+        RETURN;
+    END
+
+    INSERT dbo.ConfigAuditLog (Principal, EventType, DetailsJson)
+    VALUES (SUSER_SNAME(), 'ExternalIdReleased',
+            CONCAT('{""kind"":""', @Kind, '"",""value"":""', @Value, '""}'));
+END
+";
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/Migrations/20260417220857_AuthorizationGrants.cs

@@ -0,0 +1,55 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Migrations;
+
+/// <summary>
+///     Creates the two DB roles per <c>config-db-schema.md §"Authorization Model"</c> and grants
+///     EXECUTE on the appropriate stored procedures. Deliberately grants no direct table DML — all
+///     writes funnel through the procs, which authenticate via <c>SUSER_SNAME()</c>.
+///     Principals (SQL logins, gMSA users, cert-mapped users) are provisioned by the DBA outside
+///     this migration and then added to one of the two roles.
+/// </summary>
+public partial class AuthorizationGrants : Migration
+{
+    protected override void Up(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.Sql(@"
+IF DATABASE_PRINCIPAL_ID('OtOpcUaNode') IS NULL
+    CREATE ROLE OtOpcUaNode;
+IF DATABASE_PRINCIPAL_ID('OtOpcUaAdmin') IS NULL
+    CREATE ROLE OtOpcUaAdmin;
+");
+
+        migrationBuilder.Sql(@"
+GRANT EXECUTE ON OBJECT::dbo.sp_GetCurrentGenerationForCluster TO OtOpcUaNode;
+GRANT EXECUTE ON OBJECT::dbo.sp_GetGenerationContent            TO OtOpcUaNode;
+GRANT EXECUTE ON OBJECT::dbo.sp_RegisterNodeGenerationApplied   TO OtOpcUaNode;
+
+GRANT EXECUTE ON OBJECT::dbo.sp_GetCurrentGenerationForCluster TO OtOpcUaAdmin;
+GRANT EXECUTE ON OBJECT::dbo.sp_GetGenerationContent            TO OtOpcUaAdmin;
+GRANT EXECUTE ON OBJECT::dbo.sp_ValidateDraft                   TO OtOpcUaAdmin;
+GRANT EXECUTE ON OBJECT::dbo.sp_PublishGeneration               TO OtOpcUaAdmin;
+GRANT EXECUTE ON OBJECT::dbo.sp_RollbackToGeneration            TO OtOpcUaAdmin;
+GRANT EXECUTE ON OBJECT::dbo.sp_ComputeGenerationDiff           TO OtOpcUaAdmin;
+GRANT EXECUTE ON OBJECT::dbo.sp_ReleaseExternalIdReservation    TO OtOpcUaAdmin;
+
+DENY UPDATE, DELETE, INSERT ON SCHEMA::dbo TO OtOpcUaNode;
+DENY UPDATE, DELETE, INSERT ON SCHEMA::dbo TO OtOpcUaAdmin;
+DENY SELECT ON SCHEMA::dbo TO OtOpcUaNode;
+-- Admins may SELECT for reporting views in the future — grant views explicitly, not the schema.
+DENY SELECT ON SCHEMA::dbo TO OtOpcUaAdmin;
+");
+    }
+
+    protected override void Down(MigrationBuilder migrationBuilder)
+    {
+        migrationBuilder.Sql(@"
+IF DATABASE_PRINCIPAL_ID('OtOpcUaNode') IS NOT NULL
+    DROP ROLE OtOpcUaNode;
+IF DATABASE_PRINCIPAL_ID('OtOpcUaAdmin') IS NOT NULL
+    DROP ROLE OtOpcUaAdmin;
+");
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/OtOpcUaConfigDbContext.cs

