Phase 3 PR 53 -- Transport reconnect-on-drop + SO_KEEPALIVE for DL205 no-keepalive quirk. AutomationDirect H2-ECOM100 does NOT send TCP keepalives per docs/v2/dl205.md behavioral-oddities section -- any NAT/firewall device between the gateway and the PLC can silently close an idle socket after 2-5 minutes of inactivity. The PLC itself never notices and the first SendAsync after the drop would previously surface as IOException / EndOfStreamException / SocketException to the caller even though the PLC is perfectly healthy. PR 53 makes ModbusTcpTransport survive mid-session socket drops: SendAsync wraps the previous body as SendOnceAsync; on the first attempt, if the failure is a socket-layer error (IOException, SocketException, EndOfStreamException, ObjectDisposedException) AND autoReconnect is enabled (default true), the transport tears down the dead socket, calls ConnectAsync to re-establish, and resends the PDU exactly once. Deliberately single-retry -- further failures propagate so the driver health surface reflects the real state, no masking a dead PLC. Protocol-layer failures (e.g. ModbusException with exception code 02) are specifically NOT caught by the reconnect path -- they would just come back with the same exception code after the reconnect, so retrying is wasted wire time. Socket-level vs protocol-level is a discriminator inside IsSocketLevelFailure. Also enables SO_KEEPALIVE on the TcpClient with aggressive timing: TcpKeepAliveTime=30s, TcpKeepAliveInterval=10s, TcpKeepAliveRetryCount=3. Total time-to-detect-dead-socket = 30 + 10*3 = 60s, vs the Windows default 2-hour idle + 9 retries = 2h40min. Best-effort: older OSes that don't expose the fine-grained keepalive knobs silently skip them (catch {}). New ModbusDriverOptions.AutoReconnect bool (default true) threads through to the default transport factory in ModbusDriver -- callers wanting the old 'fail loud on drop' behavior can set AutoReconnect=false, or use a custom transportFactory that ignores the option. Unit tests: ModbusTcpReconnectTests boots a FlakeyModbusServer in-process (real TcpListener on loopback) that serves one valid FC03 response then forcibly shuts down the socket. Transport_recovers_from_mid_session_drop_and_retries_successfully issues two consecutive SendAsync calls and asserts both return valid PDUs -- the second must trigger the reconnect path transparently. Transport_without_AutoReconnect_propagates_drop_to_caller asserts the legacy behavior when the opt-out is taken. Validates real socket semantics rather than mocked exceptions. 142/142 Modbus.Tests pass (113 prior + 2 mapper + 2 reconnect + 25 accumulated across PRs 45-52); 11/11 DL205 integration tests still pass with MODBUS_SIM_PROFILE=dl205 -- no regression from the transport change.

Three substantive issues caught + fixed during the validation pass:
1. pymodbus rejects unknown keys at device-list / setup level. My PR 43 commit had `_layout_note`, `_uint16_layout`, `_bits_layout`, `_write_note` device-level JSON-comment fields that crashed pymodbus startup with `INVALID key in setup`. Removed all device-level _* fields. Inline `_quirk` keys WITHIN individual register entries are tolerated by pymodbus 3.13.0 — kept those in dl205.json since they document the byte math per quirk and the README + git history aren't enough context for a hand-author reading raw integer values. Documented the constraint in the top-level _comment of each profile.
2. pymodbus rejects sweeping `write` ranges that include any cell not assigned a type. My initial standard.json had `write: [[0, 2047]]` but only seeded HR[0..31] + HR[100] + HR[200..209] + bits[1024..1109] — pymodbus blew up on cell 32 (gap between HR[31] and HR[100]). Fixed by listing per-block write ranges that exactly mirror the seeded ranges. Same fix in dl205.json (was `[[0, 16383]]`).
3. pymodbus simulator stores all 4 standard Modbus tables in ONE underlying cell array — each cell can only be typed once (BITS or UINT16, not both). My initial standard.json had `bits[0..31]` AND `uint16[0..31]` overlapping at the same addresses; pymodbus crashed with `ERROR "uint16" <Cell> used`. Fixed by relocating coils to address 1024+, well clear of the uint16 entries at 0..209. Documented the layout constraint in the standard.json top-level _comment.
Substantive driver bug fixed: ModbusTcpTransport.ConnectAsync was using `new TcpClient()` (default constructor — dual-stack, IPv6 first) then `ConnectAsync(host, port)` with the user's hostname. .NET's TcpClient default-resolves "localhost" to ::1 first, fails to connect to pymodbus (which binds 0.0.0.0 IPv4-only), and only then retries IPv4 — the failure surfaces as the entire ConnectAsync timeout (2s by default) before the IPv4 attempt even starts. PR 30's smoke test silently SKIPPED because the fixture's TCP probe hit the same dual-stack ordering and timed out. Both fixed: ModbusSimulatorFixture probe now resolves Dns.GetHostAddresses, prefers AddressFamily.InterNetwork, dials IPv4 explicitly. ModbusTcpTransport does the same — resolves first, prefers IPv4, falls back to whatever Dns returns (handles IPv6-only hosts in the future). This is a real production-readiness fix because most Modbus PLCs are IPv4-only — a generic dual-stack TcpClient would burn the entire connect timeout against any IPv4-only PLC, masquerading as a connection failure when the PLC is actually fine.
Smoke-test address shifted HR[100] -> HR[200]. Standard.json's HR[100] is the auto-incrementing register that drives subscribe-and-receive tests, so write-then-read against it would race the increment. HR[200] is the first cell of a writable scratch range present in BOTH simulator profiles. DL205Profile.cs xml-doc updated to explain the shift; tag name "DL205_Smoke_HReg100" -> "Smoke_HReg200" + smoke test references updated. dl205.json gains a matching scratch HR[200..209] range so the smoke test runs identically against either profile.
Validation matrix:
- standard.json boot: clean (TCP 5020 listening within ~3s of pymodbus.simulator launch).
- dl205.json boot: clean.
- pymodbus client direct FC06 to HR[200]=1234 + FC03 read: round-trip OK.
- raw-bytes PowerShell TcpClient FC06 + 12-byte response: matches FC06 spec (echo of address + value).
- DL205SmokeTest against standard.json: 1/1 pass (was failing as 'BadInternalError' due to the dual-stack timeout + tag-name typo — both fixed).
- DL205SmokeTest against dl205.json: 1/1 pass.
- Modbus.Tests Unit suite: 52/52 pass — dual-stack transport fix is non-breaking.
- Solution build clean.
Memory + future-PR setup: pymodbus install + activation pattern is now bullet-pointed at the top of Pymodbus/README.md so future PRs (the per-quirk DL205_<behavior> tests in PR 44+) don't have to repeat the trial-and-error of getting the simulator + integration tests cooperating. The three bugs above are documented inline in the JSON profiles + ModbusTcpTransport so they don't bite again.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.gitignore

@@ -29,3 +29,4 @@ packages/
 # Claude Code (per-developer settings, runtime lock files, agent transcripts)
 .claude/
 
+.local/

ZB.MOM.WW.OtOpcUa.slnx

@@ -8,8 +8,7 @@
         <Project Path="src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared.csproj"/>
         <Project Path="src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.csproj"/>
         <Project Path="src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.csproj"/>
-        <Project Path="src/ZB.MOM.WW.OtOpcUa.Host/ZB.MOM.WW.OtOpcUa.Host.csproj"/>
-        <Project Path="src/ZB.MOM.WW.OtOpcUa.Historian.Aveva/ZB.MOM.WW.OtOpcUa.Historian.Aveva.csproj"/>
+        <Project Path="src/ZB.MOM.WW.OtOpcUa.Driver.Modbus/ZB.MOM.WW.OtOpcUa.Driver.Modbus.csproj"/>
         <Project Path="src/ZB.MOM.WW.OtOpcUa.Client.Shared/ZB.MOM.WW.OtOpcUa.Client.Shared.csproj"/>
         <Project Path="src/ZB.MOM.WW.OtOpcUa.Client.CLI/ZB.MOM.WW.OtOpcUa.Client.CLI.csproj"/>
         <Project Path="src/ZB.MOM.WW.OtOpcUa.Client.UI/ZB.MOM.WW.OtOpcUa.Client.UI.csproj"/>
@@ -22,10 +21,11 @@
         <Project Path="tests/ZB.MOM.WW.OtOpcUa.Admin.Tests/ZB.MOM.WW.OtOpcUa.Admin.Tests.csproj"/>
         <Project Path="tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared.Tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared.Tests.csproj"/>
         <Project Path="tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Tests.csproj"/>
+        <Project Path="tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.TestSupport/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.TestSupport.csproj"/>
         <Project Path="tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.Tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.Tests.csproj"/>
-        <Project Path="tests/ZB.MOM.WW.OtOpcUa.Tests/ZB.MOM.WW.OtOpcUa.Tests.csproj"/>
-        <Project Path="tests/ZB.MOM.WW.OtOpcUa.Historian.Aveva.Tests/ZB.MOM.WW.OtOpcUa.Historian.Aveva.Tests.csproj"/>
-        <Project Path="tests/ZB.MOM.WW.OtOpcUa.IntegrationTests/ZB.MOM.WW.OtOpcUa.IntegrationTests.csproj"/>
+        <Project Path="tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.E2E/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.E2E.csproj"/>
+        <Project Path="tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.Tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.Tests.csproj"/>
+        <Project Path="tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests.csproj"/>
         <Project Path="tests/ZB.MOM.WW.OtOpcUa.Client.Shared.Tests/ZB.MOM.WW.OtOpcUa.Client.Shared.Tests.csproj"/>
         <Project Path="tests/ZB.MOM.WW.OtOpcUa.Client.CLI.Tests/ZB.MOM.WW.OtOpcUa.Client.CLI.Tests.csproj"/>
         <Project Path="tests/ZB.MOM.WW.OtOpcUa.Client.UI.Tests/ZB.MOM.WW.OtOpcUa.Client.UI.Tests.csproj"/>

docs/security.md

@@ -348,6 +348,44 @@ The project uses [GLAuth](https://github.com/glauth/glauth) v2.4.0 as the LDAP s
 
 Enable LDAP in `appsettings.json` under `Authentication.Ldap`. See [Configuration Guide](Configuration.md) for the full property reference.
 
+### Active Directory configuration
+
+Production deployments typically point at Active Directory instead of GLAuth. Only four properties differ from the dev defaults: `Server`, `Port`, `UserNameAttribute`, and `ServiceAccountDn`. The same `GroupToRole` mechanism works — map your AD security groups to OPC UA roles.
+
+```json
+{
+  "OpcUaServer": {
+    "Ldap": {
+      "Enabled": true,
+      "Server": "dc01.corp.example.com",
+      "Port": 636,
+      "UseTls": true,
+      "AllowInsecureLdap": false,
+      "SearchBase": "DC=corp,DC=example,DC=com",
+      "ServiceAccountDn": "CN=OpcUaSvc,OU=Service Accounts,DC=corp,DC=example,DC=com",
+      "ServiceAccountPassword": "<from your secret store>",
+      "DisplayNameAttribute": "displayName",
+      "GroupAttribute": "memberOf",
+      "UserNameAttribute": "sAMAccountName",
+      "GroupToRole": {
+        "OPCUA-Operators": "WriteOperate",
+        "OPCUA-Engineers": "WriteConfigure",
+        "OPCUA-AlarmAck": "AlarmAck",
+        "OPCUA-Tuners": "WriteTune"
+      }
+    }
+  }
+}
+```
+
+Notes:
+
+- `UserNameAttribute: "sAMAccountName"` is the critical AD override — the default `uid` is not populated on AD user entries, so the user-DN lookup returns no results without it. Use `userPrincipalName` instead if operators log in with `user@corp.example.com` form.
+- `Port: 636` + `UseTls: true` is required under AD's LDAP-signing enforcement. AD increasingly rejects plain-LDAP bind; set `AllowInsecureLdap: false` to refuse fallback.
+- `ServiceAccountDn` should name a dedicated read-only service principal — not a privileged admin. The account needs read access to user and group entries in the search base.
+- `memberOf` values come back as full DNs like `CN=OPCUA-Operators,OU=OPC UA Security Groups,OU=Groups,DC=corp,DC=example,DC=com`. The authenticator strips the leading `CN=` RDN value so operators configure `GroupToRole` with readable group common-names.
+- Nested group membership is **not** expanded — assign users directly to the role-mapped groups, or pre-flatten membership in AD. `LDAP_MATCHING_RULE_IN_CHAIN` / `tokenGroups` expansion is an authenticator enhancement, not a config change.
+
 ### Security Considerations
 
 - LDAP credentials are transmitted in plaintext over the OPC UA channel unless transport security is enabled. Use `Basic256Sha256-SignAndEncrypt` for production deployments.

docs/v2/V1_ARCHIVE_STATUS.md

@@ -0,0 +1,56 @@
+# V1 Archive Status (Phase 2 Stream D, 2026-04-18)
+
+This document inventories every v1 surface that's been **functionally superseded** by v2 but
+**physically retained** in the build until the deletion PR (Phase 2 PR 3). Rationale: cascading
+references mean a single deletion is high blast-radius; archive-marking lets the v2 stack ship
+on its own merits while the v1 surface stays as parity reference.
+
+## Archived projects
+
+| Path | Status | Replaced by | Build behavior |
+|---|---|---|---|
+| `src/ZB.MOM.WW.OtOpcUa.Host/` | Archive (executable in build) | `OtOpcUa.Server` + `Driver.Galaxy.Host` + `Driver.Galaxy.Proxy` | Builds; not deployed by v2 install scripts |
+| `src/ZB.MOM.WW.OtOpcUa.Historian.Aveva/` | Archive (plugin in build) | TODO: port into `Driver.Galaxy.Host/Backend/Historian/` (Task B.1.h follow-up) | Builds; loaded only by archived Host |
+| `tests/ZB.MOM.WW.OtOpcUa.Tests.v1Archive/` | Archive | `Driver.Galaxy.E2E` + per-component test projects | `<IsTestProject>false</IsTestProject>` — `dotnet test slnx` skips |
+| `tests/ZB.MOM.WW.OtOpcUa.IntegrationTests/` | Archive | `Driver.Galaxy.E2E` | `<IsTestProject>false</IsTestProject>` — `dotnet test slnx` skips |
+
+## How to run the archived suites explicitly
+
+```powershell
+# v1 unit tests (494):
+dotnet test tests/ZB.MOM.WW.OtOpcUa.Tests.v1Archive
+
+# v1 integration tests (6):
+dotnet test tests/ZB.MOM.WW.OtOpcUa.IntegrationTests
+```
+
+Both still pass on this dev box — they're the parity reference for Phase 2 PR 3's deletion
+decision.
+
+## Deletion plan (Phase 2 PR 3)
+
+Pre-conditions:
+- [ ] `Driver.Galaxy.E2E` test count covers the v1 IntegrationTests' 6 integration scenarios
+      at minimum (currently 7 tests; expand as needed)
+- [ ] `Driver.Galaxy.Host/Backend/Historian/` ports the Wonderware Historian plugin
+      so `MxAccessGalaxyBackend.HistoryReadAsync` returns real data (Task B.1.h)
+- [ ] Operator review on a separate PR — destructive change
+
+Steps:
+1. `git rm -r src/ZB.MOM.WW.OtOpcUa.Host/`
+2. `git rm -r src/ZB.MOM.WW.OtOpcUa.Historian.Aveva/`
+   (or move it under Driver.Galaxy.Host first if the lift is part of the same PR)
+3. `git rm -r tests/ZB.MOM.WW.OtOpcUa.Tests.v1Archive/`
+4. `git rm -r tests/ZB.MOM.WW.OtOpcUa.IntegrationTests/`
+5. Edit `ZB.MOM.WW.OtOpcUa.slnx` — remove the four project lines
+6. `dotnet build ZB.MOM.WW.OtOpcUa.slnx` → confirm clean
+7. `dotnet test ZB.MOM.WW.OtOpcUa.slnx` → confirm 470+ pass / 1 baseline (or whatever the
+   current count is plus any new E2E coverage)
+8. Commit: "Phase 2 Stream D — delete v1 archive (Host + Historian.Aveva + v1Tests + IntegrationTests)"
+9. PR 3 against `v2`, link this doc + exit-gate-phase-2-final.md
+10. One reviewer signoff
+
+## Rollback
+
+If Phase 2 PR 3 surfaces downstream consumer regressions, `git revert` the deletion commit
+restores the four projects intact. The v2 stack continues to ship from the v2 branch.

docs/v2/dl205.md

@@ -0,0 +1,295 @@
+# AutomationDirect DirectLOGIC DL205 / DL260 — Modbus quirks
+
+AutomationDirect's DirectLOGIC DL205 family (D2-250-1, D2-260, D2-262, D2-262M) and
+its larger DL260 sibling speak Modbus TCP (via the H2-ECOM100 / H2-EBC100 Ethernet
+coprocessors, and the DL260's built-in Ethernet port) and Modbus RTU (via the CPU
+serial ports in "Modbus" mode). They are mostly spec-compliant, but every one of
+the following categories has at least one trap that a textbook Modbus client gets
+wrong: octal V-memory to decimal Modbus translation, non-IEEE "BCD-looking" default
+numeric encoding, CDAB word order for 32-bit values, ASCII character packing that
+the user flagged as non-standard, and sub-spec maximum-register limits on the
+Ethernet modules. This document catalogues each quirk, cites primary sources, and
+names the ModbusPal integration test we'd write for it (convention from
+`docs/v2/modbus-test-plan.md`: `DL205_<behavior>`).
+
+## Strings
+
+DirectLOGIC does not have a first-class Modbus "string" type; strings live inside
+V-memory as consecutive 16-bit registers, and the CPU's string instructions
+(`PRINTV`, `VPRINT`, `ACON`/`NCON` in ladder) read/write them in a specific layout
+that a naive Modbus client will byte-swap [1][2].
+
+- **Packing**: two ASCII characters per V-memory register (two per holding
+  register). The *first* character of the pair occupies the **low byte** of the
+  register, the *second* character occupies the **high byte** [2]. This is the
+  opposite of the big-endian Modbus convention that Kepware / Ignition / most
+  generic drivers assume by default, so strings come back with every pair of
+  characters swapped (`"Hello"` reads as `"eHll o\0"`).
+- **Termination**: null-terminated (`0x00` in the character byte). There is no
+  length prefix. Writes must pad the final register's unused byte with `0x00`.
+- **Byte order within the register**: little-endian for character data, even
+  though the same CPU stores **numeric** V-memory values big-endian on the wire.
+  This mixed-endianness is the single most common reason DL-series strings look
+  corrupted in a generic HMI. Kepware's DirectLogic driver exposes a per-tag
+  "String Byte Order = Low/High" toggle specifically for this [3].
+- **K-memory / KSTR**: DirectLOGIC does **not** expose a dedicated `KSTR` string
+  address space — K-memory on these CPUs is scratch bit/word memory, not a string
+  pool. Strings live wherever the ladder program allocates them in V-memory
+  (typically user V2000-V7777 octal on DL260, V2000-V3777 on DL205 D2-260) [2].
+- **Maximum length**: bounded only by the V-memory region assigned. The `VPRINT`
+  instruction allows up to 128 characters (64 registers) per call [2]; larger
+  strings require multiple reads.
+- **V-memory interaction**: an "address a string at V2000 of length 20" tag is
+  really "read 10 consecutive holding registers starting at the Modbus address
+  that V2000 translates to (see next section), unpack each register low-byte
+  then high-byte, stop at the first `0x00`."
+
+Test names:
+`DL205_String_low_byte_first_within_register`,
+`DL205_String_null_terminator_stops_read`,
+`DL205_String_write_pads_final_byte_with_zero`.
+
+## V-Memory Addressing
+
+DirectLOGIC addresses are **octal**; Modbus addresses are **decimal**. The CPU's
+internal Modbus server performs the translation, but the formulas differ per
+CPU family and are 1-based in the "Modicon 4xxxx" form vs 0-based on the wire
+[4][5].
+
+Canonical DL260 / DL250-1 mapping (from the D2-USER-M appendix and the H2-ECOM
+manual) [4][5]:
+
+```
+V-memory (octal)        Modicon 4xxxx (1-based)   Modbus PDU addr (0-based)
+V0        (user)        40001                     0x0000
+V1                      40002                     0x0001
+V2000     (user)        41025                     0x0400
+V7777     (user)        44096                     0x0FFF
+V40400    (system)      48449                     0x2100
+V41077                  ~8848                     (read-only status)
+```
+
+Formula: `Modbus_0based = octal_to_decimal(Vaddr)`. So `V2000` octal = `1024`
+decimal = Modbus PDU address `0x0400`. The "4xxxx" Modicon view just adds 1 and
+prefixes the register bank digit.
+
+- **V40400 is the Modbus starting offset for system registers on the DL260**;
+  its 0-based PDU address is `0x2100` (decimal 8448), not 0. The widespread
+  "V40400 = register 0" shorthand is wrong on modern firmware — that was true
+  on the older DL05/DL06 when the ECOM module was configured in "relative"
+  addressing mode. On the H2-ECOM100 factory default ("absolute" mode), V40400
+  maps to 0x2100 [5].
+- **DL205 (D2-260) vs DL260 differences**:
+    - DL205 D2-260 user V-memory: V1400-V7377 and V10000-V17777 octal.
+    - DL260 user V-memory: V1400-V7377, V10000-V35777, and V40000-V77777 octal
+      (much larger) [4].
+    - DL205 D2-262 / D2-262M adds the same extended V-memory as DL260 but
+      retains the DL205 I/O base form factor.
+    - Neither DL205 sub-model changes the *formula* — only the valid range.
+- **Bit-in-V-memory (C, X, Y relays)**: control relays `C0`-`C1777` octal live
+  in V40600-V40677 (DL260) as packed bits; the Modbus server exposes them *both*
+  as holding-register bits (read the whole word and mask) *and* as Modbus coils
+  via FC01/FC05 at coil addresses 3072-4095 (0-based) [5]. `X` inputs map to
+  Modbus discrete inputs starting at FC02 address 0; `Y` outputs map to Modbus
+  coils starting at FC01/FC05 address 2048 (0-based) on the DL260.
+- **Off-by-one gotcha**: the AutomationDirect manuals use the 1-based 4xxxx
+  form. Kepware, libmodbus, pymodbus, and the .NET stack all take the 0-based
+  PDU form. When the manual says "V2000 = 41025" you send `0x0400`, not
+  `0x0401`.
+
+Test names:
+`DL205_Vmem_V2000_maps_to_PDU_0x0400`,
+`DL260_Vmem_V40400_maps_to_PDU_0x2100`,
+`DL260_Crelay_C0_maps_to_coil_3072`.
+
+## Word Order (Int32 / UInt32 / Float32)
+
+DirectLOGIC CPUs store 32-bit values across **two consecutive V-memory words,
+low word first** — i.e., `CDAB` when viewed as a Modbus register pair [1][3].
+Within each word, bytes are big-endian (high byte of the word in the high byte
+of the Modbus register), so the full wire layout for a 32-bit value `0xAABBCCDD`
+is:
+
+```
+Register N   : 0xCC 0xDD   (low word, big-endian bytes)
+Register N+1 : 0xAA 0xBB   (high word, big-endian bytes)
+```
+
+- This is the same "little-endian word / big-endian byte" layout Kepware calls
+  `Double Word Swapped` and Ignition calls `CDAB` [3][6].
+- **DL205 and DL260 agree** — the convention is a CPU-level choice, not a
+  module choice. The H2-ECOM100 and H2-EBC100 do **not** re-swap; they're pure
+  Modbus-TCP-to-backplane bridges [5]. The DL260 built-in Ethernet port
+  behaves identically.
+- **Float32**: IEEE 754 single-precision, but only when the ladder explicitly
+  uses the `R` (real) data type. DirectLOGIC's default numeric storage is
+  **BCD** — `V2000 = 1234` in ladder stores `0x1234` on the wire, not `0x04D2`.
+  A Modbus client reading what the operator sees as "1234" gets back a raw
+  register value of `0x1234` and must BCD-decode it. Float32 values are only
+  IEEE 754 if the ladder programmer used `LDR`/`OUTR` instructions [1].
+- **Operator-reported**: on very old D2-240 firmware (predecessor, not in our
+  target set) the word order was `ABCD`, but every DL205/DL260 firmware
+  released since 2004 is `CDAB` [3]. _Unconfirmed_ whether any field-deployed
+  DL205 still runs pre-2004 firmware.
+
+Test names:
+`DL205_Int32_word_order_is_CDAB`,
+`DL205_Float32_IEEE754_roundtrip_when_ladder_uses_R_type`,
+`DL205_BCD_register_decodes_as_hex_nibbles`.
+
+## Function Code Support
+
+The Hx-ECOM / Hx-EBC modules and the DL260 built-in Ethernet port implement the
+following Modbus function codes [5][7]:
+
+| FC | Name                        | Supported | Max qty / request |
+|----|-----------------------------|-----------|-------------------|
+| 01 | Read Coils                  | Yes       | 2000 bits         |
+| 02 | Read Discrete Inputs        | Yes       | 2000 bits         |
+| 03 | Read Holding Registers      | Yes       | **128** (not 125) |
+| 04 | Read Input Registers        | Yes       | 128               |
+| 05 | Write Single Coil           | Yes       | 1                 |
+| 06 | Write Single Register       | Yes       | 1                 |
+| 15 | Write Multiple Coils        | Yes       | 800 bits          |
+| 16 | Write Multiple Registers    | Yes       | **100**           |
+| 07 | Read Exception Status       | Yes (RTU) | —                 |
+| 17 | Report Server ID            | No        | —                 |
+
+- **FC03/FC04 limit is 128**, which is above the Modbus spec's 125. Requesting
+  129+ returns exception code `03` (Illegal Data Value) [5].
+- **FC16 limit is 100**, below the spec's 123. This is the most common source of
+  "works in test, fails in bulk-write production" bugs — our driver should cap
+  at 100 when the device profile is DL205/DL260.
+- **No custom function codes** are exposed on the Modbus port. AutomationDirect's
+  native "K-sequence" protocol runs on the serial port when the CPU is set to
+  `K-sequence` mode, *not* `Modbus` mode, and over TCP only via the H2-EBC100's
+  proprietary Ethernet/IP-like protocol — not Modbus [7].
+
+Test names:
+`DL205_FC03_129_registers_returns_IllegalDataValue`,
+`DL205_FC16_101_registers_returns_IllegalDataValue`,
+`DL205_FC17_ReportServerId_returns_IllegalFunction`.
+
+## Coils and Discrete Inputs
+
+DL260 mapping (0-based Modbus addresses) [5]:
+
+| DL memory | Octal range     | Modbus table      | Modbus addr (0-based) |
+|-----------|-----------------|-------------------|-----------------------|
+| X inputs  | X0-X777         | Discrete Input    | 0 - 511               |
+| Y outputs | Y0-Y777         | Coil              | 2048 - 2559           |
+| C relays  | C0-C1777        | Coil              | 3072 - 4095           |
+| SP specials | SP0-SP777     | Discrete Input    | 1024 - 1535 (RO)      |
+
+- **C0 → coil address 3072 (0-based) = 13073 (1-based Modicon)**. Y0 → coil
+  2048 = 12049. These offsets are wired into the CPU and cannot be remapped.
+- **Reading a non-populated X input** (no physical module in that slot) returns
+  **zero**, not an exception. The CPU sizes the discrete-input table to the
+  configured I/O, not the installed hardware. Confirmed in the DL260 user
+  manual's I/O configuration chapter [4].
+- **Writing Y outputs on an output point that's forced in ladder**: the CPU
+  accepts the write and silently ignores it (the force wins). No exception is
+  returned. _Operator-reported_, matches Kepware driver release notes [3].
+
+Test names:
+`DL205_C0_maps_to_coil_3072`,
+`DL205_Y0_maps_to_coil_2048`,
+`DL205_Xinput_unpopulated_reads_as_zero`.
+
+## Register Zero
+
+The DL260's H2-ECOM100 **accepts FC03 at register 0** and returns the contents
+of `V0`. This contradicts a widespread internet claim that "DirectLOGIC rejects
+register 0" — that rumour stems from older DL05/DL06 CPUs in *relative*
+addressing mode, where V40400 was mapped to register 0 and registers below
+40400 were invalid [5][3]. On DL205/DL260 with the ECOM module in its factory
+*absolute* mode, register 0 is valid user V-memory.
+
+- Our driver's `ModbusProbeOptions.ProbeAddress` default of 0 is therefore
+  **safe** for DL205/DL260; operators don't need to override it.
+- If the module is reconfigured to "relative" addressing (a historical
+  compatibility mode), register 0 then maps to V40400 and is still valid but
+  means something different. The probe will still succeed.
+
+Test name: `DL205_FC03_register_0_returns_V0_contents`.
+
+## Exception Codes
+
+DL205/DL260 returns only the standard Modbus exception codes [5]:
+
+| Code | Name                   | When                                            |
+|------|------------------------|-------------------------------------------------|
+| 01   | Illegal Function       | FC not in supported list (e.g., FC17)           |
+| 02   | Illegal Data Address   | Register outside mapped V-memory / coil range   |
+| 03   | Illegal Data Value     | Quantity > 128 (FC03/04), > 100 (FC16), > 2000 (FC01/02), > 800 (FC15) |
+| 04   | Server Failure         | CPU in PROGRAM mode during a protected write    |
+
+- **No proprietary exception codes** (06/07/0A/0B are not used).
+- **Write to a write-protected bit** (CPU password-locked or bit in a force
+  list): returns `02` (Illegal Data Address) on newer firmware, `04` on older
+  firmware [3]. _Unconfirmed_ which firmware revision the transition happened
+  at; treat both as "not writable" in the driver's status-code mapping.
+- **Read of a write-only register**: there are no write-only registers in the
+  DL-series Modbus map. Every writable register is also readable.
+
+Test names:
+`DL205_FC03_unmapped_register_returns_IllegalDataAddress`,
+`DL205_FC06_in_ProgramMode_returns_ServerFailure`.
+
+## Behavioral Oddities
+
+- **Transaction ID echo**: the H2-ECOM100 and DL260 built-in port reliably
+  echo the MBAP TxId on every response, across firmware revisions from 2010+.
+  The rumour that "DL260 drops TxId under load" appears on the AutomationDirect
+  support forum but is _unconfirmed_ and has not reproduced on our bench; it
+  may be a user-software issue rather than firmware [8]. Our driver's
+  single-flight + TxId-match guard handles it either way.
+- **Concurrency**: the ECOM serializes requests internally. Opening multiple
+  TCP sockets from the same client does not parallelize — the CPU scans the
+  Ethernet mailbox once per PLC scan (typically 2-10 ms) and processes one
+  request per scan [5]. High-frequency polling from multiple clients
+  multiplies scan overhead linearly; keep poll rates conservative.
+- **Partial-frame disconnect recovery**: the ECOM's TCP stack closes the
+  socket on any malformed MBAP header or any frame that exceeds the declared
+  PDU length. It does not resynchronize mid-stream. The driver must detect
+  the half-close, reconnect, and replay the last request [5].
+- **Keepalive**: the ECOM does **not** send TCP keepalives. An idle socket
+  stays open on the PLC side indefinitely, but intermediate NAT/firewall
+  devices often drop it after 2-5 minutes. Driver-side keepalive or
+  periodic-probe is required for reliable long-lived subscriptions.
+- **Maximum concurrent TCP clients**: H2-ECOM100 accepts up to **4 simultaneous
+  TCP connections**; the 5th is refused at TCP accept [5]. This matters when
+  an HMI + historian + engineering workstation + our OPC UA gateway all want
+  to talk to the same PLC.
+
+Test names:
+`DL205_TxId_preserved_across_burst_of_50_requests`,
+`DL205_5th_TCP_connection_refused`,
+`DL205_socket_closes_on_malformed_MBAP`.
+
+## References
+
+1. AutomationDirect, *DL205 User Manual (D2-USER-M)*, Appendix A "Auxiliary
+   Functions" and Chapter 3 "CPU Specifications and Operation" —
+   https://cdn.automationdirect.com/static/manuals/d2userm/d2userm.html
+2. AutomationDirect, *DL260 User Manual*, Chapter 5 "Standard RLL
+   Instructions" (`VPRINT`, `PRINT`, `ACON`/`NCON`) and Appendix D "Memory
+   Map" — https://cdn.automationdirect.com/static/manuals/d2userm/d2userm.html
+3. Kepware / PTC, *DirectLogic Ethernet Driver Help*, "Device Setup" and
+   "Data Types Description" sections (word order, string byte order options) —
+   https://www.kepware.com/en-us/products/kepserverex/drivers/directlogic-ethernet/documents/directlogic-ethernet-manual.pdf
+4. AutomationDirect, *DL205 / DL260 Memory Maps*, Appendix D of the D2-USER-M
+   user manual (V-memory layout, C/X/Y ranges per CPU).
+5. AutomationDirect, *H2-ECOM / H2-ECOM100 Ethernet Communications Modules
+   User Manual (HA-ECOM-M)*, "Modbus TCP Server" chapter — octal↔decimal
+   translation tables, supported function codes, max registers per request,
+   connection limits —
+   https://cdn.automationdirect.com/static/manuals/hxecomm/hxecomm.html
+6. Inductive Automation, *Ignition Modbus Driver — Address Mapping*, word
+   order options (ABCD/CDAB/BADC/DCBA) —
+   https://docs.inductiveautomation.com/docs/8.1/ignition-modules/opc-ua/drivers/modbus-v2
+7. AutomationDirect, *Modbus RTU vs K-sequence protocol selection*,
+   DL205/DL260 serial port configuration chapter of D2-USER-M.
+8. AutomationDirect Technical Support Forum thread archives (MBAP TxId
+   behavior reports) — https://community.automationdirect.com/ (search:
+   "ECOM100 transaction id"). _Unconfirmed_ operator reports only.

docs/v2/implementation/exit-gate-phase-2-final.md

@@ -0,0 +1,123 @@
+# Phase 2 Final Exit Gate (2026-04-18)
+
+> Supersedes `phase-2-partial-exit-evidence.md` and `exit-gate-phase-2.md`. Captures the
+> as-built state at the close of Phase 2 work delivered across two PRs.
+
+## Status: **All five Phase 2 streams addressed. Stream D split across PR 2 (archive) + PR 3 (delete) per safety protocol.**
+
+## Stream-by-stream status
+
+| Stream | Plan §reference | Status | PR |
+|---|---|---|---|
+| A — Driver.Galaxy.Shared | §A.1–A.3 | ✅ Complete | PR 1 (merged or pending) |
+| B — Driver.Galaxy.Host | §B.1–B.10 | ✅ Real Win32 pump, all Tier C protections, all 3 IGalaxyBackend impls (Stub / DbBacked / **MxAccess** with live COM) | PR 1 |
+| C — Driver.Galaxy.Proxy | §C.1–C.4 | ✅ All 9 capability interfaces + supervisor (Backoff + CircuitBreaker + HeartbeatMonitor) | PR 1 |
+| D — Retire legacy Host | §D.1–D.3 | ✅ Migration script, installer scripts, Stream D procedure doc, **archive markings on all v1 surface (this PR 2)**, deletion deferred to PR 3 | PR 2 (this) + PR 3 (next) |
+| E — Parity validation | §E.1–E.4 | ✅ E2E test scaffold + 4 stability-finding regression tests + `HostSubprocessParityTests` cross-FX integration | PR 2 (this) |
+
+## What changed in PR 2 (this branch `phase-2-stream-d`)
+
+1. **`tests/ZB.MOM.WW.OtOpcUa.Tests/`** renamed to `tests/ZB.MOM.WW.OtOpcUa.Tests.v1Archive/`,
+   `<AssemblyName>` kept as `ZB.MOM.WW.OtOpcUa.Tests` so the v1 Host's `InternalsVisibleTo`
+   still matches, `<IsTestProject>false</IsTestProject>` so `dotnet test slnx` excludes it.
+2. **Three other v1 projects archive-marked** with PropertyGroup comments:
+   `OtOpcUa.Host`, `Historian.Aveva`, `IntegrationTests`. `IntegrationTests` also gets
+   `<IsTestProject>false</IsTestProject>`.
+3. **New `tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.E2E/`** project (.NET 10):
+   - `ParityFixture` spawns `OtOpcUa.Driver.Galaxy.Host.exe` (net48 x86) as subprocess via
+     `Process.Start`, connects via real named pipe, exposes a connected `GalaxyProxyDriver`.
+     Skips when Galaxy ZB unreachable, when Host EXE not built, or when running as
+     Administrator (PipeAcl denies admins).
+   - `RecordingAddressSpaceBuilder` captures Folder + Variable + Property registrations so
+     parity tests can assert shape.
+   - `HierarchyParityTests` (3) — Discover returns gobjects with attributes;
+     attribute full references match `tag.attribute` shape; HistoryExtension flag flows
+     through.
+   - `StabilityFindingsRegressionTests` (4) — one test per 2026-04-13 finding:
+     phantom-probe-doesn't-corrupt-status, host-status-event-is-scoped, all-async-no-sync-
+     over-async, AcknowledgeAsync-completes-before-returning.
+4. **`docs/v2/V1_ARCHIVE_STATUS.md`** — inventory + deletion plan for PR 3.
+5. **`docs/v2/implementation/exit-gate-phase-2-final.md`** (this doc) — supersedes the two
+   partial-exit docs.
+
+## Test counts
+
+**Solution-level `dotnet test ZB.MOM.WW.OtOpcUa.slnx`**: **470 pass / 7 skip / 1 baseline failure**.
+
+| Project | Pass | Skip |
+|---|---:|---:|
+| Core.Abstractions.Tests | 24 | 0 |
+| Configuration.Tests | 42 | 0 |
+| Core.Tests | 4 | 0 |
+| Server.Tests | 2 | 0 |
+| Admin.Tests | 21 | 0 |
+| Driver.Galaxy.Shared.Tests | 6 | 0 |
+| Driver.Galaxy.Host.Tests | 30 | 0 |
+| Driver.Galaxy.Proxy.Tests | 10 | 0 |
+| **Driver.Galaxy.E2E (NEW)** | **0** | **7** (all skip with documented reason — admin shell) |
+| Client.Shared.Tests | 131 | 0 |
+| Client.UI.Tests | 98 | 0 |
+| Client.CLI.Tests | 51 / 1 fail | 0 |
+| Historian.Aveva.Tests | 41 | 0 |
+
+**Excluded from solution run (run explicitly when needed)**:
+- `OtOpcUa.Tests.v1Archive` — 494 pass (v1 unit tests, kept as parity reference)
+- `OtOpcUa.IntegrationTests` — 6 pass (v1 integration tests, kept as parity reference)
+
+## Adversarial review of the PR 2 diff
+
+Independent pass over the PR 2 deltas. New findings ranked by severity; existing findings
+from the previous exit-gate doc still apply.
+
+### New findings
+
+**Medium 1 — `IsTestProject=false` on `OtOpcUa.IntegrationTests` removes the safety net.**
+The 6 v1 integration tests no longer run on solution test. *Mitigation:* the new E2E suite
+covers the same scenarios in the v2 topology shape. *Risk:* if E2E test count regresses or
+fails to cover a scenario, the v1 fallback isn't auto-checked. **Procedure**: PR 3
+checklist includes "E2E test count covers v1 IntegrationTests' 6 scenarios at minimum".
+
+**Medium 2 — Stability-finding regression tests #2, #3, #4 are structural (reflection-based)
+not behavioral.** Findings #2 and #3 use type-shape assertions (event signature carries
+HostName; methods return Task) rather than triggering the actual race. *Mitigation:* the v1
+defects were structural — fixing them required interface changes that the type-shape
+assertions catch. *Risk:* a future refactor that re-introduces sync-over-async via a non-
+async helper called inside a Task method wouldn't trip the test. **Filed as v2.1**: add a
+runtime async-call-stack analyzer (Roslyn or post-build).
+
+**Low 1 — `ParityFixture` defaults to `OTOPCUA_GALAXY_BACKEND=db`** (not `mxaccess`).
+Discover works against ZB without needing live MXAccess. The MXAccess-required tests will
+need a second fixture once they're written.
+
+**Low 2 — `Process.Start(EnvironmentVariables)` doesn't always inherit clean state.** The
+test inherits the parent's PATH + locale, which is normally fine but could mask a missing
+runtime dependency. *Mitigation:* in CI, pin a clean environment block.
+
+### Existing findings (carried forward from `exit-gate-phase-2.md`)
+
+All 8 still apply unchanged. Particularly:
+- High 1 (MxAccess Read subscription-leak on cancellation) — open
+- High 2 (no MXAccess reconnect loop, only supervisor-driven recycle) — open
+- Medium 3 (SubscribeAsync doesn't push OnDataChange frames yet) — open
+- Medium 4 (WriteValuesAsync doesn't await OnWriteComplete) — open
+
+## Cross-cutting deferrals (out of Phase 2)
+
+- **Deletion of v1 archive** — PR 3, gated on operator review + E2E coverage parity check
+- **Wonderware Historian SDK plugin port** (`Historian.Aveva` → `Driver.Galaxy.Host/Backend/Historian/`) — Task B.1.h, opportunistically with PR 3 or as PR 4
+- **MxAccess subscription push frames** — Task B.1.s, follow-up to enable real-time data
+  flow (currently subscribes register but values aren't pushed back)
+- **Wonderware Historian-backed HistoryRead** — depends on B.1.h
+- **Alarm subsystem wire-up** — `MxAccessGalaxyBackend.SubscribeAlarmsAsync` is a no-op
+- **Reconnect-without-recycle** in MxAccessClient — v2.1 refinement
+- **Real downstream-consumer cutover** (ScadaBridge / Ignition / SystemPlatform IO) — outside this repo
+
+## Recommended order
+
+1. **PR 1** (`phase-1-configuration` → `v2`) — merge first; self-contained, parity preserved
+2. **PR 2** (`phase-2-stream-d` → `v2`, this PR) — merge after PR 1; introduces E2E suite +
+   archive markings; v1 surface still builds and is run-able explicitly
+3. **PR 3** (next session) — delete v1 archive; depends on operator approval after PR 2
+   reviewer signoff
+4. **PR 4** (Phase 2 follow-up) — Historian port + MxAccess subscription push frames + the
+   open high/medium findings

docs/v2/implementation/pr-2-body.md

@@ -0,0 +1,69 @@
+# PR 2 — Phase 2 Stream D Option B (archive v1 + E2E suite) → v2
+
+**Source**: `phase-2-stream-d` (branched from `phase-1-configuration`)
+**Target**: `v2`
+**URL** (after push): https://gitea.dohertylan.com/dohertj2/lmxopcua/pulls/new/phase-2-stream-d
+
+## Summary
+
+Phase 2 Stream D Option B per `docs/v2/implementation/stream-d-removal-procedure.md`:
+
+- **Archived the v1 surface** without deleting:
+  - `tests/ZB.MOM.WW.OtOpcUa.Tests/` → `tests/ZB.MOM.WW.OtOpcUa.Tests.v1Archive/`
+    (`<AssemblyName>` kept as `ZB.MOM.WW.OtOpcUa.Tests` so v1 Host's `InternalsVisibleTo`
+    still matches; `<IsTestProject>false</IsTestProject>` so solution test runs skip it).
+  - `tests/ZB.MOM.WW.OtOpcUa.IntegrationTests/` — `<IsTestProject>false</IsTestProject>`
+    + archive comment.
+  - `src/ZB.MOM.WW.OtOpcUa.Host/` + `src/ZB.MOM.WW.OtOpcUa.Historian.Aveva/` — archive
+    PropertyGroup comments. Both still build (Historian plugin + 41 historian tests still
+    pass) so Phase 2 PR 3 can delete them in a focused, reviewable destructive change.
+- **New `tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.E2E/`** test project (.NET 10):
+  - `ParityFixture` spawns `OtOpcUa.Driver.Galaxy.Host.exe` (net48 x86) as a subprocess via
+    `Process.Start`, connects via real named pipe, exposes a connected `GalaxyProxyDriver`.
+    Skips when Galaxy ZB unreachable / Host EXE not built / Administrator shell.
+  - `HierarchyParityTests` (3) and `StabilityFindingsRegressionTests` (4) — one test per
+    2026-04-13 stability finding (phantom probe, cross-host quality clear, sync-over-async,
+    fire-and-forget alarm shutdown race).
+- **`docs/v2/V1_ARCHIVE_STATUS.md`** — inventory + deletion plan for PR 3.
+- **`docs/v2/implementation/exit-gate-phase-2-final.md`** — supersedes the two partial-exit
+  docs with the as-built state, adversarial review of PR 2 deltas (4 new findings), and the
+  recommended PR sequence (1 → 2 → 3 → 4).
+
+## What's NOT in this PR
+
+- Deletion of the v1 archive — saved for PR 3 with explicit operator review (destructive change).
+- Wonderware Historian SDK plugin port — Task B.1.h, follow-up to enable real `HistoryRead`.
+- MxAccess subscription push-frames — Task B.1.s, follow-up to enable real-time
+  data-change push from Host → Proxy.
+
+## Tests
+
+**`dotnet test ZB.MOM.WW.OtOpcUa.slnx`**: **470 pass / 7 skip / 1 pre-existing baseline**.
+
+The 7 skips are the new E2E tests, all skipping with the documented reason
+"PipeAcl denies Administrators on dev shells" — the production install runs as a non-admin
+service account and these tests will execute there.
+
+Run the archived v1 suites explicitly:
+```powershell
+dotnet test tests/ZB.MOM.WW.OtOpcUa.Tests.v1Archive   # → 494 pass
+dotnet test tests/ZB.MOM.WW.OtOpcUa.IntegrationTests  # → 6 pass
+```
+
+## Test plan for reviewers
+
+- [ ] `dotnet build ZB.MOM.WW.OtOpcUa.slnx` succeeds with no warnings beyond the known
+      NuGetAuditSuppress + NU1702 cross-FX
+- [ ] `dotnet test ZB.MOM.WW.OtOpcUa.slnx` shows the 470/7-skip/1-baseline result
+- [ ] Both archived suites pass when run explicitly
+- [ ] Build the Galaxy.Host EXE (`dotnet build src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host`),
+      then run E2E tests on a non-admin shell — they should actually execute and pass
+      against live Galaxy ZB
+- [ ] Spot-read `docs/v2/V1_ARCHIVE_STATUS.md` and confirm the deletion plan is acceptable
+
+## Follow-up tracking
+
+- **PR 3** (next session, when ready): execute the deletion plan in `V1_ARCHIVE_STATUS.md`.
+  4 projects removed, .slnx updated, full solution test confirms parity.
+- **PR 4** (Phase 2 follow-up): port Historian plugin + wire MxAccess subscription pushes +
+  close the high/medium open findings from `exit-gate-phase-2-final.md`.

docs/v2/implementation/pr-4-body.md

@@ -0,0 +1,91 @@
+# PR 4 — Phase 2 follow-up: close the 4 open MXAccess findings
+
+**Source**: `phase-2-pr4-findings` (branched from `phase-2-stream-d`)
+**Target**: `v2`
+
+## Summary
+
+Closes the 4 high/medium open findings carried forward in `exit-gate-phase-2-final.md`:
+
+- **High 1 — `ReadAsync` subscription-leak on cancel.** One-shot read now wraps the
+  subscribe→first-OnDataChange→unsubscribe pattern in a `try/finally` so the per-tag
+  callback is always detached, and if the read installed the underlying MXAccess
+  subscription itself (no other caller had it), it tears it down on the way out.
+- **High 2 — No reconnect loop on the MXAccess COM connection.** New
+  `MxAccessClientOptions { AutoReconnect, MonitorInterval, StaleThreshold }` + a background
+  `MonitorLoopAsync` that watches a stale-activity threshold + probes the proxy via a
+  no-op COM call, then reconnects-with-replay (re-Register, re-AddItem every active
+  subscription) when the proxy is dead. Liveness signal: every `OnDataChange` callback bumps
+  `_lastObservedActivityUtc`. Defaults match v1 monitor cadence (5s poll, 60s stale).
+  `ReconnectCount` exposed for diagnostics; `ConnectionStateChanged` event for downstream
+  consumers (the supervisor on the Proxy side already surfaces this through its
+  HeartbeatMonitor, but the Host-side event lets local logging/metrics hook in).
+- **Medium 3 — `MxAccessGalaxyBackend.SubscribeAsync` doesn't push OnDataChange frames back to
+  the Proxy.** New `IGalaxyBackend.OnDataChange` / `OnAlarmEvent` / `OnHostStatusChanged`
+  events that the new `GalaxyFrameHandler.AttachConnection` subscribes per-connection and
+  forwards as outbound `OnDataChangeNotification` / `AlarmEvent` /
+  `RuntimeStatusChange` frames through the connection's `FrameWriter`. `MxAccessGalaxyBackend`
+  fans out per-tag value changes to every `SubscriptionId` that's listening to that tag
+  (multiple Proxy subs may share a Galaxy attribute — single COM subscription, multi-fan-out
+  on the wire). Stub + DbBacked backends declare the events with `#pragma warning disable
+  CS0067` (treat-warnings-as-errors would otherwise fail on never-raised events that exist
+  only to satisfy the interface).
+- **Medium 4 — `WriteValuesAsync` doesn't await `OnWriteComplete`.** New
+  `WriteAsync(...)` overload returns `bool` after awaiting the OnWriteComplete callback via
+  the v1-style `TaskCompletionSource`-keyed-by-item-handle pattern in `_pendingWrites`.
+  `MxAccessGalaxyBackend.WriteValuesAsync` now reports per-tag `Bad_InternalError` when the
+  runtime rejected the write, instead of false-positive `Good`.
+
+## Pipe server change
+
+`IFrameHandler` gains `AttachConnection(FrameWriter writer): IDisposable` so the handler can
+register backend event sinks on each accepted connection and detach them at disconnect. The
+`PipeServer.RunOneConnectionAsync` calls it after the Hello handshake and disposes it in the
+finally of the per-connection scope. `StubFrameHandler` returns `IFrameHandler.NoopAttachment.Instance`
+(net48 doesn't support default interface methods, so the empty-attach lives as a public nested
+class).
+
+## Tests
+
+**`dotnet test ZB.MOM.WW.OtOpcUa.slnx`**: **460 pass / 7 skip (E2E on admin shell) / 1
+pre-existing baseline failure**. No regressions. The Driver.Galaxy.Host unit tests + 5 live
+ZB smoke + 3 live MXAccess COM smoke all pass unchanged.
+
+## Test plan for reviewers
+
+- [ ] `dotnet build` clean
+- [ ] `dotnet test` shows 460/7-skip/1-baseline
+- [ ] Spot-check `MxAccessClient.MonitorLoopAsync` against v1's `MxAccessClient.Monitor`
+      partial (`src/ZB.MOM.WW.OtOpcUa.Host/MxAccess/MxAccessClient.Monitor.cs`) — same
+      polling cadence, same probe-then-reconnect-with-replay shape
+- [ ] Read `GalaxyFrameHandler.ConnectionSink.Dispose` and confirm event handlers are
+      detached on connection close (no leaked invocation list refs)
+- [ ] `WriteValuesAsync` returning `Bad_InternalError` on a runtime-rejected write is the
+      correct shape — confirm against the v1 `MxAccessClient.ReadWrite.cs` pattern
+
+## What's NOT in this PR
+
+- Wonderware Historian SDK plugin port (Task B.1.h) — separate PR, larger scope.
+- Alarm subsystem wire-up (`MxAccessGalaxyBackend.SubscribeAlarmsAsync` is still a no-op).
+  `OnAlarmEvent` is declared on the backend interface and pushed by the frame handler when
+  raised; `MxAccessGalaxyBackend` just doesn't raise it yet (waits for the alarm-tracking
+  port from v1's `AlarmObjectFilter` + Galaxy alarm primitives).
+- Host-status push (`OnHostStatusChanged`) — declared on the interface and pushed by the
+  frame handler; `MxAccessGalaxyBackend` doesn't raise it (the Galaxy.Host's
+  `HostConnectivityProbe` from v1 needs porting too, scoped under the Historian PR).
+
+## Adversarial review
+
+Quick pass over the PR 4 deltas. No new findings beyond:
+
+- **Low 1** — `MonitorLoopAsync`'s `$Heartbeat` probe item-handle is leaked
+  (`AddItem` succeeds, never `RemoveItem`'d). Cosmetic — the probe item is internal to
+  the COM connection, dies with `Unregister` at disconnect/recycle. Worth a follow-up
+  to call `RemoveItem` after the probe succeeds.
+- **Low 2** — Replay loop in `MonitorLoopAsync` swallows per-subscription failures. If
+  Galaxy permanently rejects a previously-valid reference (rare but possible after a
+  re-deploy), the user gets silent data loss for that one subscription. The stub-handler-
+  unaware operator wouldn't notice. Worth surfacing as a `ConnectionStateChanged(false)
+  → ConnectionStateChanged(true)` payload that includes the replay-failures list.
+
+Both are low-priority follow-ups, not PR 4 blockers.

