Phase 3 PR 17 — complete OPC UA server startup end-to-end + integration test. PR 16 shipped the materialization shape (DriverNodeManager / OtOpcUaServer) without the activation glue; this PR finishes the scope so an external OPC UA client can actually connect, browse, and read. New OpcUaServerOptions DTO bound from the OpcUaServer section of appsettings.json (EndpointUrl default opc.tcp://0.0.0.0:4840/OtOpcUa, ApplicationName, ApplicationUri, PkiStoreRoot default %ProgramData%\OtOpcUa\pki, AutoAcceptUntrustedClientCertificates default true for dev — production flips via config). OpcUaApplicationHost wraps Opc.Ua.Configuration.ApplicationInstance: BuildConfiguration constructs the ApplicationConfiguration programmatically (no external XML) with SecurityConfiguration pointing at <PkiStoreRoot>/own, /issuers, /trusted, /rejected directories — stack auto-creates the cert folders on first run and generates a self-signed application certificate via CheckApplicationInstanceCertificate, ServerConfiguration.BaseAddresses set to the endpoint URL + SecurityPolicies just None + UserTokenPolicies just Anonymous with PolicyId='Anonymous' + SecurityPolicyUri=None so the client's UserTokenPolicy lookup succeeds at OpenSession, TransportQuotas.OperationTimeout=15s + MinRequestThreadCount=5 / MaxRequestThreadCount=100 / MaxQueuedRequestCount=200, CertificateValidator auto-accepts untrusted when configured. StartAsync creates the OtOpcUaServer (passes DriverHost + ILoggerFactory so one DriverNodeManager is created per registered driver in CreateMasterNodeManager from PR 16), calls ApplicationInstance.Start(server) to bind the endpoint, then walks each DriverNodeManager and drives a fresh GenericDriverNodeManager.BuildAddressSpaceAsync against it so the driver's discovery streams into the address space that's already serving clients. Per-driver discovery is isolated per decision #12: a discovery exception marks the driver's subtree faulted but the server stays up serving the other drivers' subtrees. DriverHost.GetDriver(instanceId) public accessor added alongside the existing GetHealth so OtOpcUaServer can enumerate drivers during CreateMasterNodeManager. DriverNodeManager.Driver property made public so OpcUaApplicationHost can identify which driver each node manager wraps during the discovery loop. OpcUaServerService constructor takes OpcUaApplicationHost — ExecuteAsync sequence now: bootstrap.LoadCurrentGenerationAsync → applicationHost.StartAsync → infinite Task.Delay until stop. StopAsync disposes the application host (which stops the server via OtOpcUaServer.Stop) before disposing DriverHost. Program.cs binds OpcUaServerOptions from appsettings + registers OpcUaApplicationHost + OpcUaServerOptions as singletons. Integration test (OpcUaServerIntegrationTests, Category=Integration): IAsyncLifetime spins up the server on a random non-default port (48400+random for test isolation) with a per-test-run PKI store root (%temp%/otopcua-test-<guid>) + a FakeDriver registered in DriverHost that has ITagDiscovery + IReadable implementations — DiscoverAsync registers TestFolder>Var1, ReadAsync returns 42. Client_can_connect_and_browse_driver_subtree creates an in-process OPC UA client session via CoreClientUtils.SelectEndpoint (which talks to the running server's GetEndpoints and fetches the live EndpointDescription with the actual PolicyId), browses the fake driver's root, asserts TestFolder appears in the returned references. Client_can_read_a_driver_variable_through_the_node_manager constructs the variable NodeId using the namespace index the server registered (urn:OtOpcUa:fake), calls Session.ReadValue, asserts the DataValue.Value is 42 — the whole pipeline (client → server endpoint → DriverNodeManager.OnReadValue → FakeDriver.ReadAsync → back through the node manager → response to client) round-trips correctly. Dispose tears down the session, server, driver host, and PKI store directory. Full solution: 0 errors, 165 tests pass (8 Core unit + 14 Proxy unit + 24 Configuration unit + 6 Shared unit + 91 Galaxy.Host unit + 4 Server (2 unit NodeBootstrap + 2 new integration) + 18 Admin). End-to-end outcome: PR 14's GalaxyAlarmTracker alarm events now flow through PR 15's GenericDriverNodeManager event forwarder → PR 16's ConditionSink → OPC UA AlarmConditionState.ReportEvent → out to every OPC UA client subscribed to the alarm condition. The full alarm subsystem (driver-side subscription of the Galaxy 4-attribute quartet, Core-side routing by source node id, Server-side AlarmConditionState materialization with ReportEvent dispatch) is now complete and observable through any compliant OPC UA client. LDAP / security-profile wire-up (replacing the anonymous-only endpoint with BasicSignAndEncrypt + user identity mapping to NodePermissions role) is the next layer — it reuses the same ApplicationConfiguration plumbing this PR introduces but needs a deployment-policy source (central config DB) for the cert trust decisions.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/ZB.MOM.WW.OtOpcUa.Core/Hosting/DriverHost.cs

@@ -24,6 +24,17 @@ public sealed class DriverHost : IAsyncDisposable
             return _drivers.TryGetValue(driverInstanceId, out var d) ? d.GetHealth() : null;
     }
 
+    /// <summary>
+    ///     Look up a registered driver by instance id. Used by the OPC UA server runtime
+    ///     (<c>OtOpcUaServer</c>) to instantiate one <c>DriverNodeManager</c> per driver at
+    ///     startup. Returns null when the driver is not registered.
+    /// </summary>
+    public IDriver? GetDriver(string driverInstanceId)
+    {
+        lock (_lock)
+            return _drivers.TryGetValue(driverInstanceId, out var d) ? d : null;
+    }
+
     /// <summary>
     ///     Registers the driver and calls <see cref="IDriver.InitializeAsync"/>. If initialization
     ///     throws, the driver is kept in the registry so the operator can retry; quality on its

