Phase 3 PR 29 — Account/session page expanding the minimal sidebar role display into a dedicated /account route. Shows the authenticated operator's identity (username from ClaimTypes.NameIdentifier, display name from ClaimTypes.Name), their Admin roles as badges (from ClaimTypes.Role), the raw LDAP groups that mapped to those roles (from the 'ldap_group' claim added by Login.razor at sign-in), and a capability table listing each Admin capability with its required role and a Yes/No badge showing whether this session has it. Capability list mirrors the Program.cs authorization policies + each page's [Authorize] attribute so operators can self-service check whether their session has access without trial-and-error navigation — capabilities covered: view clusters + fleet status (all roles), edit configuration drafts (ConfigEditor or FleetAdmin per CanEdit policy), publish generations (FleetAdmin per CanPublish policy), manage certificate trust (FleetAdmin per PR 28 Certificates page attribute), manage external-ID reservations (ConfigEditor or FleetAdmin per Reservations page attribute).

Sidebar's 'Signed in as' line now wraps the display name in a link to /account so the existing sidebar-compact view becomes the entry point for the fuller page — keeps the sign-out button where it was for muscle memory, just adds the detail page one click away. Page is gated with [Authorize] (any authenticated admin) rather than a specific role — the capability table deliberately works for every signed-in user so they can see what they DON'T have access to, which helps them file the right ticket with their LDAP admin instead of getting a plain Access Denied when navigating blindly.
Capability → required-role table is defined as a private readonly record list in the page rather than pulled from a service because it's a UI-presentation concern, not runtime policy state — the runtime policy IS Program.cs's AddAuthorizationBuilder + each page's [Authorize] attribute, and this table just mirrors it for operator readability. Comment on the list reminds future-me to extend it when a new policy or [Authorize] page lands. No behavior change if roles are empty, but the page surfaces a hint ('Sign-in would have been blocked, so if you're seeing this, the session claim is likely stale') that nudges the operator toward signing out + back in.
No new tests added — the page is pure display over claims; its only logic is the 'has-capability' Any-overlap check which is exactly what ASP.NET's [Authorize(Roles=...)] does in-framework, and duplicating that in a unit test would test the framework rather than our code. Admin.Tests Unit stays 23 pass / 0 fail. Admin build clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

ZB.MOM.WW.OtOpcUa.slnx

@@ -8,6 +8,7 @@
         <Project Path="src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared.csproj"/>
         <Project Path="src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.csproj"/>
         <Project Path="src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.csproj"/>
+        <Project Path="src/ZB.MOM.WW.OtOpcUa.Driver.Modbus/ZB.MOM.WW.OtOpcUa.Driver.Modbus.csproj"/>
         <Project Path="src/ZB.MOM.WW.OtOpcUa.Client.Shared/ZB.MOM.WW.OtOpcUa.Client.Shared.csproj"/>
         <Project Path="src/ZB.MOM.WW.OtOpcUa.Client.CLI/ZB.MOM.WW.OtOpcUa.Client.CLI.csproj"/>
         <Project Path="src/ZB.MOM.WW.OtOpcUa.Client.UI/ZB.MOM.WW.OtOpcUa.Client.UI.csproj"/>
@@ -22,6 +23,7 @@
         <Project Path="tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Tests.csproj"/>
         <Project Path="tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.Tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.Tests.csproj"/>
         <Project Path="tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.E2E/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.E2E.csproj"/>
+        <Project Path="tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.Tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.Tests.csproj"/>
         <Project Path="tests/ZB.MOM.WW.OtOpcUa.Client.Shared.Tests/ZB.MOM.WW.OtOpcUa.Client.Shared.Tests.csproj"/>
         <Project Path="tests/ZB.MOM.WW.OtOpcUa.Client.CLI.Tests/ZB.MOM.WW.OtOpcUa.Client.CLI.Tests.csproj"/>
         <Project Path="tests/ZB.MOM.WW.OtOpcUa.Client.UI.Tests/ZB.MOM.WW.OtOpcUa.Client.UI.Tests.csproj"/>

docs/v2/lmx-followups.md

@@ -0,0 +1,109 @@
+# LMX Galaxy bridge — remaining follow-ups
+
+State after PR 19: the Galaxy driver is functionally at v1 parity through the
+`IDriver` abstraction; the OPC UA server runs with LDAP-authenticated
+Basic256Sha256 endpoints and alarms are observable through
+`AlarmConditionState.ReportEvent`. The items below are what remains LMX-
+specific before the stack can fully replace the v1 deployment, in
+rough priority order.
+
+## 1. Proxy-side `IHistoryProvider` for `ReadAtTime` / `ReadEvents`
+
+**Status**: Host-side IPC shipped (PR 10 + PR 11). Proxy consumer not written.
+
+PR 10 added `HistoryReadAtTimeRequest/Response` on the IPC wire and
+`MxAccessGalaxyBackend.HistoryReadAtTimeAsync` delegates to
+`HistorianDataSource.ReadAtTimeAsync`. PR 11 did the same for events
+(`HistoryReadEventsRequest/Response` + `GalaxyHistoricalEvent`). The Proxy
+side (`GalaxyProxyDriver`) doesn't call those yet — `Core.Abstractions.IHistoryProvider`
+only exposes `ReadRawAsync` + `ReadProcessedAsync`.
+
+**To do**:
+- Extend `IHistoryProvider` with `ReadAtTimeAsync(string, DateTime[], …)` and
+  `ReadEventsAsync(string?, DateTime, DateTime, int, …)`.
+- `GalaxyProxyDriver` calls the new IPC message kinds.
+- `DriverNodeManager` wires the new capability methods onto `HistoryRead`
+  `AtTime` + `Events` service handlers.
+- Integration test: OPC UA client calls `HistoryReadAtTime` / `HistoryReadEvents`,
+  value flows through IPC to the Host's `HistorianDataSource`, back to the client.
+
+## 2. Write-gating by role — **DONE (PR 26)**
+
+Landed in PR 26. `WriteAuthzPolicy` in `Server/Security/` maps
+`SecurityClassification` → required role (`FreeAccess` → no role required,
+`Operate`/`SecuredWrite` → `WriteOperate`, `Tune` → `WriteTune`,
+`Configure`/`VerifiedWrite` → `WriteConfigure`, `ViewOnly` → deny regardless).
+`DriverNodeManager` caches the classification per variable during discovery and
+checks the session's roles (via `IRoleBearer`) in `OnWriteValue` before calling
+`IWritable.WriteAsync`. Roles do not cascade — a session with `WriteOperate`
+can't write a `Tune` attribute unless it also carries `WriteTune`.
+
+See `feedback_acl_at_server_layer.md` in memory for the architectural directive
+that authz stays at the server layer and never delegates to driver-specific auth.
+
+## 3. Admin UI client-cert trust management — **DONE (PR 28)**
+
+PR 28 shipped `/certificates` in the Admin UI. `CertTrustService` reads the OPC
+UA server's PKI store root (`OpcUaServerOptions.PkiStoreRoot` — default
+`%ProgramData%\OtOpcUa\pki`) and lists rejected + trusted certs by parsing the
+`.der` files directly, so it has no `Opc.Ua` dependency and runs on any
+Admin host that can reach the shared PKI directory.
+
+Operator actions: Trust (moves `rejected/certs/*.der` → `trusted/certs/*.der`),
+Delete rejected, Revoke trust. The OPC UA stack re-reads the trusted store on
+each new client handshake, so no explicit reload signal is needed —
+operators retry the rejected client's connection after trusting.
+
+Deferred: flipping `AutoAcceptUntrustedClientCertificates` to `false` as the
+deployment default. That's a production-hardening config change, not a code
+gap — the Admin UI is now ready to be the trust gate.
+
+## 4. Live-LDAP integration test
+
+**Status**: PR 19 unit-tested the auth-flow shape; the live bind path is
+exercised only by the pre-existing `Admin.Tests/LdapLiveBindTests.cs` which
+uses the same Novell library against a running GLAuth at `localhost:3893`.
+
+**To do**:
+- Add `OpcUaServerIntegrationTests.Valid_username_authenticates_against_live_ldap`
+  with the same skip-when-unreachable guard.
+- Assert `session.Identity` on the server side carries the expected role
+  after bind — requires exposing a test hook or reading identity from a
+  new `IHostConnectivityProbe`-style "whoami" variable in the address space.
+
+## 5. Full Galaxy live-service smoke test against the merged v2 stack
+
+**Status**: Individual pieces have live smoke tests (PR 5 MXAccess, PR 13
+probe manager, PR 14 alarm tracker), but the full loop — OPC UA client →
+`OtOpcUaServer` → `GalaxyProxyDriver` (in-process) → named-pipe to
+Galaxy.Host subprocess → live MXAccess runtime → real Galaxy objects — has
+no single end-to-end smoke test.
+
+**To do**:
+- Test that spawns the full topology, discovers a deployed Galaxy object,
+  subscribes to one of its attributes, writes a value back, and asserts the
+  write round-tripped through MXAccess. Skip when ArchestrA isn't running.
+
+## 6. Second driver instance on the same server
+
+**Status**: `DriverHost.RegisterAsync` supports multiple drivers; the OPC UA
+server creates one `DriverNodeManager` per driver and isolates their
+subtrees under distinct namespace URIs. Not proven with two active
+`GalaxyProxyDriver` instances pointing at different Galaxies.
+
+**To do**:
+- Integration test that registers two driver instances, each with a distinct
+  `DriverInstanceId` + endpoint in its own session, asserts nodes from both
+  appear under the correct subtrees, alarm events land on the correct
+  instance's condition nodes.
+
+## 7. Host-status per-AppEngine granularity → Admin UI dashboard
+
+**Status**: PR 13 ships per-platform/per-AppEngine `ScanState` probing; PR 17
+surfaces the resulting `OnHostStatusChanged` events through OPC UA. Admin
+UI doesn't render a per-host dashboard yet.
+
+**To do**:
+- SignalR hub push of `HostStatusChangedEventArgs` to the Admin UI.
+- Dashboard page showing each tracked host, current state, last transition
+  time, failure count.

docs/v2/modbus-test-plan.md

@@ -0,0 +1,103 @@
+# Modbus driver — test plan + device-quirk catalog
+
+The Modbus TCP driver unit tests (PRs 21–24) cover the protocol surface against an
+in-memory fake transport. They validate the codec, state machine, and function-code
+routing against a textbook Modbus server. That's necessary but not sufficient: real PLC
+populations disagree with the spec in small, device-specific ways, and a driver that
+passes textbook tests can still misbehave against actual equipment.
+
+This doc is the harness-and-quirks playbook. It's what gets wired up in the
+`tests/Driver.Modbus.IntegrationTests` project when we ship that (PR 26 candidate).
+
+## Harness
+
+**Chosen simulator: ModbusPal** (Java, scriptable). Rationale:
+- Scriptable enough to mimic device-specific behaviors (non-standard register
+  layouts, custom exception codes, intentional response delays).
+- Runs locally, no CI dependency. Tests skip when `localhost:502` (or the configured
+  simulator endpoint) isn't reachable.
+- Free + long-maintained — physical PLC bench is unavailable in most dev
+  environments, and renting cloud PLCs isn't worth the per-test cost.
+
+**Setup pattern** (not yet codified in a script — will land alongside the integration
+test project):
+1. Install ModbusPal, load the per-device `.xmpp` profile from
+   `tests/Driver.Modbus.IntegrationTests/ModbusPal/` (TBD directory).
+2. Start the simulator listening on `localhost:502` (or override via
+   `MODBUS_SIM_ENDPOINT` env var).
+3. `dotnet test` the integration project — tests auto-skip when the endpoint is
+   unreachable, so forgetting to start the simulator doesn't wedge CI.
+
+## Per-device quirk catalog
+
+### AutomationDirect DL205
+
+First known target device. Quirks to document and cover with named tests (to be
+filled in when user validates each behavior in ModbusPal with a DL205 profile):
+
+- **Word order for 32-bit values**: _pending_ — confirm whether DL205 uses ABCD
+  (Modbus TCP standard) or CDAB (Siemens-style word-swap) for Int32/UInt32/Float32.
+  Test name: `DL205_Float32_word_order_is_CDAB` (or `ABCD`, whichever proves out).
+- **Register-zero access**: _pending_ — some DL205 configurations reject FC03 at
+  register 0 with exception code 02 (illegal data address). If confirmed, the
+  integration test suite verifies `ModbusProbeOptions.ProbeAddress` default of 0
+  triggers the rejection and operators must override; test name:
+  `DL205_FC03_at_register_0_returns_IllegalDataAddress`.
+- **Coil addressing base**: _pending_ — DL205 documentation sometimes uses 1-based
+  coil addresses; verify the driver's zero-based addressing matches the physical
+  PLC without an off-by-one adjustment.
+- **Maximum registers per FC03**: _pending_ — Modbus spec caps at 125; some DL205
+  models enforce a lower limit (e.g., 64). Test name:
+  `DL205_FC03_beyond_max_registers_returns_IllegalDataValue`.
+- **Response framing under sustained load**: _pending_ — the driver's
+  single-flight semaphore assumes the server pairs requests/responses by
+  transaction id; at least one DL205 firmware revision is reported to drop the
+  TxId under load. If reproduced in ModbusPal we add a retry + log-and-continue
+  path to `ModbusTcpTransport`.
+- **Exception code on coil write to a protected bit**: _pending_ — some DL205
+  setups protect internal coils; the driver should surface the PLC's exception
+  PDU as `BadNotWritable` rather than `BadInternalError`.
+
+_User action item_: as each quirk is validated in ModbusPal, replace the _pending_
+marker with the confirmed behavior and file a named test in the integration suite.
+
+### Future devices
+
+One section per device class, same shape as DL205. Quirks that apply across
+multiple devices (e.g., "all AB PLCs use CDAB") can be noted in the cross-device
+patterns section below once we have enough data points.
+
+## Cross-device patterns
+
+Once multiple device catalogs accumulate, quirks that recur across two or more
+vendors get promoted into driver defaults or opt-in options:
+
+- _(empty — filled in as catalogs grow)_
+
+## Test conventions
+
+- **One named test per quirk.** `DL205_word_order_is_CDAB_for_Float32` is easier to
+  diagnose on failure than a generic `Float32_roundtrip`. The `DL205_` prefix makes
+  filtering by device class trivial (`--filter "DisplayName~DL205"`).
+- **Skip with a clear SkipReason.** Follow the pattern from
+  `GalaxyRepositoryLiveSmokeTests`: check reachability in the fixture, capture
+  a `SkipReason` string, and have each test call `Assert.Skip(SkipReason)` when
+  it's set. Don't throw — skipped tests read cleanly in CI logs.
+- **Use the real `ModbusTcpTransport`.** Integration tests exercise the wire
+  protocol end-to-end. The in-memory `FakeTransport` from the unit test suite is
+  deliberately not used here — its value is speed + determinism, which doesn't
+  help reproduce device-specific issues.
+- **Don't depend on ModbusPal state between tests.** Each test resets the
+  simulator's register bank or uses a unique address range. Avoid relying on
+  "previous test left value at register 10" setups that flake when tests run in
+  parallel or re-order.
+
+## Next concrete PRs
+
+- **PR 26 — Integration test project + DL205 profile scaffold**: creates
+  `tests/Driver.Modbus.IntegrationTests`, imports the ModbusPal profile (or
+  generates it from JSON), adds the fixture with skip-when-unreachable, plus
+  one smoke test that reads a register. No DL205-specific assertions yet — that
+  waits for the user to validate each quirk.
+- **PR 27+**: one PR per confirmed DL205 quirk, landing the named test + any
+  driver-side adjustment (e.g., retry on dropped TxId) needed to pass it.

src/ZB.MOM.WW.OtOpcUa.Admin/Components/Layout/MainLayout.razor

@@ -5,15 +5,17 @@
         <h5 class="mb-4">OtOpcUa Admin</h5>
         <ul class="nav flex-column">
             <li class="nav-item"><a class="nav-link text-light" href="/">Overview</a></li>
+            <li class="nav-item"><a class="nav-link text-light" href="/fleet">Fleet status</a></li>
             <li class="nav-item"><a class="nav-link text-light" href="/clusters">Clusters</a></li>
             <li class="nav-item"><a class="nav-link text-light" href="/reservations">Reservations</a></li>
+            <li class="nav-item"><a class="nav-link text-light" href="/certificates">Certificates</a></li>
         </ul>
 
         <div class="mt-5">
             <AuthorizeView>
                 <Authorized>
                     <div class="small text-light">
-                        Signed in as <strong>@context.User.Identity?.Name</strong>
+                        Signed in as <a class="text-light" href="/account"><strong>@context.User.Identity?.Name</strong></a>
                     </div>
                     <div class="small text-muted">
                         @string.Join(", ", context.User.Claims.Where(c => c.Type.EndsWith("/role")).Select(c => c.Value))

src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Account.razor

@@ -0,0 +1,129 @@
+@page "/account"
+@attribute [Microsoft.AspNetCore.Authorization.Authorize]
+@using System.Security.Claims
+@using ZB.MOM.WW.OtOpcUa.Admin.Services
+
+<h1 class="mb-4">My account</h1>
+
+<AuthorizeView>
+    <Authorized>
+        @{
+            var username = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value ?? "—";
+            var displayName = context.User.Identity?.Name ?? "—";
+            var roles = context.User.Claims
+                .Where(c => c.Type == ClaimTypes.Role).Select(c => c.Value).ToList();
+            var ldapGroups = context.User.Claims
+                .Where(c => c.Type == "ldap_group").Select(c => c.Value).ToList();
+        }
+
+        <div class="row g-4">
+            <div class="col-md-6">
+                <div class="card">
+                    <div class="card-body">
+                        <h5 class="card-title">Identity</h5>
+                        <dl class="row mb-0">
+                            <dt class="col-sm-4">Username</dt><dd class="col-sm-8"><code>@username</code></dd>
+                            <dt class="col-sm-4">Display name</dt><dd class="col-sm-8">@displayName</dd>
+                        </dl>
+                    </div>
+                </div>
+            </div>
+
+            <div class="col-md-6">
+                <div class="card">
+                    <div class="card-body">
+                        <h5 class="card-title">Admin roles</h5>
+                        @if (roles.Count == 0)
+                        {
+                            <p class="text-muted mb-0">No Admin roles mapped — sign-in would have been blocked, so if you're seeing this, the session claim is likely stale.</p>
+                        }
+                        else
+                        {
+                            <div class="mb-2">
+                                @foreach (var r in roles)
+                                {
+                                    <span class="badge bg-primary me-1">@r</span>
+                                }
+                            </div>
+                            <small class="text-muted">LDAP groups: @(ldapGroups.Count == 0 ? "(none surfaced)" : string.Join(", ", ldapGroups))</small>
+                        }
+                    </div>
+                </div>
+            </div>
+
+            <div class="col-12">
+                <div class="card">
+                    <div class="card-body">
+                        <h5 class="card-title">Capabilities</h5>
+                        <p class="text-muted small">
+                            Each Admin role grants a fixed capability set per <code>admin-ui.md</code> §Admin Roles.
+                            Pages below reflect what this session can access; the route's <code>[Authorize]</code> guard
+                            is the ground truth — this table mirrors it for readability.
+                        </p>
+                        <table class="table table-sm align-middle mb-0">
+                            <thead>
+                                <tr>
+                                    <th>Capability</th>
+                                    <th>Required role(s)</th>
+                                    <th class="text-end">You have it?</th>
+                                </tr>
+                            </thead>
+                            <tbody>
+                            @foreach (var cap in Capabilities)
+                            {
+                                var has = cap.RequiredRoles.Any(r => roles.Contains(r, StringComparer.OrdinalIgnoreCase));
+                                <tr>
+                                    <td>@cap.Name<br /><small class="text-muted">@cap.Description</small></td>
+                                    <td>@string.Join(" or ", cap.RequiredRoles)</td>
+                                    <td class="text-end">
+                                        @if (has)
+                                        {
+                                            <span class="badge bg-success">Yes</span>
+                                        }
+                                        else
+                                        {
+                                            <span class="badge bg-secondary">No</span>
+                                        }
+                                    </td>
+                                </tr>
+                            }
+                            </tbody>
+                        </table>
+                    </div>
+                </div>
+            </div>
+        </div>
+
+        <div class="mt-4">
+            <form method="post" action="/auth/logout">
+                <button class="btn btn-outline-danger" type="submit">Sign out</button>
+            </form>
+        </div>
+    </Authorized>
+</AuthorizeView>
+
+@code {
+    private sealed record Capability(string Name, string Description, string[] RequiredRoles);
+
+    // Kept in sync with Program.cs authorization policies + each page's [Authorize] attribute.
+    // When a new page or policy is added, extend this list so operators can self-service check
+    // whether their session has access without trial-and-error navigation.
+    private static readonly IReadOnlyList<Capability> Capabilities =
+    [
+        new("View clusters + fleet status",
+            "Read-only access to the cluster list, fleet dashboard, and generation history.",
+            [AdminRoles.ConfigViewer, AdminRoles.ConfigEditor, AdminRoles.FleetAdmin]),
+        new("Edit configuration drafts",
+            "Create and edit draft generations, manage namespace bindings and node ACLs. CanEdit policy.",
+            [AdminRoles.ConfigEditor, AdminRoles.FleetAdmin]),
+        new("Publish generations",
+            "Promote a draft to Published — triggers node roll-out. CanPublish policy.",
+            [AdminRoles.FleetAdmin]),
+        new("Manage certificate trust",
+            "Trust rejected client certs + revoke trust. FleetAdmin-only because the trust decision gates OPC UA client access.",
+            [AdminRoles.FleetAdmin]),
+        new("Manage external-ID reservations",
+            "Reserve / release external IDs that map into Galaxy contained names.",
+            [AdminRoles.ConfigEditor, AdminRoles.FleetAdmin]),
+    ];
+}