docs/v2/lmx-followups.md

@@ -0,0 +1,195 @@
+# LMX Galaxy bridge — remaining follow-ups
+
+State after PR 19: the Galaxy driver is functionally at v1 parity through the
+`IDriver` abstraction; the OPC UA server runs with LDAP-authenticated
+Basic256Sha256 endpoints and alarms are observable through
+`AlarmConditionState.ReportEvent`. The items below are what remains LMX-
+specific before the stack can fully replace the v1 deployment, in
+rough priority order.
+
+## 1. Proxy-side `IHistoryProvider` for `ReadAtTime` / `ReadEvents` — **DONE (PRs 35 + 38)**
+
+PR 35 extended `IHistoryProvider` with `ReadAtTimeAsync` + `ReadEventsAsync`
+(default throwing implementations so existing impls keep compiling), added the
+`HistoricalEvent` + `HistoricalEventsResult` records to `Core.Abstractions`,
+and implemented both methods in `GalaxyProxyDriver` on top of the PR 10 / PR 11
+IPC messages.
+
+PR 38 wired the OPC UA HistoryRead service-handler through
+`DriverNodeManager` by overriding `CustomNodeManager2`'s four per-kind hooks —
+`HistoryReadRawModified` / `HistoryReadProcessed` / `HistoryReadAtTime` /
+`HistoryReadEvents`. Each walks `nodesToProcess`, resolves the driver-side
+full reference from `NodeId.Identifier`, dispatches to the right
+`IHistoryProvider` method, and populates the paired results + errors lists
+(both must be set — the MasterNodeManager merges them and a Good result with
+an unset error slot serializes as `BadHistoryOperationUnsupported` on the
+wire). Historized variables gain `AccessLevels.HistoryRead` so the stack
+dispatches; the driver root folder gains `EventNotifiers.HistoryRead` so
+`HistoryReadEvents` can target it.
+
+Aggregate translation uses a small `MapAggregate` helper that handles
+`Average` / `Minimum` / `Maximum` / `Total` / `Count` (the enum surface the
+driver exposes) and returns null for unsupported aggregates so the handler
+can surface `BadAggregateNotSupported`. Raw+Processed+AtTime wrap driver
+samples as `HistoryData` in an `ExtensionObject`; Events emits a
+`HistoryEvent` with the standard BaseEventType field list (EventId /
+SourceName / Message / Severity / Time / ReceiveTime) — custom
+`SelectClause` evaluation is an explicit follow-up.
+
+**Tests**:
+
+- `DriverNodeManagerHistoryMappingTests` — 12 unit cases pinning
+  `MapAggregate`, `BuildHistoryData`, `BuildHistoryEvent`, `ToDataValue`.
+- `HistoryReadIntegrationTests` — 5 end-to-end cases drive a real OPC UA
+  client (`Session.HistoryRead`) against a fake `IHistoryProvider` driver
+  through the running stack. Covers raw round-trip, processed with Average
+  aggregate, unsupported aggregate → `BadAggregateNotSupported`, at-time
+  timestamp forwarding, and events field-list shape.
+
+**Deferred**:
+- Continuation-point plumbing via `Session.Save/RestoreHistoryContinuationPoint`.
+  Driver returns null continuations today so the pass-through is fine.
+- Per-`SelectClause` evaluation in HistoryReadEvents — clients that send a
+  custom field selection currently get the standard BaseEventType layout.
+
+## 2. Write-gating by role — **DONE (PR 26)**
+
+Landed in PR 26. `WriteAuthzPolicy` in `Server/Security/` maps
+`SecurityClassification` → required role (`FreeAccess` → no role required,
+`Operate`/`SecuredWrite` → `WriteOperate`, `Tune` → `WriteTune`,
+`Configure`/`VerifiedWrite` → `WriteConfigure`, `ViewOnly` → deny regardless).
+`DriverNodeManager` caches the classification per variable during discovery and
+checks the session's roles (via `IRoleBearer`) in `OnWriteValue` before calling
+`IWritable.WriteAsync`. Roles do not cascade — a session with `WriteOperate`
+can't write a `Tune` attribute unless it also carries `WriteTune`.
+
+See `feedback_acl_at_server_layer.md` in memory for the architectural directive
+that authz stays at the server layer and never delegates to driver-specific auth.
+
+## 3. Admin UI client-cert trust management — **DONE (PR 28)**
+
+PR 28 shipped `/certificates` in the Admin UI. `CertTrustService` reads the OPC
+UA server's PKI store root (`OpcUaServerOptions.PkiStoreRoot` — default
+`%ProgramData%\OtOpcUa\pki`) and lists rejected + trusted certs by parsing the
+`.der` files directly, so it has no `Opc.Ua` dependency and runs on any
+Admin host that can reach the shared PKI directory.
+
+Operator actions: Trust (moves `rejected/certs/*.der` → `trusted/certs/*.der`),
+Delete rejected, Revoke trust. The OPC UA stack re-reads the trusted store on
+each new client handshake, so no explicit reload signal is needed —
+operators retry the rejected client's connection after trusting.
+
+Deferred: flipping `AutoAcceptUntrustedClientCertificates` to `false` as the
+deployment default. That's a production-hardening config change, not a code
+gap — the Admin UI is now ready to be the trust gate.
+
+## 4. Live-LDAP integration test — **DONE (PR 31)**
+
+PR 31 shipped `Server.Tests/LdapUserAuthenticatorLiveTests.cs` — 6 live-bind
+tests against the dev GLAuth instance at `localhost:3893`, skipped cleanly
+when the port is unreachable. Covers: valid bind, wrong password, unknown
+user, empty credentials, single-group → WriteOperate mapping, multi-group
+admin user surfacing all mapped roles.
+
+Also added `UserNameAttribute` to `LdapOptions` (default `uid` for RFC 2307
+compat) so Active Directory deployments can configure `sAMAccountName` /
+`userPrincipalName` without code changes. `LdapUserAuthenticatorAdCompatTests`
+(5 unit guards) pins the AD-shape DN parsing + filter escape behaviors. See
+`docs/security.md` §"Active Directory configuration" for the AD appsettings
+snippet.
+
+Deferred: asserting `session.Identity` end-to-end on the server side (i.e.
+drive a full OPC UA session with username/password, then read an
+`IHostConnectivityProbe`-style "whoami" node to verify the role surfaced).
+That needs a test-only address-space node and is a separate PR.
+
+## 5. Full Galaxy live-service smoke test against the merged v2 stack — **IN PROGRESS (PRs 36 + 37)**
+
+PR 36 shipped the prerequisites helper (`AvevaPrerequisites`) that probes
+every dependency a live smoke test needs and produces actionable skip
+messages.
+
+PR 37 shipped the live-stack smoke test project structure:
+`tests/Driver.Galaxy.Proxy.Tests/LiveStack/` with `LiveStackFixture` (connects
+to the *already-running* `OtOpcUaGalaxyHost` Windows service via named pipe;
+never spawns the Host process) and `LiveStackSmokeTests` covering:
+
+- Fixture initializes successfully (IPC handshake succeeds end-to-end).
+- Driver reports `DriverState.Healthy` post-handshake.
+- `DiscoverAsync` returns at least one variable from the live Galaxy.
+- `GetHostStatuses` reports at least one Platform/AppEngine host.
+- `ReadAsync` on a discovered variable round-trips through
+  Proxy → Host pipe → MXAccess → back without a BadInternalError.
+
+Shared secret + pipe name resolve from `OTOPCUA_GALAXY_SECRET` /
+`OTOPCUA_GALAXY_PIPE` env vars, falling back to reading the service's
+registry-stored Environment values (requires elevated test host).
+
+**PR 40** added the write + subscribe facts targeting
+`DelmiaReceiver_001.TestAttribute` (the writable Boolean UDA the dev Galaxy
+ships under TestMachine_001) — write-then-read with a 5s scan-window poll +
+restore-on-finally, and subscribe-then-write asserting both an initial-value
+OnDataChange and a post-write OnDataChange. PR 39 added the elevated-shell
+short-circuit so a developer running from an admin window gets an actionable
+skip instead of `UnauthorizedAccessException`.
+
+**Run the live tests** (from a NORMAL non-admin PowerShell):
+
+```powershell
+$env:OTOPCUA_GALAXY_SECRET = Get-Content C:\Users\dohertj2\Desktop\lmxopcua\.local\galaxy-host-secret.txt
+cd C:\Users\dohertj2\Desktop\lmxopcua
+dotnet test tests\ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.Tests --filter "FullyQualifiedName~LiveStackSmokeTests"
+```
+
+Expected: 7/7 pass against the running `OtOpcUaGalaxyHost` service.
+
+**Remaining for #5 in production-grade form**:
+- Confirm the suite passes from a non-elevated shell (operator action).
+- Add similar facts for an alarm-source attribute once `TestMachine_001` (or
+  a sibling) carries a deployed alarm condition — the current dev Galaxy's
+  TestAttribute isn't alarm-flagged.
+
+## 6. Second driver instance on the same server — **DONE (PR 32)**
+
+`Server.Tests/MultipleDriverInstancesIntegrationTests.cs` registers two
+drivers with distinct `DriverInstanceId`s on one `DriverHost`, spins up the
+full OPC UA server, and asserts three behaviors: (1) each driver's namespace
+URI (`urn:OtOpcUa:{id}`) resolves to a distinct index in the client's
+NamespaceUris, (2) browsing one subtree returns that driver's folder and
+does NOT leak the other driver's folder, (3) reads route to the correct
+driver — the alpha instance returns 42 while beta returns 99, so a misroute
+would surface at the assertion layer.
+
+Deferred: the alarm-event multi-driver parity case (two drivers each raising
+a `GalaxyAlarmEvent`, assert each condition lands on its owning instance's
+condition node). Alarm tracking already has its own integration test
+(`AlarmSubscription*`); the multi-driver alarm case would need a stub
+`IAlarmSource` that's worth its own focused PR.
+
+## 7. Host-status per-AppEngine granularity → Admin UI dashboard — **DONE (PRs 33 + 34)**
+
+**PR 33** landed the data layer: `DriverHostStatus` entity + migration with
+composite key `(NodeId, DriverInstanceId, HostName)` and two query-supporting
+indexes (per-cluster drill-down on `NodeId`, stale-row detection on
+`LastSeenUtc`).
+
+**PR 34** wired the publisher + consumer. `HostStatusPublisher` is a
+`BackgroundService` in the Server process that walks every registered
+`IHostConnectivityProbe`-capable driver every 10s, calls
+`GetHostStatuses()`, and upserts rows (`LastSeenUtc` advances each tick;
+`State` + `StateChangedUtc` update on transitions). Admin UI `/hosts` page
+groups by cluster, shows four summary cards (Hosts / Running / Stale /
+Faulted), and flags rows whose `LastSeenUtc` is older than 30s as Stale so
+operators see crashed Servers without waiting for a state change.
+
+Deferred as follow-ups:
+
+- Event-driven push (subscribe to `OnHostStatusChanged` per driver for
+  sub-heartbeat latency). Adds DriverHost lifecycle-event plumbing;
+  10s polling is fine for operator-scale use.
+- Failure-count column — needs the publisher to track a transition history
+  per host, not just current-state.
+- SignalR fan-out to the Admin page (currently the page polls the DB, not
+  a hub). The DB-polled version is fine at current cadence but a hub push
+  would eliminate the 10s race where a new row sits in the DB before the
+  Admin page notices.

docs/v2/modbus-test-plan.md

@@ -0,0 +1,121 @@
+# Modbus driver — test plan + device-quirk catalog
+
+The Modbus TCP driver unit tests (PRs 21–24) cover the protocol surface against an
+in-memory fake transport. They validate the codec, state machine, and function-code
+routing against a textbook Modbus server. That's necessary but not sufficient: real PLC
+populations disagree with the spec in small, device-specific ways, and a driver that
+passes textbook tests can still misbehave against actual equipment.
+
+This doc is the harness-and-quirks playbook. The project it describes lives at
+`tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/` — scaffolded in PR 30 with
+the simulator fixture, DL205 profile stub, and one write/read smoke test. Each
+confirmed DL205 quirk lands in a follow-up PR as a named test in that project.
+
+## Harness
+
+**Chosen simulator: pymodbus 3.13.0** (`pip install 'pymodbus[simulator]==3.13.0'`).
+Replaced ModbusPal in PR 43 — see `tests/.../Pymodbus/README.md` for the
+trade-off rationale. Headline reasons:
+
+- **Headless** pure-Python CLI; no Java GUI, runs cleanly on a CI runner.
+- **Maintained** — current stable 3.13.0; ModbusPal 1.6b is abandoned.
+- **All four standard tables** (HR, IR, coils, DI) configurable; ModbusPal
+  1.6b only exposed HR + coils.
+- **Built-in actions** (`increment`, `random`, `timestamp`, `uptime`) +
+  optional custom-Python actions for declarative dynamic behaviors.
+- **Per-register raw uint16 seeding** — encoding the DL205 string-byte-order
+  / BCD / CDAB-float quirks stays explicit (the quirk math lives in the
+  `_quirk` JSON-comment fields next to each register).
+- Pip-installable on Windows; sidesteps the privileged-port admin
+  requirement by defaulting to TCP **5020** instead of 502.
+
+**Setup pattern**:
+1. `pip install "pymodbus[simulator]==3.13.0"`.
+2. Start the simulator with one of the in-repo profiles:
+   `tests\.../Pymodbus\serve.ps1 -Profile standard` (or `-Profile dl205`).
+3. `dotnet test tests\ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests` —
+   tests auto-skip when the endpoint is unreachable. Default endpoint is
+   `localhost:5020`; override via `MODBUS_SIM_ENDPOINT` for a real PLC on its
+   native port 502.
+
+## Per-device quirk catalog
+
+### AutomationDirect DL205 / DL260
+
+First known target device family. **Full quirk catalog with primary-source citations
+and per-quirk integration-test names lives at [`dl205.md`](dl205.md)** — that doc is
+the reference; this section is the testing roadmap.
+
+Confirmed quirks (priority order — top items are highest-impact for our driver
+and ship first as PR 41+):
+
+| Quirk | Driver impact | Integration-test name |
+|---|---|---|
+| **String packing**: 2 chars/register, **first char in low byte** (opposite of generic Modbus) | `ModbusDataType.String` decoder must be configurable per-device family — current code assumes high-byte-first | `DL205_String_low_byte_first_within_register` |
+| **Word order CDAB** for Int32/UInt32/Float32 | Already configurable via `ModbusByteOrder.WordSwap`; default per device profile | `DL205_Int32_word_order_is_CDAB` |
+| **BCD-as-default** numeric storage (only IEEE 754 when ladder uses `R` type) | New decoder mode — register reads as `0x1234` for ladder value `1234`, not as decimal `4660` | `DL205_BCD_register_decodes_as_hex_nibbles` |
+| **FC16 capped at 100 registers** (below the spec's 123) | Bulk-write batching must cap per-device-family | `DL205_FC16_101_registers_returns_IllegalDataValue` |
+| **FC03/04 capped at 128** (above the spec's 125) | Less impactful — clients that respect the spec's 125 stay safe | `DL205_FC03_129_registers_returns_IllegalDataValue` |
+| **V-memory octal-to-decimal addressing** (V2000 octal → 0x0400 decimal) | New address-format helper in profile config so operators can write `V2000` instead of computing `1024` themselves | `DL205_Vmem_V2000_maps_to_PDU_0x0400` |
+| **C-relay → coil 3072 / Y-output → coil 2048** offsets | Hard-coded constants in DL205 device profile | `DL205_C0_maps_to_coil_3072`, `DL205_Y0_maps_to_coil_2048` |
+| **Register 0 is valid** (rejects-register-0 rumour was DL05/DL06 relative-mode artefact) | None — current default is safe | `DL205_FC03_register_0_returns_V0_contents` |
+| **Max 4 simultaneous TCP clients** on H2-ECOM100 | Connect-time: handle TCP-accept failure with a clearer error message | `DL205_5th_TCP_connection_refused` |
+| **No TCP keepalive** | Driver-side periodic-probe (already wired via `IHostConnectivityProbe`) | _Covered by existing `ModbusProbeTests`_ |
+| **No mid-stream resync on malformed MBAP** | Already covered — single-flight + reconnect-on-error | _Covered by existing `ModbusDriverTests`_ |
+| **Write-protect exception code: `02` newer / `04` older** | Translate either to `BadNotWritable` | `DL205_FC06_in_ProgramMode_returns_ServerFailure` |
+
+_Operator-reported / unconfirmed_ — covered defensively in the driver but no
+integration tests until reproduced on hardware:
+- TxId drop under load (forum rumour; not reproduced).
+- Pre-2004 firmware ABCD word order (every shipped DL205/DL260 since 2004 is CDAB).
+
+### Future devices
+
+One section per device class, same shape as DL205. Quirks that apply across
+multiple devices (e.g., "all AB PLCs use CDAB") can be noted in the cross-device
+patterns section below once we have enough data points.
+
+## Cross-device patterns
+
+Once multiple device catalogs accumulate, quirks that recur across two or more
+vendors get promoted into driver defaults or opt-in options:
+
+- _(empty — filled in as catalogs grow)_
+
+## Test conventions
+
+- **One named test per quirk.** `DL205_word_order_is_CDAB_for_Float32` is easier to
+  diagnose on failure than a generic `Float32_roundtrip`. The `DL205_` prefix makes
+  filtering by device class trivial (`--filter "DisplayName~DL205"`).
+- **Skip with a clear SkipReason.** Follow the pattern from
+  `GalaxyRepositoryLiveSmokeTests`: check reachability in the fixture, capture
+  a `SkipReason` string, and have each test call `Assert.Skip(SkipReason)` when
+  it's set. Don't throw — skipped tests read cleanly in CI logs.
+- **Use the real `ModbusTcpTransport`.** Integration tests exercise the wire
+  protocol end-to-end. The in-memory `FakeTransport` from the unit test suite is
+  deliberately not used here — its value is speed + determinism, which doesn't
+  help reproduce device-specific issues.
+- **Don't depend on simulator state between tests.** Each test resets the
+  simulator's register bank or uses a unique address range. Avoid relying on
+  "previous test left value at register 10" setups that flake when tests run in
+  parallel or re-order. Either the test mutates the scratch ranges and restores
+  on finally, or it uses pymodbus's REST API to reset state between facts.
+
+## Next concrete PRs
+
+- **PR 30 — Integration test project + DL205 profile scaffold** — **DONE**.
+  Shipped `tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests` with
+  `ModbusSimulatorFixture` (TCP-probe, skips with a clear `SkipReason` when the
+  endpoint is unreachable), `DL205/DL205Profile.cs` (tag map stub), and
+  `DL205/DL205SmokeTests.cs` (write-then-read round-trip).
+- **PR 41 — DL205 quirk catalog doc** — **DONE**. `docs/v2/dl205.md`
+  documents every DL205/DL260 Modbus divergence with primary-source citations.
+- **PR 42 — ModbusPal `.xmpp` profiles** — **SUPERSEDED by PR 43**. Replaced
+  with pymodbus JSON because ModbusPal 1.6b is abandoned, GUI-only, and only
+  exposes 2 of the 4 standard tables.
+- **PR 43 — pymodbus JSON profiles** — **DONE**. `Pymodbus/standard.json` +
+  `Pymodbus/dl205.json` + `Pymodbus/serve.ps1` runner. Both bind TCP 5020.
+- **PR 44+**: one PR per confirmed DL205 quirk, landing the named test + any
+  driver-side adjustment (string byte order, BCD decoder, V-memory address
+  helper, FC16 cap-per-device-family) needed to pass it. Each quirk's value
+  is already pre-encoded in `Pymodbus/dl205.json`.

src/ZB.MOM.WW.OtOpcUa.Admin/Components/Layout/MainLayout.razor

@@ -5,15 +5,18 @@
         <h5 class="mb-4">OtOpcUa Admin</h5>
         <ul class="nav flex-column">
             <li class="nav-item"><a class="nav-link text-light" href="/">Overview</a></li>
+            <li class="nav-item"><a class="nav-link text-light" href="/fleet">Fleet status</a></li>
+            <li class="nav-item"><a class="nav-link text-light" href="/hosts">Host status</a></li>
             <li class="nav-item"><a class="nav-link text-light" href="/clusters">Clusters</a></li>
             <li class="nav-item"><a class="nav-link text-light" href="/reservations">Reservations</a></li>
+            <li class="nav-item"><a class="nav-link text-light" href="/certificates">Certificates</a></li>
         </ul>
 
         <div class="mt-5">
             <AuthorizeView>
                 <Authorized>
                     <div class="small text-light">
-                        Signed in as <strong>@context.User.Identity?.Name</strong>
+                        Signed in as <a class="text-light" href="/account"><strong>@context.User.Identity?.Name</strong></a>
                     </div>
                     <div class="small text-muted">
                         @string.Join(", ", context.User.Claims.Where(c => c.Type.EndsWith("/role")).Select(c => c.Value))

src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Account.razor

@@ -0,0 +1,129 @@
+@page "/account"
+@attribute [Microsoft.AspNetCore.Authorization.Authorize]
+@using System.Security.Claims
+@using ZB.MOM.WW.OtOpcUa.Admin.Services
+
+<h1 class="mb-4">My account</h1>
+
+<AuthorizeView>
+    <Authorized>
+        @{
+            var username = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value ?? "—";
+            var displayName = context.User.Identity?.Name ?? "—";
+            var roles = context.User.Claims
+                .Where(c => c.Type == ClaimTypes.Role).Select(c => c.Value).ToList();
+            var ldapGroups = context.User.Claims
+                .Where(c => c.Type == "ldap_group").Select(c => c.Value).ToList();
+        }
+
+        <div class="row g-4">
+            <div class="col-md-6">
+                <div class="card">
+                    <div class="card-body">
+                        <h5 class="card-title">Identity</h5>
+                        <dl class="row mb-0">
+                            <dt class="col-sm-4">Username</dt><dd class="col-sm-8"><code>@username</code></dd>
+                            <dt class="col-sm-4">Display name</dt><dd class="col-sm-8">@displayName</dd>
+                        </dl>
+                    </div>
+                </div>
+            </div>
+
+            <div class="col-md-6">
+                <div class="card">
+                    <div class="card-body">
+                        <h5 class="card-title">Admin roles</h5>
+                        @if (roles.Count == 0)
+                        {
+                            <p class="text-muted mb-0">No Admin roles mapped — sign-in would have been blocked, so if you're seeing this, the session claim is likely stale.</p>
+                        }
+                        else
+                        {
+                            <div class="mb-2">
+                                @foreach (var r in roles)
+                                {
+                                    <span class="badge bg-primary me-1">@r</span>
+                                }
+                            </div>
+                            <small class="text-muted">LDAP groups: @(ldapGroups.Count == 0 ? "(none surfaced)" : string.Join(", ", ldapGroups))</small>
+                        }
+                    </div>
+                </div>
+            </div>
+
+            <div class="col-12">
+                <div class="card">
+                    <div class="card-body">
+                        <h5 class="card-title">Capabilities</h5>
+                        <p class="text-muted small">
+                            Each Admin role grants a fixed capability set per <code>admin-ui.md</code> §Admin Roles.
+                            Pages below reflect what this session can access; the route's <code>[Authorize]</code> guard
+                            is the ground truth — this table mirrors it for readability.
+                        </p>
+                        <table class="table table-sm align-middle mb-0">
+                            <thead>
+                                <tr>
+                                    <th>Capability</th>
+                                    <th>Required role(s)</th>
+                                    <th class="text-end">You have it?</th>
+                                </tr>
+                            </thead>
+                            <tbody>
+                            @foreach (var cap in Capabilities)
+                            {
+                                var has = cap.RequiredRoles.Any(r => roles.Contains(r, StringComparer.OrdinalIgnoreCase));
+                                <tr>
+                                    <td>@cap.Name<br /><small class="text-muted">@cap.Description</small></td>
+                                    <td>@string.Join(" or ", cap.RequiredRoles)</td>
+                                    <td class="text-end">
+                                        @if (has)
+                                        {
+                                            <span class="badge bg-success">Yes</span>
+                                        }
+                                        else
+                                        {
+                                            <span class="badge bg-secondary">No</span>
+                                        }
+                                    </td>
+                                </tr>
+                            }
+                            </tbody>
+                        </table>
+                    </div>
+                </div>
+            </div>
+        </div>
+
+        <div class="mt-4">
+            <form method="post" action="/auth/logout">
+                <button class="btn btn-outline-danger" type="submit">Sign out</button>
+            </form>
+        </div>
+    </Authorized>
+</AuthorizeView>
+
+@code {
+    private sealed record Capability(string Name, string Description, string[] RequiredRoles);
+
+    // Kept in sync with Program.cs authorization policies + each page's [Authorize] attribute.
+    // When a new page or policy is added, extend this list so operators can self-service check
+    // whether their session has access without trial-and-error navigation.
+    private static readonly IReadOnlyList<Capability> Capabilities =
+    [
+        new("View clusters + fleet status",
+            "Read-only access to the cluster list, fleet dashboard, and generation history.",
+            [AdminRoles.ConfigViewer, AdminRoles.ConfigEditor, AdminRoles.FleetAdmin]),
+        new("Edit configuration drafts",
+            "Create and edit draft generations, manage namespace bindings and node ACLs. CanEdit policy.",
+            [AdminRoles.ConfigEditor, AdminRoles.FleetAdmin]),
+        new("Publish generations",
+            "Promote a draft to Published — triggers node roll-out. CanPublish policy.",
+            [AdminRoles.FleetAdmin]),
+        new("Manage certificate trust",
+            "Trust rejected client certs + revoke trust. FleetAdmin-only because the trust decision gates OPC UA client access.",
+            [AdminRoles.FleetAdmin]),
+        new("Manage external-ID reservations",
+            "Reserve / release external IDs that map into Galaxy contained names.",
+            [AdminRoles.ConfigEditor, AdminRoles.FleetAdmin]),
+    ];
+}

src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Certificates.razor

@@ -0,0 +1,154 @@
+@page "/certificates"
+@attribute [Microsoft.AspNetCore.Authorization.Authorize(Roles = AdminRoles.FleetAdmin)]
+@using ZB.MOM.WW.OtOpcUa.Admin.Services
+@inject CertTrustService Certs
+@inject AuthenticationStateProvider AuthState
+@inject ILogger<Certificates> Log
+
+<h1 class="mb-4">Certificate trust</h1>
+
+<div class="alert alert-info small mb-4">
+    PKI store root <code>@Certs.PkiStoreRoot</code>. Trusting a rejected cert moves the file into the trusted store — the OPC UA server picks up the change on the next client handshake, so operators should retry the rejected client's connection after trusting.
+</div>
+
+@if (_status is not null)
+{
+    <div class="alert alert-@_statusKind alert-dismissible">
+        @_status
+        <button type="button" class="btn-close" @onclick="ClearStatus"></button>
+    </div>
+}
+
+<h2 class="h4">Rejected (@_rejected.Count)</h2>
+@if (_rejected.Count == 0)
+{
+    <p class="text-muted">No rejected certificates. Clients that fail to handshake with an untrusted cert land here.</p>
+}
+else
+{
+    <table class="table table-sm align-middle">
+        <thead><tr><th>Subject</th><th>Issuer</th><th>Thumbprint</th><th>Valid</th><th class="text-end">Actions</th></tr></thead>
+        <tbody>
+        @foreach (var c in _rejected)
+        {
+            <tr>
+                <td>@c.Subject</td>
+                <td>@c.Issuer</td>
+                <td><code class="small">@c.Thumbprint</code></td>
+                <td class="small">@c.NotBefore.ToString("yyyy-MM-dd") → @c.NotAfter.ToString("yyyy-MM-dd")</td>
+                <td class="text-end">
+                    <button class="btn btn-sm btn-success me-1" @onclick="() => TrustAsync(c)">Trust</button>
+                    <button class="btn btn-sm btn-outline-danger" @onclick="() => DeleteRejectedAsync(c)">Delete</button>
+                </td>
+            </tr>
+        }
+        </tbody>
+    </table>
+}
+
+<h2 class="h4 mt-5">Trusted (@_trusted.Count)</h2>
+@if (_trusted.Count == 0)
+{
+    <p class="text-muted">No client certs have been explicitly trusted. The server's own application cert lives in <code>own/</code> and is not listed here.</p>
+}
+else
+{
+    <table class="table table-sm align-middle">
+        <thead><tr><th>Subject</th><th>Issuer</th><th>Thumbprint</th><th>Valid</th><th class="text-end">Actions</th></tr></thead>
+        <tbody>
+        @foreach (var c in _trusted)
+        {
+            <tr>
+                <td>@c.Subject</td>
+                <td>@c.Issuer</td>
+                <td><code class="small">@c.Thumbprint</code></td>
+                <td class="small">@c.NotBefore.ToString("yyyy-MM-dd") → @c.NotAfter.ToString("yyyy-MM-dd")</td>
+                <td class="text-end">
+                    <button class="btn btn-sm btn-outline-danger" @onclick="() => UntrustAsync(c)">Revoke</button>
+                </td>
+            </tr>
+        }
+        </tbody>
+    </table>
+}
+
+@code {
+    private IReadOnlyList<CertInfo> _rejected = [];
+    private IReadOnlyList<CertInfo> _trusted = [];
+    private string? _status;
+    private string _statusKind = "success";
+
+    protected override void OnInitialized() => Reload();
+
+    private void Reload()
+    {
+        _rejected = Certs.ListRejected();
+        _trusted = Certs.ListTrusted();
+    }
+
+    private async Task TrustAsync(CertInfo c)
+    {
+        if (Certs.TrustRejected(c.Thumbprint))
+        {
+            await LogActionAsync("cert.trust", c);
+            Set($"Trusted cert {c.Subject} ({Short(c.Thumbprint)}).", "success");
+        }
+        else
+        {
+            Set($"Could not trust {Short(c.Thumbprint)} — file missing; another admin may have already handled it.", "warning");
+        }
+        Reload();
+    }
+
+    private async Task DeleteRejectedAsync(CertInfo c)
+    {
+        if (Certs.DeleteRejected(c.Thumbprint))
+        {
+            await LogActionAsync("cert.delete.rejected", c);
+            Set($"Deleted rejected cert {c.Subject} ({Short(c.Thumbprint)}).", "success");
+        }
+        else
+        {
+            Set($"Could not delete {Short(c.Thumbprint)} — file missing.", "warning");
+        }
+        Reload();
+    }
+
+    private async Task UntrustAsync(CertInfo c)
+    {
+        if (Certs.UntrustCert(c.Thumbprint))
+        {
+            await LogActionAsync("cert.untrust", c);
+            Set($"Revoked trust for {c.Subject} ({Short(c.Thumbprint)}).", "success");
+        }
+        else
+        {
+            Set($"Could not revoke {Short(c.Thumbprint)} — file missing.", "warning");
+        }
+        Reload();
+    }
+
+    private async Task LogActionAsync(string action, CertInfo c)
+    {
+        // Cert trust changes are operator-initiated and security-sensitive — Serilog captures the
+        // user + thumbprint trail. CertTrustService also logs at Information on each filesystem
+        // move/delete; this line ties the action to the authenticated admin user so the two logs
+        // correlate. DB-level ConfigAuditLog persistence is deferred — its schema is
+        // cluster-scoped and cert actions are cluster-agnostic.
+        var state = await AuthState.GetAuthenticationStateAsync();
+        var user = state.User.Identity?.Name ?? "(anonymous)";
+        Log.LogInformation("Admin cert action: user={User} action={Action} thumbprint={Thumbprint} subject={Subject}",
+            user, action, c.Thumbprint, c.Subject);
+    }
+
+    private void Set(string message, string kind)
+    {
+        _status = message;
+        _statusKind = kind;
+    }
+
+    private void ClearStatus() => _status = null;
+
+    private static string Short(string thumbprint) =>
+        thumbprint.Length > 12 ? thumbprint[..12] + "…" : thumbprint;
+}

src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Fleet.razor

@@ -0,0 +1,172 @@
+@page "/fleet"
+@using Microsoft.EntityFrameworkCore
+@using ZB.MOM.WW.OtOpcUa.Configuration
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@inject IServiceScopeFactory ScopeFactory
+@implements IDisposable
+
+<h1 class="mb-4">Fleet status</h1>
+
+<div class="d-flex align-items-center mb-3 gap-2">
+    <button class="btn btn-sm btn-outline-primary" @onclick="RefreshAsync" disabled="@_refreshing">
+        @if (_refreshing) { <span class="spinner-border spinner-border-sm me-1" /> }
+        Refresh
+    </button>
+    <span class="text-muted small">
+        Auto-refresh every @RefreshIntervalSeconds s. Last updated: @(_lastRefreshUtc?.ToString("HH:mm:ss 'UTC'") ?? "—")
+    </span>
+</div>
+
+@if (_rows is null)
+{
+    <p>Loading…</p>
+}
+else if (_rows.Count == 0)
+{
+    <div class="alert alert-info">
+        No node state recorded yet. Nodes publish their state to the central DB on each poll; if
+        this list is empty, either no nodes have been registered or the poller hasn't run yet.
+    </div>
+}
+else
+{
+    <div class="row g-3 mb-4">
+        <div class="col-md-3">
+            <div class="card"><div class="card-body">
+                <h6 class="text-muted mb-1">Nodes</h6>
+                <div class="fs-3">@_rows.Count</div>
+            </div></div>
+        </div>
+        <div class="col-md-3">
+            <div class="card border-success"><div class="card-body">
+                <h6 class="text-muted mb-1">Applied</h6>
+                <div class="fs-3 text-success">@_rows.Count(r => r.Status == "Applied")</div>
+            </div></div>
+        </div>
+        <div class="col-md-3">
+            <div class="card border-warning"><div class="card-body">
+                <h6 class="text-muted mb-1">Stale</h6>
+                <div class="fs-3 text-warning">@_rows.Count(r => IsStale(r))</div>
+            </div></div>
+        </div>
+        <div class="col-md-3">
+            <div class="card border-danger"><div class="card-body">
+                <h6 class="text-muted mb-1">Failed</h6>
+                <div class="fs-3 text-danger">@_rows.Count(r => r.Status == "Failed")</div>
+            </div></div>
+        </div>
+    </div>
+
+    <table class="table table-hover align-middle">
+        <thead>
+            <tr>
+                <th>Node</th>
+                <th>Cluster</th>
+                <th>Generation</th>
+                <th>Status</th>
+                <th>Last applied</th>
+                <th>Last seen</th>
+                <th>Error</th>
+            </tr>
+        </thead>
+        <tbody>
+        @foreach (var r in _rows)
+        {
+            <tr class="@RowClass(r)">
+                <td><code>@r.NodeId</code></td>
+                <td>@r.ClusterId</td>
+                <td>@(r.GenerationId?.ToString() ?? "—")</td>
+                <td>
+                    <span class="badge @StatusBadge(r.Status)">@(r.Status ?? "—")</span>
+                </td>
+                <td>@FormatAge(r.AppliedAt)</td>
+                <td class="@(IsStale(r) ? "text-warning" : "")">@FormatAge(r.SeenAt)</td>
+                <td class="text-truncate" style="max-width: 320px;" title="@r.Error">@r.Error</td>
+            </tr>
+        }
+        </tbody>
+    </table>
+}
+
+@code {
+    // Refresh cadence. 5s matches FleetStatusPoller's poll interval — the dashboard always sees
+    // the most recent published state without polling ahead of the broadcaster.
+    private const int RefreshIntervalSeconds = 5;
+
+    private List<FleetNodeRow>? _rows;
+    private bool _refreshing;
+    private DateTime? _lastRefreshUtc;
+    private Timer? _timer;
+
+    protected override async Task OnInitializedAsync()
+    {
+        await RefreshAsync();
+        _timer = new Timer(async _ => await InvokeAsync(RefreshAsync),
+            state: null,
+            dueTime: TimeSpan.FromSeconds(RefreshIntervalSeconds),
+            period: TimeSpan.FromSeconds(RefreshIntervalSeconds));
+    }
+
+    private async Task RefreshAsync()
+    {
+        if (_refreshing) return;
+        _refreshing = true;
+        try
+        {
+            using var scope = ScopeFactory.CreateScope();
+            var db = scope.ServiceProvider.GetRequiredService<OtOpcUaConfigDbContext>();
+            var rows = await db.ClusterNodeGenerationStates.AsNoTracking()
+                .Join(db.ClusterNodes.AsNoTracking(), s => s.NodeId, n => n.NodeId, (s, n) => new FleetNodeRow(
+                    s.NodeId, n.ClusterId, s.CurrentGenerationId,
+                    s.LastAppliedStatus != null ? s.LastAppliedStatus.ToString() : null,
+                    s.LastAppliedError, s.LastAppliedAt, s.LastSeenAt))
+                .OrderBy(r => r.ClusterId)
+                .ThenBy(r => r.NodeId)
+                .ToListAsync();
+            _rows = rows;
+            _lastRefreshUtc = DateTime.UtcNow;
+        }
+        finally
+        {
+            _refreshing = false;
+            StateHasChanged();
+        }
+    }
+
+    private static bool IsStale(FleetNodeRow r)
+    {
+        if (r.SeenAt is null) return true;
+        return (DateTime.UtcNow - r.SeenAt.Value) > TimeSpan.FromSeconds(30);
+    }
+
+    private static string RowClass(FleetNodeRow r) => r.Status switch
+    {
+        "Failed" => "table-danger",
+        _ when IsStale(r) => "table-warning",
+        _ => "",
+    };
+
+    private static string StatusBadge(string? status) => status switch
+    {
+        "Applied" => "bg-success",
+        "Failed" => "bg-danger",
+        "Applying" => "bg-info",
+        _ => "bg-secondary",
+    };
+
+    private static string FormatAge(DateTime? t)
+    {
+        if (t is null) return "—";
+        var age = DateTime.UtcNow - t.Value;
+        if (age.TotalSeconds < 60) return $"{(int)age.TotalSeconds}s ago";
+        if (age.TotalMinutes < 60) return $"{(int)age.TotalMinutes}m ago";
+        if (age.TotalHours < 24) return $"{(int)age.TotalHours}h ago";
+        return t.Value.ToString("yyyy-MM-dd HH:mm 'UTC'");
+    }
+
+    public void Dispose() => _timer?.Dispose();
+
+    internal sealed record FleetNodeRow(
+        string NodeId, string ClusterId, long? GenerationId,
+        string? Status, string? Error, DateTime? AppliedAt, DateTime? SeenAt);
+}

src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Hosts.razor

@@ -0,0 +1,160 @@
+@page "/hosts"
+@using Microsoft.EntityFrameworkCore
+@using ZB.MOM.WW.OtOpcUa.Admin.Services
+@using ZB.MOM.WW.OtOpcUa.Configuration.Enums
+@inject IServiceScopeFactory ScopeFactory
+@implements IDisposable
+
+<h1 class="mb-4">Driver host status</h1>
+
+<div class="d-flex align-items-center mb-3 gap-2">
+    <button class="btn btn-sm btn-outline-primary" @onclick="RefreshAsync" disabled="@_refreshing">
+        @if (_refreshing) { <span class="spinner-border spinner-border-sm me-1" /> }
+        Refresh
+    </button>
+    <span class="text-muted small">
+        Auto-refresh every @RefreshIntervalSeconds s. Last updated: @(_lastRefreshUtc?.ToString("HH:mm:ss 'UTC'") ?? "—")
+    </span>
+</div>
+
+<div class="alert alert-info small mb-4">
+    Each row is one host reported by a driver instance on a server node. Galaxy drivers report
+    per-Platform / per-AppEngine entries; Modbus drivers report the PLC endpoint. Rows age out
+    of the Server's publisher on every 10-second heartbeat — rows whose LastSeen is older than
+    30s are flagged Stale, which usually means the owning Server process has crashed or lost
+    its DB connection.
+</div>
+
+@if (_rows is null)
+{
+    <p>Loading…</p>
+}
+else if (_rows.Count == 0)
+{
+    <div class="alert alert-secondary">
+        No host-status rows yet. The Server publishes its first tick 2s after startup; if this list stays empty, check that the Server is running and the driver implements <code>IHostConnectivityProbe</code>.
+    </div>
+}
+else
+{
+    <div class="row g-3 mb-4">
+        <div class="col-md-3"><div class="card"><div class="card-body">
+            <h6 class="text-muted mb-1">Hosts</h6>
+            <div class="fs-3">@_rows.Count</div>
+        </div></div></div>
+        <div class="col-md-3"><div class="card border-success"><div class="card-body">
+            <h6 class="text-muted mb-1">Running</h6>
+            <div class="fs-3 text-success">@_rows.Count(r => r.State == DriverHostState.Running && !HostStatusService.IsStale(r))</div>
+        </div></div></div>
+        <div class="col-md-3"><div class="card border-warning"><div class="card-body">
+            <h6 class="text-muted mb-1">Stale</h6>
+            <div class="fs-3 text-warning">@_rows.Count(HostStatusService.IsStale)</div>
+        </div></div></div>
+        <div class="col-md-3"><div class="card border-danger"><div class="card-body">
+            <h6 class="text-muted mb-1">Faulted</h6>
+            <div class="fs-3 text-danger">@_rows.Count(r => r.State == DriverHostState.Faulted)</div>
+        </div></div></div>
+    </div>
+
+    @foreach (var cluster in _rows.GroupBy(r => r.ClusterId ?? "(unassigned)").OrderBy(g => g.Key))
+    {
+        <h2 class="h5 mt-4">Cluster: <code>@cluster.Key</code></h2>
+        <table class="table table-sm table-hover align-middle">
+            <thead>
+                <tr>
+                    <th>Node</th>
+                    <th>Driver</th>
+                    <th>Host</th>
+                    <th>State</th>
+                    <th>Last transition</th>
+                    <th>Last seen</th>
+                    <th>Detail</th>
+                </tr>
+            </thead>
+            <tbody>
+            @foreach (var r in cluster)
+            {
+                <tr class="@RowClass(r)">
+                    <td><code>@r.NodeId</code></td>
+                    <td><code>@r.DriverInstanceId</code></td>
+                    <td>@r.HostName</td>
+                    <td>
+                        <span class="badge @StateBadge(r.State)">@r.State</span>
+                        @if (HostStatusService.IsStale(r))
+                        {
+                            <span class="badge bg-warning text-dark ms-1">Stale</span>
+                        }
+                    </td>
+                    <td class="small">@FormatAge(r.StateChangedUtc)</td>
+                    <td class="small @(HostStatusService.IsStale(r) ? "text-warning" : "")">@FormatAge(r.LastSeenUtc)</td>
+                    <td class="text-truncate small" style="max-width: 320px;" title="@r.Detail">@r.Detail</td>
+                </tr>
+            }
+            </tbody>
+        </table>
+    }
+}
+
+@code {
+    // Mirrors HostStatusPublisher.HeartbeatInterval — polling ahead of the broadcaster
+    // produces stale-looking rows mid-cycle.
+    private const int RefreshIntervalSeconds = 10;
+
+    private List<HostStatusRow>? _rows;
+    private bool _refreshing;
+    private DateTime? _lastRefreshUtc;
+    private Timer? _timer;
+
+    protected override async Task OnInitializedAsync()
+    {
+        await RefreshAsync();
+        _timer = new Timer(async _ => await InvokeAsync(RefreshAsync),
+            state: null,
+            dueTime: TimeSpan.FromSeconds(RefreshIntervalSeconds),
+            period: TimeSpan.FromSeconds(RefreshIntervalSeconds));
+    }
+
+    private async Task RefreshAsync()
+    {
+        if (_refreshing) return;
+        _refreshing = true;
+        try
+        {
+            using var scope = ScopeFactory.CreateScope();
+            var svc = scope.ServiceProvider.GetRequiredService<HostStatusService>();
+            _rows = (await svc.ListAsync()).ToList();
+            _lastRefreshUtc = DateTime.UtcNow;
+        }
+        finally
+        {
+            _refreshing = false;
+            StateHasChanged();
+        }
+    }
+
+    private static string RowClass(HostStatusRow r) => r.State switch
+    {
+        DriverHostState.Faulted => "table-danger",
+        _ when HostStatusService.IsStale(r) => "table-warning",
+        _ => "",
+    };
+
+    private static string StateBadge(DriverHostState s) => s switch
+    {
+        DriverHostState.Running => "bg-success",
+        DriverHostState.Stopped => "bg-secondary",
+        DriverHostState.Faulted => "bg-danger",
+        _ => "bg-secondary",
+    };
+
+    private static string FormatAge(DateTime t)
+    {
+        var age = DateTime.UtcNow - t;
+        if (age.TotalSeconds < 60) return $"{(int)age.TotalSeconds}s ago";
+        if (age.TotalMinutes < 60) return $"{(int)age.TotalMinutes}m ago";
+        if (age.TotalHours < 24) return $"{(int)age.TotalHours}h ago";
+        return t.ToString("yyyy-MM-dd HH:mm 'UTC'");
+    }
+
+    public void Dispose() => _timer?.Dispose();
+}

src/ZB.MOM.WW.OtOpcUa.Admin/Program.cs

@@ -47,6 +47,13 @@ builder.Services.AddScoped<NodeAclService>();
 builder.Services.AddScoped<ReservationService>();
 builder.Services.AddScoped<DraftValidationService>();
 builder.Services.AddScoped<AuditLogService>();
+builder.Services.AddScoped<HostStatusService>();
+
+// Cert-trust management — reads the OPC UA server's PKI store root so rejected client certs
+// can be promoted to trusted via the Admin UI. Singleton: no per-request state, just
+// filesystem operations.
+builder.Services.Configure<CertTrustOptions>(builder.Configuration.GetSection(CertTrustOptions.SectionName));
+builder.Services.AddSingleton<CertTrustService>();
 
 // LDAP auth — parity with ScadaLink's LdapAuthService (decision #102).
 builder.Services.Configure<LdapOptions>(

src/ZB.MOM.WW.OtOpcUa.Admin/Services/CertTrustOptions.cs

@@ -0,0 +1,22 @@
+namespace ZB.MOM.WW.OtOpcUa.Admin.Services;
+
+/// <summary>
+///     Points the Admin UI at the OPC UA Server's PKI store root so
+///     <see cref="CertTrustService"/> can list and move certs between the
+///     <c>rejected/</c> and <c>trusted/</c> directories the server maintains. Must match the
+///     <c>OpcUaServer:PkiStoreRoot</c> the Server process is configured with.
+/// </summary>
+public sealed class CertTrustOptions
+{
+    public const string SectionName = "CertTrust";
+
+    /// <summary>
+    ///     Absolute path to the PKI root. Defaults to
+    ///     <c>%ProgramData%\OtOpcUa\pki</c> — matches <c>OpcUaServerOptions.PkiStoreRoot</c>'s
+    ///     default so a standard side-by-side install needs no override.
+    /// </summary>
+    public string PkiStoreRoot { get; init; } =
+        Path.Combine(
+            Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData),
+            "OtOpcUa", "pki");
+}

src/ZB.MOM.WW.OtOpcUa.Admin/Services/CertTrustService.cs

@@ -0,0 +1,135 @@
+using System.Security.Cryptography.X509Certificates;
+using Microsoft.Extensions.Options;
+
+namespace ZB.MOM.WW.OtOpcUa.Admin.Services;
+
+/// <summary>
+///     Metadata for a certificate file found in one of the OPC UA server's PKI stores. The
+///     <see cref="FilePath"/> is the absolute path of the DER/CRT file the stack created when it
+///     rejected the cert (for <see cref="CertStoreKind.Rejected"/>) or when an operator trusted
+///     it (for <see cref="CertStoreKind.Trusted"/>).
+/// </summary>
+public sealed record CertInfo(
+    string Thumbprint,
+    string Subject,
+    string Issuer,
+    DateTime NotBefore,
+    DateTime NotAfter,
+    string FilePath,
+    CertStoreKind Store);
+
+public enum CertStoreKind
+{
+    Rejected,
+    Trusted,
+}
+
+/// <summary>
+///     Filesystem-backed view over the OPC UA server's PKI store. The Opc.Ua stack uses a
+///     Directory-typed store — each cert is a <c>.der</c> file under <c>{root}/{store}/certs/</c>
+///     with a filename derived from subject + thumbprint. This service exposes operators for the
+///     Admin UI: list rejected, list trusted, trust a rejected cert (move to trusted), remove a
+///     rejected cert (delete), untrust a previously trusted cert (delete from trusted).
+/// </summary>
+/// <remarks>
+///     The Admin process is separate from the Server process; this service deliberately has no
+///     Opc.Ua dependency — it works on the on-disk layout directly so it can run on the Admin
+///     host even when the Server isn't installed locally, as long as the PKI root is reachable
+///     (typical deployment has Admin + Server side-by-side on the same machine).
+///
+///     Trust/untrust requires the Server to re-read its trust list. The Opc.Ua stack re-reads
+///     the Directory store on each new incoming connection, so there's no explicit signal
+///     needed — the next client handshake picks up the change. Operators should retry the
+///     rejected client's connection after trusting.
+/// </remarks>
+public sealed class CertTrustService
+{
+    private readonly CertTrustOptions _options;
+    private readonly ILogger<CertTrustService> _logger;
+
+    public CertTrustService(IOptions<CertTrustOptions> options, ILogger<CertTrustService> logger)
+    {
+        _options = options.Value;
+        _logger = logger;
+    }
+
+    public string PkiStoreRoot => _options.PkiStoreRoot;
+
+    public IReadOnlyList<CertInfo> ListRejected() => ListStore(CertStoreKind.Rejected);
+    public IReadOnlyList<CertInfo> ListTrusted() => ListStore(CertStoreKind.Trusted);
+
+    /// <summary>
+    ///     Move the cert with <paramref name="thumbprint"/> from the rejected store to the
+    ///     trusted store. No-op returns false if the rejected file doesn't exist (already moved
+    ///     by another operator, or thumbprint mismatch). Overwrites an existing trusted copy
+    ///     silently — idempotent.
+    /// </summary>
+    public bool TrustRejected(string thumbprint)
+    {
+        var cert = FindInStore(CertStoreKind.Rejected, thumbprint);
+        if (cert is null) return false;
+
+        var trustedDir = CertsDir(CertStoreKind.Trusted);
+        Directory.CreateDirectory(trustedDir);
+        var destPath = Path.Combine(trustedDir, Path.GetFileName(cert.FilePath));
+        File.Move(cert.FilePath, destPath, overwrite: true);
+        _logger.LogInformation("Trusted cert {Thumbprint} (subject={Subject}) — moved {From} → {To}",
+            cert.Thumbprint, cert.Subject, cert.FilePath, destPath);
+        return true;
+    }
+
+    public bool DeleteRejected(string thumbprint) => DeleteFromStore(CertStoreKind.Rejected, thumbprint);
+    public bool UntrustCert(string thumbprint) => DeleteFromStore(CertStoreKind.Trusted, thumbprint);
+
+    private bool DeleteFromStore(CertStoreKind store, string thumbprint)
+    {
+        var cert = FindInStore(store, thumbprint);
+        if (cert is null) return false;
+        File.Delete(cert.FilePath);
+        _logger.LogInformation("Deleted cert {Thumbprint} (subject={Subject}) from {Store} store",
+            cert.Thumbprint, cert.Subject, store);
+        return true;
+    }
+
+    private CertInfo? FindInStore(CertStoreKind store, string thumbprint) =>
+        ListStore(store).FirstOrDefault(c =>
+            string.Equals(c.Thumbprint, thumbprint, StringComparison.OrdinalIgnoreCase));
+
+    private IReadOnlyList<CertInfo> ListStore(CertStoreKind store)
+    {
+        var dir = CertsDir(store);
+        if (!Directory.Exists(dir)) return [];
+
+        var results = new List<CertInfo>();
+        foreach (var path in Directory.EnumerateFiles(dir))
+        {
+            // Skip CRL sidecars + private-key files — trust operations only concern public certs.
+            var ext = Path.GetExtension(path);
+            if (!ext.Equals(".der", StringComparison.OrdinalIgnoreCase) &&
+                !ext.Equals(".crt", StringComparison.OrdinalIgnoreCase) &&
+                !ext.Equals(".cer", StringComparison.OrdinalIgnoreCase))
+            {
+                continue;
+            }
+
+            try
+            {
+                var cert = X509CertificateLoader.LoadCertificateFromFile(path);
+                results.Add(new CertInfo(
+                    cert.Thumbprint, cert.Subject, cert.Issuer,
+                    cert.NotBefore.ToUniversalTime(), cert.NotAfter.ToUniversalTime(),
+                    path, store));
+            }
+            catch (Exception ex)
+            {
+                // A malformed file in the store shouldn't take down the page. Surface it in logs
+                // but skip — operators see the other certs and can clean the bad file manually.
+                _logger.LogWarning(ex, "Failed to parse cert at {Path} — skipping", path);
+            }
+        }
+        return results;
+    }
+
+    private string CertsDir(CertStoreKind store) =>
+        Path.Combine(_options.PkiStoreRoot, store == CertStoreKind.Rejected ? "rejected" : "trusted", "certs");
+}

src/ZB.MOM.WW.OtOpcUa.Admin/Services/HostStatusService.cs

@@ -0,0 +1,63 @@
+using Microsoft.EntityFrameworkCore;
+using ZB.MOM.WW.OtOpcUa.Configuration;
+using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+
+namespace ZB.MOM.WW.OtOpcUa.Admin.Services;
+
+/// <summary>
+///     One row per <see cref="DriverHostStatus"/> record, enriched with the owning
+///     <c>ClusterNode.ClusterId</c> when available (left-join). The Admin <c>/hosts</c> page
+///     groups by cluster and renders a per-node → per-driver → per-host tree.
+/// </summary>
+public sealed record HostStatusRow(
+    string NodeId,
+    string? ClusterId,
+    string DriverInstanceId,
+    string HostName,
+    DriverHostState State,
+    DateTime StateChangedUtc,
+    DateTime LastSeenUtc,
+    string? Detail);
+
+/// <summary>
+///     Read-side service for the Admin UI's per-host drill-down. Loads
+///     <see cref="DriverHostStatus"/> rows (written by the Server process's
+///     <c>HostStatusPublisher</c>) and left-joins <c>ClusterNode</c> so each row knows which
+///     cluster it belongs to — the Admin UI groups by cluster for the fleet-wide view.
+/// </summary>
+/// <remarks>
+///     The publisher heartbeat is 10s (<c>HostStatusPublisher.HeartbeatInterval</c>). The
+///     Admin page also polls every ~10s and treats rows with <c>LastSeenUtc</c> older than
+///     <c>StaleThreshold</c> (30s) as stale — covers a missed heartbeat tolerance plus
+///     a generous buffer for clock skew and publisher GC pauses.
+/// </remarks>
+public sealed class HostStatusService(OtOpcUaConfigDbContext db)
+{
+    public static readonly TimeSpan StaleThreshold = TimeSpan.FromSeconds(30);
+
+    public async Task<IReadOnlyList<HostStatusRow>> ListAsync(CancellationToken ct = default)
+    {
+        // LEFT JOIN on NodeId so a row persists even when its owning ClusterNode row hasn't
+        // been created yet (first-boot bootstrap case — keeps the UI from losing sight of
+        // the reporting server).
+        var rows = await (from s in db.DriverHostStatuses.AsNoTracking()
+                          join n in db.ClusterNodes.AsNoTracking()
+                              on s.NodeId equals n.NodeId into nodeJoin
+                          from n in nodeJoin.DefaultIfEmpty()
+                          orderby s.NodeId, s.DriverInstanceId, s.HostName
+                          select new HostStatusRow(
+                              s.NodeId,
+                              n != null ? n.ClusterId : null,
+                              s.DriverInstanceId,
+                              s.HostName,
+                              s.State,
+                              s.StateChangedUtc,
+                              s.LastSeenUtc,
+                              s.Detail)).ToListAsync(ct);
+        return rows;
+    }
+
+    public static bool IsStale(HostStatusRow row) =>
+        DateTime.UtcNow - row.LastSeenUtc > StaleThreshold;
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/Entities/DriverHostStatus.cs