@@ -0,0 +1,487 @@
+using Microsoft.EntityFrameworkCore;
+using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+
+namespace ZB.MOM.WW.OtOpcUa.Configuration;
+
+/// <summary>
+///     Central config DB context. Schema matches <c>docs/v2/config-db-schema.md</c> exactly —
+///     any divergence is a defect caught by the SchemaComplianceTests introspection check.
+/// </summary>
+public sealed class OtOpcUaConfigDbContext(DbContextOptions<OtOpcUaConfigDbContext> options)
+    : DbContext(options)
+{
+    public DbSet<ServerCluster> ServerClusters => Set<ServerCluster>();
+    public DbSet<ClusterNode> ClusterNodes => Set<ClusterNode>();
+    public DbSet<ClusterNodeCredential> ClusterNodeCredentials => Set<ClusterNodeCredential>();
+    public DbSet<ConfigGeneration> ConfigGenerations => Set<ConfigGeneration>();
+    public DbSet<Namespace> Namespaces => Set<Namespace>();
+    public DbSet<UnsArea> UnsAreas => Set<UnsArea>();
+    public DbSet<UnsLine> UnsLines => Set<UnsLine>();
+    public DbSet<DriverInstance> DriverInstances => Set<DriverInstance>();
+    public DbSet<Device> Devices => Set<Device>();
+    public DbSet<Equipment> Equipment => Set<Equipment>();
+    public DbSet<Tag> Tags => Set<Tag>();
+    public DbSet<PollGroup> PollGroups => Set<PollGroup>();
+    public DbSet<NodeAcl> NodeAcls => Set<NodeAcl>();
+    public DbSet<ClusterNodeGenerationState> ClusterNodeGenerationStates => Set<ClusterNodeGenerationState>();
+    public DbSet<ConfigAuditLog> ConfigAuditLogs => Set<ConfigAuditLog>();
+    public DbSet<ExternalIdReservation> ExternalIdReservations => Set<ExternalIdReservation>();
+
+    protected override void OnModelCreating(ModelBuilder modelBuilder)
+    {
+        base.OnModelCreating(modelBuilder);
+        ConfigureServerCluster(modelBuilder);
+        ConfigureClusterNode(modelBuilder);
+        ConfigureClusterNodeCredential(modelBuilder);
+        ConfigureConfigGeneration(modelBuilder);
+        ConfigureNamespace(modelBuilder);
+        ConfigureUnsArea(modelBuilder);
+        ConfigureUnsLine(modelBuilder);
+        ConfigureDriverInstance(modelBuilder);
+        ConfigureDevice(modelBuilder);
+        ConfigureEquipment(modelBuilder);
+        ConfigureTag(modelBuilder);
+        ConfigurePollGroup(modelBuilder);
+        ConfigureNodeAcl(modelBuilder);
+        ConfigureClusterNodeGenerationState(modelBuilder);
+        ConfigureConfigAuditLog(modelBuilder);
+        ConfigureExternalIdReservation(modelBuilder);
+    }
+
+    private static void ConfigureServerCluster(ModelBuilder modelBuilder)
+    {
+        modelBuilder.Entity<ServerCluster>(e =>
+        {
+            e.ToTable("ServerCluster", t =>
+            {
+                t.HasCheckConstraint("CK_ServerCluster_RedundancyMode_NodeCount",
+                    "((NodeCount = 1 AND RedundancyMode = 'None') " +
+                    "OR (NodeCount = 2 AND RedundancyMode IN ('Warm', 'Hot')))");
+            });
+            e.HasKey(x => x.ClusterId);
+            e.Property(x => x.ClusterId).HasMaxLength(64);
+            e.Property(x => x.Name).HasMaxLength(128);
+            e.Property(x => x.Enterprise).HasMaxLength(32);
+            e.Property(x => x.Site).HasMaxLength(32);
+            e.Property(x => x.RedundancyMode).HasConversion<string>().HasMaxLength(16);
+            e.Property(x => x.Notes).HasMaxLength(1024);
+            e.Property(x => x.CreatedAt).HasColumnType("datetime2(3)").HasDefaultValueSql("SYSUTCDATETIME()");
+            e.Property(x => x.CreatedBy).HasMaxLength(128);
+            e.Property(x => x.ModifiedAt).HasColumnType("datetime2(3)");
+            e.Property(x => x.ModifiedBy).HasMaxLength(128);
+            e.HasIndex(x => x.Name).IsUnique().HasDatabaseName("UX_ServerCluster_Name");
+            e.HasIndex(x => x.Site).HasDatabaseName("IX_ServerCluster_Site");
+        });
+    }
+
+    private static void ConfigureClusterNode(ModelBuilder modelBuilder)
+    {
+        modelBuilder.Entity<ClusterNode>(e =>
+        {
+            e.ToTable("ClusterNode");
+            e.HasKey(x => x.NodeId);
+            e.Property(x => x.NodeId).HasMaxLength(64);
+            e.Property(x => x.ClusterId).HasMaxLength(64);
+            e.Property(x => x.RedundancyRole).HasConversion<string>().HasMaxLength(16);
+            e.Property(x => x.Host).HasMaxLength(255);
+            e.Property(x => x.ApplicationUri).HasMaxLength(256);
+            e.Property(x => x.DriverConfigOverridesJson).HasColumnType("nvarchar(max)");
+            e.Property(x => x.LastSeenAt).HasColumnType("datetime2(3)");
+            e.Property(x => x.CreatedAt).HasColumnType("datetime2(3)").HasDefaultValueSql("SYSUTCDATETIME()");
+            e.Property(x => x.CreatedBy).HasMaxLength(128);
+
+            e.HasOne(x => x.Cluster).WithMany(c => c.Nodes)
+                .HasForeignKey(x => x.ClusterId)
+                .OnDelete(DeleteBehavior.Restrict);
+
+            // Fleet-wide unique per decision #86
+            e.HasIndex(x => x.ApplicationUri).IsUnique().HasDatabaseName("UX_ClusterNode_ApplicationUri");
+            e.HasIndex(x => x.ClusterId).HasDatabaseName("IX_ClusterNode_ClusterId");
+            // At most one Primary per cluster
+            e.HasIndex(x => x.ClusterId).IsUnique()
+                .HasFilter("[RedundancyRole] = 'Primary'")
+                .HasDatabaseName("UX_ClusterNode_Primary_Per_Cluster");
+        });
+    }
+
+    private static void ConfigureClusterNodeCredential(ModelBuilder modelBuilder)
+    {
+        modelBuilder.Entity<ClusterNodeCredential>(e =>
+        {
+            e.ToTable("ClusterNodeCredential");
+            e.HasKey(x => x.CredentialId);
+            e.Property(x => x.CredentialId).HasDefaultValueSql("NEWSEQUENTIALID()");
+            e.Property(x => x.NodeId).HasMaxLength(64);
+            e.Property(x => x.Kind).HasConversion<string>().HasMaxLength(32);
+            e.Property(x => x.Value).HasMaxLength(512);
+            e.Property(x => x.RotatedAt).HasColumnType("datetime2(3)");
+            e.Property(x => x.CreatedAt).HasColumnType("datetime2(3)").HasDefaultValueSql("SYSUTCDATETIME()");
+            e.Property(x => x.CreatedBy).HasMaxLength(128);
+
+            e.HasOne(x => x.Node).WithMany(n => n.Credentials)
+                .HasForeignKey(x => x.NodeId)
+                .OnDelete(DeleteBehavior.Restrict);
+
+            e.HasIndex(x => new { x.NodeId, x.Enabled }).HasDatabaseName("IX_ClusterNodeCredential_NodeId");
+            e.HasIndex(x => new { x.Kind, x.Value }).IsUnique()
+                .HasFilter("[Enabled] = 1")
+                .HasDatabaseName("UX_ClusterNodeCredential_Value");
+        });
+    }
+
+    private static void ConfigureConfigGeneration(ModelBuilder modelBuilder)
+    {
+        modelBuilder.Entity<ConfigGeneration>(e =>
+        {
+            e.ToTable("ConfigGeneration");
+            e.HasKey(x => x.GenerationId);
+            e.Property(x => x.GenerationId).UseIdentityColumn(seed: 1, increment: 1);
+            e.Property(x => x.ClusterId).HasMaxLength(64);
+            e.Property(x => x.Status).HasConversion<string>().HasMaxLength(16);
+            e.Property(x => x.PublishedAt).HasColumnType("datetime2(3)");
+            e.Property(x => x.PublishedBy).HasMaxLength(128);
+            e.Property(x => x.Notes).HasMaxLength(1024);
+            e.Property(x => x.CreatedAt).HasColumnType("datetime2(3)").HasDefaultValueSql("SYSUTCDATETIME()");
+            e.Property(x => x.CreatedBy).HasMaxLength(128);
+
+            e.HasOne(x => x.Cluster).WithMany(c => c.Generations)
+                .HasForeignKey(x => x.ClusterId)
+                .OnDelete(DeleteBehavior.Restrict);
+            e.HasOne(x => x.Parent).WithMany()
+                .HasForeignKey(x => x.ParentGenerationId)
+                .OnDelete(DeleteBehavior.Restrict);
+
+            e.HasIndex(x => new { x.ClusterId, x.Status, x.GenerationId })
+                .IsDescending(false, false, true)
+                .IncludeProperties(x => x.PublishedAt)
+                .HasDatabaseName("IX_ConfigGeneration_Cluster_Published");
+            // One Draft per cluster at a time
+            e.HasIndex(x => x.ClusterId).IsUnique()
+                .HasFilter("[Status] = 'Draft'")
+                .HasDatabaseName("UX_ConfigGeneration_Draft_Per_Cluster");
+        });
+    }
+
+    private static void ConfigureNamespace(ModelBuilder modelBuilder)
+    {
+        modelBuilder.Entity<Namespace>(e =>
+        {
+            e.ToTable("Namespace");
+            e.HasKey(x => x.NamespaceRowId);
+            e.Property(x => x.NamespaceRowId).HasDefaultValueSql("NEWSEQUENTIALID()");
+            e.Property(x => x.NamespaceId).HasMaxLength(64);
+            e.Property(x => x.ClusterId).HasMaxLength(64);
+            e.Property(x => x.Kind).HasConversion<string>().HasMaxLength(32);
+            e.Property(x => x.NamespaceUri).HasMaxLength(256);
+            e.Property(x => x.Notes).HasMaxLength(1024);
+
+            e.HasOne(x => x.Generation).WithMany()
+                .HasForeignKey(x => x.GenerationId)
+                .OnDelete(DeleteBehavior.Restrict);
+            e.HasOne(x => x.Cluster).WithMany(c => c.Namespaces)
+                .HasForeignKey(x => x.ClusterId)
+                .OnDelete(DeleteBehavior.Restrict);
+
+            e.HasIndex(x => new { x.GenerationId, x.ClusterId, x.Kind }).IsUnique()
+                .HasDatabaseName("UX_Namespace_Generation_Cluster_Kind");
+            e.HasIndex(x => new { x.GenerationId, x.NamespaceUri }).IsUnique()
+                .HasDatabaseName("UX_Namespace_Generation_NamespaceUri");
+            e.HasIndex(x => new { x.GenerationId, x.NamespaceId }).IsUnique()
+                .HasDatabaseName("UX_Namespace_Generation_LogicalId");
+            e.HasIndex(x => new { x.GenerationId, x.NamespaceId, x.ClusterId }).IsUnique()
+                .HasDatabaseName("UX_Namespace_Generation_LogicalId_Cluster");
+            e.HasIndex(x => new { x.GenerationId, x.ClusterId })
+                .HasDatabaseName("IX_Namespace_Generation_Cluster");
+        });
+    }
+
+    private static void ConfigureUnsArea(ModelBuilder modelBuilder)
+    {
+        modelBuilder.Entity<UnsArea>(e =>
+        {
+            e.ToTable("UnsArea");
+            e.HasKey(x => x.UnsAreaRowId);
+            e.Property(x => x.UnsAreaRowId).HasDefaultValueSql("NEWSEQUENTIALID()");
+            e.Property(x => x.UnsAreaId).HasMaxLength(64);
+            e.Property(x => x.ClusterId).HasMaxLength(64);
+            e.Property(x => x.Name).HasMaxLength(32);
+            e.Property(x => x.Notes).HasMaxLength(512);
+
+            e.HasOne(x => x.Generation).WithMany().HasForeignKey(x => x.GenerationId).OnDelete(DeleteBehavior.Restrict);
+            e.HasOne(x => x.Cluster).WithMany().HasForeignKey(x => x.ClusterId).OnDelete(DeleteBehavior.Restrict);
+
+            e.HasIndex(x => new { x.GenerationId, x.ClusterId }).HasDatabaseName("IX_UnsArea_Generation_Cluster");
+            e.HasIndex(x => new { x.GenerationId, x.UnsAreaId }).IsUnique().HasDatabaseName("UX_UnsArea_Generation_LogicalId");
+            e.HasIndex(x => new { x.GenerationId, x.ClusterId, x.Name }).IsUnique().HasDatabaseName("UX_UnsArea_Generation_ClusterName");
+        });
+    }
+
+    private static void ConfigureUnsLine(ModelBuilder modelBuilder)
+    {
+        modelBuilder.Entity<UnsLine>(e =>
+        {
+            e.ToTable("UnsLine");
+            e.HasKey(x => x.UnsLineRowId);
+            e.Property(x => x.UnsLineRowId).HasDefaultValueSql("NEWSEQUENTIALID()");
+            e.Property(x => x.UnsLineId).HasMaxLength(64);
+            e.Property(x => x.UnsAreaId).HasMaxLength(64);
+            e.Property(x => x.Name).HasMaxLength(32);
+            e.Property(x => x.Notes).HasMaxLength(512);
+
+            e.HasOne(x => x.Generation).WithMany().HasForeignKey(x => x.GenerationId).OnDelete(DeleteBehavior.Restrict);
+
+            e.HasIndex(x => new { x.GenerationId, x.UnsAreaId }).HasDatabaseName("IX_UnsLine_Generation_Area");
+            e.HasIndex(x => new { x.GenerationId, x.UnsLineId }).IsUnique().HasDatabaseName("UX_UnsLine_Generation_LogicalId");
+            e.HasIndex(x => new { x.GenerationId, x.UnsAreaId, x.Name }).IsUnique().HasDatabaseName("UX_UnsLine_Generation_AreaName");
+        });
+    }
+
+    private static void ConfigureDriverInstance(ModelBuilder modelBuilder)
+    {
+        modelBuilder.Entity<DriverInstance>(e =>
+        {
+            e.ToTable("DriverInstance", t =>
+            {
+                t.HasCheckConstraint("CK_DriverInstance_DriverConfig_IsJson",
+                    "ISJSON(DriverConfig) = 1");
+            });
+            e.HasKey(x => x.DriverInstanceRowId);
+            e.Property(x => x.DriverInstanceRowId).HasDefaultValueSql("NEWSEQUENTIALID()");
+            e.Property(x => x.DriverInstanceId).HasMaxLength(64);
+            e.Property(x => x.ClusterId).HasMaxLength(64);
+            e.Property(x => x.NamespaceId).HasMaxLength(64);
+            e.Property(x => x.Name).HasMaxLength(128);
+            e.Property(x => x.DriverType).HasMaxLength(32);
+            e.Property(x => x.DriverConfig).HasColumnType("nvarchar(max)");
+
+            e.HasOne(x => x.Generation).WithMany().HasForeignKey(x => x.GenerationId).OnDelete(DeleteBehavior.Restrict);
