Phase 3 PR 27 — Fleet status dashboard page. New /fleet route shows per-node apply state (ClusterNodeGenerationState joined with ClusterNode for the ClusterId) in a sortable table with summary cards for Total / Applied / Stale / Failed node counts. Stale detection: LastSeenAt older than 30s triggers a table-warning row class + yellow count card. Failed rows get table-danger + red card. Badge classes per LastAppliedStatus: Applied=bg-success, Failed=bg-danger, Applying=bg-info, unknown=bg-secondary. Timestamps rendered as relative-age strings ('42s ago', '15m ago', '3h ago', then absolute date for >24h). Error column is truncated to 320px with the full message in a tooltip so the table stays readable on wide fleets. Initial data load on OnInitializedAsync; auto-refresh every 5s via a Timer that calls InvokeAsync(RefreshAsync) — matches the FleetStatusPoller's 5s cadence so the dashboard sees the most recent state without polling ahead of the broadcaster. A Refresh button also kicks a manual reload; _refreshing gate prevents double-runs when the timer fires during an in-flight query. IServiceScopeFactory (matches FleetStatusPoller's pattern) creates a fresh DI scope per refresh so the per-page DbContext can't race the timer with the render thread; no new DI registrations needed. Live SignalR hub push is deliberately deferred to a follow-up PR — the existing FleetStatusHub + NodeStateChangedMessage already works for external JavaScript clients; wiring an in-process Blazor Server consumer adds HubConnectionBuilder plumbing that's worth its own focused change. Sidebar link added to MainLayout between Overview and Clusters. Full Admin.Tests Unit suite 14 pass / 0 fail — unchanged, no tests regressed. Full Admin build clean (0 errors, 0 warnings). Closes the 'no per-driver dashboard' gap from lmx-followups item #7 at the fleet level; per-host (platform/engine/Modbus PLC) granularity still needs a dedicated page that consumes IHostConnectivityProbe.GetHostStatuses from the Server process — that's the live-SignalR follow-up.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

docs/v2/lmx-followups.md

@@ -27,21 +27,19 @@ only exposes `ReadRawAsync` + `ReadProcessedAsync`.
 - Integration test: OPC UA client calls `HistoryReadAtTime` / `HistoryReadEvents`,
   value flows through IPC to the Host's `HistorianDataSource`, back to the client.
 
-## 2. Write-gating by role
+## 2. Write-gating by role — **DONE (PR 26)**
 
-**Status**: `RoleBasedIdentity.Roles` populated on the session (PR 19) but
-`DriverNodeManager.OnWriteValue` doesn't consult it.
+Landed in PR 26. `WriteAuthzPolicy` in `Server/Security/` maps
+`SecurityClassification` → required role (`FreeAccess` → no role required,
+`Operate`/`SecuredWrite` → `WriteOperate`, `Tune` → `WriteTune`,
+`Configure`/`VerifiedWrite` → `WriteConfigure`, `ViewOnly` → deny regardless).
+`DriverNodeManager` caches the classification per variable during discovery and
+checks the session's roles (via `IRoleBearer`) in `OnWriteValue` before calling
+`IWritable.WriteAsync`. Roles do not cascade — a session with `WriteOperate`
+can't write a `Tune` attribute unless it also carries `WriteTune`.
 
-CLAUDE.md defines the role set: `ReadOnly` / `WriteOperate` / `WriteTune` /
-`WriteConfigure` / `AlarmAck`. Each `DriverAttributeInfo.SecurityClassification`
-maps to a required role for writes.
-
-**To do**:
-- Add a `RoleRequirements` table: `SecurityClassification` → required role.
-- `OnWriteValue` reads `context.UserIdentity` → cast to `RoleBasedIdentity`
-  → check role membership before calling `IWritable.WriteAsync`. Return
-  `BadUserAccessDenied` on miss.
-- Unit test against a fake `ISystemContext` with varying role sets.
+See `feedback_acl_at_server_layer.md` in memory for the architectural directive
+that authz stays at the server layer and never delegates to driver-specific auth.
 