@@ -0,0 +1,61 @@
+using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+
+/// <summary>
+///     Per-host connectivity snapshot the Server publishes for each driver's
+///     <c>IHostConnectivityProbe.GetHostStatuses</c> entry. One row per
+///     (<see cref="NodeId"/>, <see cref="DriverInstanceId"/>, <see cref="HostName"/>) triple —
+///     a redundant 2-node cluster with one Galaxy driver reporting 3 platforms produces 6
+///     rows, not 3, because each server node owns its own runtime view.
+/// </summary>
+/// <remarks>
+///     <para>
+///         Closes the data-layer piece of LMX follow-up #7 (per-AppEngine Admin dashboard
+///         drill-down). The publisher hosted service on the Server side subscribes to every
+///         registered driver's <c>OnHostStatusChanged</c> and upserts rows on transitions +
+///         periodic liveness heartbeats. <see cref="LastSeenUtc"/> advances on every
+///         heartbeat so the Admin UI can flag stale rows from a crashed Server.
+///     </para>
+///     <para>
+///         No foreign-key to <see cref="ClusterNode"/> — a Server may start reporting host
+///         status before its ClusterNode row exists (e.g. first-boot bootstrap), and we'd
+///         rather keep the status row than drop it. The Admin-side service left-joins on
+///         NodeId when presenting rows.
+///     </para>
+/// </remarks>
+public sealed class DriverHostStatus
+{
+    /// <summary>Server node that's running the driver.</summary>
+    public required string NodeId { get; set; }
+
+    /// <summary>Driver instance's stable id (matches <c>IDriver.DriverInstanceId</c>).</summary>
+    public required string DriverInstanceId { get; set; }
+
+    /// <summary>
+    ///     Driver-side host identifier — Galaxy Platform / AppEngine name, Modbus
+    ///     <c>host:port</c>, whatever the probe returns. Opaque to the Admin UI except as
+    ///     a display string.
+    /// </summary>
+    public required string HostName { get; set; }
+
+    public DriverHostState State { get; set; } = DriverHostState.Unknown;
+
+    /// <summary>Timestamp of the last state transition (not of the most recent heartbeat).</summary>
+    public DateTime StateChangedUtc { get; set; }
+
+    /// <summary>
+    ///     Advances on every publisher heartbeat — the Admin UI uses
+    ///     <c>now - LastSeenUtc &gt; threshold</c> to flag rows whose owning Server has
+    ///     stopped reporting (crashed, network-partitioned, etc.), independent of
+    ///     <see cref="State"/>.
+    /// </summary>
+    public DateTime LastSeenUtc { get; set; }
+
+    /// <summary>
+    ///     Optional human-readable detail populated when <see cref="State"/> is
+    ///     <see cref="DriverHostState.Faulted"/> — e.g. the exception message from the
+    ///     driver's probe. Null for Running / Stopped / Unknown transitions.
+    /// </summary>
+    public string? Detail { get; set; }
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/Enums/DriverHostState.cs

@@ -0,0 +1,21 @@
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+
+/// <summary>
+///     Persisted mirror of <c>Core.Abstractions.HostState</c> — the lifecycle state each
+///     <c>IHostConnectivityProbe</c>-capable driver reports for its per-host topology
+///     (Galaxy Platforms / AppEngines, Modbus PLC endpoints, future OPC UA gateway upstreams).
+///     Defined here instead of re-using <c>Core.Abstractions.HostState</c> so the
+///     Configuration project stays free of driver-runtime dependencies.
+/// </summary>
+/// <remarks>
+///     The server-side publisher (follow-up PR) translates
+///     <c>HostStatusChangedEventArgs.NewState</c> to this enum on every transition and
+///     upserts into <see cref="Entities.DriverHostStatus"/>. Admin UI reads from the DB.
+/// </remarks>
+public enum DriverHostState
+{
+    Unknown,
+    Running,
+    Stopped,
+    Faulted,
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/Migrations/20260418193608_AddDriverHostStatus.cs

@@ -0,0 +1,49 @@
+using System;
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Migrations
+{
+    /// <inheritdoc />
+    public partial class AddDriverHostStatus : Migration
+    {
+        /// <inheritdoc />
+        protected override void Up(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.CreateTable(
+                name: "DriverHostStatus",
+                columns: table => new
+                {
+                    NodeId = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: false),
+                    DriverInstanceId = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: false),
+                    HostName = table.Column<string>(type: "nvarchar(256)", maxLength: 256, nullable: false),
+                    State = table.Column<string>(type: "nvarchar(16)", maxLength: 16, nullable: false),
+                    StateChangedUtc = table.Column<DateTime>(type: "datetime2(3)", nullable: false),
+                    LastSeenUtc = table.Column<DateTime>(type: "datetime2(3)", nullable: false),
+                    Detail = table.Column<string>(type: "nvarchar(1024)", maxLength: 1024, nullable: true)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_DriverHostStatus", x => new { x.NodeId, x.DriverInstanceId, x.HostName });
+                });
+
+            migrationBuilder.CreateIndex(
+                name: "IX_DriverHostStatus_LastSeen",
+                table: "DriverHostStatus",
+                column: "LastSeenUtc");
+
+            migrationBuilder.CreateIndex(
+                name: "IX_DriverHostStatus_Node",
+                table: "DriverHostStatus",
+                column: "NodeId");
+        }
+
+        /// <inheritdoc />
+        protected override void Down(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.DropTable(
+                name: "DriverHostStatus");
+        }
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/Migrations/OtOpcUaConfigDbContextModelSnapshot.cs

@@ -332,6 +332,46 @@ namespace ZB.MOM.WW.OtOpcUa.Configuration.Migrations
                         });
                 });
 
+            modelBuilder.Entity("ZB.MOM.WW.OtOpcUa.Configuration.Entities.DriverHostStatus", b =>
+                {
+                    b.Property<string>("NodeId")
+                        .HasMaxLength(64)
+                        .HasColumnType("nvarchar(64)");
+
+                    b.Property<string>("DriverInstanceId")
+                        .HasMaxLength(64)
+                        .HasColumnType("nvarchar(64)");
+
+                    b.Property<string>("HostName")
+                        .HasMaxLength(256)
+                        .HasColumnType("nvarchar(256)");
+
+                    b.Property<string>("Detail")
+                        .HasMaxLength(1024)
+                        .HasColumnType("nvarchar(1024)");
+
+                    b.Property<DateTime>("LastSeenUtc")
+                        .HasColumnType("datetime2(3)");
+
+                    b.Property<string>("State")
+                        .IsRequired()
+                        .HasMaxLength(16)
+                        .HasColumnType("nvarchar(16)");
+
+                    b.Property<DateTime>("StateChangedUtc")
+                        .HasColumnType("datetime2(3)");
+
+                    b.HasKey("NodeId", "DriverInstanceId", "HostName");
+
+                    b.HasIndex("LastSeenUtc")
+                        .HasDatabaseName("IX_DriverHostStatus_LastSeen");
+
+                    b.HasIndex("NodeId")
+                        .HasDatabaseName("IX_DriverHostStatus_Node");
+
+                    b.ToTable("DriverHostStatus", (string)null);
+                });
+
             modelBuilder.Entity("ZB.MOM.WW.OtOpcUa.Configuration.Entities.DriverInstance", b =>
                 {
                     b.Property<Guid>("DriverInstanceRowId")

src/ZB.MOM.WW.OtOpcUa.Configuration/OtOpcUaConfigDbContext.cs

@@ -27,6 +27,7 @@ public sealed class OtOpcUaConfigDbContext(DbContextOptions<OtOpcUaConfigDbConte
     public DbSet<ClusterNodeGenerationState> ClusterNodeGenerationStates => Set<ClusterNodeGenerationState>();
     public DbSet<ConfigAuditLog> ConfigAuditLogs => Set<ConfigAuditLog>();
     public DbSet<ExternalIdReservation> ExternalIdReservations => Set<ExternalIdReservation>();
+    public DbSet<DriverHostStatus> DriverHostStatuses => Set<DriverHostStatus>();
 
     protected override void OnModelCreating(ModelBuilder modelBuilder)
     {
@@ -47,6 +48,7 @@ public sealed class OtOpcUaConfigDbContext(DbContextOptions<OtOpcUaConfigDbConte
         ConfigureClusterNodeGenerationState(modelBuilder);
         ConfigureConfigAuditLog(modelBuilder);
         ConfigureExternalIdReservation(modelBuilder);
+        ConfigureDriverHostStatus(modelBuilder);
     }
 
     private static void ConfigureServerCluster(ModelBuilder modelBuilder)
@@ -484,4 +486,30 @@ public sealed class OtOpcUaConfigDbContext(DbContextOptions<OtOpcUaConfigDbConte
             e.HasIndex(x => x.EquipmentUuid).HasDatabaseName("IX_ExternalIdReservation_Equipment");
         });
     }
+
+    private static void ConfigureDriverHostStatus(ModelBuilder modelBuilder)
+    {
+        modelBuilder.Entity<DriverHostStatus>(e =>
+        {
+            e.ToTable("DriverHostStatus");
+            // Composite key — one row per (server node, driver instance, probe-reported host).
+            // A redundant 2-node cluster with one Galaxy driver reporting 3 platforms produces
+            // 6 rows because each server node owns its own runtime view; the composite key is
+            // what lets both views coexist without shadowing each other.
+            e.HasKey(x => new { x.NodeId, x.DriverInstanceId, x.HostName });
+            e.Property(x => x.NodeId).HasMaxLength(64);
+            e.Property(x => x.DriverInstanceId).HasMaxLength(64);
+            e.Property(x => x.HostName).HasMaxLength(256);
+            e.Property(x => x.State).HasConversion<string>().HasMaxLength(16);
+            e.Property(x => x.StateChangedUtc).HasColumnType("datetime2(3)");
+            e.Property(x => x.LastSeenUtc).HasColumnType("datetime2(3)");
+            e.Property(x => x.Detail).HasMaxLength(1024);
+
+            // NodeId-only index drives the Admin UI's per-cluster drill-down (select all host
+            // statuses for the nodes of a specific cluster via join on ClusterNode.ClusterId).
+            e.HasIndex(x => x.NodeId).HasDatabaseName("IX_DriverHostStatus_Node");
+            // LastSeenUtc index powers the Admin UI's stale-row query (now - LastSeen > N).
+            e.HasIndex(x => x.LastSeenUtc).HasDatabaseName("IX_DriverHostStatus_LastSeen");
+        });
+    }
 }

src/ZB.MOM.WW.OtOpcUa.Core.Abstractions/DriverAttributeInfo.cs

@@ -19,10 +19,17 @@ namespace ZB.MOM.WW.OtOpcUa.Core.Abstractions;
 /// <param name="ArrayDim">Declared array length when <see cref="IsArray"/> is true; null otherwise.</param>
 /// <param name="SecurityClass">Write-authorization tier for this attribute.</param>
 /// <param name="IsHistorized">True when this attribute is expected to feed historian / HistoryRead.</param>
+/// <param name="IsAlarm">
+///     True when this attribute represents an alarm condition (Galaxy: has an
+///     <c>AlarmExtension</c> primitive). The generic node-manager enriches the variable with an
+///     OPC UA <c>AlarmConditionState</c> when true. Defaults to false so existing non-Galaxy
+///     drivers aren't forced to flow a flag they don't produce.
+/// </param>
 public sealed record DriverAttributeInfo(
     string FullName,
     DriverDataType DriverDataType,
     bool IsArray,
     uint? ArrayDim,
     SecurityClassification SecurityClass,
-    bool IsHistorized);
+    bool IsHistorized,
+    bool IsAlarm = false);

src/ZB.MOM.WW.OtOpcUa.Core.Abstractions/IAddressSpaceBuilder.cs

@@ -42,4 +42,39 @@ public interface IVariableHandle
 {
     /// <summary>Driver-side full reference for read/write addressing.</summary>
     string FullReference { get; }
+
+    /// <summary>
+    ///     Annotate this variable with an OPC UA <c>AlarmConditionState</c>. Drivers with
+    ///     <see cref="DriverAttributeInfo.IsAlarm"/> = true call this during discovery so the
+    ///     concrete address-space builder can materialize a sibling condition node. The returned
+    ///     sink receives lifecycle transitions raised through <see cref="IAlarmSource.OnAlarmEvent"/>
+    ///     — the generic node manager wires the subscription; the concrete builder decides how
+    ///     to surface the state (e.g. OPC UA <c>AlarmConditionState.Activate</c>,
+    ///     <c>Acknowledge</c>, <c>Deactivate</c>).
+    /// </summary>
+    IAlarmConditionSink MarkAsAlarmCondition(AlarmConditionInfo info);
+}
+
+/// <summary>
+///     Metadata used to materialize an OPC UA <c>AlarmConditionState</c> sibling for a variable.
+///     Populated by the driver's discovery step; concrete builders decide how to surface it.
+/// </summary>
+/// <param name="SourceName">Human-readable alarm name used for the <c>SourceName</c> event field.</param>
+/// <param name="InitialSeverity">Severity at address-space build time; updates arrive via <see cref="IAlarmConditionSink"/>.</param>
+/// <param name="InitialDescription">Initial description; updates arrive via <see cref="IAlarmConditionSink"/>.</param>
+public sealed record AlarmConditionInfo(
+    string SourceName,
+    AlarmSeverity InitialSeverity,
+    string? InitialDescription);
+
+/// <summary>
+///     Sink a concrete address-space builder returns from <see cref="IVariableHandle.MarkAsAlarmCondition"/>.
+///     The generic node manager routes per-alarm <see cref="IAlarmSource.OnAlarmEvent"/> payloads here —
+///     the sink translates the transition into an OPC UA condition state change or whatever the
+///     concrete builder's backing address space supports.
+/// </summary>
+public interface IAlarmConditionSink
+{
+    /// <summary>Push an alarm transition (Active / Acknowledged / Inactive) for this condition.</summary>
+    void OnTransition(AlarmEventArgs args);
 }

src/ZB.MOM.WW.OtOpcUa.Core.Abstractions/IHistoryProvider.cs

@@ -30,6 +30,52 @@ public interface IHistoryProvider
         TimeSpan interval,
         HistoryAggregateType aggregate,
         CancellationToken cancellationToken);
+
+    /// <summary>
+    ///     Read one sample per requested timestamp — OPC UA HistoryReadAtTime service. The
+    ///     driver interpolates (or returns the prior-boundary sample) when no exact match
+    ///     exists. Optional; drivers that can't interpolate throw <see cref="NotSupportedException"/>.
+    /// </summary>
+    /// <remarks>
+    ///     Default implementation throws. Drivers opt in by overriding; keeps existing
+    ///     <c>IHistoryProvider</c> implementations compiling without forcing a ReadAtTime path
+    ///     they may not have a backend for.
+    /// </remarks>
+    Task<HistoryReadResult> ReadAtTimeAsync(
+        string fullReference,
+        IReadOnlyList<DateTime> timestampsUtc,
+        CancellationToken cancellationToken)
+        => throw new NotSupportedException(
+            $"{GetType().Name} does not implement ReadAtTimeAsync. " +
+            "Drivers whose backends support at-time reads override this method.");
+
+    /// <summary>
+    ///     Read historical alarm/event records — OPC UA HistoryReadEvents service. Distinct
+    ///     from the live event stream — historical rows come from an event historian (Galaxy's
+    ///     Alarm Provider history log, etc.) rather than the driver's active subscription.
+    /// </summary>
+    /// <param name="sourceName">
+    ///     Optional filter: null means "all sources", otherwise restrict to events from that
+    ///     source-object name. Drivers may ignore the filter if the backend doesn't support it.
+    /// </param>
+    /// <param name="startUtc">Inclusive lower bound on <c>EventTimeUtc</c>.</param>
+    /// <param name="endUtc">Exclusive upper bound on <c>EventTimeUtc</c>.</param>
+    /// <param name="maxEvents">Upper cap on returned events — the driver's backend enforces this.</param>
+    /// <param name="cancellationToken">Request cancellation.</param>
+    /// <remarks>
+    ///     Default implementation throws. Only drivers with an event historian (Galaxy via the
+    ///     Wonderware Alarm &amp; Events log) override. Modbus / the OPC UA Client driver stay
+    ///     with the default and let callers see <c>BadHistoryOperationUnsupported</c>.
+    /// </remarks>
+    Task<HistoricalEventsResult> ReadEventsAsync(
+        string? sourceName,
+        DateTime startUtc,
+        DateTime endUtc,
+        int maxEvents,
+        CancellationToken cancellationToken)
+        => throw new NotSupportedException(
+            $"{GetType().Name} does not implement ReadEventsAsync. " +
+            "Drivers whose backends have an event historian override this method.");
 }
 
 /// <summary>Result of a HistoryRead call.</summary>
@@ -48,3 +94,29 @@ public enum HistoryAggregateType
     Total,
     Count,
 }
+
+/// <summary>
+///     One row returned by <see cref="IHistoryProvider.ReadEventsAsync"/> — a historical
+///     alarm/event record, not the OPC UA live-event stream. Fields match the minimum set the
+///     Server needs to populate a <c>HistoryEventFieldList</c> for HistoryReadEvents responses.
+/// </summary>
+/// <param name="EventId">Stable unique id for the event — driver-specific format.</param>
+/// <param name="SourceName">Source object that emitted the event. May differ from the <c>sourceName</c> filter the caller passed (fuzzy matches).</param>
+/// <param name="EventTimeUtc">Process-side timestamp — when the event actually occurred.</param>
+/// <param name="ReceivedTimeUtc">Historian-side timestamp — when the historian persisted the row; may lag <paramref name="EventTimeUtc"/> by the historian's buffer flush cadence.</param>
+/// <param name="Message">Human-readable message text.</param>
+/// <param name="Severity">OPC UA severity (1-1000). Drivers map their native priority scale onto this range.</param>
+public sealed record HistoricalEvent(
+    string EventId,
+    string? SourceName,
+    DateTime EventTimeUtc,
+    DateTime ReceivedTimeUtc,
+    string? Message,
+    ushort Severity);
+
+/// <summary>Result of a <see cref="IHistoryProvider.ReadEventsAsync"/> call.</summary>
+/// <param name="Events">Events in chronological order by <c>EventTimeUtc</c>.</param>
+/// <param name="ContinuationPoint">Opaque token for the next call when more events are available; null when complete.</param>
+public sealed record HistoricalEventsResult(
+    IReadOnlyList<HistoricalEvent> Events,
+    byte[]? ContinuationPoint);

src/ZB.MOM.WW.OtOpcUa.Core/Hosting/DriverHost.cs

@@ -24,6 +24,17 @@ public sealed class DriverHost : IAsyncDisposable
             return _drivers.TryGetValue(driverInstanceId, out var d) ? d.GetHealth() : null;
     }
 
+    /// <summary>
+    ///     Look up a registered driver by instance id. Used by the OPC UA server runtime
+    ///     (<c>OtOpcUaServer</c>) to instantiate one <c>DriverNodeManager</c> per driver at
+    ///     startup. Returns null when the driver is not registered.
+    /// </summary>
+    public IDriver? GetDriver(string driverInstanceId)
+    {
+        lock (_lock)
+            return _drivers.TryGetValue(driverInstanceId, out var d) ? d : null;
+    }
+
     /// <summary>
     ///     Registers the driver and calls <see cref="IDriver.InitializeAsync"/>. If initialization
     ///     throws, the driver is kept in the registry so the operator can retry; quality on its

src/ZB.MOM.WW.OtOpcUa.Core/OpcUa/GenericDriverNodeManager.cs

@@ -1,27 +1,41 @@
+using System.Collections.Concurrent;
 using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
 
 namespace ZB.MOM.WW.OtOpcUa.Core.OpcUa;
 
 /// <summary>
 ///     Generic, driver-agnostic backbone for populating the OPC UA address space from an
-///     <see cref="IDriver"/>. The Galaxy-specific subclass (<c>GalaxyNodeManager</c>) is deferred
-///     to Phase 2 per decision #62 — this class is the foundation that Phase 2 ports the v1
-///     <c>LmxNodeManager</c> logic into.
+///     <see cref="IDriver"/>. Walks the driver's discovery, wires the alarm + data-change +
+///     rediscovery subscription events, and hands each variable to the supplied
+///     <see cref="IAddressSpaceBuilder"/>. Concrete OPC UA server implementations provide the
+///     builder — see the Server project's <c>OpcUaAddressSpaceBuilder</c> for the materialization
+///     against <c>CustomNodeManager2</c>.
 /// </summary>
 /// <remarks>
-///     Phase 1 status: scaffold only. The v1 <c>LmxNodeManager</c> in the legacy Host is unchanged
-///     so IntegrationTests continue to pass. Phase 2 will lift-and-shift its logic here, swapping
-///     <c>IMxAccessClient</c> for <see cref="IDriver"/> and <c>GalaxyAttributeInfo</c> for
-///     <see cref="DriverAttributeInfo"/>.
+///     Per <c>docs/v2/plan.md</c> decision #52 + #62 — Core owns the node tree, drivers stream
+///     <c>Folder</c>/<c>Variable</c> calls, alarm-bearing variables are annotated via
+///     <see cref="IVariableHandle.MarkAsAlarmCondition"/> and subsequent
+///     <see cref="IAlarmSource.OnAlarmEvent"/> payloads route to the sink the builder returned.
 /// </remarks>
-public abstract class GenericDriverNodeManager(IDriver driver)
+public class GenericDriverNodeManager(IDriver driver) : IDisposable
 {
     protected IDriver Driver { get; } = driver ?? throw new ArgumentNullException(nameof(driver));
 
     public string DriverInstanceId => Driver.DriverInstanceId;
 
+    // Source tag (DriverAttributeInfo.FullName) → alarm-condition sink. Populated during
+    // BuildAddressSpaceAsync by a recording IAddressSpaceBuilder implementation that captures the
+    // IVariableHandle per attr.IsAlarm=true variable and calls MarkAsAlarmCondition.
+    private readonly ConcurrentDictionary<string, IAlarmConditionSink> _alarmSinks =
+        new(StringComparer.OrdinalIgnoreCase);
+
+    private EventHandler<AlarmEventArgs>? _alarmForwarder;
+    private bool _disposed;
+
     /// <summary>
-    ///     Populates the address space by streaming nodes from the driver into the supplied builder.
+    ///     Populates the address space by streaming nodes from the driver into the supplied builder,
+    ///     wraps the builder so alarm-condition sinks are captured, subscribes to the driver's
+    ///     alarm event stream, and routes each transition to the matching sink by <c>SourceNodeId</c>.
     ///     Driver exceptions are isolated per decision #12 — the driver's subtree is marked Faulted,
     ///     but other drivers remain available.
     /// </summary>
@@ -32,6 +46,73 @@ public abstract class GenericDriverNodeManager(IDriver driver)
         if (Driver is not ITagDiscovery discovery)
             throw new NotSupportedException($"Driver '{Driver.DriverInstanceId}' does not implement ITagDiscovery.");
 
-        await discovery.DiscoverAsync(builder, ct);
+        var capturing = new CapturingBuilder(builder, _alarmSinks);
+        await discovery.DiscoverAsync(capturing, ct);
+
+        if (Driver is IAlarmSource alarmSource)
+        {
+            _alarmForwarder = (_, e) =>
+            {
+                // Route the alarm to the sink registered for the originating variable, if any.
+                // Unknown source ids are dropped silently — they may belong to another driver or
+                // to a variable the builder chose not to flag as an alarm condition.
+                if (_alarmSinks.TryGetValue(e.SourceNodeId, out var sink))
+                    sink.OnTransition(e);
+            };
+            alarmSource.OnAlarmEvent += _alarmForwarder;
+        }
+    }
+
+    public void Dispose()
+    {
+        if (_disposed) return;
+        _disposed = true;
+        if (_alarmForwarder is not null && Driver is IAlarmSource alarmSource)
+        {
+            alarmSource.OnAlarmEvent -= _alarmForwarder;
+        }
+        _alarmSinks.Clear();
+    }
+
+    /// <summary>
+    ///     Snapshot the current alarm-sink registry by source node id. Diagnostic + test hook;
+    ///     not part of the hot path.
+    /// </summary>
+    internal IReadOnlyCollection<string> TrackedAlarmSources => _alarmSinks.Keys.ToList();
+
+    /// <summary>
+    ///     Wraps the caller-supplied <see cref="IAddressSpaceBuilder"/> so every
+    ///     <see cref="IVariableHandle.MarkAsAlarmCondition"/> call registers the returned sink in
+    ///     the node manager's source-node-id map. The builder itself drives materialization;
+    ///     this wrapper only observes.
+    /// </summary>
+    private sealed class CapturingBuilder(
+        IAddressSpaceBuilder inner,
+        ConcurrentDictionary<string, IAlarmConditionSink> sinks) : IAddressSpaceBuilder
+    {
+        public IAddressSpaceBuilder Folder(string browseName, string displayName)
+            => new CapturingBuilder(inner.Folder(browseName, displayName), sinks);
+
+        public IVariableHandle Variable(string browseName, string displayName, DriverAttributeInfo attributeInfo)
+            => new CapturingHandle(inner.Variable(browseName, displayName, attributeInfo), sinks);
+
+        public void AddProperty(string browseName, DriverDataType dataType, object? value)
+            => inner.AddProperty(browseName, dataType, value);
+    }
+
+    private sealed class CapturingHandle(
+        IVariableHandle inner,
+        ConcurrentDictionary<string, IAlarmConditionSink> sinks) : IVariableHandle
+    {
+        public string FullReference => inner.FullReference;
+
+        public IAlarmConditionSink MarkAsAlarmCondition(AlarmConditionInfo info)
+        {
+            var sink = inner.MarkAsAlarmCondition(info);
+            // Register by the driver-side full reference so the alarm forwarder can look it up
+            // using AlarmEventArgs.SourceNodeId (which the driver populates with the same tag).
+            sinks[inner.FullReference] = sink;
+            return sink;
+        }
     }
 }

src/ZB.MOM.WW.OtOpcUa.Core/ZB.MOM.WW.OtOpcUa.Core.csproj

@@ -16,6 +16,10 @@
         <ProjectReference Include="..\ZB.MOM.WW.OtOpcUa.Configuration\ZB.MOM.WW.OtOpcUa.Configuration.csproj"/>
     </ItemGroup>
 
+    <ItemGroup>
+        <InternalsVisibleTo Include="ZB.MOM.WW.OtOpcUa.Core.Tests"/>
+    </ItemGroup>
+
     <ItemGroup>
         <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-37gx-xxp4-5rgx"/>
         <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-w3x6-4m5h-cxqf"/>

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/Backend/Alarms/GalaxyAlarmTracker.cs

@@ -0,0 +1,260 @@
+using System;
+using System.Collections.Concurrent;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend.MxAccess;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend.Alarms;
+
+/// <summary>
+///     Subscribes to the four Galaxy alarm attributes (<c>.InAlarm</c>, <c>.Priority</c>,
+///     <c>.DescAttrName</c>, <c>.Acked</c>) per alarm-bearing attribute discovered during
+///     <c>DiscoverAsync</c>. Maintains one <see cref="AlarmState"/> per alarm, raises
+///     <see cref="AlarmTransition"/> on lifecycle transitions (Active / Unacknowledged /
+///     Acknowledged / Inactive). Ack path writes <c>.AckMsg</c>. Pure-logic state machine
+///     with delegate-based subscribe/write so it's testable against in-memory fakes.
+/// </summary>
+/// <remarks>
+///     Transitions emitted (OPC UA Part 9 alarm lifecycle, simplified for the Galaxy model):
+///     <list type="bullet">
+///         <item><c>Active</c> — InAlarm false → true. Default to Unacknowledged.</item>
+///         <item><c>Acknowledged</c> — Acked false → true while InAlarm is still true.</item>
+///         <item><c>Inactive</c> — InAlarm true → false. If still unacknowledged the alarm
+///         is marked latched-inactive-unack; next Ack transitions straight to Inactive.</item>
+///     </list>
+/// </remarks>
+public sealed class GalaxyAlarmTracker : IDisposable
+{
+    public const string InAlarmAttr = ".InAlarm";
+    public const string PriorityAttr = ".Priority";
+    public const string DescAttrNameAttr = ".DescAttrName";
+    public const string AckedAttr = ".Acked";
+    public const string AckMsgAttr = ".AckMsg";
+
+    private readonly Func<string, Action<string, Vtq>, Task> _subscribe;
+    private readonly Func<string, Task> _unsubscribe;
+    private readonly Func<string, object, Task<bool>> _write;
+    private readonly Func<DateTime> _clock;
+
+    // Alarm tag (attribute full ref, e.g. "Tank.Level.HiHi") → state.
+    private readonly ConcurrentDictionary<string, AlarmState> _alarms =
+        new(StringComparer.OrdinalIgnoreCase);
+
+    // Reverse lookup: probed tag (".InAlarm" etc.) → owning alarm tag.
+    private readonly ConcurrentDictionary<string, (string AlarmTag, AlarmField Field)> _probeToAlarm =
+        new(StringComparer.OrdinalIgnoreCase);
+
+    private bool _disposed;
+
+    public event EventHandler<AlarmTransition>? TransitionRaised;
+
+    public GalaxyAlarmTracker(
+        Func<string, Action<string, Vtq>, Task> subscribe,
+        Func<string, Task> unsubscribe,
+        Func<string, object, Task<bool>> write)
+        : this(subscribe, unsubscribe, write, () => DateTime.UtcNow) { }
+
+    internal GalaxyAlarmTracker(
+        Func<string, Action<string, Vtq>, Task> subscribe,
+        Func<string, Task> unsubscribe,
+        Func<string, object, Task<bool>> write,
+        Func<DateTime> clock)
+    {
+        _subscribe = subscribe ?? throw new ArgumentNullException(nameof(subscribe));
+        _unsubscribe = unsubscribe ?? throw new ArgumentNullException(nameof(unsubscribe));
+        _write = write ?? throw new ArgumentNullException(nameof(write));
+        _clock = clock ?? throw new ArgumentNullException(nameof(clock));
+    }
+
+    public int TrackedAlarmCount => _alarms.Count;
+
+    /// <summary>
+    ///     Advise the four alarm attributes for <paramref name="alarmTag"/>. Idempotent —
+    ///     repeat calls for the same alarm tag are a no-op. Subscribe failure for any of the
+    ///     four rolls back the alarm entry so a stale callback cannot promote a phantom.
+    /// </summary>
+    public async Task TrackAsync(string alarmTag)
+    {
+        if (_disposed || string.IsNullOrWhiteSpace(alarmTag)) return;
+        if (_alarms.ContainsKey(alarmTag)) return;
+
+        var state = new AlarmState { AlarmTag = alarmTag };
+        if (!_alarms.TryAdd(alarmTag, state)) return;
+
+        var probes = new[]
+        {
+            (Tag: alarmTag + InAlarmAttr, Field: AlarmField.InAlarm),
+            (Tag: alarmTag + PriorityAttr, Field: AlarmField.Priority),
+            (Tag: alarmTag + DescAttrNameAttr, Field: AlarmField.DescAttrName),
+            (Tag: alarmTag + AckedAttr, Field: AlarmField.Acked),
+        };
+
+        foreach (var p in probes)
+        {
+            _probeToAlarm[p.Tag] = (alarmTag, p.Field);
+        }
+
+        try
+        {
+            foreach (var p in probes)
+            {
+                await _subscribe(p.Tag, OnProbeCallback).ConfigureAwait(false);
+            }
+        }
+        catch
+        {
+            // Rollback so a partial advise doesn't leak state.
+            _alarms.TryRemove(alarmTag, out _);
+            foreach (var p in probes)
+            {
+                _probeToAlarm.TryRemove(p.Tag, out _);
+                try { await _unsubscribe(p.Tag).ConfigureAwait(false); } catch { }
+            }
+            throw;
+        }
+    }
+
+    /// <summary>
+    ///     Drop every tracked alarm. Unadvises all 4 probes per alarm as best-effort.
+    /// </summary>
+    public async Task ClearAsync()
+    {
+        _alarms.Clear();
+        foreach (var kv in _probeToAlarm.ToList())
+        {
+            _probeToAlarm.TryRemove(kv.Key, out _);
+            try { await _unsubscribe(kv.Key).ConfigureAwait(false); } catch { }
+        }
+    }
+
+    /// <summary>
+    ///     Operator ack — write the comment text into <c>&lt;alarmTag&gt;.AckMsg</c>.
+    ///     Returns false when the runtime reports the write failed.
+    /// </summary>
+    public Task<bool> AcknowledgeAsync(string alarmTag, string comment)
+    {
+        if (_disposed || string.IsNullOrWhiteSpace(alarmTag))
+            return Task.FromResult(false);
+        return _write(alarmTag + AckMsgAttr, comment ?? string.Empty);
+    }
+
+    /// <summary>
+    ///     Subscription callback entry point. Exposed for tests and for the Backend to route
+    ///     fan-out callbacks through. Runs the state machine and fires TransitionRaised
+    ///     outside the lock.
+    /// </summary>
+    public void OnProbeCallback(string probeTag, Vtq vtq)
+    {
+        if (_disposed) return;
+        if (!_probeToAlarm.TryGetValue(probeTag, out var link)) return;
+        if (!_alarms.TryGetValue(link.AlarmTag, out var state)) return;
+
+        AlarmTransition? transition = null;
+        var now = _clock();
+
+        lock (state.Lock)
+        {
+            switch (link.Field)
+            {
+                case AlarmField.InAlarm:
+                {
+                    var wasActive = state.InAlarm;
+                    var isActive = vtq.Value is bool b && b;
+                    state.InAlarm = isActive;
+                    state.LastUpdateUtc = now;
+                    if (!wasActive && isActive)
+                    {
+                        state.Acked = false;
+                        state.LastTransitionUtc = now;
+                        transition = new AlarmTransition(state.AlarmTag, AlarmStateTransition.Active, state.Priority, state.DescAttrName, now);
+                    }
+                    else if (wasActive && !isActive)
+                    {
+                        state.LastTransitionUtc = now;
+                        transition = new AlarmTransition(state.AlarmTag, AlarmStateTransition.Inactive, state.Priority, state.DescAttrName, now);
+                    }
+                    break;
+                }
+                case AlarmField.Priority:
+                    if (vtq.Value is int pi) state.Priority = pi;
+                    else if (vtq.Value is short ps) state.Priority = ps;
+                    else if (vtq.Value is long pl && pl <= int.MaxValue) state.Priority = (int)pl;
+                    state.LastUpdateUtc = now;
+                    break;
+                case AlarmField.DescAttrName:
+                    state.DescAttrName = vtq.Value as string;
+                    state.LastUpdateUtc = now;
+                    break;
+                case AlarmField.Acked:
+                {
+                    var wasAcked = state.Acked;
+                    var isAcked = vtq.Value is bool b && b;
+                    state.Acked = isAcked;
+                    state.LastUpdateUtc = now;
+                    // Fire Acknowledged only when transitioning false→true. Don't fire on initial
+                    // subscribe callback (wasAcked==isAcked in that case because the state starts
+                    // with Acked=false and the initial probe is usually true for an un-active alarm).
+                    if (!wasAcked && isAcked && state.InAlarm)
+                    {
+                        state.LastTransitionUtc = now;
+                        transition = new AlarmTransition(state.AlarmTag, AlarmStateTransition.Acknowledged, state.Priority, state.DescAttrName, now);
+                    }
+                    break;
+                }
+            }
+        }
+
+        if (transition is { } t)
+        {
+            TransitionRaised?.Invoke(this, t);
+        }
+    }
+
+    public IReadOnlyList<AlarmSnapshot> SnapshotStates()
+    {
+        return _alarms.Values.Select(s =>
+        {
+            lock (s.Lock)
+                return new AlarmSnapshot(s.AlarmTag, s.InAlarm, s.Acked, s.Priority, s.DescAttrName);
+        }).ToList();
+    }
+
+    public void Dispose()
+    {
+        if (_disposed) return;
+        _disposed = true;
+        _alarms.Clear();
+        _probeToAlarm.Clear();
+    }
+
+    private sealed class AlarmState
+    {
+        public readonly object Lock = new();
+        public string AlarmTag = "";
+        public bool InAlarm;
+        public bool Acked = true; // default ack'd so first false→true on subscribe doesn't misfire
+        public int Priority;
+        public string? DescAttrName;
+        public DateTime LastUpdateUtc;
+        public DateTime LastTransitionUtc;
+    }
+
+    private enum AlarmField { InAlarm, Priority, DescAttrName, Acked }
+}
+
+public enum AlarmStateTransition { Active, Acknowledged, Inactive }
+
+public sealed record AlarmTransition(
+    string AlarmTag,
+    AlarmStateTransition Transition,
+    int Priority,
+    string? DescAttrName,
+    DateTime AtUtc);
+
+public sealed record AlarmSnapshot(
+    string AlarmTag,
+    bool InAlarm,
+    bool Acked,
+    int Priority,
+    string? DescAttrName);

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/Backend/DbBackedGalaxyBackend.cs

@@ -21,6 +21,13 @@ public sealed class DbBackedGalaxyBackend(GalaxyRepository repository) : IGalaxy
     private long _nextSessionId;
     private long _nextSubscriptionId;
 
+    // DB-only backend doesn't have a runtime data plane; never raises events.
+#pragma warning disable CS0067
+    public event System.EventHandler<OnDataChangeNotification>? OnDataChange;
+    public event System.EventHandler<GalaxyAlarmEvent>? OnAlarmEvent;
+    public event System.EventHandler<HostConnectivityStatus>? OnHostStatusChanged;
+#pragma warning restore CS0067
+
     public Task<OpenSessionResponse> OpenSessionAsync(OpenSessionRequest req, CancellationToken ct)
     {
         var id = Interlocked.Increment(ref _nextSessionId);
@@ -120,6 +127,33 @@ public sealed class DbBackedGalaxyBackend(GalaxyRepository repository) : IGalaxy
             Tags = System.Array.Empty<HistoryTagValues>(),
         });
 
+    public Task<HistoryReadProcessedResponse> HistoryReadProcessedAsync(
+        HistoryReadProcessedRequest req, CancellationToken ct)
+        => Task.FromResult(new HistoryReadProcessedResponse
+        {
+            Success = false,
+            Error = "MXAccess + Historian code lift pending (Phase 2 Task B.1)",
+            Values = System.Array.Empty<GalaxyDataValue>(),
+        });
+
+    public Task<HistoryReadAtTimeResponse> HistoryReadAtTimeAsync(
+        HistoryReadAtTimeRequest req, CancellationToken ct)
+        => Task.FromResult(new HistoryReadAtTimeResponse
+        {
+            Success = false,
+            Error = "MXAccess + Historian code lift pending (Phase 2 Task B.1)",
+            Values = System.Array.Empty<GalaxyDataValue>(),
+        });
+
+    public Task<HistoryReadEventsResponse> HistoryReadEventsAsync(
+        HistoryReadEventsRequest req, CancellationToken ct)
+        => Task.FromResult(new HistoryReadEventsResponse
+        {
+            Success = false,
+            Error = "MXAccess + Historian code lift pending (Phase 2 Task B.1)",
+            Events = System.Array.Empty<GalaxyHistoricalEvent>(),
+        });
+
     public Task<RecycleStatusResponse> RecycleAsync(RecycleHostRequest req, CancellationToken ct)
         => Task.FromResult(new RecycleStatusResponse { Accepted = true, GraceSeconds = 15 });
 
@@ -131,6 +165,7 @@ public sealed class DbBackedGalaxyBackend(GalaxyRepository repository) : IGalaxy
         ArrayDim = row.ArrayDimension is int d and > 0 ? (uint)d : null,
         SecurityClassification = row.SecurityClassification,
         IsHistorized = row.IsHistorized,
+        IsAlarm = row.IsAlarm,
     };
 
     /// <summary>

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/Backend/Historian/HistorianClusterEndpointPicker.cs

@@ -1,31 +1,14 @@
 using System;
 using System.Collections.Generic;
 using System.Linq;
-using ZB.MOM.WW.OtOpcUa.Host.Configuration;
-using ZB.MOM.WW.OtOpcUa.Host.Historian;
 
-namespace ZB.MOM.WW.OtOpcUa.Historian.Aveva
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend.Historian
 {
     /// <summary>
     ///     Thread-safe, pure-logic endpoint picker for the Wonderware Historian cluster. Tracks which
     ///     configured nodes are healthy, places failed nodes in a time-bounded cooldown, and hands
     ///     out an ordered list of eligible candidates for the data source to try in sequence.
     /// </summary>
-    /// <remarks>
-    ///     Design notes:
-    ///     <list type="bullet">
-    ///         <item>No SDK dependency — fully unit-testable with an injected clock.</item>
-    ///         <item>Per-node state is guarded by a single lock; operations are microsecond-scale
-    ///         so contention is a non-issue.</item>
-    ///         <item>Cooldown is purely passive: a node re-enters the healthy pool the next time
-    ///         it is queried after its cooldown window elapses. There is no background probe.</item>
-    ///         <item>Nodes are returned in configuration order so operators can express a
-    ///         preference (primary first, fallback second).</item>
-    ///         <item>When <see cref="HistorianConfiguration.ServerNames"/> is empty, the picker is
-    ///         initialized with a single entry from <see cref="HistorianConfiguration.ServerName"/>
-    ///         so legacy deployments continue to work unchanged.</item>
-    ///     </list>
-    /// </remarks>
     internal sealed class HistorianClusterEndpointPicker
     {
         private readonly Func<DateTime> _clock;
@@ -53,39 +36,20 @@ namespace ZB.MOM.WW.OtOpcUa.Historian.Aveva
                 .ToList();
         }
 
-        /// <summary>
-        ///     Gets the total number of configured cluster nodes. Stable — nodes are never added
-        ///     or removed after construction.
-        /// </summary>
         public int NodeCount
         {
-            get
-            {
-                lock (_lock)
-                    return _nodes.Count;
-            }
+            get { lock (_lock) return _nodes.Count; }
         }
 
-        /// <summary>
-        ///     Returns an ordered snapshot of nodes currently eligible for a connection attempt,
-        ///     with any node whose cooldown has elapsed automatically restored to the pool.
-        ///     An empty list means all nodes are in active cooldown.
-        /// </summary>
         public IReadOnlyList<string> GetHealthyNodes()
         {
             lock (_lock)
             {
                 var now = _clock();
-                return _nodes
-                    .Where(n => IsHealthyAt(n, now))
-                    .Select(n => n.Name)
-                    .ToList();
+                return _nodes.Where(n => IsHealthyAt(n, now)).Select(n => n.Name).ToList();
             }
         }
 
-        /// <summary>
-        ///     Gets the count of nodes currently eligible for a connection attempt (i.e., not in cooldown).
-        /// </summary>
         public int HealthyNodeCount
         {
             get
@@ -98,18 +62,12 @@ namespace ZB.MOM.WW.OtOpcUa.Historian.Aveva
             }
         }
 
-        /// <summary>
-        ///     Places <paramref name="node"/> into cooldown starting at the current clock time.
-        ///     Increments the node's failure counter and stores the latest error message for
-        ///     surfacing on the dashboard. Unknown node names are ignored.
-        /// </summary>
         public void MarkFailed(string node, string? error)
         {
             lock (_lock)
             {
                 var entry = FindEntry(node);
-                if (entry == null)
-                    return;
+                if (entry == null) return;
 
                 var now = _clock();
                 entry.FailureCount++;
@@ -119,26 +77,16 @@ namespace ZB.MOM.WW.OtOpcUa.Historian.Aveva
             }
         }
 
-        /// <summary>
-        ///     Marks <paramref name="node"/> as healthy immediately — clears any active cooldown but
-        ///     leaves the cumulative failure counter intact for operator diagnostics. Unknown node
-        ///     names are ignored.
-        /// </summary>
         public void MarkHealthy(string node)
         {
             lock (_lock)
             {
                 var entry = FindEntry(node);
-                if (entry == null)
-                    return;
+                if (entry == null) return;
                 entry.CooldownUntil = null;
             }
         }
 
-        /// <summary>
-        ///     Captures the current per-node state for the health dashboard. Freshly computed from
-        ///     <see cref="_clock"/> so recently-expired cooldowns are reported as healthy.
-        /// </summary>
         public List<HistorianClusterNodeState> SnapshotNodeStates()
         {
             lock (_lock)

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/Backend/Historian/HistorianClusterNodeState.cs

@@ -0,0 +1,18 @@
+using System;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend.Historian
+{
+    /// <summary>
+    ///     Point-in-time state of a single historian cluster node. One entry per configured node
+    ///     appears inside <see cref="HistorianHealthSnapshot"/>.
+    /// </summary>
+    public sealed class HistorianClusterNodeState
+    {
+        public string Name { get; set; } = "";
+        public bool IsHealthy { get; set; }
+        public DateTime? CooldownUntil { get; set; }
+        public int FailureCount { get; set; }
+        public string? LastError { get; set; }
+        public DateTime? LastFailureTime { get; set; }
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/Backend/Historian/HistorianConfiguration.cs

@@ -0,0 +1,38 @@
+using System.Collections.Generic;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend.Historian
+{
+    /// <summary>
+    ///     Wonderware Historian SDK configuration. Populated from environment variables at Host
+    ///     startup (see <c>Program.cs</c>) or from the Proxy's <c>DriverInstance.DriverConfig</c>
+    ///     section passed during OpenSession. Kept OPC-UA-free — the Proxy side owns UA translation.
+    /// </summary>
+    public sealed class HistorianConfiguration
+    {
+        public bool Enabled { get; set; } = false;
+
+        /// <summary>Single-node fallback when <see cref="ServerNames"/> is empty.</summary>
+        public string ServerName { get; set; } = "localhost";
+
+        /// <summary>
+        ///     Ordered cluster nodes. When non-empty, the data source tries each in order on connect,
+        ///     falling through to the next on failure. A failed node is placed in cooldown for
+        ///     <see cref="FailureCooldownSeconds"/> before being re-eligible.
+        /// </summary>
+        public List<string> ServerNames { get; set; } = new();
+
+        public int FailureCooldownSeconds { get; set; } = 60;
+        public bool IntegratedSecurity { get; set; } = true;
+        public string? UserName { get; set; }
+        public string? Password { get; set; }
+        public int Port { get; set; } = 32568;
+        public int CommandTimeoutSeconds { get; set; } = 30;
+        public int MaxValuesPerRead { get; set; } = 10000;
+
+        /// <summary>
+        ///     Outer safety timeout applied to sync-over-async Historian operations. Must be
+        ///     comfortably larger than <see cref="CommandTimeoutSeconds"/>.
+        /// </summary>
+        public int RequestTimeoutSeconds { get; set; } = 60;
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/Backend/Historian/HistorianDataSource.cs

@@ -4,16 +4,14 @@ using StringCollection = System.Collections.Specialized.StringCollection;
 using System.Threading;
 using System.Threading.Tasks;
 using ArchestrA;
-using Opc.Ua;
 using Serilog;
-using ZB.MOM.WW.OtOpcUa.Host.Configuration;
-using ZB.MOM.WW.OtOpcUa.Host.Domain;
-using ZB.MOM.WW.OtOpcUa.Host.Historian;
 
-namespace ZB.MOM.WW.OtOpcUa.Historian.Aveva
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend.Historian
 {
     /// <summary>
     ///     Reads historical data from the Wonderware Historian via the aahClientManaged SDK.
+    ///     OPC-UA-free — emits <see cref="HistorianSample"/>/<see cref="HistorianAggregateSample"/>
+    ///     which the Proxy maps to OPC UA <c>DataValue</c> on its side of the IPC.
     /// </summary>
     public sealed class HistorianDataSource : IHistorianDataSource
     {
@@ -27,9 +25,6 @@ namespace ZB.MOM.WW.OtOpcUa.Historian.Aveva
         private HistorianAccess? _eventConnection;
         private bool _disposed;
 
-        // Runtime query health state. Guarded by _healthLock — updated on every read
-        // method exit (success or failure) so the dashboard can distinguish "plugin
-        // loaded but never queried" from "plugin loaded and queries are failing".
         private readonly object _healthLock = new object();
         private long _totalSuccesses;
         private long _totalFailures;
@@ -40,22 +35,11 @@ namespace ZB.MOM.WW.OtOpcUa.Historian.Aveva
         private string? _activeProcessNode;
         private string? _activeEventNode;
 
-        // Cluster endpoint picker — shared across process + event paths so a node that
-        // fails on one silo is skipped on the other. Initialized from config at construction.
         private readonly HistorianClusterEndpointPicker _picker;
 
-        /// <summary>
-        ///     Initializes a Historian reader that translates OPC UA history requests into Wonderware Historian SDK queries.
-        /// </summary>
-        /// <param name="config">The Historian SDK connection settings used for runtime history lookups.</param>
         public HistorianDataSource(HistorianConfiguration config)
             : this(config, new SdkHistorianConnectionFactory(), null) { }
 
-        /// <summary>
-        ///     Initializes a Historian reader with a custom connection factory for testing. When
-        ///     <paramref name="picker"/> is <see langword="null"/> a new picker is built from
-        ///     <paramref name="config"/>, preserving backward compatibility with existing tests.
-        /// </summary>
         internal HistorianDataSource(
             HistorianConfiguration config,
             IHistorianConnectionFactory factory,
@@ -66,11 +50,6 @@ namespace ZB.MOM.WW.OtOpcUa.Historian.Aveva
             _picker = picker ?? new HistorianClusterEndpointPicker(config);
         }
 
-        /// <summary>
-        ///     Iterates the picker's healthy node list, cloning the configuration per attempt and
-        ///     handing it to the factory. Marks each tried node as healthy on success or failed on
-        ///     exception. Returns the winning connection + node name; throws when no nodes succeed.
-        /// </summary>
         private (HistorianAccess Connection, string Node) ConnectToAnyHealthyNode(HistorianConnectionType type)
         {
             var candidates = _picker.GetHealthyNodes();
@@ -97,8 +76,7 @@ namespace ZB.MOM.WW.OtOpcUa.Historian.Aveva
                 {
                     _picker.MarkFailed(node, ex.Message);
                     lastException = ex;
-                    Log.Warning(ex,
-                        "Historian node {Node} failed during connect attempt; trying next candidate", node);
+                    Log.Warning(ex, "Historian node {Node} failed during connect attempt; trying next candidate", node);
                 }
             }
 
@@ -125,14 +103,12 @@ namespace ZB.MOM.WW.OtOpcUa.Historian.Aveva
             };
         }
 
-        /// <inheritdoc />
         public HistorianHealthSnapshot GetHealthSnapshot()
         {
             var nodeStates = _picker.SnapshotNodeStates();
             var healthyCount = 0;
             foreach (var n in nodeStates)
-                if (n.IsHealthy)
-                    healthyCount++;
+                if (n.IsHealthy) healthyCount++;
 
             lock (_healthLock)
             {
@@ -183,13 +159,8 @@ namespace ZB.MOM.WW.OtOpcUa.Historian.Aveva
             if (_disposed)
                 throw new ObjectDisposedException(nameof(HistorianDataSource));
 
-            // Fast path: already connected (no lock needed)
-            if (Volatile.Read(ref _connection) != null)
-                return;
+            if (Volatile.Read(ref _connection) != null) return;
 
-            // Create and wait for connection outside the lock so concurrent history
-            // requests are not serialized behind a slow Historian handshake. The cluster
-            // picker iterates configured nodes and returns the first that successfully connects.
             var (conn, winningNode) = ConnectToAnyHealthyNode(HistorianConnectionType.Process);
 
             lock (_connectionLock)
@@ -203,15 +174,13 @@ namespace ZB.MOM.WW.OtOpcUa.Historian.Aveva
 
                 if (_connection != null)
                 {
-                    // Another thread connected while we were waiting
                     conn.CloseConnection(out _);
                     conn.Dispose();
                     return;
                 }
 
                 _connection = conn;
-                lock (_healthLock)
-                    _activeProcessNode = winningNode;
+                lock (_healthLock) _activeProcessNode = winningNode;
                 Log.Information("Historian SDK connection opened to {Server}:{Port}", winningNode, _config.Port);
             }
         }
@@ -220,8 +189,7 @@ namespace ZB.MOM.WW.OtOpcUa.Historian.Aveva
         {
             lock (_connectionLock)
             {
-                if (_connection == null)
-                    return;
+                if (_connection == null) return;
 
                 try
                 {
@@ -241,10 +209,8 @@ namespace ZB.MOM.WW.OtOpcUa.Historian.Aveva
                     _activeProcessNode = null;
                 }
 
-                if (failedNode != null)
-                    _picker.MarkFailed(failedNode, ex?.Message ?? "mid-query failure");
-                Log.Warning(ex, "Historian SDK connection reset (node={Node}) — will reconnect on next request",
-                    failedNode ?? "(unknown)");
+                if (failedNode != null) _picker.MarkFailed(failedNode, ex?.Message ?? "mid-query failure");
+                Log.Warning(ex, "Historian SDK connection reset (node={Node})", failedNode ?? "(unknown)");
             }
         }
 