+            e.HasOne(x => x.Cluster).WithMany().HasForeignKey(x => x.ClusterId).OnDelete(DeleteBehavior.Restrict);
+
+            e.HasIndex(x => new { x.GenerationId, x.ClusterId }).HasDatabaseName("IX_DriverInstance_Generation_Cluster");
+            e.HasIndex(x => new { x.GenerationId, x.NamespaceId }).HasDatabaseName("IX_DriverInstance_Generation_Namespace");
+            e.HasIndex(x => new { x.GenerationId, x.DriverInstanceId }).IsUnique().HasDatabaseName("UX_DriverInstance_Generation_LogicalId");
+        });
+    }
+
+    private static void ConfigureDevice(ModelBuilder modelBuilder)
+    {
+        modelBuilder.Entity<Device>(e =>
+        {
+            e.ToTable("Device", t =>
+            {
+                t.HasCheckConstraint("CK_Device_DeviceConfig_IsJson", "ISJSON(DeviceConfig) = 1");
+            });
+            e.HasKey(x => x.DeviceRowId);
+            e.Property(x => x.DeviceRowId).HasDefaultValueSql("NEWSEQUENTIALID()");
+            e.Property(x => x.DeviceId).HasMaxLength(64);
+            e.Property(x => x.DriverInstanceId).HasMaxLength(64);
+            e.Property(x => x.Name).HasMaxLength(128);
+            e.Property(x => x.DeviceConfig).HasColumnType("nvarchar(max)");
+
+            e.HasOne(x => x.Generation).WithMany().HasForeignKey(x => x.GenerationId).OnDelete(DeleteBehavior.Restrict);
+
+            e.HasIndex(x => new { x.GenerationId, x.DriverInstanceId }).HasDatabaseName("IX_Device_Generation_Driver");
+            e.HasIndex(x => new { x.GenerationId, x.DeviceId }).IsUnique().HasDatabaseName("UX_Device_Generation_LogicalId");
+        });
+    }
+
+    private static void ConfigureEquipment(ModelBuilder modelBuilder)
+    {
+        modelBuilder.Entity<Equipment>(e =>
+        {
+            e.ToTable("Equipment");
+            e.HasKey(x => x.EquipmentRowId);
+            e.Property(x => x.EquipmentRowId).HasDefaultValueSql("NEWSEQUENTIALID()");
+            e.Property(x => x.EquipmentId).HasMaxLength(64);
+            e.Property(x => x.DriverInstanceId).HasMaxLength(64);
+            e.Property(x => x.DeviceId).HasMaxLength(64);
+            e.Property(x => x.UnsLineId).HasMaxLength(64);
+            e.Property(x => x.Name).HasMaxLength(32);
+            e.Property(x => x.MachineCode).HasMaxLength(64);
+            e.Property(x => x.ZTag).HasMaxLength(64);
+            e.Property(x => x.SAPID).HasMaxLength(64);
+            e.Property(x => x.Manufacturer).HasMaxLength(64);
+            e.Property(x => x.Model).HasMaxLength(64);
+            e.Property(x => x.SerialNumber).HasMaxLength(64);
+            e.Property(x => x.HardwareRevision).HasMaxLength(32);
+            e.Property(x => x.SoftwareRevision).HasMaxLength(32);
+            e.Property(x => x.AssetLocation).HasMaxLength(256);
+            e.Property(x => x.ManufacturerUri).HasMaxLength(512);
+            e.Property(x => x.DeviceManualUri).HasMaxLength(512);
+            e.Property(x => x.EquipmentClassRef).HasMaxLength(128);
+
+            e.HasOne(x => x.Generation).WithMany().HasForeignKey(x => x.GenerationId).OnDelete(DeleteBehavior.Restrict);
+
+            e.HasIndex(x => new { x.GenerationId, x.DriverInstanceId }).HasDatabaseName("IX_Equipment_Generation_Driver");
+            e.HasIndex(x => new { x.GenerationId, x.UnsLineId }).HasDatabaseName("IX_Equipment_Generation_Line");
+            e.HasIndex(x => new { x.GenerationId, x.EquipmentId }).IsUnique().HasDatabaseName("UX_Equipment_Generation_LogicalId");
+            e.HasIndex(x => new { x.GenerationId, x.UnsLineId, x.Name }).IsUnique().HasDatabaseName("UX_Equipment_Generation_LinePath");
+            e.HasIndex(x => new { x.GenerationId, x.EquipmentUuid }).IsUnique().HasDatabaseName("UX_Equipment_Generation_Uuid");
+            e.HasIndex(x => new { x.GenerationId, x.ZTag }).HasFilter("[ZTag] IS NOT NULL").HasDatabaseName("IX_Equipment_Generation_ZTag");
+            e.HasIndex(x => new { x.GenerationId, x.SAPID }).HasFilter("[SAPID] IS NOT NULL").HasDatabaseName("IX_Equipment_Generation_SAPID");
+            e.HasIndex(x => new { x.GenerationId, x.MachineCode }).HasDatabaseName("IX_Equipment_Generation_MachineCode");
+        });
+    }
+
+    private static void ConfigureTag(ModelBuilder modelBuilder)
+    {
+        modelBuilder.Entity<Tag>(e =>
+        {
+            e.ToTable("Tag", t =>
+            {
+                t.HasCheckConstraint("CK_Tag_TagConfig_IsJson", "ISJSON(TagConfig) = 1");
+            });
+            e.HasKey(x => x.TagRowId);
+            e.Property(x => x.TagRowId).HasDefaultValueSql("NEWSEQUENTIALID()");
+            e.Property(x => x.TagId).HasMaxLength(64);
+            e.Property(x => x.DriverInstanceId).HasMaxLength(64);
+            e.Property(x => x.DeviceId).HasMaxLength(64);
+            e.Property(x => x.EquipmentId).HasMaxLength(64);
+            e.Property(x => x.Name).HasMaxLength(128);
+            e.Property(x => x.FolderPath).HasMaxLength(512);
+            e.Property(x => x.DataType).HasMaxLength(32);
+            e.Property(x => x.AccessLevel).HasConversion<string>().HasMaxLength(16);
+            e.Property(x => x.PollGroupId).HasMaxLength(64);
+            e.Property(x => x.TagConfig).HasColumnType("nvarchar(max)");
+
+            e.HasOne(x => x.Generation).WithMany().HasForeignKey(x => x.GenerationId).OnDelete(DeleteBehavior.Restrict);
+
+            e.HasIndex(x => new { x.GenerationId, x.DriverInstanceId, x.DeviceId }).HasDatabaseName("IX_Tag_Generation_Driver_Device");
+            e.HasIndex(x => new { x.GenerationId, x.EquipmentId })
+                .HasFilter("[EquipmentId] IS NOT NULL")
+                .HasDatabaseName("IX_Tag_Generation_Equipment");
+            e.HasIndex(x => new { x.GenerationId, x.TagId }).IsUnique().HasDatabaseName("UX_Tag_Generation_LogicalId");
+            e.HasIndex(x => new { x.GenerationId, x.EquipmentId, x.Name }).IsUnique()
+                .HasFilter("[EquipmentId] IS NOT NULL")
+                .HasDatabaseName("UX_Tag_Generation_EquipmentPath");
+            e.HasIndex(x => new { x.GenerationId, x.DriverInstanceId, x.FolderPath, x.Name }).IsUnique()
+                .HasFilter("[EquipmentId] IS NULL")
+                .HasDatabaseName("UX_Tag_Generation_FolderPath");
+        });
+    }
+
+    private static void ConfigurePollGroup(ModelBuilder modelBuilder)
+    {
+        modelBuilder.Entity<PollGroup>(e =>
+        {
+            e.ToTable("PollGroup", t =>
+            {
+                t.HasCheckConstraint("CK_PollGroup_IntervalMs_Min", "IntervalMs >= 50");
+            });
+            e.HasKey(x => x.PollGroupRowId);
+            e.Property(x => x.PollGroupRowId).HasDefaultValueSql("NEWSEQUENTIALID()");
+            e.Property(x => x.PollGroupId).HasMaxLength(64);
+            e.Property(x => x.DriverInstanceId).HasMaxLength(64);
+            e.Property(x => x.Name).HasMaxLength(128);
+
+            e.HasOne(x => x.Generation).WithMany().HasForeignKey(x => x.GenerationId).OnDelete(DeleteBehavior.Restrict);
+
+            e.HasIndex(x => new { x.GenerationId, x.DriverInstanceId }).HasDatabaseName("IX_PollGroup_Generation_Driver");
+            e.HasIndex(x => new { x.GenerationId, x.PollGroupId }).IsUnique().HasDatabaseName("UX_PollGroup_Generation_LogicalId");
+        });
+    }
+
+    private static void ConfigureNodeAcl(ModelBuilder modelBuilder)
+    {
+        modelBuilder.Entity<NodeAcl>(e =>
+        {
+            e.ToTable("NodeAcl");
+            e.HasKey(x => x.NodeAclRowId);
+            e.Property(x => x.NodeAclRowId).HasDefaultValueSql("NEWSEQUENTIALID()");
+            e.Property(x => x.NodeAclId).HasMaxLength(64);
+            e.Property(x => x.ClusterId).HasMaxLength(64);
+            e.Property(x => x.LdapGroup).HasMaxLength(256);
+            e.Property(x => x.ScopeKind).HasConversion<string>().HasMaxLength(16);
+            e.Property(x => x.ScopeId).HasMaxLength(64);
+            e.Property(x => x.PermissionFlags).HasConversion<int>();
+            e.Property(x => x.Notes).HasMaxLength(512);
+
+            e.HasOne(x => x.Generation).WithMany().HasForeignKey(x => x.GenerationId).OnDelete(DeleteBehavior.Restrict);
+
+            e.HasIndex(x => new { x.GenerationId, x.ClusterId }).HasDatabaseName("IX_NodeAcl_Generation_Cluster");
+            e.HasIndex(x => new { x.GenerationId, x.LdapGroup }).HasDatabaseName("IX_NodeAcl_Generation_Group");
+            e.HasIndex(x => new { x.GenerationId, x.ScopeKind, x.ScopeId })
+                .HasFilter("[ScopeId] IS NOT NULL")
+                .HasDatabaseName("IX_NodeAcl_Generation_Scope");
+            e.HasIndex(x => new { x.GenerationId, x.NodeAclId }).IsUnique().HasDatabaseName("UX_NodeAcl_Generation_LogicalId");
+            e.HasIndex(x => new { x.GenerationId, x.ClusterId, x.LdapGroup, x.ScopeKind, x.ScopeId }).IsUnique()
+                .HasDatabaseName("UX_NodeAcl_Generation_GroupScope");
+        });
+    }
+
+    private static void ConfigureClusterNodeGenerationState(ModelBuilder modelBuilder)
+    {
+        modelBuilder.Entity<ClusterNodeGenerationState>(e =>
+        {
+            e.ToTable("ClusterNodeGenerationState");
+            e.HasKey(x => x.NodeId);
+            e.Property(x => x.NodeId).HasMaxLength(64);
+            e.Property(x => x.LastAppliedAt).HasColumnType("datetime2(3)");
+            e.Property(x => x.LastAppliedStatus).HasConversion<string>().HasMaxLength(16);
+            e.Property(x => x.LastAppliedError).HasMaxLength(2048);
+            e.Property(x => x.LastSeenAt).HasColumnType("datetime2(3)");
+
+            e.HasOne(x => x.Node).WithOne(n => n.GenerationState).HasForeignKey<ClusterNodeGenerationState>(x => x.NodeId).OnDelete(DeleteBehavior.Restrict);
+            e.HasOne(x => x.CurrentGeneration).WithMany().HasForeignKey(x => x.CurrentGenerationId).OnDelete(DeleteBehavior.Restrict);
+
+            e.HasIndex(x => x.CurrentGenerationId).HasDatabaseName("IX_ClusterNodeGenerationState_Generation");
+        });
+    }
+
+    private static void ConfigureConfigAuditLog(ModelBuilder modelBuilder)
+    {
+        modelBuilder.Entity<ConfigAuditLog>(e =>
+        {
+            e.ToTable("ConfigAuditLog", t =>
+            {
+                t.HasCheckConstraint("CK_ConfigAuditLog_DetailsJson_IsJson",
+                    "DetailsJson IS NULL OR ISJSON(DetailsJson) = 1");
+            });
+            e.HasKey(x => x.AuditId);
+            e.Property(x => x.AuditId).UseIdentityColumn(seed: 1, increment: 1);
+            e.Property(x => x.Timestamp).HasColumnType("datetime2(3)").HasDefaultValueSql("SYSUTCDATETIME()");
+            e.Property(x => x.Principal).HasMaxLength(128);
+            e.Property(x => x.EventType).HasMaxLength(64);
+            e.Property(x => x.ClusterId).HasMaxLength(64);
+            e.Property(x => x.NodeId).HasMaxLength(64);
+            e.Property(x => x.DetailsJson).HasColumnType("nvarchar(max)");
+
+            e.HasIndex(x => new { x.ClusterId, x.Timestamp })
+                .IsDescending(false, true)
+                .HasDatabaseName("IX_ConfigAuditLog_Cluster_Time");
+            e.HasIndex(x => x.GenerationId)
+                .HasFilter("[GenerationId] IS NOT NULL")
+                .HasDatabaseName("IX_ConfigAuditLog_Generation");
+        });
+    }
+
+    private static void ConfigureExternalIdReservation(ModelBuilder modelBuilder)
+    {
+        modelBuilder.Entity<ExternalIdReservation>(e =>
+        {
+            e.ToTable("ExternalIdReservation");
+            e.HasKey(x => x.ReservationId);
+            e.Property(x => x.ReservationId).HasDefaultValueSql("NEWSEQUENTIALID()");
+            e.Property(x => x.Kind).HasConversion<string>().HasMaxLength(16);
+            e.Property(x => x.Value).HasMaxLength(64);
+            e.Property(x => x.ClusterId).HasMaxLength(64);
+            e.Property(x => x.FirstPublishedAt).HasColumnType("datetime2(3)").HasDefaultValueSql("SYSUTCDATETIME()");
+            e.Property(x => x.FirstPublishedBy).HasMaxLength(128);
+            e.Property(x => x.LastPublishedAt).HasColumnType("datetime2(3)").HasDefaultValueSql("SYSUTCDATETIME()");
+            e.Property(x => x.ReleasedAt).HasColumnType("datetime2(3)");
+            e.Property(x => x.ReleasedBy).HasMaxLength(128);
+            e.Property(x => x.ReleaseReason).HasMaxLength(512);
+
+            // Active reservations unique per (Kind, Value) — filtered index lets released rows coexist with a new reservation of the same value.
+            // The UX_ filtered index covers active-reservation lookups; history queries over released rows
+            // fall back to the table scan (released rows are rare + small). No separate non-unique (Kind, Value)
+            // index is declared because EF Core merges duplicate column sets into a single index, which would
+            // clobber the filtered-unique name.
+            e.HasIndex(x => new { x.Kind, x.Value }).IsUnique()
+                .HasFilter("[ReleasedAt] IS NULL")
+                .HasDatabaseName("UX_ExternalIdReservation_KindValue_Active");
+            e.HasIndex(x => x.EquipmentUuid).HasDatabaseName("IX_ExternalIdReservation_Equipment");
+        });
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/Validation/DraftSnapshot.cs