 ## 3. Admin UI client-cert trust management
 

docs/v2/modbus-test-plan.md

@@ -0,0 +1,103 @@
+# Modbus driver — test plan + device-quirk catalog
+
+The Modbus TCP driver unit tests (PRs 21–24) cover the protocol surface against an
+in-memory fake transport. They validate the codec, state machine, and function-code
+routing against a textbook Modbus server. That's necessary but not sufficient: real PLC
+populations disagree with the spec in small, device-specific ways, and a driver that
+passes textbook tests can still misbehave against actual equipment.
+
+This doc is the harness-and-quirks playbook. It's what gets wired up in the
+`tests/Driver.Modbus.IntegrationTests` project when we ship that (PR 26 candidate).
+
+## Harness
+
+**Chosen simulator: ModbusPal** (Java, scriptable). Rationale:
+- Scriptable enough to mimic device-specific behaviors (non-standard register
+  layouts, custom exception codes, intentional response delays).
+- Runs locally, no CI dependency. Tests skip when `localhost:502` (or the configured
+  simulator endpoint) isn't reachable.
+- Free + long-maintained — physical PLC bench is unavailable in most dev
+  environments, and renting cloud PLCs isn't worth the per-test cost.
+
+**Setup pattern** (not yet codified in a script — will land alongside the integration
+test project):
+1. Install ModbusPal, load the per-device `.xmpp` profile from
+   `tests/Driver.Modbus.IntegrationTests/ModbusPal/` (TBD directory).
+2. Start the simulator listening on `localhost:502` (or override via
+   `MODBUS_SIM_ENDPOINT` env var).
+3. `dotnet test` the integration project — tests auto-skip when the endpoint is
+   unreachable, so forgetting to start the simulator doesn't wedge CI.
+
+## Per-device quirk catalog
+
+### AutomationDirect DL205
+
+First known target device. Quirks to document and cover with named tests (to be
+filled in when user validates each behavior in ModbusPal with a DL205 profile):
+
+- **Word order for 32-bit values**: _pending_ — confirm whether DL205 uses ABCD
+  (Modbus TCP standard) or CDAB (Siemens-style word-swap) for Int32/UInt32/Float32.
+  Test name: `DL205_Float32_word_order_is_CDAB` (or `ABCD`, whichever proves out).
+- **Register-zero access**: _pending_ — some DL205 configurations reject FC03 at
+  register 0 with exception code 02 (illegal data address). If confirmed, the
+  integration test suite verifies `ModbusProbeOptions.ProbeAddress` default of 0
+  triggers the rejection and operators must override; test name:
+  `DL205_FC03_at_register_0_returns_IllegalDataAddress`.
+- **Coil addressing base**: _pending_ — DL205 documentation sometimes uses 1-based
+  coil addresses; verify the driver's zero-based addressing matches the physical
+  PLC without an off-by-one adjustment.
+- **Maximum registers per FC03**: _pending_ — Modbus spec caps at 125; some DL205
+  models enforce a lower limit (e.g., 64). Test name:
+  `DL205_FC03_beyond_max_registers_returns_IllegalDataValue`.
+- **Response framing under sustained load**: _pending_ — the driver's
+  single-flight semaphore assumes the server pairs requests/responses by
+  transaction id; at least one DL205 firmware revision is reported to drop the
+  TxId under load. If reproduced in ModbusPal we add a retry + log-and-continue
+  path to `ModbusTcpTransport`.
+- **Exception code on coil write to a protected bit**: _pending_ — some DL205
+  setups protect internal coils; the driver should surface the PLC's exception
+  PDU as `BadNotWritable` rather than `BadInternalError`.
+
+_User action item_: as each quirk is validated in ModbusPal, replace the _pending_
+marker with the confirmed behavior and file a named test in the integration suite.
+
+### Future devices
+
+One section per device class, same shape as DL205. Quirks that apply across
+multiple devices (e.g., "all AB PLCs use CDAB") can be noted in the cross-device
+patterns section below once we have enough data points.
+
+## Cross-device patterns
+
+Once multiple device catalogs accumulate, quirks that recur across two or more
+vendors get promoted into driver defaults or opt-in options:
+
+- _(empty — filled in as catalogs grow)_
+
+## Test conventions
+
+- **One named test per quirk.** `DL205_word_order_is_CDAB_for_Float32` is easier to
+  diagnose on failure than a generic `Float32_roundtrip`. The `DL205_` prefix makes
+  filtering by device class trivial (`--filter "DisplayName~DL205"`).
+- **Skip with a clear SkipReason.** Follow the pattern from
+  `GalaxyRepositoryLiveSmokeTests`: check reachability in the fixture, capture
+  a `SkipReason` string, and have each test call `Assert.Skip(SkipReason)` when
+  it's set. Don't throw — skipped tests read cleanly in CI logs.
+- **Use the real `ModbusTcpTransport`.** Integration tests exercise the wire
+  protocol end-to-end. The in-memory `FakeTransport` from the unit test suite is
+  deliberately not used here — its value is speed + determinism, which doesn't
+  help reproduce device-specific issues.
+- **Don't depend on ModbusPal state between tests.** Each test resets the
+  simulator's register bank or uses a unique address range. Avoid relying on
+  "previous test left value at register 10" setups that flake when tests run in
+  parallel or re-order.
+
+## Next concrete PRs
+
+- **PR 26 — Integration test project + DL205 profile scaffold**: creates
+  `tests/Driver.Modbus.IntegrationTests`, imports the ModbusPal profile (or
+  generates it from JSON), adds the fixture with skip-when-unreachable, plus
+  one smoke test that reads a register. No DL205-specific assertions yet — that
+  waits for the user to validate each quirk.
+- **PR 27+**: one PR per confirmed DL205 quirk, landing the named test + any
+  driver-side adjustment (e.g., retry on dropped TxId) needed to pass it.