@@ -253,8 +219,7 @@ namespace ZB.MOM.WW.OtOpcUa.Historian.Aveva
             if (_disposed)
                 throw new ObjectDisposedException(nameof(HistorianDataSource));
 
-            if (Volatile.Read(ref _eventConnection) != null)
-                return;
+            if (Volatile.Read(ref _eventConnection) != null) return;
 
             var (conn, winningNode) = ConnectToAnyHealthyNode(HistorianConnectionType.Event);
 
@@ -275,10 +240,8 @@ namespace ZB.MOM.WW.OtOpcUa.Historian.Aveva
                 }
 
                 _eventConnection = conn;
-                lock (_healthLock)
-                    _activeEventNode = winningNode;
-                Log.Information("Historian SDK event connection opened to {Server}:{Port}",
-                    winningNode, _config.Port);
+                lock (_healthLock) _activeEventNode = winningNode;
+                Log.Information("Historian SDK event connection opened to {Server}:{Port}", winningNode, _config.Port);
             }
         }
 
@@ -286,8 +249,7 @@ namespace ZB.MOM.WW.OtOpcUa.Historian.Aveva
         {
             lock (_eventConnectionLock)
             {
-                if (_eventConnection == null)
-                    return;
+                if (_eventConnection == null) return;
 
                 try
                 {
@@ -307,20 +269,16 @@ namespace ZB.MOM.WW.OtOpcUa.Historian.Aveva
                     _activeEventNode = null;
                 }
 
-                if (failedNode != null)
-                    _picker.MarkFailed(failedNode, ex?.Message ?? "mid-query failure");
-                Log.Warning(ex, "Historian SDK event connection reset (node={Node}) — will reconnect on next request",
-                    failedNode ?? "(unknown)");
+                if (failedNode != null) _picker.MarkFailed(failedNode, ex?.Message ?? "mid-query failure");
+                Log.Warning(ex, "Historian SDK event connection reset (node={Node})", failedNode ?? "(unknown)");
             }
         }
 
-
-        /// <inheritdoc />
-        public Task<List<DataValue>> ReadRawAsync(
+        public Task<List<HistorianSample>> ReadRawAsync(
             string tagName, DateTime startTime, DateTime endTime, int maxValues,
             CancellationToken ct = default)
         {
-            var results = new List<DataValue>();
+            var results = new List<HistorianSample>();
 
             try
             {
@@ -364,32 +322,22 @@ namespace ZB.MOM.WW.OtOpcUa.Historian.Aveva
                     else
                         value = result.Value;
 
-                    var quality = (byte)(result.OpcQuality & 0xFF);
-
-                    results.Add(new DataValue
+                    results.Add(new HistorianSample
                     {
-                        Value = new Variant(value),
-                        SourceTimestamp = timestamp,
-                        ServerTimestamp = timestamp,
-                        StatusCode = QualityMapper.MapToOpcUaStatusCode(QualityMapper.MapFromMxAccessQuality(quality))
+                        Value = value,
+                        TimestampUtc = timestamp,
+                        Quality = (byte)(result.OpcQuality & 0xFF),
                     });
 
                     count++;
-                    if (limit > 0 && count >= limit)
-                        break;
+                    if (limit > 0 && count >= limit) break;
                 }
 
                 query.EndQuery(out _);
                 RecordSuccess();
             }
-            catch (OperationCanceledException)
-            {
-                throw;
-            }
-            catch (ObjectDisposedException)
-            {
-                throw;
-            }
+            catch (OperationCanceledException) { throw; }
+            catch (ObjectDisposedException) { throw; }
             catch (Exception ex)
             {
                 Log.Warning(ex, "HistoryRead raw failed for {Tag}", tagName);
@@ -403,13 +351,12 @@ namespace ZB.MOM.WW.OtOpcUa.Historian.Aveva
             return Task.FromResult(results);
         }
 
-        /// <inheritdoc />
-        public Task<List<DataValue>> ReadAggregateAsync(
+        public Task<List<HistorianAggregateSample>> ReadAggregateAsync(
             string tagName, DateTime startTime, DateTime endTime,
             double intervalMs, string aggregateColumn,
             CancellationToken ct = default)
         {
-            var results = new List<DataValue>();
+            var results = new List<HistorianAggregateSample>();
 
             try
             {
@@ -426,8 +373,7 @@ namespace ZB.MOM.WW.OtOpcUa.Historian.Aveva
 
                 if (!query.StartQuery(args, out var error))
                 {
-                    Log.Warning("Historian SDK aggregate query start failed for {Tag}: {Error}", tagName,
-                        error.ErrorCode);
+                    Log.Warning("Historian SDK aggregate query start failed for {Tag}: {Error}", tagName, error.ErrorCode);
                     RecordFailure($"aggregate StartQuery: {error.ErrorCode}");
                     HandleConnectionError();
                     return Task.FromResult(results);
@@ -441,26 +387,18 @@ namespace ZB.MOM.WW.OtOpcUa.Historian.Aveva
                     var timestamp = DateTime.SpecifyKind(result.StartDateTime, DateTimeKind.Utc);
                     var value = ExtractAggregateValue(result, aggregateColumn);
 
-                    results.Add(new DataValue
+                    results.Add(new HistorianAggregateSample
                     {
-                        Value = new Variant(value),
-                        SourceTimestamp = timestamp,
-                        ServerTimestamp = timestamp,
-                        StatusCode = value != null ? StatusCodes.Good : StatusCodes.BadNoData
+                        Value = value,
+                        TimestampUtc = timestamp,
                     });
                 }
 
                 query.EndQuery(out _);
                 RecordSuccess();
             }
-            catch (OperationCanceledException)
-            {
-                throw;
-            }
-            catch (ObjectDisposedException)
-            {
-                throw;
-            }
+            catch (OperationCanceledException) { throw; }
+            catch (ObjectDisposedException) { throw; }
             catch (Exception ex)
             {
                 Log.Warning(ex, "HistoryRead aggregate failed for {Tag}", tagName);
@@ -474,12 +412,11 @@ namespace ZB.MOM.WW.OtOpcUa.Historian.Aveva
             return Task.FromResult(results);
         }
 
-        /// <inheritdoc />
-        public Task<List<DataValue>> ReadAtTimeAsync(
+        public Task<List<HistorianSample>> ReadAtTimeAsync(
             string tagName, DateTime[] timestamps,
             CancellationToken ct = default)
         {
-            var results = new List<DataValue>();
+            var results = new List<HistorianSample>();
 
             if (timestamps == null || timestamps.Length == 0)
                 return Task.FromResult(results);
@@ -504,12 +441,11 @@ namespace ZB.MOM.WW.OtOpcUa.Historian.Aveva
 
                     if (!query.StartQuery(args, out var error))
                     {
-                        results.Add(new DataValue
+                        results.Add(new HistorianSample
                         {
-                            Value = Variant.Null,
-                            SourceTimestamp = timestamp,
-                            ServerTimestamp = timestamp,
-                            StatusCode = StatusCodes.BadNoData
+                            Value = null,
+                            TimestampUtc = DateTime.SpecifyKind(timestamp, DateTimeKind.Utc),
+                            Quality = 0, // Bad
                         });
                         continue;
                     }
@@ -523,24 +459,20 @@ namespace ZB.MOM.WW.OtOpcUa.Historian.Aveva
                         else
                             value = result.Value;
 
-                        var quality = (byte)(result.OpcQuality & 0xFF);
-                        results.Add(new DataValue
+                        results.Add(new HistorianSample
                         {
-                            Value = new Variant(value),
-                            SourceTimestamp = timestamp,
-                            ServerTimestamp = timestamp,
-                            StatusCode = QualityMapper.MapToOpcUaStatusCode(
-                                QualityMapper.MapFromMxAccessQuality(quality))
+                            Value = value,
+                            TimestampUtc = DateTime.SpecifyKind(timestamp, DateTimeKind.Utc),
+                            Quality = (byte)(result.OpcQuality & 0xFF),
                         });
                     }
                     else
                     {
-                        results.Add(new DataValue
+                        results.Add(new HistorianSample
                         {
-                            Value = Variant.Null,
-                            SourceTimestamp = timestamp,
-                            ServerTimestamp = timestamp,
-                            StatusCode = StatusCodes.BadNoData
+                            Value = null,
+                            TimestampUtc = DateTime.SpecifyKind(timestamp, DateTimeKind.Utc),
+                            Quality = 0,
                         });
                     }
 
@@ -548,14 +480,8 @@ namespace ZB.MOM.WW.OtOpcUa.Historian.Aveva
                 }
                 RecordSuccess();
             }
-            catch (OperationCanceledException)
-            {
-                throw;
-            }
-            catch (ObjectDisposedException)
-            {
-                throw;
-            }
+            catch (OperationCanceledException) { throw; }
+            catch (ObjectDisposedException) { throw; }
             catch (Exception ex)
             {
                 Log.Warning(ex, "HistoryRead at-time failed for {Tag}", tagName);
@@ -569,7 +495,6 @@ namespace ZB.MOM.WW.OtOpcUa.Historian.Aveva
             return Task.FromResult(results);
         }
 
-        /// <inheritdoc />
         public Task<List<HistorianEventDto>> ReadEventsAsync(
             string? sourceName, DateTime startTime, DateTime endTime, int maxEvents,
             CancellationToken ct = default)
@@ -609,21 +534,14 @@ namespace ZB.MOM.WW.OtOpcUa.Historian.Aveva
                     ct.ThrowIfCancellationRequested();
                     results.Add(ToDto(query.QueryResult));
                     count++;
-                    if (maxEvents > 0 && count >= maxEvents)
-                        break;
+                    if (maxEvents > 0 && count >= maxEvents) break;
                 }
 
                 query.EndQuery(out _);
                 RecordSuccess();
             }
-            catch (OperationCanceledException)
-            {
-                throw;
-            }
-            catch (ObjectDisposedException)
-            {
-                throw;
-            }
+            catch (OperationCanceledException) { throw; }
+            catch (ObjectDisposedException) { throw; }
             catch (Exception ex)
             {
                 Log.Warning(ex, "HistoryRead events failed for source {Source}", sourceName ?? "(all)");
@@ -639,6 +557,11 @@ namespace ZB.MOM.WW.OtOpcUa.Historian.Aveva
 
         private static HistorianEventDto ToDto(HistorianEvent evt)
         {
+            // The ArchestrA SDK marks these properties obsolete but still returns them; their
+            // successors aren't wired in the version we bind against. Using them is the documented
+            // v1 behavior — suppressed locally instead of project-wide so any non-event use of
+            // deprecated SDK surface still surfaces as an error.
+#pragma warning disable CS0618
             return new HistorianEventDto
             {
                 Id = evt.Id,
@@ -648,11 +571,9 @@ namespace ZB.MOM.WW.OtOpcUa.Historian.Aveva
                 DisplayText = evt.DisplayText,
                 Severity = (ushort)evt.Severity
             };
+#pragma warning restore CS0618
         }
 
-        /// <summary>
-        ///     Extracts the requested aggregate value from an <see cref="AnalogSummaryQueryResult"/> by column name.
-        /// </summary>
         internal static double? ExtractAggregateValue(AnalogSummaryQueryResult result, string column)
         {
             switch (column)
@@ -668,13 +589,9 @@ namespace ZB.MOM.WW.OtOpcUa.Historian.Aveva
             }
         }
 
-        /// <summary>
-        ///     Closes the Historian SDK connection and releases resources.
-        /// </summary>
         public void Dispose()
         {
-            if (_disposed)
-                return;
+            if (_disposed) return;
             _disposed = true;
 
             try

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/Backend/Historian/HistorianEventDto.cs

@@ -1,10 +1,10 @@
 using System;
 
-namespace ZB.MOM.WW.OtOpcUa.Host.Historian
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend.Historian
 {
     /// <summary>
-    ///     SDK-free representation of a Historian event record exposed by the historian plugin.
-    ///     Prevents ArchestrA types from leaking into the Host assembly.
+    ///     SDK-free representation of a Historian event record. Prevents ArchestrA types from
+    ///     leaking beyond <c>HistorianDataSource</c>.
     /// </summary>
     public sealed class HistorianEventDto
     {

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/Backend/Historian/HistorianHealthSnapshot.cs

@@ -0,0 +1,27 @@
+using System;
+using System.Collections.Generic;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend.Historian
+{
+    /// <summary>
+    ///     Point-in-time runtime health of the historian subsystem — consumed by the status dashboard
+    ///     via an IPC health query (not wired in PR #5; deferred).
+    /// </summary>
+    public sealed class HistorianHealthSnapshot
+    {
+        public long TotalQueries { get; set; }
+        public long TotalSuccesses { get; set; }
+        public long TotalFailures { get; set; }
+        public int ConsecutiveFailures { get; set; }
+        public DateTime? LastSuccessTime { get; set; }
+        public DateTime? LastFailureTime { get; set; }
+        public string? LastError { get; set; }
+        public bool ProcessConnectionOpen { get; set; }
+        public bool EventConnectionOpen { get; set; }
+        public string? ActiveProcessNode { get; set; }
+        public string? ActiveEventNode { get; set; }
+        public int NodeCount { get; set; }
+        public int HealthyNodeCount { get; set; }
+        public List<HistorianClusterNodeState> Nodes { get; set; } = new();
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/Backend/Historian/HistorianQualityMapper.cs

@@ -0,0 +1,46 @@
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend.Historian;
+
+/// <summary>
+///     Maps a raw OPC DA quality byte (as returned by Wonderware Historian's <c>OpcQuality</c>)
+///     to an OPC UA <c>StatusCode</c> uint. Preserves specific codes (BadNotConnected,
+///     UncertainSubNormal, etc.) instead of collapsing to Good/Uncertain/Bad categories.
+///     Mirrors v1 <c>QualityMapper.MapToOpcUaStatusCode</c> without pulling in OPC UA types —
+///     the returned value is the 32-bit OPC UA <c>StatusCode</c> wire encoding that the Proxy
+///     surfaces directly as <c>DataValueSnapshot.StatusCode</c>.
+/// </summary>
+public static class HistorianQualityMapper
+{
+    /// <summary>
+    ///     Map an 8-bit OPC DA quality byte to the corresponding OPC UA StatusCode. The byte
+    ///     family bits decide the category (Good &gt;= 192, Uncertain 64-191, Bad 0-63); the
+    ///     low-nibble subcode selects the specific code.
+    /// </summary>
+    public static uint Map(byte q) => q switch
+    {
+        // Good family (192+)
+        192 => 0x00000000u,             // Good
+        216 => 0x00D80000u,             // Good_LocalOverride
+
+        // Uncertain family (64-191)
+        64 => 0x40000000u,              // Uncertain
+        68 => 0x40900000u,              // Uncertain_LastUsableValue
+        80 => 0x40930000u,              // Uncertain_SensorNotAccurate
+        84 => 0x40940000u,              // Uncertain_EngineeringUnitsExceeded
+        88 => 0x40950000u,              // Uncertain_SubNormal
+
+        // Bad family (0-63)
+        0  => 0x80000000u,              // Bad
+        4  => 0x80890000u,              // Bad_ConfigurationError
+        8  => 0x808A0000u,              // Bad_NotConnected
+        12 => 0x808B0000u,              // Bad_DeviceFailure
+        16 => 0x808C0000u,              // Bad_SensorFailure
+        20 => 0x80050000u,              // Bad_CommunicationError
+        24 => 0x808D0000u,              // Bad_OutOfService
+        32 => 0x80320000u,              // Bad_WaitingForInitialData
+
+        // Unknown code — fall back to the category so callers still get a sensible bucket.
+        _ when q >= 192 => 0x00000000u,
+        _ when q >= 64 => 0x40000000u,
+        _ => 0x80000000u,
+    };
+}

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/Backend/Historian/HistorianSample.cs

@@ -0,0 +1,30 @@
+using System;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend.Historian
+{
+    /// <summary>
+    ///     OPC-UA-free representation of a single historical data point. The Host returns these
+    ///     across the IPC boundary as <c>GalaxyDataValue</c>; the Proxy maps quality and value to
+    ///     OPC UA <c>DataValue</c>. Raw MX quality byte is preserved so the Proxy can use the same
+    ///     quality mapper it already uses for live reads.
+    /// </summary>
+    public sealed class HistorianSample
+    {
+        public object? Value { get; set; }
+
+        /// <summary>Raw OPC DA quality byte from the historian SDK (low 8 bits of OpcQuality).</summary>
+        public byte Quality { get; set; }
+
+        public DateTime TimestampUtc { get; set; }
+    }
+
+    /// <summary>
+    ///     Result of <see cref="IHistorianDataSource.ReadAggregateAsync"/>. When <see cref="Value"/> is
+    ///     null the aggregate is unavailable for that bucket (Proxy maps to <c>BadNoData</c>).
+    /// </summary>
+    public sealed class HistorianAggregateSample
+    {
+        public double? Value { get; set; }
+        public DateTime TimestampUtc { get; set; }
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/Backend/Historian/IHistorianConnectionFactory.cs

@@ -1,26 +1,19 @@
 using System;
 using System.Threading;
 using ArchestrA;
-using ZB.MOM.WW.OtOpcUa.Host.Configuration;
 
-namespace ZB.MOM.WW.OtOpcUa.Historian.Aveva
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend.Historian
 {
     /// <summary>
-    ///     Creates and opens Historian SDK connections. Extracted so tests can inject
-    ///     fakes that control connection success, failure, and timeout behavior.
+    ///     Creates and opens Historian SDK connections. Extracted so tests can inject fakes that
+    ///     control connection success, failure, and timeout behavior.
     /// </summary>
     internal interface IHistorianConnectionFactory
     {
-        /// <summary>
-        ///     Creates a new Historian SDK connection, opens it, and waits until it is ready.
-        ///     Throws on connection failure or timeout.
-        /// </summary>
         HistorianAccess CreateAndConnect(HistorianConfiguration config, HistorianConnectionType type);
     }
 
-    /// <summary>
-    ///     Production implementation that creates real Historian SDK connections.
-    /// </summary>
+    /// <summary>Production implementation — opens real Historian SDK connections.</summary>
     internal sealed class SdkHistorianConnectionFactory : IHistorianConnectionFactory
     {
         public HistorianAccess CreateAndConnect(HistorianConfiguration config, HistorianConnectionType type)
@@ -51,7 +44,6 @@ namespace ZB.MOM.WW.OtOpcUa.Historian.Aveva
                     $"Failed to open Historian SDK connection to {config.ServerName}:{config.Port}: {error.ErrorCode}");
             }
 
-            // The SDK connects asynchronously — poll until the connection is ready
             var timeoutMs = config.CommandTimeoutSeconds * 1000;
             var elapsed = 0;
             while (elapsed < timeoutMs)

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/Backend/Historian/IHistorianDataSource.cs

@@ -2,27 +2,26 @@ using System;
 using System.Collections.Generic;
 using System.Threading;
 using System.Threading.Tasks;
-using Opc.Ua;
 
-namespace ZB.MOM.WW.OtOpcUa.Host.Historian
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend.Historian
 {
     /// <summary>
-    ///     OPC UA-typed surface for the historian plugin. Host consumers depend only on this
-    ///     interface so the Wonderware Historian SDK assemblies are not required unless the
-    ///     plugin is loaded at runtime.
+    ///     OPC-UA-free surface for the Wonderware Historian subsystem inside Galaxy.Host.
+    ///     Implementations read via the aahClient* SDK; the Proxy side maps returned samples
+    ///     to OPC UA <c>DataValue</c>.
     /// </summary>
     public interface IHistorianDataSource : IDisposable
     {
-        Task<List<DataValue>> ReadRawAsync(
+        Task<List<HistorianSample>> ReadRawAsync(
             string tagName, DateTime startTime, DateTime endTime, int maxValues,
             CancellationToken ct = default);
 
-        Task<List<DataValue>> ReadAggregateAsync(
+        Task<List<HistorianAggregateSample>> ReadAggregateAsync(
             string tagName, DateTime startTime, DateTime endTime,
             double intervalMs, string aggregateColumn,
             CancellationToken ct = default);
 
-        Task<List<DataValue>> ReadAtTimeAsync(
+        Task<List<HistorianSample>> ReadAtTimeAsync(
             string tagName, DateTime[] timestamps,
             CancellationToken ct = default);
 
@@ -30,11 +29,6 @@ namespace ZB.MOM.WW.OtOpcUa.Host.Historian
             string? sourceName, DateTime startTime, DateTime endTime, int maxEvents,
             CancellationToken ct = default);
 
-        /// <summary>
-        ///     Returns a runtime snapshot of query success/failure counters and connection state.
-        ///     Consumed by the status dashboard and health check service so operators can detect
-        ///     silent query degradation that the load-time plugin status can't catch.
-        /// </summary>
         HistorianHealthSnapshot GetHealthSnapshot();
     }
 }

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/Backend/IGalaxyBackend.cs

@@ -14,6 +14,15 @@ namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend;
 /// </summary>
 public interface IGalaxyBackend
 {
+    /// <summary>
+    ///     Server-pushed events the backend raises asynchronously (data-change, alarm,
+    ///     host-status). The frame handler subscribes once on connect and forwards each
+    ///     event to the Proxy as a typed <see cref="MessageKind"/> notification.
+    /// </summary>
+    event System.EventHandler<OnDataChangeNotification>? OnDataChange;
+    event System.EventHandler<GalaxyAlarmEvent>? OnAlarmEvent;
+    event System.EventHandler<HostConnectivityStatus>? OnHostStatusChanged;
+
     Task<OpenSessionResponse> OpenSessionAsync(OpenSessionRequest req, CancellationToken ct);
     Task CloseSessionAsync(CloseSessionRequest req, CancellationToken ct);
 
@@ -29,6 +38,9 @@ public interface IGalaxyBackend
     Task AcknowledgeAlarmAsync(AlarmAckRequest req, CancellationToken ct);
 
     Task<HistoryReadResponse> HistoryReadAsync(HistoryReadRequest req, CancellationToken ct);
+    Task<HistoryReadProcessedResponse> HistoryReadProcessedAsync(HistoryReadProcessedRequest req, CancellationToken ct);
+    Task<HistoryReadAtTimeResponse> HistoryReadAtTimeAsync(HistoryReadAtTimeRequest req, CancellationToken ct);
+    Task<HistoryReadEventsResponse> HistoryReadEventsAsync(HistoryReadEventsRequest req, CancellationToken ct);
 
     Task<RecycleStatusResponse> RecycleAsync(RecycleHostRequest req, CancellationToken ct);
 }

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/Backend/MxAccess/MxAccessClient.cs

@@ -1,8 +1,10 @@
 using System;
 using System.Collections.Concurrent;
+using System.Linq;
 using System.Threading;
 using System.Threading.Tasks;
 using ArchestrA.MxAccess;
+using Serilog;
 using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Sta;
 
 namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend.MxAccess;
@@ -17,9 +19,12 @@ namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend.MxAccess;
 /// </summary>
 public sealed class MxAccessClient : IDisposable
 {
+    private static readonly ILogger Log = Serilog.Log.ForContext<MxAccessClient>();
+
     private readonly StaPump _pump;
     private readonly IMxProxy _proxy;
     private readonly string _clientName;
+    private readonly MxAccessClientOptions _options;
 
     // Galaxy attribute reference → MXAccess item handle (set on first Subscribe/Read).
     private readonly ConcurrentDictionary<string, int> _addressToHandle = new(StringComparer.OrdinalIgnoreCase);
@@ -30,39 +35,195 @@ public sealed class MxAccessClient : IDisposable
 
     private int _connectionHandle;
     private bool _connected;
+    private DateTime _lastObservedActivityUtc = DateTime.UtcNow;
+    private CancellationTokenSource? _monitorCts;
+    private int _reconnectCount;
+    private bool _disposed;
 
-    public MxAccessClient(StaPump pump, IMxProxy proxy, string clientName)
+    /// <summary>Fires whenever the connection transitions Connected ↔ Disconnected.</summary>
+    public event EventHandler<bool>? ConnectionStateChanged;
+
+    /// <summary>
+    ///     Fires once per failed subscription replay after a reconnect. Carries the tag reference
+    ///     and the exception so the backend can propagate the degradation signal (e.g. mark the
+    ///     subscription bad on the Proxy side rather than silently losing its callback). Added for
+    ///     PR 6 low finding #2 — the replay loop previously ate per-tag failures silently and an
+    ///     operator would only find out that a specific subscription stopped updating through a
+    ///     data-quality complaint from downstream.
+    /// </summary>
+    public event EventHandler<SubscriptionReplayFailedEventArgs>? SubscriptionReplayFailed;
+
+    public MxAccessClient(StaPump pump, IMxProxy proxy, string clientName, MxAccessClientOptions? options = null)
     {
         _pump = pump;
         _proxy = proxy;
         _clientName = clientName;
+        _options = options ?? new MxAccessClientOptions();
         _proxy.OnDataChange += OnDataChange;
         _proxy.OnWriteComplete += OnWriteComplete;
     }
 
     public bool IsConnected => _connected;
     public int SubscriptionCount => _subscriptions.Count;
+    public int ReconnectCount => _reconnectCount;
 
-    /// <summary>Connects on the STA thread. Idempotent.</summary>
-    public Task<int> ConnectAsync() => _pump.InvokeAsync(() =>
-    {
-        if (_connected) return _connectionHandle;
-        _connectionHandle = _proxy.Register(_clientName);
-        _connected = true;
-        return _connectionHandle;
-    });
+    /// <summary>
+    ///     Wonderware client identity used when registering with the LMXProxyServer. Surfaced so
+    ///     <see cref="Backend.MxAccessGalaxyBackend"/> can tag its <c>OnHostStatusChanged</c> IPC
+    ///     pushes with a stable gateway name per PR 8.
+    /// </summary>
+    public string ClientName => _clientName;
 
-    public Task DisconnectAsync() => _pump.InvokeAsync(() =>
+    /// <summary>Connects on the STA thread. Idempotent. Starts the reconnect monitor on first call.</summary>
+    public async Task<int> ConnectAsync()
     {
-        if (!_connected) return;
-        try { _proxy.Unregister(_connectionHandle); }
-        finally
+        var handle = await _pump.InvokeAsync(() =>
         {
-            _connected = false;
-            _addressToHandle.Clear();
-            _handleToAddress.Clear();
+            if (_connected) return _connectionHandle;
+            _connectionHandle = _proxy.Register(_clientName);
+            _connected = true;
+            return _connectionHandle;
+        });
+
+        ConnectionStateChanged?.Invoke(this, true);
+
+        if (_options.AutoReconnect && _monitorCts is null)
+        {
+            _monitorCts = new CancellationTokenSource();
+            _ = Task.Run(() => MonitorLoopAsync(_monitorCts.Token));
         }
-    });
+
+        return handle;
+    }
+
+    public async Task DisconnectAsync()
+    {
+        _monitorCts?.Cancel();
+        _monitorCts = null;
+
+        await _pump.InvokeAsync(() =>
+        {
+            if (!_connected) return;
+            try { _proxy.Unregister(_connectionHandle); }
+            finally
+            {
+                _connected = false;
+                _addressToHandle.Clear();
+                _handleToAddress.Clear();
+            }
+        });
+
+        ConnectionStateChanged?.Invoke(this, false);
+    }
+
+    /// <summary>
+    ///     Background loop that watches for connection liveness signals and triggers
+    ///     reconnect-with-replay when the connection appears dead. Per Phase 2 high finding #2:
+    ///     v1's MxAccessClient.Monitor pattern lifted into the new pump-based client. Uses
+    ///     observed-activity timestamp + optional probe-tag subscription. Without an explicit
+    ///     probe tag, falls back to "no data change in N seconds + no successful read in N
+    ///     seconds = unhealthy" — same shape as v1.
+    /// </summary>
+    private async Task MonitorLoopAsync(CancellationToken ct)
+    {
+        while (!ct.IsCancellationRequested)
+        {
+            try { await Task.Delay(_options.MonitorInterval, ct); }
+            catch (OperationCanceledException) { break; }
+
+            if (!_connected || _disposed) continue;
+
+            var idle = DateTime.UtcNow - _lastObservedActivityUtc;
+            if (idle <= _options.StaleThreshold) continue;
+
+            // Probe: try a no-op COM call. If the proxy is dead, the call will throw — that's
+            // our reconnect signal. PR 6 low finding #1: AddItem allocates an MXAccess item
+            // handle; we must RemoveItem it on the same pump turn or the long-running monitor
+            // leaks one handle per probe cycle (one every MonitorInterval seconds, indefinitely).
+            bool probeOk;
+            try
+            {
+                probeOk = await _pump.InvokeAsync(() =>
+                {
+                    int probeHandle = 0;
+                    try
+                    {
+                        probeHandle = _proxy.AddItem(_connectionHandle, "$Heartbeat");
+                        return probeHandle > 0;
+                    }
+                    catch { return false; }
+                    finally
+                    {
+                        if (probeHandle > 0)
+                        {
+                            try { _proxy.RemoveItem(_connectionHandle, probeHandle); }
+                            catch { /* proxy is dying; best-effort cleanup */ }
+                        }
+                    }
+                });
+            }
+            catch { probeOk = false; }
+
+            if (probeOk)
+            {
+                _lastObservedActivityUtc = DateTime.UtcNow;
+                continue;
+            }
+
+            // Connection appears dead — reconnect-with-replay.
+            try
+            {
+                await _pump.InvokeAsync(() =>
+                {
+                    try { _proxy.Unregister(_connectionHandle); } catch { /* dead anyway */ }
+                    _connected = false;
+                });
+                ConnectionStateChanged?.Invoke(this, false);
+
+                await _pump.InvokeAsync(() =>
+                {
+                    _connectionHandle = _proxy.Register(_clientName);
+                    _connected = true;
+                });
+                _reconnectCount++;
+                ConnectionStateChanged?.Invoke(this, true);
+
+                // Replay every subscription that was active before the disconnect. PR 6 low
+                // finding #2: surface per-tag failures — log them and raise
+                // SubscriptionReplayFailed so the backend can propagate the degraded state
+                // (previously swallowed silently; downstream quality dropped without a signal).
+                var snapshot = _addressToHandle.Keys.ToArray();
+                _addressToHandle.Clear();
+                _handleToAddress.Clear();
+                var failed = 0;
+                foreach (var fullRef in snapshot)
+                {
+                    try { await SubscribeOnPumpAsync(fullRef); }
+                    catch (Exception subEx)
+                    {
+                        failed++;
+                        Log.Warning(subEx,
+                            "MXAccess subscription replay failed for {TagReference} after reconnect #{Reconnect}",
+                            fullRef, _reconnectCount);
+                        SubscriptionReplayFailed?.Invoke(this,
+                            new SubscriptionReplayFailedEventArgs(fullRef, subEx));
+                    }
+                }
+
+                if (failed > 0)
+                    Log.Warning("Subscription replay completed — {Failed} of {Total} failed", failed, snapshot.Length);
+                else
+                    Log.Information("Subscription replay completed — {Total} re-subscribed cleanly", snapshot.Length);
+
+                _lastObservedActivityUtc = DateTime.UtcNow;
+            }
+            catch
+            {
+                // Reconnect failed; back off and retry on the next tick.
+                _connected = false;
+            }
+        }
+    }
 
     /// <summary>
     ///     One-shot read implemented as a transient subscribe + unsubscribe.
@@ -79,26 +240,72 @@ public sealed class MxAccessClient : IDisposable
 
         // Stash the one-shot handler before sending the subscribe, then remove it after firing.
         _subscriptions.AddOrUpdate(fullReference, oneShot, (_, existing) => Combine(existing, oneShot));
+        var addedToReadOnlyAttribute = !_addressToHandle.ContainsKey(fullReference);
 
-        var itemHandle = await SubscribeOnPumpAsync(fullReference);
+        try
+        {
+            await SubscribeOnPumpAsync(fullReference);
 
-        using var _ = ct.Register(() => tcs.TrySetCanceled());
-        var raceTask = await Task.WhenAny(tcs.Task, Task.Delay(timeout, ct));
-        if (raceTask != tcs.Task) throw new TimeoutException($"MXAccess read of {fullReference} timed out after {timeout}");
+            using var _ = ct.Register(() => tcs.TrySetCanceled());
+            var raceTask = await Task.WhenAny(tcs.Task, Task.Delay(timeout, ct));
+            if (raceTask != tcs.Task) throw new TimeoutException($"MXAccess read of {fullReference} timed out after {timeout}");
 
-        // Detach the one-shot handler.
-        _subscriptions.AddOrUpdate(fullReference, _ => default!, (_, existing) => Remove(existing, oneShot));
-
-        return await tcs.Task;
+            return await tcs.Task;
+        }
+        finally
+        {
+            // High 1 — always detach the one-shot handler, even on cancellation/timeout/throw.
+            // If we were the one who added the underlying MXAccess subscription (no other
+            // caller had it), tear it down too so we don't leak a probe item handle.
+            _subscriptions.AddOrUpdate(fullReference, _ => default!, (_, existing) => Remove(existing, oneShot));
+            if (addedToReadOnlyAttribute)
+            {
+                try { await UnsubscribeAsync(fullReference); }
+                catch { /* shutdown-best-effort */ }
+            }
+        }
     }
 
-    public Task WriteAsync(string fullReference, object value, int securityClassification = 0) =>
-        _pump.InvokeAsync(() =>
+    /// <summary>
+    ///     Writes <paramref name="value"/> to the runtime and AWAITS the OnWriteComplete
+    ///     callback so the caller learns the actual write status. Per Phase 2 medium finding #4
+    ///     in <c>exit-gate-phase-2.md</c>: the previous fire-and-forget version returned a
+    ///     false-positive Good even when the runtime rejected the write post-callback.
+    /// </summary>
+    public async Task<bool> WriteAsync(string fullReference, object value,
+        int securityClassification = 0, TimeSpan? timeout = null)
+    {
+        if (!_connected) throw new InvalidOperationException("MxAccessClient not connected");
+        var actualTimeout = timeout ?? TimeSpan.FromSeconds(5);
+
+        var itemHandle = await _pump.InvokeAsync(() => ResolveItem(fullReference));
+
+        var tcs = new TaskCompletionSource<bool>(TaskCreationOptions.RunContinuationsAsynchronously);
+        if (!_pendingWrites.TryAdd(itemHandle, tcs))
         {
-            if (!_connected) throw new InvalidOperationException("MxAccessClient not connected");
-            var itemHandle = ResolveItem(fullReference);
-            _proxy.Write(_connectionHandle, itemHandle, value, securityClassification);
-        });
+            // A prior write to the same item handle is still pending — uncommon but possible
+            // if the caller spammed writes. Replace it: the older TCS observes a Cancelled task.
+            if (_pendingWrites.TryRemove(itemHandle, out var prior))
+                prior.TrySetCanceled();
+            _pendingWrites[itemHandle] = tcs;
+        }
+
+        try
+        {
+            await _pump.InvokeAsync(() =>
+                _proxy.Write(_connectionHandle, itemHandle, value, securityClassification));
+
+            var raceTask = await Task.WhenAny(tcs.Task, Task.Delay(actualTimeout));
+            if (raceTask != tcs.Task)
+                throw new TimeoutException($"MXAccess write of {fullReference} timed out after {actualTimeout}");
+
+            return await tcs.Task;
+        }
+        finally
+        {
+            _pendingWrites.TryRemove(itemHandle, out _);
+        }
+    }
 
     public async Task SubscribeAsync(string fullReference, Action<string, Vtq> callback)
     {
@@ -148,6 +355,9 @@ public sealed class MxAccessClient : IDisposable
     {
         if (!_handleToAddress.TryGetValue(phItemHandle, out var fullRef)) return;
 
+        // Liveness: any data-change event is proof the connection is alive.
+        _lastObservedActivityUtc = DateTime.UtcNow;
+
         var ts = pftItemTimeStamp is DateTime dt ? dt.ToUniversalTime() : DateTime.UtcNow;
         var quality = (byte)Math.Min(255, Math.Max(0, pwItemQuality));
         var vtq = new Vtq(pvItemValue, ts, quality);
@@ -169,10 +379,30 @@ public sealed class MxAccessClient : IDisposable
 
     public void Dispose()
     {
+        _disposed = true;
+        _monitorCts?.Cancel();
+
         try { DisconnectAsync().GetAwaiter().GetResult(); }
         catch { /* swallow */ }
 
         _proxy.OnDataChange -= OnDataChange;
         _proxy.OnWriteComplete -= OnWriteComplete;
+        _monitorCts?.Dispose();
     }
 }
+
+/// <summary>
+///     Tunables for <see cref="MxAccessClient"/>'s reconnect monitor. Defaults match the v1
+///     monitor's polling cadence so behavior is consistent across the lift.
+/// </summary>
+public sealed class MxAccessClientOptions
+{
+    /// <summary>Whether to start the background monitor at connect time.</summary>
+    public bool AutoReconnect { get; init; } = true;
+
+    /// <summary>How often the monitor wakes up to check liveness.</summary>
+    public TimeSpan MonitorInterval { get; init; } = TimeSpan.FromSeconds(5);
+
+    /// <summary>If no data-change activity in this window, the monitor probes the connection.</summary>
+    public TimeSpan StaleThreshold { get; init; } = TimeSpan.FromSeconds(60);
+}

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/Backend/MxAccess/SubscriptionReplayFailedEventArgs.cs

@@ -0,0 +1,20 @@
+using System;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend.MxAccess;
+
+/// <summary>
+///     Fired by <see cref="MxAccessClient.SubscriptionReplayFailed"/> when a previously-active
+///     subscription fails to be restored after a reconnect. The backend should treat the tag as
+///     unhealthy until the next successful resubscribe.
+/// </summary>
+public sealed class SubscriptionReplayFailedEventArgs : EventArgs
+{
+    public SubscriptionReplayFailedEventArgs(string tagReference, Exception exception)
+    {
+        TagReference = tagReference;
+        Exception = exception;
+    }
+
+    public string TagReference { get; }
+    public Exception Exception { get; }
+}

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/Backend/MxAccessGalaxyBackend.cs

@@ -4,8 +4,11 @@ using System.Linq;
 using System.Threading;
 using System.Threading.Tasks;
 using MessagePack;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend.Alarms;
 using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend.Galaxy;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend.Historian;
 using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend.MxAccess;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend.Stability;
 using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared.Contracts;
 
 namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend;
@@ -18,22 +21,114 @@ namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend;
 ///     MxAccess <c>AlarmExtension</c> primitives but the wire-up is also Phase 2 follow-up
 ///     (the v1 alarm subsystem is its own subtree).
 /// </summary>
-public sealed class MxAccessGalaxyBackend : IGalaxyBackend
+public sealed class MxAccessGalaxyBackend : IGalaxyBackend, IDisposable
 {
     private readonly GalaxyRepository _repository;
     private readonly MxAccessClient _mx;
+    private readonly IHistorianDataSource? _historian;
     private long _nextSessionId;
     private long _nextSubscriptionId;
 
     // Active SubscriptionId → MXAccess full reference list — so Unsubscribe can find them.
     private readonly System.Collections.Concurrent.ConcurrentDictionary<long, IReadOnlyList<string>> _subs = new();
+    // Reverse lookup: tag reference → subscription IDs subscribed to it (one tag may belong to many).
+    private readonly System.Collections.Concurrent.ConcurrentDictionary<string, System.Collections.Concurrent.ConcurrentBag<long>>
+        _refToSubs = new(System.StringComparer.OrdinalIgnoreCase);
 
-    public MxAccessGalaxyBackend(GalaxyRepository repository, MxAccessClient mx)
+    public event System.EventHandler<OnDataChangeNotification>? OnDataChange;
+    public event System.EventHandler<GalaxyAlarmEvent>? OnAlarmEvent;
+    public event System.EventHandler<HostConnectivityStatus>? OnHostStatusChanged;
+
+    private readonly System.EventHandler<bool> _onConnectionStateChanged;
+    private readonly GalaxyRuntimeProbeManager _probeManager;
+    private readonly System.EventHandler<HostStateTransition> _onProbeStateChanged;
+    private readonly GalaxyAlarmTracker _alarmTracker;
+    private readonly System.EventHandler<AlarmTransition> _onAlarmTransition;
+
+    // Cached during DiscoverAsync so SubscribeAlarmsAsync knows which attributes to advise.
+    // One entry per IsAlarm=true attribute in the last discovered hierarchy.
+    private readonly System.Collections.Concurrent.ConcurrentBag<string> _discoveredAlarmTags = new();
+
+    public MxAccessGalaxyBackend(GalaxyRepository repository, MxAccessClient mx, IHistorianDataSource? historian = null)
     {
         _repository = repository;
         _mx = mx;
+        _historian = historian;
+
+        // PR 8: gateway-level host-status push. When the MXAccess COM proxy transitions
+        // connected↔disconnected, raise OnHostStatusChanged with a synthetic host entry named
+        // after the Wonderware client identity so the Admin UI surfaces top-level transport
+        // health even before per-platform/per-engine probing lands (deferred to a later PR that
+        // ports v1's GalaxyRuntimeProbeManager with ScanState subscriptions).
+        _onConnectionStateChanged = (_, connected) =>
+        {
+            OnHostStatusChanged?.Invoke(this, new HostConnectivityStatus
+            {
+                HostName = _mx.ClientName,
+                RuntimeStatus = connected ? "Running" : "Stopped",
+                LastObservedUtcUnixMs = DateTimeOffset.UtcNow.ToUnixTimeMilliseconds(),
+            });
+        };
+        _mx.ConnectionStateChanged += _onConnectionStateChanged;
+
+        // PR 13: per-platform runtime probes. ScanState subscriptions fire OnProbeCallback,
+        // which runs the state machine and raises StateChanged on transitions we care about.
+        // We forward each transition through the same OnHostStatusChanged IPC event that the
+        // gateway-level ConnectionStateChanged uses — tagged with the platform's TagName so the
+        // Admin UI can show per-host health independently from the top-level transport status.
+        _probeManager = new GalaxyRuntimeProbeManager(
+            subscribe: (probe, cb) => _mx.SubscribeAsync(probe, cb),
+            unsubscribe: probe => _mx.UnsubscribeAsync(probe));
+        _onProbeStateChanged = (_, t) =>
+        {
+            OnHostStatusChanged?.Invoke(this, new HostConnectivityStatus
+            {
+                HostName = t.TagName,
+                RuntimeStatus = t.NewState switch
+                {
+                    HostRuntimeState.Running => "Running",
+                    HostRuntimeState.Stopped => "Stopped",
+                    _ => "Unknown",
+                },
+                LastObservedUtcUnixMs = new DateTimeOffset(t.AtUtc, TimeSpan.Zero).ToUnixTimeMilliseconds(),
+            });
+        };
+        _probeManager.StateChanged += _onProbeStateChanged;
+
+        // PR 14: alarm subsystem. Per IsAlarm=true attribute discovered, subscribe to the four
+        // alarm-state attributes (.InAlarm/.Priority/.DescAttrName/.Acked), track lifecycle,
+        // and raise GalaxyAlarmEvent on transitions — forwarded through the existing
+        // OnAlarmEvent IPC event that the PR 4 ConnectionSink already wires into AlarmEvent frames.
+        _alarmTracker = new GalaxyAlarmTracker(
+            subscribe: (tag, cb) => _mx.SubscribeAsync(tag, cb),
+            unsubscribe: tag => _mx.UnsubscribeAsync(tag),
+            write: (tag, v) => _mx.WriteAsync(tag, v));
+        _onAlarmTransition = (_, t) => OnAlarmEvent?.Invoke(this, new GalaxyAlarmEvent
+        {
+            EventId = Guid.NewGuid().ToString("N"),
+            ObjectTagName = t.AlarmTag,
+            AlarmName = t.AlarmTag,
+            Severity = t.Priority,
+            StateTransition = t.Transition switch
+            {
+                AlarmStateTransition.Active => "Active",
+                AlarmStateTransition.Acknowledged => "Acknowledged",
+                AlarmStateTransition.Inactive => "Inactive",
+                _ => "Unknown",
+            },
+            Message = t.DescAttrName ?? t.AlarmTag,
+            UtcUnixMs = new DateTimeOffset(t.AtUtc, TimeSpan.Zero).ToUnixTimeMilliseconds(),
+        });
+        _alarmTracker.TransitionRaised += _onAlarmTransition;
     }
 
+    /// <summary>
+    ///     Exposed for tests. Production flow: DiscoverAsync completes → backend calls
+    ///     <c>SyncProbesAsync</c> with the runtime hosts (WinPlatform + AppEngine gobjects) to
+    ///     advise ScanState per host.
+    /// </summary>
+    internal GalaxyRuntimeProbeManager ProbeManager => _probeManager;
+
     public async Task<OpenSessionResponse> OpenSessionAsync(OpenSessionRequest req, CancellationToken ct)
     {
         try
@@ -73,6 +168,34 @@ public sealed class MxAccessGalaxyBackend : IGalaxyBackend
                 Attributes = attrsByGobject.TryGetValue(o.GobjectId, out var a) ? a : Array.Empty<GalaxyAttributeInfo>(),
             }).ToArray();
 
+            // PR 14: cache alarm-bearing attribute full refs so SubscribeAlarmsAsync can advise
+            // them on demand. Format matches the Galaxy reference grammar <tag>.<attr>.
+            var freshAlarmTags = attributes
+                .Where(a => a.IsAlarm)
+                .Select(a => nameByGobject.TryGetValue(a.GobjectId, out var tn)
+                    ? tn + "." + a.AttributeName
+                    : null)
+                .Where(s => !string.IsNullOrWhiteSpace(s))
+                .Cast<string>()
+                .ToArray();
+            while (_discoveredAlarmTags.TryTake(out _)) { }
+            foreach (var t in freshAlarmTags) _discoveredAlarmTags.Add(t);
+
+            // PR 13: Sync the per-platform probe manager against the just-discovered hierarchy
+            // so ScanState subscriptions track the current runtime set. Best-effort — probe
+            // failures don't block Discover from returning, since the gateway-level signal from
+            // MxAccessClient.ConnectionStateChanged still flows and the Admin UI degrades to
+            // that level if any per-host probe couldn't advise.
+            try
+            {
+                var targets = hierarchy
+                    .Where(o => o.CategoryId == GalaxyRuntimeProbeManager.CategoryWinPlatform
+                             || o.CategoryId == GalaxyRuntimeProbeManager.CategoryAppEngine)
+                    .Select(o => new HostProbeTarget(o.TagName, o.CategoryId));
+                await _probeManager.SyncAsync(targets).ConfigureAwait(false);
+            }
+            catch { /* swallow — Discover succeeded; probes are a diagnostic enrichment */ }
+
             return new DiscoverHierarchyResponse { Success = true, Objects = objects };
         }
         catch (Exception ex)
@@ -120,8 +243,13 @@ public sealed class MxAccessGalaxyBackend : IGalaxyBackend
                     ? null
                     : MessagePackSerializer.Deserialize<object>(w.ValueBytes);
 
-                await _mx.WriteAsync(w.TagReference, value!);
-                results.Add(new WriteValueResult { TagReference = w.TagReference, StatusCode = 0 });
+                var ok = await _mx.WriteAsync(w.TagReference, value!);
+                results.Add(new WriteValueResult
+                {
+                    TagReference = w.TagReference,
+                    StatusCode = ok ? 0u : 0x80020000u, // Good or Bad_InternalError
+                    Error = ok ? null : "MXAccess runtime reported write failure",
+                });
             }
             catch (Exception ex)
             {
@@ -137,12 +265,16 @@ public sealed class MxAccessGalaxyBackend : IGalaxyBackend
 
         try
         {
-            // For each requested tag, register a subscription that publishes back via the
-            // shared MXAccess data-change handler. The OnDataChange push frame to the Proxy
-            // is wired in the upcoming subscription-push pass; for now the value is captured
-            // for the first ReadAsync to hit it (so the subscribe surface itself is functional).
             foreach (var tag in req.TagReferences)
-                await _mx.SubscribeAsync(tag, (_, __) => { /* push-frame plumbing in next iteration */ });
+            {
+                _refToSubs.AddOrUpdate(tag,
+                    _ => new System.Collections.Concurrent.ConcurrentBag<long> { sid },
+                    (_, bag) => { bag.Add(sid); return bag; });
+
+                // The MXAccess SubscribeAsync only takes one callback per tag; the same callback
+                // fires for every active subscription of that tag — we fan out by SubscriptionId.
+                await _mx.SubscribeAsync(tag, OnTagValueChanged);
+            }
 
             _subs[sid] = req.TagReferences;
             return new SubscribeResponse { Success = true, SubscriptionId = sid, ActualIntervalMs = req.RequestedIntervalMs };
@@ -157,23 +289,255 @@ public sealed class MxAccessGalaxyBackend : IGalaxyBackend
     {
         if (!_subs.TryRemove(req.SubscriptionId, out var refs)) return;
         foreach (var r in refs)
-            await _mx.UnsubscribeAsync(r);
+        {
+            // Drop this subscription from the reverse map; only unsubscribe from MXAccess if no
+            // other subscription is still listening (multiple Proxy subs may share a tag).
+            _refToSubs.TryGetValue(r, out var bag);
+            if (bag is not null)
+            {
+                var remaining = new System.Collections.Concurrent.ConcurrentBag<long>(
+                    bag.Where(id => id != req.SubscriptionId));
+                if (remaining.IsEmpty)
+                {
+                    _refToSubs.TryRemove(r, out _);
+                    await _mx.UnsubscribeAsync(r);
+                }
+                else
+                {
+                    _refToSubs[r] = remaining;
+                }
+            }
+        }
     }
 
-    public Task SubscribeAlarmsAsync(AlarmSubscribeRequest req, CancellationToken ct) => Task.CompletedTask;
-    public Task AcknowledgeAlarmAsync(AlarmAckRequest req, CancellationToken ct) => Task.CompletedTask;
+    /// <summary>
+    ///     Fires for every value change on any subscribed Galaxy attribute. Wraps the value in
+    ///     a <see cref="GalaxyDataValue"/> and raises <see cref="OnDataChange"/> once per
+    ///     subscription that includes this tag — the IPC sink translates that into outbound
+    ///     <c>OnDataChangeNotification</c> frames.
+    /// </summary>
+    private void OnTagValueChanged(string fullReference, MxAccess.Vtq vtq)
+    {
+        if (!_refToSubs.TryGetValue(fullReference, out var bag) || bag.IsEmpty) return;
 