src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Certificates.razor

@@ -0,0 +1,154 @@
+@page "/certificates"
+@attribute [Microsoft.AspNetCore.Authorization.Authorize(Roles = AdminRoles.FleetAdmin)]
+@using ZB.MOM.WW.OtOpcUa.Admin.Services
+@inject CertTrustService Certs
+@inject AuthenticationStateProvider AuthState
+@inject ILogger<Certificates> Log
+
+<h1 class="mb-4">Certificate trust</h1>
+
+<div class="alert alert-info small mb-4">
+    PKI store root <code>@Certs.PkiStoreRoot</code>. Trusting a rejected cert moves the file into the trusted store — the OPC UA server picks up the change on the next client handshake, so operators should retry the rejected client's connection after trusting.
+</div>
+
+@if (_status is not null)
+{
+    <div class="alert alert-@_statusKind alert-dismissible">
+        @_status
+        <button type="button" class="btn-close" @onclick="ClearStatus"></button>
+    </div>
+}
+
+<h2 class="h4">Rejected (@_rejected.Count)</h2>
+@if (_rejected.Count == 0)
+{
+    <p class="text-muted">No rejected certificates. Clients that fail to handshake with an untrusted cert land here.</p>
+}
+else
+{
+    <table class="table table-sm align-middle">
+        <thead><tr><th>Subject</th><th>Issuer</th><th>Thumbprint</th><th>Valid</th><th class="text-end">Actions</th></tr></thead>
+        <tbody>
+        @foreach (var c in _rejected)
+        {
+            <tr>
+                <td>@c.Subject</td>
+                <td>@c.Issuer</td>
+                <td><code class="small">@c.Thumbprint</code></td>
+                <td class="small">@c.NotBefore.ToString("yyyy-MM-dd") → @c.NotAfter.ToString("yyyy-MM-dd")</td>
+                <td class="text-end">
+                    <button class="btn btn-sm btn-success me-1" @onclick="() => TrustAsync(c)">Trust</button>
+                    <button class="btn btn-sm btn-outline-danger" @onclick="() => DeleteRejectedAsync(c)">Delete</button>
+                </td>
+            </tr>
+        }
+        </tbody>
+    </table>
+}
+
+<h2 class="h4 mt-5">Trusted (@_trusted.Count)</h2>
+@if (_trusted.Count == 0)
+{
+    <p class="text-muted">No client certs have been explicitly trusted. The server's own application cert lives in <code>own/</code> and is not listed here.</p>
+}
+else
+{
+    <table class="table table-sm align-middle">
+        <thead><tr><th>Subject</th><th>Issuer</th><th>Thumbprint</th><th>Valid</th><th class="text-end">Actions</th></tr></thead>
+        <tbody>
+        @foreach (var c in _trusted)
+        {
+            <tr>
+                <td>@c.Subject</td>
+                <td>@c.Issuer</td>
+                <td><code class="small">@c.Thumbprint</code></td>
+                <td class="small">@c.NotBefore.ToString("yyyy-MM-dd") → @c.NotAfter.ToString("yyyy-MM-dd")</td>
+                <td class="text-end">
+                    <button class="btn btn-sm btn-outline-danger" @onclick="() => UntrustAsync(c)">Revoke</button>
+                </td>
+            </tr>
+        }
+        </tbody>
+    </table>
+}
+
+@code {
+    private IReadOnlyList<CertInfo> _rejected = [];
+    private IReadOnlyList<CertInfo> _trusted = [];
+    private string? _status;
+    private string _statusKind = "success";
+
+    protected override void OnInitialized() => Reload();
+
+    private void Reload()
+    {
+        _rejected = Certs.ListRejected();
+        _trusted = Certs.ListTrusted();
+    }
+
+    private async Task TrustAsync(CertInfo c)
+    {
+        if (Certs.TrustRejected(c.Thumbprint))
+        {
+            await LogActionAsync("cert.trust", c);
+            Set($"Trusted cert {c.Subject} ({Short(c.Thumbprint)}).", "success");
+        }
+        else
+        {
+            Set($"Could not trust {Short(c.Thumbprint)} — file missing; another admin may have already handled it.", "warning");
+        }
+        Reload();
+    }
+
+    private async Task DeleteRejectedAsync(CertInfo c)
+    {
+        if (Certs.DeleteRejected(c.Thumbprint))
+        {
+            await LogActionAsync("cert.delete.rejected", c);
+            Set($"Deleted rejected cert {c.Subject} ({Short(c.Thumbprint)}).", "success");
+        }
+        else
+        {
+            Set($"Could not delete {Short(c.Thumbprint)} — file missing.", "warning");
+        }
+        Reload();
+    }
+
+    private async Task UntrustAsync(CertInfo c)
+    {
+        if (Certs.UntrustCert(c.Thumbprint))
+        {
+            await LogActionAsync("cert.untrust", c);
+            Set($"Revoked trust for {c.Subject} ({Short(c.Thumbprint)}).", "success");
+        }
+        else
+        {
+            Set($"Could not revoke {Short(c.Thumbprint)} — file missing.", "warning");
+        }
+        Reload();
+    }
+
+    private async Task LogActionAsync(string action, CertInfo c)
+    {
+        // Cert trust changes are operator-initiated and security-sensitive — Serilog captures the
+        // user + thumbprint trail. CertTrustService also logs at Information on each filesystem
+        // move/delete; this line ties the action to the authenticated admin user so the two logs
+        // correlate. DB-level ConfigAuditLog persistence is deferred — its schema is
+        // cluster-scoped and cert actions are cluster-agnostic.
+        var state = await AuthState.GetAuthenticationStateAsync();
+        var user = state.User.Identity?.Name ?? "(anonymous)";
+        Log.LogInformation("Admin cert action: user={User} action={Action} thumbprint={Thumbprint} subject={Subject}",
+            user, action, c.Thumbprint, c.Subject);
+    }
+
+    private void Set(string message, string kind)
+    {
+        _status = message;
+        _statusKind = kind;
+    }
+
+    private void ClearStatus() => _status = null;
+
+    private static string Short(string thumbprint) =>
+        thumbprint.Length > 12 ? thumbprint[..12] + "…" : thumbprint;
+}

src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Fleet.razor

@@ -0,0 +1,172 @@
+@page "/fleet"
+@using Microsoft.EntityFrameworkCore
+@using ZB.MOM.WW.OtOpcUa.Configuration
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@inject IServiceScopeFactory ScopeFactory
+@implements IDisposable
+
+<h1 class="mb-4">Fleet status</h1>
+
+<div class="d-flex align-items-center mb-3 gap-2">
+    <button class="btn btn-sm btn-outline-primary" @onclick="RefreshAsync" disabled="@_refreshing">
+        @if (_refreshing) { <span class="spinner-border spinner-border-sm me-1" /> }
+        Refresh
+    </button>
+    <span class="text-muted small">
+        Auto-refresh every @RefreshIntervalSeconds s. Last updated: @(_lastRefreshUtc?.ToString("HH:mm:ss 'UTC'") ?? "—")
+    </span>
+</div>
+
+@if (_rows is null)
+{
+    <p>Loading…</p>
+}
+else if (_rows.Count == 0)
+{
+    <div class="alert alert-info">
+        No node state recorded yet. Nodes publish their state to the central DB on each poll; if
+        this list is empty, either no nodes have been registered or the poller hasn't run yet.
+    </div>
+}
+else
+{
+    <div class="row g-3 mb-4">
+        <div class="col-md-3">
+            <div class="card"><div class="card-body">
+                <h6 class="text-muted mb-1">Nodes</h6>
+                <div class="fs-3">@_rows.Count</div>
+            </div></div>
+        </div>
+        <div class="col-md-3">
+            <div class="card border-success"><div class="card-body">
+                <h6 class="text-muted mb-1">Applied</h6>
+                <div class="fs-3 text-success">@_rows.Count(r => r.Status == "Applied")</div>
+            </div></div>
+        </div>
+        <div class="col-md-3">
+            <div class="card border-warning"><div class="card-body">
+                <h6 class="text-muted mb-1">Stale</h6>
+                <div class="fs-3 text-warning">@_rows.Count(r => IsStale(r))</div>
+            </div></div>
+        </div>
+        <div class="col-md-3">
+            <div class="card border-danger"><div class="card-body">
+                <h6 class="text-muted mb-1">Failed</h6>
+                <div class="fs-3 text-danger">@_rows.Count(r => r.Status == "Failed")</div>
+            </div></div>
+        </div>
+    </div>
+
+    <table class="table table-hover align-middle">
+        <thead>
+            <tr>
+                <th>Node</th>
+                <th>Cluster</th>
+                <th>Generation</th>
+                <th>Status</th>
+                <th>Last applied</th>
+                <th>Last seen</th>
+                <th>Error</th>
+            </tr>
+        </thead>
+        <tbody>
+        @foreach (var r in _rows)
+        {
+            <tr class="@RowClass(r)">
+                <td><code>@r.NodeId</code></td>
+                <td>@r.ClusterId</td>
+                <td>@(r.GenerationId?.ToString() ?? "—")</td>
+                <td>
+                    <span class="badge @StatusBadge(r.Status)">@(r.Status ?? "—")</span>
+                </td>
+                <td>@FormatAge(r.AppliedAt)</td>
+                <td class="@(IsStale(r) ? "text-warning" : "")">@FormatAge(r.SeenAt)</td>
+                <td class="text-truncate" style="max-width: 320px;" title="@r.Error">@r.Error</td>
+            </tr>
+        }
+        </tbody>
+    </table>
+}
+
+@code {
+    // Refresh cadence. 5s matches FleetStatusPoller's poll interval — the dashboard always sees
+    // the most recent published state without polling ahead of the broadcaster.
+    private const int RefreshIntervalSeconds = 5;
+
+    private List<FleetNodeRow>? _rows;
+    private bool _refreshing;
+    private DateTime? _lastRefreshUtc;
+    private Timer? _timer;
+
+    protected override async Task OnInitializedAsync()
+    {
+        await RefreshAsync();
+        _timer = new Timer(async _ => await InvokeAsync(RefreshAsync),
+            state: null,
+            dueTime: TimeSpan.FromSeconds(RefreshIntervalSeconds),
+            period: TimeSpan.FromSeconds(RefreshIntervalSeconds));
+    }
+
+    private async Task RefreshAsync()
+    {
+        if (_refreshing) return;
+        _refreshing = true;
+        try
+        {
+            using var scope = ScopeFactory.CreateScope();
+            var db = scope.ServiceProvider.GetRequiredService<OtOpcUaConfigDbContext>();
+            var rows = await db.ClusterNodeGenerationStates.AsNoTracking()
+                .Join(db.ClusterNodes.AsNoTracking(), s => s.NodeId, n => n.NodeId, (s, n) => new FleetNodeRow(
+                    s.NodeId, n.ClusterId, s.CurrentGenerationId,
+                    s.LastAppliedStatus != null ? s.LastAppliedStatus.ToString() : null,
+                    s.LastAppliedError, s.LastAppliedAt, s.LastSeenAt))
+                .OrderBy(r => r.ClusterId)
+                .ThenBy(r => r.NodeId)
+                .ToListAsync();
+            _rows = rows;
+            _lastRefreshUtc = DateTime.UtcNow;
+        }
+        finally
+        {
+            _refreshing = false;
+            StateHasChanged();
+        }
+    }
+
+    private static bool IsStale(FleetNodeRow r)
+    {
+        if (r.SeenAt is null) return true;
+        return (DateTime.UtcNow - r.SeenAt.Value) > TimeSpan.FromSeconds(30);
+    }
+
+    private static string RowClass(FleetNodeRow r) => r.Status switch
+    {
+        "Failed" => "table-danger",
+        _ when IsStale(r) => "table-warning",
+        _ => "",
+    };
+
+    private static string StatusBadge(string? status) => status switch
+    {
+        "Applied" => "bg-success",
+        "Failed" => "bg-danger",
+        "Applying" => "bg-info",
+        _ => "bg-secondary",
+    };
+
+    private static string FormatAge(DateTime? t)
+    {
+        if (t is null) return "—";
+        var age = DateTime.UtcNow - t.Value;
+        if (age.TotalSeconds < 60) return $"{(int)age.TotalSeconds}s ago";
+        if (age.TotalMinutes < 60) return $"{(int)age.TotalMinutes}m ago";
+        if (age.TotalHours < 24) return $"{(int)age.TotalHours}h ago";
+        return t.Value.ToString("yyyy-MM-dd HH:mm 'UTC'");
+    }
+
+    public void Dispose() => _timer?.Dispose();
+
+    internal sealed record FleetNodeRow(
+        string NodeId, string ClusterId, long? GenerationId,
+        string? Status, string? Error, DateTime? AppliedAt, DateTime? SeenAt);
+}

src/ZB.MOM.WW.OtOpcUa.Admin/Program.cs

@@ -48,6 +48,12 @@ builder.Services.AddScoped<ReservationService>();
 builder.Services.AddScoped<DraftValidationService>();
 builder.Services.AddScoped<AuditLogService>();
 
+// Cert-trust management — reads the OPC UA server's PKI store root so rejected client certs
+// can be promoted to trusted via the Admin UI. Singleton: no per-request state, just
+// filesystem operations.
+builder.Services.Configure<CertTrustOptions>(builder.Configuration.GetSection(CertTrustOptions.SectionName));
+builder.Services.AddSingleton<CertTrustService>();
+
 // LDAP auth — parity with ScadaLink's LdapAuthService (decision #102).
 builder.Services.Configure<LdapOptions>(
     builder.Configuration.GetSection("Authentication:Ldap"));

src/ZB.MOM.WW.OtOpcUa.Admin/Services/CertTrustOptions.cs

@@ -0,0 +1,22 @@
+namespace ZB.MOM.WW.OtOpcUa.Admin.Services;
+
+/// <summary>
+///     Points the Admin UI at the OPC UA Server's PKI store root so
+///     <see cref="CertTrustService"/> can list and move certs between the
+///     <c>rejected/</c> and <c>trusted/</c> directories the server maintains. Must match the
+///     <c>OpcUaServer:PkiStoreRoot</c> the Server process is configured with.
+/// </summary>
+public sealed class CertTrustOptions
+{
+    public const string SectionName = "CertTrust";
+
+    /// <summary>
+    ///     Absolute path to the PKI root. Defaults to
+    ///     <c>%ProgramData%\OtOpcUa\pki</c> — matches <c>OpcUaServerOptions.PkiStoreRoot</c>'s
+    ///     default so a standard side-by-side install needs no override.
+    /// </summary>
+    public string PkiStoreRoot { get; init; } =
+        Path.Combine(
+            Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData),
+            "OtOpcUa", "pki");
+}

src/ZB.MOM.WW.OtOpcUa.Admin/Services/CertTrustService.cs

@@ -0,0 +1,135 @@
+using System.Security.Cryptography.X509Certificates;
+using Microsoft.Extensions.Options;
+
+namespace ZB.MOM.WW.OtOpcUa.Admin.Services;
+
+/// <summary>
+///     Metadata for a certificate file found in one of the OPC UA server's PKI stores. The
+///     <see cref="FilePath"/> is the absolute path of the DER/CRT file the stack created when it
+///     rejected the cert (for <see cref="CertStoreKind.Rejected"/>) or when an operator trusted
+///     it (for <see cref="CertStoreKind.Trusted"/>).
+/// </summary>
+public sealed record CertInfo(
+    string Thumbprint,
+    string Subject,
+    string Issuer,
+    DateTime NotBefore,
+    DateTime NotAfter,
+    string FilePath,
+    CertStoreKind Store);
+
+public enum CertStoreKind
+{
+    Rejected,
+    Trusted,
+}
+
+/// <summary>
+///     Filesystem-backed view over the OPC UA server's PKI store. The Opc.Ua stack uses a
+///     Directory-typed store — each cert is a <c>.der</c> file under <c>{root}/{store}/certs/</c>
+///     with a filename derived from subject + thumbprint. This service exposes operators for the
+///     Admin UI: list rejected, list trusted, trust a rejected cert (move to trusted), remove a
+///     rejected cert (delete), untrust a previously trusted cert (delete from trusted).
+/// </summary>
+/// <remarks>
+///     The Admin process is separate from the Server process; this service deliberately has no
+///     Opc.Ua dependency — it works on the on-disk layout directly so it can run on the Admin
+///     host even when the Server isn't installed locally, as long as the PKI root is reachable
+///     (typical deployment has Admin + Server side-by-side on the same machine).
+///
+///     Trust/untrust requires the Server to re-read its trust list. The Opc.Ua stack re-reads
+///     the Directory store on each new incoming connection, so there's no explicit signal
+///     needed — the next client handshake picks up the change. Operators should retry the
+///     rejected client's connection after trusting.
+/// </remarks>
+public sealed class CertTrustService
+{
+    private readonly CertTrustOptions _options;
+    private readonly ILogger<CertTrustService> _logger;
+
+    public CertTrustService(IOptions<CertTrustOptions> options, ILogger<CertTrustService> logger)
+    {
+        _options = options.Value;
+        _logger = logger;
+    }
+
+    public string PkiStoreRoot => _options.PkiStoreRoot;
+
+    public IReadOnlyList<CertInfo> ListRejected() => ListStore(CertStoreKind.Rejected);
+    public IReadOnlyList<CertInfo> ListTrusted() => ListStore(CertStoreKind.Trusted);
+
+    /// <summary>
+    ///     Move the cert with <paramref name="thumbprint"/> from the rejected store to the
+    ///     trusted store. No-op returns false if the rejected file doesn't exist (already moved
+    ///     by another operator, or thumbprint mismatch). Overwrites an existing trusted copy
+    ///     silently — idempotent.
+    /// </summary>
+    public bool TrustRejected(string thumbprint)
+    {
+        var cert = FindInStore(CertStoreKind.Rejected, thumbprint);
+        if (cert is null) return false;
+
+        var trustedDir = CertsDir(CertStoreKind.Trusted);
+        Directory.CreateDirectory(trustedDir);
+        var destPath = Path.Combine(trustedDir, Path.GetFileName(cert.FilePath));
+        File.Move(cert.FilePath, destPath, overwrite: true);
+        _logger.LogInformation("Trusted cert {Thumbprint} (subject={Subject}) — moved {From} → {To}",
+            cert.Thumbprint, cert.Subject, cert.FilePath, destPath);
+        return true;
+    }
+
+    public bool DeleteRejected(string thumbprint) => DeleteFromStore(CertStoreKind.Rejected, thumbprint);
+    public bool UntrustCert(string thumbprint) => DeleteFromStore(CertStoreKind.Trusted, thumbprint);
+
+    private bool DeleteFromStore(CertStoreKind store, string thumbprint)
+    {
+        var cert = FindInStore(store, thumbprint);
+        if (cert is null) return false;
+        File.Delete(cert.FilePath);
+        _logger.LogInformation("Deleted cert {Thumbprint} (subject={Subject}) from {Store} store",
+            cert.Thumbprint, cert.Subject, store);
+        return true;
+    }
+
+    private CertInfo? FindInStore(CertStoreKind store, string thumbprint) =>
+        ListStore(store).FirstOrDefault(c =>
+            string.Equals(c.Thumbprint, thumbprint, StringComparison.OrdinalIgnoreCase));
+
+    private IReadOnlyList<CertInfo> ListStore(CertStoreKind store)
+    {
+        var dir = CertsDir(store);
+        if (!Directory.Exists(dir)) return [];
+
+        var results = new List<CertInfo>();
+        foreach (var path in Directory.EnumerateFiles(dir))
+        {
+            // Skip CRL sidecars + private-key files — trust operations only concern public certs.
+            var ext = Path.GetExtension(path);
+            if (!ext.Equals(".der", StringComparison.OrdinalIgnoreCase) &&
+                !ext.Equals(".crt", StringComparison.OrdinalIgnoreCase) &&
+                !ext.Equals(".cer", StringComparison.OrdinalIgnoreCase))
+            {
+                continue;
+            }
+
+            try
+            {
+                var cert = X509CertificateLoader.LoadCertificateFromFile(path);
+                results.Add(new CertInfo(
+                    cert.Thumbprint, cert.Subject, cert.Issuer,
+                    cert.NotBefore.ToUniversalTime(), cert.NotAfter.ToUniversalTime(),
+                    path, store));
+            }
+            catch (Exception ex)
+            {
+                // A malformed file in the store shouldn't take down the page. Surface it in logs
+                // but skip — operators see the other certs and can clean the bad file manually.
+                _logger.LogWarning(ex, "Failed to parse cert at {Path} — skipping", path);
+            }
+        }
+        return results;
+    }
+
+    private string CertsDir(CertStoreKind store) =>
+        Path.Combine(_options.PkiStoreRoot, store == CertStoreKind.Rejected ? "rejected" : "trusted", "certs");
+}