@@ -0,0 +1,28 @@
+using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Validation;
+
+/// <summary>
+///     Inputs for draft validation. Contains the draft's rows plus the minimum prior-generation
+///     rows needed for cross-generation invariants (EquipmentUuid stability, UnsArea identity).
+/// </summary>
+public sealed class DraftSnapshot
+{
+    public required long GenerationId { get; init; }
+    public required string ClusterId { get; init; }
+
+    public IReadOnlyList<Namespace> Namespaces { get; init; } = [];
+    public IReadOnlyList<DriverInstance> DriverInstances { get; init; } = [];
+    public IReadOnlyList<Device> Devices { get; init; } = [];
+    public IReadOnlyList<UnsArea> UnsAreas { get; init; } = [];
+    public IReadOnlyList<UnsLine> UnsLines { get; init; } = [];
+    public IReadOnlyList<Equipment> Equipment { get; init; } = [];
+    public IReadOnlyList<Tag> Tags { get; init; } = [];
+    public IReadOnlyList<PollGroup> PollGroups { get; init; } = [];
+
+    /// <summary>Prior Equipment rows (any generation, same cluster) for stability checks.</summary>
+    public IReadOnlyList<Equipment> PriorEquipment { get; init; } = [];
+
+    /// <summary>Active reservations (<c>ReleasedAt IS NULL</c>) for pre-flight.</summary>
+    public IReadOnlyList<ExternalIdReservation> ActiveReservations { get; init; } = [];
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/Validation/DraftValidator.cs