src/ZB.MOM.WW.OtOpcUa.Server/OpcUa/DriverNodeManager.cs

@@ -0,0 +1,363 @@
+using System.Globalization;
+using Microsoft.Extensions.Logging;
+using Opc.Ua;
+using Opc.Ua.Server;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using DriverWriteRequest = ZB.MOM.WW.OtOpcUa.Core.Abstractions.WriteRequest;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.OpcUa;
+
+/// <summary>
+///     Concrete <see cref="CustomNodeManager2"/> that materializes the driver's address space
+///     into OPC UA nodes. Implements <see cref="IAddressSpaceBuilder"/> itself so
+///     <c>GenericDriverNodeManager.BuildAddressSpaceAsync</c> can stream nodes directly into the
+///     OPC UA server's namespace. PR 15's <c>MarkAsAlarmCondition</c> hook creates a sibling
+///     <see cref="AlarmConditionState"/> node per alarm-flagged variable; subsequent driver
+///     <c>OnAlarmEvent</c> pushes land through the returned sink to drive Activate /
+///     Acknowledge / Deactivate transitions.
+/// </summary>
+/// <remarks>
+///     Read / Subscribe / Write are routed to the driver's capability interfaces — the node
+///     manager holds references to <see cref="IReadable"/>, <see cref="ISubscribable"/>, and
+///     <see cref="IWritable"/> when present. Nodes with no driver backing (plain folders) are
+///     served directly from the internal PredefinedNodes table.
+/// </remarks>
+public sealed class DriverNodeManager : CustomNodeManager2, IAddressSpaceBuilder
+{
+    private readonly IDriver _driver;
+    private readonly IReadable? _readable;
+    private readonly IWritable? _writable;
+    private readonly ILogger<DriverNodeManager> _logger;
+
+    /// <summary>The driver whose address space this node manager exposes.</summary>
+    public IDriver Driver => _driver;
+
+    private FolderState? _driverRoot;
+    private readonly Dictionary<string, BaseDataVariableState> _variablesByFullRef = new(StringComparer.OrdinalIgnoreCase);
+
+    // Active building folder — set per Folder() call so Variable() lands under the right parent.
+    // A stack would support nested folders; we use a single current folder because IAddressSpaceBuilder
+    // returns a child builder per Folder call and the caller threads nesting through those references.
+    private FolderState _currentFolder = null!;
+
+    public DriverNodeManager(IServerInternal server, ApplicationConfiguration configuration,
+        IDriver driver, ILogger<DriverNodeManager> logger)
+        : base(server, configuration, namespaceUris: $"urn:OtOpcUa:{driver.DriverInstanceId}")
+    {
+        _driver = driver;
+        _readable = driver as IReadable;
+        _writable = driver as IWritable;
+        _logger = logger;
+    }
+
+    protected override NodeStateCollection LoadPredefinedNodes(ISystemContext context) => new();
+
+    public override void CreateAddressSpace(IDictionary<NodeId, IList<IReference>> externalReferences)
+    {
+        lock (Lock)
+        {
+            _driverRoot = new FolderState(null)
+            {
+                SymbolicName = _driver.DriverInstanceId,
+                ReferenceTypeId = ReferenceTypeIds.Organizes,
+                TypeDefinitionId = ObjectTypeIds.FolderType,
+                NodeId = new NodeId(_driver.DriverInstanceId, NamespaceIndex),
+                BrowseName = new QualifiedName(_driver.DriverInstanceId, NamespaceIndex),
+                DisplayName = new LocalizedText(_driver.DriverInstanceId),
+                EventNotifier = EventNotifiers.None,
+            };
+
+            // Link under Objects folder so clients see the driver subtree at browse root.
+            if (!externalReferences.TryGetValue(ObjectIds.ObjectsFolder, out var references))
+            {
+                references = new List<IReference>();
+                externalReferences[ObjectIds.ObjectsFolder] = references;
+            }
+            references.Add(new NodeStateReference(ReferenceTypeIds.Organizes, false, _driverRoot.NodeId));
+
+            AddPredefinedNode(SystemContext, _driverRoot);
+            _currentFolder = _driverRoot;
+        }
+    }
+
+    // ------- IAddressSpaceBuilder implementation (PR 15 contract) -------
+
+    public IAddressSpaceBuilder Folder(string browseName, string displayName)
+    {
+        lock (Lock)
+        {
+            var folder = new FolderState(_currentFolder)
+            {
+                SymbolicName = browseName,
+                ReferenceTypeId = ReferenceTypeIds.Organizes,
+                TypeDefinitionId = ObjectTypeIds.FolderType,
+                NodeId = new NodeId($"{_currentFolder.NodeId.Identifier}/{browseName}", NamespaceIndex),
+                BrowseName = new QualifiedName(browseName, NamespaceIndex),
+                DisplayName = new LocalizedText(displayName),
+            };
+            _currentFolder.AddChild(folder);
+            AddPredefinedNode(SystemContext, folder);
+            return new NestedBuilder(this, folder);
+        }
+    }
+
+    public IVariableHandle Variable(string browseName, string displayName, DriverAttributeInfo attributeInfo)
+    {
+        lock (Lock)
+        {
+            var v = new BaseDataVariableState(_currentFolder)
+            {
+                SymbolicName = browseName,
+                ReferenceTypeId = ReferenceTypeIds.Organizes,
+                TypeDefinitionId = VariableTypeIds.BaseDataVariableType,
+                NodeId = new NodeId(attributeInfo.FullName, NamespaceIndex),