src/ZB.MOM.WW.OtOpcUa.Driver.Modbus/IModbusTransport.cs

@@ -0,0 +1,25 @@
+namespace ZB.MOM.WW.OtOpcUa.Driver.Modbus;
+
+/// <summary>
+///     Abstraction over the Modbus TCP socket. Takes a <c>PDU</c> (function code + data, excluding
+///     the 7-byte MBAP header) and returns the response PDU — the transport owns transaction-id
+///     pairing, framing, and socket I/O. Tests supply in-memory fakes.
+/// </summary>
+public interface IModbusTransport : IAsyncDisposable
+{
+    Task ConnectAsync(CancellationToken ct);
+
+    /// <summary>
+    ///     Send a Modbus PDU (function code + function-specific data) and read the response PDU.
+    ///     Throws <see cref="ModbusException"/> when the server returns an exception PDU
+    ///     (function code + 0x80 + exception code).
+    /// </summary>
+    Task<byte[]> SendAsync(byte unitId, byte[] pdu, CancellationToken ct);
+}
+
+public sealed class ModbusException(byte functionCode, byte exceptionCode, string message)
+    : Exception(message)
+{
+    public byte FunctionCode { get; } = functionCode;
+    public byte ExceptionCode { get; } = exceptionCode;
+}

src/ZB.MOM.WW.OtOpcUa.Driver.Modbus/ModbusDriver.cs

@@ -0,0 +1,583 @@
+using System.Buffers.Binary;
+using System.Text.Json;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Modbus;
+
+/// <summary>
+///     Modbus TCP implementation of <see cref="IDriver"/> + <see cref="ITagDiscovery"/> +
+///     <see cref="IReadable"/> + <see cref="IWritable"/>. First native-protocol greenfield
+///     driver for the v2 stack — validates the driver-agnostic <c>IAddressSpaceBuilder</c> +
+///     <c>IReadable</c>/<c>IWritable</c> abstractions generalize beyond Galaxy.
+/// </summary>
+/// <remarks>
+///     Scope limits: synchronous Read/Write only, no subscriptions (Modbus has no push model;
+///     subscriptions would need a polling loop over the declared tags — additive PR). Historian
+///     + alarm capabilities are out of scope (the protocol doesn't express them).
+/// </remarks>
+public sealed class ModbusDriver(ModbusDriverOptions options, string driverInstanceId,
+    Func<ModbusDriverOptions, IModbusTransport>? transportFactory = null)
+    : IDriver, ITagDiscovery, IReadable, IWritable, ISubscribable, IHostConnectivityProbe, IDisposable, IAsyncDisposable
+{
+    // Active polling subscriptions. Each subscription owns a background Task that polls the
+    // tags at its configured interval, diffs against _lastKnownValues, and fires OnDataChange
+    // per changed tag. UnsubscribeAsync cancels the task via the CTS stored on the handle.
+    private readonly System.Collections.Concurrent.ConcurrentDictionary<long, SubscriptionState> _subscriptions = new();
+    private long _nextSubscriptionId;
+
+    public event EventHandler<DataChangeEventArgs>? OnDataChange;
+    public event EventHandler<HostStatusChangedEventArgs>? OnHostStatusChanged;
+
+    // Single-host probe state — Modbus driver talks to exactly one endpoint so the "hosts"
+    // collection has at most one entry. HostName is the Host:Port string so the Admin UI can
+    // display the PLC endpoint uniformly with Galaxy platforms/engines.
+    private readonly object _probeLock = new();
+    private HostState _hostState = HostState.Unknown;
+    private DateTime _hostStateChangedUtc = DateTime.UtcNow;
+    private CancellationTokenSource? _probeCts;
+    private readonly ModbusDriverOptions _options = options;
+    private readonly Func<ModbusDriverOptions, IModbusTransport> _transportFactory =
+        transportFactory ?? (o => new ModbusTcpTransport(o.Host, o.Port, o.Timeout));
+
+    private IModbusTransport? _transport;
+    private DriverHealth _health = new(DriverState.Unknown, null, null);
+    private readonly Dictionary<string, ModbusTagDefinition> _tagsByName = new(StringComparer.OrdinalIgnoreCase);
+
+    public string DriverInstanceId => driverInstanceId;
+    public string DriverType => "Modbus";
+
+    public async Task InitializeAsync(string driverConfigJson, CancellationToken cancellationToken)
+    {
+        _health = new DriverHealth(DriverState.Initializing, null, null);
+        try
+        {
+            _transport = _transportFactory(_options);
+            await _transport.ConnectAsync(cancellationToken).ConfigureAwait(false);
+            foreach (var t in _options.Tags) _tagsByName[t.Name] = t;
+            _health = new DriverHealth(DriverState.Healthy, DateTime.UtcNow, null);
+
+            // PR 23: kick off the probe loop once the transport is up. Initial state stays
+            // Unknown until the first probe tick succeeds — avoids broadcasting a premature
+            // Running transition before any register round-trip has happened.
+            if (_options.Probe.Enabled)
+            {
+                _probeCts = new CancellationTokenSource();
+                _ = Task.Run(() => ProbeLoopAsync(_probeCts.Token), _probeCts.Token);
+            }
+        }
+        catch (Exception ex)
+        {
+            _health = new DriverHealth(DriverState.Faulted, null, ex.Message);
+            throw;
+        }
+    }
+
+    public async Task ReinitializeAsync(string driverConfigJson, CancellationToken cancellationToken)
+    {
+        await ShutdownAsync(cancellationToken);
+        await InitializeAsync(driverConfigJson, cancellationToken);
+    }
+
+    public async Task ShutdownAsync(CancellationToken cancellationToken)
+    {
+        try { _probeCts?.Cancel(); } catch { }
+        _probeCts?.Dispose();
+        _probeCts = null;
+
+        foreach (var state in _subscriptions.Values)
+        {
+            try { state.Cts.Cancel(); } catch { }
+            state.Cts.Dispose();
+        }
+        _subscriptions.Clear();
+
+        if (_transport is not null) await _transport.DisposeAsync().ConfigureAwait(false);
+        _transport = null;
+        _health = new DriverHealth(DriverState.Unknown, _health.LastSuccessfulRead, null);
+    }
+
+    public DriverHealth GetHealth() => _health;
+    public long GetMemoryFootprint() => 0;
+    public Task FlushOptionalCachesAsync(CancellationToken cancellationToken) => Task.CompletedTask;
+
+    // ---- ITagDiscovery ----
+
+    public Task DiscoverAsync(IAddressSpaceBuilder builder, CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(builder);
+        var folder = builder.Folder("Modbus", "Modbus");
+        foreach (var t in _options.Tags)
+        {
+            folder.Variable(t.Name, t.Name, new DriverAttributeInfo(
+                FullName: t.Name,
+                DriverDataType: MapDataType(t.DataType),
+                IsArray: false,
+                ArrayDim: null,
+                SecurityClass: t.Writable ? SecurityClassification.Operate : SecurityClassification.ViewOnly,
+                IsHistorized: false,
+                IsAlarm: false));
+        }
+        return Task.CompletedTask;
+    }
+
+    // ---- IReadable ----
+
+    public async Task<IReadOnlyList<DataValueSnapshot>> ReadAsync(
+        IReadOnlyList<string> fullReferences, CancellationToken cancellationToken)
+    {
+        var transport = RequireTransport();
+        var now = DateTime.UtcNow;
+        var results = new DataValueSnapshot[fullReferences.Count];
+        for (var i = 0; i < fullReferences.Count; i++)
+        {
+            if (!_tagsByName.TryGetValue(fullReferences[i], out var tag))
+            {
+                results[i] = new DataValueSnapshot(null, StatusBadNodeIdUnknown, null, now);
+                continue;
+            }
+            try
+            {
+                var value = await ReadOneAsync(transport, tag, cancellationToken).ConfigureAwait(false);
+                results[i] = new DataValueSnapshot(value, 0u, now, now);
+                _health = new DriverHealth(DriverState.Healthy, now, null);
+            }
+            catch (Exception ex)
+            {
+                results[i] = new DataValueSnapshot(null, StatusBadInternalError, null, now);
+                _health = new DriverHealth(DriverState.Degraded, _health.LastSuccessfulRead, ex.Message);
+            }
+        }
+        return results;
+    }
+
+    private async Task<object> ReadOneAsync(IModbusTransport transport, ModbusTagDefinition tag, CancellationToken ct)
+    {
+        switch (tag.Region)
+        {
+            case ModbusRegion.Coils:
+            {
+                var pdu = new byte[] { 0x01, (byte)(tag.Address >> 8), (byte)(tag.Address & 0xFF), 0x00, 0x01 };
+                var resp = await transport.SendAsync(_options.UnitId, pdu, ct).ConfigureAwait(false);
+                return (resp[2] & 0x01) == 1;
+            }
+            case ModbusRegion.DiscreteInputs:
+            {
+                var pdu = new byte[] { 0x02, (byte)(tag.Address >> 8), (byte)(tag.Address & 0xFF), 0x00, 0x01 };
+                var resp = await transport.SendAsync(_options.UnitId, pdu, ct).ConfigureAwait(false);
+                return (resp[2] & 0x01) == 1;
+            }
+            case ModbusRegion.HoldingRegisters:
+            case ModbusRegion.InputRegisters:
+            {
+                var quantity = RegisterCount(tag);
+                var fc = tag.Region == ModbusRegion.HoldingRegisters ? (byte)0x03 : (byte)0x04;
+                var pdu = new byte[] { fc, (byte)(tag.Address >> 8), (byte)(tag.Address & 0xFF),
+                                       (byte)(quantity >> 8), (byte)(quantity & 0xFF) };
+                var resp = await transport.SendAsync(_options.UnitId, pdu, ct).ConfigureAwait(false);
+                // resp = [fc][byte-count][data...]
+                var data = new ReadOnlySpan<byte>(resp, 2, resp[1]);
+                return DecodeRegister(data, tag);
+            }
+            default:
+                throw new InvalidOperationException($"Unknown region {tag.Region}");
+        }
+    }
+
+    // ---- IWritable ----
+
+    public async Task<IReadOnlyList<WriteResult>> WriteAsync(
+        IReadOnlyList<WriteRequest> writes, CancellationToken cancellationToken)
+    {
+        var transport = RequireTransport();
+        var results = new WriteResult[writes.Count];
+        for (var i = 0; i < writes.Count; i++)
+        {
+            var w = writes[i];
+            if (!_tagsByName.TryGetValue(w.FullReference, out var tag))
+            {
+                results[i] = new WriteResult(StatusBadNodeIdUnknown);
+                continue;
+            }
+            if (!tag.Writable || tag.Region is ModbusRegion.DiscreteInputs or ModbusRegion.InputRegisters)
+            {
+                results[i] = new WriteResult(StatusBadNotWritable);
+                continue;
+            }
+            try
+            {
+                await WriteOneAsync(transport, tag, w.Value, cancellationToken).ConfigureAwait(false);
+                results[i] = new WriteResult(0u);
+            }
+            catch (Exception)
+            {
+                results[i] = new WriteResult(StatusBadInternalError);
+            }
+        }
+        return results;
+    }
+
+    private async Task WriteOneAsync(IModbusTransport transport, ModbusTagDefinition tag, object? value, CancellationToken ct)
+    {
+        switch (tag.Region)
+        {
+            case ModbusRegion.Coils:
+            {
+                var on = Convert.ToBoolean(value);
+                var pdu = new byte[] { 0x05, (byte)(tag.Address >> 8), (byte)(tag.Address & 0xFF),
+                                       on ? (byte)0xFF : (byte)0x00, 0x00 };
+                await transport.SendAsync(_options.UnitId, pdu, ct).ConfigureAwait(false);
+                return;
+            }
+            case ModbusRegion.HoldingRegisters:
+            {
+                var bytes = EncodeRegister(value, tag);
+                if (bytes.Length == 2)
+                {
+                    var pdu = new byte[] { 0x06, (byte)(tag.Address >> 8), (byte)(tag.Address & 0xFF),
+                                           bytes[0], bytes[1] };
+                    await transport.SendAsync(_options.UnitId, pdu, ct).ConfigureAwait(false);
+                }
+                else
+                {
+                    // FC 16 (Write Multiple Registers) for 32-bit types
+                    var qty = (ushort)(bytes.Length / 2);
+                    var pdu = new byte[6 + 1 + bytes.Length];
+                    pdu[0] = 0x10;
+                    pdu[1] = (byte)(tag.Address >> 8); pdu[2] = (byte)(tag.Address & 0xFF);
+                    pdu[3] = (byte)(qty >> 8); pdu[4] = (byte)(qty & 0xFF);
+                    pdu[5] = (byte)bytes.Length;
+                    Buffer.BlockCopy(bytes, 0, pdu, 6, bytes.Length);
+                    await transport.SendAsync(_options.UnitId, pdu, ct).ConfigureAwait(false);
+                }
+                return;
+            }
+            default:
+                throw new InvalidOperationException($"Writes not supported for region {tag.Region}");
+        }
+    }
+
+    // ---- ISubscribable (polling overlay) ----
+
+    public Task<ISubscriptionHandle> SubscribeAsync(
+        IReadOnlyList<string> fullReferences, TimeSpan publishingInterval, CancellationToken cancellationToken)
+    {
+        var id = Interlocked.Increment(ref _nextSubscriptionId);
+        var cts = new CancellationTokenSource();
+        var interval = publishingInterval < TimeSpan.FromMilliseconds(100)
+            ? TimeSpan.FromMilliseconds(100) // floor — Modbus can't sustain < 100ms polling reliably
+            : publishingInterval;
+        var handle = new ModbusSubscriptionHandle(id);
+        var state = new SubscriptionState(handle, [.. fullReferences], interval, cts);
+        _subscriptions[id] = state;
+        _ = Task.Run(() => PollLoopAsync(state, cts.Token), cts.Token);
+        return Task.FromResult<ISubscriptionHandle>(handle);
+    }
+
+    public Task UnsubscribeAsync(ISubscriptionHandle handle, CancellationToken cancellationToken)
+    {
+        if (handle is ModbusSubscriptionHandle h && _subscriptions.TryRemove(h.Id, out var state))
+        {
+            state.Cts.Cancel();
+            state.Cts.Dispose();
+        }
+        return Task.CompletedTask;
+    }
+
+    private async Task PollLoopAsync(SubscriptionState state, CancellationToken ct)
+    {
+        // Initial-data push: read every tag once at subscribe time so OPC UA clients see the
+        // current value per Part 4 convention, even if the value never changes thereafter.
+        try { await PollOnceAsync(state, forceRaise: true, ct).ConfigureAwait(false); }
+        catch (OperationCanceledException) { return; }
+        catch { /* first-read error — polling continues */ }
+
+        while (!ct.IsCancellationRequested)
+        {
+            try { await Task.Delay(state.Interval, ct).ConfigureAwait(false); }
+            catch (OperationCanceledException) { return; }
+
+            try { await PollOnceAsync(state, forceRaise: false, ct).ConfigureAwait(false); }
+            catch (OperationCanceledException) { return; }
+            catch { /* transient polling error — loop continues, health surface reflects it */ }
+        }
+    }
+
+    private async Task PollOnceAsync(SubscriptionState state, bool forceRaise, CancellationToken ct)
+    {
+        var snapshots = await ReadAsync(state.TagReferences, ct).ConfigureAwait(false);
+        for (var i = 0; i < state.TagReferences.Count; i++)
+        {
+            var tagRef = state.TagReferences[i];
+            var current = snapshots[i];
+            var lastSeen = state.LastValues.TryGetValue(tagRef, out var prev) ? prev : default;
+
+            // Raise on first read (forceRaise) OR when the boxed value differs from last-known.
+            if (forceRaise || !Equals(lastSeen?.Value, current.Value) || lastSeen?.StatusCode != current.StatusCode)
+            {
+                state.LastValues[tagRef] = current;
+                OnDataChange?.Invoke(this, new DataChangeEventArgs(state.Handle, tagRef, current));
+            }
+        }
+    }
+
+    private sealed record SubscriptionState(
+        ModbusSubscriptionHandle Handle,
+        IReadOnlyList<string> TagReferences,
+        TimeSpan Interval,
+        CancellationTokenSource Cts)
+    {
+        public System.Collections.Concurrent.ConcurrentDictionary<string, DataValueSnapshot> LastValues { get; }
+            = new(StringComparer.OrdinalIgnoreCase);
+    }
+
+    private sealed record ModbusSubscriptionHandle(long Id) : ISubscriptionHandle
+    {
+        public string DiagnosticId => $"modbus-sub-{Id}";
+    }
+
+    // ---- IHostConnectivityProbe ----
+
+    public IReadOnlyList<HostConnectivityStatus> GetHostStatuses()
+    {
+        lock (_probeLock)
+            return [new HostConnectivityStatus(HostName, _hostState, _hostStateChangedUtc)];
+    }
+
+    /// <summary>
+    ///     Host identifier surfaced to <c>IHostConnectivityProbe.GetHostStatuses</c> and the Admin UI.
+    ///     Formatted as <c>host:port</c> so multiple Modbus drivers in the same server disambiguate
+    ///     by endpoint without needing the driver-instance-id in the Admin dashboard.
+    /// </summary>
+    public string HostName => $"{_options.Host}:{_options.Port}";
+
+    private async Task ProbeLoopAsync(CancellationToken ct)
+    {
+        var transport = _transport; // captured reference; disposal tears the loop down via ct
+        while (!ct.IsCancellationRequested)
+        {
+            var success = false;
+            try
+            {
+                using var probeCts = CancellationTokenSource.CreateLinkedTokenSource(ct);
+                probeCts.CancelAfter(_options.Probe.Timeout);
+                var pdu = new byte[] { 0x03,
+                    (byte)(_options.Probe.ProbeAddress >> 8),
+                    (byte)(_options.Probe.ProbeAddress & 0xFF), 0x00, 0x01 };
+                _ = await transport!.SendAsync(_options.UnitId, pdu, probeCts.Token).ConfigureAwait(false);
+                success = true;
+            }
+            catch (OperationCanceledException) when (ct.IsCancellationRequested)
+            {
+                return;
+            }
+            catch
+            {
+                // transport / timeout / exception PDU — treated as Stopped below
+            }
+
+            TransitionTo(success ? HostState.Running : HostState.Stopped);
+
+            try { await Task.Delay(_options.Probe.Interval, ct).ConfigureAwait(false); }
+            catch (OperationCanceledException) { return; }
+        }
+    }
+
+    private void TransitionTo(HostState newState)
+    {
+        HostState old;
+        lock (_probeLock)
+        {
+            old = _hostState;
+            if (old == newState) return;
+            _hostState = newState;
+            _hostStateChangedUtc = DateTime.UtcNow;
+        }
+        OnHostStatusChanged?.Invoke(this, new HostStatusChangedEventArgs(HostName, old, newState));
+    }
+
+    // ---- codec ----
+
+    /// <summary>
+    ///     How many 16-bit registers a given tag occupies. Accounts for multi-register logical
+    ///     types (Int32/Float32 = 2 regs, Int64/Float64 = 4 regs) and for strings (rounded up
+    ///     from 2 chars per register).
+    /// </summary>
+    internal static ushort RegisterCount(ModbusTagDefinition tag) => tag.DataType switch
+    {
+        ModbusDataType.Int16 or ModbusDataType.UInt16 or ModbusDataType.BitInRegister => 1,
+        ModbusDataType.Int32 or ModbusDataType.UInt32 or ModbusDataType.Float32 => 2,
+        ModbusDataType.Int64 or ModbusDataType.UInt64 or ModbusDataType.Float64 => 4,
+        ModbusDataType.String => (ushort)((tag.StringLength + 1) / 2), // 2 chars per register
+        _ => throw new InvalidOperationException($"Non-register data type {tag.DataType}"),
+    };
+
+    /// <summary>
+    ///     Word-swap the input into the big-endian layout the decoders expect. For 2-register
+    ///     types this reverses the two words; for 4-register types it reverses the four words
+    ///     (PLC stored [hi-mid, low-mid, hi-high, low-high] → memory [hi-high, low-high, hi-mid, low-mid]).
+    /// </summary>
+    private static byte[] NormalizeWordOrder(ReadOnlySpan<byte> data, ModbusByteOrder order)
+    {
+        if (order == ModbusByteOrder.BigEndian) return data.ToArray();
+        var result = new byte[data.Length];
+        for (var word = 0; word < data.Length / 2; word++)
+        {
+            var srcWord = data.Length / 2 - 1 - word;
+            result[word * 2] = data[srcWord * 2];
+            result[word * 2 + 1] = data[srcWord * 2 + 1];
+        }
+        return result;
+    }
+
+    internal static object DecodeRegister(ReadOnlySpan<byte> data, ModbusTagDefinition tag)
+    {
+        switch (tag.DataType)
+        {
+            case ModbusDataType.Int16: return BinaryPrimitives.ReadInt16BigEndian(data);
+            case ModbusDataType.UInt16: return BinaryPrimitives.ReadUInt16BigEndian(data);
+            case ModbusDataType.BitInRegister:
+            {
+                var raw = BinaryPrimitives.ReadUInt16BigEndian(data);
+                return (raw & (1 << tag.BitIndex)) != 0;
+            }
+            case ModbusDataType.Int32:
+            {
+                var b = NormalizeWordOrder(data, tag.ByteOrder);
+                return BinaryPrimitives.ReadInt32BigEndian(b);
+            }
+            case ModbusDataType.UInt32:
+            {
+                var b = NormalizeWordOrder(data, tag.ByteOrder);
+                return BinaryPrimitives.ReadUInt32BigEndian(b);
+            }
+            case ModbusDataType.Float32:
+            {
+                var b = NormalizeWordOrder(data, tag.ByteOrder);
+                return BinaryPrimitives.ReadSingleBigEndian(b);
+            }
+            case ModbusDataType.Int64:
+            {
+                var b = NormalizeWordOrder(data, tag.ByteOrder);
+                return BinaryPrimitives.ReadInt64BigEndian(b);
+            }
+            case ModbusDataType.UInt64:
+            {
+                var b = NormalizeWordOrder(data, tag.ByteOrder);
+                return BinaryPrimitives.ReadUInt64BigEndian(b);
+            }
+            case ModbusDataType.Float64:
+            {
+                var b = NormalizeWordOrder(data, tag.ByteOrder);
+                return BinaryPrimitives.ReadDoubleBigEndian(b);
+            }
+            case ModbusDataType.String:
+            {
+                // ASCII, 2 chars per register, packed high byte = first char.
+                // Respect the caller's StringLength (truncate nul-padded regions).
+                var chars = new char[tag.StringLength];
+                for (var i = 0; i < tag.StringLength; i++)
+                {
+                    var b = data[i];
+                    if (b == 0) { return new string(chars, 0, i); }
+                    chars[i] = (char)b;
+                }
+                return new string(chars);
+            }
+            default:
+                throw new InvalidOperationException($"Non-register data type {tag.DataType}");
+        }
+    }
+
+    internal static byte[] EncodeRegister(object? value, ModbusTagDefinition tag)
+    {
+        switch (tag.DataType)
+        {
+            case ModbusDataType.Int16:
+            {
+                var v = Convert.ToInt16(value);
+                var b = new byte[2]; BinaryPrimitives.WriteInt16BigEndian(b, v); return b;
+            }
+            case ModbusDataType.UInt16:
+            {
+                var v = Convert.ToUInt16(value);
+                var b = new byte[2]; BinaryPrimitives.WriteUInt16BigEndian(b, v); return b;
+            }
+            case ModbusDataType.Int32:
+            {
+                var v = Convert.ToInt32(value);
+                var b = new byte[4]; BinaryPrimitives.WriteInt32BigEndian(b, v);
+                return NormalizeWordOrder(b, tag.ByteOrder);
+            }
+            case ModbusDataType.UInt32:
+            {
+                var v = Convert.ToUInt32(value);
+                var b = new byte[4]; BinaryPrimitives.WriteUInt32BigEndian(b, v);
+                return NormalizeWordOrder(b, tag.ByteOrder);
+            }
+            case ModbusDataType.Float32:
+            {
+                var v = Convert.ToSingle(value);
+                var b = new byte[4]; BinaryPrimitives.WriteSingleBigEndian(b, v);
+                return NormalizeWordOrder(b, tag.ByteOrder);
+            }
+            case ModbusDataType.Int64:
+            {
+                var v = Convert.ToInt64(value);
+                var b = new byte[8]; BinaryPrimitives.WriteInt64BigEndian(b, v);
+                return NormalizeWordOrder(b, tag.ByteOrder);
+            }
+            case ModbusDataType.UInt64:
+            {
+                var v = Convert.ToUInt64(value);
+                var b = new byte[8]; BinaryPrimitives.WriteUInt64BigEndian(b, v);
+                return NormalizeWordOrder(b, tag.ByteOrder);
+            }
+            case ModbusDataType.Float64:
+            {
+                var v = Convert.ToDouble(value);
+                var b = new byte[8]; BinaryPrimitives.WriteDoubleBigEndian(b, v);
+                return NormalizeWordOrder(b, tag.ByteOrder);
+            }
+            case ModbusDataType.String:
+            {
+                var s = Convert.ToString(value) ?? string.Empty;
+                var regs = (tag.StringLength + 1) / 2;
+                var b = new byte[regs * 2];
+                for (var i = 0; i < tag.StringLength && i < s.Length; i++) b[i] = (byte)s[i];
+                // remaining bytes stay 0 — nul-padded per PLC convention
+                return b;
+            }
+            case ModbusDataType.BitInRegister:
+                throw new InvalidOperationException(
+                    "BitInRegister writes require a read-modify-write; not supported in PR 24 (separate follow-up).");
+            default:
+                throw new InvalidOperationException($"Non-register data type {tag.DataType}");
+        }
+    }
+
+    private static DriverDataType MapDataType(ModbusDataType t) => t switch
+    {
+        ModbusDataType.Bool or ModbusDataType.BitInRegister => DriverDataType.Boolean,
+        ModbusDataType.Int16 or ModbusDataType.Int32 => DriverDataType.Int32,
+        ModbusDataType.UInt16 or ModbusDataType.UInt32 => DriverDataType.Int32,
+        ModbusDataType.Int64 or ModbusDataType.UInt64 => DriverDataType.Int32, // widening to Int32 loses precision; PR 25 adds Int64 to DriverDataType
+        ModbusDataType.Float32 => DriverDataType.Float32,
+        ModbusDataType.Float64 => DriverDataType.Float64,
+        ModbusDataType.String => DriverDataType.String,
+        _ => DriverDataType.Int32,
+    };
+
+    private IModbusTransport RequireTransport() =>
+        _transport ?? throw new InvalidOperationException("ModbusDriver not initialized");
+
+    private const uint StatusBadInternalError = 0x80020000u;
+    private const uint StatusBadNodeIdUnknown = 0x80340000u;
+    private const uint StatusBadNotWritable = 0x803B0000u;
+
+    public void Dispose() => DisposeAsync().AsTask().GetAwaiter().GetResult();
+    public async ValueTask DisposeAsync()
+    {
+        if (_transport is not null) await _transport.DisposeAsync().ConfigureAwait(false);
+        _transport = null;
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Driver.Modbus/ModbusDriverOptions.cs