@@ -0,0 +1,176 @@
+using System.Text.RegularExpressions;
+using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Validation;
+
+/// <summary>
+///     Managed-code pre-publish validator per decision #91. Complements the structural checks in
+///     <c>sp_ValidateDraft</c> — this layer owns schema validation for JSON columns, UNS segment
+///     regex, EquipmentId derivation, cross-cluster checks, and anything else that's uncomfortable
+///     to express in T-SQL. Returns every failing rule in one pass (decision: surface all errors,
+///     not just the first, so operators fix in bulk).
+/// </summary>
+public static class DraftValidator
+{
+    private static readonly Regex UnsSegment = new(@"^[a-z0-9-]{1,32}$", RegexOptions.Compiled);
+    private const string UnsDefaultSegment = "_default";
+    private const int MaxPathLength = 200;
+
+    public static IReadOnlyList<ValidationError> Validate(DraftSnapshot draft)
+    {
+        var errors = new List<ValidationError>();
+
+        ValidateUnsSegments(draft, errors);
+        ValidatePathLength(draft, errors);
+        ValidateEquipmentUuidImmutability(draft, errors);
+        ValidateSameClusterNamespaceBinding(draft, errors);
+        ValidateReservationPreflight(draft, errors);
+        ValidateEquipmentIdDerivation(draft, errors);
+        ValidateDriverNamespaceCompatibility(draft, errors);
+
+        return errors;
+    }
+
+    private static bool IsValidSegment(string? s) =>
+        s is not null && (UnsSegment.IsMatch(s) || s == UnsDefaultSegment);
+
+    private static void ValidateUnsSegments(DraftSnapshot draft, List<ValidationError> errors)
+    {
+        foreach (var a in draft.UnsAreas)
+            if (!IsValidSegment(a.Name))
+                errors.Add(new("UnsSegmentInvalid",
+                    $"UnsArea.Name '{a.Name}' does not match [a-z0-9-]{{1,32}} or '_default'",
+                    a.UnsAreaId));
+
+        foreach (var l in draft.UnsLines)
+            if (!IsValidSegment(l.Name))
+                errors.Add(new("UnsSegmentInvalid",
+                    $"UnsLine.Name '{l.Name}' does not match [a-z0-9-]{{1,32}} or '_default'",
+                    l.UnsLineId));
+
+        foreach (var e in draft.Equipment)
+            if (!IsValidSegment(e.Name))
+                errors.Add(new("UnsSegmentInvalid",
+                    $"Equipment.Name '{e.Name}' does not match [a-z0-9-]{{1,32}} or '_default'",
+                    e.EquipmentId));
+    }
+
+    /// <summary>Cluster.Enterprise + Site + area + line + equipment + 4 slashes ≤ 200 chars.</summary>
+    private static void ValidatePathLength(DraftSnapshot draft, List<ValidationError> errors)
+    {
+        // The cluster row isn't in the snapshot — we assume caller pre-validated Enterprise+Site
+        // length and bound them as constants <= 64 chars each. Here we validate the dynamic portion.
+        var areaById = draft.UnsAreas.ToDictionary(a => a.UnsAreaId);
+        var lineById = draft.UnsLines.ToDictionary(l => l.UnsLineId);
+
+        foreach (var eq in draft.Equipment.Where(e => e.UnsLineId is not null))
+        {
+            if (!lineById.TryGetValue(eq.UnsLineId!, out var line)) continue;
+            if (!areaById.TryGetValue(line.UnsAreaId, out var area)) continue;
+
+            // rough upper bound: Enterprise+Site at most 32+32; add dynamic segments + 4 slashes
+            var len = 32 + 32 + area.Name.Length + line.Name.Length + eq.Name.Length + 4;
+            if (len > MaxPathLength)
+                errors.Add(new("PathTooLong",
+                    $"Equipment path exceeds {MaxPathLength} chars (approx {len})",
+                    eq.EquipmentId));
+        }
+    }
+
+    private static void ValidateEquipmentUuidImmutability(DraftSnapshot draft, List<ValidationError> errors)
+    {
+        var priorById = draft.PriorEquipment
+            .GroupBy(e => e.EquipmentId)
+            .ToDictionary(g => g.Key, g => g.First().EquipmentUuid);
+
+        foreach (var eq in draft.Equipment)
+        {
+            if (priorById.TryGetValue(eq.EquipmentId, out var priorUuid) && priorUuid != eq.EquipmentUuid)
+                errors.Add(new("EquipmentUuidImmutable",
+                    $"EquipmentId '{eq.EquipmentId}' had UUID '{priorUuid}' in a prior generation; cannot change to '{eq.EquipmentUuid}'",
+                    eq.EquipmentId));
+        }
+    }
+
+    private static void ValidateSameClusterNamespaceBinding(DraftSnapshot draft, List<ValidationError> errors)
+    {
+        var nsById = draft.Namespaces.ToDictionary(n => n.NamespaceId);
+
+        foreach (var di in draft.DriverInstances)
+        {
+            if (!nsById.TryGetValue(di.NamespaceId, out var ns))
+            {
+                errors.Add(new("NamespaceUnresolved",
+                    $"DriverInstance '{di.DriverInstanceId}' references unknown NamespaceId '{di.NamespaceId}'",
+                    di.DriverInstanceId));
+                continue;
+            }
+
+            if (ns.ClusterId != di.ClusterId)
+                errors.Add(new("BadCrossClusterNamespaceBinding",
+                    $"DriverInstance '{di.DriverInstanceId}' is in cluster '{di.ClusterId}' but references namespace in cluster '{ns.ClusterId}'",
+                    di.DriverInstanceId));
+        }
+    }
+
+    private static void ValidateReservationPreflight(DraftSnapshot draft, List<ValidationError> errors)
+    {
+        var activeByKindValue = draft.ActiveReservations
+            .ToDictionary(r => (r.Kind, r.Value), r => r.EquipmentUuid);
+
+        foreach (var eq in draft.Equipment)
+        {
+            if (eq.ZTag is not null &&
+                activeByKindValue.TryGetValue((ReservationKind.ZTag, eq.ZTag), out var ztagOwner) &&
+                ztagOwner != eq.EquipmentUuid)
+                errors.Add(new("BadDuplicateExternalIdentifier",
+                    $"ZTag '{eq.ZTag}' is already reserved by EquipmentUuid '{ztagOwner}'",
+                    eq.EquipmentId));
+
+            if (eq.SAPID is not null &&
+                activeByKindValue.TryGetValue((ReservationKind.SAPID, eq.SAPID), out var sapOwner) &&
+                sapOwner != eq.EquipmentUuid)
+                errors.Add(new("BadDuplicateExternalIdentifier",
+                    $"SAPID '{eq.SAPID}' is already reserved by EquipmentUuid '{sapOwner}'",
+                    eq.EquipmentId));
+        }
+    }
+
+    /// <summary>Decision #125: EquipmentId = 'EQ-' + lowercase first 12 hex chars of the UUID.</summary>
+    public static string DeriveEquipmentId(Guid uuid) =>
+        "EQ-" + uuid.ToString("N")[..12].ToLowerInvariant();
+
+    private static void ValidateEquipmentIdDerivation(DraftSnapshot draft, List<ValidationError> errors)
+    {
+        foreach (var eq in draft.Equipment)
+        {
+            var expected = DeriveEquipmentId(eq.EquipmentUuid);
+            if (!string.Equals(eq.EquipmentId, expected, StringComparison.Ordinal))
+                errors.Add(new("EquipmentIdNotDerived",
+                    $"Equipment.EquipmentId '{eq.EquipmentId}' does not match the canonical derivation '{expected}'",
+                    eq.EquipmentId));
+        }
+    }
+
+    private static void ValidateDriverNamespaceCompatibility(DraftSnapshot draft, List<ValidationError> errors)
+    {
+        var nsById = draft.Namespaces.ToDictionary(n => n.NamespaceId);
+
+        foreach (var di in draft.DriverInstances)
+        {
+            if (!nsById.TryGetValue(di.NamespaceId, out var ns)) continue;
+
+            var compat = ns.Kind switch
+            {
+                NamespaceKind.SystemPlatform => di.DriverType == "Galaxy",
+                NamespaceKind.Equipment      => di.DriverType != "Galaxy",
+                _                            => true,
+            };
+
+            if (!compat)
+                errors.Add(new("DriverNamespaceKindMismatch",
+                    $"DriverInstance '{di.DriverInstanceId}' ({di.DriverType}) is not allowed in {ns.Kind} namespace",
+                    di.DriverInstanceId));
+        }
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/Validation/ValidationError.cs