src/ZB.MOM.WW.OtOpcUa.Admin/Components/Layout/MainLayout.razor

@@ -5,6 +5,7 @@
         <h5 class="mb-4">OtOpcUa Admin</h5>
         <ul class="nav flex-column">
             <li class="nav-item"><a class="nav-link text-light" href="/">Overview</a></li>
+            <li class="nav-item"><a class="nav-link text-light" href="/fleet">Fleet status</a></li>
             <li class="nav-item"><a class="nav-link text-light" href="/clusters">Clusters</a></li>
             <li class="nav-item"><a class="nav-link text-light" href="/reservations">Reservations</a></li>
         </ul>

src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Fleet.razor

@@ -0,0 +1,172 @@
+@page "/fleet"
+@using Microsoft.EntityFrameworkCore
+@using ZB.MOM.WW.OtOpcUa.Configuration
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@inject IServiceScopeFactory ScopeFactory
+@implements IDisposable
+
+<h1 class="mb-4">Fleet status</h1>
+
+<div class="d-flex align-items-center mb-3 gap-2">
+    <button class="btn btn-sm btn-outline-primary" @onclick="RefreshAsync" disabled="@_refreshing">
+        @if (_refreshing) { <span class="spinner-border spinner-border-sm me-1" /> }
+        Refresh
+    </button>
+    <span class="text-muted small">
+        Auto-refresh every @RefreshIntervalSeconds s. Last updated: @(_lastRefreshUtc?.ToString("HH:mm:ss 'UTC'") ?? "—")
+    </span>
+</div>
+
+@if (_rows is null)
+{
+    <p>Loading…</p>
+}
+else if (_rows.Count == 0)
+{
+    <div class="alert alert-info">
+        No node state recorded yet. Nodes publish their state to the central DB on each poll; if
+        this list is empty, either no nodes have been registered or the poller hasn't run yet.
+    </div>
+}
+else
+{
+    <div class="row g-3 mb-4">
+        <div class="col-md-3">
+            <div class="card"><div class="card-body">
+                <h6 class="text-muted mb-1">Nodes</h6>
+                <div class="fs-3">@_rows.Count</div>
+            </div></div>
+        </div>
+        <div class="col-md-3">
+            <div class="card border-success"><div class="card-body">
+                <h6 class="text-muted mb-1">Applied</h6>
+                <div class="fs-3 text-success">@_rows.Count(r => r.Status == "Applied")</div>
+            </div></div>
+        </div>
+        <div class="col-md-3">
+            <div class="card border-warning"><div class="card-body">
+                <h6 class="text-muted mb-1">Stale</h6>
+                <div class="fs-3 text-warning">@_rows.Count(r => IsStale(r))</div>
+            </div></div>
+        </div>
+        <div class="col-md-3">
+            <div class="card border-danger"><div class="card-body">
+                <h6 class="text-muted mb-1">Failed</h6>
+                <div class="fs-3 text-danger">@_rows.Count(r => r.Status == "Failed")</div>
+            </div></div>
+        </div>
+    </div>
+
+    <table class="table table-hover align-middle">
+        <thead>
+            <tr>
+                <th>Node</th>
+                <th>Cluster</th>
+                <th>Generation</th>
+                <th>Status</th>
+                <th>Last applied</th>
+                <th>Last seen</th>
+                <th>Error</th>
+            </tr>
+        </thead>
+        <tbody>
+        @foreach (var r in _rows)
+        {
+            <tr class="@RowClass(r)">
+                <td><code>@r.NodeId</code></td>
+                <td>@r.ClusterId</td>
+                <td>@(r.GenerationId?.ToString() ?? "—")</td>
+                <td>
+                    <span class="badge @StatusBadge(r.Status)">@(r.Status ?? "—")</span>
+                </td>
+                <td>@FormatAge(r.AppliedAt)</td>
+                <td class="@(IsStale(r) ? "text-warning" : "")">@FormatAge(r.SeenAt)</td>
+                <td class="text-truncate" style="max-width: 320px;" title="@r.Error">@r.Error</td>
+            </tr>
+        }
+        </tbody>
+    </table>
+}
+
+@code {
+    // Refresh cadence. 5s matches FleetStatusPoller's poll interval — the dashboard always sees
+    // the most recent published state without polling ahead of the broadcaster.
+    private const int RefreshIntervalSeconds = 5;
+
+    private List<FleetNodeRow>? _rows;
+    private bool _refreshing;
+    private DateTime? _lastRefreshUtc;
+    private Timer? _timer;
+
+    protected override async Task OnInitializedAsync()
+    {
+        await RefreshAsync();
+        _timer = new Timer(async _ => await InvokeAsync(RefreshAsync),
+            state: null,
+            dueTime: TimeSpan.FromSeconds(RefreshIntervalSeconds),
+            period: TimeSpan.FromSeconds(RefreshIntervalSeconds));
+    }
+
+    private async Task RefreshAsync()
+    {
+        if (_refreshing) return;
+        _refreshing = true;
+        try
+        {
+            using var scope = ScopeFactory.CreateScope();
+            var db = scope.ServiceProvider.GetRequiredService<OtOpcUaConfigDbContext>();
+            var rows = await db.ClusterNodeGenerationStates.AsNoTracking()
+                .Join(db.ClusterNodes.AsNoTracking(), s => s.NodeId, n => n.NodeId, (s, n) => new FleetNodeRow(
+                    s.NodeId, n.ClusterId, s.CurrentGenerationId,
+                    s.LastAppliedStatus != null ? s.LastAppliedStatus.ToString() : null,
+                    s.LastAppliedError, s.LastAppliedAt, s.LastSeenAt))
+                .OrderBy(r => r.ClusterId)
+                .ThenBy(r => r.NodeId)
+                .ToListAsync();
+            _rows = rows;
+            _lastRefreshUtc = DateTime.UtcNow;
+        }
+        finally
+        {
+            _refreshing = false;
+            StateHasChanged();
+        }
+    }
+
+    private static bool IsStale(FleetNodeRow r)
+    {
+        if (r.SeenAt is null) return true;
+        return (DateTime.UtcNow - r.SeenAt.Value) > TimeSpan.FromSeconds(30);
+    }
+
+    private static string RowClass(FleetNodeRow r) => r.Status switch
+    {
+        "Failed" => "table-danger",
+        _ when IsStale(r) => "table-warning",
+        _ => "",
+    };
+
+    private static string StatusBadge(string? status) => status switch
+    {
+        "Applied" => "bg-success",
+        "Failed" => "bg-danger",
+        "Applying" => "bg-info",
+        _ => "bg-secondary",
+    };
+
+    private static string FormatAge(DateTime? t)
+    {
+        if (t is null) return "—";
+        var age = DateTime.UtcNow - t.Value;
+        if (age.TotalSeconds < 60) return $"{(int)age.TotalSeconds}s ago";
+        if (age.TotalMinutes < 60) return $"{(int)age.TotalMinutes}m ago";
+        if (age.TotalHours < 24) return $"{(int)age.TotalHours}h ago";
+        return t.Value.ToString("yyyy-MM-dd HH:mm 'UTC'");
+    }
+
+    public void Dispose() => _timer?.Dispose();
+
+    internal sealed record FleetNodeRow(
+        string NodeId, string ClusterId, long? GenerationId,
+        string? Status, string? Error, DateTime? AppliedAt, DateTime? SeenAt);
+}