@@ -0,0 +1,97 @@
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Modbus;
+
+/// <summary>
+///     Modbus TCP driver configuration. Bound from the driver's <c>DriverConfig</c> JSON at
+///     <c>DriverHost.RegisterAsync</c>. Every register the driver exposes appears in
+///     <see cref="Tags"/>; names become the OPC UA browse name + full reference.
+/// </summary>
+public sealed class ModbusDriverOptions
+{
+    public string Host { get; init; } = "127.0.0.1";
+    public int Port { get; init; } = 502;
+    public byte UnitId { get; init; } = 1;
+    public TimeSpan Timeout { get; init; } = TimeSpan.FromSeconds(2);
+
+    /// <summary>Pre-declared tag map. Modbus has no discovery protocol — the driver returns exactly these.</summary>
+    public IReadOnlyList<ModbusTagDefinition> Tags { get; init; } = [];
+
+    /// <summary>
+    ///     Background connectivity-probe settings. When <see cref="ModbusProbeOptions.Enabled"/>
+    ///     is true the driver runs a tick loop that issues a cheap FC03 at register 0 every
+    ///     <see cref="ModbusProbeOptions.Interval"/> and raises <c>OnHostStatusChanged</c> on
+    ///     Running ↔ Stopped transitions. The Admin UI / OPC UA clients see the state through
+    ///     <see cref="IHostConnectivityProbe"/>.
+    /// </summary>
+    public ModbusProbeOptions Probe { get; init; } = new();
+}
+
+public sealed class ModbusProbeOptions
+{
+    public bool Enabled { get; init; } = true;
+    public TimeSpan Interval { get; init; } = TimeSpan.FromSeconds(5);
+    public TimeSpan Timeout { get; init; } = TimeSpan.FromSeconds(2);
+    /// <summary>Register to read for the probe. Zero is usually safe; override for PLCs that lock register 0.</summary>
+    public ushort ProbeAddress { get; init; } = 0;
+}
+
+/// <summary>
+///     One Modbus-backed OPC UA variable. Address is zero-based (Modbus spec numbering, not
+///     the documentation's 1-based coil/register conventions). Multi-register types
+///     (Int32/UInt32/Float32 = 2 regs; Int64/UInt64/Float64 = 4 regs) respect the
+///     <see cref="ByteOrder"/> field — real-world PLCs disagree on word ordering.
+/// </summary>
+/// <param name="Name">
+///     Tag name, used for both the OPC UA browse name and the driver's full reference. Must be
+///     unique within the driver.
+/// </param>
+/// <param name="Region">Coils / DiscreteInputs / InputRegisters / HoldingRegisters.</param>
+/// <param name="Address">Zero-based address within the region.</param>
+/// <param name="DataType">
+///     Logical data type. See <see cref="ModbusDataType"/> for the register count each encodes.
+/// </param>
+/// <param name="Writable">When true and Region supports writes (Coils / HoldingRegisters), IWritable routes writes here.</param>
+/// <param name="ByteOrder">Word ordering for multi-register types. Ignored for Bool / Int16 / UInt16 / BitInRegister / String.</param>
+/// <param name="BitIndex">For <c>DataType = BitInRegister</c>: which bit of the holding register (0-15, LSB-first).</param>
+/// <param name="StringLength">For <c>DataType = String</c>: number of ASCII characters (2 per register, rounded up).</param>
+public sealed record ModbusTagDefinition(
+    string Name,
+    ModbusRegion Region,
+    ushort Address,
+    ModbusDataType DataType,
+    bool Writable = true,
+    ModbusByteOrder ByteOrder = ModbusByteOrder.BigEndian,
+    byte BitIndex = 0,
+    ushort StringLength = 0);
+
+public enum ModbusRegion { Coils, DiscreteInputs, InputRegisters, HoldingRegisters }
+
+public enum ModbusDataType
+{
+    Bool,
+    Int16,
+    UInt16,
+    Int32,
+    UInt32,
+    Int64,
+    UInt64,
+    Float32,
+    Float64,
+    /// <summary>Single bit within a holding register. <see cref="ModbusTagDefinition.BitIndex"/> selects 0-15 LSB-first.</summary>
+    BitInRegister,
+    /// <summary>ASCII string packed 2 chars per register, <see cref="ModbusTagDefinition.StringLength"/> characters long.</summary>
+    String,
+}
+
+/// <summary>
+///     Word ordering for multi-register types. Modbus TCP standard is <see cref="BigEndian"/>
+///     (ABCD for 32-bit: high word at the lower address). Many PLCs — Siemens S7, several
+///     Allen-Bradley series, some Modicon families — use <see cref="WordSwap"/> (CDAB), which
+///     keeps bytes big-endian within each register but reverses the word pair(s).
+/// </summary>
+public enum ModbusByteOrder
+{
+    BigEndian,
+    WordSwap,
+}

src/ZB.MOM.WW.OtOpcUa.Driver.Modbus/ModbusTcpTransport.cs

@@ -0,0 +1,113 @@
+using System.Net.Sockets;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Modbus;
+
+/// <summary>
+///     Concrete Modbus TCP transport. Wraps a single <see cref="TcpClient"/> and serializes
+///     requests so at most one transaction is in-flight at a time — Modbus servers typically
+///     support concurrent transactions, but the single-flight model keeps the wire trace
+///     easy to diagnose and avoids interleaved-response correlation bugs.
+/// </summary>
+public sealed class ModbusTcpTransport : IModbusTransport
+{
+    private readonly string _host;
+    private readonly int _port;
+    private readonly TimeSpan _timeout;
+    private readonly SemaphoreSlim _gate = new(1, 1);
+    private TcpClient? _client;
+    private NetworkStream? _stream;
+    private ushort _nextTx;
+    private bool _disposed;
+
+    public ModbusTcpTransport(string host, int port, TimeSpan timeout)
+    {
+        _host = host;
+        _port = port;
+        _timeout = timeout;
+    }
+
+    public async Task ConnectAsync(CancellationToken ct)
+    {
+        _client = new TcpClient();
+        using var cts = CancellationTokenSource.CreateLinkedTokenSource(ct);
+        cts.CancelAfter(_timeout);
+        await _client.ConnectAsync(_host, _port, cts.Token).ConfigureAwait(false);
+        _stream = _client.GetStream();
+    }
+
+    public async Task<byte[]> SendAsync(byte unitId, byte[] pdu, CancellationToken ct)
+    {
+        if (_disposed) throw new ObjectDisposedException(nameof(ModbusTcpTransport));
+        if (_stream is null) throw new InvalidOperationException("Transport not connected");
+
+        await _gate.WaitAsync(ct).ConfigureAwait(false);
+        try
+        {
+            var txId = ++_nextTx;
+
+            // MBAP: [TxId(2)][Proto=0(2)][Length(2)][UnitId(1)] + PDU
+            var adu = new byte[7 + pdu.Length];
+            adu[0] = (byte)(txId >> 8);
+            adu[1] = (byte)(txId & 0xFF);
+            // protocol id already zero
+            var len = (ushort)(1 + pdu.Length); // unit id + pdu
+            adu[4] = (byte)(len >> 8);
+            adu[5] = (byte)(len & 0xFF);
+            adu[6] = unitId;
+            Buffer.BlockCopy(pdu, 0, adu, 7, pdu.Length);
+
+            using var cts = CancellationTokenSource.CreateLinkedTokenSource(ct);
+            cts.CancelAfter(_timeout);
+            await _stream.WriteAsync(adu.AsMemory(), cts.Token).ConfigureAwait(false);
+            await _stream.FlushAsync(cts.Token).ConfigureAwait(false);
+
+            var header = new byte[7];
+            await ReadExactlyAsync(_stream, header, cts.Token).ConfigureAwait(false);
+            var respTxId = (ushort)((header[0] << 8) | header[1]);
+            if (respTxId != txId)
+                throw new InvalidDataException($"Modbus TxId mismatch: expected {txId} got {respTxId}");
+            var respLen = (ushort)((header[4] << 8) | header[5]);
+            if (respLen < 1) throw new InvalidDataException($"Modbus response length too small: {respLen}");
+            var respPdu = new byte[respLen - 1];
+            await ReadExactlyAsync(_stream, respPdu, cts.Token).ConfigureAwait(false);
+
+            // Exception PDU: function code has high bit set.
+            if ((respPdu[0] & 0x80) != 0)
+            {
+                var fc = (byte)(respPdu[0] & 0x7F);
+                var ex = respPdu[1];
+                throw new ModbusException(fc, ex, $"Modbus exception fc={fc} code={ex}");
+            }
+
+            return respPdu;
+        }
+        finally
+        {
+            _gate.Release();
+        }
+    }
+
+    private static async Task ReadExactlyAsync(Stream s, byte[] buf, CancellationToken ct)
+    {
+        var read = 0;
+        while (read < buf.Length)
+        {
+            var n = await s.ReadAsync(buf.AsMemory(read), ct).ConfigureAwait(false);
+            if (n == 0) throw new EndOfStreamException("Modbus socket closed mid-response");
+            read += n;
+        }
+    }
+
+    public async ValueTask DisposeAsync()
+    {
+        if (_disposed) return;
+        _disposed = true;
+        try
+        {
+            if (_stream is not null) await _stream.DisposeAsync().ConfigureAwait(false);
+        }
+        catch { /* best-effort */ }
+        _client?.Dispose();
+        _gate.Dispose();
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Driver.Modbus/ZB.MOM.WW.OtOpcUa.Driver.Modbus.csproj

@@ -0,0 +1,27 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+    <PropertyGroup>
+        <TargetFramework>net10.0</TargetFramework>
+        <Nullable>enable</Nullable>
+        <ImplicitUsings>enable</ImplicitUsings>
+        <LangVersion>latest</LangVersion>
+        <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
+        <GenerateDocumentationFile>true</GenerateDocumentationFile>
+        <NoWarn>$(NoWarn);CS1591</NoWarn>
+        <RootNamespace>ZB.MOM.WW.OtOpcUa.Driver.Modbus</RootNamespace>
+    </PropertyGroup>
+
+    <ItemGroup>
+        <ProjectReference Include="..\ZB.MOM.WW.OtOpcUa.Core.Abstractions\ZB.MOM.WW.OtOpcUa.Core.Abstractions.csproj"/>
+    </ItemGroup>
+
+    <ItemGroup>
+        <InternalsVisibleTo Include="ZB.MOM.WW.OtOpcUa.Driver.Modbus.Tests"/>
+    </ItemGroup>
+
+    <ItemGroup>
+        <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-37gx-xxp4-5rgx"/>
+        <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-w3x6-4m5h-cxqf"/>
+    </ItemGroup>
+
+</Project>

src/ZB.MOM.WW.OtOpcUa.Server/OpcUa/DriverNodeManager.cs

@@ -3,6 +3,7 @@ using Microsoft.Extensions.Logging;
 using Opc.Ua;
 using Opc.Ua.Server;
 using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Server.Security;
 using DriverWriteRequest = ZB.MOM.WW.OtOpcUa.Core.Abstractions.WriteRequest;
 
 namespace ZB.MOM.WW.OtOpcUa.Server.OpcUa;
@@ -35,6 +36,12 @@ public sealed class DriverNodeManager : CustomNodeManager2, IAddressSpaceBuilder
     private FolderState? _driverRoot;
     private readonly Dictionary<string, BaseDataVariableState> _variablesByFullRef = new(StringComparer.OrdinalIgnoreCase);
 
+    // PR 26: SecurityClassification per variable, populated during Variable() registration.
+    // OnWriteValue looks up the classification here to gate the write by the session's roles.
+    // Drivers never enforce authz themselves — the classification is discovery-time metadata
+    // only (feedback_acl_at_server_layer.md).
+    private readonly Dictionary<string, SecurityClassification> _securityByFullRef = new(StringComparer.OrdinalIgnoreCase);
+
     // Active building folder — set per Folder() call so Variable() lands under the right parent.
     // A stack would support nested folders; we use a single current folder because IAddressSpaceBuilder
     // returns a child builder per Folder call and the caller threads nesting through those references.
@@ -122,6 +129,7 @@ public sealed class DriverNodeManager : CustomNodeManager2, IAddressSpaceBuilder
             _currentFolder.AddChild(v);
             AddPredefinedNode(SystemContext, v);
             _variablesByFullRef[attributeInfo.FullName] = v;
+            _securityByFullRef[attributeInfo.FullName] = attributeInfo.SecurityClass;
 
             v.OnReadValue = OnReadValue;
             v.OnWriteValue = OnWriteValue;
@@ -337,6 +345,22 @@ public sealed class DriverNodeManager : CustomNodeManager2, IAddressSpaceBuilder
         var fullRef = node.NodeId.Identifier as string;
         if (string.IsNullOrEmpty(fullRef)) return StatusCodes.BadNodeIdUnknown;
 
+        // PR 26: server-layer write authorization. Look up the attribute's classification
+        // (populated during Variable() in Discover) and check the session's roles against the
+        // policy table. Drivers don't participate in this decision — IWritable.WriteAsync
+        // never sees a request we'd have refused here.
+        if (_securityByFullRef.TryGetValue(fullRef!, out var classification))
+        {
+            var roles = context.UserIdentity is IRoleBearer rb ? rb.Roles : [];
+            if (!WriteAuthzPolicy.IsAllowed(classification, roles))
+            {
+                _logger.LogInformation(
+                    "Write denied for {FullRef}: classification={Classification} userRoles=[{Roles}]",
+                    fullRef, classification, string.Join(",", roles));
+                return new ServiceResult(StatusCodes.BadUserAccessDenied);
+            }
+        }
+
         try
         {
             var results = _writable.WriteAsync(

src/ZB.MOM.WW.OtOpcUa.Server/OpcUa/OpcUaApplicationHost.cs

@@ -3,6 +3,7 @@ using Opc.Ua;
 using Opc.Ua.Configuration;
 using ZB.MOM.WW.OtOpcUa.Core.Hosting;
 using ZB.MOM.WW.OtOpcUa.Core.OpcUa;
+using ZB.MOM.WW.OtOpcUa.Server.Security;
 
 namespace ZB.MOM.WW.OtOpcUa.Server.OpcUa;
 
@@ -18,6 +19,7 @@ public sealed class OpcUaApplicationHost : IAsyncDisposable
 {
     private readonly OpcUaServerOptions _options;
     private readonly DriverHost _driverHost;
+    private readonly IUserAuthenticator _authenticator;
     private readonly ILoggerFactory _loggerFactory;
     private readonly ILogger<OpcUaApplicationHost> _logger;
     private ApplicationInstance? _application;
@@ -25,10 +27,11 @@ public sealed class OpcUaApplicationHost : IAsyncDisposable
     private bool _disposed;
 
     public OpcUaApplicationHost(OpcUaServerOptions options, DriverHost driverHost,
-        ILoggerFactory loggerFactory, ILogger<OpcUaApplicationHost> logger)
+        IUserAuthenticator authenticator, ILoggerFactory loggerFactory, ILogger<OpcUaApplicationHost> logger)
     {
         _options = options;
         _driverHost = driverHost;
+        _authenticator = authenticator;
         _loggerFactory = loggerFactory;
         _logger = logger;
     }
@@ -55,7 +58,7 @@ public sealed class OpcUaApplicationHost : IAsyncDisposable
             throw new InvalidOperationException(
                 $"OPC UA application certificate could not be validated or created in {_options.PkiStoreRoot}");
 