@@ -0,0 +1,8 @@
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Validation;
+
+/// <summary>
+///     One validation failure. <see cref="Code"/> is a stable machine-readable symbol
+///     (<c>BadCrossClusterNamespaceBinding</c>, <c>UnsSegmentInvalid</c>, …). <see cref="Context"/>
+///     carries the offending logical ID so the Admin UI can link straight to the row.
+/// </summary>
+public sealed record ValidationError(string Code, string Message, string? Context = null);

src/ZB.MOM.WW.OtOpcUa.Configuration/ZB.MOM.WW.OtOpcUa.Configuration.csproj

@@ -0,0 +1,41 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+    <PropertyGroup>
+        <TargetFramework>net10.0</TargetFramework>
+        <Nullable>enable</Nullable>
+        <ImplicitUsings>enable</ImplicitUsings>
+        <LangVersion>latest</LangVersion>
+        <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
+        <GenerateDocumentationFile>true</GenerateDocumentationFile>
+        <NoWarn>$(NoWarn);CS1591</NoWarn>
+        <RootNamespace>ZB.MOM.WW.OtOpcUa.Configuration</RootNamespace>
+    </PropertyGroup>
+
+    <ItemGroup>
+        <PackageReference Include="Microsoft.EntityFrameworkCore" Version="10.0.0"/>
+        <PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer" Version="10.0.0"/>
+        <PackageReference Include="Microsoft.EntityFrameworkCore.Design" Version="10.0.0">
+            <PrivateAssets>all</PrivateAssets>
+            <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+        </PackageReference>
+        <PackageReference Include="Microsoft.Extensions.Configuration.Abstractions" Version="10.0.0"/>
+        <PackageReference Include="LiteDB" Version="5.0.21"/>
+    </ItemGroup>
+
+    <ItemGroup>
+        <!--
+            System.Security.Cryptography.Xml reaches this project transitively from
+            Microsoft.EntityFrameworkCore.Design → Microsoft.Build.Tasks.Core. EF Core Design is
+            marked PrivateAssets=all (design-time only, never shipped at runtime), and we do not
+            use XML digital signatures. Fix is only available in 11.0.0-preview. Suppress the two
+            advisories until a stable 11.x is released or the transitive chain is updated.
+        -->
+        <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-37gx-xxp4-5rgx"/>
+        <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-w3x6-4m5h-cxqf"/>
+    </ItemGroup>
+
+    <ItemGroup>
+        <ProjectReference Include="..\ZB.MOM.WW.OtOpcUa.Core.Abstractions\ZB.MOM.WW.OtOpcUa.Core.Abstractions.csproj"/>
+    </ItemGroup>
+
+</Project>

src/ZB.MOM.WW.OtOpcUa.Core/Hosting/DriverHost.cs

@@ -0,0 +1,80 @@
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+
+namespace ZB.MOM.WW.OtOpcUa.Core.Hosting;
+
+/// <summary>
+///     Process-local registry + lifecycle manager for loaded <see cref="IDriver"/> instances
+///     (decision #65). Phase 1 scaffold — per-process isolation for Tier C drivers (Galaxy, FOCAS)
+///     is implemented in Phase 2 via named-pipe RPC; this class handles in-process drivers today
+///     and exposes the same registration interface so the Tier C wrapper can slot in later.
+/// </summary>
+public sealed class DriverHost : IAsyncDisposable
+{
+    private readonly Dictionary<string, IDriver> _drivers = new();
+    private readonly object _lock = new();
+
+    public IReadOnlyCollection<string> RegisteredDriverIds
+    {
+        get { lock (_lock) return [.. _drivers.Keys]; }
+    }
+
+    public DriverHealth? GetHealth(string driverInstanceId)
+    {
+        lock (_lock)
+            return _drivers.TryGetValue(driverInstanceId, out var d) ? d.GetHealth() : null;
+    }
+
+    /// <summary>
+    ///     Registers the driver and calls <see cref="IDriver.InitializeAsync"/>. If initialization
+    ///     throws, the driver is kept in the registry so the operator can retry; quality on its
+    ///     nodes will reflect <see cref="DriverState.Faulted"/> until <c>Reinitialize</c> succeeds.
+    /// </summary>
+    public async Task RegisterAsync(IDriver driver, string driverConfigJson, CancellationToken ct)
+    {
+        ArgumentNullException.ThrowIfNull(driver);
+        var id = driver.DriverInstanceId;
+
+        lock (_lock)
+        {
+            if (_drivers.ContainsKey(id))
+                throw new InvalidOperationException($"Driver '{id}' is already registered.");
+            _drivers[id] = driver;
+        }
+
+        try { await driver.InitializeAsync(driverConfigJson, ct); }
+        catch
+        {
+            // Keep the driver registered — operator will see Faulted state and can reinitialize.
+            throw;
+        }
+    }
+
+    public async Task UnregisterAsync(string driverInstanceId, CancellationToken ct)
+    {
+        IDriver? driver;
+        lock (_lock)
+        {
+            if (!_drivers.TryGetValue(driverInstanceId, out driver)) return;
+            _drivers.Remove(driverInstanceId);
+        }
+
+        try { await driver.ShutdownAsync(ct); }
+        catch { /* shutdown is best-effort; logs elsewhere */ }
+    }
+
+    public async ValueTask DisposeAsync()
+    {
+        List<IDriver> snapshot;
+        lock (_lock)
+        {
+            snapshot = [.. _drivers.Values];
+            _drivers.Clear();
+        }
+
+        foreach (var driver in snapshot)
+        {
+            try { await driver.ShutdownAsync(CancellationToken.None); } catch { /* ignore */ }
+            (driver as IDisposable)?.Dispose();
+        }
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Core/OpcUa/GenericDriverNodeManager.cs