+                BrowseName = new QualifiedName(browseName, NamespaceIndex),
+                DisplayName = new LocalizedText(displayName),
+                DataType = MapDataType(attributeInfo.DriverDataType),
+                ValueRank = attributeInfo.IsArray ? ValueRanks.OneDimension : ValueRanks.Scalar,
+                AccessLevel = AccessLevels.CurrentReadOrWrite,
+                UserAccessLevel = AccessLevels.CurrentReadOrWrite,
+                Historizing = attributeInfo.IsHistorized,
+            };
+            _currentFolder.AddChild(v);
+            AddPredefinedNode(SystemContext, v);
+            _variablesByFullRef[attributeInfo.FullName] = v;
+
+            v.OnReadValue = OnReadValue;
+            v.OnWriteValue = OnWriteValue;
+            return new VariableHandle(this, v, attributeInfo.FullName);
+        }
+    }
+
+    public void AddProperty(string browseName, DriverDataType dataType, object? value)
+    {
+        lock (Lock)
+        {
+            var p = new PropertyState(_currentFolder)
+            {
+                SymbolicName = browseName,
+                ReferenceTypeId = ReferenceTypeIds.HasProperty,
+                TypeDefinitionId = VariableTypeIds.PropertyType,
+                NodeId = new NodeId($"{_currentFolder.NodeId.Identifier}/{browseName}", NamespaceIndex),
+                BrowseName = new QualifiedName(browseName, NamespaceIndex),
+                DisplayName = new LocalizedText(browseName),
+                DataType = MapDataType(dataType),
+                ValueRank = ValueRanks.Scalar,
+                Value = value,
+            };
+            _currentFolder.AddChild(p);
+            AddPredefinedNode(SystemContext, p);
+        }
+    }
+
+    private ServiceResult OnReadValue(ISystemContext context, NodeState node, NumericRange indexRange,
+        QualifiedName dataEncoding, ref object? value, ref StatusCode statusCode, ref DateTime timestamp)
+    {
+        if (_readable is null)
+        {
+            statusCode = StatusCodes.BadNotReadable;
+            return ServiceResult.Good;
+        }
+
+        try
+        {
+            var fullRef = node.NodeId.Identifier as string ?? "";
+            var result = _readable.ReadAsync([fullRef], CancellationToken.None).GetAwaiter().GetResult();
+            if (result.Count == 0)
+            {
+                statusCode = StatusCodes.BadNoData;
+                return ServiceResult.Good;
+            }
+            var snap = result[0];
+            value = snap.Value;
+            statusCode = snap.StatusCode;
+            timestamp = snap.ServerTimestampUtc;
+        }
+        catch (Exception ex)
+        {
+            _logger.LogWarning(ex, "OnReadValue failed for {NodeId}", node.NodeId);
+            statusCode = StatusCodes.BadInternalError;
+        }
+        return ServiceResult.Good;
+    }
+
+    private static NodeId MapDataType(DriverDataType t) => t switch
+    {
+        DriverDataType.Boolean => DataTypeIds.Boolean,
+        DriverDataType.Int32 => DataTypeIds.Int32,
+        DriverDataType.Float32 => DataTypeIds.Float,
+        DriverDataType.Float64 => DataTypeIds.Double,
+        DriverDataType.String => DataTypeIds.String,
+        DriverDataType.DateTime => DataTypeIds.DateTime,
+        _ => DataTypeIds.BaseDataType,
+    };
+
+    /// <summary>
+    ///     Nested builder returned by <see cref="Folder"/>. Temporarily retargets the parent's
+    ///     <see cref="_currentFolder"/> during each call so Variable/Folder calls land under the
+    ///     correct subtree. Not thread-safe if callers drive Discovery concurrently — but
+    ///     <c>GenericDriverNodeManager</c> discovery is sequential per driver.
+    /// </summary>
+    private sealed class NestedBuilder(DriverNodeManager owner, FolderState folder) : IAddressSpaceBuilder
+    {
+        public IAddressSpaceBuilder Folder(string browseName, string displayName)
+        {
+            var prior = owner._currentFolder;
+            owner._currentFolder = folder;
+            try { return owner.Folder(browseName, displayName); }
+            finally { owner._currentFolder = prior; }
+        }
+
+        public IVariableHandle Variable(string browseName, string displayName, DriverAttributeInfo attributeInfo)
+        {
+            var prior = owner._currentFolder;
+            owner._currentFolder = folder;
+            try { return owner.Variable(browseName, displayName, attributeInfo); }
+            finally { owner._currentFolder = prior; }
+        }
+
+        public void AddProperty(string browseName, DriverDataType dataType, object? value)
+        {
+            var prior = owner._currentFolder;
+            owner._currentFolder = folder;
+            try { owner.AddProperty(browseName, dataType, value); }
+            finally { owner._currentFolder = prior; }
+        }
+    }
+
+    private sealed class VariableHandle : IVariableHandle
+    {
+        private readonly DriverNodeManager _owner;
+        private readonly BaseDataVariableState _variable;
+        public string FullReference { get; }
+
+        public VariableHandle(DriverNodeManager owner, BaseDataVariableState variable, string fullRef)
+        {
+            _owner = owner;
+            _variable = variable;
+            FullReference = fullRef;
+        }
+
+        public IAlarmConditionSink MarkAsAlarmCondition(AlarmConditionInfo info)
+        {
+            lock (_owner.Lock)
+            {
+                var alarm = new AlarmConditionState(_variable)