-        _server = new OtOpcUaServer(_driverHost, _loggerFactory);
+        _server = new OtOpcUaServer(_driverHost, _authenticator, _loggerFactory);
         await _application.Start(_server).ConfigureAwait(false);
 
         _logger.LogInformation("OPC UA server started — endpoint={Endpoint} driverCount={Count}",
@@ -126,22 +129,8 @@ public sealed class OpcUaApplicationHost : IAsyncDisposable
             ServerConfiguration = new ServerConfiguration
             {
                 BaseAddresses = new StringCollection { _options.EndpointUrl },
-                SecurityPolicies = new ServerSecurityPolicyCollection
-                {
-                    new ServerSecurityPolicy
-                    {
-                        SecurityMode = MessageSecurityMode.None,
-                        SecurityPolicyUri = SecurityPolicies.None,
-                    },
-                },
-                UserTokenPolicies = new UserTokenPolicyCollection
-                {
-                    new UserTokenPolicy(UserTokenType.Anonymous)
-                    {
-                        PolicyId = "Anonymous",
-                        SecurityPolicyUri = SecurityPolicies.None,
-                    },
-                },
+                SecurityPolicies = BuildSecurityPolicies(),
+                UserTokenPolicies = BuildUserTokenPolicies(),
                 MinRequestThreadCount = 5,
                 MaxRequestThreadCount = 100,
                 MaxQueuedRequestCount = 200,
@@ -164,6 +153,58 @@ public sealed class OpcUaApplicationHost : IAsyncDisposable
         return cfg;
     }
 
+    private ServerSecurityPolicyCollection BuildSecurityPolicies()
+    {
+        var policies = new ServerSecurityPolicyCollection
+        {
+            // Keep the None policy present so legacy clients can discover + browse. Locked-down
+            // deployments remove this by setting Ldap.Enabled=true + dropping None here; left in
+            // for PR 19 so the PR 17 test harness continues to pass unchanged.
+            new ServerSecurityPolicy
+            {
+                SecurityMode = MessageSecurityMode.None,
+                SecurityPolicyUri = SecurityPolicies.None,
+            },
+        };
+
+        if (_options.SecurityProfile == OpcUaSecurityProfile.Basic256Sha256SignAndEncrypt)
+        {
+            policies.Add(new ServerSecurityPolicy
+            {
+                SecurityMode = MessageSecurityMode.SignAndEncrypt,
+                SecurityPolicyUri = SecurityPolicies.Basic256Sha256,
+            });
+        }
+
+        return policies;
+    }
+
+    private UserTokenPolicyCollection BuildUserTokenPolicies()
+    {
+        var tokens = new UserTokenPolicyCollection
+        {
+            new UserTokenPolicy(UserTokenType.Anonymous)
+            {
+                PolicyId = "Anonymous",
+                SecurityPolicyUri = SecurityPolicies.None,
+            },
+        };
+
+        if (_options.SecurityProfile == OpcUaSecurityProfile.Basic256Sha256SignAndEncrypt
+            && _options.Ldap.Enabled)
+        {
+            tokens.Add(new UserTokenPolicy(UserTokenType.UserName)
+            {
+                PolicyId = "UserName",
+                // Passwords must ride an encrypted channel — scope this token to Basic256Sha256
+                // so the stack rejects any attempt to send UserName over the None endpoint.
+                SecurityPolicyUri = SecurityPolicies.Basic256Sha256,
+            });
+        }
+
+        return tokens;
+    }
+
     public async ValueTask DisposeAsync()
     {
         if (_disposed) return;

src/ZB.MOM.WW.OtOpcUa.Server/OpcUa/OpcUaServerOptions.cs

@@ -1,5 +1,23 @@
+using ZB.MOM.WW.OtOpcUa.Server.Security;
+
 namespace ZB.MOM.WW.OtOpcUa.Server.OpcUa;
 
+/// <summary>
+///     OPC UA transport security profile selector. Controls which <c>ServerSecurityPolicy</c>
+///     entries the endpoint advertises + which token types the <c>UserTokenPolicies</c> permits.
+/// </summary>
+public enum OpcUaSecurityProfile
+{
+    /// <summary>Anonymous only on <c>SecurityPolicies.None</c> — dev-only, no signing or encryption.</summary>
+    None,
+
+    /// <summary>
+    ///     <c>Basic256Sha256 SignAndEncrypt</c> with <c>UserName</c> and <c>Anonymous</c> token
+    ///     policies. Clients must present a valid application certificate + user credentials.
+    /// </summary>
+    Basic256Sha256SignAndEncrypt,
+}
+
 /// <summary>
 ///     OPC UA server endpoint + application-identity configuration. Bound from the
 ///     <c>OpcUaServer</c> section of <c>appsettings.json</c>. PR 17 minimum-viable scope: no LDAP,
@@ -39,4 +57,18 @@ public sealed class OpcUaServerOptions
     ///     Admin UI.
     /// </summary>
     public bool AutoAcceptUntrustedClientCertificates { get; init; } = true;
+
+    /// <summary>
+    ///     Security profile advertised on the endpoint. Default <see cref="OpcUaSecurityProfile.None"/>
+    ///     preserves the PR 17 endpoint shape; set to <see cref="OpcUaSecurityProfile.Basic256Sha256SignAndEncrypt"/>
+    ///     for production deployments with LDAP-backed UserName auth.
+    /// </summary>
+    public OpcUaSecurityProfile SecurityProfile { get; init; } = OpcUaSecurityProfile.None;
+
+    /// <summary>
+    ///     LDAP binding for UserName token validation. Only consulted when the active
+    ///     <see cref="SecurityProfile"/> advertises a UserName token policy. When
+    ///     <c>LdapOptions.Enabled = false</c>, UserName token attempts are rejected.
+    /// </summary>
+    public LdapOptions Ldap { get; init; } = new();
 }

src/ZB.MOM.WW.OtOpcUa.Server/OpcUa/OtOpcUaServer.cs

@@ -5,6 +5,7 @@ using Opc.Ua.Server;
 using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
 using ZB.MOM.WW.OtOpcUa.Core.Hosting;
 using ZB.MOM.WW.OtOpcUa.Core.OpcUa;
+using ZB.MOM.WW.OtOpcUa.Server.Security;
 
 namespace ZB.MOM.WW.OtOpcUa.Server.OpcUa;
 
@@ -17,12 +18,14 @@ namespace ZB.MOM.WW.OtOpcUa.Server.OpcUa;
 public sealed class OtOpcUaServer : StandardServer
 {
     private readonly DriverHost _driverHost;
+    private readonly IUserAuthenticator _authenticator;
     private readonly ILoggerFactory _loggerFactory;
     private readonly List<DriverNodeManager> _driverNodeManagers = new();
 
-    public OtOpcUaServer(DriverHost driverHost, ILoggerFactory loggerFactory)
+    public OtOpcUaServer(DriverHost driverHost, IUserAuthenticator authenticator, ILoggerFactory loggerFactory)
     {
         _driverHost = driverHost;
+        _authenticator = authenticator;
         _loggerFactory = loggerFactory;
     }
 
@@ -50,6 +53,63 @@ public sealed class OtOpcUaServer : StandardServer
         return new MasterNodeManager(server, configuration, null, _driverNodeManagers.ToArray());
     }
 
+    protected override void OnServerStarted(IServerInternal server)
+    {
+        base.OnServerStarted(server);
+        // Hook UserName / Anonymous token validation here. Anonymous passes through; UserName
+        // is validated against the IUserAuthenticator (LDAP in production). Rejected identities
+        // throw ServiceResultException which the stack translates to Bad_IdentityTokenInvalid.
+        server.SessionManager.ImpersonateUser += OnImpersonateUser;
+    }
+
+    private void OnImpersonateUser(Session session, ImpersonateEventArgs args)
+    {
+        switch (args.NewIdentity)
+        {
+            case AnonymousIdentityToken:
+                args.Identity = new UserIdentity(); // anonymous
+                return;
+
+            case UserNameIdentityToken user:
+            {
+                var result = _authenticator.AuthenticateAsync(
+                    user.UserName, user.DecryptedPassword, CancellationToken.None)
+                    .GetAwaiter().GetResult();
+                if (!result.Success)
+                {
+                    throw ServiceResultException.Create(
+                        StatusCodes.BadUserAccessDenied,
+                        "Invalid username or password ({0})", result.Error ?? "no detail");
+                }
+                args.Identity = new RoleBasedIdentity(user.UserName, result.DisplayName, result.Roles);
+                return;
+            }
+
+            default:
+                throw ServiceResultException.Create(
+                    StatusCodes.BadIdentityTokenInvalid,
+                    "Unsupported user identity token type: {0}", args.NewIdentity?.GetType().Name ?? "null");
+        }
+    }
+
+    /// <summary>
+    ///     Tiny UserIdentity carrier that preserves the resolved roles so downstream node
+    ///     managers can gate writes by role via <c>session.Identity</c>. Anonymous identity still
+    ///     uses the stack's default.
+    /// </summary>
+    private sealed class RoleBasedIdentity : UserIdentity, IRoleBearer
+    {
+        public IReadOnlyList<string> Roles { get; }
+        public string? Display { get; }
+
+        public RoleBasedIdentity(string userName, string? displayName, IReadOnlyList<string> roles)
+            : base(userName, "")
+        {
+            Display = displayName;
+            Roles = roles;
+        }
+    }
+
     protected override ServerProperties LoadServerProperties() => new()
     {
         ManufacturerName = "OtOpcUa",

src/ZB.MOM.WW.OtOpcUa.Server/Program.cs

@@ -1,11 +1,13 @@
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
+using Microsoft.Extensions.Logging;
 using Serilog;
 using ZB.MOM.WW.OtOpcUa.Configuration.LocalCache;
 using ZB.MOM.WW.OtOpcUa.Core.Hosting;
 using ZB.MOM.WW.OtOpcUa.Server;
 using ZB.MOM.WW.OtOpcUa.Server.OpcUa;
+using ZB.MOM.WW.OtOpcUa.Server.Security;
 
 var builder = Host.CreateApplicationBuilder(args);
 
@@ -31,6 +33,20 @@ var options = new NodeOptions
 };
 
 var opcUaSection = builder.Configuration.GetSection(OpcUaServerOptions.SectionName);
+var ldapSection = opcUaSection.GetSection("Ldap");
+var ldapOptions = new LdapOptions
+{
+    Enabled = ldapSection.GetValue<bool?>("Enabled") ?? false,
+    Server = ldapSection.GetValue<string>("Server") ?? "localhost",
+    Port = ldapSection.GetValue<int?>("Port") ?? 3893,
+    UseTls = ldapSection.GetValue<bool?>("UseTls") ?? false,
+    AllowInsecureLdap = ldapSection.GetValue<bool?>("AllowInsecureLdap") ?? true,
+    SearchBase = ldapSection.GetValue<string>("SearchBase") ?? "dc=lmxopcua,dc=local",
+    ServiceAccountDn = ldapSection.GetValue<string>("ServiceAccountDn") ?? string.Empty,
+    ServiceAccountPassword = ldapSection.GetValue<string>("ServiceAccountPassword") ?? string.Empty,
+    GroupToRole = ldapSection.GetSection("GroupToRole").Get<Dictionary<string, string>>() ?? new(StringComparer.OrdinalIgnoreCase),
+};
+
 var opcUaOptions = new OpcUaServerOptions
 {
     EndpointUrl = opcUaSection.GetValue<string>("EndpointUrl") ?? "opc.tcp://0.0.0.0:4840/OtOpcUa",
@@ -39,10 +55,17 @@ var opcUaOptions = new OpcUaServerOptions
     PkiStoreRoot = opcUaSection.GetValue<string>("PkiStoreRoot")
                    ?? Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData), "OtOpcUa", "pki"),
     AutoAcceptUntrustedClientCertificates = opcUaSection.GetValue<bool?>("AutoAcceptUntrustedClientCertificates") ?? true,
+    SecurityProfile = Enum.TryParse<OpcUaSecurityProfile>(opcUaSection.GetValue<string>("SecurityProfile"), true, out var p)
+        ? p : OpcUaSecurityProfile.None,
+    Ldap = ldapOptions,
 };
 
 builder.Services.AddSingleton(options);
 builder.Services.AddSingleton(opcUaOptions);
+builder.Services.AddSingleton(ldapOptions);
+builder.Services.AddSingleton<IUserAuthenticator>(sp => ldapOptions.Enabled
+    ? new LdapUserAuthenticator(ldapOptions, sp.GetRequiredService<ILogger<LdapUserAuthenticator>>())
+    : new DenyAllUserAuthenticator());
 builder.Services.AddSingleton<ILocalConfigCache>(_ => new LiteDbConfigCache(options.LocalCachePath));
 builder.Services.AddSingleton<DriverHost>();
 builder.Services.AddSingleton<NodeBootstrap>();

src/ZB.MOM.WW.OtOpcUa.Server/Security/IRoleBearer.cs

@@ -0,0 +1,13 @@
+namespace ZB.MOM.WW.OtOpcUa.Server.Security;
+
+/// <summary>
+///     Minimal interface a <see cref="Opc.Ua.IUserIdentity"/> implementation can expose so
+///     <see cref="ZB.MOM.WW.OtOpcUa.Server.OpcUa.DriverNodeManager"/> can read the session's
+///     resolved roles without a hard dependency on any specific identity subtype. Implemented
+///     by <c>OtOpcUaServer.RoleBasedIdentity</c>; tests implement it with stub identities to
+///     drive the authz policy under different role sets.
+/// </summary>
+public interface IRoleBearer
+{
+    IReadOnlyList<string> Roles { get; }
+}

src/ZB.MOM.WW.OtOpcUa.Server/Security/IUserAuthenticator.cs

@@ -0,0 +1,23 @@
+namespace ZB.MOM.WW.OtOpcUa.Server.Security;
+
+/// <summary>
+///     Validates a (username, password) pair and returns the resolved OPC UA roles for the user.
+///     The Server's <c>SessionManager_ImpersonateUser</c> hook delegates here so unit tests can
+///     swap in a fake authenticator without a live LDAP.
+/// </summary>
+public interface IUserAuthenticator
+{
+    Task<UserAuthResult> AuthenticateAsync(string username, string password, CancellationToken ct = default);
+}
+
+public sealed record UserAuthResult(bool Success, string? DisplayName, IReadOnlyList<string> Roles, string? Error);
+
+/// <summary>
+///     Always-reject authenticator used when no security config is provided. Lets the server
+///     start (with only an anonymous endpoint) without throwing on UserName token attempts.
+/// </summary>
+public sealed class DenyAllUserAuthenticator : IUserAuthenticator
+{
+    public Task<UserAuthResult> AuthenticateAsync(string _, string __, CancellationToken ___)
+        => Task.FromResult(new UserAuthResult(false, null, [], "UserName token not supported"));
+}

src/ZB.MOM.WW.OtOpcUa.Server/Security/LdapOptions.cs

@@ -0,0 +1,32 @@
+namespace ZB.MOM.WW.OtOpcUa.Server.Security;
+
+/// <summary>
+///     LDAP settings for the OPC UA server's UserName token validator. Bound from
+///     <c>appsettings.json</c> <c>OpcUaServer:Ldap</c>. Defaults match the GLAuth dev instance
+///     (localhost:3893, dc=lmxopcua,dc=local). Production deployments set <see cref="UseTls"/>
+///     true, populate <see cref="ServiceAccountDn"/> for search-then-bind, and maintain
+///     <see cref="GroupToRole"/> with the real LDAP group names.
+/// </summary>
+public sealed class LdapOptions
+{
+    public bool Enabled { get; init; } = false;
+    public string Server { get; init; } = "localhost";
+    public int Port { get; init; } = 3893;
+    public bool UseTls { get; init; } = false;
+
+    /// <summary>Dev-only escape hatch — must be false in production.</summary>
+    public bool AllowInsecureLdap { get; init; } = true;
+
+    public string SearchBase { get; init; } = "dc=lmxopcua,dc=local";
+    public string ServiceAccountDn { get; init; } = string.Empty;
+    public string ServiceAccountPassword { get; init; } = string.Empty;
+    public string DisplayNameAttribute { get; init; } = "cn";
+    public string GroupAttribute { get; init; } = "memberOf";
+
+    /// <summary>
+    ///     LDAP group → OPC UA role. Each authenticated user gets every role whose source group
+    ///     is in their membership list. Recognized role names (CLAUDE.md): <c>ReadOnly</c> (browse
+    ///     + read), <c>WriteOperate</c>, <c>WriteTune</c>, <c>WriteConfigure</c>, <c>AlarmAck</c>.
+    /// </summary>
+    public Dictionary<string, string> GroupToRole { get; init; } = new(StringComparer.OrdinalIgnoreCase);
+}

src/ZB.MOM.WW.OtOpcUa.Server/Security/LdapUserAuthenticator.cs

@@ -0,0 +1,151 @@
+using Microsoft.Extensions.Logging;
+using Novell.Directory.Ldap;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.Security;
+
+/// <summary>
+///     <see cref="IUserAuthenticator"/> that binds to the configured LDAP directory to validate
+///     the (username, password) pair, then pulls group membership and maps to OPC UA roles.
+///     Mirrors the bind-then-search pattern in <c>Admin.Security.LdapAuthService</c> but stays
+///     in the Server project so the Server process doesn't take a cross-app dependency on Admin.
+/// </summary>
+public sealed class LdapUserAuthenticator(LdapOptions options, ILogger<LdapUserAuthenticator> logger)
+    : IUserAuthenticator
+{
+    public async Task<UserAuthResult> AuthenticateAsync(string username, string password, CancellationToken ct = default)
+    {
+        if (!options.Enabled)
+            return new UserAuthResult(false, null, [], "LDAP authentication disabled");
+        if (string.IsNullOrWhiteSpace(username) || string.IsNullOrWhiteSpace(password))
+            return new UserAuthResult(false, null, [], "Credentials required");
+
+        if (!options.UseTls && !options.AllowInsecureLdap)
+            return new UserAuthResult(false, null, [],
+                "Insecure LDAP is disabled. Set UseTls or AllowInsecureLdap for dev/test.");
+
+        try
+        {
+            using var conn = new LdapConnection();
+            if (options.UseTls) conn.SecureSocketLayer = true;
+            await Task.Run(() => conn.Connect(options.Server, options.Port), ct);
+
+            var bindDn = await ResolveUserDnAsync(conn, username, ct);
+            await Task.Run(() => conn.Bind(bindDn, password), ct);
+
+            // Rebind as service account for attribute read, if configured — otherwise the just-
+            // bound user reads their own entry (works when ACL permits self-read).
+            if (!string.IsNullOrWhiteSpace(options.ServiceAccountDn))
+                await Task.Run(() => conn.Bind(options.ServiceAccountDn, options.ServiceAccountPassword), ct);
+
+            var displayName = username;
+            var groups = new List<string>();
+
+            try
+            {
+                var filter = $"(cn={EscapeLdapFilter(username)})";
+                var results = await Task.Run(() =>
+                    conn.Search(options.SearchBase, LdapConnection.ScopeSub, filter, attrs: null, typesOnly: false), ct);
+
+                while (results.HasMore())
+                {
+                    try
+                    {
+                        var entry = results.Next();
+                        var name = entry.GetAttribute(options.DisplayNameAttribute);
+                        if (name is not null) displayName = name.StringValue;
+
+                        var groupAttr = entry.GetAttribute(options.GroupAttribute);
+                        if (groupAttr is not null)
+                        {
+                            foreach (var groupDn in groupAttr.StringValueArray)
+                                groups.Add(ExtractFirstRdnValue(groupDn));
+                        }
+
+                        // GLAuth fallback: primary group is encoded as the ou= RDN above cn=.
+                        if (groups.Count == 0 && !string.IsNullOrEmpty(entry.Dn))
+                        {
+                            var primary = ExtractOuSegment(entry.Dn);
+                            if (primary is not null) groups.Add(primary);
+                        }
+                    }
+                    catch (LdapException) { break; }
+                }
+            }
+            catch (LdapException ex)
+            {
+                logger.LogWarning(ex, "LDAP attribute lookup failed for {User}", username);
+            }
+
+            conn.Disconnect();
+
+            var roles = groups
+                .Where(g => options.GroupToRole.ContainsKey(g))
+                .Select(g => options.GroupToRole[g])
+                .Distinct(StringComparer.OrdinalIgnoreCase)
+                .ToList();
+
+            return new UserAuthResult(true, displayName, roles, null);
+        }
+        catch (LdapException ex)
+        {
+            logger.LogInformation("LDAP bind rejected user {User}: {Reason}", username, ex.ResultCode);
+            return new UserAuthResult(false, null, [], "Invalid username or password");
+        }
+        catch (Exception ex) when (ex is not OperationCanceledException)
+        {
+            logger.LogError(ex, "Unexpected LDAP error for {User}", username);
+            return new UserAuthResult(false, null, [], "Authentication error");
+        }
+    }
+
+    private async Task<string> ResolveUserDnAsync(LdapConnection conn, string username, CancellationToken ct)
+    {
+        if (username.Contains('=')) return username; // caller passed a DN directly
+
+        if (!string.IsNullOrWhiteSpace(options.ServiceAccountDn))
+        {
+            await Task.Run(() => conn.Bind(options.ServiceAccountDn, options.ServiceAccountPassword), ct);
+
+            var filter = $"(uid={EscapeLdapFilter(username)})";
+            var results = await Task.Run(() =>
+                conn.Search(options.SearchBase, LdapConnection.ScopeSub, filter, ["dn"], false), ct);
+
+            if (results.HasMore())
+                return results.Next().Dn;
+
+            throw new LdapException("User not found", LdapException.NoSuchObject,
+                $"No entry for uid={username}");
+        }
+
+        return string.IsNullOrWhiteSpace(options.SearchBase)
+            ? $"cn={username}"
+            : $"cn={username},{options.SearchBase}";
+    }
+
+    internal static string EscapeLdapFilter(string input) =>
+        input.Replace("\\", "\\5c")
+             .Replace("*", "\\2a")
+             .Replace("(", "\\28")
+             .Replace(")", "\\29")
+             .Replace("\0", "\\00");
+
+    internal static string? ExtractOuSegment(string dn)
+    {
+        foreach (var segment in dn.Split(','))
+        {
+            var trimmed = segment.Trim();
+            if (trimmed.StartsWith("ou=", StringComparison.OrdinalIgnoreCase))
+                return trimmed[3..];
+        }
+        return null;
+    }
+
+    internal static string ExtractFirstRdnValue(string dn)
+    {
+        var eq = dn.IndexOf('=');
+        if (eq < 0) return dn;
+        var valueStart = eq + 1;
+        var comma = dn.IndexOf(',', valueStart);
+        return comma > valueStart ? dn[valueStart..comma] : dn[valueStart..];
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Server/Security/WriteAuthzPolicy.cs