@@ -0,0 +1,37 @@
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+
+namespace ZB.MOM.WW.OtOpcUa.Core.OpcUa;
+
+/// <summary>
+///     Generic, driver-agnostic backbone for populating the OPC UA address space from an
+///     <see cref="IDriver"/>. The Galaxy-specific subclass (<c>GalaxyNodeManager</c>) is deferred
+///     to Phase 2 per decision #62 — this class is the foundation that Phase 2 ports the v1
+///     <c>LmxNodeManager</c> logic into.
+/// </summary>
+/// <remarks>
+///     Phase 1 status: scaffold only. The v1 <c>LmxNodeManager</c> in the legacy Host is unchanged
+///     so IntegrationTests continue to pass. Phase 2 will lift-and-shift its logic here, swapping
+///     <c>IMxAccessClient</c> for <see cref="IDriver"/> and <c>GalaxyAttributeInfo</c> for
+///     <see cref="DriverAttributeInfo"/>.
+/// </remarks>
+public abstract class GenericDriverNodeManager(IDriver driver)
+{
+    protected IDriver Driver { get; } = driver ?? throw new ArgumentNullException(nameof(driver));
+
+    public string DriverInstanceId => Driver.DriverInstanceId;
+
+    /// <summary>
+    ///     Populates the address space by streaming nodes from the driver into the supplied builder.
+    ///     Driver exceptions are isolated per decision #12 — the driver's subtree is marked Faulted,
+    ///     but other drivers remain available.
+    /// </summary>
+    public async Task BuildAddressSpaceAsync(IAddressSpaceBuilder builder, CancellationToken ct)
+    {
+        ArgumentNullException.ThrowIfNull(builder);
+
+        if (Driver is not ITagDiscovery discovery)
+            throw new NotSupportedException($"Driver '{Driver.DriverInstanceId}' does not implement ITagDiscovery.");
+
+        await discovery.DiscoverAsync(builder, ct);
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Core/ZB.MOM.WW.OtOpcUa.Core.csproj

@@ -0,0 +1,24 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+    <PropertyGroup>
+        <TargetFramework>net10.0</TargetFramework>
+        <Nullable>enable</Nullable>
+        <ImplicitUsings>enable</ImplicitUsings>
+        <LangVersion>latest</LangVersion>
+        <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
+        <GenerateDocumentationFile>true</GenerateDocumentationFile>
+        <NoWarn>$(NoWarn);CS1591</NoWarn>
+        <RootNamespace>ZB.MOM.WW.OtOpcUa.Core</RootNamespace>
+    </PropertyGroup>
+
+    <ItemGroup>
+        <ProjectReference Include="..\ZB.MOM.WW.OtOpcUa.Core.Abstractions\ZB.MOM.WW.OtOpcUa.Core.Abstractions.csproj"/>
+        <ProjectReference Include="..\ZB.MOM.WW.OtOpcUa.Configuration\ZB.MOM.WW.OtOpcUa.Configuration.csproj"/>
+    </ItemGroup>
+
+    <ItemGroup>
+        <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-37gx-xxp4-5rgx"/>
+        <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-w3x6-4m5h-cxqf"/>
+    </ItemGroup>
+
+</Project>

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/Ipc/PipeAcl.cs

@@ -0,0 +1,40 @@
+using System;
+using System.IO.Pipes;
+using System.Security.AccessControl;
+using System.Security.Principal;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Ipc;
+
+/// <summary>
+///     Builds the <see cref="PipeSecurity"/> required by <c>driver-stability.md §"IPC Security"</c>:
+///     only the configured OtOpcUa server principal SID gets <c>ReadWrite | Synchronize</c>;
+///     LocalSystem and Administrators are explicitly denied. Any other authenticated user falls
+///     through to the implicit deny.
+/// </summary>
+public static class PipeAcl
+{
+    public static PipeSecurity Create(SecurityIdentifier allowedSid)
+    {
+        if (allowedSid is null) throw new ArgumentNullException(nameof(allowedSid));
+
+        var security = new PipeSecurity();
+
+        security.AddAccessRule(new PipeAccessRule(
+            allowedSid,
+            PipeAccessRights.ReadWrite | PipeAccessRights.Synchronize,
+            AccessControlType.Allow));
+
+        var localSystem = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null);
+        var admins      = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
+
+        if (allowedSid != localSystem)
+            security.AddAccessRule(new PipeAccessRule(localSystem, PipeAccessRights.FullControl, AccessControlType.Deny));
+        if (allowedSid != admins)
+            security.AddAccessRule(new PipeAccessRule(admins,      PipeAccessRights.FullControl, AccessControlType.Deny));
+
+        // Owner = allowed SID so the deny rules can't be removed without write-DACL rights.
+        security.SetOwner(allowedSid);
+
+        return security;
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/Ipc/PipeServer.cs