+                {
+                    SymbolicName = _variable.BrowseName.Name + "_Condition",
+                    ReferenceTypeId = ReferenceTypeIds.HasComponent,
+                    NodeId = new NodeId(FullReference + ".Condition", _owner.NamespaceIndex),
+                    BrowseName = new QualifiedName(_variable.BrowseName.Name + "_Condition", _owner.NamespaceIndex),
+                    DisplayName = new LocalizedText(info.SourceName),
+                };
+                alarm.Create(_owner.SystemContext, alarm.NodeId, alarm.BrowseName, alarm.DisplayName, false);
+                alarm.SourceName.Value = info.SourceName;
+                alarm.Severity.Value = (ushort)MapSeverity(info.InitialSeverity);
+                alarm.Message.Value = new LocalizedText(info.InitialDescription ?? info.SourceName);
+                alarm.EnabledState.Value = new LocalizedText("Enabled");
+                alarm.EnabledState.Id.Value = true;
+                alarm.Retain.Value = false;
+                alarm.AckedState.Value = new LocalizedText("Acknowledged");
+                alarm.AckedState.Id.Value = true;
+                alarm.ActiveState.Value = new LocalizedText("Inactive");
+                alarm.ActiveState.Id.Value = false;
+
+                _variable.AddChild(alarm);
+                _owner.AddPredefinedNode(_owner.SystemContext, alarm);
+
+                return new ConditionSink(_owner, alarm);
+            }
+        }
+
+        private static int MapSeverity(AlarmSeverity s) => s switch
+        {
+            AlarmSeverity.Low => 250,
+            AlarmSeverity.Medium => 500,
+            AlarmSeverity.High => 700,
+            AlarmSeverity.Critical => 900,
+            _ => 500,
+        };
+    }
+
+    private sealed class ConditionSink(DriverNodeManager owner, AlarmConditionState alarm)
+        : IAlarmConditionSink
+    {
+        public void OnTransition(AlarmEventArgs args)
+        {
+            lock (owner.Lock)
+            {
+                alarm.Severity.Value = (ushort)MapSeverity(args.Severity);
+                alarm.Time.Value = args.SourceTimestampUtc;
+                alarm.Message.Value = new LocalizedText(args.Message);
+
+                // Map the driver's transition type to OPC UA Part 9 state. The driver uses
+                // AlarmEventArgs but the state transition kind is encoded in AlarmType by
+                // convention — Galaxy's GalaxyAlarmTracker emits "Active"/"Acknowledged"/"Inactive".
+                switch (args.AlarmType)
+                {
+                    case "Active":
+                        alarm.SetActiveState(owner.SystemContext, true);
+                        alarm.SetAcknowledgedState(owner.SystemContext, false);
+                        alarm.Retain.Value = true;
+                        break;
+                    case "Acknowledged":
+                        alarm.SetAcknowledgedState(owner.SystemContext, true);
+                        break;
+                    case "Inactive":
+                        alarm.SetActiveState(owner.SystemContext, false);
+                        // Retain stays true until the condition is both Inactive and Acknowledged
+                        // so alarm clients keep the record in their condition refresh snapshot.
+                        if (alarm.AckedState.Id.Value) alarm.Retain.Value = false;
+                        break;
+                }
+
+                alarm.ClearChangeMasks(owner.SystemContext, true);
+                alarm.ReportEvent(owner.SystemContext, alarm);
+            }
+        }
+
+        private static int MapSeverity(AlarmSeverity s) => s switch
+        {
+            AlarmSeverity.Low => 250,
+            AlarmSeverity.Medium => 500,
+            AlarmSeverity.High => 700,
+            AlarmSeverity.Critical => 900,
+            _ => 500,
+        };
+    }
+
+    /// <summary>
+    ///     Per-variable write hook wired on each <see cref="BaseDataVariableState"/>. Routes the
+    ///     value into the driver's <see cref="IWritable"/> and surfaces its per-tag status code.
+    /// </summary>
+    private ServiceResult OnWriteValue(ISystemContext context, NodeState node, NumericRange indexRange,
+        QualifiedName dataEncoding, ref object? value, ref StatusCode statusCode, ref DateTime timestamp)
+    {
+        if (_writable is null) return StatusCodes.BadNotWritable;
+        var fullRef = node.NodeId.Identifier as string;
+        if (string.IsNullOrEmpty(fullRef)) return StatusCodes.BadNodeIdUnknown;
+
+        try
+        {
+            var results = _writable.WriteAsync(
+                [new DriverWriteRequest(fullRef!, value)],
+                CancellationToken.None).GetAwaiter().GetResult();
+            if (results.Count > 0 && results[0].StatusCode != 0)
+            {
+                statusCode = results[0].StatusCode;
+                return ServiceResult.Good;
+            }
+            return ServiceResult.Good;
+        }
+        catch (Exception ex)
+        {
+            _logger.LogWarning(ex, "Write failed for {FullRef}", fullRef);
+            return new ServiceResult(StatusCodes.BadInternalError);
+        }
+    }
+
+    // Diagnostics hook for tests — number of variables registered in this node manager.
+    internal int VariableCount => _variablesByFullRef.Count;
+    internal bool TryGetVariable(string fullRef, out BaseDataVariableState? v)
+        => _variablesByFullRef.TryGetValue(fullRef, out v!);
+}