-    public Task<HistoryReadResponse> HistoryReadAsync(HistoryReadRequest req, CancellationToken ct)
-        => Task.FromResult(new HistoryReadResponse
+        var wireValue = ToWire(fullReference, vtq);
+        // Emit one notification per active SubscriptionId for this tag — the Proxy fans out to
+        // each ISubscribable consumer based on the SubscriptionId in the payload.
+        foreach (var sid in bag.Distinct())
         {
-            Success = false,
-            Error = "Wonderware Historian plugin loader not yet wired (Phase 2 Task B.1.h follow-up)",
-            Tags = Array.Empty<HistoryTagValues>(),
-        });
+            OnDataChange?.Invoke(this, new OnDataChangeNotification
+            {
+                SubscriptionId = sid,
+                Values = new[] { wireValue },
+            });
+        }
+    }
+
+    /// <summary>
+    ///     PR 14: advise every alarm-bearing attribute's 4-attr quartet. Best-effort per-alarm —
+    ///     a subscribe failure on one alarm doesn't abort the whole call, since operators prefer
+    ///     partial alarm coverage to none. Idempotent on repeat calls (tracker internally
+    ///     skips already-tracked alarms).
+    /// </summary>
+    public async Task SubscribeAlarmsAsync(AlarmSubscribeRequest req, CancellationToken ct)
+    {
+        foreach (var tag in _discoveredAlarmTags)
+        {
+            try { await _alarmTracker.TrackAsync(tag).ConfigureAwait(false); }
+            catch { /* swallow per-alarm — tracker rolls back its own state on failure */ }
+        }
+    }
+
+    /// <summary>
+    ///     PR 14: route operator ack through the tracker's AckMsg write path. EventId on the
+    ///     incoming request maps directly to the alarm full reference (Proxy-side naming
+    ///     convention from GalaxyProxyDriver.RaiseAlarmEvent → ev.EventId).
+    /// </summary>
+    public async Task AcknowledgeAlarmAsync(AlarmAckRequest req, CancellationToken ct)
+    {
+        // EventId carries a per-transition Guid.ToString("N"); there's no reverse map from
+        // event id to alarm tag yet, so v1's convention (ack targets the condition) is matched
+        // by reading the alarm name from the Comment envelope: v1 packed "<tag>|<comment>".
+        // Until the Proxy is updated to send the alarm tag separately, fall back to treating
+        // the EventId as the alarm tag — Client CLI passes it through unchanged.
+        var tag = req.EventId;
+        if (!string.IsNullOrWhiteSpace(tag))
+        {
+            try { await _alarmTracker.AcknowledgeAsync(tag, req.Comment ?? string.Empty).ConfigureAwait(false); }
+            catch { /* swallow — ack failures surface via MxAccessClient.WriteAsync logs */ }
+        }
+    }
+
+    public async Task<HistoryReadResponse> HistoryReadAsync(HistoryReadRequest req, CancellationToken ct)
+    {
+        if (_historian is null)
+            return new HistoryReadResponse
+            {
+                Success = false,
+                Error = "Historian disabled — no OTOPCUA_HISTORIAN_ENABLED configuration",
+                Tags = Array.Empty<HistoryTagValues>(),
+            };
+
+        var start = DateTimeOffset.FromUnixTimeMilliseconds(req.StartUtcUnixMs).UtcDateTime;
+        var end = DateTimeOffset.FromUnixTimeMilliseconds(req.EndUtcUnixMs).UtcDateTime;
+        var tags = new List<HistoryTagValues>(req.TagReferences.Length);
+
+        try
+        {
+            foreach (var reference in req.TagReferences)
+            {
+                var samples = await _historian.ReadRawAsync(reference, start, end, (int)req.MaxValuesPerTag, ct).ConfigureAwait(false);
+                tags.Add(new HistoryTagValues
+                {
+                    TagReference = reference,
+                    Values = samples.Select(s => ToWire(reference, s)).ToArray(),
+                });
+            }
+            return new HistoryReadResponse { Success = true, Tags = tags.ToArray() };
+        }
+        catch (OperationCanceledException) { throw; }
+        catch (Exception ex)
+        {
+            return new HistoryReadResponse
+            {
+                Success = false,
+                Error = $"Historian read failed: {ex.Message}",
+                Tags = tags.ToArray(),
+            };
+        }
+    }
+
+    public async Task<HistoryReadProcessedResponse> HistoryReadProcessedAsync(
+        HistoryReadProcessedRequest req, CancellationToken ct)
+    {
+        if (_historian is null)
+            return new HistoryReadProcessedResponse
+            {
+                Success = false,
+                Error = "Historian disabled — no OTOPCUA_HISTORIAN_ENABLED configuration",
+                Values = Array.Empty<GalaxyDataValue>(),
+            };
+
+        if (req.IntervalMs <= 0)
+            return new HistoryReadProcessedResponse
+            {
+                Success = false,
+                Error = "HistoryReadProcessed requires IntervalMs > 0",
+                Values = Array.Empty<GalaxyDataValue>(),
+            };
+
+        var start = DateTimeOffset.FromUnixTimeMilliseconds(req.StartUtcUnixMs).UtcDateTime;
+        var end = DateTimeOffset.FromUnixTimeMilliseconds(req.EndUtcUnixMs).UtcDateTime;
+
+        try
+        {
+            var samples = await _historian.ReadAggregateAsync(
+                req.TagReference, start, end, req.IntervalMs, req.AggregateColumn, ct).ConfigureAwait(false);
+
+            var wire = samples.Select(s => ToWire(req.TagReference, s)).ToArray();
+            return new HistoryReadProcessedResponse { Success = true, Values = wire };
+        }
+        catch (OperationCanceledException) { throw; }
+        catch (Exception ex)
+        {
+            return new HistoryReadProcessedResponse
+            {
+                Success = false,
+                Error = $"Historian aggregate read failed: {ex.Message}",
+                Values = Array.Empty<GalaxyDataValue>(),
+            };
+        }
+    }
+
+    public async Task<HistoryReadAtTimeResponse> HistoryReadAtTimeAsync(
+        HistoryReadAtTimeRequest req, CancellationToken ct)
+    {
+        if (_historian is null)
+            return new HistoryReadAtTimeResponse
+            {
+                Success = false,
+                Error = "Historian disabled — no OTOPCUA_HISTORIAN_ENABLED configuration",
+                Values = Array.Empty<GalaxyDataValue>(),
+            };
+
+        if (req.TimestampsUtcUnixMs.Length == 0)
+            return new HistoryReadAtTimeResponse { Success = true, Values = Array.Empty<GalaxyDataValue>() };
+
+        var timestamps = req.TimestampsUtcUnixMs
+            .Select(ms => DateTimeOffset.FromUnixTimeMilliseconds(ms).UtcDateTime)
+            .ToArray();
+
+        try
+        {
+            var samples = await _historian.ReadAtTimeAsync(req.TagReference, timestamps, ct).ConfigureAwait(false);
+            var wire = samples.Select(s => ToWire(req.TagReference, s)).ToArray();
+            return new HistoryReadAtTimeResponse { Success = true, Values = wire };
+        }
+        catch (OperationCanceledException) { throw; }
+        catch (Exception ex)
+        {
+            return new HistoryReadAtTimeResponse
+            {
+                Success = false,
+                Error = $"Historian at-time read failed: {ex.Message}",
+                Values = Array.Empty<GalaxyDataValue>(),
+            };
+        }
+    }
+
+    public async Task<HistoryReadEventsResponse> HistoryReadEventsAsync(
+        HistoryReadEventsRequest req, CancellationToken ct)
+    {
+        if (_historian is null)
+            return new HistoryReadEventsResponse
+            {
+                Success = false,
+                Error = "Historian disabled — no OTOPCUA_HISTORIAN_ENABLED configuration",
+                Events = Array.Empty<GalaxyHistoricalEvent>(),
+            };
+
+        var start = DateTimeOffset.FromUnixTimeMilliseconds(req.StartUtcUnixMs).UtcDateTime;
+        var end = DateTimeOffset.FromUnixTimeMilliseconds(req.EndUtcUnixMs).UtcDateTime;
+
+        try
+        {
+            var events = await _historian.ReadEventsAsync(req.SourceName, start, end, req.MaxEvents, ct).ConfigureAwait(false);
+            var wire = events.Select(e => new GalaxyHistoricalEvent
+            {
+                EventId = e.Id.ToString(),
+                SourceName = e.Source,
+                EventTimeUtcUnixMs = new DateTimeOffset(DateTime.SpecifyKind(e.EventTime, DateTimeKind.Utc), TimeSpan.Zero).ToUnixTimeMilliseconds(),
+                ReceivedTimeUtcUnixMs = new DateTimeOffset(DateTime.SpecifyKind(e.ReceivedTime, DateTimeKind.Utc), TimeSpan.Zero).ToUnixTimeMilliseconds(),
+                DisplayText = e.DisplayText,
+                Severity = e.Severity,
+            }).ToArray();
+            return new HistoryReadEventsResponse { Success = true, Events = wire };
+        }
+        catch (OperationCanceledException) { throw; }
+        catch (Exception ex)
+        {
+            return new HistoryReadEventsResponse
+            {
+                Success = false,
+                Error = $"Historian event read failed: {ex.Message}",
+                Events = Array.Empty<GalaxyHistoricalEvent>(),
+            };
+        }
+    }
 
     public Task<RecycleStatusResponse> RecycleAsync(RecycleHostRequest req, CancellationToken ct)
         => Task.FromResult(new RecycleStatusResponse { Accepted = true, GraceSeconds = 15 });
 
+    public void Dispose()
+    {
+        _alarmTracker.TransitionRaised -= _onAlarmTransition;
+        _alarmTracker.Dispose();
+        _probeManager.StateChanged -= _onProbeStateChanged;
+        _probeManager.Dispose();
+        _mx.ConnectionStateChanged -= _onConnectionStateChanged;
+        _historian?.Dispose();
+    }
+
     private static GalaxyDataValue ToWire(string reference, Vtq vtq) => new()
     {
         TagReference = reference,
@@ -184,6 +548,39 @@ public sealed class MxAccessGalaxyBackend : IGalaxyBackend
         ServerTimestampUtcUnixMs = DateTimeOffset.UtcNow.ToUnixTimeMilliseconds(),
     };
 
+    /// <summary>
+    ///     Maps a <see cref="HistorianSample"/> (raw historian row, OPC-UA-free) to the IPC wire
+    ///     shape. The Proxy decodes the MessagePack value and maps <see cref="HistorianSample.Quality"/>
+    ///     through <c>QualityMapper</c> on its side of the pipe — we keep the raw byte here so
+    ///     rich OPC DA status codes (e.g. <c>BadNotConnected</c>, <c>UncertainSubNormal</c>) survive
+    ///     the hop intact.
+    /// </summary>
+    private static GalaxyDataValue ToWire(string reference, HistorianSample sample) => new()
+    {
+        TagReference = reference,
+        ValueBytes = sample.Value is null ? null : MessagePackSerializer.Serialize(sample.Value),
+        ValueMessagePackType = 0,
+        StatusCode = HistorianQualityMapper.Map(sample.Quality),
+        SourceTimestampUtcUnixMs = new DateTimeOffset(sample.TimestampUtc, TimeSpan.Zero).ToUnixTimeMilliseconds(),
+        ServerTimestampUtcUnixMs = DateTimeOffset.UtcNow.ToUnixTimeMilliseconds(),
+    };
+
+
+    /// <summary>
+    ///     Maps a <see cref="HistorianAggregateSample"/> (one aggregate bucket) to the IPC wire
+    ///     shape. A null <see cref="HistorianAggregateSample.Value"/> means the aggregate was
+    ///     unavailable for the bucket — the Proxy translates that to OPC UA <c>BadNoData</c>.
+    /// </summary>
+    private static GalaxyDataValue ToWire(string reference, HistorianAggregateSample sample) => new()
+    {
+        TagReference = reference,
+        ValueBytes = sample.Value is null ? null : MessagePackSerializer.Serialize(sample.Value.Value),
+        ValueMessagePackType = 0,
+        StatusCode = sample.Value is null ? 0x800E0000u /* BadNoData */ : 0x00000000u,
+        SourceTimestampUtcUnixMs = new DateTimeOffset(sample.TimestampUtc, TimeSpan.Zero).ToUnixTimeMilliseconds(),
+        ServerTimestampUtcUnixMs = DateTimeOffset.UtcNow.ToUnixTimeMilliseconds(),
+    };
+
     private static GalaxyAttributeInfo MapAttribute(GalaxyAttributeRow row) => new()
     {
         AttributeName = row.AttributeName,
@@ -192,6 +589,7 @@ public sealed class MxAccessGalaxyBackend : IGalaxyBackend
         ArrayDim = row.ArrayDimension is int d and > 0 ? (uint)d : null,
         SecurityClassification = row.SecurityClassification,
         IsHistorized = row.IsHistorized,
+        IsAlarm = row.IsAlarm,
     };
 
     private static string MapCategory(int categoryId) => categoryId switch

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/Backend/Stability/GalaxyRuntimeProbeManager.cs

@@ -0,0 +1,273 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend.MxAccess;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend.Stability;
+
+/// <summary>
+///     Per-platform + per-AppEngine runtime probe. Subscribes to <c>&lt;TagName&gt;.ScanState</c>
+///     for each $WinPlatform and $AppEngine gobject, tracks Unknown → Running → Stopped
+///     transitions, and fires <see cref="StateChanged"/> so <see cref="Backend.MxAccessGalaxyBackend"/>
+///     can forward per-host events through the existing IPC <c>OnHostStatusChanged</c> event.
+///     Pure-logic state machine with an injected clock so it's deterministically testable —
+///     port of v1 <c>GalaxyRuntimeProbeManager</c> without the OPC UA node-manager coupling.
+/// </summary>
+/// <remarks>
+///     State machine rules (documented in v1's <c>runtimestatus.md</c> and preserved here):
+///     <list type="bullet">
+///         <item><c>ScanState</c> is on-change-only — a stably-Running host may go hours without a
+///         callback. Running → Stopped is driven by an explicit <c>ScanState=false</c> callback,
+///         never by starvation.</item>
+///         <item>Unknown → Running is a startup transition and does NOT fire StateChanged (would
+///         paint every host as "just recovered" at startup, which is noise).</item>
+///         <item>Stopped → Running and Running → Stopped fire StateChanged. Unknown → Stopped
+///         fires StateChanged because that's a first-known-bad signal operators need.</item>
+///         <item>All public methods are thread-safe. Callbacks fire outside the internal lock to
+///         avoid lock inversion with caller-owned state.</item>
+///     </list>
+/// </remarks>
+public sealed class GalaxyRuntimeProbeManager : IDisposable
+{
+    public const int CategoryWinPlatform = 1;
+    public const int CategoryAppEngine = 3;
+    public const string ProbeAttribute = ".ScanState";
+
+    private readonly Func<DateTime> _clock;
+    private readonly Func<string, Action<string, Vtq>, Task> _subscribe;
+    private readonly Func<string, Task> _unsubscribe;
+    private readonly object _lock = new();
+
+    // probe tag → per-host state
+    private readonly Dictionary<string, HostProbeState> _byProbe = new(StringComparer.OrdinalIgnoreCase);
+    // tag name → probe tag (for reverse lookup on the desired-set diff)
+    private readonly Dictionary<string, string> _probeByTagName = new(StringComparer.OrdinalIgnoreCase);
+    private bool _disposed;
+
+    /// <summary>
+    ///     Fires on every state transition that operators should react to. See class remarks
+    ///     for the rules on which transitions fire.
+    /// </summary>
+    public event EventHandler<HostStateTransition>? StateChanged;
+
+    public GalaxyRuntimeProbeManager(
+        Func<string, Action<string, Vtq>, Task> subscribe,
+        Func<string, Task> unsubscribe)
+        : this(subscribe, unsubscribe, () => DateTime.UtcNow) { }
+
+    internal GalaxyRuntimeProbeManager(
+        Func<string, Action<string, Vtq>, Task> subscribe,
+        Func<string, Task> unsubscribe,
+        Func<DateTime> clock)
+    {
+        _subscribe = subscribe ?? throw new ArgumentNullException(nameof(subscribe));
+        _unsubscribe = unsubscribe ?? throw new ArgumentNullException(nameof(unsubscribe));
+        _clock = clock ?? throw new ArgumentNullException(nameof(clock));
+    }
+
+    /// <summary>Number of probes currently advised. Test/dashboard hook.</summary>
+    public int ActiveProbeCount
+    {
+        get { lock (_lock) return _byProbe.Count; }
+    }
+
+    /// <summary>
+    ///     Snapshot every currently-tracked host's state. One entry per probe.
+    /// </summary>
+    public IReadOnlyList<HostProbeSnapshot> SnapshotStates()
+    {
+        lock (_lock)
+        {
+            return _byProbe.Select(kv => new HostProbeSnapshot(
+                TagName: kv.Value.TagName,
+                State: kv.Value.State,
+                LastChangedUtc: kv.Value.LastStateChangeUtc)).ToList();
+        }
+    }
+
+    /// <summary>
+    ///     Query the current runtime state for <paramref name="tagName"/>. Returns
+    ///     <see cref="HostRuntimeState.Unknown"/> when the host is not tracked.
+    /// </summary>
+    public HostRuntimeState GetState(string tagName)
+    {
+        lock (_lock)
+        {
+            if (_probeByTagName.TryGetValue(tagName, out var probe)
+                && _byProbe.TryGetValue(probe, out var state))
+                return state.State;
+            return HostRuntimeState.Unknown;
+        }
+    }
+
+    /// <summary>
+    ///     Diff the desired host set (filtered $WinPlatform / $AppEngine from the latest Discover)
+    ///     against the currently-tracked set and advise / unadvise as needed. Idempotent:
+    ///     calling twice with the same set does nothing.
+    /// </summary>
+    public async Task SyncAsync(IEnumerable<HostProbeTarget> desiredHosts)
+    {
+        if (_disposed) return;
+
+        var desired = desiredHosts
+            .Where(h => !string.IsNullOrWhiteSpace(h.TagName))
+            .ToDictionary(h => h.TagName, StringComparer.OrdinalIgnoreCase);
+
+        List<string> toAdvise;
+        List<string> toUnadvise;
+        lock (_lock)
+        {
+            toAdvise = desired.Keys
+                .Where(tag => !_probeByTagName.ContainsKey(tag))
+                .ToList();
+            toUnadvise = _probeByTagName.Keys
+                .Where(tag => !desired.ContainsKey(tag))
+                .Select(tag => _probeByTagName[tag])
+                .ToList();
+
+            foreach (var tag in toAdvise)
+            {
+                var probe = tag + ProbeAttribute;
+                _probeByTagName[tag] = probe;
+                _byProbe[probe] = new HostProbeState
+                {
+                    TagName = tag,
+                    State = HostRuntimeState.Unknown,
+                    LastStateChangeUtc = _clock(),
+                };
+            }
+
+            foreach (var probe in toUnadvise)
+            {
+                _byProbe.Remove(probe);
+            }
+
+            foreach (var removedTag in _probeByTagName.Keys.Where(t => !desired.ContainsKey(t)).ToList())
+            {
+                _probeByTagName.Remove(removedTag);
+            }
+        }
+
+        foreach (var tag in toAdvise)
+        {
+            var probe = tag + ProbeAttribute;
+            try
+            {
+                await _subscribe(probe, OnProbeCallback);
+            }
+            catch
+            {
+                // Rollback on subscribe failure so a later Tick can't transition a never-advised
+                // probe into a false Stopped state. Callers can re-Sync later to retry.
+                lock (_lock)
+                {
+                    _byProbe.Remove(probe);
+                    _probeByTagName.Remove(tag);
+                }
+            }
+        }
+
+        foreach (var probe in toUnadvise)
+        {
+            try { await _unsubscribe(probe); } catch { /* best-effort cleanup */ }
+        }
+    }
+
+    /// <summary>
+    ///     Public entry point for tests and internal callbacks. Production flow: MxAccessClient's
+    ///     SubscribeAsync delivers VTQ updates through the callback wired in <see cref="SyncAsync"/>,
+    ///     which calls this method under the lock to update state and fires
+    ///     <see cref="StateChanged"/> outside the lock for any transition that matters.
+    /// </summary>
+    public void OnProbeCallback(string probeTag, Vtq vtq)
+    {
+        if (_disposed) return;
+
+        HostStateTransition? transition = null;
+        lock (_lock)
+        {
+            if (!_byProbe.TryGetValue(probeTag, out var state)) return;
+
+            var isRunning = vtq.Quality >= 192 && vtq.Value is bool b && b;
+            var now = _clock();
+            var previous = state.State;
+            state.LastCallbackUtc = now;
+
+            if (isRunning)
+            {
+                state.GoodUpdateCount++;
+                if (previous != HostRuntimeState.Running)
+                {
+                    state.State = HostRuntimeState.Running;
+                    state.LastStateChangeUtc = now;
+                    if (previous == HostRuntimeState.Stopped)
+                    {
+                        transition = new HostStateTransition(state.TagName, previous, HostRuntimeState.Running, now);
+                    }
+                }
+            }
+            else
+            {
+                state.FailureCount++;
+                if (previous != HostRuntimeState.Stopped)
+                {
+                    state.State = HostRuntimeState.Stopped;
+                    state.LastStateChangeUtc = now;
+                    transition = new HostStateTransition(state.TagName, previous, HostRuntimeState.Stopped, now);
+                }
+            }
+        }
+
+        if (transition is { } t)
+        {
+            StateChanged?.Invoke(this, t);
+        }
+    }
+
+    public void Dispose()
+    {
+        if (_disposed) return;
+        _disposed = true;
+        lock (_lock)
+        {
+            _byProbe.Clear();
+            _probeByTagName.Clear();
+        }
+    }
+
+    private sealed class HostProbeState
+    {
+        public string TagName { get; set; } = "";
+        public HostRuntimeState State { get; set; }
+        public DateTime LastStateChangeUtc { get; set; }
+        public DateTime? LastCallbackUtc { get; set; }
+        public long GoodUpdateCount { get; set; }
+        public long FailureCount { get; set; }
+    }
+}
+
+public enum HostRuntimeState
+{
+    Unknown,
+    Running,
+    Stopped,
+}
+
+public sealed record HostStateTransition(
+    string TagName,
+    HostRuntimeState OldState,
+    HostRuntimeState NewState,
+    DateTime AtUtc);
+
+public sealed record HostProbeSnapshot(
+    string TagName,
+    HostRuntimeState State,
+    DateTime LastChangedUtc);
+
+public readonly record struct HostProbeTarget(string TagName, int CategoryId)
+{
+    public bool IsRuntimeHost =>
+        CategoryId == GalaxyRuntimeProbeManager.CategoryWinPlatform
+        || CategoryId == GalaxyRuntimeProbeManager.CategoryAppEngine;
+}

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/Backend/StubGalaxyBackend.cs

@@ -15,6 +15,13 @@ public sealed class StubGalaxyBackend : IGalaxyBackend
     private long _nextSessionId;
     private long _nextSubscriptionId;
 
+    // Stub backend never raises events — implements the interface members for symmetry.
+#pragma warning disable CS0067
+    public event System.EventHandler<OnDataChangeNotification>? OnDataChange;
+    public event System.EventHandler<GalaxyAlarmEvent>? OnAlarmEvent;
+    public event System.EventHandler<HostConnectivityStatus>? OnHostStatusChanged;
+#pragma warning restore CS0067
+
     public Task<OpenSessionResponse> OpenSessionAsync(OpenSessionRequest req, CancellationToken ct)
     {
         var id = Interlocked.Increment(ref _nextSessionId);
@@ -78,6 +85,33 @@ public sealed class StubGalaxyBackend : IGalaxyBackend
             Tags = System.Array.Empty<HistoryTagValues>(),
         });
 
+    public Task<HistoryReadProcessedResponse> HistoryReadProcessedAsync(
+        HistoryReadProcessedRequest req, CancellationToken ct)
+        => Task.FromResult(new HistoryReadProcessedResponse
+        {
+            Success = false,
+            Error = "stub: MXAccess code lift pending (Phase 2 Task B.1)",
+            Values = System.Array.Empty<GalaxyDataValue>(),
+        });
+
+    public Task<HistoryReadAtTimeResponse> HistoryReadAtTimeAsync(
+        HistoryReadAtTimeRequest req, CancellationToken ct)
+        => Task.FromResult(new HistoryReadAtTimeResponse
+        {
+            Success = false,
+            Error = "stub: MXAccess code lift pending (Phase 2 Task B.1)",
+            Values = System.Array.Empty<GalaxyDataValue>(),
+        });
+
+    public Task<HistoryReadEventsResponse> HistoryReadEventsAsync(
+        HistoryReadEventsRequest req, CancellationToken ct)
+        => Task.FromResult(new HistoryReadEventsResponse
+        {
+            Success = false,
+            Error = "stub: MXAccess code lift pending (Phase 2 Task B.1)",
+            Events = System.Array.Empty<GalaxyHistoricalEvent>(),
+        });
+
     public Task<RecycleStatusResponse> RecycleAsync(RecycleHostRequest req, CancellationToken ct)
         => Task.FromResult(new RecycleStatusResponse
         {

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/Ipc/GalaxyFrameHandler.cs

@@ -80,6 +80,27 @@ public sealed class GalaxyFrameHandler(IGalaxyBackend backend, ILogger logger) :
                     await writer.WriteAsync(MessageKind.HistoryReadResponse, resp, ct);
                     return;
                 }
+                case MessageKind.HistoryReadProcessedRequest:
+                {
+                    var resp = await backend.HistoryReadProcessedAsync(
+                        Deserialize<HistoryReadProcessedRequest>(body), ct);
+                    await writer.WriteAsync(MessageKind.HistoryReadProcessedResponse, resp, ct);
+                    return;
+                }
+                case MessageKind.HistoryReadAtTimeRequest:
+                {
+                    var resp = await backend.HistoryReadAtTimeAsync(
+                        Deserialize<HistoryReadAtTimeRequest>(body), ct);
+                    await writer.WriteAsync(MessageKind.HistoryReadAtTimeResponse, resp, ct);
+                    return;
+                }
+                case MessageKind.HistoryReadEventsRequest:
+                {
+                    var resp = await backend.HistoryReadEventsAsync(
+                        Deserialize<HistoryReadEventsRequest>(body), ct);
+                    await writer.WriteAsync(MessageKind.HistoryReadEventsResponse, resp, ct);
+                    return;
+                }
                 case MessageKind.RecycleHostRequest:
                 {
                     var resp = await backend.RecycleAsync(Deserialize<RecycleHostRequest>(body), ct);
@@ -99,9 +120,64 @@ public sealed class GalaxyFrameHandler(IGalaxyBackend backend, ILogger logger) :
         }
     }
 
+    /// <summary>
+    ///     Subscribes the backend's server-pushed events for the lifetime of the connection.
+    ///     The returned disposable unsubscribes when the connection closes — without it the
+    ///     backend's static event invocation list would accumulate dead writer references and
+    ///     leak memory + raise <see cref="ObjectDisposedException"/> on every push.
+    /// </summary>
+    public IDisposable AttachConnection(FrameWriter writer)
+    {
+        var sink = new ConnectionSink(backend, writer, logger);
+        sink.Attach();
+        return sink;
+    }
+
     private static T Deserialize<T>(byte[] body) => MessagePackSerializer.Deserialize<T>(body);
 
     private static Task SendErrorAsync(FrameWriter writer, string code, string message, CancellationToken ct)
         => writer.WriteAsync(MessageKind.ErrorResponse,
             new ErrorResponse { Code = code, Message = message }, ct);
+
+    private sealed class ConnectionSink : IDisposable
+    {
+        private readonly IGalaxyBackend _backend;
+        private readonly FrameWriter _writer;
+        private readonly ILogger _logger;
+        private EventHandler<OnDataChangeNotification>? _onData;
+        private EventHandler<GalaxyAlarmEvent>? _onAlarm;
+        private EventHandler<HostConnectivityStatus>? _onHost;
+
+        public ConnectionSink(IGalaxyBackend backend, FrameWriter writer, ILogger logger)
+        {
+            _backend = backend; _writer = writer; _logger = logger;
+        }
+
+        public void Attach()
+        {
+            _onData = (_, e) => Push(MessageKind.OnDataChangeNotification, e);
+            _onAlarm = (_, e) => Push(MessageKind.AlarmEvent, e);
+            _onHost = (_, e) => Push(MessageKind.RuntimeStatusChange,
+                new RuntimeStatusChangeNotification { Status = e });
+            _backend.OnDataChange += _onData;
+            _backend.OnAlarmEvent += _onAlarm;
+            _backend.OnHostStatusChanged += _onHost;
+        }
+
+        private void Push<T>(MessageKind kind, T payload)
+        {
+            // Fire-and-forget — pushes can race with disposal of the writer. We swallow
+            // ObjectDisposedException because the dispose path will detach this sink shortly.
+            try { _writer.WriteAsync(kind, payload, CancellationToken.None).GetAwaiter().GetResult(); }
+            catch (ObjectDisposedException) { }
+            catch (Exception ex) { _logger.Warning(ex, "ConnectionSink push failed for {Kind}", kind); }
+        }
+
+        public void Dispose()
+        {
+            if (_onData is not null) _backend.OnDataChange -= _onData;
+            if (_onAlarm is not null) _backend.OnAlarmEvent -= _onAlarm;
+            if (_onHost is not null) _backend.OnHostStatusChanged -= _onHost;
+        }
+    }
 }

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/Ipc/PipeServer.cs

@@ -98,6 +98,8 @@ public sealed class PipeServer : IDisposable
                 new HelloAck { Accepted = true, HostName = Environment.MachineName },
                 linked.Token).ConfigureAwait(false);
 
+            using var attachment = handler.AttachConnection(writer);
+
             while (!linked.Token.IsCancellationRequested)
             {
                 var frame = await reader.ReadFrameAsync(linked.Token).ConfigureAwait(false);
@@ -157,4 +159,19 @@ public sealed class PipeServer : IDisposable
 public interface IFrameHandler
 {
     Task HandleAsync(MessageKind kind, byte[] body, FrameWriter writer, CancellationToken ct);
+
+    /// <summary>
+    ///     Called once per accepted connection after the Hello handshake. Lets the handler
+    ///     attach server-pushed event sinks (data-change, alarm, host-status) to the
+    ///     connection's <paramref name="writer"/>. Returns an <see cref="IDisposable"/> the
+    ///     pipe server disposes when the connection closes — backends use it to unsubscribe.
+    ///     Implementations that don't push events can return <see cref="NoopAttachment"/>.
+    /// </summary>
+    IDisposable AttachConnection(FrameWriter writer);
+
+    public sealed class NoopAttachment : IDisposable
+    {
+        public static readonly NoopAttachment Instance = new();
+        public void Dispose() { }
+    }
 }

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/Ipc/StubFrameHandler.cs

@@ -1,3 +1,4 @@
+using System;
 using System.Threading;
 using System.Threading.Tasks;
 using MessagePack;
@@ -27,4 +28,6 @@ public sealed class StubFrameHandler : IFrameHandler
             new ErrorResponse { Code = "not-implemented", Message = $"Kind {kind} is stubbed — MXAccess lift deferred" },
             ct);
     }
+
+    public IDisposable AttachConnection(FrameWriter writer) => IFrameHandler.NoopAttachment.Instance;
 }

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/Program.cs

@@ -4,6 +4,7 @@ using System.Threading;
 using Serilog;
 using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend;
 using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend.Galaxy;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend.Historian;
 using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend.MxAccess;
 using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Ipc;
 using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Sta;
@@ -66,9 +67,11 @@ public static class Program
                     pump = new StaPump("Galaxy.Sta");
                     pump.WaitForStartedAsync().GetAwaiter().GetResult();
                     mx = new MxAccessClient(pump, new MxProxyAdapter(), clientName);
+                    var historian = BuildHistorianIfEnabled();
                     backend = new MxAccessGalaxyBackend(
                         new GalaxyRepository(new GalaxyRepositoryOptions { ConnectionString = zbConn }),
-                        mx);
+                        mx,
+                        historian);
                     break;
             }
 
@@ -77,6 +80,7 @@ public static class Program
             try { server.RunAsync(handler, cts.Token).GetAwaiter().GetResult(); }
             finally
             {
+                (backend as IDisposable)?.Dispose();
                 mx?.Dispose();
                 pump?.Dispose();
             }
@@ -91,4 +95,45 @@ public static class Program
         }
         finally { Log.CloseAndFlush(); }
     }
+
+    /// <summary>
+    ///     Builds a <see cref="HistorianDataSource"/> from the OTOPCUA_HISTORIAN_* environment
+    ///     variables the supervisor passes at spawn time. Returns null when the historian is
+    ///     disabled (default) so <c>MxAccessGalaxyBackend.HistoryReadAsync</c> returns a clear
+    ///     "not configured" error instead of attempting an SDK connection to localhost.
+    /// </summary>
+    private static IHistorianDataSource? BuildHistorianIfEnabled()
+    {
+        var enabled = Environment.GetEnvironmentVariable("OTOPCUA_HISTORIAN_ENABLED");
+        if (!string.Equals(enabled, "true", StringComparison.OrdinalIgnoreCase) && enabled != "1")
+            return null;
+
+        var cfg = new HistorianConfiguration
+        {
+            Enabled = true,
+            ServerName = Environment.GetEnvironmentVariable("OTOPCUA_HISTORIAN_SERVER") ?? "localhost",
+            Port = TryParseInt("OTOPCUA_HISTORIAN_PORT", 32568),
+            IntegratedSecurity = !string.Equals(Environment.GetEnvironmentVariable("OTOPCUA_HISTORIAN_INTEGRATED"), "false", StringComparison.OrdinalIgnoreCase),
+            UserName = Environment.GetEnvironmentVariable("OTOPCUA_HISTORIAN_USER"),
+            Password = Environment.GetEnvironmentVariable("OTOPCUA_HISTORIAN_PASS"),
+            CommandTimeoutSeconds = TryParseInt("OTOPCUA_HISTORIAN_TIMEOUT_SEC", 30),
+            MaxValuesPerRead = TryParseInt("OTOPCUA_HISTORIAN_MAX_VALUES", 10000),
+            FailureCooldownSeconds = TryParseInt("OTOPCUA_HISTORIAN_COOLDOWN_SEC", 60),
+        };
+
+        var servers = Environment.GetEnvironmentVariable("OTOPCUA_HISTORIAN_SERVERS");
+        if (!string.IsNullOrWhiteSpace(servers))
+            cfg.ServerNames = new System.Collections.Generic.List<string>(
+                servers.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries));
+
+        Log.Information("Historian enabled — {NodeCount} configured node(s), port={Port}",
+            cfg.ServerNames.Count > 0 ? cfg.ServerNames.Count : 1, cfg.Port);
+        return new HistorianDataSource(cfg);
+    }
+
+    private static int TryParseInt(string envName, int defaultValue)
+    {
+        var raw = Environment.GetEnvironmentVariable(envName);
+        return int.TryParse(raw, out var parsed) ? parsed : defaultValue;
+    }
 }

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.csproj

@@ -30,11 +30,43 @@
         <ProjectReference Include="..\ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared\ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared.csproj"/>
     </ItemGroup>
 
+    <ItemGroup>
+        <InternalsVisibleTo Include="ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Tests"/>
+    </ItemGroup>
+
     <ItemGroup>
         <Reference Include="ArchestrA.MxAccess">
             <HintPath>..\..\lib\ArchestrA.MxAccess.dll</HintPath>
             <Private>true</Private>
         </Reference>
+        <!-- Wonderware Historian SDK — consumed by Backend/Historian/ for HistoryReadAsync.
+             Previously lived in the v1 Historian.Aveva plugin; folded into Driver.Galaxy.Host
+             for PR #5 because this host is already Galaxy-specific. -->
+        <Reference Include="aahClientManaged">
+            <HintPath>..\..\lib\aahClientManaged.dll</HintPath>
+            <EmbedInteropTypes>false</EmbedInteropTypes>
+        </Reference>
+        <Reference Include="aahClientCommon">
+            <HintPath>..\..\lib\aahClientCommon.dll</HintPath>
+            <EmbedInteropTypes>false</EmbedInteropTypes>
+        </Reference>
+    </ItemGroup>
+
+    <ItemGroup>
+        <!-- Historian SDK native and satellite DLLs — staged beside the host exe so the
+             aahClientManaged wrapper can P/Invoke into them without an AssemblyResolve hook. -->
+        <None Include="..\..\lib\aahClient.dll">
+            <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+        </None>
+        <None Include="..\..\lib\Historian.CBE.dll">
+            <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+        </None>
+        <None Include="..\..\lib\Historian.DPAPI.dll">
+            <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+        </None>
+        <None Include="..\..\lib\ArchestrA.CloudHistorian.Contract.dll">
+            <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+        </None>
     </ItemGroup>
 
     <ItemGroup>

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy/GalaxyProxyDriver.cs

@@ -114,16 +114,31 @@ public sealed class GalaxyProxyDriver(GalaxyProxyOptions options)
             var folder = builder.Folder(obj.ContainedName, obj.ContainedName);
             foreach (var attr in obj.Attributes)
             {
-                folder.Variable(
+                var fullName = $"{obj.TagName}.{attr.AttributeName}";
+                var handle = folder.Variable(
                     attr.AttributeName,
                     attr.AttributeName,
                     new DriverAttributeInfo(
-                        FullName: $"{obj.TagName}.{attr.AttributeName}",
+                        FullName: fullName,
                         DriverDataType: MapDataType(attr.MxDataType),
                         IsArray: attr.IsArray,
                         ArrayDim: attr.ArrayDim,
                         SecurityClass: MapSecurity(attr.SecurityClassification),
-                        IsHistorized: attr.IsHistorized));
+                        IsHistorized: attr.IsHistorized,
+                        IsAlarm: attr.IsAlarm));
+
+                // PR 15: when Galaxy flags the attribute as alarm-bearing (AlarmExtension
+                // primitive), register an alarm-condition sink so the generic node manager
+                // can route OnAlarmEvent payloads for this tag to the concrete address-space
+                // builder. Severity default Medium — the live severity arrives through
+                // AlarmEventArgs once MxAccessGalaxyBackend's tracker starts firing.
+                if (attr.IsAlarm)
+                {
+                    handle.MarkAsAlarmCondition(new AlarmConditionInfo(
+                        SourceName: fullName,
+                        InitialSeverity: AlarmSeverity.Medium,
+                        InitialDescription: null));
+                }
             }
         }
     }
@@ -296,10 +311,108 @@ public sealed class GalaxyProxyDriver(GalaxyProxyOptions options)
         return new HistoryReadResult(samples, ContinuationPoint: null);
     }
 
-    public Task<HistoryReadResult> ReadProcessedAsync(
+    public async Task<HistoryReadResult> ReadProcessedAsync(
         string fullReference, DateTime startUtc, DateTime endUtc, TimeSpan interval,
         HistoryAggregateType aggregate, CancellationToken cancellationToken)
-        => throw new NotSupportedException("Galaxy historian processed reads are not supported in v2; use ReadRawAsync.");
+    {
+        var client = RequireClient();
+        var column = MapAggregateToColumn(aggregate);
+
+        var resp = await client.CallAsync<HistoryReadProcessedRequest, HistoryReadProcessedResponse>(
+            MessageKind.HistoryReadProcessedRequest,
+            new HistoryReadProcessedRequest
+            {
+                SessionId = _sessionId,
+                TagReference = fullReference,
+                StartUtcUnixMs = new DateTimeOffset(startUtc, TimeSpan.Zero).ToUnixTimeMilliseconds(),
+                EndUtcUnixMs = new DateTimeOffset(endUtc, TimeSpan.Zero).ToUnixTimeMilliseconds(),
+                IntervalMs = (long)interval.TotalMilliseconds,
+                AggregateColumn = column,
+            },
+            MessageKind.HistoryReadProcessedResponse,
+            cancellationToken);
+
+        if (!resp.Success)
+            throw new InvalidOperationException($"Galaxy.Host HistoryReadProcessed failed: {resp.Error}");
+
+        IReadOnlyList<DataValueSnapshot> samples = [.. resp.Values.Select(ToSnapshot)];
+        return new HistoryReadResult(samples, ContinuationPoint: null);
+    }
+
+    public async Task<HistoryReadResult> ReadAtTimeAsync(
+        string fullReference, IReadOnlyList<DateTime> timestampsUtc, CancellationToken cancellationToken)
+    {
+        var client = RequireClient();
+        var resp = await client.CallAsync<HistoryReadAtTimeRequest, HistoryReadAtTimeResponse>(
+            MessageKind.HistoryReadAtTimeRequest,
+            new HistoryReadAtTimeRequest
+            {
+                SessionId = _sessionId,
+                TagReference = fullReference,
+                TimestampsUtcUnixMs = [.. timestampsUtc.Select(t => new DateTimeOffset(t, TimeSpan.Zero).ToUnixTimeMilliseconds())],
+            },
+            MessageKind.HistoryReadAtTimeResponse,
+            cancellationToken);
+
+        if (!resp.Success)
+            throw new InvalidOperationException($"Galaxy.Host HistoryReadAtTime failed: {resp.Error}");
+
+        // ReadAtTime returns one sample per requested timestamp in the same order — the Host
+        // pads with bad-quality snapshots when a timestamp can't be interpolated, so response
+        // length matches request length exactly. We trust that contract rather than
+        // re-aligning here, because the Host is the source-of-truth for interpolation policy.
+        IReadOnlyList<DataValueSnapshot> samples = [.. resp.Values.Select(ToSnapshot)];
+        return new HistoryReadResult(samples, ContinuationPoint: null);
+    }
+
+    public async Task<HistoricalEventsResult> ReadEventsAsync(
+        string? sourceName, DateTime startUtc, DateTime endUtc, int maxEvents, CancellationToken cancellationToken)
+    {
+        var client = RequireClient();
+        var resp = await client.CallAsync<HistoryReadEventsRequest, HistoryReadEventsResponse>(
+            MessageKind.HistoryReadEventsRequest,
+            new HistoryReadEventsRequest
+            {
+                SessionId = _sessionId,
+                SourceName = sourceName,
+                StartUtcUnixMs = new DateTimeOffset(startUtc, TimeSpan.Zero).ToUnixTimeMilliseconds(),
+                EndUtcUnixMs = new DateTimeOffset(endUtc, TimeSpan.Zero).ToUnixTimeMilliseconds(),
+                MaxEvents = maxEvents,
+            },
+            MessageKind.HistoryReadEventsResponse,
+            cancellationToken);
+
+        if (!resp.Success)
+            throw new InvalidOperationException($"Galaxy.Host HistoryReadEvents failed: {resp.Error}");
+
+        IReadOnlyList<HistoricalEvent> events = [.. resp.Events.Select(ToHistoricalEvent)];
+        return new HistoricalEventsResult(events, ContinuationPoint: null);
+    }
+
+    internal static HistoricalEvent ToHistoricalEvent(GalaxyHistoricalEvent wire) => new(
+        EventId: wire.EventId,
+        SourceName: wire.SourceName,
+        EventTimeUtc: DateTimeOffset.FromUnixTimeMilliseconds(wire.EventTimeUtcUnixMs).UtcDateTime,
+        ReceivedTimeUtc: DateTimeOffset.FromUnixTimeMilliseconds(wire.ReceivedTimeUtcUnixMs).UtcDateTime,
+        Message: wire.DisplayText,
+        Severity: wire.Severity);
+
+    /// <summary>
+    ///     Maps the OPC UA Part 13 aggregate enum onto the Wonderware Historian
+    ///     AnalogSummaryQuery column names consumed by <c>HistorianDataSource.ReadAggregateAsync</c>.
+    ///     Kept on the Proxy side so Galaxy.Host stays OPC-UA-free.
+    /// </summary>
+    internal static string MapAggregateToColumn(HistoryAggregateType aggregate) => aggregate switch
+    {
+        HistoryAggregateType.Average => "Average",
+        HistoryAggregateType.Minimum => "Minimum",
+        HistoryAggregateType.Maximum => "Maximum",
+        HistoryAggregateType.Count => "ValueCount",
+        HistoryAggregateType.Total => throw new NotSupportedException(
+            "HistoryAggregateType.Total is not supported by the Wonderware Historian AnalogSummary " +
+            "query — use Average × Count on the caller side, or switch to Average/Minimum/Maximum/Count."),
+        _ => throw new NotSupportedException($"Unknown HistoryAggregateType {aggregate}"),
+    };
 
     // ---- IRediscoverable ----
 

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.csproj

@@ -16,6 +16,10 @@
         <ProjectReference Include="..\ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared\ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared.csproj"/>
     </ItemGroup>
 
+    <ItemGroup>
+        <InternalsVisibleTo Include="ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.Tests"/>
+    </ItemGroup>
+
     <ItemGroup>
         <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-37gx-xxp4-5rgx"/>
         <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-w3x6-4m5h-cxqf"/>

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared/Contracts/Discovery.cs

@@ -30,6 +30,15 @@ public sealed class GalaxyAttributeInfo
     [Key(3)] public uint? ArrayDim { get; set; }
     [Key(4)] public int SecurityClassification { get; set; }
     [Key(5)] public bool IsHistorized { get; set; }
+
+    /// <summary>
+    ///     True when the attribute has an AlarmExtension primitive in the Galaxy repository
+    ///     (<c>primitive_definition.primitive_name = 'AlarmExtension'</c>). The generic
+    ///     node-manager uses this to enrich the variable's OPC UA node with an
+    ///     <c>AlarmConditionState</c> during address-space build. Added in PR 9 as the
+    ///     discovery-side foundation for the alarm event wire-up that follows in PR 10+.
+    /// </summary>
+    [Key(6)] public bool IsAlarm { get; set; }
 }
 
 [MessagePackObject]

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared/Contracts/Framing.cs

@@ -48,8 +48,14 @@ public enum MessageKind : byte
     AlarmEvent                 = 0x51,
     AlarmAckRequest            = 0x52,
 
-    HistoryReadRequest         = 0x60,
-    HistoryReadResponse        = 0x61,
+    HistoryReadRequest           = 0x60,
+    HistoryReadResponse          = 0x61,
+    HistoryReadProcessedRequest  = 0x62,
+    HistoryReadProcessedResponse = 0x63,
+    HistoryReadAtTimeRequest     = 0x64,
+    HistoryReadAtTimeResponse    = 0x65,
+    HistoryReadEventsRequest     = 0x66,
+    HistoryReadEventsResponse    = 0x67,
 
     HostConnectivityStatus     = 0x70,
     RuntimeStatusChange        = 0x71,

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared/Contracts/History.cs

@@ -26,3 +26,85 @@ public sealed class HistoryReadResponse
     [Key(1)] public string? Error { get; set; }
     [Key(2)] public HistoryTagValues[] Tags { get; set; } = System.Array.Empty<HistoryTagValues>();
 }
+
+/// <summary>
+///     Processed (aggregated) historian read — OPC UA HistoryReadProcessed service. The
+///     aggregate column is a string (e.g. "Average", "Minimum") mapped by the Proxy from the
+///     OPC UA HistoryAggregateType enum so Galaxy.Host stays OPC-UA-free.
+/// </summary>
+[MessagePackObject]
+public sealed class HistoryReadProcessedRequest
+{
+    [Key(0)] public long SessionId { get; set; }
+    [Key(1)] public string TagReference { get; set; } = string.Empty;
+    [Key(2)] public long StartUtcUnixMs { get; set; }
+    [Key(3)] public long EndUtcUnixMs { get; set; }
+    [Key(4)] public long IntervalMs { get; set; }
+    [Key(5)] public string AggregateColumn { get; set; } = "Average";
+}
+
+[MessagePackObject]
+public sealed class HistoryReadProcessedResponse
+{
+    [Key(0)] public bool Success { get; set; }
+    [Key(1)] public string? Error { get; set; }
+    [Key(2)] public GalaxyDataValue[] Values { get; set; } = System.Array.Empty<GalaxyDataValue>();
+}
+
+/// <summary>
+///     At-time historian read — OPC UA HistoryReadAtTime service. Returns one sample per
+///     requested timestamp (interpolated when no exact match exists). The per-timestamp array
+///     is flow-encoded as Unix milliseconds to avoid MessagePack DateTime quirks.
+/// </summary>
+[MessagePackObject]
+public sealed class HistoryReadAtTimeRequest
+{
+    [Key(0)] public long SessionId { get; set; }
+    [Key(1)] public string TagReference { get; set; } = string.Empty;
+    [Key(2)] public long[] TimestampsUtcUnixMs { get; set; } = System.Array.Empty<long>();
+}
+
+[MessagePackObject]
+public sealed class HistoryReadAtTimeResponse
+{
+    [Key(0)] public bool Success { get; set; }
+    [Key(1)] public string? Error { get; set; }
+    [Key(2)] public GalaxyDataValue[] Values { get; set; } = System.Array.Empty<GalaxyDataValue>();
+}
+
+/// <summary>
+///     Historical events read — OPC UA HistoryReadEvents service and Alarm &amp; Condition
+///     history. <c>SourceName</c> null means "all sources". Distinct from the live
+///     <see cref="GalaxyAlarmEvent"/> stream because historical rows carry both
+///     <c>EventTime</c> (when the event occurred in the process) and <c>ReceivedTime</c>
+///     (when the Historian persisted it) and have no StateTransition — the Historian logs
+///     the instantaneous event, not the OPC UA alarm lifecycle.
+/// </summary>
+[MessagePackObject]
+public sealed class HistoryReadEventsRequest
+{
+    [Key(0)] public long SessionId { get; set; }
+    [Key(1)] public string? SourceName { get; set; }
+    [Key(2)] public long StartUtcUnixMs { get; set; }
+    [Key(3)] public long EndUtcUnixMs { get; set; }
+    [Key(4)] public int MaxEvents { get; set; } = 1000;
+}
+
+[MessagePackObject]
+public sealed class GalaxyHistoricalEvent
+{
+    [Key(0)] public string EventId { get; set; } = string.Empty;
+    [Key(1)] public string? SourceName { get; set; }
+    [Key(2)] public long EventTimeUtcUnixMs { get; set; }
+    [Key(3)] public long ReceivedTimeUtcUnixMs { get; set; }
+    [Key(4)] public string? DisplayText { get; set; }
+    [Key(5)] public ushort Severity { get; set; }
+}
+
+[MessagePackObject]
+public sealed class HistoryReadEventsResponse
+{
+    [Key(0)] public bool Success { get; set; }
+    [Key(1)] public string? Error { get; set; }
+    [Key(2)] public GalaxyHistoricalEvent[] Events { get; set; } = System.Array.Empty<GalaxyHistoricalEvent>();
+}

src/ZB.MOM.WW.OtOpcUa.Driver.Modbus/DirectLogicAddress.cs

@@ -0,0 +1,165 @@
+namespace ZB.MOM.WW.OtOpcUa.Driver.Modbus;
+
+/// <summary>
+///     AutomationDirect DirectLOGIC address-translation helpers. DL205 / DL260 / DL350 CPUs
+///     address V-memory in OCTAL while the Modbus wire uses DECIMAL PDU addresses — operators
+///     see "V2000" in the PLC ladder-logic editor but the Modbus client must write PDU 0x0400.
+///     The formulas differ between user V-memory (simple octal-to-decimal) and system V-memory
+///     (fixed bank mappings), so the two cases are separate methods rather than one overloaded
+///     "ToPdu" call.
+/// </summary>
+/// <remarks>
+///     See <c>docs/v2/dl205.md</c> §V-memory for the full CPU-family matrix + rationale.
+///     References: D2-USER-M appendix (DL205/D2-260), H2-ECOM-M §6.5 (absolute vs relative
+///     addressing), AutomationDirect forum guidance on V40400 system-base.
+/// </remarks>
+public static class DirectLogicAddress
+{
+    /// <summary>
+    ///     Convert a DirectLOGIC user V-memory address (octal) to a 0-based Modbus PDU address.
+    ///     Accepts bare octal (<c>"2000"</c>) or <c>V</c>-prefixed (<c>"V2000"</c>). Range
+    ///     depends on CPU model — DL205 D2-260 user memory is V1400-V7377 + V10000-V17777
+    ///     octal, DL260 extends to V77777 octal.
+    /// </summary>
+    /// <exception cref="ArgumentException">Input is null / empty / contains non-octal digits (8,9).</exception>
+    /// <exception cref="OverflowException">Parsed value exceeds ushort.MaxValue (0xFFFF).</exception>
+    public static ushort UserVMemoryToPdu(string vAddress)
+    {
+        if (string.IsNullOrWhiteSpace(vAddress))
+            throw new ArgumentException("V-memory address must not be empty", nameof(vAddress));
+        var s = vAddress.Trim();
+        if (s[0] == 'V' || s[0] == 'v') s = s.Substring(1);
+        if (s.Length == 0)
+            throw new ArgumentException($"V-memory address '{vAddress}' has no digits", nameof(vAddress));
+
+        // Octal conversion. Reject 8/9 digits up-front — int.Parse in the obvious base would
+        // accept them silently because .NET has no built-in base-8 parser.
+        uint result = 0;
+        foreach (var ch in s)
+        {
+            if (ch < '0' || ch > '7')
+                throw new ArgumentException(
+                    $"V-memory address '{vAddress}' contains non-octal digit '{ch}' — DirectLOGIC V-addresses are octal (0-7)",
+                    nameof(vAddress));
+            result = result * 8 + (uint)(ch - '0');
+            if (result > ushort.MaxValue)
+                throw new OverflowException(
+                    $"V-memory address '{vAddress}' exceeds the 16-bit Modbus PDU address range");
+        }
+        return (ushort)result;
+    }
+
+    /// <summary>
+    ///     DirectLOGIC system V-memory starts at octal V40400 on DL260 / H2-ECOM100 in factory
+    ///     "absolute" addressing mode. Unlike user V-memory, the mapping is NOT a simple
+    ///     octal-to-decimal conversion — the CPU relocates the system bank to Modbus PDU 0x2100
+    ///     (decimal 8448). This helper returns the CPU-family base plus a user-supplied offset
+    ///     within the system bank.
+    /// </summary>
+    public const ushort SystemVMemoryBasePdu = 0x2100;
+
+    /// <param name="offsetWithinSystemBank">
+    ///     0-based register offset within the system bank. Pass 0 for V40400 itself; pass 1 for
+    ///     V40401 (octal), and so on. NOT an octal-decoded value — the system bank lives at
+    ///     consecutive PDU addresses, so the offset is plain decimal.
+    /// </param>
+    public static ushort SystemVMemoryToPdu(ushort offsetWithinSystemBank)
+    {
+        var pdu = SystemVMemoryBasePdu + offsetWithinSystemBank;
+        if (pdu > ushort.MaxValue)
+            throw new OverflowException(
+                $"System V-memory offset {offsetWithinSystemBank} maps past 0xFFFF");
+        return (ushort)pdu;
+    }
+
+    // Bit-memory bases per DL260 user manual §I/O-configuration.
+    // Numbers after X / Y / C / SP are OCTAL in DirectLOGIC notation. The Modbus base is
+    // added to the octal-decoded offset; e.g. Y017 = Modbus coil 2048 + octal(17) = 2048 + 15 = 2063.
+
+    /// <summary>
+    ///     DL260 Y-output coil base. Y0 octal → Modbus coil address 2048 (0-based).
+    /// </summary>
+    public const ushort YOutputBaseCoil = 2048;
+
+    /// <summary>
+    ///     DL260 C-relay coil base. C0 octal → Modbus coil address 3072 (0-based).
+    /// </summary>
+    public const ushort CRelayBaseCoil = 3072;
+
+    /// <summary>
+    ///     DL260 X-input discrete-input base. X0 octal → Modbus discrete input 0.
+    /// </summary>
+    public const ushort XInputBaseDiscrete = 0;
+
+    /// <summary>
+    ///     DL260 SP special-relay discrete-input base. SP0 octal → Modbus discrete input 1024.
+    ///     Read-only; writing SP relays is rejected with Illegal Data Address.
+    /// </summary>
+    public const ushort SpecialBaseDiscrete = 1024;
+
+    /// <summary>
+    ///     Translate a DirectLOGIC Y-output address (e.g. <c>"Y0"</c>, <c>"Y17"</c>) to its
+    ///     0-based Modbus coil address on DL260. The trailing number is OCTAL, matching the
+    ///     ladder-logic editor's notation.
+    /// </summary>
+    public static ushort YOutputToCoil(string yAddress) =>
+        AddOctalOffset(YOutputBaseCoil, StripPrefix(yAddress, 'Y'));
+
+    /// <summary>
+    ///     Translate a DirectLOGIC C-relay address (e.g. <c>"C0"</c>, <c>"C1777"</c>) to its
+    ///     0-based Modbus coil address.
+    /// </summary>
+    public static ushort CRelayToCoil(string cAddress) =>
+        AddOctalOffset(CRelayBaseCoil, StripPrefix(cAddress, 'C'));
+
+    /// <summary>
+    ///     Translate a DirectLOGIC X-input address (e.g. <c>"X0"</c>, <c>"X17"</c>) to its
+    ///     0-based Modbus discrete-input address. Reading an unpopulated X returns 0, not an
+    ///     exception — the CPU sizes the table to configured I/O, not installed modules.
+    /// </summary>
+    public static ushort XInputToDiscrete(string xAddress) =>
+        AddOctalOffset(XInputBaseDiscrete, StripPrefix(xAddress, 'X'));
+
+    /// <summary>
+    ///     Translate a DirectLOGIC SP-special-relay address (e.g. <c>"SP0"</c>) to its 0-based
+    ///     Modbus discrete-input address. Accepts <c>"SP"</c> prefix case-insensitively.
+    /// </summary>
+    public static ushort SpecialToDiscrete(string spAddress)
+    {
+        if (string.IsNullOrWhiteSpace(spAddress))
+            throw new ArgumentException("SP address must not be empty", nameof(spAddress));
+        var s = spAddress.Trim();
+        if (s.Length >= 2 && (s[0] == 'S' || s[0] == 's') && (s[1] == 'P' || s[1] == 'p'))
+            s = s.Substring(2);
+        return AddOctalOffset(SpecialBaseDiscrete, s);
+    }
+
+    private static string StripPrefix(string address, char expectedPrefix)
+    {
+        if (string.IsNullOrWhiteSpace(address))
+            throw new ArgumentException("Address must not be empty", nameof(address));
+        var s = address.Trim();
+        if (s.Length > 0 && char.ToUpperInvariant(s[0]) == char.ToUpperInvariant(expectedPrefix))
+            s = s.Substring(1);
+        return s;
+    }
+
+    private static ushort AddOctalOffset(ushort baseAddr, string octalDigits)
+    {
+        if (octalDigits.Length == 0)
+            throw new ArgumentException("Address has no digits", nameof(octalDigits));
+        uint offset = 0;
+        foreach (var ch in octalDigits)
+        {
+            if (ch < '0' || ch > '7')
+                throw new ArgumentException(
+                    $"Address contains non-octal digit '{ch}' — DirectLOGIC I/O addresses are octal (0-7)",
+                    nameof(octalDigits));
+            offset = offset * 8 + (uint)(ch - '0');
+        }
+        var result = baseAddr + offset;
+        if (result > ushort.MaxValue)
+            throw new OverflowException($"Address {baseAddr}+{offset} exceeds 0xFFFF");
+        return (ushort)result;
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Driver.Modbus/IModbusTransport.cs