src/ZB.MOM.WW.OtOpcUa.Driver.Modbus/ModbusDriver.cs

@@ -17,7 +17,7 @@ namespace ZB.MOM.WW.OtOpcUa.Driver.Modbus;
 /// </remarks>
 public sealed class ModbusDriver(ModbusDriverOptions options, string driverInstanceId,
     Func<ModbusDriverOptions, IModbusTransport>? transportFactory = null)
-    : IDriver, ITagDiscovery, IReadable, IWritable, ISubscribable, IDisposable, IAsyncDisposable
+    : IDriver, ITagDiscovery, IReadable, IWritable, ISubscribable, IHostConnectivityProbe, IDisposable, IAsyncDisposable
 {
     // Active polling subscriptions. Each subscription owns a background Task that polls the
     // tags at its configured interval, diffs against _lastKnownValues, and fires OnDataChange
@@ -26,6 +26,15 @@ public sealed class ModbusDriver(ModbusDriverOptions options, string driverInsta
     private long _nextSubscriptionId;
 
     public event EventHandler<DataChangeEventArgs>? OnDataChange;
+    public event EventHandler<HostStatusChangedEventArgs>? OnHostStatusChanged;
+
+    // Single-host probe state — Modbus driver talks to exactly one endpoint so the "hosts"
+    // collection has at most one entry. HostName is the Host:Port string so the Admin UI can
+    // display the PLC endpoint uniformly with Galaxy platforms/engines.
+    private readonly object _probeLock = new();
+    private HostState _hostState = HostState.Unknown;
+    private DateTime _hostStateChangedUtc = DateTime.UtcNow;
+    private CancellationTokenSource? _probeCts;
     private readonly ModbusDriverOptions _options = options;
     private readonly Func<ModbusDriverOptions, IModbusTransport> _transportFactory =
         transportFactory ?? (o => new ModbusTcpTransport(o.Host, o.Port, o.Timeout));
@@ -46,6 +55,15 @@ public sealed class ModbusDriver(ModbusDriverOptions options, string driverInsta
             await _transport.ConnectAsync(cancellationToken).ConfigureAwait(false);
             foreach (var t in _options.Tags) _tagsByName[t.Name] = t;
             _health = new DriverHealth(DriverState.Healthy, DateTime.UtcNow, null);
+
+            // PR 23: kick off the probe loop once the transport is up. Initial state stays
+            // Unknown until the first probe tick succeeds — avoids broadcasting a premature
+            // Running transition before any register round-trip has happened.
+            if (_options.Probe.Enabled)
+            {
+                _probeCts = new CancellationTokenSource();
+                _ = Task.Run(() => ProbeLoopAsync(_probeCts.Token), _probeCts.Token);
+            }
         }
         catch (Exception ex)
         {
@@ -62,6 +80,10 @@ public sealed class ModbusDriver(ModbusDriverOptions options, string driverInsta
 
     public async Task ShutdownAsync(CancellationToken cancellationToken)
     {
+        try { _probeCts?.Cancel(); } catch { }
+        _probeCts?.Dispose();
+        _probeCts = null;
+
         foreach (var state in _subscriptions.Values)
         {
             try { state.Cts.Cancel(); } catch { }
@@ -147,14 +169,14 @@ public sealed class ModbusDriver(ModbusDriverOptions options, string driverInsta
             case ModbusRegion.HoldingRegisters:
             case ModbusRegion.InputRegisters:
             {
-                var quantity = RegisterCount(tag.DataType);
+                var quantity = RegisterCount(tag);
                 var fc = tag.Region == ModbusRegion.HoldingRegisters ? (byte)0x03 : (byte)0x04;
                 var pdu = new byte[] { fc, (byte)(tag.Address >> 8), (byte)(tag.Address & 0xFF),
                                        (byte)(quantity >> 8), (byte)(quantity & 0xFF) };
                 var resp = await transport.SendAsync(_options.UnitId, pdu, ct).ConfigureAwait(false);
                 // resp = [fc][byte-count][data...]
                 var data = new ReadOnlySpan<byte>(resp, 2, resp[1]);
-                return DecodeRegister(data, tag.DataType);
+                return DecodeRegister(data, tag);
             }
             default:
                 throw new InvalidOperationException($"Unknown region {tag.Region}");
@@ -208,7 +230,7 @@ public sealed class ModbusDriver(ModbusDriverOptions options, string driverInsta
             }
             case ModbusRegion.HoldingRegisters:
             {
-                var bytes = EncodeRegister(value, tag.DataType);
+                var bytes = EncodeRegister(value, tag);
                 if (bytes.Length == 2)
                 {
                     var pdu = new byte[] { 0x06, (byte)(tag.Address >> 8), (byte)(tag.Address & 0xFF),
@@ -313,75 +335,235 @@ public sealed class ModbusDriver(ModbusDriverOptions options, string driverInsta
         public string DiagnosticId => $"modbus-sub-{Id}";
     }
 