src/ZB.MOM.WW.OtOpcUa.Server/OpcUa/OpcUaApplicationHost.cs

@@ -0,0 +1,181 @@
+using Microsoft.Extensions.Logging;
+using Opc.Ua;
+using Opc.Ua.Configuration;
+using ZB.MOM.WW.OtOpcUa.Core.Hosting;
+using ZB.MOM.WW.OtOpcUa.Core.OpcUa;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.OpcUa;
+
+/// <summary>
+///     Wraps <see cref="ApplicationInstance"/> to bring the OPC UA server online — builds an
+///     <see cref="ApplicationConfiguration"/> programmatically (no external XML file), ensures
+///     the application certificate exists in the PKI store (auto-generates self-signed on first
+///     run), starts the server, then walks each <see cref="DriverNodeManager"/> and invokes
+///     <see cref="GenericDriverNodeManager.BuildAddressSpaceAsync"/> against it so the driver's
+///     discovery streams into the already-running server's address space.
+/// </summary>
+public sealed class OpcUaApplicationHost : IAsyncDisposable
+{
+    private readonly OpcUaServerOptions _options;
+    private readonly DriverHost _driverHost;
+    private readonly ILoggerFactory _loggerFactory;
+    private readonly ILogger<OpcUaApplicationHost> _logger;
+    private ApplicationInstance? _application;
+    private OtOpcUaServer? _server;
+    private bool _disposed;
+
+    public OpcUaApplicationHost(OpcUaServerOptions options, DriverHost driverHost,
+        ILoggerFactory loggerFactory, ILogger<OpcUaApplicationHost> logger)
+    {
+        _options = options;
+        _driverHost = driverHost;
+        _loggerFactory = loggerFactory;
+        _logger = logger;
+    }
+
+    public OtOpcUaServer? Server => _server;
+
+    /// <summary>
+    ///     Builds the <see cref="ApplicationConfiguration"/>, validates/creates the application
+    ///     certificate, constructs + starts the <see cref="OtOpcUaServer"/>, then drives
+    ///     <see cref="GenericDriverNodeManager.BuildAddressSpaceAsync"/> per registered driver so
+    ///     the address space is populated before the first client connects.
+    /// </summary>
+    public async Task StartAsync(CancellationToken ct)
+    {
+        _application = new ApplicationInstance
+        {
+            ApplicationName = _options.ApplicationName,
+            ApplicationType = ApplicationType.Server,
+            ApplicationConfiguration = BuildConfiguration(),
+        };
+
+        var hasCert = await _application.CheckApplicationInstanceCertificate(silent: true, minimumKeySize: CertificateFactory.DefaultKeySize).ConfigureAwait(false);
+        if (!hasCert)
+            throw new InvalidOperationException(
+                $"OPC UA application certificate could not be validated or created in {_options.PkiStoreRoot}");
+
+        _server = new OtOpcUaServer(_driverHost, _loggerFactory);
+        await _application.Start(_server).ConfigureAwait(false);
+
+        _logger.LogInformation("OPC UA server started — endpoint={Endpoint} driverCount={Count}",
+            _options.EndpointUrl, _server.DriverNodeManagers.Count);
+
+        // Drive each driver's discovery through its node manager. The node manager IS the
+        // IAddressSpaceBuilder; GenericDriverNodeManager captures alarm-condition sinks into
+        // its internal map and wires OnAlarmEvent → sink routing.
+        foreach (var nodeManager in _server.DriverNodeManagers)
+        {
+            var driverId = nodeManager.Driver.DriverInstanceId;
+            try
+            {
+                var generic = new GenericDriverNodeManager(nodeManager.Driver);
+                await generic.BuildAddressSpaceAsync(nodeManager, ct).ConfigureAwait(false);
+                _logger.LogInformation("Address space populated for driver {Driver}", driverId);
+            }
+            catch (Exception ex)
+            {
+                // Per decision #12: driver exceptions isolate — log and keep the server serving
+                // the other drivers' subtrees. Re-building this one takes a Reinitialize call.
+                _logger.LogError(ex, "Discovery failed for driver {Driver}; subtree faulted", driverId);
+            }
+        }
+    }
+
+    private ApplicationConfiguration BuildConfiguration()
+    {
+        Directory.CreateDirectory(_options.PkiStoreRoot);
+
+        var cfg = new ApplicationConfiguration
+        {
+            ApplicationName = _options.ApplicationName,
+            ApplicationUri = _options.ApplicationUri,
+            ApplicationType = ApplicationType.Server,
+            ProductUri = "urn:OtOpcUa:Server",
+
+            SecurityConfiguration = new SecurityConfiguration
+            {
+                ApplicationCertificate = new CertificateIdentifier
+                {
+                    StoreType = CertificateStoreType.Directory,
+                    StorePath = Path.Combine(_options.PkiStoreRoot, "own"),
+                    SubjectName = "CN=" + _options.ApplicationName,
+                },
+                TrustedIssuerCertificates = new CertificateTrustList
+                {
+                    StoreType = CertificateStoreType.Directory,
+                    StorePath = Path.Combine(_options.PkiStoreRoot, "issuers"),
+                },
+                TrustedPeerCertificates = new CertificateTrustList
+                {
+                    StoreType = CertificateStoreType.Directory,
+                    StorePath = Path.Combine(_options.PkiStoreRoot, "trusted"),
+                },
+                RejectedCertificateStore = new CertificateTrustList
+                {
+                    StoreType = CertificateStoreType.Directory,
+                    StorePath = Path.Combine(_options.PkiStoreRoot, "rejected"),
+                },
+                AutoAcceptUntrustedCertificates = _options.AutoAcceptUntrustedClientCertificates,
+                AddAppCertToTrustedStore = true,
+            },
+
+            TransportConfigurations = new TransportConfigurationCollection(),
+            TransportQuotas = new TransportQuotas { OperationTimeout = 15000 },
+
+            ServerConfiguration = new ServerConfiguration
+            {
+                BaseAddresses = new StringCollection { _options.EndpointUrl },
+                SecurityPolicies = new ServerSecurityPolicyCollection
+                {
+                    new ServerSecurityPolicy
+                    {
+                        SecurityMode = MessageSecurityMode.None,
+                        SecurityPolicyUri = SecurityPolicies.None,
+                    },
+                },
+                UserTokenPolicies = new UserTokenPolicyCollection
+                {
+                    new UserTokenPolicy(UserTokenType.Anonymous)
+                    {
+                        PolicyId = "Anonymous",
+                        SecurityPolicyUri = SecurityPolicies.None,
+                    },
+                },
+                MinRequestThreadCount = 5,
+                MaxRequestThreadCount = 100,
+                MaxQueuedRequestCount = 200,
+            },
+
+            TraceConfiguration = new TraceConfiguration(),
+        };
+
+        cfg.Validate(ApplicationType.Server).GetAwaiter().GetResult();
+
+        if (cfg.SecurityConfiguration.AutoAcceptUntrustedCertificates)
+        {
+            cfg.CertificateValidator.CertificateValidation += (_, e) =>
+            {
+                if (e.Error.StatusCode == StatusCodes.BadCertificateUntrusted)
+                    e.Accept = true;
+            };
+        }
+
+        return cfg;
+    }
+
+    public async ValueTask DisposeAsync()
+    {
+        if (_disposed) return;
+        _disposed = true;
+        try
+        {
+            _server?.Stop();
+        }
+        catch (Exception ex)
+        {
+            _logger.LogWarning(ex, "OPC UA server stop threw during dispose");
+        }
+        await Task.CompletedTask;
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Server/OpcUa/OpcUaServerOptions.cs

@@ -0,0 +1,42 @@
+namespace ZB.MOM.WW.OtOpcUa.Server.OpcUa;
+
+/// <summary>
+///     OPC UA server endpoint + application-identity configuration. Bound from the
+///     <c>OpcUaServer</c> section of <c>appsettings.json</c>. PR 17 minimum-viable scope: no LDAP,
+///     no security profiles beyond None — those wire in alongside a future deployment-policy PR
+///     that reads from the central config DB instead of appsettings.
+/// </summary>
+public sealed class OpcUaServerOptions
+{
+    public const string SectionName = "OpcUaServer";
+
+    /// <summary>
+    ///     Fully-qualified endpoint URI clients connect to. Use <c>0.0.0.0</c> to bind all
+    ///     interfaces; the stack rewrites to the machine's hostname for the returned endpoint
+    ///     description at GetEndpoints time.
+    /// </summary>
+    public string EndpointUrl { get; init; } = "opc.tcp://0.0.0.0:4840/OtOpcUa";
+
+    /// <summary>Human-readable application name surfaced in the endpoint description.</summary>
+    public string ApplicationName { get; init; } = "OtOpcUa Server";
+
+    /// <summary>Stable application URI — must match the subjectAltName of the app cert.</summary>
+    public string ApplicationUri { get; init; } = "urn:OtOpcUa:Server";
+
+    /// <summary>
+    ///     Directory where the OPC UA stack stores the application certificate + trusted /
+    ///     rejected cert folders. Defaults to <c>%ProgramData%\OtOpcUa\pki</c>; the stack
+    ///     creates the directory tree on first run and generates a self-signed cert.
+    /// </summary>
+    public string PkiStoreRoot { get; init; } =
+        System.IO.Path.Combine(
+            Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData),
+            "OtOpcUa", "pki");
+
+    /// <summary>
+    ///     When true, the stack auto-trusts client certs on first connect. Dev-default = true,
+    ///     production deployments should flip this to false and manually trust clients via the
+    ///     Admin UI.
+    /// </summary>
+    public bool AutoAcceptUntrustedClientCertificates { get; init; } = true;
+}