@@ -0,0 +1,25 @@
+namespace ZB.MOM.WW.OtOpcUa.Driver.Modbus;
+
+/// <summary>
+///     Abstraction over the Modbus TCP socket. Takes a <c>PDU</c> (function code + data, excluding
+///     the 7-byte MBAP header) and returns the response PDU — the transport owns transaction-id
+///     pairing, framing, and socket I/O. Tests supply in-memory fakes.
+/// </summary>
+public interface IModbusTransport : IAsyncDisposable
+{
+    Task ConnectAsync(CancellationToken ct);
+
+    /// <summary>
+    ///     Send a Modbus PDU (function code + function-specific data) and read the response PDU.
+    ///     Throws <see cref="ModbusException"/> when the server returns an exception PDU
+    ///     (function code + 0x80 + exception code).
+    /// </summary>
+    Task<byte[]> SendAsync(byte unitId, byte[] pdu, CancellationToken ct);
+}
+
+public sealed class ModbusException(byte functionCode, byte exceptionCode, string message)
+    : Exception(message)
+{
+    public byte FunctionCode { get; } = functionCode;
+    public byte ExceptionCode { get; } = exceptionCode;
+}

src/ZB.MOM.WW.OtOpcUa.Driver.Modbus/ModbusDriver.cs

@@ -0,0 +1,732 @@
+using System.Buffers.Binary;
+using System.Text.Json;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Modbus;
+
+/// <summary>
+///     Modbus TCP implementation of <see cref="IDriver"/> + <see cref="ITagDiscovery"/> +
+///     <see cref="IReadable"/> + <see cref="IWritable"/>. First native-protocol greenfield
+///     driver for the v2 stack — validates the driver-agnostic <c>IAddressSpaceBuilder</c> +
+///     <c>IReadable</c>/<c>IWritable</c> abstractions generalize beyond Galaxy.
+/// </summary>
+/// <remarks>
+///     Scope limits: synchronous Read/Write only, no subscriptions (Modbus has no push model;
+///     subscriptions would need a polling loop over the declared tags — additive PR). Historian
+///     + alarm capabilities are out of scope (the protocol doesn't express them).
+/// </remarks>
+public sealed class ModbusDriver(ModbusDriverOptions options, string driverInstanceId,
+    Func<ModbusDriverOptions, IModbusTransport>? transportFactory = null)
+    : IDriver, ITagDiscovery, IReadable, IWritable, ISubscribable, IHostConnectivityProbe, IDisposable, IAsyncDisposable
+{
+    // Active polling subscriptions. Each subscription owns a background Task that polls the
+    // tags at its configured interval, diffs against _lastKnownValues, and fires OnDataChange
+    // per changed tag. UnsubscribeAsync cancels the task via the CTS stored on the handle.
+    private readonly System.Collections.Concurrent.ConcurrentDictionary<long, SubscriptionState> _subscriptions = new();
+    private long _nextSubscriptionId;
+
+    public event EventHandler<DataChangeEventArgs>? OnDataChange;
+    public event EventHandler<HostStatusChangedEventArgs>? OnHostStatusChanged;
+
+    // Single-host probe state — Modbus driver talks to exactly one endpoint so the "hosts"
+    // collection has at most one entry. HostName is the Host:Port string so the Admin UI can
+    // display the PLC endpoint uniformly with Galaxy platforms/engines.
+    private readonly object _probeLock = new();
+    private HostState _hostState = HostState.Unknown;
+    private DateTime _hostStateChangedUtc = DateTime.UtcNow;
+    private CancellationTokenSource? _probeCts;
+    private readonly ModbusDriverOptions _options = options;
+    private readonly Func<ModbusDriverOptions, IModbusTransport> _transportFactory =
+        transportFactory ?? (o => new ModbusTcpTransport(o.Host, o.Port, o.Timeout, o.AutoReconnect));
+
+    private IModbusTransport? _transport;
+    private DriverHealth _health = new(DriverState.Unknown, null, null);
+    private readonly Dictionary<string, ModbusTagDefinition> _tagsByName = new(StringComparer.OrdinalIgnoreCase);
+
+    public string DriverInstanceId => driverInstanceId;
+    public string DriverType => "Modbus";
+
+    public async Task InitializeAsync(string driverConfigJson, CancellationToken cancellationToken)
+    {
+        _health = new DriverHealth(DriverState.Initializing, null, null);
+        try
+        {
+            _transport = _transportFactory(_options);
+            await _transport.ConnectAsync(cancellationToken).ConfigureAwait(false);
+            foreach (var t in _options.Tags) _tagsByName[t.Name] = t;
+            _health = new DriverHealth(DriverState.Healthy, DateTime.UtcNow, null);
+
+            // PR 23: kick off the probe loop once the transport is up. Initial state stays
+            // Unknown until the first probe tick succeeds — avoids broadcasting a premature
+            // Running transition before any register round-trip has happened.
+            if (_options.Probe.Enabled)
+            {
+                _probeCts = new CancellationTokenSource();
+                _ = Task.Run(() => ProbeLoopAsync(_probeCts.Token), _probeCts.Token);
+            }
+        }
+        catch (Exception ex)
+        {
+            _health = new DriverHealth(DriverState.Faulted, null, ex.Message);
+            throw;
+        }
+    }
+
+    public async Task ReinitializeAsync(string driverConfigJson, CancellationToken cancellationToken)
+    {
+        await ShutdownAsync(cancellationToken);
+        await InitializeAsync(driverConfigJson, cancellationToken);
+    }
+
+    public async Task ShutdownAsync(CancellationToken cancellationToken)
+    {
+        try { _probeCts?.Cancel(); } catch { }
+        _probeCts?.Dispose();
+        _probeCts = null;
+
+        foreach (var state in _subscriptions.Values)
+        {
+            try { state.Cts.Cancel(); } catch { }
+            state.Cts.Dispose();
+        }
+        _subscriptions.Clear();
+
+        if (_transport is not null) await _transport.DisposeAsync().ConfigureAwait(false);
+        _transport = null;
+        _health = new DriverHealth(DriverState.Unknown, _health.LastSuccessfulRead, null);
+    }
+
+    public DriverHealth GetHealth() => _health;
+    public long GetMemoryFootprint() => 0;
+    public Task FlushOptionalCachesAsync(CancellationToken cancellationToken) => Task.CompletedTask;
+
+    // ---- ITagDiscovery ----
+
+    public Task DiscoverAsync(IAddressSpaceBuilder builder, CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(builder);
+        var folder = builder.Folder("Modbus", "Modbus");
+        foreach (var t in _options.Tags)
+        {
+            folder.Variable(t.Name, t.Name, new DriverAttributeInfo(
+                FullName: t.Name,
+                DriverDataType: MapDataType(t.DataType),
+                IsArray: false,
+                ArrayDim: null,
+                SecurityClass: t.Writable ? SecurityClassification.Operate : SecurityClassification.ViewOnly,
+                IsHistorized: false,
+                IsAlarm: false));
+        }
+        return Task.CompletedTask;
+    }
+
+    // ---- IReadable ----
+
+    public async Task<IReadOnlyList<DataValueSnapshot>> ReadAsync(
+        IReadOnlyList<string> fullReferences, CancellationToken cancellationToken)
+    {
+        var transport = RequireTransport();
+        var now = DateTime.UtcNow;
+        var results = new DataValueSnapshot[fullReferences.Count];
+        for (var i = 0; i < fullReferences.Count; i++)
+        {
+            if (!_tagsByName.TryGetValue(fullReferences[i], out var tag))
+            {
+                results[i] = new DataValueSnapshot(null, StatusBadNodeIdUnknown, null, now);
+                continue;
+            }
+            try
+            {
+                var value = await ReadOneAsync(transport, tag, cancellationToken).ConfigureAwait(false);
+                results[i] = new DataValueSnapshot(value, 0u, now, now);
+                _health = new DriverHealth(DriverState.Healthy, now, null);
+            }
+            catch (ModbusException mex)
+            {
+                results[i] = new DataValueSnapshot(null, MapModbusExceptionToStatus(mex.ExceptionCode), null, now);
+                _health = new DriverHealth(DriverState.Degraded, _health.LastSuccessfulRead, mex.Message);
+            }
+            catch (Exception ex)
+            {
+                // Non-Modbus-layer failure: socket dropped, timeout, malformed response. Surface
+                // as communication error so callers can distinguish it from tag-level faults.
+                results[i] = new DataValueSnapshot(null, StatusBadCommunicationError, null, now);
+                _health = new DriverHealth(DriverState.Degraded, _health.LastSuccessfulRead, ex.Message);
+            }
+        }
+        return results;
+    }
+
+    private async Task<object> ReadOneAsync(IModbusTransport transport, ModbusTagDefinition tag, CancellationToken ct)
+    {
+        switch (tag.Region)
+        {
+            case ModbusRegion.Coils:
+            {
+                var pdu = new byte[] { 0x01, (byte)(tag.Address >> 8), (byte)(tag.Address & 0xFF), 0x00, 0x01 };
+                var resp = await transport.SendAsync(_options.UnitId, pdu, ct).ConfigureAwait(false);
+                return (resp[2] & 0x01) == 1;
+            }
+            case ModbusRegion.DiscreteInputs:
+            {
+                var pdu = new byte[] { 0x02, (byte)(tag.Address >> 8), (byte)(tag.Address & 0xFF), 0x00, 0x01 };
+                var resp = await transport.SendAsync(_options.UnitId, pdu, ct).ConfigureAwait(false);
+                return (resp[2] & 0x01) == 1;
+            }
+            case ModbusRegion.HoldingRegisters:
+            case ModbusRegion.InputRegisters:
+            {
+                var quantity = RegisterCount(tag);
+                var fc = tag.Region == ModbusRegion.HoldingRegisters ? (byte)0x03 : (byte)0x04;
+                // Auto-chunk when the tag's register span exceeds the caller-configured cap.
+                // Affects long strings (FC03/04 > 125 regs is spec-forbidden; DL205 caps at 128,
+                // Mitsubishi Q caps at 64). Non-string tags max out at 4 regs so the cap never
+                // triggers for numerics.
+                var cap = _options.MaxRegistersPerRead == 0 ? (ushort)125 : _options.MaxRegistersPerRead;
+                var data = quantity <= cap
+                    ? await ReadRegisterBlockAsync(transport, fc, tag.Address, quantity, ct).ConfigureAwait(false)
+                    : await ReadRegisterBlockChunkedAsync(transport, fc, tag.Address, quantity, cap, ct).ConfigureAwait(false);
+                return DecodeRegister(data, tag);
+            }
+            default:
+                throw new InvalidOperationException($"Unknown region {tag.Region}");
+        }
+    }
+
+    private async Task<byte[]> ReadRegisterBlockAsync(
+        IModbusTransport transport, byte fc, ushort address, ushort quantity, CancellationToken ct)
+    {
+        var pdu = new byte[] { fc, (byte)(address >> 8), (byte)(address & 0xFF),
+                               (byte)(quantity >> 8), (byte)(quantity & 0xFF) };
+        var resp = await transport.SendAsync(_options.UnitId, pdu, ct).ConfigureAwait(false);
+        // resp = [fc][byte-count][data...]
+        var data = new byte[resp[1]];
+        Buffer.BlockCopy(resp, 2, data, 0, resp[1]);
+        return data;
+    }
+
+    private async Task<byte[]> ReadRegisterBlockChunkedAsync(
+        IModbusTransport transport, byte fc, ushort address, ushort totalRegs, ushort cap, CancellationToken ct)
+    {
+        var assembled = new byte[totalRegs * 2];
+        ushort done = 0;
+        while (done < totalRegs)
+        {
+            var chunk = (ushort)Math.Min(cap, totalRegs - done);
+            var chunkBytes = await ReadRegisterBlockAsync(transport, fc, (ushort)(address + done), chunk, ct).ConfigureAwait(false);
+            Buffer.BlockCopy(chunkBytes, 0, assembled, done * 2, chunkBytes.Length);
+            done += chunk;
+        }
+        return assembled;
+    }
+
+    // ---- IWritable ----
+
+    public async Task<IReadOnlyList<WriteResult>> WriteAsync(
+        IReadOnlyList<WriteRequest> writes, CancellationToken cancellationToken)
+    {
+        var transport = RequireTransport();
+        var results = new WriteResult[writes.Count];
+        for (var i = 0; i < writes.Count; i++)
+        {
+            var w = writes[i];
+            if (!_tagsByName.TryGetValue(w.FullReference, out var tag))
+            {
+                results[i] = new WriteResult(StatusBadNodeIdUnknown);
+                continue;
+            }
+            if (!tag.Writable || tag.Region is ModbusRegion.DiscreteInputs or ModbusRegion.InputRegisters)
+            {
+                results[i] = new WriteResult(StatusBadNotWritable);
+                continue;
+            }
+            try
+            {
+                await WriteOneAsync(transport, tag, w.Value, cancellationToken).ConfigureAwait(false);
+                results[i] = new WriteResult(0u);
+            }
+            catch (ModbusException mex)
+            {
+                results[i] = new WriteResult(MapModbusExceptionToStatus(mex.ExceptionCode));
+            }
+            catch (Exception)
+            {
+                results[i] = new WriteResult(StatusBadInternalError);
+            }
+        }
+        return results;
+    }
+
+    private async Task WriteOneAsync(IModbusTransport transport, ModbusTagDefinition tag, object? value, CancellationToken ct)
+    {
+        switch (tag.Region)
+        {
+            case ModbusRegion.Coils:
+            {
+                var on = Convert.ToBoolean(value);
+                var pdu = new byte[] { 0x05, (byte)(tag.Address >> 8), (byte)(tag.Address & 0xFF),
+                                       on ? (byte)0xFF : (byte)0x00, 0x00 };
+                await transport.SendAsync(_options.UnitId, pdu, ct).ConfigureAwait(false);
+                return;
+            }
+            case ModbusRegion.HoldingRegisters:
+            {
+                var bytes = EncodeRegister(value, tag);
+                if (bytes.Length == 2)
+                {
+                    var pdu = new byte[] { 0x06, (byte)(tag.Address >> 8), (byte)(tag.Address & 0xFF),
+                                           bytes[0], bytes[1] };
+                    await transport.SendAsync(_options.UnitId, pdu, ct).ConfigureAwait(false);
+                }
+                else
+                {
+                    // FC 16 (Write Multiple Registers) for 32-bit types.
+                    var qty = (ushort)(bytes.Length / 2);
+                    var writeCap = _options.MaxRegistersPerWrite == 0 ? (ushort)123 : _options.MaxRegistersPerWrite;
+                    if (qty > writeCap)
+                        throw new InvalidOperationException(
+                            $"Write of {qty} registers to {tag.Name} exceeds MaxRegistersPerWrite={writeCap}. " +
+                            $"Split the tag (e.g. shorter StringLength) — partial FC16 chunks would lose atomicity.");
+                    var pdu = new byte[6 + 1 + bytes.Length];
+                    pdu[0] = 0x10;
+                    pdu[1] = (byte)(tag.Address >> 8); pdu[2] = (byte)(tag.Address & 0xFF);
+                    pdu[3] = (byte)(qty >> 8); pdu[4] = (byte)(qty & 0xFF);
+                    pdu[5] = (byte)bytes.Length;
+                    Buffer.BlockCopy(bytes, 0, pdu, 6, bytes.Length);
+                    await transport.SendAsync(_options.UnitId, pdu, ct).ConfigureAwait(false);
+                }
+                return;
+            }
+            default:
+                throw new InvalidOperationException($"Writes not supported for region {tag.Region}");
+        }
+    }
+
+    // ---- ISubscribable (polling overlay) ----
+
+    public Task<ISubscriptionHandle> SubscribeAsync(
+        IReadOnlyList<string> fullReferences, TimeSpan publishingInterval, CancellationToken cancellationToken)
+    {
+        var id = Interlocked.Increment(ref _nextSubscriptionId);
+        var cts = new CancellationTokenSource();
+        var interval = publishingInterval < TimeSpan.FromMilliseconds(100)
+            ? TimeSpan.FromMilliseconds(100) // floor — Modbus can't sustain < 100ms polling reliably
+            : publishingInterval;
+        var handle = new ModbusSubscriptionHandle(id);
+        var state = new SubscriptionState(handle, [.. fullReferences], interval, cts);
+        _subscriptions[id] = state;
+        _ = Task.Run(() => PollLoopAsync(state, cts.Token), cts.Token);
+        return Task.FromResult<ISubscriptionHandle>(handle);
+    }
+
+    public Task UnsubscribeAsync(ISubscriptionHandle handle, CancellationToken cancellationToken)
+    {
+        if (handle is ModbusSubscriptionHandle h && _subscriptions.TryRemove(h.Id, out var state))
+        {
+            state.Cts.Cancel();
+            state.Cts.Dispose();
+        }
+        return Task.CompletedTask;
+    }
+
+    private async Task PollLoopAsync(SubscriptionState state, CancellationToken ct)
+    {
+        // Initial-data push: read every tag once at subscribe time so OPC UA clients see the
+        // current value per Part 4 convention, even if the value never changes thereafter.
+        try { await PollOnceAsync(state, forceRaise: true, ct).ConfigureAwait(false); }
+        catch (OperationCanceledException) { return; }
+        catch { /* first-read error — polling continues */ }
+
+        while (!ct.IsCancellationRequested)
+        {
+            try { await Task.Delay(state.Interval, ct).ConfigureAwait(false); }
+            catch (OperationCanceledException) { return; }
+
+            try { await PollOnceAsync(state, forceRaise: false, ct).ConfigureAwait(false); }
+            catch (OperationCanceledException) { return; }
+            catch { /* transient polling error — loop continues, health surface reflects it */ }
+        }
+    }
+
+    private async Task PollOnceAsync(SubscriptionState state, bool forceRaise, CancellationToken ct)
+    {
+        var snapshots = await ReadAsync(state.TagReferences, ct).ConfigureAwait(false);
+        for (var i = 0; i < state.TagReferences.Count; i++)
+        {
+            var tagRef = state.TagReferences[i];
+            var current = snapshots[i];
+            var lastSeen = state.LastValues.TryGetValue(tagRef, out var prev) ? prev : default;
+
+            // Raise on first read (forceRaise) OR when the boxed value differs from last-known.
+            if (forceRaise || !Equals(lastSeen?.Value, current.Value) || lastSeen?.StatusCode != current.StatusCode)
+            {
+                state.LastValues[tagRef] = current;
+                OnDataChange?.Invoke(this, new DataChangeEventArgs(state.Handle, tagRef, current));
+            }
+        }
+    }
+
+    private sealed record SubscriptionState(
+        ModbusSubscriptionHandle Handle,
+        IReadOnlyList<string> TagReferences,
+        TimeSpan Interval,
+        CancellationTokenSource Cts)
+    {
+        public System.Collections.Concurrent.ConcurrentDictionary<string, DataValueSnapshot> LastValues { get; }
+            = new(StringComparer.OrdinalIgnoreCase);
+    }
+
+    private sealed record ModbusSubscriptionHandle(long Id) : ISubscriptionHandle
+    {
+        public string DiagnosticId => $"modbus-sub-{Id}";
+    }
+
+    // ---- IHostConnectivityProbe ----
+
+    public IReadOnlyList<HostConnectivityStatus> GetHostStatuses()
+    {
+        lock (_probeLock)
+            return [new HostConnectivityStatus(HostName, _hostState, _hostStateChangedUtc)];
+    }
+
+    /// <summary>
+    ///     Host identifier surfaced to <c>IHostConnectivityProbe.GetHostStatuses</c> and the Admin UI.
+    ///     Formatted as <c>host:port</c> so multiple Modbus drivers in the same server disambiguate
+    ///     by endpoint without needing the driver-instance-id in the Admin dashboard.
+    /// </summary>
+    public string HostName => $"{_options.Host}:{_options.Port}";
+
+    private async Task ProbeLoopAsync(CancellationToken ct)
+    {
+        var transport = _transport; // captured reference; disposal tears the loop down via ct
+        while (!ct.IsCancellationRequested)
+        {
+            var success = false;
+            try
+            {
+                using var probeCts = CancellationTokenSource.CreateLinkedTokenSource(ct);
+                probeCts.CancelAfter(_options.Probe.Timeout);
+                var pdu = new byte[] { 0x03,
+                    (byte)(_options.Probe.ProbeAddress >> 8),
+                    (byte)(_options.Probe.ProbeAddress & 0xFF), 0x00, 0x01 };
+                _ = await transport!.SendAsync(_options.UnitId, pdu, probeCts.Token).ConfigureAwait(false);
+                success = true;
+            }
+            catch (OperationCanceledException) when (ct.IsCancellationRequested)
+            {
+                return;
+            }
+            catch
+            {
+                // transport / timeout / exception PDU — treated as Stopped below
+            }
+
+            TransitionTo(success ? HostState.Running : HostState.Stopped);
+
+            try { await Task.Delay(_options.Probe.Interval, ct).ConfigureAwait(false); }
+            catch (OperationCanceledException) { return; }
+        }
+    }
+
+    private void TransitionTo(HostState newState)
+    {
+        HostState old;
+        lock (_probeLock)
+        {
+            old = _hostState;
+            if (old == newState) return;
+            _hostState = newState;
+            _hostStateChangedUtc = DateTime.UtcNow;
+        }
+        OnHostStatusChanged?.Invoke(this, new HostStatusChangedEventArgs(HostName, old, newState));
+    }
+
+    // ---- codec ----
+
+    /// <summary>
+    ///     How many 16-bit registers a given tag occupies. Accounts for multi-register logical
+    ///     types (Int32/Float32 = 2 regs, Int64/Float64 = 4 regs) and for strings (rounded up
+    ///     from 2 chars per register).
+    /// </summary>
+    internal static ushort RegisterCount(ModbusTagDefinition tag) => tag.DataType switch
+    {
+        ModbusDataType.Int16 or ModbusDataType.UInt16 or ModbusDataType.BitInRegister or ModbusDataType.Bcd16 => 1,
+        ModbusDataType.Int32 or ModbusDataType.UInt32 or ModbusDataType.Float32 or ModbusDataType.Bcd32 => 2,
+        ModbusDataType.Int64 or ModbusDataType.UInt64 or ModbusDataType.Float64 => 4,
+        ModbusDataType.String => (ushort)((tag.StringLength + 1) / 2), // 2 chars per register
+        _ => throw new InvalidOperationException($"Non-register data type {tag.DataType}"),
+    };
+
+    /// <summary>
+    ///     Word-swap the input into the big-endian layout the decoders expect. For 2-register
+    ///     types this reverses the two words; for 4-register types it reverses the four words
+    ///     (PLC stored [hi-mid, low-mid, hi-high, low-high] → memory [hi-high, low-high, hi-mid, low-mid]).
+    /// </summary>
+    private static byte[] NormalizeWordOrder(ReadOnlySpan<byte> data, ModbusByteOrder order)
+    {
+        if (order == ModbusByteOrder.BigEndian) return data.ToArray();
+        var result = new byte[data.Length];
+        for (var word = 0; word < data.Length / 2; word++)
+        {
+            var srcWord = data.Length / 2 - 1 - word;
+            result[word * 2] = data[srcWord * 2];
+            result[word * 2 + 1] = data[srcWord * 2 + 1];
+        }
+        return result;
+    }
+
+    internal static object DecodeRegister(ReadOnlySpan<byte> data, ModbusTagDefinition tag)
+    {
+        switch (tag.DataType)
+        {
+            case ModbusDataType.Int16: return BinaryPrimitives.ReadInt16BigEndian(data);
+            case ModbusDataType.UInt16: return BinaryPrimitives.ReadUInt16BigEndian(data);
+            case ModbusDataType.Bcd16:
+            {
+                var raw = BinaryPrimitives.ReadUInt16BigEndian(data);
+                return (int)DecodeBcd(raw, nibbles: 4);
+            }
+            case ModbusDataType.Bcd32:
+            {
+                var b = NormalizeWordOrder(data, tag.ByteOrder);
+                var raw = BinaryPrimitives.ReadUInt32BigEndian(b);
+                return (int)DecodeBcd(raw, nibbles: 8);
+            }
+            case ModbusDataType.BitInRegister:
+            {
+                var raw = BinaryPrimitives.ReadUInt16BigEndian(data);
+                return (raw & (1 << tag.BitIndex)) != 0;
+            }
+            case ModbusDataType.Int32:
+            {
+                var b = NormalizeWordOrder(data, tag.ByteOrder);
+                return BinaryPrimitives.ReadInt32BigEndian(b);
+            }
+            case ModbusDataType.UInt32:
+            {
+                var b = NormalizeWordOrder(data, tag.ByteOrder);
+                return BinaryPrimitives.ReadUInt32BigEndian(b);
+            }
+            case ModbusDataType.Float32:
+            {
+                var b = NormalizeWordOrder(data, tag.ByteOrder);
+                return BinaryPrimitives.ReadSingleBigEndian(b);
+            }
+            case ModbusDataType.Int64:
+            {
+                var b = NormalizeWordOrder(data, tag.ByteOrder);
+                return BinaryPrimitives.ReadInt64BigEndian(b);
+            }
+            case ModbusDataType.UInt64:
+            {
+                var b = NormalizeWordOrder(data, tag.ByteOrder);
+                return BinaryPrimitives.ReadUInt64BigEndian(b);
+            }
+            case ModbusDataType.Float64:
+            {
+                var b = NormalizeWordOrder(data, tag.ByteOrder);
+                return BinaryPrimitives.ReadDoubleBigEndian(b);
+            }
+            case ModbusDataType.String:
+            {
+                // ASCII, 2 chars per register. HighByteFirst (standard) packs the first char in
+                // the high byte of each register; LowByteFirst (DL205/DL260) packs the first char
+                // in the low byte. Respect StringLength (truncate nul-padded regions).
+                var chars = new char[tag.StringLength];
+                for (var i = 0; i < tag.StringLength; i++)
+                {
+                    var regIdx = i / 2;
+                    var highByte = data[regIdx * 2];
+                    var lowByte  = data[regIdx * 2 + 1];
+                    byte b;
+                    if (tag.StringByteOrder == ModbusStringByteOrder.HighByteFirst)
+                        b = (i % 2 == 0) ? highByte : lowByte;
+                    else
+                        b = (i % 2 == 0) ? lowByte : highByte;
+                    if (b == 0) return new string(chars, 0, i);
+                    chars[i] = (char)b;
+                }
+                return new string(chars);
+            }
+            default:
+                throw new InvalidOperationException($"Non-register data type {tag.DataType}");
+        }
+    }
+
+    internal static byte[] EncodeRegister(object? value, ModbusTagDefinition tag)
+    {
+        switch (tag.DataType)
+        {
+            case ModbusDataType.Int16:
+            {
+                var v = Convert.ToInt16(value);
+                var b = new byte[2]; BinaryPrimitives.WriteInt16BigEndian(b, v); return b;
+            }
+            case ModbusDataType.UInt16:
+            {
+                var v = Convert.ToUInt16(value);
+                var b = new byte[2]; BinaryPrimitives.WriteUInt16BigEndian(b, v); return b;
+            }
+            case ModbusDataType.Bcd16:
+            {
+                var v = Convert.ToUInt32(value);
+                if (v > 9999) throw new OverflowException($"BCD16 value {v} exceeds 4 decimal digits");
+                var raw = (ushort)EncodeBcd(v, nibbles: 4);
+                var b = new byte[2]; BinaryPrimitives.WriteUInt16BigEndian(b, raw); return b;
+            }
+            case ModbusDataType.Bcd32:
+            {
+                var v = Convert.ToUInt32(value);
+                if (v > 99_999_999u) throw new OverflowException($"BCD32 value {v} exceeds 8 decimal digits");
+                var raw = EncodeBcd(v, nibbles: 8);
+                var b = new byte[4]; BinaryPrimitives.WriteUInt32BigEndian(b, raw);
+                return NormalizeWordOrder(b, tag.ByteOrder);
+            }
+            case ModbusDataType.Int32:
+            {
+                var v = Convert.ToInt32(value);
+                var b = new byte[4]; BinaryPrimitives.WriteInt32BigEndian(b, v);
+                return NormalizeWordOrder(b, tag.ByteOrder);
+            }
+            case ModbusDataType.UInt32:
+            {
+                var v = Convert.ToUInt32(value);
+                var b = new byte[4]; BinaryPrimitives.WriteUInt32BigEndian(b, v);
+                return NormalizeWordOrder(b, tag.ByteOrder);
+            }
+            case ModbusDataType.Float32:
+            {
+                var v = Convert.ToSingle(value);
+                var b = new byte[4]; BinaryPrimitives.WriteSingleBigEndian(b, v);
+                return NormalizeWordOrder(b, tag.ByteOrder);
+            }
+            case ModbusDataType.Int64:
+            {
+                var v = Convert.ToInt64(value);
+                var b = new byte[8]; BinaryPrimitives.WriteInt64BigEndian(b, v);
+                return NormalizeWordOrder(b, tag.ByteOrder);
+            }
+            case ModbusDataType.UInt64:
+            {
+                var v = Convert.ToUInt64(value);
+                var b = new byte[8]; BinaryPrimitives.WriteUInt64BigEndian(b, v);
+                return NormalizeWordOrder(b, tag.ByteOrder);
+            }
+            case ModbusDataType.Float64:
+            {
+                var v = Convert.ToDouble(value);
+                var b = new byte[8]; BinaryPrimitives.WriteDoubleBigEndian(b, v);
+                return NormalizeWordOrder(b, tag.ByteOrder);
+            }
+            case ModbusDataType.String:
+            {
+                var s = Convert.ToString(value) ?? string.Empty;
+                var regs = (tag.StringLength + 1) / 2;
+                var b = new byte[regs * 2];
+                for (var i = 0; i < tag.StringLength && i < s.Length; i++)
+                {
+                    var regIdx = i / 2;
+                    var destIdx = tag.StringByteOrder == ModbusStringByteOrder.HighByteFirst
+                        ? (i % 2 == 0 ? regIdx * 2 : regIdx * 2 + 1)
+                        : (i % 2 == 0 ? regIdx * 2 + 1 : regIdx * 2);
+                    b[destIdx] = (byte)s[i];
+                }
+                // remaining bytes stay 0 — nul-padded per PLC convention
+                return b;
+            }
+            case ModbusDataType.BitInRegister:
+                throw new InvalidOperationException(
+                    "BitInRegister writes require a read-modify-write; not supported in PR 24 (separate follow-up).");
+            default:
+                throw new InvalidOperationException($"Non-register data type {tag.DataType}");
+        }
+    }
+
+    private static DriverDataType MapDataType(ModbusDataType t) => t switch
+    {
+        ModbusDataType.Bool or ModbusDataType.BitInRegister => DriverDataType.Boolean,
+        ModbusDataType.Int16 or ModbusDataType.Int32 => DriverDataType.Int32,
+        ModbusDataType.UInt16 or ModbusDataType.UInt32 => DriverDataType.Int32,
+        ModbusDataType.Int64 or ModbusDataType.UInt64 => DriverDataType.Int32, // widening to Int32 loses precision; PR 25 adds Int64 to DriverDataType
+        ModbusDataType.Float32 => DriverDataType.Float32,
+        ModbusDataType.Float64 => DriverDataType.Float64,
+        ModbusDataType.String => DriverDataType.String,
+        ModbusDataType.Bcd16 or ModbusDataType.Bcd32 => DriverDataType.Int32,
+        _ => DriverDataType.Int32,
+    };
+
+    /// <summary>
+    ///     Decode an N-nibble binary-coded-decimal value. Each nibble of <paramref name="raw"/>
+    ///     encodes one decimal digit (most-significant nibble first). Rejects nibbles &gt; 9 —
+    ///     the hardware sometimes produces garbage during transitions and silent non-BCD reads
+    ///     would quietly corrupt the caller's data.
+    /// </summary>
+    internal static uint DecodeBcd(uint raw, int nibbles)
+    {
+        uint result = 0;
+        for (var i = nibbles - 1; i >= 0; i--)
+        {
+            var digit = (raw >> (i * 4)) & 0xF;
+            if (digit > 9)
+                throw new InvalidDataException(
+                    $"Non-BCD nibble 0x{digit:X} at position {i} of raw=0x{raw:X}");
+            result = result * 10 + digit;
+        }
+        return result;
+    }
+
+    /// <summary>
+    ///     Encode a decimal value as N-nibble BCD. Caller is responsible for range-checking
+    ///     against the nibble capacity (10^nibbles - 1).
+    /// </summary>
+    internal static uint EncodeBcd(uint value, int nibbles)
+    {
+        uint result = 0;
+        for (var i = 0; i < nibbles; i++)
+        {
+            var digit = value % 10;
+            result |= digit << (i * 4);
+            value /= 10;
+        }
+        return result;
+    }
+
+    private IModbusTransport RequireTransport() =>
+        _transport ?? throw new InvalidOperationException("ModbusDriver not initialized");
+
+    private const uint StatusBadInternalError = 0x80020000u;
+    private const uint StatusBadNodeIdUnknown = 0x80340000u;
+    private const uint StatusBadNotWritable = 0x803B0000u;
+    private const uint StatusBadOutOfRange = 0x803C0000u;
+    private const uint StatusBadNotSupported = 0x803D0000u;
+    private const uint StatusBadDeviceFailure = 0x80550000u;
+    private const uint StatusBadCommunicationError = 0x80050000u;
+
+    /// <summary>
+    ///     Map a server-returned Modbus exception code to the most informative OPC UA
+    ///     StatusCode. Keeps the driver's outward-facing status surface aligned with what a
+    ///     Modbus engineer would expect when reading the spec: exception 02 (Illegal Data
+    ///     Address) surfaces as BadOutOfRange so clients can distinguish "tag wrong" from
+    ///     generic BadInternalError, exception 04 (Server Failure) as BadDeviceFailure so
+    ///     operators see a CPU-mode problem rather than a driver bug, etc. Per
+    ///     <c>docs/v2/dl205.md</c>, DL205/DL260 returns only codes 01-04 — no proprietary
+    ///     extensions.
+    /// </summary>
+    internal static uint MapModbusExceptionToStatus(byte exceptionCode) => exceptionCode switch
+    {
+        0x01 => StatusBadNotSupported,     // Illegal Function — FC not in supported list
+        0x02 => StatusBadOutOfRange,       // Illegal Data Address — register outside mapped range
+        0x03 => StatusBadOutOfRange,       // Illegal Data Value — quantity over per-FC cap
+        0x04 => StatusBadDeviceFailure,    // Server Failure — CPU in PROGRAM mode during protected write
+        0x05 or 0x06 => StatusBadDeviceFailure, // Acknowledge / Server Busy — long-running op / busy
+        0x0A or 0x0B => StatusBadCommunicationError, // Gateway path unavailable / target failed to respond
+        _ => StatusBadInternalError,
+    };
+
+    public void Dispose() => DisposeAsync().AsTask().GetAwaiter().GetResult();
+    public async ValueTask DisposeAsync()
+    {
+        if (_transport is not null) await _transport.DisposeAsync().ConfigureAwait(false);
+        _transport = null;
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Driver.Modbus/ModbusDriverOptions.cs

@@ -0,0 +1,161 @@
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Modbus;
+
+/// <summary>
+///     Modbus TCP driver configuration. Bound from the driver's <c>DriverConfig</c> JSON at
+///     <c>DriverHost.RegisterAsync</c>. Every register the driver exposes appears in
+///     <see cref="Tags"/>; names become the OPC UA browse name + full reference.
+/// </summary>
+public sealed class ModbusDriverOptions
+{
+    public string Host { get; init; } = "127.0.0.1";
+    public int Port { get; init; } = 502;
+    public byte UnitId { get; init; } = 1;
+    public TimeSpan Timeout { get; init; } = TimeSpan.FromSeconds(2);
+
+    /// <summary>Pre-declared tag map. Modbus has no discovery protocol — the driver returns exactly these.</summary>
+    public IReadOnlyList<ModbusTagDefinition> Tags { get; init; } = [];
+
+    /// <summary>
+    ///     Background connectivity-probe settings. When <see cref="ModbusProbeOptions.Enabled"/>
+    ///     is true the driver runs a tick loop that issues a cheap FC03 at register 0 every
+    ///     <see cref="ModbusProbeOptions.Interval"/> and raises <c>OnHostStatusChanged</c> on
+    ///     Running ↔ Stopped transitions. The Admin UI / OPC UA clients see the state through
+    ///     <see cref="IHostConnectivityProbe"/>.
+    /// </summary>
+    public ModbusProbeOptions Probe { get; init; } = new();
+
+    /// <summary>
+    ///     Maximum registers per FC03 (Read Holding Registers) / FC04 (Read Input Registers)
+    ///     transaction. Modbus-TCP spec allows 125; many device families impose lower caps:
+    ///     AutomationDirect DL205/DL260 cap at <c>128</c>, Mitsubishi Q/FX3U cap at <c>64</c>,
+    ///     Omron CJ/CS cap at <c>125</c>. Set to the lowest cap across the devices this driver
+    ///     instance talks to; the driver auto-chunks larger reads into consecutive requests.
+    ///     Default <c>125</c> — the spec maximum, safe against any conforming server. Setting
+    ///     to <c>0</c> disables the cap (discouraged — the spec upper bound still applies).
+    /// </summary>
+    public ushort MaxRegistersPerRead { get; init; } = 125;
+
+    /// <summary>
+    ///     Maximum registers per FC16 (Write Multiple Registers) transaction. Spec maximum is
+    ///     <c>123</c>; DL205/DL260 cap at <c>100</c>. Matching caller-vs-device semantics:
+    ///     exceeding the cap currently throws (writes aren't auto-chunked because a partial
+    ///     write across two FC16 calls is no longer atomic — caller must explicitly opt in
+    ///     by shortening the tag's <c>StringLength</c> or splitting it into multiple tags).
+    /// </summary>
+    public ushort MaxRegistersPerWrite { get; init; } = 123;
+
+    /// <summary>
+    ///     When <c>true</c> (default) the built-in <see cref="ModbusTcpTransport"/> detects
+    ///     mid-transaction socket failures (<see cref="System.IO.EndOfStreamException"/>,
+    ///     <see cref="System.Net.Sockets.SocketException"/>) and transparently reconnects +
+    ///     retries the PDU exactly once. Required for DL205/DL260 because the H2-ECOM100
+    ///     does not send TCP keepalives — intermediate NAT / firewall devices silently close
+    ///     idle sockets and the first send after the drop would otherwise surface as a
+    ///     connection error to the caller even though the PLC is up.
+    /// </summary>
+    public bool AutoReconnect { get; init; } = true;
+}
+
+public sealed class ModbusProbeOptions
+{
+    public bool Enabled { get; init; } = true;
+    public TimeSpan Interval { get; init; } = TimeSpan.FromSeconds(5);
+    public TimeSpan Timeout { get; init; } = TimeSpan.FromSeconds(2);
+    /// <summary>Register to read for the probe. Zero is usually safe; override for PLCs that lock register 0.</summary>
+    public ushort ProbeAddress { get; init; } = 0;
+}
+
+/// <summary>
+///     One Modbus-backed OPC UA variable. Address is zero-based (Modbus spec numbering, not
+///     the documentation's 1-based coil/register conventions). Multi-register types
+///     (Int32/UInt32/Float32 = 2 regs; Int64/UInt64/Float64 = 4 regs) respect the
+///     <see cref="ByteOrder"/> field — real-world PLCs disagree on word ordering.
+/// </summary>
+/// <param name="Name">
+///     Tag name, used for both the OPC UA browse name and the driver's full reference. Must be
+///     unique within the driver.
+/// </param>
+/// <param name="Region">Coils / DiscreteInputs / InputRegisters / HoldingRegisters.</param>
+/// <param name="Address">Zero-based address within the region.</param>
+/// <param name="DataType">
+///     Logical data type. See <see cref="ModbusDataType"/> for the register count each encodes.
+/// </param>
+/// <param name="Writable">When true and Region supports writes (Coils / HoldingRegisters), IWritable routes writes here.</param>
+/// <param name="ByteOrder">Word ordering for multi-register types. Ignored for Bool / Int16 / UInt16 / BitInRegister / String.</param>
+/// <param name="BitIndex">For <c>DataType = BitInRegister</c>: which bit of the holding register (0-15, LSB-first).</param>
+/// <param name="StringLength">For <c>DataType = String</c>: number of ASCII characters (2 per register, rounded up).</param>
+/// <param name="StringByteOrder">
+///     Per-register byte order for <c>DataType = String</c>. Standard Modbus packs the first
+///     character in the high byte (<see cref="ModbusStringByteOrder.HighByteFirst"/>).
+///     AutomationDirect DirectLOGIC (DL205/DL260) and a few legacy families pack the first
+///     character in the low byte instead — see <c>docs/v2/dl205.md</c> §strings.
+/// </param>
+public sealed record ModbusTagDefinition(
+    string Name,
+    ModbusRegion Region,
+    ushort Address,
+    ModbusDataType DataType,
+    bool Writable = true,
+    ModbusByteOrder ByteOrder = ModbusByteOrder.BigEndian,
+    byte BitIndex = 0,
+    ushort StringLength = 0,
+    ModbusStringByteOrder StringByteOrder = ModbusStringByteOrder.HighByteFirst);
+
+public enum ModbusRegion { Coils, DiscreteInputs, InputRegisters, HoldingRegisters }
+
+public enum ModbusDataType
+{
+    Bool,
+    Int16,
+    UInt16,
+    Int32,
+    UInt32,
+    Int64,
+    UInt64,
+    Float32,
+    Float64,
+    /// <summary>Single bit within a holding register. <see cref="ModbusTagDefinition.BitIndex"/> selects 0-15 LSB-first.</summary>
+    BitInRegister,
+    /// <summary>ASCII string packed 2 chars per register, <see cref="ModbusTagDefinition.StringLength"/> characters long.</summary>
+    String,
+    /// <summary>
+    ///     16-bit binary-coded decimal. Each nibble encodes one decimal digit (0-9). Register
+    ///     value <c>0x1234</c> decodes as decimal <c>1234</c> — NOT binary <c>0x04D2 = 4660</c>.
+    ///     DL205/DL260 and several Mitsubishi / Omron families store timers, counters, and
+    ///     operator-facing numerics as BCD by default.
+    /// </summary>
+    Bcd16,
+    /// <summary>
+    ///     32-bit (two-register) BCD. Decodes 8 decimal digits. Word ordering follows
+    ///     <see cref="ModbusTagDefinition.ByteOrder"/> the same way <see cref="Int32"/> does.
+    /// </summary>
+    Bcd32,
+}
+
+/// <summary>
+///     Word ordering for multi-register types. Modbus TCP standard is <see cref="BigEndian"/>
+///     (ABCD for 32-bit: high word at the lower address). Many PLCs — Siemens S7, several
+///     Allen-Bradley series, some Modicon families — use <see cref="WordSwap"/> (CDAB), which
+///     keeps bytes big-endian within each register but reverses the word pair(s).
+/// </summary>
+public enum ModbusByteOrder
+{
+    BigEndian,
+    WordSwap,
+}
+
+/// <summary>
+///     Per-register byte order for ASCII strings packed 2 chars per register. Standard Modbus
+///     convention is <see cref="HighByteFirst"/> — the first character of each pair occupies
+///     the high byte of the register. AutomationDirect DirectLOGIC (DL205, DL260, DL350) and a
+///     handful of legacy controllers pack <see cref="LowByteFirst"/>, which inverts that within
+///     each register. Word ordering across multiple registers is always ascending address for
+///     strings — only the byte order inside each register flips.
+/// </summary>
+public enum ModbusStringByteOrder
+{
+    HighByteFirst,
+    LowByteFirst,
+}

src/ZB.MOM.WW.OtOpcUa.Driver.Modbus/ModbusTcpTransport.cs

@@ -0,0 +1,200 @@
+using System.Net.Sockets;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Modbus;
+
+/// <summary>
+///     Concrete Modbus TCP transport. Wraps a single <see cref="TcpClient"/> and serializes
+///     requests so at most one transaction is in-flight at a time — Modbus servers typically
+///     support concurrent transactions, but the single-flight model keeps the wire trace
+///     easy to diagnose and avoids interleaved-response correlation bugs.
+/// </summary>
+/// <remarks>
+///     <para>
+///         Survives mid-transaction socket drops: when a send/read fails with a socket-level
+///         error (<see cref="IOException"/>, <see cref="SocketException"/>, <see cref="EndOfStreamException"/>)
+///         the transport disposes the dead socket, reconnects, and retries the PDU exactly
+///         once. Deliberately limited to a single retry — further failures bubble up so the
+///         driver's health surface reflects the real state instead of masking a dead PLC.
+///     </para>
+///     <para>
+///         Why this matters for DL205/DL260: the AutomationDirect H2-ECOM100 does NOT send
+///         TCP keepalives per <c>docs/v2/dl205.md</c> §behavioral-oddities, so any NAT/firewall
+///         between the gateway and PLC can silently close an idle socket after 2-5 minutes.
+///         Also enables OS-level <c>SO_KEEPALIVE</c> so the driver's own side detects a stuck
+///         socket in reasonable time even when the application is mostly idle.
+///     </para>
+/// </remarks>
+public sealed class ModbusTcpTransport : IModbusTransport
+{
+    private readonly string _host;
+    private readonly int _port;
+    private readonly TimeSpan _timeout;
+    private readonly bool _autoReconnect;
+    private readonly SemaphoreSlim _gate = new(1, 1);
+    private TcpClient? _client;
+    private NetworkStream? _stream;
+    private ushort _nextTx;
+    private bool _disposed;
+
+    public ModbusTcpTransport(string host, int port, TimeSpan timeout, bool autoReconnect = true)
+    {
+        _host = host;
+        _port = port;
+        _timeout = timeout;
+        _autoReconnect = autoReconnect;
+    }
+
+    public async Task ConnectAsync(CancellationToken ct)
+    {
+        // Resolve the host explicitly + prefer IPv4. .NET's TcpClient default-constructor is
+        // dual-stack (IPv6 first, fallback to IPv4) — but most Modbus TCP devices (PLCs and
+        // simulators like pymodbus) bind 0.0.0.0 only, so the IPv6 attempt times out and we
+        // burn the entire ConnectAsync budget before even trying IPv4. Resolving first +
+        // dialing the IPv4 address directly sidesteps that.
+        var addresses = await System.Net.Dns.GetHostAddressesAsync(_host, ct).ConfigureAwait(false);
+        var ipv4 = System.Linq.Enumerable.FirstOrDefault(addresses,
+            a => a.AddressFamily == System.Net.Sockets.AddressFamily.InterNetwork);
+        var target = ipv4 ?? (addresses.Length > 0 ? addresses[0] : System.Net.IPAddress.Loopback);
+
+        _client = new TcpClient(target.AddressFamily);
+        EnableKeepAlive(_client);
+
+        using var cts = CancellationTokenSource.CreateLinkedTokenSource(ct);
+        cts.CancelAfter(_timeout);
+        await _client.ConnectAsync(target, _port, cts.Token).ConfigureAwait(false);
+        _stream = _client.GetStream();
+    }
+
+    /// <summary>
+    ///     Enable SO_KEEPALIVE with aggressive probe timing. DL205/DL260 doesn't send keepalives
+    ///     itself; having the OS probe the socket every ~30s lets the driver notice a dead PLC
+    ///     or broken NAT path long before the default 2-hour Windows idle timeout fires.
+    ///     Non-fatal if the underlying OS rejects the option (some older Linux / container
+    ///     sandboxes don't expose the fine-grained timing levers — the driver still works,
+    ///     application-level probe still detects problems).
+    /// </summary>
+    private static void EnableKeepAlive(TcpClient client)
+    {
+        try
+        {
+            client.Client.SetSocketOption(SocketOptionLevel.Socket, SocketOptionName.KeepAlive, true);
+            client.Client.SetSocketOption(SocketOptionLevel.Tcp, SocketOptionName.TcpKeepAliveTime, 30);
+            client.Client.SetSocketOption(SocketOptionLevel.Tcp, SocketOptionName.TcpKeepAliveInterval, 10);
+            client.Client.SetSocketOption(SocketOptionLevel.Tcp, SocketOptionName.TcpKeepAliveRetryCount, 3);
+        }
+        catch { /* best-effort; older OSes may not expose the granular knobs */ }
+    }
+
+    public async Task<byte[]> SendAsync(byte unitId, byte[] pdu, CancellationToken ct)
+    {
+        if (_disposed) throw new ObjectDisposedException(nameof(ModbusTcpTransport));
+        if (_stream is null) throw new InvalidOperationException("Transport not connected");
+
+        await _gate.WaitAsync(ct).ConfigureAwait(false);
+        try
+        {
+            try
+            {
+                return await SendOnceAsync(unitId, pdu, ct).ConfigureAwait(false);
+            }
+            catch (Exception ex) when (_autoReconnect && IsSocketLevelFailure(ex))
+            {
+                // Mid-transaction drop: tear down the dead socket, reconnect, resend. Single
+                // retry — if it fails again, let it propagate so health/status reflect reality.
+                await TearDownAsync().ConfigureAwait(false);
+                await ConnectAsync(ct).ConfigureAwait(false);
+                return await SendOnceAsync(unitId, pdu, ct).ConfigureAwait(false);
+            }
+        }
+        finally
+        {
+            _gate.Release();
+        }
+    }
+
+    private async Task<byte[]> SendOnceAsync(byte unitId, byte[] pdu, CancellationToken ct)
+    {
+        if (_stream is null) throw new InvalidOperationException("Transport not connected");
+        var txId = ++_nextTx;
+
+        // MBAP: [TxId(2)][Proto=0(2)][Length(2)][UnitId(1)] + PDU
+        var adu = new byte[7 + pdu.Length];
+        adu[0] = (byte)(txId >> 8);
+        adu[1] = (byte)(txId & 0xFF);
+        // protocol id already zero
+        var len = (ushort)(1 + pdu.Length); // unit id + pdu
+        adu[4] = (byte)(len >> 8);
+        adu[5] = (byte)(len & 0xFF);
+        adu[6] = unitId;
+        Buffer.BlockCopy(pdu, 0, adu, 7, pdu.Length);
+
+        using var cts = CancellationTokenSource.CreateLinkedTokenSource(ct);
+        cts.CancelAfter(_timeout);
+        await _stream.WriteAsync(adu.AsMemory(), cts.Token).ConfigureAwait(false);
+        await _stream.FlushAsync(cts.Token).ConfigureAwait(false);
+
+        var header = new byte[7];
+        await ReadExactlyAsync(_stream, header, cts.Token).ConfigureAwait(false);
+        var respTxId = (ushort)((header[0] << 8) | header[1]);
+        if (respTxId != txId)
+            throw new InvalidDataException($"Modbus TxId mismatch: expected {txId} got {respTxId}");
+        var respLen = (ushort)((header[4] << 8) | header[5]);
+        if (respLen < 1) throw new InvalidDataException($"Modbus response length too small: {respLen}");
+        var respPdu = new byte[respLen - 1];
+        await ReadExactlyAsync(_stream, respPdu, cts.Token).ConfigureAwait(false);
+
+        // Exception PDU: function code has high bit set.
+        if ((respPdu[0] & 0x80) != 0)
+        {
+            var fc = (byte)(respPdu[0] & 0x7F);
+            var ex = respPdu[1];
+            throw new ModbusException(fc, ex, $"Modbus exception fc={fc} code={ex}");
+        }
+
+        return respPdu;
+    }
+
+    /// <summary>
+    ///     Distinguish socket-layer failures (eligible for reconnect-and-retry) from
+    ///     protocol-layer failures (must propagate — retrying the same PDU won't help if the
+    ///     PLC just returned exception 02 Illegal Data Address).
+    /// </summary>
+    private static bool IsSocketLevelFailure(Exception ex) =>
+        ex is EndOfStreamException
+        || ex is IOException
+        || ex is SocketException
+        || ex is ObjectDisposedException;
+
+    private async Task TearDownAsync()
+    {
+        try { if (_stream is not null) await _stream.DisposeAsync().ConfigureAwait(false); }
+        catch { /* best-effort */ }
+        _stream = null;
+        try { _client?.Dispose(); } catch { }
+        _client = null;
+    }
+
+    private static async Task ReadExactlyAsync(Stream s, byte[] buf, CancellationToken ct)
+    {
+        var read = 0;
+        while (read < buf.Length)
+        {
+            var n = await s.ReadAsync(buf.AsMemory(read), ct).ConfigureAwait(false);
+            if (n == 0) throw new EndOfStreamException("Modbus socket closed mid-response");
+            read += n;
+        }
+    }
+
+    public async ValueTask DisposeAsync()
+    {
+        if (_disposed) return;
+        _disposed = true;
+        try
+        {
+            if (_stream is not null) await _stream.DisposeAsync().ConfigureAwait(false);
+        }
+        catch { /* best-effort */ }
+        _client?.Dispose();
+        _gate.Dispose();
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Driver.Modbus/ZB.MOM.WW.OtOpcUa.Driver.Modbus.csproj