@@ -0,0 +1,160 @@
+using System;
+using System.IO.Pipes;
+using System.Security.Principal;
+using System.Threading;
+using System.Threading.Tasks;
+using MessagePack;
+using Serilog;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared.Contracts;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Ipc;
+
+/// <summary>
+///     Accepts one client connection at a time on a named pipe with the strict ACL from
+///     <see cref="PipeAcl"/>. Verifies the peer SID and the per-process shared secret before any
+///     RPC frame is accepted. Per <c>driver-stability.md §"IPC Security"</c>.
+/// </summary>
+public sealed class PipeServer : IDisposable
+{
+    private readonly string _pipeName;
+    private readonly SecurityIdentifier _allowedSid;
+    private readonly string _sharedSecret;
+    private readonly ILogger _logger;
+    private readonly CancellationTokenSource _cts = new();
+    private NamedPipeServerStream? _current;
+
+    public PipeServer(string pipeName, SecurityIdentifier allowedSid, string sharedSecret, ILogger logger)
+    {
+        _pipeName = pipeName ?? throw new ArgumentNullException(nameof(pipeName));
+        _allowedSid = allowedSid ?? throw new ArgumentNullException(nameof(allowedSid));
+        _sharedSecret = sharedSecret ?? throw new ArgumentNullException(nameof(sharedSecret));
+        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+    }
+
+    /// <summary>
+    ///     Accepts one connection, performs Hello handshake, then dispatches frames to
+    ///     <paramref name="handler"/> until EOF or cancel. Returns when the client disconnects.
+    /// </summary>
+    public async Task RunOneConnectionAsync(IFrameHandler handler, CancellationToken ct)
+    {
+        using var linked = CancellationTokenSource.CreateLinkedTokenSource(_cts.Token, ct);
+        var acl = PipeAcl.Create(_allowedSid);
+
+        // .NET Framework 4.8 uses the legacy constructor overload that takes a PipeSecurity directly.
+        _current = new NamedPipeServerStream(
+            _pipeName,
+            PipeDirection.InOut,
+            maxNumberOfServerInstances: 1,
+            PipeTransmissionMode.Byte,
+            PipeOptions.Asynchronous,
+            inBufferSize: 64 * 1024,
+            outBufferSize: 64 * 1024,
+            pipeSecurity: acl);
+
+        try
+        {
+            await _current.WaitForConnectionAsync(linked.Token).ConfigureAwait(false);
+
+            if (!VerifyCaller(_current, out var reason))
+            {
+                _logger.Warning("IPC caller rejected: {Reason}", reason);
+                _current.Disconnect();
+                return;
+            }
+
+            using var reader = new FrameReader(_current, leaveOpen: true);
+            using var writer = new FrameWriter(_current, leaveOpen: true);
+
+            // First frame must be a Hello with the correct shared secret.
+            var first = await reader.ReadFrameAsync(linked.Token).ConfigureAwait(false);
+            if (first is null || first.Value.Kind != MessageKind.Hello)
+            {
+                _logger.Warning("IPC first frame was not Hello; dropping");
+                return;
+            }
+
+            var hello = MessagePackSerializer.Deserialize<Hello>(first.Value.Body);
+            if (!string.Equals(hello.SharedSecret, _sharedSecret, StringComparison.Ordinal))
+            {
+                await writer.WriteAsync(MessageKind.HelloAck,
+                    new HelloAck { Accepted = false, RejectReason = "shared-secret-mismatch" },
+                    linked.Token).ConfigureAwait(false);
+                _logger.Warning("IPC Hello rejected: shared-secret-mismatch");
+                return;
+            }
+
+            if (hello.ProtocolMajor != Hello.CurrentMajor)
+            {
+                await writer.WriteAsync(MessageKind.HelloAck,
+                    new HelloAck { Accepted = false, RejectReason = $"major-version-mismatch-peer={hello.ProtocolMajor}-server={Hello.CurrentMajor}" },
+                    linked.Token).ConfigureAwait(false);
+                _logger.Warning("IPC Hello rejected: major mismatch peer={Peer} server={Server}",
+                    hello.ProtocolMajor, Hello.CurrentMajor);
+                return;
+            }
+
+            await writer.WriteAsync(MessageKind.HelloAck,
+                new HelloAck { Accepted = true, HostName = Environment.MachineName },
+                linked.Token).ConfigureAwait(false);
+
+            while (!linked.Token.IsCancellationRequested)
+            {
+                var frame = await reader.ReadFrameAsync(linked.Token).ConfigureAwait(false);
+                if (frame is null) break;
+
+                await handler.HandleAsync(frame.Value.Kind, frame.Value.Body, writer, linked.Token).ConfigureAwait(false);
+            }
+        }
+        finally
+        {
+            _current.Dispose();
+            _current = null;
+        }
+    }
+
+    /// <summary>
+    ///     Runs the server continuously, handling one connection at a time. When a connection ends
+    ///     (clean or error), accepts the next.
+    /// </summary>
+    public async Task RunAsync(IFrameHandler handler, CancellationToken ct)
+    {
+        while (!ct.IsCancellationRequested)
+        {
+            try { await RunOneConnectionAsync(handler, ct).ConfigureAwait(false); }
+            catch (OperationCanceledException) { break; }
+            catch (Exception ex) { _logger.Error(ex, "IPC connection loop error — accepting next"); }
+        }
+    }
+
+    private bool VerifyCaller(NamedPipeServerStream pipe, out string reason)
+    {
+        try
+        {
+            pipe.RunAsClient(() =>
+            {
+                using var wi = WindowsIdentity.GetCurrent();
+                if (wi.User is null)
+                    throw new InvalidOperationException("GetCurrent().User is null — cannot verify caller");
+                if (wi.User != _allowedSid)
+                    throw new UnauthorizedAccessException(
+                        $"caller SID {wi.User.Value} does not match allowed {_allowedSid.Value}");
+            });
+            reason = string.Empty;
+            return true;
+        }
+        catch (Exception ex) { reason = ex.Message; return false; }
+    }
+
+    public void Dispose()
+    {
+        _cts.Cancel();
+        _current?.Dispose();
+        _cts.Dispose();
+    }
+}
+
+public interface IFrameHandler
+{
+    Task HandleAsync(MessageKind kind, byte[] body, FrameWriter writer, CancellationToken ct);
+}

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/Ipc/StubFrameHandler.cs

@@ -0,0 +1,30 @@
+using System.Threading;
+using System.Threading.Tasks;
+using MessagePack;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared.Contracts;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Ipc;
+
+/// <summary>
+///     Placeholder handler that responds to the framed IPC with error responses. Replaced by the
+///     real Galaxy-backed handler when the MXAccess code move (deferred) lands.
+/// </summary>
+public sealed class StubFrameHandler : IFrameHandler
+{
+    public Task HandleAsync(MessageKind kind, byte[] body, FrameWriter writer, CancellationToken ct)
+    {
+        // Minimal lifecycle: heartbeat ack keeps the supervisor's liveness detector happy even
+        // while the data-plane is stubbed, so integration tests of the supervisor can run end-to-end.
+        if (kind == MessageKind.Heartbeat)
+        {
+            var hb = MessagePackSerializer.Deserialize<Heartbeat>(body);
+            return writer.WriteAsync(MessageKind.HeartbeatAck,
+                new HeartbeatAck { SequenceNumber = hb.SequenceNumber, UtcUnixMs = hb.UtcUnixMs }, ct);
+        }
+
+        return writer.WriteAsync(MessageKind.ErrorResponse,
+            new ErrorResponse { Code = "not-implemented", Message = $"Kind {kind} is stubbed — MXAccess lift deferred" },
+            ct);
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/IsExternalInit.cs

@@ -0,0 +1,5 @@
+// Shim — .NET Framework 4.8 doesn't ship with IsExternalInit, required for init-only setters +
+// positional records. Safe to add in our own namespace; the compiler accepts any type with this name.
+namespace System.Runtime.CompilerServices;
+
+internal static class IsExternalInit;

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/Program.cs

@@ -0,0 +1,54 @@
+using System;
+using System.Security.Principal;
+using System.Threading;
+using Serilog;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Ipc;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host;
+
+/// <summary>
+///     Entry point for the <c>OtOpcUaGalaxyHost</c> Windows service / console host. Reads the
+///     pipe name, allowed-SID, and shared secret from environment (passed by the supervisor at
+///     spawn time per <c>driver-stability.md</c>).
+/// </summary>
+public static class Program
+{
+    public static int Main(string[] args)
+    {
+        Log.Logger = new LoggerConfiguration()
+            .MinimumLevel.Information()
+            .WriteTo.File(
+                @"%ProgramData%\OtOpcUa\galaxy-host-.log".Replace("%ProgramData%", Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData)),
+                rollingInterval: RollingInterval.Day)
+            .CreateLogger();
+
+        try
+        {
+            var pipeName = Environment.GetEnvironmentVariable("OTOPCUA_GALAXY_PIPE") ?? "OtOpcUaGalaxy";
+            var allowedSidValue = Environment.GetEnvironmentVariable("OTOPCUA_ALLOWED_SID")
+                ?? throw new InvalidOperationException("OTOPCUA_ALLOWED_SID not set — supervisor must pass the server principal SID");
+            var sharedSecret = Environment.GetEnvironmentVariable("OTOPCUA_GALAXY_SECRET")
+                ?? throw new InvalidOperationException("OTOPCUA_GALAXY_SECRET not set — supervisor must pass the per-process secret at spawn time");
+
+            var allowedSid = new SecurityIdentifier(allowedSidValue);
+
+            using var server = new PipeServer(pipeName, allowedSid, sharedSecret, Log.Logger);
+            using var cts = new CancellationTokenSource();
+            Console.CancelKeyPress += (_, e) => { e.Cancel = true; cts.Cancel(); };
+
+            Log.Information("OtOpcUaGalaxyHost starting — pipe={Pipe} allowedSid={Sid}", pipeName, allowedSidValue);
+
+            var handler = new StubFrameHandler();
+            server.RunAsync(handler, cts.Token).GetAwaiter().GetResult();
+
+            Log.Information("OtOpcUaGalaxyHost stopped cleanly");
+            return 0;
+        }
+        catch (Exception ex)
+        {
+            Log.Fatal(ex, "OtOpcUaGalaxyHost fatal");
+            return 2;
+        }
+        finally { Log.CloseAndFlush(); }
+    }
+}