src/ZB.MOM.WW.OtOpcUa.Server/OpcUa/OtOpcUaServer.cs

@@ -0,0 +1,62 @@
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
+using Opc.Ua;
+using Opc.Ua.Server;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Core.Hosting;
+using ZB.MOM.WW.OtOpcUa.Core.OpcUa;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.OpcUa;
+
+/// <summary>
+///     <see cref="StandardServer"/> subclass that wires one <see cref="DriverNodeManager"/> per
+///     registered driver from <see cref="DriverHost"/>. Anonymous endpoint on
+///     <c>opc.tcp://0.0.0.0:4840</c>, no security — PR 16 minimum-viable scope; LDAP + security
+///     profiles are deferred to their own PR on top of this.
+/// </summary>
+public sealed class OtOpcUaServer : StandardServer
+{
+    private readonly DriverHost _driverHost;
+    private readonly ILoggerFactory _loggerFactory;
+    private readonly List<DriverNodeManager> _driverNodeManagers = new();
+
+    public OtOpcUaServer(DriverHost driverHost, ILoggerFactory loggerFactory)
+    {
+        _driverHost = driverHost;
+        _loggerFactory = loggerFactory;
+    }
+
+    /// <summary>
+    ///     Read-only snapshot of the driver node managers materialized at server start. Used by
+    ///     the generic-driver-node-manager-driven discovery flow after the server starts — the
+    ///     host walks each entry and invokes
+    ///     <c>GenericDriverNodeManager.BuildAddressSpaceAsync(manager)</c> passing the manager
+    ///     as its own <see cref="IAddressSpaceBuilder"/>.
+    /// </summary>
+    public IReadOnlyList<DriverNodeManager> DriverNodeManagers => _driverNodeManagers;
+
+    protected override MasterNodeManager CreateMasterNodeManager(IServerInternal server, ApplicationConfiguration configuration)
+    {
+        foreach (var driverId in _driverHost.RegisteredDriverIds)
+        {
+            var driver = _driverHost.GetDriver(driverId);
+            if (driver is null) continue;
+
+            var logger = _loggerFactory.CreateLogger<DriverNodeManager>();
+            var manager = new DriverNodeManager(server, configuration, driver, logger);
+            _driverNodeManagers.Add(manager);
+        }
+
+        return new MasterNodeManager(server, configuration, null, _driverNodeManagers.ToArray());
+    }
+
+    protected override ServerProperties LoadServerProperties() => new()
+    {
+        ManufacturerName = "OtOpcUa",
+        ProductName = "OtOpcUa.Server",
+        ProductUri = "urn:OtOpcUa:Server",
+        SoftwareVersion = "2.0.0",
+        BuildNumber = "0",
+        BuildDate = DateTime.UtcNow,
+    };
+}

src/ZB.MOM.WW.OtOpcUa.Server/OpcUaServerService.cs

@@ -1,18 +1,20 @@
 using Microsoft.Extensions.Hosting;
 using Microsoft.Extensions.Logging;
 using ZB.MOM.WW.OtOpcUa.Core.Hosting;
+using ZB.MOM.WW.OtOpcUa.Server.OpcUa;
 
 namespace ZB.MOM.WW.OtOpcUa.Server;
 
 /// <summary>
 ///     BackgroundService that owns the OPC UA server lifecycle (decision #30, replacing TopShelf).
-///     Bootstraps config, starts the <see cref="DriverHost"/>, and runs until stopped.
-///     Phase 1 scope: bootstrap-only — the OPC UA transport layer that serves endpoints stays in
-///     the legacy Host until the Phase 2 cutover.
+///     Bootstraps config, starts the <see cref="DriverHost"/>, starts the OPC UA server via
+///     <see cref="OpcUaApplicationHost"/>, drives each driver's discovery into the address space,
+///     runs until stopped.
 /// </summary>
 public sealed class OpcUaServerService(
     NodeBootstrap bootstrap,
     DriverHost driverHost,
+    OpcUaApplicationHost applicationHost,
     ILogger<OpcUaServerService> logger) : BackgroundService
 {
     protected override async Task ExecuteAsync(CancellationToken stoppingToken)
@@ -22,8 +24,11 @@ public sealed class OpcUaServerService(
         var result = await bootstrap.LoadCurrentGenerationAsync(stoppingToken);
         logger.LogInformation("Bootstrap complete: source={Source} generation={Gen}", result.Source, result.GenerationId);
 
-        // Phase 1: no drivers are wired up at bootstrap — Galaxy still lives in legacy Host.
-        // Phase 2 will register drivers here based on the fetched generation.
+        // PR 17: stand up the OPC UA server + drive discovery per registered driver. Driver
+        // registration itself (RegisterAsync on DriverHost) happens during an earlier DI
+        // extension once the central config DB query + per-driver factory land; for now the
+        // server comes up with whatever drivers are in DriverHost at start time.
+        await applicationHost.StartAsync(stoppingToken);
 
         logger.LogInformation("OtOpcUa.Server running. Hosted drivers: {Count}", driverHost.RegisteredDriverIds.Count);
 