+    // ---- IHostConnectivityProbe ----
+
+    public IReadOnlyList<HostConnectivityStatus> GetHostStatuses()
+    {
+        lock (_probeLock)
+            return [new HostConnectivityStatus(HostName, _hostState, _hostStateChangedUtc)];
+    }
+
+    /// <summary>
+    ///     Host identifier surfaced to <c>IHostConnectivityProbe.GetHostStatuses</c> and the Admin UI.
+    ///     Formatted as <c>host:port</c> so multiple Modbus drivers in the same server disambiguate
+    ///     by endpoint without needing the driver-instance-id in the Admin dashboard.
+    /// </summary>
+    public string HostName => $"{_options.Host}:{_options.Port}";
+
+    private async Task ProbeLoopAsync(CancellationToken ct)
+    {
+        var transport = _transport; // captured reference; disposal tears the loop down via ct
+        while (!ct.IsCancellationRequested)
+        {
+            var success = false;
+            try
+            {
+                using var probeCts = CancellationTokenSource.CreateLinkedTokenSource(ct);
+                probeCts.CancelAfter(_options.Probe.Timeout);
+                var pdu = new byte[] { 0x03,
+                    (byte)(_options.Probe.ProbeAddress >> 8),
+                    (byte)(_options.Probe.ProbeAddress & 0xFF), 0x00, 0x01 };
+                _ = await transport!.SendAsync(_options.UnitId, pdu, probeCts.Token).ConfigureAwait(false);
+                success = true;
+            }
+            catch (OperationCanceledException) when (ct.IsCancellationRequested)
+            {
+                return;
+            }
+            catch
+            {
+                // transport / timeout / exception PDU — treated as Stopped below
+            }
+
+            TransitionTo(success ? HostState.Running : HostState.Stopped);
+
+            try { await Task.Delay(_options.Probe.Interval, ct).ConfigureAwait(false); }
+            catch (OperationCanceledException) { return; }
+        }
+    }
+
+    private void TransitionTo(HostState newState)
+    {
+        HostState old;
+        lock (_probeLock)
+        {
+            old = _hostState;
+            if (old == newState) return;
+            _hostState = newState;
+            _hostStateChangedUtc = DateTime.UtcNow;
+        }
+        OnHostStatusChanged?.Invoke(this, new HostStatusChangedEventArgs(HostName, old, newState));
+    }
+
     // ---- codec ----
 
-    internal static ushort RegisterCount(ModbusDataType t) => t switch
+    /// <summary>
+    ///     How many 16-bit registers a given tag occupies. Accounts for multi-register logical
+    ///     types (Int32/Float32 = 2 regs, Int64/Float64 = 4 regs) and for strings (rounded up
+    ///     from 2 chars per register).
+    /// </summary>
+    internal static ushort RegisterCount(ModbusTagDefinition tag) => tag.DataType switch
     {
-        ModbusDataType.Int16 or ModbusDataType.UInt16 => 1,
+        ModbusDataType.Int16 or ModbusDataType.UInt16 or ModbusDataType.BitInRegister => 1,
         ModbusDataType.Int32 or ModbusDataType.UInt32 or ModbusDataType.Float32 => 2,
-        _ => throw new InvalidOperationException($"Non-register data type {t}"),
+        ModbusDataType.Int64 or ModbusDataType.UInt64 or ModbusDataType.Float64 => 4,
+        ModbusDataType.String => (ushort)((tag.StringLength + 1) / 2), // 2 chars per register
+        _ => throw new InvalidOperationException($"Non-register data type {tag.DataType}"),
     };
 