@@ -0,0 +1,70 @@
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.Security;
+
+/// <summary>
+///     Server-layer write-authorization policy. ACL enforcement lives here — drivers report
+///     <see cref="SecurityClassification"/> as discovery metadata only; the server decides
+///     whether a given session is allowed to write a given attribute by checking the session's
+///     roles (resolved at login via <see cref="LdapUserAuthenticator"/>) against the required
+///     role for the attribute's classification.
+/// </summary>
+/// <remarks>
+///     Matches the table in <c>docs/Configuration.md</c>:
+///     <list type="bullet">
+///         <item><c>FreeAccess</c>: no role required — anonymous sessions can write (matches v1 default).</item>
+///         <item><c>Operate</c> / <c>SecuredWrite</c>: <c>WriteOperate</c> role required.</item>
+///         <item><c>Tune</c>: <c>WriteTune</c> role required.</item>
+///         <item><c>VerifiedWrite</c> / <c>Configure</c>: <c>WriteConfigure</c> role required.</item>
+///         <item><c>ViewOnly</c>: no role grants write access.</item>
+///     </list>
+///     <c>AlarmAck</c> is checked at the alarm-acknowledge path, not here.
+/// </remarks>
+public static class WriteAuthzPolicy
+{
+    public const string RoleWriteOperate = "WriteOperate";
+    public const string RoleWriteTune = "WriteTune";
+    public const string RoleWriteConfigure = "WriteConfigure";
+
+    /// <summary>
+    ///     Decide whether a session with <paramref name="userRoles"/> is allowed to write to an
+    ///     attribute with the given <paramref name="classification"/>. Returns true for
+    ///     <c>FreeAccess</c> regardless of roles (including empty / anonymous sessions) and
+    ///     false for <c>ViewOnly</c> regardless of roles. Every other classification requires
+    ///     the session to carry the mapped role — case-insensitive match.
+    /// </summary>
+    public static bool IsAllowed(SecurityClassification classification, IReadOnlyCollection<string> userRoles)
+    {
+        if (classification == SecurityClassification.FreeAccess) return true;
+        if (classification == SecurityClassification.ViewOnly) return false;
+
+        var required = RequiredRole(classification);
+        if (required is null) return false;
+
+        foreach (var r in userRoles)
+        {
+            if (string.Equals(r, required, StringComparison.OrdinalIgnoreCase))
+                return true;
+        }
+        return false;
+    }
+
+    /// <summary>
+    ///     Required role for a classification, or null when no role grants access
+    ///     (<see cref="SecurityClassification.ViewOnly"/>) or no role is needed
+    ///     (<see cref="SecurityClassification.FreeAccess"/> — also returns null; callers use
+    ///     <see cref="IsAllowed"/> which handles the special-cases rather than branching on
+    ///     null themselves).
+    /// </summary>
+    public static string? RequiredRole(SecurityClassification classification) => classification switch
+    {
+        SecurityClassification.FreeAccess => null, // IsAllowed short-circuits
+        SecurityClassification.Operate => RoleWriteOperate,
+        SecurityClassification.SecuredWrite => RoleWriteOperate,
+        SecurityClassification.Tune => RoleWriteTune,
+        SecurityClassification.VerifiedWrite => RoleWriteConfigure,
+        SecurityClassification.Configure => RoleWriteConfigure,
+        SecurityClassification.ViewOnly => null, // IsAllowed short-circuits
+        _ => null,
+    };
+}

src/ZB.MOM.WW.OtOpcUa.Server/ZB.MOM.WW.OtOpcUa.Server.csproj

@@ -23,12 +23,17 @@
         <PackageReference Include="Serilog.Sinks.File" Version="7.0.0"/>
         <PackageReference Include="OPCFoundation.NetStandard.Opc.Ua.Server" Version="1.5.374.126"/>
         <PackageReference Include="OPCFoundation.NetStandard.Opc.Ua.Configuration" Version="1.5.374.126"/>
+        <PackageReference Include="Novell.Directory.Ldap.NETStandard" Version="3.6.0"/>
     </ItemGroup>
 
     <ItemGroup>
         <ProjectReference Include="..\ZB.MOM.WW.OtOpcUa.Core\ZB.MOM.WW.OtOpcUa.Core.csproj"/>
     </ItemGroup>
 
+    <ItemGroup>
+        <InternalsVisibleTo Include="ZB.MOM.WW.OtOpcUa.Server.Tests"/>
+    </ItemGroup>
+
     <ItemGroup>
         <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-37gx-xxp4-5rgx"/>
         <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-w3x6-4m5h-cxqf"/>

tests/ZB.MOM.WW.OtOpcUa.Admin.Tests/CertTrustServiceTests.cs

@@ -0,0 +1,153 @@
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
+using Microsoft.Extensions.Logging.Abstractions;
+using Microsoft.Extensions.Options;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Admin.Services;
+
+namespace ZB.MOM.WW.OtOpcUa.Admin.Tests;
+
+[Trait("Category", "Unit")]
+public sealed class CertTrustServiceTests : IDisposable
+{
+    private readonly string _root;
+
+    public CertTrustServiceTests()
+    {
+        _root = Path.Combine(Path.GetTempPath(), $"otopcua-cert-test-{Guid.NewGuid():N}");
+        Directory.CreateDirectory(Path.Combine(_root, "rejected", "certs"));
+        Directory.CreateDirectory(Path.Combine(_root, "trusted", "certs"));
+    }
+
+    public void Dispose()
+    {
+        if (Directory.Exists(_root)) Directory.Delete(_root, recursive: true);
+    }
+
+    private CertTrustService Service() => new(
+        Options.Create(new CertTrustOptions { PkiStoreRoot = _root }),
+        NullLogger<CertTrustService>.Instance);
+
+    private X509Certificate2 WriteTestCert(CertStoreKind kind, string subject)
+    {
+        using var rsa = RSA.Create(2048);
+        var req = new CertificateRequest($"CN={subject}", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
+        var cert = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));
+        var dir = Path.Combine(_root, kind == CertStoreKind.Rejected ? "rejected" : "trusted", "certs");
+        var path = Path.Combine(dir, $"{subject} [{cert.Thumbprint}].der");
+        File.WriteAllBytes(path, cert.Export(X509ContentType.Cert));
+        return cert;
+    }
+
+    [Fact]
+    public void ListRejected_returns_parsed_cert_info_for_each_der_in_rejected_certs_dir()
+    {
+        var c = WriteTestCert(CertStoreKind.Rejected, "test-client-A");
+
+        var rows = Service().ListRejected();
+
+        rows.Count.ShouldBe(1);
+        rows[0].Thumbprint.ShouldBe(c.Thumbprint);
+        rows[0].Subject.ShouldContain("test-client-A");
+        rows[0].Store.ShouldBe(CertStoreKind.Rejected);
+    }
+
+    [Fact]
+    public void ListTrusted_is_separate_from_rejected()
+    {
+        WriteTestCert(CertStoreKind.Rejected, "rej");
+        WriteTestCert(CertStoreKind.Trusted, "trust");
+
+        var svc = Service();
+        svc.ListRejected().Count.ShouldBe(1);
+        svc.ListTrusted().Count.ShouldBe(1);
+        svc.ListRejected()[0].Subject.ShouldContain("rej");
+        svc.ListTrusted()[0].Subject.ShouldContain("trust");
+    }
+
+    [Fact]
+    public void TrustRejected_moves_file_from_rejected_to_trusted()
+    {
+        var c = WriteTestCert(CertStoreKind.Rejected, "promoteme");
+        var svc = Service();
+
+        svc.TrustRejected(c.Thumbprint).ShouldBeTrue();
+
+        svc.ListRejected().ShouldBeEmpty();
+        var trusted = svc.ListTrusted();
+        trusted.Count.ShouldBe(1);
+        trusted[0].Thumbprint.ShouldBe(c.Thumbprint);
+    }
+
+    [Fact]
+    public void TrustRejected_returns_false_when_thumbprint_not_in_rejected()
+    {
+        var svc = Service();
+        svc.TrustRejected("00DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF").ShouldBeFalse();
+    }
+
+    [Fact]
+    public void DeleteRejected_removes_the_file()
+    {
+        var c = WriteTestCert(CertStoreKind.Rejected, "killme");
+        var svc = Service();
+
+        svc.DeleteRejected(c.Thumbprint).ShouldBeTrue();
+        svc.ListRejected().ShouldBeEmpty();
+    }
+
+    [Fact]
+    public void UntrustCert_removes_from_trusted_only()
+    {
+        var c = WriteTestCert(CertStoreKind.Trusted, "revoke");
+        var svc = Service();
+
+        svc.UntrustCert(c.Thumbprint).ShouldBeTrue();
+        svc.ListTrusted().ShouldBeEmpty();
+    }
+
+    [Fact]
+    public void Thumbprint_match_is_case_insensitive()
+    {
+        var c = WriteTestCert(CertStoreKind.Rejected, "case");
+        var svc = Service();
+
+        // X509Certificate2.Thumbprint is upper-case hex; operators pasting from logs often
+        // lowercase it. IsAllowed-style case-insensitive match keeps the UX forgiving.
+        svc.TrustRejected(c.Thumbprint.ToLowerInvariant()).ShouldBeTrue();
+    }
+
+    [Fact]
+    public void Missing_store_directories_produce_empty_lists_not_exceptions()
+    {
+        // Fresh root with no certs subfolder — service should tolerate a pristine install.
+        var altRoot = Path.Combine(Path.GetTempPath(), $"otopcua-cert-empty-{Guid.NewGuid():N}");
+        try
+        {
+            var svc = new CertTrustService(
+                Options.Create(new CertTrustOptions { PkiStoreRoot = altRoot }),
+                NullLogger<CertTrustService>.Instance);
+            svc.ListRejected().ShouldBeEmpty();
+            svc.ListTrusted().ShouldBeEmpty();
+        }
+        finally
+        {
+            if (Directory.Exists(altRoot)) Directory.Delete(altRoot, recursive: true);
+        }
+    }
+
+    [Fact]
+    public void Malformed_file_is_skipped_not_fatal()
+    {
+        // Drop junk bytes that don't parse as a cert into the rejected/certs directory. The
+        // service must skip it and still return the valid certs — one bad file can't take the
+        // whole management page offline.
+        File.WriteAllText(Path.Combine(_root, "rejected", "certs", "junk.der"), "not a cert");
+        var c = WriteTestCert(CertStoreKind.Rejected, "valid");
+
+        var rows = Service().ListRejected();
+        rows.Count.ShouldBe(1);
+        rows[0].Thumbprint.ShouldBe(c.Thumbprint);
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.Tests/ModbusDataTypeTests.cs

@@ -0,0 +1,175 @@
+using System.Buffers.Binary;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Driver.Modbus;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Modbus.Tests;
+
+[Trait("Category", "Unit")]
+public sealed class ModbusDataTypeTests
+{
+    /// <summary>
+    ///     Register-count lookup is per-tag now (strings need StringLength; Int64/Float64 need 4).
+    /// </summary>
+    [Theory]
+    [InlineData(ModbusDataType.BitInRegister, 1)]
+    [InlineData(ModbusDataType.Int16, 1)]
+    [InlineData(ModbusDataType.UInt16, 1)]
+    [InlineData(ModbusDataType.Int32, 2)]
+    [InlineData(ModbusDataType.UInt32, 2)]
+    [InlineData(ModbusDataType.Float32, 2)]
+    [InlineData(ModbusDataType.Int64, 4)]
+    [InlineData(ModbusDataType.UInt64, 4)]
+    [InlineData(ModbusDataType.Float64, 4)]
+    public void RegisterCount_returns_correct_register_count_per_type(ModbusDataType t, int expected)
+    {
+        var tag = new ModbusTagDefinition("T", ModbusRegion.HoldingRegisters, 0, t);
+        ModbusDriver.RegisterCount(tag).ShouldBe((ushort)expected);
+    }
+
+    [Theory]
+    [InlineData(0, 1)]   // 0 chars → still 1 byte / 1 register (pathological but well-defined: length 0 is 0 bytes)
+    [InlineData(1, 1)]
+    [InlineData(2, 1)]
+    [InlineData(3, 2)]
+    [InlineData(10, 5)]
+    public void RegisterCount_for_String_rounds_up_to_register_pair(ushort chars, int expectedRegs)
+    {
+        var tag = new ModbusTagDefinition("T", ModbusRegion.HoldingRegisters, 0, ModbusDataType.String, StringLength: chars);
+        // 0-char is encoded as 0 regs; the test case expects 1 for lengths 1-2, 2 for 3-4, etc.
+        if (chars == 0) ModbusDriver.RegisterCount(tag).ShouldBe((ushort)0);
+        else ModbusDriver.RegisterCount(tag).ShouldBe((ushort)expectedRegs);
+    }
+
+    // --- Int32 / UInt32 / Float32 with byte-order variants ---
+
+    [Fact]
+    public void Int32_BigEndian_decodes_ABCD_layout()
+    {
+        // Value 0x12345678 → bytes [0x12, 0x34, 0x56, 0x78] as PLC wrote them.
+        var tag = new ModbusTagDefinition("T", ModbusRegion.HoldingRegisters, 0, ModbusDataType.Int32,
+            ByteOrder: ModbusByteOrder.BigEndian);
+        var bytes = new byte[] { 0x12, 0x34, 0x56, 0x78 };
+        ModbusDriver.DecodeRegister(bytes, tag).ShouldBe(0x12345678);
+    }
+
+    [Fact]
+    public void Int32_WordSwap_decodes_CDAB_layout()
+    {
+        // Siemens/AB PLC stored 0x12345678 as register[0] = 0x5678, register[1] = 0x1234.
+        // Wire bytes are [0x56, 0x78, 0x12, 0x34]; with ByteOrder=WordSwap we get 0x12345678 back.
+        var tag = new ModbusTagDefinition("T", ModbusRegion.HoldingRegisters, 0, ModbusDataType.Int32,
+            ByteOrder: ModbusByteOrder.WordSwap);
+        var bytes = new byte[] { 0x56, 0x78, 0x12, 0x34 };
+        ModbusDriver.DecodeRegister(bytes, tag).ShouldBe(0x12345678);
+    }
+
+    [Fact]
+    public void Float32_WordSwap_encode_decode_roundtrips()
+    {
+        var tag = new ModbusTagDefinition("T", ModbusRegion.HoldingRegisters, 0, ModbusDataType.Float32,
+            ByteOrder: ModbusByteOrder.WordSwap);
+        var wire = ModbusDriver.EncodeRegister(25.5f, tag);
+        wire.Length.ShouldBe(4);
+        ModbusDriver.DecodeRegister(wire, tag).ShouldBe(25.5f);
+    }
+
+    // --- Int64 / UInt64 / Float64 ---
+
+    [Fact]
+    public void Int64_BigEndian_roundtrips()
+    {
+        var tag = new ModbusTagDefinition("T", ModbusRegion.HoldingRegisters, 0, ModbusDataType.Int64);
+        var wire = ModbusDriver.EncodeRegister(0x0123456789ABCDEFL, tag);
+        wire.Length.ShouldBe(8);
+        BinaryPrimitives.ReadInt64BigEndian(wire).ShouldBe(0x0123456789ABCDEFL);
+        ModbusDriver.DecodeRegister(wire, tag).ShouldBe(0x0123456789ABCDEFL);
+    }
+
+    [Fact]
+    public void UInt64_WordSwap_reverses_four_words()
+    {
+        var tag = new ModbusTagDefinition("T", ModbusRegion.HoldingRegisters, 0, ModbusDataType.UInt64,
+            ByteOrder: ModbusByteOrder.WordSwap);
+        var value = 0xAABBCCDDEEFF0011UL;
+
+        var wireBE = new byte[8];
+        BinaryPrimitives.WriteUInt64BigEndian(wireBE, value);
+
+        // Word-swap layout: [word3, word2, word1, word0] where each word keeps its bytes big-endian.
+        var wireWS = new byte[] { wireBE[6], wireBE[7], wireBE[4], wireBE[5], wireBE[2], wireBE[3], wireBE[0], wireBE[1] };
+        ModbusDriver.DecodeRegister(wireWS, tag).ShouldBe(value);
+
+        var roundtrip = ModbusDriver.EncodeRegister(value, tag);
+        roundtrip.ShouldBe(wireWS);
+    }
+
+    [Fact]
+    public void Float64_roundtrips_under_word_swap()
+    {
+        var tag = new ModbusTagDefinition("T", ModbusRegion.HoldingRegisters, 0, ModbusDataType.Float64,
+            ByteOrder: ModbusByteOrder.WordSwap);
+        var wire = ModbusDriver.EncodeRegister(3.14159265358979d, tag);
+        wire.Length.ShouldBe(8);
+        ((double)ModbusDriver.DecodeRegister(wire, tag)!).ShouldBe(3.14159265358979d, tolerance: 1e-12);
+    }
+
+    // --- BitInRegister ---
+
+    [Theory]
+    [InlineData(0b0000_0000_0000_0001, 0, true)]
+    [InlineData(0b0000_0000_0000_0001, 1, false)]
+    [InlineData(0b1000_0000_0000_0000, 15, true)]
+    [InlineData(0b0100_0000_0100_0000, 6, true)]
+    [InlineData(0b0100_0000_0100_0000, 14, true)]
+    [InlineData(0b0100_0000_0100_0000, 7, false)]
+    public void BitInRegister_extracts_bit_at_index(ushort raw, byte bitIndex, bool expected)
+    {
+        var tag = new ModbusTagDefinition("T", ModbusRegion.HoldingRegisters, 0, ModbusDataType.BitInRegister,
+            BitIndex: bitIndex);
+        var bytes = new byte[] { (byte)(raw >> 8), (byte)(raw & 0xFF) };
+        ModbusDriver.DecodeRegister(bytes, tag).ShouldBe(expected);
+    }
+
+    [Fact]
+    public void BitInRegister_write_is_not_supported_in_PR24()
+    {
+        var tag = new ModbusTagDefinition("T", ModbusRegion.HoldingRegisters, 0, ModbusDataType.BitInRegister,
+            BitIndex: 5);
+        Should.Throw<InvalidOperationException>(() => ModbusDriver.EncodeRegister(true, tag))
+            .Message.ShouldContain("read-modify-write");
+    }
+
+    // --- String ---
+
+    [Fact]
+    public void String_decodes_ASCII_packed_two_chars_per_register()
+    {
+        var tag = new ModbusTagDefinition("T", ModbusRegion.HoldingRegisters, 0, ModbusDataType.String,
+            StringLength: 6);
+        // "HELLO!" = 0x48 0x45 0x4C 0x4C 0x4F 0x21 across 3 registers.
+        var bytes = "HELLO!"u8.ToArray();
+        ModbusDriver.DecodeRegister(bytes, tag).ShouldBe("HELLO!");
+    }
+
+    [Fact]
+    public void String_decode_truncates_at_first_nul()
+    {
+        var tag = new ModbusTagDefinition("T", ModbusRegion.HoldingRegisters, 0, ModbusDataType.String,
+            StringLength: 10);
+        var bytes = new byte[] { 0x48, 0x69, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
+        ModbusDriver.DecodeRegister(bytes, tag).ShouldBe("Hi");
+    }
+
+    [Fact]
+    public void String_encode_nul_pads_remaining_bytes()
+    {
+        var tag = new ModbusTagDefinition("T", ModbusRegion.HoldingRegisters, 0, ModbusDataType.String,
+            StringLength: 8);
+        var wire = ModbusDriver.EncodeRegister("Hi", tag);
+        wire.Length.ShouldBe(8);
+        wire[0].ShouldBe((byte)'H');
+        wire[1].ShouldBe((byte)'i');
+        for (var i = 2; i < 8; i++) wire[i].ShouldBe((byte)0);
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.Tests/ModbusDriverTests.cs