@@ -40,6 +45,7 @@ public sealed class OpcUaServerService(
     public override async Task StopAsync(CancellationToken cancellationToken)
     {
         await base.StopAsync(cancellationToken);
+        await applicationHost.DisposeAsync();
         await driverHost.DisposeAsync();
     }
 }

src/ZB.MOM.WW.OtOpcUa.Server/Program.cs

@@ -5,6 +5,7 @@ using Serilog;
 using ZB.MOM.WW.OtOpcUa.Configuration.LocalCache;
 using ZB.MOM.WW.OtOpcUa.Core.Hosting;
 using ZB.MOM.WW.OtOpcUa.Server;
+using ZB.MOM.WW.OtOpcUa.Server.OpcUa;
 
 var builder = Host.CreateApplicationBuilder(args);
 
@@ -29,10 +30,23 @@ var options = new NodeOptions
     LocalCachePath = nodeSection.GetValue<string>("LocalCachePath") ?? "config_cache.db",
 };
 
+var opcUaSection = builder.Configuration.GetSection(OpcUaServerOptions.SectionName);
+var opcUaOptions = new OpcUaServerOptions
+{
+    EndpointUrl = opcUaSection.GetValue<string>("EndpointUrl") ?? "opc.tcp://0.0.0.0:4840/OtOpcUa",
+    ApplicationName = opcUaSection.GetValue<string>("ApplicationName") ?? "OtOpcUa Server",
+    ApplicationUri = opcUaSection.GetValue<string>("ApplicationUri") ?? "urn:OtOpcUa:Server",
+    PkiStoreRoot = opcUaSection.GetValue<string>("PkiStoreRoot")
+                   ?? Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData), "OtOpcUa", "pki"),
+    AutoAcceptUntrustedClientCertificates = opcUaSection.GetValue<bool?>("AutoAcceptUntrustedClientCertificates") ?? true,
+};
+
 builder.Services.AddSingleton(options);
+builder.Services.AddSingleton(opcUaOptions);
 builder.Services.AddSingleton<ILocalConfigCache>(_ => new LiteDbConfigCache(options.LocalCachePath));
 builder.Services.AddSingleton<DriverHost>();
 builder.Services.AddSingleton<NodeBootstrap>();
+builder.Services.AddSingleton<OpcUaApplicationHost>();
 builder.Services.AddHostedService<OpcUaServerService>();
 
 var host = builder.Build();

src/ZB.MOM.WW.OtOpcUa.Server/ZB.MOM.WW.OtOpcUa.Server.csproj

@@ -21,6 +21,8 @@
         <PackageReference Include="Serilog.Settings.Configuration" Version="9.0.0"/>
         <PackageReference Include="Serilog.Sinks.Console" Version="6.0.0"/>
         <PackageReference Include="Serilog.Sinks.File" Version="7.0.0"/>
+        <PackageReference Include="OPCFoundation.NetStandard.Opc.Ua.Server" Version="1.5.374.126"/>
+        <PackageReference Include="OPCFoundation.NetStandard.Opc.Ua.Configuration" Version="1.5.374.126"/>
     </ItemGroup>
 
     <ItemGroup>
@@ -30,6 +32,9 @@
     <ItemGroup>
         <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-37gx-xxp4-5rgx"/>
         <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-w3x6-4m5h-cxqf"/>
+        <!-- OPCFoundation.NetStandard.Opc.Ua.Core advisory — v1 already uses this package at the
+             same version, risk already accepted in the v1 stack. -->
+        <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-h958-fxgg-g7w3"/>
     </ItemGroup>
 