-    internal static object DecodeRegister(ReadOnlySpan<byte> data, ModbusDataType t) => t switch
+    /// <summary>
+    ///     Word-swap the input into the big-endian layout the decoders expect. For 2-register
+    ///     types this reverses the two words; for 4-register types it reverses the four words
+    ///     (PLC stored [hi-mid, low-mid, hi-high, low-high] → memory [hi-high, low-high, hi-mid, low-mid]).
+    /// </summary>
+    private static byte[] NormalizeWordOrder(ReadOnlySpan<byte> data, ModbusByteOrder order)
     {
-        ModbusDataType.Int16 => BinaryPrimitives.ReadInt16BigEndian(data),
-        ModbusDataType.UInt16 => BinaryPrimitives.ReadUInt16BigEndian(data),
-        ModbusDataType.Int32 => BinaryPrimitives.ReadInt32BigEndian(data),
-        ModbusDataType.UInt32 => BinaryPrimitives.ReadUInt32BigEndian(data),
-        ModbusDataType.Float32 => BinaryPrimitives.ReadSingleBigEndian(data),
-        _ => throw new InvalidOperationException($"Non-register data type {t}"),
-    };
+        if (order == ModbusByteOrder.BigEndian) return data.ToArray();
+        var result = new byte[data.Length];
+        for (var word = 0; word < data.Length / 2; word++)
+        {
+            var srcWord = data.Length / 2 - 1 - word;
+            result[word * 2] = data[srcWord * 2];
+            result[word * 2 + 1] = data[srcWord * 2 + 1];
+        }
+        return result;
+    }
 
-    internal static byte[] EncodeRegister(object? value, ModbusDataType t)
+    internal static object DecodeRegister(ReadOnlySpan<byte> data, ModbusTagDefinition tag)
     {
-        switch (t)
+        switch (tag.DataType)
+        {
+            case ModbusDataType.Int16: return BinaryPrimitives.ReadInt16BigEndian(data);
+            case ModbusDataType.UInt16: return BinaryPrimitives.ReadUInt16BigEndian(data);
+            case ModbusDataType.BitInRegister:
+            {
+                var raw = BinaryPrimitives.ReadUInt16BigEndian(data);
+                return (raw & (1 << tag.BitIndex)) != 0;
+            }
+            case ModbusDataType.Int32:
+            {
+                var b = NormalizeWordOrder(data, tag.ByteOrder);
+                return BinaryPrimitives.ReadInt32BigEndian(b);
+            }
+            case ModbusDataType.UInt32:
+            {
+                var b = NormalizeWordOrder(data, tag.ByteOrder);
+                return BinaryPrimitives.ReadUInt32BigEndian(b);
+            }
+            case ModbusDataType.Float32:
+            {
+                var b = NormalizeWordOrder(data, tag.ByteOrder);
+                return BinaryPrimitives.ReadSingleBigEndian(b);
+            }
+            case ModbusDataType.Int64:
+            {
+                var b = NormalizeWordOrder(data, tag.ByteOrder);
+                return BinaryPrimitives.ReadInt64BigEndian(b);
+            }
+            case ModbusDataType.UInt64:
+            {
+                var b = NormalizeWordOrder(data, tag.ByteOrder);
+                return BinaryPrimitives.ReadUInt64BigEndian(b);
+            }
+            case ModbusDataType.Float64:
+            {
+                var b = NormalizeWordOrder(data, tag.ByteOrder);
+                return BinaryPrimitives.ReadDoubleBigEndian(b);
+            }
+            case ModbusDataType.String:
+            {
+                // ASCII, 2 chars per register, packed high byte = first char.
+                // Respect the caller's StringLength (truncate nul-padded regions).
+                var chars = new char[tag.StringLength];
+                for (var i = 0; i < tag.StringLength; i++)
+                {
+                    var b = data[i];
+                    if (b == 0) { return new string(chars, 0, i); }
+                    chars[i] = (char)b;
+                }
+                return new string(chars);