@@ -0,0 +1,244 @@
+using System.Buffers.Binary;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Driver.Modbus;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Modbus.Tests;
+
+[Trait("Category", "Unit")]
+public sealed class ModbusDriverTests
+{
+    /// <summary>
+    ///     In-memory Modbus TCP server impl that speaks the function codes the driver uses.
+    ///     Maintains a register/coil bank so Read/Write round-trips work.
+    /// </summary>
+    private sealed class FakeTransport : IModbusTransport
+    {
+        public readonly ushort[] HoldingRegisters = new ushort[256];
+        public readonly ushort[] InputRegisters = new ushort[256];
+        public readonly bool[] Coils = new bool[256];
+        public readonly bool[] DiscreteInputs = new bool[256];
+        public bool ForceConnectFail { get; set; }
+
+        public Task ConnectAsync(CancellationToken ct)
+            => ForceConnectFail ? Task.FromException(new InvalidOperationException("connect refused")) : Task.CompletedTask;
+
+        public Task<byte[]> SendAsync(byte unitId, byte[] pdu, CancellationToken ct)
+        {
+            var fc = pdu[0];
+            return fc switch
+            {
+                0x01 => Task.FromResult(ReadBits(pdu, Coils)),
+                0x02 => Task.FromResult(ReadBits(pdu, DiscreteInputs)),
+                0x03 => Task.FromResult(ReadRegs(pdu, HoldingRegisters)),
+                0x04 => Task.FromResult(ReadRegs(pdu, InputRegisters)),
+                0x05 => Task.FromResult(WriteCoil(pdu)),
+                0x06 => Task.FromResult(WriteSingleReg(pdu)),
+                0x10 => Task.FromResult(WriteMultipleRegs(pdu)),
+                _ => Task.FromException<byte[]>(new ModbusException(fc, 0x01, $"fc={fc} not supported by fake")),
+            };
+        }
+
+        private byte[] ReadBits(byte[] pdu, bool[] bank)
+        {
+            var addr = (ushort)((pdu[1] << 8) | pdu[2]);
+            var qty = (ushort)((pdu[3] << 8) | pdu[4]);
+            var byteCount = (byte)((qty + 7) / 8);
+            var resp = new byte[2 + byteCount];
+            resp[0] = pdu[0];
+            resp[1] = byteCount;
+            for (var i = 0; i < qty; i++)
+                if (bank[addr + i]) resp[2 + (i / 8)] |= (byte)(1 << (i % 8));
+            return resp;
+        }
+
+        private byte[] ReadRegs(byte[] pdu, ushort[] bank)
+        {
+            var addr = (ushort)((pdu[1] << 8) | pdu[2]);
+            var qty = (ushort)((pdu[3] << 8) | pdu[4]);
+            var byteCount = (byte)(qty * 2);
+            var resp = new byte[2 + byteCount];
+            resp[0] = pdu[0];
+            resp[1] = byteCount;
+            for (var i = 0; i < qty; i++)
+            {
+                resp[2 + i * 2] = (byte)(bank[addr + i] >> 8);
+                resp[3 + i * 2] = (byte)(bank[addr + i] & 0xFF);
+            }
+            return resp;
+        }
+
+        private byte[] WriteCoil(byte[] pdu)
+        {
+            var addr = (ushort)((pdu[1] << 8) | pdu[2]);
+            Coils[addr] = pdu[3] == 0xFF;
+            return pdu; // Modbus echoes the request on write success
+        }
+
+        private byte[] WriteSingleReg(byte[] pdu)
+        {
+            var addr = (ushort)((pdu[1] << 8) | pdu[2]);
+            HoldingRegisters[addr] = (ushort)((pdu[3] << 8) | pdu[4]);
+            return pdu;
+        }
+
+        private byte[] WriteMultipleRegs(byte[] pdu)
+        {
+            var addr = (ushort)((pdu[1] << 8) | pdu[2]);
+            var qty = (ushort)((pdu[3] << 8) | pdu[4]);
+            for (var i = 0; i < qty; i++)
+                HoldingRegisters[addr + i] = (ushort)((pdu[6 + i * 2] << 8) | pdu[7 + i * 2]);
+            return new byte[] { 0x10, pdu[1], pdu[2], pdu[3], pdu[4] };
+        }
+
+        public ValueTask DisposeAsync() => ValueTask.CompletedTask;
+    }
+
+    private static (ModbusDriver driver, FakeTransport fake) NewDriver(params ModbusTagDefinition[] tags)
+    {
+        var fake = new FakeTransport();
+        var opts = new ModbusDriverOptions { Host = "fake", Tags = tags };
+        var drv = new ModbusDriver(opts, "modbus-1", _ => fake);
+        return (drv, fake);
+    }
+
+    [Fact]
+    public async Task Initialize_connects_and_populates_tag_map()
+    {
+        var (drv, _) = NewDriver(
+            new ModbusTagDefinition("Level", ModbusRegion.HoldingRegisters, 0, ModbusDataType.Int16),
+            new ModbusTagDefinition("Run", ModbusRegion.Coils, 0, ModbusDataType.Bool));
+        await drv.InitializeAsync("{}", CancellationToken.None);
+        drv.GetHealth().State.ShouldBe(DriverState.Healthy);
+    }
+
+    [Fact]
+    public async Task Read_Int16_holding_register_returns_BigEndian_value()
+    {
+        var (drv, fake) = NewDriver(new ModbusTagDefinition("Level", ModbusRegion.HoldingRegisters, 10, ModbusDataType.Int16));
+        await drv.InitializeAsync("{}", CancellationToken.None);
+        fake.HoldingRegisters[10] = 12345;
+
+        var r = await drv.ReadAsync(["Level"], CancellationToken.None);
+        r[0].Value.ShouldBe((short)12345);
+        r[0].StatusCode.ShouldBe(0u);
+    }
+
+    [Fact]
+    public async Task Read_Float32_spans_two_registers_BigEndian()
+    {
+        var (drv, fake) = NewDriver(new ModbusTagDefinition("Temp", ModbusRegion.HoldingRegisters, 4, ModbusDataType.Float32));
+        await drv.InitializeAsync("{}", CancellationToken.None);
+
+        // IEEE 754 single for 25.5f is 0x41CC0000 — [41 CC][00 00] big-endian across two regs.
+        var bytes = new byte[4];
+        BinaryPrimitives.WriteSingleBigEndian(bytes, 25.5f);
+        fake.HoldingRegisters[4] = (ushort)((bytes[0] << 8) | bytes[1]);
+        fake.HoldingRegisters[5] = (ushort)((bytes[2] << 8) | bytes[3]);
+
+        var r = await drv.ReadAsync(["Temp"], CancellationToken.None);
+        r[0].Value.ShouldBe(25.5f);
+    }
+
+    [Fact]
+    public async Task Read_Coil_returns_boolean()
+    {
+        var (drv, fake) = NewDriver(new ModbusTagDefinition("Run", ModbusRegion.Coils, 3, ModbusDataType.Bool));
+        await drv.InitializeAsync("{}", CancellationToken.None);
+        fake.Coils[3] = true;
+
+        var r = await drv.ReadAsync(["Run"], CancellationToken.None);
+        r[0].Value.ShouldBe(true);
+    }
+
+    [Fact]
+    public async Task Unknown_tag_returns_BadNodeIdUnknown_not_an_exception()
+    {
+        var (drv, _) = NewDriver();
+        await drv.InitializeAsync("{}", CancellationToken.None);
+
+        var r = await drv.ReadAsync(["DoesNotExist"], CancellationToken.None);
+        r[0].StatusCode.ShouldBe(0x80340000u);
+    }
+
+    [Fact]
+    public async Task Write_UInt16_holding_register_roundtrips()
+    {
+        var (drv, fake) = NewDriver(new ModbusTagDefinition("Setpoint", ModbusRegion.HoldingRegisters, 20, ModbusDataType.UInt16));
+        await drv.InitializeAsync("{}", CancellationToken.None);
+
+        var results = await drv.WriteAsync([new WriteRequest("Setpoint", (ushort)42000)], CancellationToken.None);
+        results[0].StatusCode.ShouldBe(0u);
+        fake.HoldingRegisters[20].ShouldBe((ushort)42000);
+    }
+
+    [Fact]
+    public async Task Write_Float32_uses_FC16_WriteMultipleRegisters()
+    {
+        var (drv, fake) = NewDriver(new ModbusTagDefinition("Temp", ModbusRegion.HoldingRegisters, 4, ModbusDataType.Float32));
+        await drv.InitializeAsync("{}", CancellationToken.None);
+
+        await drv.WriteAsync([new WriteRequest("Temp", 25.5f)], CancellationToken.None);
+
+        // Decode back through the fake bank to check the two-register shape.
+        var raw = new byte[4];
+        raw[0] = (byte)(fake.HoldingRegisters[4] >> 8);
+        raw[1] = (byte)(fake.HoldingRegisters[4] & 0xFF);
+        raw[2] = (byte)(fake.HoldingRegisters[5] >> 8);
+        raw[3] = (byte)(fake.HoldingRegisters[5] & 0xFF);
+        BinaryPrimitives.ReadSingleBigEndian(raw).ShouldBe(25.5f);
+    }
+
+    [Fact]
+    public async Task Write_to_InputRegister_returns_BadNotWritable()
+    {
+        var (drv, _) = NewDriver(new ModbusTagDefinition("Ro", ModbusRegion.InputRegisters, 0, ModbusDataType.UInt16, Writable: false));
+        await drv.InitializeAsync("{}", CancellationToken.None);
+
+        var r = await drv.WriteAsync([new WriteRequest("Ro", (ushort)7)], CancellationToken.None);
+        r[0].StatusCode.ShouldBe(0x803B0000u);
+    }
+
+    [Fact]
+    public async Task Discover_streams_one_folder_per_driver_with_a_variable_per_tag()
+    {
+        var (drv, _) = NewDriver(
+            new ModbusTagDefinition("Level", ModbusRegion.HoldingRegisters, 0, ModbusDataType.Int16),
+            new ModbusTagDefinition("Temp", ModbusRegion.HoldingRegisters, 4, ModbusDataType.Float32),
+            new ModbusTagDefinition("Run", ModbusRegion.Coils, 0, ModbusDataType.Bool));
+        await drv.InitializeAsync("{}", CancellationToken.None);
+
+        var builder = new RecordingBuilder();
+        await drv.DiscoverAsync(builder, CancellationToken.None);
+
+        builder.Folders.Count.ShouldBe(1);
+        builder.Folders[0].BrowseName.ShouldBe("Modbus");
+        builder.Variables.Count.ShouldBe(3);
+        builder.Variables.ShouldContain(v => v.BrowseName == "Level" && v.Info.DriverDataType == DriverDataType.Int32);
+        builder.Variables.ShouldContain(v => v.BrowseName == "Temp" && v.Info.DriverDataType == DriverDataType.Float32);
+        builder.Variables.ShouldContain(v => v.BrowseName == "Run" && v.Info.DriverDataType == DriverDataType.Boolean);
+    }
+
+    // --- helpers ---
+
+    private sealed class RecordingBuilder : IAddressSpaceBuilder
+    {
+        public List<(string BrowseName, string DisplayName)> Folders { get; } = new();
+        public List<(string BrowseName, DriverAttributeInfo Info)> Variables { get; } = new();
+        public IAddressSpaceBuilder Folder(string browseName, string displayName)
+        { Folders.Add((browseName, displayName)); return this; }
+        public IVariableHandle Variable(string browseName, string displayName, DriverAttributeInfo info)
+        { Variables.Add((browseName, info)); return new Handle(info.FullName); }
+        public void AddProperty(string _, DriverDataType __, object? ___) { }
+        private sealed class Handle(string fullRef) : IVariableHandle
+        {
+            public string FullReference => fullRef;
+            public IAlarmConditionSink MarkAsAlarmCondition(AlarmConditionInfo info) => new NullSink();
+        }
+        private sealed class NullSink : IAlarmConditionSink
+        {
+            public void OnTransition(AlarmEventArgs args) { }
+        }
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.Tests/ModbusProbeTests.cs

@@ -0,0 +1,208 @@
+using System.Collections.Concurrent;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Driver.Modbus;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Modbus.Tests;
+
+[Trait("Category", "Unit")]
+public sealed class ModbusProbeTests
+{
+    /// <summary>
+    ///     Transport fake the probe tests flip between "responding" and "unreachable" to
+    ///     exercise the state machine. Calls to SendAsync with FC=0x03 count as probe traffic
+    ///     (the driver's probe loop issues exactly that shape).
+    /// </summary>
+    private sealed class FlappyTransport : IModbusTransport
+    {
+        public volatile bool Reachable = true;
+        public int ProbeCount;
+
+        public Task ConnectAsync(CancellationToken ct) => Task.CompletedTask;
+
+        public Task<byte[]> SendAsync(byte unitId, byte[] pdu, CancellationToken ct)
+        {
+            if (pdu[0] == 0x03) Interlocked.Increment(ref ProbeCount);
+            if (!Reachable)
+                return Task.FromException<byte[]>(new IOException("transport unreachable"));
+
+            // Happy path — return a valid FC03 response for 1 register at addr.
+            if (pdu[0] == 0x03)
+            {
+                var qty = (ushort)((pdu[3] << 8) | pdu[4]);
+                var resp = new byte[2 + qty * 2];
+                resp[0] = 0x03;
+                resp[1] = (byte)(qty * 2);
+                return Task.FromResult(resp);
+            }
+            return Task.FromException<byte[]>(new NotSupportedException());
+        }
+
+        public ValueTask DisposeAsync() => ValueTask.CompletedTask;
+    }
+
+    private static (ModbusDriver drv, FlappyTransport fake) NewDriver(ModbusProbeOptions probe)
+    {
+        var fake = new FlappyTransport();
+        var opts = new ModbusDriverOptions { Host = "fake", Port = 502, Probe = probe };
+        return (new ModbusDriver(opts, "modbus-1", _ => fake), fake);
+    }
+
+    [Fact]
+    public async Task Initial_state_is_Unknown_before_first_probe_tick()
+    {
+        var (drv, _) = NewDriver(new ModbusProbeOptions { Enabled = false });
+        await drv.InitializeAsync("{}", CancellationToken.None);
+
+        var statuses = drv.GetHostStatuses();
+        statuses.Count.ShouldBe(1);
+        statuses[0].State.ShouldBe(HostState.Unknown);
+        statuses[0].HostName.ShouldBe("fake:502");
+    }
+
+    [Fact]
+    public async Task First_successful_probe_transitions_to_Running()
+    {
+        var (drv, fake) = NewDriver(new ModbusProbeOptions
+        {
+            Enabled = true,
+            Interval = TimeSpan.FromMilliseconds(150),
+            Timeout = TimeSpan.FromSeconds(1),
+        });
+        var transitions = new ConcurrentQueue<HostStatusChangedEventArgs>();
+        drv.OnHostStatusChanged += (_, e) => transitions.Enqueue(e);
+
+        await drv.InitializeAsync("{}", CancellationToken.None);
+
+        // Wait for the first probe to complete.
+        var deadline = DateTime.UtcNow + TimeSpan.FromSeconds(2);
+        while (fake.ProbeCount == 0 && DateTime.UtcNow < deadline) await Task.Delay(25);
+
+        // Then wait for the event to actually arrive.
+        deadline = DateTime.UtcNow + TimeSpan.FromSeconds(1);
+        while (transitions.Count == 0 && DateTime.UtcNow < deadline) await Task.Delay(25);
+
+        transitions.Count.ShouldBeGreaterThanOrEqualTo(1);
+        transitions.TryDequeue(out var t).ShouldBeTrue();
+        t!.OldState.ShouldBe(HostState.Unknown);
+        t.NewState.ShouldBe(HostState.Running);
+        drv.GetHostStatuses()[0].State.ShouldBe(HostState.Running);
+
+        await drv.ShutdownAsync(CancellationToken.None);
+    }
+
+    [Fact]
+    public async Task Transport_failure_transitions_to_Stopped()
+    {
+        var (drv, fake) = NewDriver(new ModbusProbeOptions
+        {
+            Enabled = true,
+            Interval = TimeSpan.FromMilliseconds(150),
+            Timeout = TimeSpan.FromSeconds(1),
+        });
+        var transitions = new ConcurrentQueue<HostStatusChangedEventArgs>();
+        drv.OnHostStatusChanged += (_, e) => transitions.Enqueue(e);
+
+        await drv.InitializeAsync("{}", CancellationToken.None);
+        await WaitForStateAsync(drv, HostState.Running, TimeSpan.FromSeconds(2));
+
+        fake.Reachable = false;
+        await WaitForStateAsync(drv, HostState.Stopped, TimeSpan.FromSeconds(2));
+
+        transitions.Select(t => t.NewState).ShouldContain(HostState.Stopped);
+        await drv.ShutdownAsync(CancellationToken.None);
+    }
+
+    [Fact]
+    public async Task Recovery_transitions_Stopped_back_to_Running()
+    {
+        var (drv, fake) = NewDriver(new ModbusProbeOptions
+        {
+            Enabled = true,
+            Interval = TimeSpan.FromMilliseconds(150),
+            Timeout = TimeSpan.FromSeconds(1),
+        });
+        var transitions = new ConcurrentQueue<HostStatusChangedEventArgs>();
+        drv.OnHostStatusChanged += (_, e) => transitions.Enqueue(e);
+
+        await drv.InitializeAsync("{}", CancellationToken.None);
+        await WaitForStateAsync(drv, HostState.Running, TimeSpan.FromSeconds(2));
+
+        fake.Reachable = false;
+        await WaitForStateAsync(drv, HostState.Stopped, TimeSpan.FromSeconds(2));
+
+        fake.Reachable = true;
+        await WaitForStateAsync(drv, HostState.Running, TimeSpan.FromSeconds(2));
+
+        // We expect at minimum: Unknown→Running, Running→Stopped, Stopped→Running.
+        transitions.Count.ShouldBeGreaterThanOrEqualTo(3);
+        await drv.ShutdownAsync(CancellationToken.None);
+    }
+
+    [Fact]
+    public async Task Repeated_successful_probes_do_not_generate_duplicate_Running_events()
+    {
+        var (drv, _) = NewDriver(new ModbusProbeOptions
+        {
+            Enabled = true,
+            Interval = TimeSpan.FromMilliseconds(100),
+            Timeout = TimeSpan.FromSeconds(1),
+        });
+        var transitions = new ConcurrentQueue<HostStatusChangedEventArgs>();
+        drv.OnHostStatusChanged += (_, e) => transitions.Enqueue(e);
+
+        await drv.InitializeAsync("{}", CancellationToken.None);
+        await WaitForStateAsync(drv, HostState.Running, TimeSpan.FromSeconds(2));
+        await Task.Delay(500); // several more probe ticks, all successful — state shouldn't thrash
+
+        transitions.Count.ShouldBe(1); // only the initial Unknown→Running
+        await drv.ShutdownAsync(CancellationToken.None);
+    }
+
+    [Fact]
+    public async Task Disabled_probe_stays_Unknown_and_fires_no_events()
+    {
+        var (drv, _) = NewDriver(new ModbusProbeOptions { Enabled = false });
+        var transitions = new ConcurrentQueue<HostStatusChangedEventArgs>();
+        drv.OnHostStatusChanged += (_, e) => transitions.Enqueue(e);
+
+        await drv.InitializeAsync("{}", CancellationToken.None);
+        await Task.Delay(300);
+
+        transitions.Count.ShouldBe(0);
+        drv.GetHostStatuses()[0].State.ShouldBe(HostState.Unknown);
+        await drv.ShutdownAsync(CancellationToken.None);
+    }
+
+    [Fact]
+    public async Task Shutdown_stops_the_probe_loop()
+    {
+        var (drv, fake) = NewDriver(new ModbusProbeOptions
+        {
+            Enabled = true,
+            Interval = TimeSpan.FromMilliseconds(100),
+            Timeout = TimeSpan.FromSeconds(1),
+        });
+        await drv.InitializeAsync("{}", CancellationToken.None);
+        await WaitForStateAsync(drv, HostState.Running, TimeSpan.FromSeconds(2));
+
+        var before = fake.ProbeCount;
+        await drv.ShutdownAsync(CancellationToken.None);
+        await Task.Delay(400);
+
+        // A handful of in-flight ticks may complete after shutdown in a narrow race; the
+        // contract is that the loop stops scheduling new ones. Tolerate ≤1 extra.
+        (fake.ProbeCount - before).ShouldBeLessThanOrEqualTo(1);
+    }
+
+    private static async Task WaitForStateAsync(ModbusDriver drv, HostState expected, TimeSpan timeout)
+    {
+        var deadline = DateTime.UtcNow + timeout;
+        while (DateTime.UtcNow < deadline)
+        {
+            if (drv.GetHostStatuses()[0].State == expected) return;
+            await Task.Delay(25);
+        }
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.Tests/ModbusSubscriptionTests.cs