 </Project>

tests/ZB.MOM.WW.OtOpcUa.Server.Tests/OpcUaServerIntegrationTests.cs

@@ -0,0 +1,158 @@
+using Microsoft.Extensions.Logging.Abstractions;
+using Opc.Ua;
+using Opc.Ua.Client;
+using Opc.Ua.Configuration;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Core.Hosting;
+using ZB.MOM.WW.OtOpcUa.Server.OpcUa;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.Tests;
+
+[Trait("Category", "Integration")]
+public sealed class OpcUaServerIntegrationTests : IAsyncLifetime
+{
+    // Use a non-default port + per-test-run PKI root to avoid colliding with anything else
+    // running on the box (a live v1 Host or a developer's previous run).
+    private static readonly int Port = 48400 + Random.Shared.Next(0, 99);
+    private readonly string _endpoint = $"opc.tcp://localhost:{Port}/OtOpcUaTest";
+    private readonly string _pkiRoot = Path.Combine(Path.GetTempPath(), $"otopcua-test-{Guid.NewGuid():N}");
+
+    private DriverHost _driverHost = null!;
+    private OpcUaApplicationHost _server = null!;
+    private FakeDriver _driver = null!;
+
+    public async ValueTask InitializeAsync()
+    {
+        _driverHost = new DriverHost();
+        _driver = new FakeDriver();
+        await _driverHost.RegisterAsync(_driver, "{}", CancellationToken.None);
+
+        var options = new OpcUaServerOptions
+        {
+            EndpointUrl = _endpoint,
+            ApplicationName = "OtOpcUaTest",
+            ApplicationUri = "urn:OtOpcUa:Server:Test",
+            PkiStoreRoot = _pkiRoot,
+            AutoAcceptUntrustedClientCertificates = true,
+        };
+
+        _server = new OpcUaApplicationHost(options, _driverHost, NullLoggerFactory.Instance,
+            NullLogger<OpcUaApplicationHost>.Instance);
+        await _server.StartAsync(CancellationToken.None);
+    }
+
+    public async ValueTask DisposeAsync()
+    {
+        await _server.DisposeAsync();
+        await _driverHost.DisposeAsync();
+        try { Directory.Delete(_pkiRoot, recursive: true); } catch { /* best-effort */ }
+    }
+
+    [Fact]
+    public async Task Client_can_connect_and_browse_driver_subtree()
+    {
+        using var session = await OpenSessionAsync();
+
+        // Browse the driver subtree registered under ObjectsFolder. FakeDriver registers one
+        // folder ("TestFolder") with one variable ("Var1"), so we expect to see our driver's
+        // root folder plus standard UA children.
+        var rootRef = new NodeId("fake", (ushort)session.NamespaceUris.GetIndex("urn:OtOpcUa:fake"));
+        session.Browse(null, null, rootRef, 0, BrowseDirection.Forward, ReferenceTypeIds.HierarchicalReferences,
+            true, (uint)NodeClass.Object | (uint)NodeClass.Variable, out _, out var references);
+
+        references.Count.ShouldBeGreaterThan(0);
+        references.ShouldContain(r => r.BrowseName.Name == "TestFolder");
+    }
+
+    [Fact]
+    public async Task Client_can_read_a_driver_variable_through_the_node_manager()
+    {
+        using var session = await OpenSessionAsync();
+
+        var nsIndex = (ushort)session.NamespaceUris.GetIndex("urn:OtOpcUa:fake");
+        var varNodeId = new NodeId("TestFolder.Var1", nsIndex);
+
+        var dv = session.ReadValue(varNodeId);
+        dv.ShouldNotBeNull();
+        // FakeDriver.ReadAsync returns 42 as the value.
+        dv.Value.ShouldBe(42);
+    }
+
+    private async Task<ISession> OpenSessionAsync()
+    {
+        var cfg = new ApplicationConfiguration
+        {
+            ApplicationName = "OtOpcUaTestClient",
+            ApplicationUri = "urn:OtOpcUa:TestClient",
+            ApplicationType = ApplicationType.Client,
+            SecurityConfiguration = new SecurityConfiguration
+            {
+                ApplicationCertificate = new CertificateIdentifier
+                {
+                    StoreType = CertificateStoreType.Directory,
+                    StorePath = Path.Combine(_pkiRoot, "client-own"),
+                    SubjectName = "CN=OtOpcUaTestClient",
+                },
+                TrustedIssuerCertificates = new CertificateTrustList { StoreType = CertificateStoreType.Directory, StorePath = Path.Combine(_pkiRoot, "client-issuers") },
+                TrustedPeerCertificates = new CertificateTrustList { StoreType = CertificateStoreType.Directory, StorePath = Path.Combine(_pkiRoot, "client-trusted") },
+                RejectedCertificateStore = new CertificateTrustList { StoreType = CertificateStoreType.Directory, StorePath = Path.Combine(_pkiRoot, "client-rejected") },
+                AutoAcceptUntrustedCertificates = true,
+                AddAppCertToTrustedStore = true,
+            },
+            TransportConfigurations = new TransportConfigurationCollection(),
+            TransportQuotas = new TransportQuotas { OperationTimeout = 15000 },
+            ClientConfiguration = new ClientConfiguration { DefaultSessionTimeout = 60000 },
+        };
+        await cfg.Validate(ApplicationType.Client);
+        cfg.CertificateValidator.CertificateValidation += (_, e) => e.Accept = true;
+
+        var instance = new ApplicationInstance { ApplicationConfiguration = cfg, ApplicationType = ApplicationType.Client };
+        await instance.CheckApplicationInstanceCertificate(true, CertificateFactory.DefaultKeySize);
+
+        // Let the client fetch the live endpoint description from the running server so the
+        // UserTokenPolicy it signs with matches what the server actually advertised (including
+        // the PolicyId = "Anonymous" the server sets).
+        var selected = CoreClientUtils.SelectEndpoint(cfg, _endpoint, useSecurity: false);
+        var endpointConfig = EndpointConfiguration.Create(cfg);
+        var configuredEndpoint = new ConfiguredEndpoint(null, selected, endpointConfig);
+
+        return await Session.Create(cfg, configuredEndpoint, false, "OtOpcUaTestClientSession", 60000,
+            new UserIdentity(new AnonymousIdentityToken()), null);
+    }
+
+    /// <summary>
+    ///     Minimum driver that implements enough of IDriver + ITagDiscovery + IReadable to drive
+    ///     the integration test. Returns a single folder with one variable that reads as 42.
+    /// </summary>
+    private sealed class FakeDriver : IDriver, ITagDiscovery, IReadable
+    {
+        public string DriverInstanceId => "fake";
+        public string DriverType => "Fake";
+
+        public Task InitializeAsync(string driverConfigJson, CancellationToken ct) => Task.CompletedTask;
+        public Task ReinitializeAsync(string driverConfigJson, CancellationToken ct) => Task.CompletedTask;
+        public Task ShutdownAsync(CancellationToken ct) => Task.CompletedTask;
+        public DriverHealth GetHealth() => new(DriverState.Healthy, DateTime.UtcNow, null);
+        public long GetMemoryFootprint() => 0;
+        public Task FlushOptionalCachesAsync(CancellationToken ct) => Task.CompletedTask;
+
+        public Task DiscoverAsync(IAddressSpaceBuilder builder, CancellationToken ct)
+        {
+            var folder = builder.Folder("TestFolder", "TestFolder");
+            folder.Variable("Var1", "Var1", new DriverAttributeInfo(
+                "TestFolder.Var1", DriverDataType.Int32, false, null, SecurityClassification.FreeAccess, false, IsAlarm: false));
+            return Task.CompletedTask;
+        }
+
+        public Task<IReadOnlyList<DataValueSnapshot>> ReadAsync(
+            IReadOnlyList<string> fullReferences, CancellationToken cancellationToken)
+        {
+            var now = DateTime.UtcNow;
+            IReadOnlyList<DataValueSnapshot> result =
+                fullReferences.Select(_ => new DataValueSnapshot(42, 0u, now, now)).ToArray();
+            return Task.FromResult(result);
+        }
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Server.Tests/ZB.MOM.WW.OtOpcUa.Server.Tests.csproj

@@ -14,6 +14,7 @@
         <PackageReference Include="Shouldly" Version="4.3.0"/>
         <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.12.0"/>
         <PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="10.0.0"/>
+        <PackageReference Include="OPCFoundation.NetStandard.Opc.Ua.Client" Version="1.5.374.126"/>
         <PackageReference Include="xunit.runner.visualstudio" Version="3.0.2">
             <PrivateAssets>all</PrivateAssets>
             <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
@@ -27,6 +28,7 @@
     <ItemGroup>
         <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-37gx-xxp4-5rgx"/>
         <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-w3x6-4m5h-cxqf"/>
+        <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-h958-fxgg-g7w3"/>
     </ItemGroup>
 
 </Project>