@@ -0,0 +1,27 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+    <PropertyGroup>
+        <TargetFramework>net10.0</TargetFramework>
+        <Nullable>enable</Nullable>
+        <ImplicitUsings>enable</ImplicitUsings>
+        <LangVersion>latest</LangVersion>
+        <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
+        <GenerateDocumentationFile>true</GenerateDocumentationFile>
+        <NoWarn>$(NoWarn);CS1591</NoWarn>
+        <RootNamespace>ZB.MOM.WW.OtOpcUa.Driver.Modbus</RootNamespace>
+    </PropertyGroup>
+
+    <ItemGroup>
+        <ProjectReference Include="..\ZB.MOM.WW.OtOpcUa.Core.Abstractions\ZB.MOM.WW.OtOpcUa.Core.Abstractions.csproj"/>
+    </ItemGroup>
+
+    <ItemGroup>
+        <InternalsVisibleTo Include="ZB.MOM.WW.OtOpcUa.Driver.Modbus.Tests"/>
+    </ItemGroup>
+
+    <ItemGroup>
+        <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-37gx-xxp4-5rgx"/>
+        <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-w3x6-4m5h-cxqf"/>
+    </ItemGroup>
+
+</Project>

src/ZB.MOM.WW.OtOpcUa.Historian.Aveva/AvevaHistorianPluginEntry.cs

@@ -1,15 +0,0 @@
-using ZB.MOM.WW.OtOpcUa.Host.Configuration;
-using ZB.MOM.WW.OtOpcUa.Host.Historian;
-
-namespace ZB.MOM.WW.OtOpcUa.Historian.Aveva
-{
-    /// <summary>
-    ///     Reflection entry point invoked by <c>HistorianPluginLoader</c> in the Host. Kept
-    ///     deliberately simple so the plugin contract is a single static factory method.
-    /// </summary>
-    public static class AvevaHistorianPluginEntry
-    {
-        public static IHistorianDataSource Create(HistorianConfiguration config)
-            => new HistorianDataSource(config);
-    }
-}

src/ZB.MOM.WW.OtOpcUa.Historian.Aveva/ZB.MOM.WW.OtOpcUa.Historian.Aveva.csproj

@@ -1,87 +0,0 @@
-<Project Sdk="Microsoft.NET.Sdk">
-
-    <PropertyGroup>
-        <TargetFramework>net48</TargetFramework>
-        <PlatformTarget>x86</PlatformTarget>
-        <LangVersion>9.0</LangVersion>
-        <Nullable>enable</Nullable>
-        <RootNamespace>ZB.MOM.WW.OtOpcUa.Historian.Aveva</RootNamespace>
-        <AssemblyName>ZB.MOM.WW.OtOpcUa.Historian.Aveva</AssemblyName>
-        <!-- Plugin is loaded at runtime via Assembly.LoadFrom; never copy it as a CopyLocal dep. -->
-        <CopyLocalLockFileAssemblies>false</CopyLocalLockFileAssemblies>
-        <!-- Deploy next to Host.exe under bin/<cfg>/Historian/ so F5 works without a manual copy. -->
-        <HistorianPluginOutputDir>$(MSBuildThisFileDirectory)..\ZB.MOM.WW.OtOpcUa.Host\bin\$(Configuration)\net48\Historian\</HistorianPluginOutputDir>
-    </PropertyGroup>
-
-    <ItemGroup>
-        <InternalsVisibleTo Include="ZB.MOM.WW.OtOpcUa.Historian.Aveva.Tests"/>
-    </ItemGroup>
-
-    <ItemGroup>
-        <!-- Logging -->
-        <PackageReference Include="Serilog" Version="2.10.0"/>
-
-        <!-- OPC UA (for DataValue/StatusCodes used by the IHistorianDataSource surface) -->
-        <PackageReference Include="OPCFoundation.NetStandard.Opc.Ua.Server" Version="1.5.374.126"/>
-    </ItemGroup>
-
-    <ItemGroup>
-        <!-- Private=false: the plugin binds to Host types at compile time but Host.exe must not be
-             copied into the plugin's output folder (it is already in the process). -->
-        <ProjectReference Include="..\ZB.MOM.WW.OtOpcUa.Host\ZB.MOM.WW.OtOpcUa.Host.csproj">
-            <Private>false</Private>
-            <ReferenceOutputAssembly>true</ReferenceOutputAssembly>
-        </ProjectReference>
-    </ItemGroup>
-
-    <ItemGroup>
-        <!-- Wonderware Historian SDK -->
-        <Reference Include="aahClientManaged">
-            <HintPath>..\..\lib\aahClientManaged.dll</HintPath>
-            <EmbedInteropTypes>false</EmbedInteropTypes>
-        </Reference>
-        <Reference Include="aahClientCommon">
-            <HintPath>..\..\lib\aahClientCommon.dll</HintPath>
-            <EmbedInteropTypes>false</EmbedInteropTypes>
-        </Reference>
-    </ItemGroup>
-
-    <ItemGroup>
-        <!-- Historian SDK native dependencies — copied beside the plugin DLL so the AssemblyResolve
-             handler in HistorianPluginLoader can find them when the plugin first JITs. -->
-        <None Include="..\..\lib\aahClient.dll">
-            <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
-        </None>
-        <None Include="..\..\lib\aahClientCommon.dll">
-            <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
-        </None>
-        <None Include="..\..\lib\aahClientManaged.dll">
-            <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
-        </None>
-        <None Include="..\..\lib\Historian.CBE.dll">
-            <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
-        </None>
-        <None Include="..\..\lib\Historian.DPAPI.dll">
-            <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
-        </None>
-        <None Include="..\..\lib\ArchestrA.CloudHistorian.Contract.dll">
-            <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
-        </None>
-    </ItemGroup>
-
-    <Target Name="StageHistorianPluginForHost" AfterTargets="Build">
-        <ItemGroup>
-            <_HistorianStageFiles Include="$(OutDir)aahClient.dll"/>
-            <_HistorianStageFiles Include="$(OutDir)aahClientCommon.dll"/>
-            <_HistorianStageFiles Include="$(OutDir)aahClientManaged.dll"/>
-            <_HistorianStageFiles Include="$(OutDir)Historian.CBE.dll"/>
-            <_HistorianStageFiles Include="$(OutDir)Historian.DPAPI.dll"/>
-            <_HistorianStageFiles Include="$(OutDir)ArchestrA.CloudHistorian.Contract.dll"/>
-            <_HistorianStageFiles Include="$(OutDir)$(AssemblyName).dll"/>
-            <_HistorianStageFiles Include="$(OutDir)$(AssemblyName).pdb" Condition="Exists('$(OutDir)$(AssemblyName).pdb')"/>
-        </ItemGroup>
-        <MakeDir Directories="$(HistorianPluginOutputDir)"/>
-        <Copy SourceFiles="@(_HistorianStageFiles)" DestinationFolder="$(HistorianPluginOutputDir)" SkipUnchangedFiles="true"/>
-    </Target>
-
-</Project>

src/ZB.MOM.WW.OtOpcUa.Host/Configuration/AlarmFilterConfiguration.cs

@@ -1,27 +0,0 @@
-using System.Collections.Generic;
-
-namespace ZB.MOM.WW.OtOpcUa.Host.Configuration
-{
-    /// <summary>
-    ///     Configures the template-based alarm object filter under <c>OpcUa.AlarmFilter</c>.
-    /// </summary>
-    /// <remarks>
-    ///     Each entry in <see cref="ObjectFilters"/> is a wildcard pattern matched against the template
-    ///     derivation chain of every Galaxy object. Supported wildcard: <c>*</c>. Matching is case-insensitive
-    ///     and the leading <c>$</c> used by Galaxy template tag_names is normalized away, so operators can
-    ///     write <c>TestMachine*</c> instead of <c>$TestMachine*</c>. An entry may itself contain comma-separated
-    ///     patterns for convenience (e.g., <c>"TestMachine*, Pump_*"</c>). An empty list disables the filter,
-    ///     restoring current behavior: all alarm-bearing objects are monitored when
-    ///     <see cref="OpcUaConfiguration.AlarmTrackingEnabled"/> is <see langword="true"/>.
-    /// </remarks>
-    public class AlarmFilterConfiguration
-    {
-        /// <summary>
-        ///     Gets or sets the wildcard patterns that select which Galaxy objects contribute alarm conditions.
-        ///     An object is included when any template in its derivation chain matches any pattern, and the
-        ///     inclusion propagates to all descendants in the containment hierarchy. Each object is evaluated
-        ///     once: overlapping matches never create duplicate alarm subscriptions.
-        /// </summary>
-        public List<string> ObjectFilters { get; set; } = new();
-    }
-}

src/ZB.MOM.WW.OtOpcUa.Host/Configuration/AppConfiguration.cs

@@ -1,48 +0,0 @@
-namespace ZB.MOM.WW.OtOpcUa.Host.Configuration
-{
-    /// <summary>
-    ///     Top-level configuration holder binding all sections from appsettings.json. (SVC-003)
-    /// </summary>
-    public class AppConfiguration
-    {
-        /// <summary>
-        ///     Gets or sets the OPC UA endpoint settings exposed to downstream clients that browse the LMX address space.
-        /// </summary>
-        public OpcUaConfiguration OpcUa { get; set; } = new();
-
-        /// <summary>
-        ///     Gets or sets the MXAccess runtime connection settings used to read and write live Galaxy attributes.
-        /// </summary>
-        public MxAccessConfiguration MxAccess { get; set; } = new();
-
-        /// <summary>
-        ///     Gets or sets the repository settings used to query Galaxy metadata for address-space construction.
-        /// </summary>
-        public GalaxyRepositoryConfiguration GalaxyRepository { get; set; } = new();
-
-        /// <summary>
-        ///     Gets or sets the embedded dashboard settings used to surface service health to operators.
-        /// </summary>
-        public DashboardConfiguration Dashboard { get; set; } = new();
-
-        /// <summary>
-        ///     Gets or sets the Wonderware Historian connection settings used to serve OPC UA historical data.
-        /// </summary>
-        public HistorianConfiguration Historian { get; set; } = new();
-
-        /// <summary>
-        ///     Gets or sets the authentication and role-based access control settings.
-        /// </summary>
-        public AuthenticationConfiguration Authentication { get; set; } = new();
-
-        /// <summary>
-        ///     Gets or sets the transport security settings that control which OPC UA security profiles are exposed.
-        /// </summary>
-        public SecurityProfileConfiguration Security { get; set; } = new();
-
-        /// <summary>
-        ///     Gets or sets the redundancy settings that control how this server participates in a redundant pair.
-        /// </summary>
-        public RedundancyConfiguration Redundancy { get; set; } = new();
-    }
-}

src/ZB.MOM.WW.OtOpcUa.Host/Configuration/AuthenticationConfiguration.cs

@@ -1,25 +0,0 @@
-namespace ZB.MOM.WW.OtOpcUa.Host.Configuration
-{
-    /// <summary>
-    ///     Authentication and role-based access control settings for the OPC UA server.
-    /// </summary>
-    public class AuthenticationConfiguration
-    {
-        /// <summary>
-        ///     Gets or sets a value indicating whether anonymous OPC UA connections are accepted.
-        /// </summary>
-        public bool AllowAnonymous { get; set; } = true;
-
-        /// <summary>
-        ///     Gets or sets a value indicating whether anonymous users can write tag values.
-        ///     When false, only authenticated users can write. Existing security classification restrictions still apply.
-        /// </summary>
-        public bool AnonymousCanWrite { get; set; } = true;
-
-        /// <summary>
-        ///     Gets or sets the LDAP authentication settings. When Ldap.Enabled is true,
-        ///     credentials are validated against the LDAP server and group membership determines permissions.
-        /// </summary>
-        public LdapConfiguration Ldap { get; set; } = new();
-    }
-}

src/ZB.MOM.WW.OtOpcUa.Host/Configuration/ConfigurationValidator.cs

@@ -1,314 +0,0 @@
-using System;
-using System.Collections.Generic;
-using System.Data.SqlClient;
-using System.Linq;
-using Opc.Ua;
-using Serilog;
-using ZB.MOM.WW.OtOpcUa.Host.OpcUa;
-
-namespace ZB.MOM.WW.OtOpcUa.Host.Configuration
-{
-    /// <summary>
-    ///     Validates and logs effective configuration at startup. (SVC-003, SVC-005)
-    /// </summary>
-    public static class ConfigurationValidator
-    {
-        private static readonly ILogger Log = Serilog.Log.ForContext(typeof(ConfigurationValidator));
-
-        /// <summary>
-        ///     Validates the effective host configuration and writes the resolved values to the startup log before service
-        ///     initialization continues.
-        /// </summary>
-        /// <param name="config">
-        ///     The bound service configuration that drives OPC UA hosting, MXAccess connectivity, Galaxy queries,
-        ///     and dashboard behavior.
-        /// </param>
-        /// <returns>
-        ///     <see langword="true" /> when the required settings are present and within supported bounds; otherwise,
-        ///     <see langword="false" />.
-        /// </returns>
-        public static bool ValidateAndLog(AppConfiguration config)
-        {
-            var valid = true;
-
-            Log.Information("=== Effective Configuration ===");
-
-            // OPC UA
-            Log.Information(
-                "OpcUa.BindAddress={BindAddress}, Port={Port}, EndpointPath={EndpointPath}, ServerName={ServerName}, GalaxyName={GalaxyName}",
-                config.OpcUa.BindAddress, config.OpcUa.Port, config.OpcUa.EndpointPath, config.OpcUa.ServerName,
-                config.OpcUa.GalaxyName);
-            Log.Information("OpcUa.MaxSessions={MaxSessions}, SessionTimeoutMinutes={SessionTimeout}",
-                config.OpcUa.MaxSessions, config.OpcUa.SessionTimeoutMinutes);
-
-            if (config.OpcUa.Port < 1 || config.OpcUa.Port > 65535)
-            {
-                Log.Error("OpcUa.Port must be between 1 and 65535");
-                valid = false;
-            }
-
-            if (string.IsNullOrWhiteSpace(config.OpcUa.GalaxyName))
-            {
-                Log.Error("OpcUa.GalaxyName must not be empty");
-                valid = false;
-            }
-
-            // Alarm filter
-            var alarmFilterCount = config.OpcUa.AlarmFilter?.ObjectFilters?.Count ?? 0;
-            Log.Information(
-                "OpcUa.AlarmTrackingEnabled={AlarmEnabled}, AlarmFilter.ObjectFilters=[{Filters}]",
-                config.OpcUa.AlarmTrackingEnabled,
-                alarmFilterCount == 0 ? "(none)" : string.Join(", ", config.OpcUa.AlarmFilter!.ObjectFilters));
-            if (alarmFilterCount > 0 && !config.OpcUa.AlarmTrackingEnabled)
-                Log.Warning(
-                    "OpcUa.AlarmFilter.ObjectFilters has {Count} patterns but OpcUa.AlarmTrackingEnabled is false — filter will have no effect",
-                    alarmFilterCount);
-
-            // MxAccess
-            Log.Information(
-                "MxAccess.ClientName={ClientName}, ReadTimeout={ReadTimeout}s, WriteTimeout={WriteTimeout}s, MaxConcurrent={MaxConcurrent}",
-                config.MxAccess.ClientName, config.MxAccess.ReadTimeoutSeconds, config.MxAccess.WriteTimeoutSeconds,
-                config.MxAccess.MaxConcurrentOperations);
-            Log.Information(
-                "MxAccess.MonitorInterval={MonitorInterval}s, AutoReconnect={AutoReconnect}, ProbeTag={ProbeTag}, ProbeStaleThreshold={ProbeStale}s",
-                config.MxAccess.MonitorIntervalSeconds, config.MxAccess.AutoReconnect,
-                config.MxAccess.ProbeTag ?? "(none)", config.MxAccess.ProbeStaleThresholdSeconds);
-            Log.Information(
-                "MxAccess.RuntimeStatusProbesEnabled={Enabled}, RuntimeStatusUnknownTimeoutSeconds={Timeout}s, RequestTimeoutSeconds={RequestTimeout}s",
-                config.MxAccess.RuntimeStatusProbesEnabled, config.MxAccess.RuntimeStatusUnknownTimeoutSeconds,
-                config.MxAccess.RequestTimeoutSeconds);
-
-            if (string.IsNullOrWhiteSpace(config.MxAccess.ClientName))
-            {
-                Log.Error("MxAccess.ClientName must not be empty");
-                valid = false;
-            }
-
-            if (config.MxAccess.RuntimeStatusUnknownTimeoutSeconds < 5)
-                Log.Warning(
-                    "MxAccess.RuntimeStatusUnknownTimeoutSeconds={Timeout} is below the recommended floor of 5s; initial probe resolution may time out before MxAccess has delivered the first callback",
-                    config.MxAccess.RuntimeStatusUnknownTimeoutSeconds);
-
-            if (config.MxAccess.RequestTimeoutSeconds < 1)
-            {
-                Log.Error("MxAccess.RequestTimeoutSeconds must be at least 1");
-                valid = false;
-            }
-            else if (config.MxAccess.RequestTimeoutSeconds <
-                     Math.Max(config.MxAccess.ReadTimeoutSeconds, config.MxAccess.WriteTimeoutSeconds))
-            {
-                Log.Warning(
-                    "MxAccess.RequestTimeoutSeconds={RequestTimeout} is below Read/Write inner timeouts ({Read}s/{Write}s); outer safety bound may fire before the inner client completes its own error path",
-                    config.MxAccess.RequestTimeoutSeconds,
-                    config.MxAccess.ReadTimeoutSeconds, config.MxAccess.WriteTimeoutSeconds);
-            }
-
-            // Galaxy Repository
-            Log.Information(
-                "GalaxyRepository.ConnectionString={ConnectionString}, ChangeDetectionInterval={ChangeInterval}s, CommandTimeout={CmdTimeout}s, ExtendedAttributes={ExtendedAttributes}",
-                SanitizeConnectionString(config.GalaxyRepository.ConnectionString), config.GalaxyRepository.ChangeDetectionIntervalSeconds,
-                config.GalaxyRepository.CommandTimeoutSeconds, config.GalaxyRepository.ExtendedAttributes);
-
-            var effectivePlatformName = string.IsNullOrWhiteSpace(config.GalaxyRepository.PlatformName)
-                ? Environment.MachineName
-                : config.GalaxyRepository.PlatformName;
-            Log.Information(
-                "GalaxyRepository.Scope={Scope}, PlatformName={PlatformName}",
-                config.GalaxyRepository.Scope,
-                config.GalaxyRepository.Scope == GalaxyScope.LocalPlatform
-                    ? effectivePlatformName
-                    : "(n/a)");
-
-            if (config.GalaxyRepository.Scope == GalaxyScope.LocalPlatform &&
-                string.IsNullOrWhiteSpace(config.GalaxyRepository.PlatformName))
-                Log.Information(
-                    "GalaxyRepository.PlatformName not set — using Environment.MachineName '{MachineName}'",
-                    Environment.MachineName);
-
-            if (string.IsNullOrWhiteSpace(config.GalaxyRepository.ConnectionString))
-            {
-                Log.Error("GalaxyRepository.ConnectionString must not be empty");
-                valid = false;
-            }
-
-            // Dashboard
-            Log.Information("Dashboard.Enabled={Enabled}, Port={Port}, RefreshInterval={Refresh}s",
-                config.Dashboard.Enabled, config.Dashboard.Port, config.Dashboard.RefreshIntervalSeconds);
-
-            // Security
-            Log.Information(
-                "Security.Profiles=[{Profiles}], AutoAcceptClientCertificates={AutoAccept}, RejectSHA1={RejectSHA1}, MinKeySize={MinKeySize}",
-                string.Join(", ", config.Security.Profiles), config.Security.AutoAcceptClientCertificates,
-                config.Security.RejectSHA1Certificates, config.Security.MinimumCertificateKeySize);
-
-            Log.Information("Security.PkiRootPath={PkiRootPath}", config.Security.PkiRootPath ?? "(default)");
-            Log.Information("Security.CertificateSubject={CertificateSubject}", config.Security.CertificateSubject ?? "(default)");
-            Log.Information("Security.CertificateLifetimeMonths={Months}", config.Security.CertificateLifetimeMonths);
-
-            var unknownProfiles = config.Security.Profiles
-                .Where(p => !SecurityProfileResolver.ValidProfileNames.Contains(p, StringComparer.OrdinalIgnoreCase))
-                .ToList();
-            if (unknownProfiles.Count > 0)
-                Log.Warning("Unknown security profile(s): {Profiles}. Valid values: {ValidProfiles}",
-                    string.Join(", ", unknownProfiles), string.Join(", ", SecurityProfileResolver.ValidProfileNames));
-
-            if (config.Security.MinimumCertificateKeySize < 2048)
-            {
-                Log.Error("Security.MinimumCertificateKeySize must be at least 2048");
-                valid = false;
-            }
-
-            if (config.Security.AutoAcceptClientCertificates)
-                Log.Warning(
-                    "Security.AutoAcceptClientCertificates is enabled — client certificate trust is not enforced. Set to false in production");
-
-            if (config.Security.Profiles.Count == 1 &&
-                config.Security.Profiles[0].Equals("None", StringComparison.OrdinalIgnoreCase))
-                Log.Warning("Only the 'None' security profile is configured — transport security is disabled");
-
-            // Historian
-            var clusterNodes = config.Historian.ServerNames ?? new List<string>();
-            var effectiveNodes = clusterNodes.Count > 0
-                ? string.Join(",", clusterNodes)
-                : config.Historian.ServerName;
-            Log.Information(
-                "Historian.Enabled={Enabled}, Nodes=[{Nodes}], IntegratedSecurity={IntegratedSecurity}, Port={Port}",
-                config.Historian.Enabled, effectiveNodes, config.Historian.IntegratedSecurity,
-                config.Historian.Port);
-            Log.Information(
-                "Historian.CommandTimeoutSeconds={Timeout}, MaxValuesPerRead={MaxValues}, FailureCooldownSeconds={Cooldown}, RequestTimeoutSeconds={RequestTimeout}",
-                config.Historian.CommandTimeoutSeconds, config.Historian.MaxValuesPerRead,
-                config.Historian.FailureCooldownSeconds, config.Historian.RequestTimeoutSeconds);
-
-            if (config.Historian.Enabled)
-            {
-                if (clusterNodes.Count == 0 && string.IsNullOrWhiteSpace(config.Historian.ServerName))
-                {
-                    Log.Error("Historian.ServerName (or ServerNames) must not be empty when Historian is enabled");
-                    valid = false;
-                }
-
-                if (config.Historian.FailureCooldownSeconds < 0)
-                {
-                    Log.Error("Historian.FailureCooldownSeconds must be zero or positive");
-                    valid = false;
-                }
-
-                if (config.Historian.RequestTimeoutSeconds < 1)
-                {
-                    Log.Error("Historian.RequestTimeoutSeconds must be at least 1");
-                    valid = false;
-                }
-                else if (config.Historian.RequestTimeoutSeconds < config.Historian.CommandTimeoutSeconds)
-                {
-                    Log.Warning(
-                        "Historian.RequestTimeoutSeconds={RequestTimeout} is below CommandTimeoutSeconds={CmdTimeout}; outer safety bound may fire before the inner SDK completes its own error path",
-                        config.Historian.RequestTimeoutSeconds, config.Historian.CommandTimeoutSeconds);
-                }
-
-                if (clusterNodes.Count > 0 && !string.IsNullOrWhiteSpace(config.Historian.ServerName)
-                    && config.Historian.ServerName != "localhost")
-                    Log.Warning(
-                        "Historian.ServerName='{ServerName}' is ignored because Historian.ServerNames has {Count} entries",
-                        config.Historian.ServerName, clusterNodes.Count);
-
-                if (config.Historian.Port < 1 || config.Historian.Port > 65535)
-                {
-                    Log.Error("Historian.Port must be between 1 and 65535");
-                    valid = false;
-                }
-
-                if (!config.Historian.IntegratedSecurity && string.IsNullOrWhiteSpace(config.Historian.UserName))
-                {
-                    Log.Error("Historian.UserName must not be empty when IntegratedSecurity is disabled");
-                    valid = false;
-                }
-
-                if (!config.Historian.IntegratedSecurity && string.IsNullOrWhiteSpace(config.Historian.Password))
-                    Log.Warning("Historian.Password is empty — authentication may fail");
-            }
-
-            // Authentication
-            Log.Information("Authentication.AllowAnonymous={AllowAnonymous}, AnonymousCanWrite={AnonymousCanWrite}",
-                config.Authentication.AllowAnonymous, config.Authentication.AnonymousCanWrite);
-
-            if (config.Authentication.Ldap.Enabled)
-            {
-                Log.Information("Authentication.Ldap.Enabled=true, Host={Host}, Port={Port}, BaseDN={BaseDN}",
-                    config.Authentication.Ldap.Host, config.Authentication.Ldap.Port,
-                    config.Authentication.Ldap.BaseDN);
-                Log.Information(
-                    "Authentication.Ldap groups: ReadOnly={ReadOnly}, WriteOperate={WriteOperate}, WriteTune={WriteTune}, WriteConfigure={WriteConfigure}, AlarmAck={AlarmAck}",
-                    config.Authentication.Ldap.ReadOnlyGroup, config.Authentication.Ldap.WriteOperateGroup,
-                    config.Authentication.Ldap.WriteTuneGroup, config.Authentication.Ldap.WriteConfigureGroup,
-                    config.Authentication.Ldap.AlarmAckGroup);
-
-                if (string.IsNullOrWhiteSpace(config.Authentication.Ldap.ServiceAccountDn))
-                    Log.Warning("Authentication.Ldap.ServiceAccountDn is empty — group lookups will fail");
-            }
-
-            // Redundancy
-            if (config.OpcUa.ApplicationUri != null)
-                Log.Information("OpcUa.ApplicationUri={ApplicationUri}", config.OpcUa.ApplicationUri);
-
-            Log.Information(
-                "Redundancy.Enabled={Enabled}, Mode={Mode}, Role={Role}, ServiceLevelBase={ServiceLevelBase}",
-                config.Redundancy.Enabled, config.Redundancy.Mode, config.Redundancy.Role,
-                config.Redundancy.ServiceLevelBase);
-
-            if (config.Redundancy.ServerUris.Count > 0)
-                Log.Information("Redundancy.ServerUris=[{ServerUris}]",
-                    string.Join(", ", config.Redundancy.ServerUris));
-
-            if (config.Redundancy.Enabled)
-            {
-                if (string.IsNullOrWhiteSpace(config.OpcUa.ApplicationUri))
-                {
-                    Log.Error(
-                        "OpcUa.ApplicationUri must be set when redundancy is enabled — each instance needs a unique identity");
-                    valid = false;
-                }
-
-                if (config.Redundancy.ServerUris.Count < 2)
-                    Log.Warning(
-                        "Redundancy.ServerUris contains fewer than 2 entries — a redundant set typically has at least 2 servers");
-
-                if (config.OpcUa.ApplicationUri != null &&
-                    !config.Redundancy.ServerUris.Contains(config.OpcUa.ApplicationUri))
-                    Log.Warning("Local OpcUa.ApplicationUri '{ApplicationUri}' is not listed in Redundancy.ServerUris",
-                        config.OpcUa.ApplicationUri);
-
-                var mode = RedundancyModeResolver.Resolve(config.Redundancy.Mode, true);
-                if (mode == RedundancySupport.None)
-                    Log.Warning("Redundancy is enabled but Mode '{Mode}' is not recognized — will fall back to None",
-                        config.Redundancy.Mode);
-            }
-
-            if (config.Redundancy.ServiceLevelBase < 1 || config.Redundancy.ServiceLevelBase > 255)
-            {
-                Log.Error("Redundancy.ServiceLevelBase must be between 1 and 255");
-                valid = false;
-            }
-
-            Log.Information("=== Configuration {Status} ===", valid ? "Valid" : "INVALID");
-            return valid;
-        }
-
-        private static string SanitizeConnectionString(string connectionString)
-        {
-            if (string.IsNullOrWhiteSpace(connectionString))
-                return "(empty)";
-            try
-            {
-                var builder = new SqlConnectionStringBuilder(connectionString);
-                if (!string.IsNullOrEmpty(builder.Password))
-                    builder.Password = "********";
-                return builder.ConnectionString;
-            }
-            catch
-            {
-                return "(unparseable)";
-            }
-        }
-    }
-}

src/ZB.MOM.WW.OtOpcUa.Host/Configuration/DashboardConfiguration.cs

@@ -1,23 +0,0 @@
-namespace ZB.MOM.WW.OtOpcUa.Host.Configuration
-{
-    /// <summary>
-    ///     Status dashboard configuration. (SVC-003, DASH-001)
-    /// </summary>
-    public class DashboardConfiguration
-    {
-        /// <summary>
-        ///     Gets or sets a value indicating whether the operator dashboard is hosted alongside the OPC UA service.
-        /// </summary>
-        public bool Enabled { get; set; } = true;
-
-        /// <summary>
-        ///     Gets or sets the HTTP port used by the dashboard endpoint that exposes service health and rebuild state.
-        /// </summary>
-        public int Port { get; set; } = 8081;
-
-        /// <summary>
-        ///     Gets or sets the refresh interval, in seconds, for recalculating the dashboard status snapshot.
-        /// </summary>
-        public int RefreshIntervalSeconds { get; set; } = 10;
-    }
-}

src/ZB.MOM.WW.OtOpcUa.Host/Configuration/GalaxyRepositoryConfiguration.cs

@@ -1,42 +0,0 @@
-namespace ZB.MOM.WW.OtOpcUa.Host.Configuration
-{
-    /// <summary>
-    ///     Galaxy repository database configuration. (SVC-003, GR-005)
-    /// </summary>
-    public class GalaxyRepositoryConfiguration
-    {
-        /// <summary>
-        ///     Gets or sets the database connection string used to read Galaxy hierarchy and attribute metadata.
-        /// </summary>
-        public string ConnectionString { get; set; } = "Server=localhost;Database=ZB;Integrated Security=true;";
-
-        /// <summary>
-        ///     Gets or sets how often, in seconds, the service polls for Galaxy deploy changes that require an address-space
-        ///     rebuild.
-        /// </summary>
-        public int ChangeDetectionIntervalSeconds { get; set; } = 30;
-
-        /// <summary>
-        ///     Gets or sets the SQL command timeout, in seconds, for repository queries against the Galaxy catalog.
-        /// </summary>
-        public int CommandTimeoutSeconds { get; set; } = 30;
-
-        /// <summary>
-        ///     Gets or sets a value indicating whether extended Galaxy attribute metadata should be loaded into the OPC UA model.
-        /// </summary>
-        public bool ExtendedAttributes { get; set; } = false;
-
-        /// <summary>
-        ///     Gets or sets the scope of Galaxy objects loaded into the OPC UA address space.
-        ///     <c>Galaxy</c> loads all deployed objects (default). <c>LocalPlatform</c> loads only
-        ///     objects hosted by the platform deployed on this machine.
-        /// </summary>
-        public GalaxyScope Scope { get; set; } = GalaxyScope.Galaxy;
-
-        /// <summary>
-        ///     Gets or sets an explicit platform node name for <see cref="GalaxyScope.LocalPlatform" /> filtering.
-        ///     When <see langword="null" />, the local machine name (<c>Environment.MachineName</c>) is used.
-        /// </summary>
-        public string? PlatformName { get; set; }
-    }
-}

src/ZB.MOM.WW.OtOpcUa.Host/Configuration/GalaxyScope.cs

@@ -1,18 +0,0 @@
-namespace ZB.MOM.WW.OtOpcUa.Host.Configuration
-{
-    /// <summary>
-    ///     Controls how much of the Galaxy object hierarchy is loaded into the OPC UA address space.
-    /// </summary>
-    public enum GalaxyScope
-    {
-        /// <summary>
-        ///     Load all deployed objects from the entire Galaxy (default, backward-compatible behavior).
-        /// </summary>
-        Galaxy,
-
-        /// <summary>
-        ///     Load only objects hosted by the local platform and the structural areas needed to reach them.
-        /// </summary>
-        LocalPlatform
-    }
-}

src/ZB.MOM.WW.OtOpcUa.Host/Configuration/HistorianConfiguration.cs

@@ -1,76 +0,0 @@
-using System.Collections.Generic;
-
-namespace ZB.MOM.WW.OtOpcUa.Host.Configuration
-{
-    /// <summary>
-    ///     Wonderware Historian SDK configuration for OPC UA historical data access.
-    /// </summary>
-    public class HistorianConfiguration
-    {
-        /// <summary>
-        ///     Gets or sets a value indicating whether OPC UA historical data access is enabled.
-        /// </summary>
-        public bool Enabled { get; set; } = false;
-
-        /// <summary>
-        ///     Gets or sets the single Historian server hostname used when <see cref="ServerNames"/>
-        ///     is empty. Preserved for backward compatibility with pre-cluster deployments.
-        /// </summary>
-        public string ServerName { get; set; } = "localhost";
-
-        /// <summary>
-        ///     Gets or sets the ordered list of Historian cluster nodes. When non-empty, this list
-        ///     supersedes <see cref="ServerName"/>: the data source attempts each node in order on
-        ///     connect, falling through to the next on failure. A failed node is placed in cooldown
-        ///     for <see cref="FailureCooldownSeconds"/> before being re-eligible.
-        /// </summary>
-        public List<string> ServerNames { get; set; } = new();
-
-        /// <summary>
-        ///     Gets or sets the cooldown window, in seconds, that a historian node is skipped after
-        ///     a connection failure. A value of zero retries the node on every request. Default 60s.
-        /// </summary>
-        public int FailureCooldownSeconds { get; set; } = 60;
-
-        /// <summary>
-        ///     Gets or sets a value indicating whether Windows Integrated Security is used.
-        ///     When false, <see cref="UserName"/> and <see cref="Password"/> are used instead.
-        /// </summary>
-        public bool IntegratedSecurity { get; set; } = true;
-
-        /// <summary>
-        ///     Gets or sets the username for Historian authentication when <see cref="IntegratedSecurity"/> is false.
-        /// </summary>
-        public string? UserName { get; set; }
-
-        /// <summary>
-        ///     Gets or sets the password for Historian authentication when <see cref="IntegratedSecurity"/> is false.
-        /// </summary>
-        public string? Password { get; set; }
-
-        /// <summary>
-        ///     Gets or sets the Historian server TCP port.
-        /// </summary>
-        public int Port { get; set; } = 32568;
-
-        /// <summary>
-        ///     Gets or sets the packet timeout in seconds for Historian SDK operations.
-        /// </summary>
-        public int CommandTimeoutSeconds { get; set; } = 30;
-
-        /// <summary>
-        ///     Gets or sets the maximum number of values returned per HistoryRead request.
-        /// </summary>
-        public int MaxValuesPerRead { get; set; } = 10000;
-
-        /// <summary>
-        ///     Gets or sets an outer safety timeout, in seconds, applied to sync-over-async Historian
-        ///     operations invoked from the OPC UA stack thread (HistoryReadRaw, HistoryReadProcessed,
-        ///     HistoryReadAtTime, HistoryReadEvents). This is a backstop for the case where a
-        ///     historian query hangs outside <see cref="CommandTimeoutSeconds"/> — e.g., a slow SDK
-        ///     reconnect or mid-failover cluster node. Must be comfortably larger than
-        ///     <see cref="CommandTimeoutSeconds"/> so normal operation is never affected. Default 60s.
-        /// </summary>
-        public int RequestTimeoutSeconds { get; set; } = 60;
-    }
-}

src/ZB.MOM.WW.OtOpcUa.Host/Configuration/LdapConfiguration.cs

@@ -1,75 +0,0 @@
-namespace ZB.MOM.WW.OtOpcUa.Host.Configuration
-{
-    /// <summary>
-    ///     LDAP authentication and group-to-role mapping settings.
-    /// </summary>
-    public class LdapConfiguration
-    {
-        /// <summary>
-        ///     Gets or sets whether LDAP authentication is enabled.
-        ///     When true, user credentials are validated against the configured LDAP server
-        ///     and group membership determines OPC UA permissions.
-        /// </summary>
-        public bool Enabled { get; set; } = false;
-
-        /// <summary>
-        ///     Gets or sets the LDAP server hostname or IP address.
-        /// </summary>
-        public string Host { get; set; } = "localhost";
-
-        /// <summary>
-        ///     Gets or sets the LDAP server port.
-        /// </summary>
-        public int Port { get; set; } = 3893;
-
-        /// <summary>
-        ///     Gets or sets the base DN for LDAP operations.
-        /// </summary>
-        public string BaseDN { get; set; } = "dc=lmxopcua,dc=local";
-
-        /// <summary>
-        ///     Gets or sets the bind DN template. Use {username} as a placeholder.
-        /// </summary>
-        public string BindDnTemplate { get; set; } = "cn={username},dc=lmxopcua,dc=local";
-
-        /// <summary>
-        ///     Gets or sets the service account DN used for LDAP searches (group lookups).
-        /// </summary>
-        public string ServiceAccountDn { get; set; } = "";
-
-        /// <summary>
-        ///     Gets or sets the service account password.
-        /// </summary>
-        public string ServiceAccountPassword { get; set; } = "";
-
-        /// <summary>
-        ///     Gets or sets the LDAP connection timeout in seconds.
-        /// </summary>
-        public int TimeoutSeconds { get; set; } = 5;
-
-        /// <summary>
-        ///     Gets or sets the LDAP group name that grants read-only access.
-        /// </summary>
-        public string ReadOnlyGroup { get; set; } = "ReadOnly";
-
-        /// <summary>
-        ///     Gets or sets the LDAP group name that grants write access for FreeAccess/Operate attributes.
-        /// </summary>
-        public string WriteOperateGroup { get; set; } = "WriteOperate";
-
-        /// <summary>
-        ///     Gets or sets the LDAP group name that grants write access for Tune attributes.
-        /// </summary>
-        public string WriteTuneGroup { get; set; } = "WriteTune";
-
-        /// <summary>
-        ///     Gets or sets the LDAP group name that grants write access for Configure attributes.
-        /// </summary>
-        public string WriteConfigureGroup { get; set; } = "WriteConfigure";
-
-        /// <summary>
-        ///     Gets or sets the LDAP group name that grants alarm acknowledgment access.
-        /// </summary>
-        public string AlarmAckGroup { get; set; } = "AlarmAck";
-    }
-}

src/ZB.MOM.WW.OtOpcUa.Host/Configuration/MxAccessConfiguration.cs

@@ -1,86 +0,0 @@
-namespace ZB.MOM.WW.OtOpcUa.Host.Configuration
-{
-    /// <summary>
-    ///     MXAccess client configuration. (SVC-003, MXA-008, MXA-009)
-    /// </summary>
-    public class MxAccessConfiguration
-    {
-        /// <summary>
-        ///     Gets or sets the client name registered with the MXAccess runtime for this bridge instance.
-        /// </summary>
-        public string ClientName { get; set; } = "LmxOpcUa";
-
-        /// <summary>
-        ///     Gets or sets the Galaxy node name to target when the service connects to a specific runtime node.
-        /// </summary>
-        public string? NodeName { get; set; }
-
-        /// <summary>
-        ///     Gets or sets the Galaxy name used when resolving MXAccess references and diagnostics.
-        /// </summary>
-        public string? GalaxyName { get; set; }
-
-        /// <summary>
-        ///     Gets or sets the maximum time, in seconds, to wait for a live tag read to complete.
-        /// </summary>
-        public int ReadTimeoutSeconds { get; set; } = 5;
-
-        /// <summary>
-        ///     Gets or sets the maximum time, in seconds, to wait for a tag write acknowledgment from the runtime.
-        /// </summary>
-        public int WriteTimeoutSeconds { get; set; } = 5;
-
-        /// <summary>
-        ///     Gets or sets an outer safety timeout, in seconds, applied to sync-over-async MxAccess
-        ///     operations invoked from the OPC UA stack thread (Read, Write, address-space rebuild probe
-        ///     sync). This is a backstop for the case where an async path hangs outside the inner
-        ///     <see cref="ReadTimeoutSeconds"/> / <see cref="WriteTimeoutSeconds"/> bounds — e.g., a
-        ///     slow reconnect or a scheduler stall. Must be comfortably larger than the inner timeouts
-        ///     so normal operation is never affected. Default 30s.
-        /// </summary>
-        public int RequestTimeoutSeconds { get; set; } = 30;
-
-        /// <summary>
-        ///     Gets or sets the cap on concurrent MXAccess operations so the bridge does not overload the runtime.
-        /// </summary>
-        public int MaxConcurrentOperations { get; set; } = 10;
-
-        /// <summary>
-        ///     Gets or sets how often, in seconds, the connectivity monitor probes the runtime connection.
-        /// </summary>
-        public int MonitorIntervalSeconds { get; set; } = 5;
-
-        /// <summary>
-        ///     Gets or sets a value indicating whether the bridge should automatically attempt to re-establish a dropped MXAccess
-        ///     session.
-        /// </summary>
-        public bool AutoReconnect { get; set; } = true;
-
-        /// <summary>
-        ///     Gets or sets the optional probe tag used to verify that the MXAccess runtime is still returning fresh data.
-        /// </summary>
-        public string? ProbeTag { get; set; }
-
-        /// <summary>
-        ///     Gets or sets the number of seconds a probe value may remain unchanged before the connection is considered stale.
-        /// </summary>
-        public int ProbeStaleThresholdSeconds { get; set; } = 60;
-
-        /// <summary>
-        ///     Gets or sets a value indicating whether the bridge advises <c>&lt;ObjectName&gt;.ScanState</c> for every
-        ///     deployed <c>$WinPlatform</c> and <c>$AppEngine</c>, reporting per-host runtime state on the status
-        ///     dashboard and proactively invalidating OPC UA variable quality when a host transitions to Stopped.
-        ///     Enabled by default. Disable to return to legacy behavior where host runtime state is invisible and
-        ///     MxAccess's per-tag bad-quality fan-out is the only stop signal.
-        /// </summary>
-        public bool RuntimeStatusProbesEnabled { get; set; } = true;
-
-        /// <summary>
-        ///     Gets or sets the maximum seconds to wait for the initial probe callback before marking a host as
-        ///     Stopped. Only applies to the Unknown → Stopped transition. Because <c>ScanState</c> is delivered
-        ///     on-change only, a stably Running host does not time out — no starvation check runs on Running
-        ///     entries. Default 15s.
-        /// </summary>
-        public int RuntimeStatusUnknownTimeoutSeconds { get; set; } = 15;
-    }
-}

src/ZB.MOM.WW.OtOpcUa.Host/Configuration/OpcUaConfiguration.cs

@@ -1,64 +0,0 @@
-namespace ZB.MOM.WW.OtOpcUa.Host.Configuration
-{
-    /// <summary>
-    ///     OPC UA server configuration. (SVC-003, OPC-001, OPC-012, OPC-013)
-    /// </summary>
-    public class OpcUaConfiguration
-    {
-        /// <summary>
-        ///     Gets or sets the IP address or hostname the OPC UA server binds to.
-        ///     Defaults to <c>0.0.0.0</c> (all interfaces). Set to a specific IP or hostname to restrict listening.
-        /// </summary>
-        public string BindAddress { get; set; } = "0.0.0.0";
-
-        /// <summary>
-        ///     Gets or sets the TCP port on which the OPC UA server listens for client sessions.
-        /// </summary>
-        public int Port { get; set; } = 4840;
-
-        /// <summary>
-        ///     Gets or sets the endpoint path appended to the host URI for the LMX OPC UA server.
-        /// </summary>
-        public string EndpointPath { get; set; } = "/LmxOpcUa";
-
-        /// <summary>
-        ///     Gets or sets the server name presented to OPC UA clients and used in diagnostics.
-        /// </summary>
-        public string ServerName { get; set; } = "LmxOpcUa";
-
-        /// <summary>
-        ///     Gets or sets the Galaxy name represented by the published OPC UA namespace.
-        /// </summary>
-        public string GalaxyName { get; set; } = "ZB";
-
-        /// <summary>
-        ///     Gets or sets the explicit application URI for this server instance.
-        ///     When <see langword="null" />, defaults to <c>urn:{GalaxyName}:LmxOpcUa</c>.
-        ///     Must be set to a unique value per instance when redundancy is enabled.
-        /// </summary>
-        public string? ApplicationUri { get; set; }
-
-        /// <summary>
-        ///     Gets or sets the maximum number of simultaneous OPC UA sessions accepted by the host.
-        /// </summary>
-        public int MaxSessions { get; set; } = 100;
-
-        /// <summary>
-        ///     Gets or sets the session timeout, in minutes, before idle client sessions are closed.
-        /// </summary>
-        public int SessionTimeoutMinutes { get; set; } = 30;
-
-        /// <summary>
-        ///     Gets or sets a value indicating whether alarm tracking is enabled.
-        ///     When enabled, AlarmConditionState nodes are created for alarm attributes and InAlarm transitions are monitored.
-        /// </summary>
-        public bool AlarmTrackingEnabled { get; set; } = false;
-
-        /// <summary>
-        ///     Gets or sets the template-based alarm object filter. When <see cref="AlarmFilterConfiguration.ObjectFilters"/>
-        ///     is empty, all alarm-bearing objects are monitored (current behavior). When patterns are supplied, only
-        ///     objects whose template derivation chain matches a pattern (and their descendants) have alarms monitored.
-        /// </summary>
-        public AlarmFilterConfiguration AlarmFilter { get; set; } = new();
-    }
-}

src/ZB.MOM.WW.OtOpcUa.Host/Configuration/RedundancyConfiguration.cs

@@ -1,41 +0,0 @@
-using System.Collections.Generic;
-
-namespace ZB.MOM.WW.OtOpcUa.Host.Configuration
-{
-    /// <summary>
-    ///     Non-transparent redundancy settings that control how the server advertises itself
-    ///     within a redundant pair and computes its dynamic ServiceLevel.
-    /// </summary>
-    public class RedundancyConfiguration
-    {
-        /// <summary>
-        ///     Gets or sets whether redundancy is enabled. When <see langword="false" /> (default),
-        ///     the server reports <c>RedundancySupport.None</c> and <c>ServiceLevel = 255</c>.
-        /// </summary>
-        public bool Enabled { get; set; } = false;
-
-        /// <summary>
-        ///     Gets or sets the redundancy mode. Valid values: <c>Warm</c>, <c>Hot</c>.
-        /// </summary>
-        public string Mode { get; set; } = "Warm";
-
-        /// <summary>
-        ///     Gets or sets the role of this instance. Valid values: <c>Primary</c>, <c>Secondary</c>.
-        ///     The primary advertises a higher ServiceLevel than the secondary when both are healthy.
-        /// </summary>
-        public string Role { get; set; } = "Primary";
-
-        /// <summary>
-        ///     Gets or sets the ApplicationUri values for all servers in the redundant set.
-        ///     Must include this instance's own <c>OpcUa.ApplicationUri</c>.
-        /// </summary>
-        public List<string> ServerUris { get; set; } = new();
-
-        /// <summary>
-        ///     Gets or sets the base ServiceLevel when the server is fully healthy.
-        ///     The secondary automatically receives <c>ServiceLevelBase - 50</c>.
-        ///     Valid range: 1-255.
-        /// </summary>
-        public int ServiceLevelBase { get; set; } = 200;
-    }
-}

src/ZB.MOM.WW.OtOpcUa.Host/Configuration/SecurityProfileConfiguration.cs

@@ -1,52 +0,0 @@
-using System.Collections.Generic;
-
-namespace ZB.MOM.WW.OtOpcUa.Host.Configuration
-{
-    /// <summary>
-    ///     Transport security settings that control which OPC UA security profiles the server exposes and how client
-    ///     certificates are handled.
-    /// </summary>
-    public class SecurityProfileConfiguration
-    {
-        /// <summary>
-        ///     Gets or sets the list of security profile names to expose as server endpoints.
-        ///     Valid values: "None", "Basic256Sha256-Sign", "Basic256Sha256-SignAndEncrypt".
-        ///     Defaults to ["None"] for backward compatibility.
-        /// </summary>
-        public List<string> Profiles { get; set; } = new() { "None" };
-
-        /// <summary>
-        ///     Gets or sets a value indicating whether the server automatically accepts client certificates
-        ///     that are not in the trusted store. Should be <see langword="false" /> in production.
-        /// </summary>
-        public bool AutoAcceptClientCertificates { get; set; } = true;
-
-        /// <summary>
-        ///     Gets or sets a value indicating whether client certificates signed with SHA-1 are rejected.
-        /// </summary>
-        public bool RejectSHA1Certificates { get; set; } = true;
-
-        /// <summary>
-        ///     Gets or sets the minimum RSA key size required for client certificates.
-        /// </summary>
-        public int MinimumCertificateKeySize { get; set; } = 2048;
-
-        /// <summary>
-        ///     Gets or sets an optional override for the PKI root directory.
-        ///     When <see langword="null" />, defaults to <c>%LOCALAPPDATA%\OPC Foundation\pki</c>.
-        /// </summary>
-        public string? PkiRootPath { get; set; }
-
-        /// <summary>
-        ///     Gets or sets an optional override for the server certificate subject name.
-        ///     When <see langword="null" />, defaults to <c>CN={ServerName}, O=ZB MOM, DC=localhost</c>.
-        /// </summary>
-        public string? CertificateSubject { get; set; }
-
-        /// <summary>
-        ///     Gets or sets the lifetime of the auto-generated server certificate in months.
-        ///     Defaults to 60 months (5 years).
-        /// </summary>
-        public int CertificateLifetimeMonths { get; set; } = 60;
-    }
-}