@@ -0,0 +1,180 @@
+using System.Collections.Concurrent;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Driver.Modbus;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Modbus.Tests;
+
+[Trait("Category", "Unit")]
+public sealed class ModbusSubscriptionTests
+{
+    /// <summary>
+    ///     Lightweight fake transport the subscription tests drive through — only the FC03
+    ///     (Read Holding Registers) path is used. Mutating <see cref="HoldingRegisters"/>
+    ///     between polls is how each test simulates a PLC value change.
+    /// </summary>
+    private sealed class FakeTransport : IModbusTransport
+    {
+        public readonly ushort[] HoldingRegisters = new ushort[256];
+        public Task ConnectAsync(CancellationToken ct) => Task.CompletedTask;
+
+        public Task<byte[]> SendAsync(byte unitId, byte[] pdu, CancellationToken ct)
+        {
+            if (pdu[0] != 0x03) return Task.FromException<byte[]>(new NotSupportedException("FC not supported"));
+            var addr = (ushort)((pdu[1] << 8) | pdu[2]);
+            var qty = (ushort)((pdu[3] << 8) | pdu[4]);
+            var resp = new byte[2 + qty * 2];
+            resp[0] = 0x03;
+            resp[1] = (byte)(qty * 2);
+            for (var i = 0; i < qty; i++)
+            {
+                resp[2 + i * 2] = (byte)(HoldingRegisters[addr + i] >> 8);
+                resp[3 + i * 2] = (byte)(HoldingRegisters[addr + i] & 0xFF);
+            }
+            return Task.FromResult(resp);
+        }
+        public ValueTask DisposeAsync() => ValueTask.CompletedTask;
+    }
+
+    private static (ModbusDriver drv, FakeTransport fake) NewDriver(params ModbusTagDefinition[] tags)
+    {
+        var fake = new FakeTransport();
+        var opts = new ModbusDriverOptions { Host = "fake", Tags = tags };
+        return (new ModbusDriver(opts, "modbus-1", _ => fake), fake);
+    }
+
+    [Fact]
+    public async Task Initial_poll_raises_OnDataChange_for_every_subscribed_tag()
+    {
+        var (drv, fake) = NewDriver(
+            new ModbusTagDefinition("Level", ModbusRegion.HoldingRegisters, 0, ModbusDataType.Int16),
+            new ModbusTagDefinition("Temp", ModbusRegion.HoldingRegisters, 1, ModbusDataType.Int16));
+        await drv.InitializeAsync("{}", CancellationToken.None);
+        fake.HoldingRegisters[0] = 100;
+        fake.HoldingRegisters[1] = 200;
+
+        var events = new ConcurrentQueue<DataChangeEventArgs>();
+        drv.OnDataChange += (_, e) => events.Enqueue(e);
+
+        var handle = await drv.SubscribeAsync(["Level", "Temp"], TimeSpan.FromMilliseconds(200), CancellationToken.None);
+        await WaitForCountAsync(events, 2, TimeSpan.FromSeconds(2));
+
+        events.Select(e => e.FullReference).ShouldContain("Level");
+        events.Select(e => e.FullReference).ShouldContain("Temp");
+        await drv.UnsubscribeAsync(handle, CancellationToken.None);
+    }
+
+    [Fact]
+    public async Task Unchanged_values_do_not_raise_after_initial_poll()
+    {
+        var (drv, fake) = NewDriver(new ModbusTagDefinition("Level", ModbusRegion.HoldingRegisters, 0, ModbusDataType.Int16));
+        await drv.InitializeAsync("{}", CancellationToken.None);
+        fake.HoldingRegisters[0] = 100;
+
+        var events = new ConcurrentQueue<DataChangeEventArgs>();
+        drv.OnDataChange += (_, e) => events.Enqueue(e);
+
+        var handle = await drv.SubscribeAsync(["Level"], TimeSpan.FromMilliseconds(100), CancellationToken.None);
+        await Task.Delay(500); // ~5 poll cycles at 100ms, value stable the whole time
+        await drv.UnsubscribeAsync(handle, CancellationToken.None);
+
+        events.Count.ShouldBe(1); // only the initial-data push, no change events after
+    }
+
+    [Fact]
+    public async Task Value_change_between_polls_raises_OnDataChange()
+    {
+        var (drv, fake) = NewDriver(new ModbusTagDefinition("Level", ModbusRegion.HoldingRegisters, 0, ModbusDataType.Int16));
+        await drv.InitializeAsync("{}", CancellationToken.None);
+        fake.HoldingRegisters[0] = 100;
+
+        var events = new ConcurrentQueue<DataChangeEventArgs>();
+        drv.OnDataChange += (_, e) => events.Enqueue(e);
+
+        var handle = await drv.SubscribeAsync(["Level"], TimeSpan.FromMilliseconds(100), CancellationToken.None);
+        await WaitForCountAsync(events, 1, TimeSpan.FromSeconds(1));
+        fake.HoldingRegisters[0] = 200; // simulate PLC update
+        await WaitForCountAsync(events, 2, TimeSpan.FromSeconds(2));
+
+        await drv.UnsubscribeAsync(handle, CancellationToken.None);
+        events.Count.ShouldBeGreaterThanOrEqualTo(2);
+        events.Last().Snapshot.Value.ShouldBe((short)200);
+    }
+
+    [Fact]
+    public async Task Unsubscribe_stops_the_polling_loop()
+    {
+        var (drv, fake) = NewDriver(new ModbusTagDefinition("Level", ModbusRegion.HoldingRegisters, 0, ModbusDataType.Int16));
+        await drv.InitializeAsync("{}", CancellationToken.None);
+
+        var events = new ConcurrentQueue<DataChangeEventArgs>();
+        drv.OnDataChange += (_, e) => events.Enqueue(e);
+
+        var handle = await drv.SubscribeAsync(["Level"], TimeSpan.FromMilliseconds(100), CancellationToken.None);
+        await WaitForCountAsync(events, 1, TimeSpan.FromSeconds(1));
+        await drv.UnsubscribeAsync(handle, CancellationToken.None);
+
+        var countAfterUnsub = events.Count;
+        fake.HoldingRegisters[0] = 999; // would trigger a change if still polling
+        await Task.Delay(400);
+        events.Count.ShouldBe(countAfterUnsub);
+    }
+
+    [Fact]
+    public async Task SubscribeAsync_floors_intervals_below_100ms()
+    {
+        var (drv, _) = NewDriver(new ModbusTagDefinition("Level", ModbusRegion.HoldingRegisters, 0, ModbusDataType.Int16));
+        await drv.InitializeAsync("{}", CancellationToken.None);
+
+        // 10ms requested — implementation floors to 100ms. We verify indirectly: over 300ms, a
+        // 10ms interval would produce many more events than a 100ms interval would on a stable
+        // value. Since the value is unchanged, we only expect the initial-data push (1 event).
+        var events = new ConcurrentQueue<DataChangeEventArgs>();
+        drv.OnDataChange += (_, e) => events.Enqueue(e);
+
+        var handle = await drv.SubscribeAsync(["Level"], TimeSpan.FromMilliseconds(10), CancellationToken.None);
+        await Task.Delay(300);
+        await drv.UnsubscribeAsync(handle, CancellationToken.None);
+
+        events.Count.ShouldBe(1);
+    }
+
+    [Fact]
+    public async Task Multiple_subscriptions_fire_independently()
+    {
+        var (drv, fake) = NewDriver(
+            new ModbusTagDefinition("A", ModbusRegion.HoldingRegisters, 0, ModbusDataType.Int16),
+            new ModbusTagDefinition("B", ModbusRegion.HoldingRegisters, 1, ModbusDataType.Int16));
+        await drv.InitializeAsync("{}", CancellationToken.None);
+
+        var eventsA = new ConcurrentQueue<DataChangeEventArgs>();
+        var eventsB = new ConcurrentQueue<DataChangeEventArgs>();
+        drv.OnDataChange += (_, e) =>
+        {
+            if (e.FullReference == "A") eventsA.Enqueue(e);
+            else if (e.FullReference == "B") eventsB.Enqueue(e);
+        };
+
+        var ha = await drv.SubscribeAsync(["A"], TimeSpan.FromMilliseconds(100), CancellationToken.None);
+        var hb = await drv.SubscribeAsync(["B"], TimeSpan.FromMilliseconds(100), CancellationToken.None);
+        await WaitForCountAsync(eventsA, 1, TimeSpan.FromSeconds(1));
+        await WaitForCountAsync(eventsB, 1, TimeSpan.FromSeconds(1));
+
+        await drv.UnsubscribeAsync(ha, CancellationToken.None);
+        var aCount = eventsA.Count;
+        fake.HoldingRegisters[1] = 77; // only B should pick this up
+        await WaitForCountAsync(eventsB, 2, TimeSpan.FromSeconds(2));
+
+        eventsA.Count.ShouldBe(aCount);        // unchanged since unsubscribe
+        eventsB.Count.ShouldBeGreaterThanOrEqualTo(2);
+        await drv.UnsubscribeAsync(hb, CancellationToken.None);
+    }
+
+    private static async Task WaitForCountAsync<T>(ConcurrentQueue<T> q, int target, TimeSpan timeout)
+    {
+        var deadline = DateTime.UtcNow + timeout;
+        while (q.Count < target && DateTime.UtcNow < deadline)
+            await Task.Delay(25);
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.Tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.Tests.csproj

@@ -0,0 +1,31 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+    <PropertyGroup>
+        <TargetFramework>net10.0</TargetFramework>
+        <Nullable>enable</Nullable>
+        <ImplicitUsings>enable</ImplicitUsings>
+        <IsPackable>false</IsPackable>
+        <IsTestProject>true</IsTestProject>
+        <RootNamespace>ZB.MOM.WW.OtOpcUa.Driver.Modbus.Tests</RootNamespace>
+    </PropertyGroup>
+
+    <ItemGroup>
+        <PackageReference Include="xunit.v3" Version="1.1.0"/>
+        <PackageReference Include="Shouldly" Version="4.3.0"/>
+        <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.12.0"/>
+        <PackageReference Include="xunit.runner.visualstudio" Version="3.0.2">
+            <PrivateAssets>all</PrivateAssets>
+            <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+        </PackageReference>
+    </ItemGroup>
+
+    <ItemGroup>
+        <ProjectReference Include="..\..\src\ZB.MOM.WW.OtOpcUa.Driver.Modbus\ZB.MOM.WW.OtOpcUa.Driver.Modbus.csproj"/>
+    </ItemGroup>
+
+    <ItemGroup>
+        <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-37gx-xxp4-5rgx"/>
+        <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-w3x6-4m5h-cxqf"/>
+    </ItemGroup>
+
+</Project>

tests/ZB.MOM.WW.OtOpcUa.Server.Tests/OpcUaServerIntegrationTests.cs

@@ -7,6 +7,7 @@ using Xunit;
 using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
 using ZB.MOM.WW.OtOpcUa.Core.Hosting;
 using ZB.MOM.WW.OtOpcUa.Server.OpcUa;
+using ZB.MOM.WW.OtOpcUa.Server.Security;
 
 namespace ZB.MOM.WW.OtOpcUa.Server.Tests;
 
@@ -38,8 +39,8 @@ public sealed class OpcUaServerIntegrationTests : IAsyncLifetime
             AutoAcceptUntrustedClientCertificates = true,
         };
 
-        _server = new OpcUaApplicationHost(options, _driverHost, NullLoggerFactory.Instance,
-            NullLogger<OpcUaApplicationHost>.Instance);
+        _server = new OpcUaApplicationHost(options, _driverHost, new DenyAllUserAuthenticator(),
+            NullLoggerFactory.Instance, NullLogger<OpcUaApplicationHost>.Instance);
         await _server.StartAsync(CancellationToken.None);
     }
 

tests/ZB.MOM.WW.OtOpcUa.Server.Tests/SecurityConfigurationTests.cs

@@ -0,0 +1,88 @@
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Server.OpcUa;
+using ZB.MOM.WW.OtOpcUa.Server.Security;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.Tests;
+
+[Trait("Category", "Unit")]
+public sealed class SecurityConfigurationTests
+{
+    [Fact]
+    public async Task DenyAllAuthenticator_rejects_every_credential()
+    {
+        var auth = new DenyAllUserAuthenticator();
+        var r = await auth.AuthenticateAsync("admin", "admin", CancellationToken.None);
+        r.Success.ShouldBeFalse();
+        r.Error.ShouldContain("not supported");
+    }
+
+    [Fact]
+    public async Task LdapAuthenticator_rejects_blank_credentials_without_hitting_server()
+    {
+        var options = new LdapOptions { Enabled = true, AllowInsecureLdap = true };
+        var auth = new LdapUserAuthenticator(options, Microsoft.Extensions.Logging.Abstractions.NullLogger<LdapUserAuthenticator>.Instance);
+
+        var empty = await auth.AuthenticateAsync("", "", CancellationToken.None);
+        empty.Success.ShouldBeFalse();
+        empty.Error.ShouldContain("Credentials");
+    }
+
+    [Fact]
+    public async Task LdapAuthenticator_rejects_when_disabled()
+    {
+        var options = new LdapOptions { Enabled = false };
+        var auth = new LdapUserAuthenticator(options, Microsoft.Extensions.Logging.Abstractions.NullLogger<LdapUserAuthenticator>.Instance);
+
+        var r = await auth.AuthenticateAsync("alice", "pw", CancellationToken.None);
+        r.Success.ShouldBeFalse();
+        r.Error.ShouldContain("disabled");
+    }
+
+    [Fact]
+    public async Task LdapAuthenticator_rejects_plaintext_when_both_TLS_and_insecure_are_disabled()
+    {
+        var options = new LdapOptions { Enabled = true, UseTls = false, AllowInsecureLdap = false };
+        var auth = new LdapUserAuthenticator(options, Microsoft.Extensions.Logging.Abstractions.NullLogger<LdapUserAuthenticator>.Instance);
+
+        var r = await auth.AuthenticateAsync("alice", "pw", CancellationToken.None);
+        r.Success.ShouldBeFalse();
+        r.Error.ShouldContain("Insecure");
+    }
+
+    [Theory]
+    [InlineData("hello", "hello")]
+    [InlineData("hi(there)", "hi\\28there\\29")]
+    [InlineData("name*", "name\\2a")]
+    [InlineData("a\\b", "a\\5cb")]
+    public void LdapFilter_escapes_reserved_characters(string input, string expected)
+    {
+        LdapUserAuthenticator.EscapeLdapFilter(input).ShouldBe(expected);
+    }
+
+    [Theory]
+    [InlineData("cn=alice,ou=Engineering,dc=example,dc=com", "Engineering")]
+    [InlineData("cn=bob,dc=example,dc=com", null)]
+    [InlineData("cn=carol,ou=Ops,dc=example,dc=com", "Ops")]
+    public void ExtractOuSegment_pulls_primary_group_from_DN(string dn, string? expected)
+    {
+        LdapUserAuthenticator.ExtractOuSegment(dn).ShouldBe(expected);
+    }
+
+    [Theory]
+    [InlineData("cn=Operators,ou=Groups,dc=example", "Operators")]
+    [InlineData("cn=LoneValue", "LoneValue")]
+    [InlineData("plain-no-equals", "plain-no-equals")]
+    public void ExtractFirstRdnValue_returns_first_rdn(string dn, string expected)
+    {
+        LdapUserAuthenticator.ExtractFirstRdnValue(dn).ShouldBe(expected);
+    }
+
+    [Fact]
+    public void OpcUaServerOptions_default_is_anonymous_only()
+    {
+        var opts = new OpcUaServerOptions();
+        opts.SecurityProfile.ShouldBe(OpcUaSecurityProfile.None);
+        opts.Ldap.Enabled.ShouldBeFalse();
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Server.Tests/WriteAuthzPolicyTests.cs

@@ -0,0 +1,134 @@
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Server.Security;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.Tests;
+
+[Trait("Category", "Unit")]
+public sealed class WriteAuthzPolicyTests
+{
+    // --- FreeAccess and ViewOnly special-cases ---
+
+    [Fact]
+    public void FreeAccess_allows_write_even_for_empty_role_set()
+    {
+        WriteAuthzPolicy.IsAllowed(SecurityClassification.FreeAccess, []).ShouldBeTrue();
+    }
+
+    [Fact]
+    public void FreeAccess_allows_write_for_arbitrary_roles()
+    {
+        WriteAuthzPolicy.IsAllowed(SecurityClassification.FreeAccess, ["SomeOtherRole"]).ShouldBeTrue();
+    }
+
+    [Fact]
+    public void ViewOnly_denies_write_even_with_every_role()
+    {
+        var allRoles = new[] { "WriteOperate", "WriteTune", "WriteConfigure", "AlarmAck" };
+        WriteAuthzPolicy.IsAllowed(SecurityClassification.ViewOnly, allRoles).ShouldBeFalse();
+    }
+
+    // --- Operate tier ---
+
+    [Fact]
+    public void Operate_requires_WriteOperate_role()
+    {
+        WriteAuthzPolicy.IsAllowed(SecurityClassification.Operate, ["WriteOperate"]).ShouldBeTrue();
+    }
+
+    [Fact]
+    public void Operate_role_match_is_case_insensitive()
+    {
+        WriteAuthzPolicy.IsAllowed(SecurityClassification.Operate, ["writeoperate"]).ShouldBeTrue();
+        WriteAuthzPolicy.IsAllowed(SecurityClassification.Operate, ["WRITEOPERATE"]).ShouldBeTrue();
+    }
+
+    [Fact]
+    public void Operate_denies_empty_role_set()
+    {
+        WriteAuthzPolicy.IsAllowed(SecurityClassification.Operate, []).ShouldBeFalse();
+    }
+
+    [Fact]
+    public void Operate_denies_wrong_role()
+    {
+        WriteAuthzPolicy.IsAllowed(SecurityClassification.Operate, ["ReadOnly"]).ShouldBeFalse();
+    }
+
+    [Fact]
+    public void SecuredWrite_maps_to_same_WriteOperate_requirement_as_Operate()
+    {
+        WriteAuthzPolicy.IsAllowed(SecurityClassification.SecuredWrite, ["WriteOperate"]).ShouldBeTrue();
+        WriteAuthzPolicy.IsAllowed(SecurityClassification.SecuredWrite, ["WriteTune"]).ShouldBeFalse();
+    }
+
+    // --- Tune tier ---
+
+    [Fact]
+    public void Tune_requires_WriteTune_role()
+    {
+        WriteAuthzPolicy.IsAllowed(SecurityClassification.Tune, ["WriteTune"]).ShouldBeTrue();
+    }
+
+    [Fact]
+    public void Tune_denies_WriteOperate_only_session()
+    {
+        // Important: role roles do NOT cascade — a session with WriteOperate can't write a Tune
+        // attribute. Operators escalate by adding WriteTune to the session's roles, not by a
+        // hierarchy the policy infers on its own.
+        WriteAuthzPolicy.IsAllowed(SecurityClassification.Tune, ["WriteOperate"]).ShouldBeFalse();
+    }
+
+    // --- Configure tier ---
+
+    [Fact]
+    public void Configure_requires_WriteConfigure_role()
+    {
+        WriteAuthzPolicy.IsAllowed(SecurityClassification.Configure, ["WriteConfigure"]).ShouldBeTrue();
+    }
+
+    [Fact]
+    public void VerifiedWrite_maps_to_same_WriteConfigure_requirement_as_Configure()
+    {
+        WriteAuthzPolicy.IsAllowed(SecurityClassification.VerifiedWrite, ["WriteConfigure"]).ShouldBeTrue();
+        WriteAuthzPolicy.IsAllowed(SecurityClassification.VerifiedWrite, ["WriteOperate"]).ShouldBeFalse();
+    }
+
+    // --- Multi-role sessions ---
+
+    [Fact]
+    public void Session_with_multiple_roles_is_allowed_when_any_matches()
+    {
+        var roles = new[] { "ReadOnly", "WriteTune", "AlarmAck" };
+        WriteAuthzPolicy.IsAllowed(SecurityClassification.Tune, roles).ShouldBeTrue();
+    }
+
+    [Fact]
+    public void Session_with_only_unrelated_roles_is_denied()
+    {
+        var roles = new[] { "ReadOnly", "AlarmAck", "SomeCustomRole" };
+        WriteAuthzPolicy.IsAllowed(SecurityClassification.Configure, roles).ShouldBeFalse();
+    }
+
+    // --- Mapping table ---
+
+    [Theory]
+    [InlineData(SecurityClassification.Operate, WriteAuthzPolicy.RoleWriteOperate)]
+    [InlineData(SecurityClassification.SecuredWrite, WriteAuthzPolicy.RoleWriteOperate)]
+    [InlineData(SecurityClassification.Tune, WriteAuthzPolicy.RoleWriteTune)]
+    [InlineData(SecurityClassification.VerifiedWrite, WriteAuthzPolicy.RoleWriteConfigure)]
+    [InlineData(SecurityClassification.Configure, WriteAuthzPolicy.RoleWriteConfigure)]
+    public void RequiredRole_returns_expected_role_for_classification(SecurityClassification c, string expected)
+    {
+        WriteAuthzPolicy.RequiredRole(c).ShouldBe(expected);
+    }
+
+    [Theory]
+    [InlineData(SecurityClassification.FreeAccess)]
+    [InlineData(SecurityClassification.ViewOnly)]
+    public void RequiredRole_returns_null_for_special_classifications(SecurityClassification c)
+    {
+        WriteAuthzPolicy.RequiredRole(c).ShouldBeNull();
+    }
+}