+            }
+            default:
+                throw new InvalidOperationException($"Non-register data type {tag.DataType}");
+        }
+    }
+
+    internal static byte[] EncodeRegister(object? value, ModbusTagDefinition tag)
+    {
+        switch (tag.DataType)
         {
             case ModbusDataType.Int16:
             {
                 var v = Convert.ToInt16(value);
-                var b = new byte[2];
-                BinaryPrimitives.WriteInt16BigEndian(b, v);
-                return b;
+                var b = new byte[2]; BinaryPrimitives.WriteInt16BigEndian(b, v); return b;
             }
             case ModbusDataType.UInt16:
             {
                 var v = Convert.ToUInt16(value);
-                var b = new byte[2];
-                BinaryPrimitives.WriteUInt16BigEndian(b, v);
-                return b;
+                var b = new byte[2]; BinaryPrimitives.WriteUInt16BigEndian(b, v); return b;
             }
             case ModbusDataType.Int32:
             {
                 var v = Convert.ToInt32(value);
-                var b = new byte[4];
-                BinaryPrimitives.WriteInt32BigEndian(b, v);
-                return b;
+                var b = new byte[4]; BinaryPrimitives.WriteInt32BigEndian(b, v);
+                return NormalizeWordOrder(b, tag.ByteOrder);
             }
             case ModbusDataType.UInt32:
             {
                 var v = Convert.ToUInt32(value);
-                var b = new byte[4];
-                BinaryPrimitives.WriteUInt32BigEndian(b, v);
-                return b;
+                var b = new byte[4]; BinaryPrimitives.WriteUInt32BigEndian(b, v);
+                return NormalizeWordOrder(b, tag.ByteOrder);
             }
             case ModbusDataType.Float32:
             {
                 var v = Convert.ToSingle(value);
-                var b = new byte[4];
-                BinaryPrimitives.WriteSingleBigEndian(b, v);
+                var b = new byte[4]; BinaryPrimitives.WriteSingleBigEndian(b, v);
+                return NormalizeWordOrder(b, tag.ByteOrder);
+            }
+            case ModbusDataType.Int64:
+            {
+                var v = Convert.ToInt64(value);
+                var b = new byte[8]; BinaryPrimitives.WriteInt64BigEndian(b, v);
+                return NormalizeWordOrder(b, tag.ByteOrder);
+            }
+            case ModbusDataType.UInt64:
+            {
+                var v = Convert.ToUInt64(value);
+                var b = new byte[8]; BinaryPrimitives.WriteUInt64BigEndian(b, v);
+                return NormalizeWordOrder(b, tag.ByteOrder);
+            }
+            case ModbusDataType.Float64:
+            {
+                var v = Convert.ToDouble(value);
+                var b = new byte[8]; BinaryPrimitives.WriteDoubleBigEndian(b, v);
+                return NormalizeWordOrder(b, tag.ByteOrder);
+            }
+            case ModbusDataType.String:
+            {
+                var s = Convert.ToString(value) ?? string.Empty;
+                var regs = (tag.StringLength + 1) / 2;
+                var b = new byte[regs * 2];
+                for (var i = 0; i < tag.StringLength && i < s.Length; i++) b[i] = (byte)s[i];
+                // remaining bytes stay 0 — nul-padded per PLC convention
                 return b;
             }
+            case ModbusDataType.BitInRegister:
+                throw new InvalidOperationException(
+                    "BitInRegister writes require a read-modify-write; not supported in PR 24 (separate follow-up).");
             default:
-                throw new InvalidOperationException($"Non-register data type {t}");
+                throw new InvalidOperationException($"Non-register data type {tag.DataType}");
         }
     }
 