src/ZB.MOM.WW.OtOpcUa.Host/Domain/AlarmObjectFilter.cs

@@ -1,215 +0,0 @@
-using System;
-using System.Collections.Generic;
-using System.Linq;
-using System.Text.RegularExpressions;
-using Serilog;
-using ZB.MOM.WW.OtOpcUa.Host.Configuration;
-
-namespace ZB.MOM.WW.OtOpcUa.Host.Domain
-{
-    /// <summary>
-    ///     Compiles and applies wildcard template patterns against Galaxy objects to decide which
-    ///     objects should contribute alarm conditions. The filter is pure data — no OPC UA, no DB —
-    ///     so it is fully unit-testable with synthetic hierarchies.
-    /// </summary>
-    /// <remarks>
-    ///     <para>Matching rules:</para>
-    ///     <list type="bullet">
-    ///         <item>An object is included when any template name in its derivation chain matches
-    ///         any configured pattern.</item>
-    ///         <item>Matching is case-insensitive and ignores the Galaxy leading <c>$</c> prefix on
-    ///         both the chain entry and the user pattern, so <c>TestMachine*</c> matches the stored
-    ///         <c>$TestMachine</c>.</item>
-    ///         <item>Inclusion propagates to every descendant of a matched object (containment subtree).</item>
-    ///         <item>Each object is evaluated once — overlapping matches never produce duplicate
-    ///         inclusions (set semantics).</item>
-    ///     </list>
-    ///     <para>Pattern syntax: literal text plus <c>*</c> wildcards (zero or more characters).
-    ///     Other regex metacharacters in the raw pattern are escaped and treated literally.</para>
-    /// </remarks>
-    public class AlarmObjectFilter
-    {
-        private static readonly ILogger Log = Serilog.Log.ForContext<AlarmObjectFilter>();
-
-        private readonly List<Regex> _patterns;
-        private readonly List<string> _rawPatterns;
-        private readonly HashSet<string> _matchedRawPatterns;
-
-        /// <summary>
-        ///     Initializes a new alarm object filter from the supplied configuration section.
-        /// </summary>
-        /// <param name="config">The alarm filter configuration whose <see cref="AlarmFilterConfiguration.ObjectFilters"/>
-        ///     entries are parsed into regular expressions. Entries may themselves contain comma-separated patterns.</param>
-        public AlarmObjectFilter(AlarmFilterConfiguration? config)
-        {
-            _patterns = new List<Regex>();
-            _rawPatterns = new List<string>();
-            _matchedRawPatterns = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
-
-            if (config?.ObjectFilters == null)
-                return;
-
-            foreach (var entry in config.ObjectFilters)
-            {
-                if (string.IsNullOrWhiteSpace(entry))
-                    continue;
-
-                foreach (var piece in entry.Split(','))
-                {
-                    var trimmed = piece.Trim();
-                    if (trimmed.Length == 0)
-                        continue;
-
-                    try
-                    {
-                        var normalized = Normalize(trimmed);
-                        var regex = GlobToRegex(normalized);
-                        _patterns.Add(regex);
-                        _rawPatterns.Add(trimmed);
-                    }
-                    catch (Exception ex)
-                    {
-                        Log.Warning(ex, "Failed to compile alarm filter pattern {Pattern} — skipping", trimmed);
-                    }
-                }
-            }
-        }
-
-        /// <summary>
-        ///     Gets a value indicating whether the filter has any compiled patterns. When <see langword="false"/>,
-        ///     callers should treat alarm tracking as unfiltered (current behavior preserved).
-        /// </summary>
-        public bool Enabled => _patterns.Count > 0;
-
-        /// <summary>
-        ///     Gets the number of compiled patterns the filter will evaluate against each object.
-        /// </summary>
-        public int PatternCount => _patterns.Count;
-
-        /// <summary>
-        ///     Gets the raw pattern strings that did not match any object in the most recent call to
-        ///     <see cref="ResolveIncludedObjects"/>. Useful for startup warnings about operator typos.
-        /// </summary>
-        public IReadOnlyList<string> UnmatchedPatterns =>
-            _rawPatterns.Where(p => !_matchedRawPatterns.Contains(p)).ToList();
-
-        /// <summary>
-        ///     Gets the raw pattern strings exactly as supplied by the operator after comma-splitting
-        ///     and trimming. Surfaced on the status dashboard so operators can confirm the active filter.
-        /// </summary>
-        public IReadOnlyList<string> RawPatterns => _rawPatterns;
-
-        /// <summary>
-        ///     Returns <see langword="true"/> when any template name in <paramref name="chain"/> matches any
-        ///     compiled pattern. An empty chain never matches unless the operator explicitly supplied a pattern
-        ///     equal to <c>*</c> (which collapses to an empty-matching regex after normalization).
-        /// </summary>
-        /// <param name="chain">The template derivation chain to test (own template first, ancestors after).</param>
-        public bool MatchesTemplateChain(IReadOnlyList<string>? chain)
-        {
-            if (chain == null || chain.Count == 0 || _patterns.Count == 0)
-                return false;
-
-            for (var i = 0; i < _patterns.Count; i++)
-            {
-                var regex = _patterns[i];
-                for (var j = 0; j < chain.Count; j++)
-                {
-                    var entry = chain[j];
-                    if (string.IsNullOrEmpty(entry))
-                        continue;
-                    if (regex.IsMatch(Normalize(entry)))
-                    {
-                        _matchedRawPatterns.Add(_rawPatterns[i]);
-                        return true;
-                    }
-                }
-            }
-
-            return false;
-        }
-
-        /// <summary>
-        ///     Walks the hierarchy top-down from each root and returns the set of gobject IDs whose alarms
-        ///     should be monitored, honoring both template matching and descendant propagation. Returns
-        ///     <see langword="null"/> when the filter is disabled so callers can skip the containment check
-        ///     entirely.
-        /// </summary>
-        /// <param name="hierarchy">The full deployed Galaxy hierarchy, as returned by the repository service.</param>
-        /// <returns>The set of included gobject IDs, or <see langword="null"/> when filtering is disabled.</returns>
-        public HashSet<int>? ResolveIncludedObjects(IReadOnlyList<GalaxyObjectInfo>? hierarchy)
-        {
-            if (!Enabled)
-                return null;
-
-            _matchedRawPatterns.Clear();
-            var included = new HashSet<int>();
-            if (hierarchy == null || hierarchy.Count == 0)
-                return included;
-
-            var byId = new Dictionary<int, GalaxyObjectInfo>(hierarchy.Count);
-            foreach (var obj in hierarchy)
-                byId[obj.GobjectId] = obj;
-
-            var childrenByParent = new Dictionary<int, List<int>>();
-            foreach (var obj in hierarchy)
-            {
-                var parentId = obj.ParentGobjectId;
-                if (parentId != 0 && !byId.ContainsKey(parentId))
-                    parentId = 0; // orphan → treat as root
-                if (!childrenByParent.TryGetValue(parentId, out var list))
-                {
-                    list = new List<int>();
-                    childrenByParent[parentId] = list;
-                }
-                list.Add(obj.GobjectId);
-            }
-
-            var roots = childrenByParent.TryGetValue(0, out var rootList)
-                ? rootList
-                : new List<int>();
-
-            var visited = new HashSet<int>();
-            var queue = new Queue<(int Id, bool ParentIncluded)>();
-            foreach (var rootId in roots)
-                queue.Enqueue((rootId, false));
-
-            while (queue.Count > 0)
-            {
-                var (id, parentIncluded) = queue.Dequeue();
-                if (!visited.Add(id))
-                    continue; // cycle defense
-
-                if (!byId.TryGetValue(id, out var obj))
-                    continue;
-
-                var nodeIncluded = parentIncluded || MatchesTemplateChain(obj.TemplateChain);
-                if (nodeIncluded)
-                    included.Add(id);
-
-                if (childrenByParent.TryGetValue(id, out var children))
-                    foreach (var childId in children)
-                        queue.Enqueue((childId, nodeIncluded));
-            }
-
-            return included;
-        }
-
-        private static Regex GlobToRegex(string normalized)
-        {
-            var segments = normalized.Split('*');
-            var parts = segments.Select(Regex.Escape);
-            var body = string.Join(".*", parts);
-            return new Regex("^" + body + "$",
-                RegexOptions.IgnoreCase | RegexOptions.CultureInvariant | RegexOptions.Compiled);
-        }
-
-        private static string Normalize(string value)
-        {
-            var trimmed = value.Trim();
-            if (trimmed.StartsWith("$", StringComparison.Ordinal))
-                return trimmed.Substring(1);
-            return trimmed;
-        }
-    }
-}

src/ZB.MOM.WW.OtOpcUa.Host/Domain/ConnectionState.cs

@@ -1,38 +0,0 @@
-namespace ZB.MOM.WW.OtOpcUa.Host.Domain
-{
-    /// <summary>
-    ///     MXAccess connection lifecycle states. (MXA-002)
-    /// </summary>
-    public enum ConnectionState
-    {
-        /// <summary>
-        ///     No active session exists to the Galaxy runtime.
-        /// </summary>
-        Disconnected,
-
-        /// <summary>
-        ///     The bridge is opening a new MXAccess session to the runtime.
-        /// </summary>
-        Connecting,
-
-        /// <summary>
-        ///     The bridge has an active MXAccess session and can service reads, writes, and subscriptions.
-        /// </summary>
-        Connected,
-
-        /// <summary>
-        ///     The bridge is closing the current MXAccess session and draining runtime resources.
-        /// </summary>
-        Disconnecting,
-
-        /// <summary>
-        ///     The bridge detected a connection fault that requires operator attention or recovery logic.
-        /// </summary>
-        Error,
-
-        /// <summary>
-        ///     The bridge is attempting to restore service after a runtime communication failure.
-        /// </summary>
-        Reconnecting
-    }
-}

src/ZB.MOM.WW.OtOpcUa.Host/Domain/ConnectionStateChangedEventArgs.cs

@@ -1,38 +0,0 @@
-using System;
-
-namespace ZB.MOM.WW.OtOpcUa.Host.Domain
-{
-    /// <summary>
-    ///     Event args for connection state transitions. (MXA-002)
-    /// </summary>
-    public class ConnectionStateChangedEventArgs : EventArgs
-    {
-        /// <summary>
-        ///     Initializes a new instance of the <see cref="ConnectionStateChangedEventArgs" /> class.
-        /// </summary>
-        /// <param name="previous">The connection state being exited.</param>
-        /// <param name="current">The connection state being entered.</param>
-        /// <param name="message">Additional context about the transition, such as a connection fault or reconnect attempt.</param>
-        public ConnectionStateChangedEventArgs(ConnectionState previous, ConnectionState current, string message = "")
-        {
-            PreviousState = previous;
-            CurrentState = current;
-            Message = message ?? "";
-        }
-
-        /// <summary>
-        ///     Gets the previous MXAccess connection state before the transition was raised.
-        /// </summary>
-        public ConnectionState PreviousState { get; }
-
-        /// <summary>
-        ///     Gets the new MXAccess connection state that the bridge moved into.
-        /// </summary>
-        public ConnectionState CurrentState { get; }
-
-        /// <summary>
-        ///     Gets an operator-facing message that explains why the connection state changed.
-        /// </summary>
-        public string Message { get; }
-    }
-}

src/ZB.MOM.WW.OtOpcUa.Host/Domain/GalaxyAttributeInfo.cs

@@ -1,76 +0,0 @@
-namespace ZB.MOM.WW.OtOpcUa.Host.Domain
-{
-    /// <summary>
-    ///     DTO matching attributes.sql result columns. (GR-002)
-    /// </summary>
-    public class GalaxyAttributeInfo
-    {
-        /// <summary>
-        ///     Gets or sets the Galaxy object identifier that owns the attribute.
-        /// </summary>
-        public int GobjectId { get; set; }
-
-        /// <summary>
-        ///     Gets or sets the Wonderware tag name used to associate the attribute with its runtime object.
-        /// </summary>
-        public string TagName { get; set; } = "";
-
-        /// <summary>
-        ///     Gets or sets the attribute name as defined on the Galaxy template or instance.
-        /// </summary>
-        public string AttributeName { get; set; } = "";
-
-        /// <summary>
-        ///     Gets or sets the fully qualified MXAccess reference used for runtime reads and writes.
-        /// </summary>
-        public string FullTagReference { get; set; } = "";
-
-        /// <summary>
-        ///     Gets or sets the numeric Galaxy data type code used to map the attribute into OPC UA.
-        /// </summary>
-        public int MxDataType { get; set; }
-
-        /// <summary>
-        ///     Gets or sets the human-readable Galaxy data type name returned by the repository query.
-        /// </summary>
-        public string DataTypeName { get; set; } = "";
-
-        /// <summary>
-        ///     Gets or sets a value indicating whether the attribute is an array and should be exposed as a collection node.
-        /// </summary>
-        public bool IsArray { get; set; }
-
-        /// <summary>
-        ///     Gets or sets the array length when the Galaxy attribute is modeled as a fixed-size array.
-        /// </summary>
-        public int? ArrayDimension { get; set; }
-
-        /// <summary>
-        ///     Gets or sets the primitive data type name used when flattening the attribute for OPC UA clients.
-        /// </summary>
-        public string PrimitiveName { get; set; } = "";
-
-        /// <summary>
-        ///     Gets or sets the source classification that explains whether the attribute comes from configuration, calculation,
-        ///     or runtime data.
-        /// </summary>
-        public string AttributeSource { get; set; } = "";
-
-        /// <summary>
-        ///     Gets or sets the Galaxy security classification that determines OPC UA write access.
-        ///     0=FreeAccess, 1=Operate (default), 2=SecuredWrite, 3=VerifiedWrite, 4=Tune, 5=Configure, 6=ViewOnly.
-        /// </summary>
-        public int SecurityClassification { get; set; } = 1;
-
-        /// <summary>
-        ///     Gets or sets a value indicating whether the attribute has a HistoryExtension primitive and is historized by the
-        ///     Wonderware Historian.
-        /// </summary>
-        public bool IsHistorized { get; set; }
-
-        /// <summary>
-        ///     Gets or sets a value indicating whether the attribute has an AlarmExtension primitive and is an alarm.
-        /// </summary>
-        public bool IsAlarm { get; set; }
-    }
-}

src/ZB.MOM.WW.OtOpcUa.Host/Domain/GalaxyObjectInfo.cs

@@ -1,64 +0,0 @@
-using System.Collections.Generic;
-
-namespace ZB.MOM.WW.OtOpcUa.Host.Domain
-{
-    /// <summary>
-    ///     DTO matching hierarchy.sql result columns. (GR-001)
-    /// </summary>
-    public class GalaxyObjectInfo
-    {
-        /// <summary>
-        ///     Gets or sets the Galaxy object identifier used to connect hierarchy rows to attribute rows.
-        /// </summary>
-        public int GobjectId { get; set; }
-
-        /// <summary>
-        ///     Gets or sets the runtime tag name for the Galaxy object represented in the OPC UA tree.
-        /// </summary>
-        public string TagName { get; set; } = "";
-
-        /// <summary>
-        ///     Gets or sets the contained name shown for the object inside its parent area or object.
-        /// </summary>
-        public string ContainedName { get; set; } = "";
-
-        /// <summary>
-        ///     Gets or sets the browse name emitted into OPC UA so clients can navigate the Galaxy hierarchy.
-        /// </summary>
-        public string BrowseName { get; set; } = "";
-
-        /// <summary>
-        ///     Gets or sets the parent Galaxy object identifier that establishes the hierarchy relationship.
-        /// </summary>
-        public int ParentGobjectId { get; set; }
-
-        /// <summary>
-        ///     Gets or sets a value indicating whether the row represents a Galaxy area rather than a contained object.
-        /// </summary>
-        public bool IsArea { get; set; }
-
-        /// <summary>
-        ///     Gets or sets the template derivation chain for this object. Index 0 is the object's own template;
-        ///     subsequent entries walk up toward the most ancestral template before <c>$Object</c>. Populated by
-        ///     the recursive CTE in <c>hierarchy.sql</c> on <c>gobject.derived_from_gobject_id</c>. Used by
-        ///     <see cref="AlarmObjectFilter"/> to decide whether an object's alarms should be monitored.
-        /// </summary>
-        public List<string> TemplateChain { get; set; } = new();
-
-        /// <summary>
-        ///     Gets or sets the Galaxy template category id for this object. Category 1 is $WinPlatform,
-        ///     3 is $AppEngine, 13 is $Area, 10 is $UserDefined, and so on. Populated from
-        ///     <c>template_definition.category_id</c> by <c>hierarchy.sql</c> and consumed by the runtime
-        ///     status probe manager to identify hosts that should receive a <c>ScanState</c> probe.
-        /// </summary>
-        public int CategoryId { get; set; }
-
-        /// <summary>
-        ///     Gets or sets the Galaxy object id of this object's runtime host, populated from
-        ///     <c>gobject.hosted_by_gobject_id</c>. Walk this chain upward to find the nearest
-        ///     <c>$WinPlatform</c> or <c>$AppEngine</c> ancestor for subtree quality invalidation when
-        ///     a runtime host is reported Stopped. Zero for root objects that have no host.
-        /// </summary>
-        public int HostedByGobjectId { get; set; }
-    }
-}

src/ZB.MOM.WW.OtOpcUa.Host/Domain/GalaxyRuntimeState.cs

@@ -1,29 +0,0 @@
-namespace ZB.MOM.WW.OtOpcUa.Host.Domain
-{
-    /// <summary>
-    ///     Runtime state of a deployed Galaxy runtime host ($WinPlatform or $AppEngine) as
-    ///     observed by the bridge via its <c>ScanState</c> probe.
-    /// </summary>
-    public enum GalaxyRuntimeState
-    {
-        /// <summary>
-        ///     Probe advised but no callback received yet. Transitions to <see cref="Running"/>
-        ///     on the first successful <c>ScanState = true</c> callback, or to <see cref="Stopped"/>
-        ///     once the unknown-resolution timeout elapses.
-        /// </summary>
-        Unknown,
-
-        /// <summary>
-        ///     Last probe callback reported <c>ScanState = true</c> with a successful item status.
-        ///     The host is on scan and executing.
-        /// </summary>
-        Running,
-
-        /// <summary>
-        ///     Last probe callback reported <c>ScanState != true</c>, or a failed item status, or
-        ///     the initial probe never resolved before the unknown timeout elapsed. The host is
-        ///     off scan or unreachable.
-        /// </summary>
-        Stopped
-    }
-}

src/ZB.MOM.WW.OtOpcUa.Host/Domain/GalaxyRuntimeStatus.cs

@@ -1,72 +0,0 @@
-using System;
-
-namespace ZB.MOM.WW.OtOpcUa.Host.Domain
-{
-    /// <summary>
-    ///     Point-in-time runtime state of a single Galaxy runtime host ($WinPlatform or $AppEngine)
-    ///     as tracked by the <c>GalaxyRuntimeProbeManager</c>. Surfaced on the status dashboard and
-    ///     consumed by <c>HealthCheckService</c> so operators can detect a stopped host before
-    ///     downstream clients notice the stale data.
-    /// </summary>
-    public sealed class GalaxyRuntimeStatus
-    {
-        /// <summary>
-        ///     Gets or sets the Galaxy tag_name of the host (e.g., <c>DevPlatform</c> or
-        ///     <c>DevAppEngine</c>).
-        /// </summary>
-        public string ObjectName { get; set; } = "";
-
-        /// <summary>
-        ///     Gets or sets the Galaxy gobject_id of the host.
-        /// </summary>
-        public int GobjectId { get; set; }
-
-        /// <summary>
-        ///     Gets or sets the Galaxy template category name — <c>$WinPlatform</c> or
-        ///     <c>$AppEngine</c>. Used by the dashboard to group hosts by kind.
-        /// </summary>
-        public string Kind { get; set; } = "";
-
-        /// <summary>
-        ///     Gets or sets the current runtime state.
-        /// </summary>
-        public GalaxyRuntimeState State { get; set; }
-
-        /// <summary>
-        ///     Gets or sets the UTC timestamp of the most recent probe callback, whether it
-        ///     reported success or failure. <see langword="null"/> before the first callback.
-        /// </summary>
-        public DateTime? LastStateCallbackTime { get; set; }
-
-        /// <summary>
-        ///     Gets or sets the UTC timestamp of the most recent <see cref="State"/> transition.
-        ///     Backs the dashboard "Since" column. <see langword="null"/> in the initial Unknown
-        ///     state before any transition.
-        /// </summary>
-        public DateTime? LastStateChangeTime { get; set; }
-
-        /// <summary>
-        ///     Gets or sets the last <c>ScanState</c> value received from the probe, or
-        ///     <see langword="null"/> before the first update or when the last callback carried
-        ///     a non-success item status (no value delivered).
-        /// </summary>
-        public bool? LastScanState { get; set; }
-
-        /// <summary>
-        ///     Gets or sets the detail message from the most recent failure callback, cleared on
-        ///     the next successful <c>ScanState = true</c> delivery.
-        /// </summary>
-        public string? LastError { get; set; }
-
-        /// <summary>
-        ///     Gets or sets the cumulative number of callbacks where <c>ScanState = true</c>.
-        /// </summary>
-        public long GoodUpdateCount { get; set; }
-
-        /// <summary>
-        ///     Gets or sets the cumulative number of callbacks where <c>ScanState != true</c>
-        ///     or the item status reported failure.
-        /// </summary>
-        public long FailureCount { get; set; }
-    }
-}

src/ZB.MOM.WW.OtOpcUa.Host/Domain/IGalaxyRepository.cs

@@ -1,46 +0,0 @@
-using System;
-using System.Collections.Generic;
-using System.Threading;
-using System.Threading.Tasks;
-
-namespace ZB.MOM.WW.OtOpcUa.Host.Domain
-{
-    /// <summary>
-    ///     Interface for Galaxy repository database queries. (GR-001 through GR-004)
-    /// </summary>
-    public interface IGalaxyRepository
-    {
-        /// <summary>
-        ///     Retrieves the Galaxy object hierarchy used to construct the OPC UA browse tree.
-        /// </summary>
-        /// <param name="ct">A token that cancels the repository query.</param>
-        /// <returns>A list of Galaxy objects ordered for address-space construction.</returns>
-        Task<List<GalaxyObjectInfo>> GetHierarchyAsync(CancellationToken ct = default);
-
-        /// <summary>
-        ///     Retrieves the Galaxy attributes that become OPC UA variables under the object hierarchy.
-        /// </summary>
-        /// <param name="ct">A token that cancels the repository query.</param>
-        /// <returns>A list of attribute definitions with MXAccess references and type metadata.</returns>
-        Task<List<GalaxyAttributeInfo>> GetAttributesAsync(CancellationToken ct = default);
-
-        /// <summary>
-        ///     Gets the last Galaxy deploy timestamp used to detect metadata changes that require an address-space rebuild.
-        /// </summary>
-        /// <param name="ct">A token that cancels the repository query.</param>
-        /// <returns>The latest deploy timestamp, or <see langword="null" /> when it cannot be determined.</returns>
-        Task<DateTime?> GetLastDeployTimeAsync(CancellationToken ct = default);
-
-        /// <summary>
-        ///     Verifies that the service can reach the Galaxy repository before it attempts to build the address space.
-        /// </summary>
-        /// <param name="ct">A token that cancels the connectivity check.</param>
-        /// <returns><see langword="true" /> when repository access succeeds; otherwise, <see langword="false" />.</returns>
-        Task<bool> TestConnectionAsync(CancellationToken ct = default);
-
-        /// <summary>
-        ///     Occurs when the repository detects a Galaxy deployment change that should trigger an OPC UA rebuild.
-        /// </summary>
-        event Action? OnGalaxyChanged;
-    }
-}

src/ZB.MOM.WW.OtOpcUa.Host/Domain/IMxAccessClient.cs

@@ -1,79 +0,0 @@
-using System;
-using System.Threading;
-using System.Threading.Tasks;
-
-namespace ZB.MOM.WW.OtOpcUa.Host.Domain
-{
-    /// <summary>
-    ///     Abstraction over MXAccess COM client for tag read/write/subscribe operations.
-    ///     (MXA-001 through MXA-009, OPC-007, OPC-008, OPC-009)
-    /// </summary>
-    public interface IMxAccessClient : IDisposable
-    {
-        /// <summary>
-        ///     Gets the current runtime connectivity state for the bridge.
-        /// </summary>
-        ConnectionState State { get; }
-
-        /// <summary>
-        ///     Gets the number of active runtime subscriptions currently being mirrored into OPC UA.
-        /// </summary>
-        int ActiveSubscriptionCount { get; }
-
-        /// <summary>
-        ///     Gets the number of reconnect cycles attempted since the client was created.
-        /// </summary>
-        int ReconnectCount { get; }
-
-        /// <summary>
-        ///     Occurs when the MXAccess session changes state so the host can update diagnostics and retry logic.
-        /// </summary>
-        event EventHandler<ConnectionStateChangedEventArgs>? ConnectionStateChanged;
-
-        /// <summary>
-        ///     Occurs when a subscribed Galaxy attribute publishes a new runtime value.
-        /// </summary>
-        event Action<string, Vtq>? OnTagValueChanged;
-
-        /// <summary>
-        ///     Opens the MXAccess session required for runtime reads, writes, and subscriptions.
-        /// </summary>
-        /// <param name="ct">A token that cancels the connection attempt.</param>
-        Task ConnectAsync(CancellationToken ct = default);
-
-        /// <summary>
-        ///     Closes the MXAccess session and releases runtime resources.
-        /// </summary>
-        Task DisconnectAsync();
-
-        /// <summary>
-        ///     Starts monitoring a Galaxy attribute so value changes can be pushed to OPC UA subscribers.
-        /// </summary>
-        /// <param name="fullTagReference">The fully qualified MXAccess reference for the target attribute.</param>
-        /// <param name="callback">The callback to invoke when the runtime publishes a new value for the attribute.</param>
-        Task SubscribeAsync(string fullTagReference, Action<string, Vtq> callback);
-
-        /// <summary>
-        ///     Stops monitoring a Galaxy attribute when it is no longer needed by the OPC UA layer.
-        /// </summary>
-        /// <param name="fullTagReference">The fully qualified MXAccess reference for the target attribute.</param>
-        Task UnsubscribeAsync(string fullTagReference);
-
-        /// <summary>
-        ///     Reads the current runtime value for a Galaxy attribute.
-        /// </summary>
-        /// <param name="fullTagReference">The fully qualified MXAccess reference for the target attribute.</param>
-        /// <param name="ct">A token that cancels the read.</param>
-        /// <returns>The value, timestamp, and quality returned by the runtime.</returns>
-        Task<Vtq> ReadAsync(string fullTagReference, CancellationToken ct = default);
-
-        /// <summary>
-        ///     Writes a new runtime value to a writable Galaxy attribute.
-        /// </summary>
-        /// <param name="fullTagReference">The fully qualified MXAccess reference for the target attribute.</param>
-        /// <param name="value">The value to write to the runtime.</param>
-        /// <param name="ct">A token that cancels the write.</param>
-        /// <returns><see langword="true" /> when the write is accepted by the runtime; otherwise, <see langword="false" />.</returns>
-        Task<bool> WriteAsync(string fullTagReference, object value, CancellationToken ct = default);
-    }
-}

src/ZB.MOM.WW.OtOpcUa.Host/Domain/IMxProxy.cs

@@ -1,99 +0,0 @@
-using ArchestrA.MxAccess;
-
-namespace ZB.MOM.WW.OtOpcUa.Host.Domain
-{
-    /// <summary>
-    ///     Delegate matching LMXProxyServer.OnDataChange COM event signature.
-    /// </summary>
-    /// <param name="hLMXServerHandle">The runtime connection handle that raised the change.</param>
-    /// <param name="phItemHandle">The runtime item handle for the attribute that changed.</param>
-    /// <param name="pvItemValue">The new raw runtime value for the attribute.</param>
-    /// <param name="pwItemQuality">The OPC DA quality code supplied by the runtime.</param>
-    /// <param name="pftItemTimeStamp">The timestamp object supplied by the runtime for the value.</param>
-    /// <param name="ItemStatus">The MXAccess status payload associated with the callback.</param>
-    public delegate void MxDataChangeHandler(
-        int hLMXServerHandle,
-        int phItemHandle,
-        object pvItemValue,
-        int pwItemQuality,
-        object pftItemTimeStamp,
-        ref MXSTATUS_PROXY[] ItemStatus);
-
-    /// <summary>
-    ///     Delegate matching LMXProxyServer.OnWriteComplete COM event signature.
-    /// </summary>
-    /// <param name="hLMXServerHandle">The runtime connection handle that processed the write.</param>
-    /// <param name="phItemHandle">The runtime item handle that was written.</param>
-    /// <param name="ItemStatus">The MXAccess status payload describing the write outcome.</param>
-    public delegate void MxWriteCompleteHandler(
-        int hLMXServerHandle,
-        int phItemHandle,
-        ref MXSTATUS_PROXY[] ItemStatus);
-
-    /// <summary>
-    ///     Abstraction over LMXProxyServer COM object to enable testing without the COM runtime. (MXA-001)
-    /// </summary>
-    public interface IMxProxy
-    {
-        /// <summary>
-        ///     Registers the bridge as an MXAccess client with the runtime proxy.
-        /// </summary>
-        /// <param name="clientName">The client identity reported to the runtime for diagnostics and session tracking.</param>
-        /// <returns>The runtime connection handle assigned to the client session.</returns>
-        int Register(string clientName);
-
-        /// <summary>
-        ///     Unregisters the bridge from the runtime proxy and releases the connection handle.
-        /// </summary>
-        /// <param name="handle">The connection handle returned by <see cref="Register(string)" />.</param>
-        void Unregister(int handle);
-
-        /// <summary>
-        ///     Adds a Galaxy attribute reference to the active runtime session.
-        /// </summary>
-        /// <param name="handle">The runtime connection handle.</param>
-        /// <param name="address">The fully qualified attribute reference to resolve.</param>
-        /// <returns>The runtime item handle assigned to the attribute.</returns>
-        int AddItem(int handle, string address);
-
-        /// <summary>
-        ///     Removes a previously registered attribute from the runtime session.
-        /// </summary>
-        /// <param name="handle">The runtime connection handle.</param>
-        /// <param name="itemHandle">The item handle returned by <see cref="AddItem(int, string)" />.</param>
-        void RemoveItem(int handle, int itemHandle);
-
-        /// <summary>
-        ///     Starts supervisory updates for an attribute so runtime changes are pushed to the bridge.
-        /// </summary>
-        /// <param name="handle">The runtime connection handle.</param>
-        /// <param name="itemHandle">The item handle to monitor.</param>
-        void AdviseSupervisory(int handle, int itemHandle);
-
-        /// <summary>
-        ///     Stops supervisory updates for an attribute.
-        /// </summary>
-        /// <param name="handle">The runtime connection handle.</param>
-        /// <param name="itemHandle">The item handle to stop monitoring.</param>
-        void UnAdviseSupervisory(int handle, int itemHandle);
-
-        /// <summary>
-        ///     Writes a new value to a runtime attribute through the COM proxy.
-        /// </summary>
-        /// <param name="handle">The runtime connection handle.</param>
-        /// <param name="itemHandle">The item handle to write.</param>
-        /// <param name="value">The new value to push into the runtime.</param>
-        /// <param name="securityClassification">The Wonderware security classification applied to the write.</param>
-        void Write(int handle, int itemHandle, object value, int securityClassification);
-
-        /// <summary>
-        ///     Occurs when the runtime pushes a data-change callback for a subscribed attribute.
-        /// </summary>
-        event MxDataChangeHandler? OnDataChange;
-
-        /// <summary>
-        ///     Occurs when the runtime acknowledges completion of a write request.
-        /// </summary>
-        event MxWriteCompleteHandler? OnWriteComplete;
-    }
-}

src/ZB.MOM.WW.OtOpcUa.Host/Domain/IUserAuthenticationProvider.cs

@@ -1,41 +0,0 @@
-using System.Collections.Generic;
-
-namespace ZB.MOM.WW.OtOpcUa.Host.Domain
-{
-    /// <summary>
-    ///     Pluggable interface for validating user credentials. Implement for different backing stores (config file, LDAP,
-    ///     etc.).
-    /// </summary>
-    public interface IUserAuthenticationProvider
-    {
-        /// <summary>
-        ///     Validates a username/password combination.
-        /// </summary>
-        bool ValidateCredentials(string username, string password);
-    }
-
-    /// <summary>
-    ///     Extended interface for providers that can resolve application-level roles for authenticated users.
-    ///     When the auth provider implements this interface, OnImpersonateUser uses the returned roles
-    ///     to control write and alarm-ack permissions.
-    /// </summary>
-    public interface IRoleProvider
-    {
-        /// <summary>
-        ///     Returns the set of application-level roles granted to the user.
-        /// </summary>
-        IReadOnlyList<string> GetUserRoles(string username);
-    }
-
-    /// <summary>
-    ///     Well-known application-level role names used for permission enforcement.
-    /// </summary>
-    public static class AppRoles
-    {
-        public const string ReadOnly = "ReadOnly";
-        public const string WriteOperate = "WriteOperate";
-        public const string WriteTune = "WriteTune";
-        public const string WriteConfigure = "WriteConfigure";
-        public const string AlarmAck = "AlarmAck";
-    }
-}

src/ZB.MOM.WW.OtOpcUa.Host/Domain/LdapAuthenticationProvider.cs

@@ -1,148 +0,0 @@
-using System;
-using System.Collections.Generic;
-using System.DirectoryServices.Protocols;
-using System.Net;
-using Serilog;
-using ZB.MOM.WW.OtOpcUa.Host.Configuration;
-
-namespace ZB.MOM.WW.OtOpcUa.Host.Domain
-{
-    /// <summary>
-    ///     Validates credentials via LDAP bind and resolves group membership to application roles.
-    /// </summary>
-    public class LdapAuthenticationProvider : IUserAuthenticationProvider, IRoleProvider
-    {
-        private static readonly ILogger Log = Serilog.Log.ForContext<LdapAuthenticationProvider>();
-
-        private readonly LdapConfiguration _config;
-        private readonly Dictionary<string, string> _groupToRole;
-
-        public LdapAuthenticationProvider(LdapConfiguration config)
-        {
-            _config = config;
-            _groupToRole = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
-            {
-                { config.ReadOnlyGroup, AppRoles.ReadOnly },
-                { config.WriteOperateGroup, AppRoles.WriteOperate },
-                { config.WriteTuneGroup, AppRoles.WriteTune },
-                { config.WriteConfigureGroup, AppRoles.WriteConfigure },
-                { config.AlarmAckGroup, AppRoles.AlarmAck }
-            };
-        }
-
-        public IReadOnlyList<string> GetUserRoles(string username)
-        {
-            try
-            {
-                using (var connection = CreateConnection())
-                {
-                    // Bind with service account to search
-                    connection.Bind(new NetworkCredential(_config.ServiceAccountDn, _config.ServiceAccountPassword));
-
-                    var request = new SearchRequest(
-                        _config.BaseDN,
-                        $"(cn={EscapeLdapFilter(username)})",
-                        SearchScope.Subtree,
-                        "memberOf");
-
-                    var response = (SearchResponse)connection.SendRequest(request);
-
-                    if (response.Entries.Count == 0)
-                    {
-                        Log.Warning("LDAP search returned no entries for {Username}", username);
-                        return new[] { AppRoles.ReadOnly }; // safe fallback
-                    }
-
-                    var entry = response.Entries[0];
-                    var memberOf = entry.Attributes["memberOf"];
-                    if (memberOf == null || memberOf.Count == 0)
-                    {
-                        Log.Debug("No memberOf attributes for {Username}, defaulting to ReadOnly", username);
-                        return new[] { AppRoles.ReadOnly };
-                    }
-
-                    var roles = new List<string>();
-                    for (var i = 0; i < memberOf.Count; i++)
-                    {
-                        var dn = memberOf[i]?.ToString() ?? "";
-                        // Extract the OU/CN from the memberOf DN (e.g., "ou=ReadWrite,ou=groups,dc=...")
-                        var groupName = ExtractGroupName(dn);
-                        if (groupName != null && _groupToRole.TryGetValue(groupName, out var role)) roles.Add(role);
-                    }
-
-                    if (roles.Count == 0)
-                    {
-                        Log.Debug("No matching role groups for {Username}, defaulting to ReadOnly", username);
-                        roles.Add(AppRoles.ReadOnly);
-                    }
-
-                    Log.Debug("LDAP roles for {Username}: [{Roles}]", username, string.Join(", ", roles));
-                    return roles;
-                }
-            }
-            catch (Exception ex)
-            {
-                Log.Warning(ex, "Failed to resolve LDAP roles for {Username}, defaulting to ReadOnly", username);
-                return new[] { AppRoles.ReadOnly };
-            }
-        }
-
-        public bool ValidateCredentials(string username, string password)
-        {
-            try
-            {
-                var bindDn = _config.BindDnTemplate.Replace("{username}", username);
-                using (var connection = CreateConnection())
-                {
-                    connection.Bind(new NetworkCredential(bindDn, password));
-                }
-
-                Log.Debug("LDAP bind succeeded for {Username}", username);
-                return true;
-            }
-            catch (LdapException ex)
-            {
-                Log.Debug("LDAP bind failed for {Username}: {Error}", username, ex.Message);
-                return false;
-            }
-            catch (Exception ex)
-            {
-                Log.Warning(ex, "LDAP error during credential validation for {Username}", username);
-                return false;
-            }
-        }
-
-        private LdapConnection CreateConnection()
-        {
-            var identifier = new LdapDirectoryIdentifier(_config.Host, _config.Port);
-            var connection = new LdapConnection(identifier)
-            {
-                AuthType = AuthType.Basic,
-                Timeout = TimeSpan.FromSeconds(_config.TimeoutSeconds)
-            };
-            connection.SessionOptions.ProtocolVersion = 3;
-            return connection;
-        }
-
-        private static string? ExtractGroupName(string dn)
-        {
-            // Parse "ou=ReadWrite,ou=groups,dc=..." or "cn=ReadWrite,..."
-            if (string.IsNullOrEmpty(dn)) return null;
-            var parts = dn.Split(',');
-            if (parts.Length == 0) return null;
-            var first = parts[0].Trim();
-            var eqIdx = first.IndexOf('=');
-            return eqIdx >= 0 ? first.Substring(eqIdx + 1) : null;
-        }
-
-        private static string EscapeLdapFilter(string input)
-        {
-            return input
-                .Replace("\\", "\\5c")
-                .Replace("*", "\\2a")
-                .Replace("(", "\\28")
-                .Replace(")", "\\29")
-                .Replace("\0", "\\00");
-        }
-    }
-}

src/ZB.MOM.WW.OtOpcUa.Host/Domain/LmxRoleIds.cs

@@ -1,18 +0,0 @@
-namespace ZB.MOM.WW.OtOpcUa.Host.Domain
-{
-    /// <summary>
-    ///     Stable identifiers for custom OPC UA roles mapped from LDAP groups.
-    ///     The namespace URI is registered in the server namespace table at startup,
-    ///     and the string identifiers are resolved to runtime NodeIds before use.
-    /// </summary>
-    public static class LmxRoleIds
-    {
-        public const string NamespaceUri = "urn:zbmom:lmxopcua:roles";
-
-        public const string ReadOnly = "Role.ReadOnly";
-        public const string WriteOperate = "Role.WriteOperate";
-        public const string WriteTune = "Role.WriteTune";
-        public const string WriteConfigure = "Role.WriteConfigure";
-        public const string AlarmAck = "Role.AlarmAck";
-    }
-}

src/ZB.MOM.WW.OtOpcUa.Host/Domain/MxDataTypeMapper.cs

@@ -1,87 +0,0 @@
-using System;
-
-namespace ZB.MOM.WW.OtOpcUa.Host.Domain
-{
-    /// <summary>
-    ///     Maps Galaxy mx_data_type integers to OPC UA data types and CLR types. (OPC-005)
-    ///     See gr/data_type_mapping.md for full mapping table.
-    /// </summary>
-    public static class MxDataTypeMapper
-    {
-        /// <summary>
-        ///     Maps mx_data_type to OPC UA DataType NodeId numeric identifier.
-        ///     Unknown types default to String (i=12).
-        /// </summary>
-        /// <param name="mxDataType">The Galaxy MX data type code.</param>
-        /// <returns>The OPC UA built-in data type node identifier.</returns>
-        public static uint MapToOpcUaDataType(int mxDataType)
-        {
-            return mxDataType switch
-            {
-                1 => 1, // Boolean → i=1
-                2 => 6, // Integer → Int32 i=6
-                3 => 10, // Float → Float i=10
-                4 => 11, // Double → Double i=11
-                5 => 12, // String → String i=12
-                6 => 13, // Time → DateTime i=13
-                7 => 11, // ElapsedTime → Double i=11 (seconds)
-                8 => 12, // Reference → String i=12
-                13 => 6, // Enumeration → Int32 i=6
-                14 => 12, // Custom → String i=12
-                15 => 21, // InternationalizedString → LocalizedText i=21
-                16 => 12, // Custom → String i=12
-                _ => 12 // Unknown → String i=12
-            };
-        }
-
-        /// <summary>
-        ///     Maps mx_data_type to the corresponding CLR type.
-        /// </summary>
-        /// <param name="mxDataType">The Galaxy MX data type code.</param>
-        /// <returns>The CLR type used to represent runtime values for the MX type.</returns>
-        public static Type MapToClrType(int mxDataType)
-        {
-            return mxDataType switch
-            {
-                1 => typeof(bool),
-                2 => typeof(int),
-                3 => typeof(float),
-                4 => typeof(double),
-                5 => typeof(string),
-                6 => typeof(DateTime),
-                7 => typeof(double), // ElapsedTime as seconds
-                8 => typeof(string), // Reference as string
-                13 => typeof(int), // Enum backing integer
-                14 => typeof(string),
-                15 => typeof(string), // LocalizedText stored as string
-                16 => typeof(string),
-                _ => typeof(string)
-            };
-        }
-
-        /// <summary>
-        ///     Returns the OPC UA type name for a given mx_data_type.
-        /// </summary>
-        /// <param name="mxDataType">The Galaxy MX data type code.</param>
-        /// <returns>The OPC UA type name used in diagnostics.</returns>
-        public static string GetOpcUaTypeName(int mxDataType)
-        {
-            return mxDataType switch
-            {
-                1 => "Boolean",
-                2 => "Int32",
-                3 => "Float",
-                4 => "Double",
-                5 => "String",
-                6 => "DateTime",
-                7 => "Double",
-                8 => "String",
-                13 => "Int32",
-                14 => "String",
-                15 => "LocalizedText",
-                16 => "String",
-                _ => "String"
-            };
-        }
-    }
-}

src/ZB.MOM.WW.OtOpcUa.Host/Domain/MxErrorCodes.cs

@@ -1,76 +0,0 @@
-namespace ZB.MOM.WW.OtOpcUa.Host.Domain
-{
-    /// <summary>
-    ///     Translates MXAccess error codes (1008, 1012, 1013, etc.) to human-readable messages. (MXA-009)
-    /// </summary>
-    public static class MxErrorCodes
-    {
-        /// <summary>
-        ///     The requested Galaxy attribute reference does not resolve in the runtime.
-        /// </summary>
-        public const int MX_E_InvalidReference = 1008;
-
-        /// <summary>
-        ///     The supplied value does not match the attribute's configured data type.
-        /// </summary>
-        public const int MX_E_WrongDataType = 1012;
-
-        /// <summary>
-        ///     The target attribute cannot be written because it is read-only or protected.
-        /// </summary>
-        public const int MX_E_NotWritable = 1013;
-
-        /// <summary>
-        ///     The runtime did not complete the operation within the configured timeout.
-        /// </summary>
-        public const int MX_E_RequestTimedOut = 1014;
-
-        /// <summary>
-        ///     Communication with the MXAccess runtime failed during the operation.
-        /// </summary>
-        public const int MX_E_CommFailure = 1015;
-
-        /// <summary>
-        ///     The operation was attempted without an active MXAccess session.
-        /// </summary>
-        public const int MX_E_NotConnected = 1016;
-
-        /// <summary>
-        ///     Converts a numeric MXAccess error code into an operator-facing message.
-        /// </summary>
-        /// <param name="errorCode">The MXAccess error code returned by the runtime.</param>
-        /// <returns>A human-readable description of the runtime failure.</returns>
-        public static string GetMessage(int errorCode)
-        {
-            return errorCode switch
-            {
-                1008 => "Invalid reference: the tag address does not exist or is malformed",
-                1012 => "Wrong data type: the value type does not match the attribute's expected type",
-                1013 => "Not writable: the attribute is read-only or locked",
-                1014 => "Request timed out: the operation did not complete within the allowed time",
-                1015 => "Communication failure: lost connection to the runtime",
-                1016 => "Not connected: no active connection to the Galaxy runtime",
-                _ => $"Unknown MXAccess error code: {errorCode}"
-            };
-        }
-
-        /// <summary>
-        ///     Maps an MXAccess error code to the OPC quality state that should be exposed to clients.
-        /// </summary>
-        /// <param name="errorCode">The MXAccess error code returned by the runtime.</param>
-        /// <returns>The quality classification that best represents the runtime failure.</returns>
-        public static Quality MapToQuality(int errorCode)
-        {
-            return errorCode switch
-            {
-                1008 => Quality.BadConfigError,
-                1012 => Quality.BadConfigError,
-                1013 => Quality.BadOutOfService,
-                1014 => Quality.BadCommFailure,
-                1015 => Quality.BadCommFailure,
-                1016 => Quality.BadNotConnected,
-                _ => Quality.Bad
-            };
-        }
-    }
-}

src/ZB.MOM.WW.OtOpcUa.Host/Domain/PlatformInfo.cs

@@ -1,18 +0,0 @@
-namespace ZB.MOM.WW.OtOpcUa.Host.Domain
-{
-    /// <summary>
-    ///     Maps a deployed Galaxy platform to the hostname where it executes.
-    /// </summary>
-    public class PlatformInfo
-    {
-        /// <summary>
-        ///     Gets or sets the gobject_id of the platform object in the Galaxy repository.
-        /// </summary>
-        public int GobjectId { get; set; }
-
-        /// <summary>
-        ///     Gets or sets the hostname (node_name) where the platform is deployed.
-        /// </summary>
-        public string NodeName { get; set; } = "";
-    }
-}

src/ZB.MOM.WW.OtOpcUa.Host/Domain/Quality.cs

@@ -1,122 +0,0 @@
-namespace ZB.MOM.WW.OtOpcUa.Host.Domain
-{
-    /// <summary>
-    ///     OPC DA quality codes mapped from MXAccess quality values. (MXA-009, OPC-005)
-    /// </summary>
-    public enum Quality : byte
-    {
-        // Bad family (0-63)
-        /// <summary>
-        ///     No valid process value is available.
-        /// </summary>
-        Bad = 0,
-
-        /// <summary>
-        ///     The value is invalid because the Galaxy attribute definition or mapping is wrong.
-        /// </summary>
-        BadConfigError = 4,
-
-        /// <summary>
-        ///     The bridge is not currently connected to the Galaxy runtime.
-        /// </summary>
-        BadNotConnected = 8,
-
-        /// <summary>
-        ///     The runtime device or adapter failed while obtaining the value.
-        /// </summary>
-        BadDeviceFailure = 12,
-
-        /// <summary>
-        ///     The underlying field source reported a bad sensor condition.
-        /// </summary>
-        BadSensorFailure = 16,
-
-        /// <summary>
-        ///     Communication with the runtime failed while retrieving the value.
-        /// </summary>
-        BadCommFailure = 20,
-
-        /// <summary>
-        ///     The attribute is intentionally unavailable for service, such as a locked or unwritable value.
-        /// </summary>
-        BadOutOfService = 24,
-
-        /// <summary>
-        ///     The bridge is still waiting for the first usable value after startup or resubscription.
-        /// </summary>
-        BadWaitingForInitialData = 32,
-
-        // Uncertain family (64-191)
-        /// <summary>
-        ///     A value is available, but it should be treated cautiously.
-        /// </summary>
-        Uncertain = 64,
-
-        /// <summary>
-        ///     The last usable value is being repeated because a newer one is unavailable.
-        /// </summary>
-        UncertainLastUsable = 68,
-
-        /// <summary>
-        ///     The sensor or source is providing a value with reduced accuracy.
-        /// </summary>
-        UncertainSensorNotAccurate = 80,
-
-        /// <summary>
-        ///     The value exceeds its engineered limits.
-        /// </summary>
-        UncertainEuExceeded = 84,
-
-        /// <summary>
-        ///     The source is operating in a degraded or subnormal state.
-        /// </summary>
-        UncertainSubNormal = 88,
-
-        // Good family (192+)
-        /// <summary>
-        ///     The value is current and suitable for normal client use.
-        /// </summary>
-        Good = 192,
-
-        /// <summary>
-        ///     The value is good but currently overridden locally rather than flowing from the live source.
-        /// </summary>
-        GoodLocalOverride = 216
-    }
-
-    /// <summary>
-    ///     Helper methods for reasoning about OPC quality families used by the bridge.
-    /// </summary>
-    public static class QualityExtensions
-    {
-        /// <summary>
-        ///     Determines whether the quality represents a good runtime value that can be trusted by OPC UA clients.
-        /// </summary>
-        /// <param name="q">The quality code to inspect.</param>
-        /// <returns><see langword="true" /> when the value is in the good quality range; otherwise, <see langword="false" />.</returns>
-        public static bool IsGood(this Quality q)
-        {
-            return (byte)q >= 192;
-        }
-
-        /// <summary>
-        ///     Determines whether the quality represents an uncertain runtime value that should be treated cautiously.
-        /// </summary>
-        /// <param name="q">The quality code to inspect.</param>
-        /// <returns><see langword="true" /> when the value is in the uncertain range; otherwise, <see langword="false" />.</returns>
-        public static bool IsUncertain(this Quality q)
-        {
-            return (byte)q >= 64 && (byte)q < 192;
-        }
-
-        /// <summary>
-        ///     Determines whether the quality represents a bad runtime value that should not be used as valid process data.
-        /// </summary>
-        /// <param name="q">The quality code to inspect.</param>
-        /// <returns><see langword="true" /> when the value is in the bad range; otherwise, <see langword="false" />.</returns>
-        public static bool IsBad(this Quality q)
-        {
-            return (byte)q < 64;
-        }
-    }
-}

src/ZB.MOM.WW.OtOpcUa.Host/Domain/QualityMapper.cs

@@ -1,60 +0,0 @@
-using System;
-
-namespace ZB.MOM.WW.OtOpcUa.Host.Domain
-{
-    /// <summary>
-    ///     Maps MXAccess integer quality to domain Quality enum and OPC UA StatusCodes. (MXA-009, OPC-005)
-    /// </summary>
-    public static class QualityMapper
-    {
-        /// <summary>
-        ///     Maps an MXAccess quality integer (OPC DA quality byte) to domain Quality.
-        ///     Uses category bits: 192+ = Good, 64-191 = Uncertain, 0-63 = Bad.
-        /// </summary>
-        /// <param name="mxQuality">The raw MXAccess quality integer.</param>
-        /// <returns>The mapped bridge quality value.</returns>
-        public static Quality MapFromMxAccessQuality(int mxQuality)
-        {
-            var b = (byte)(mxQuality & 0xFF);
-
-            // Try exact match first
-            if (Enum.IsDefined(typeof(Quality), b))
-                return (Quality)b;
-
-            // Fall back to category
-            if (b >= 192) return Quality.Good;
-            if (b >= 64) return Quality.Uncertain;
-            return Quality.Bad;
-        }
-
-        /// <summary>
-        ///     Maps domain Quality to OPC UA StatusCode uint32.
-        /// </summary>
-        /// <param name="quality">The bridge quality value.</param>
-        /// <returns>The OPC UA status code represented as a 32-bit unsigned integer.</returns>
-        public static uint MapToOpcUaStatusCode(Quality quality)
-        {
-            return quality switch
-            {
-                Quality.Good => 0x00000000u, // Good
-                Quality.GoodLocalOverride => 0x00D80000u, // Good_LocalOverride
-                Quality.Uncertain => 0x40000000u, // Uncertain
-                Quality.UncertainLastUsable => 0x40900000u,
-                Quality.UncertainSensorNotAccurate => 0x40930000u,
-                Quality.UncertainEuExceeded => 0x40940000u,
-                Quality.UncertainSubNormal => 0x40950000u,
-                Quality.Bad => 0x80000000u, // Bad
-                Quality.BadConfigError => 0x80890000u,
-                Quality.BadNotConnected => 0x808A0000u,
-                Quality.BadDeviceFailure => 0x808B0000u,
-                Quality.BadSensorFailure => 0x808C0000u,
-                Quality.BadCommFailure => 0x80050000u,
-                Quality.BadOutOfService => 0x808D0000u,
-                Quality.BadWaitingForInitialData => 0x80320000u,
-                _ => quality.IsGood() ? 0x00000000u :
-                    quality.IsUncertain() ? 0x40000000u :
-                    0x80000000u
-            };
-        }
-    }
-}

src/ZB.MOM.WW.OtOpcUa.Host/Domain/SecurityClassificationMapper.cs

@@ -1,30 +0,0 @@
-namespace ZB.MOM.WW.OtOpcUa.Host.Domain
-{
-    /// <summary>
-    ///     Maps Galaxy security classification values to OPC UA write access decisions.
-    ///     See gr/data_type_mapping.md for the full mapping table.
-    /// </summary>
-    public static class SecurityClassificationMapper
-    {
-        /// <summary>
-        ///     Determines whether an attribute with the given security classification should allow writes.
-        /// </summary>
-        /// <param name="securityClassification">The Galaxy security classification value.</param>
-        /// <returns>
-        ///     <see langword="true" /> for FreeAccess (0), Operate (1), Tune (4), Configure (5);
-        ///     <see langword="false" /> for SecuredWrite (2), VerifiedWrite (3), ViewOnly (6).
-        /// </returns>
-        public static bool IsWritable(int securityClassification)
-        {
-            switch (securityClassification)
-            {
-                case 2: // SecuredWrite
-                case 3: // VerifiedWrite
-                case 6: // ViewOnly
-                    return false;
-                default:
-                    return true;
-            }
-        }
-    }
-}

src/ZB.MOM.WW.OtOpcUa.Host/Domain/Vtq.cs

@@ -1,96 +0,0 @@
-using System;
-
-namespace ZB.MOM.WW.OtOpcUa.Host.Domain
-{
-    /// <summary>
-    ///     Value-Timestamp-Quality triplet for tag data. (MXA-003, OPC-007)
-    /// </summary>
-    public readonly struct Vtq : IEquatable<Vtq>
-    {
-        /// <summary>
-        ///     Gets the runtime value returned for the Galaxy attribute.
-        /// </summary>
-        public object? Value { get; }
-
-        /// <summary>
-        ///     Gets the timestamp associated with the runtime value.
-        /// </summary>
-        public DateTime Timestamp { get; }
-
-        /// <summary>
-        ///     Gets the quality classification that tells OPC UA clients whether the value is usable.
-        /// </summary>
-        public Quality Quality { get; }
-
-        /// <summary>
-        ///     Initializes a new instance of the <see cref="Vtq" /> struct for a Galaxy attribute value.
-        /// </summary>
-        /// <param name="value">The runtime value returned by MXAccess.</param>
-        /// <param name="timestamp">The timestamp assigned to the runtime value.</param>
-        /// <param name="quality">The quality classification for the runtime value.</param>
-        public Vtq(object? value, DateTime timestamp, Quality quality)
-        {
-            Value = value;
-            Timestamp = timestamp;
-            Quality = quality;
-        }
-
-        /// <summary>
-        ///     Creates a good-quality VTQ snapshot for a successfully read or subscribed attribute value.
-        /// </summary>
-        /// <param name="value">The runtime value to wrap.</param>
-        /// <returns>A VTQ carrying the provided value with the current UTC timestamp and good quality.</returns>
-        public static Vtq Good(object? value)
-        {
-            return new Vtq(value, DateTime.UtcNow, Quality.Good);
-        }
-
-        /// <summary>
-        ///     Creates a bad-quality VTQ snapshot when no usable runtime value is available.
-        /// </summary>
-        /// <param name="quality">The specific bad quality reason to expose to clients.</param>
-        /// <returns>A VTQ with no value, the current UTC timestamp, and the requested bad quality.</returns>
-        public static Vtq Bad(Quality quality = Quality.Bad)
-        {
-            return new Vtq(null, DateTime.UtcNow, quality);
-        }
-
-        /// <summary>
-        ///     Creates an uncertain VTQ snapshot when the runtime value exists but should be treated cautiously.
-        /// </summary>
-        /// <param name="value">The runtime value to wrap.</param>
-        /// <returns>A VTQ carrying the provided value with the current UTC timestamp and uncertain quality.</returns>
-        public static Vtq Uncertain(object? value)
-        {
-            return new Vtq(value, DateTime.UtcNow, Quality.Uncertain);
-        }
-
-        /// <summary>
-        ///     Compares two VTQ snapshots for exact value, timestamp, and quality equality.
-        /// </summary>
-        /// <param name="other">The other VTQ snapshot to compare.</param>
-        /// <returns><see langword="true" /> when all fields match; otherwise, <see langword="false" />.</returns>
-        public bool Equals(Vtq other)
-        {
-            return Equals(Value, other.Value) && Timestamp == other.Timestamp && Quality == other.Quality;
-        }
-
-        /// <inheritdoc />
-        public override bool Equals(object? obj)
-        {
-            return obj is Vtq other && Equals(other);
-        }
-
-        /// <inheritdoc />
-        public override int GetHashCode()
-        {
-            return HashCode.Combine(Value, Timestamp, Quality);
-        }
-
-        /// <inheritdoc />
-        public override string ToString()
-        {
-            return $"Vtq({Value}, {Timestamp:O}, {Quality})";
-        }
-    }
-}