     private static DriverDataType MapDataType(ModbusDataType t) => t switch
     {
-        ModbusDataType.Bool => DriverDataType.Boolean,
+        ModbusDataType.Bool or ModbusDataType.BitInRegister => DriverDataType.Boolean,
         ModbusDataType.Int16 or ModbusDataType.Int32 => DriverDataType.Int32,
         ModbusDataType.UInt16 or ModbusDataType.UInt32 => DriverDataType.Int32,
+        ModbusDataType.Int64 or ModbusDataType.UInt64 => DriverDataType.Int32, // widening to Int32 loses precision; PR 25 adds Int64 to DriverDataType
         ModbusDataType.Float32 => DriverDataType.Float32,
+        ModbusDataType.Float64 => DriverDataType.Float64,
+        ModbusDataType.String => DriverDataType.String,
         _ => DriverDataType.Int32,
     };
 

src/ZB.MOM.WW.OtOpcUa.Driver.Modbus/ModbusDriverOptions.cs

@@ -1,3 +1,5 @@
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+
 namespace ZB.MOM.WW.OtOpcUa.Driver.Modbus;
 
 /// <summary>
@@ -14,11 +16,31 @@ public sealed class ModbusDriverOptions
 
     /// <summary>Pre-declared tag map. Modbus has no discovery protocol — the driver returns exactly these.</summary>
     public IReadOnlyList<ModbusTagDefinition> Tags { get; init; } = [];
+
+    /// <summary>
+    ///     Background connectivity-probe settings. When <see cref="ModbusProbeOptions.Enabled"/>
+    ///     is true the driver runs a tick loop that issues a cheap FC03 at register 0 every
+    ///     <see cref="ModbusProbeOptions.Interval"/> and raises <c>OnHostStatusChanged</c> on
+    ///     Running ↔ Stopped transitions. The Admin UI / OPC UA clients see the state through
+    ///     <see cref="IHostConnectivityProbe"/>.
+    /// </summary>
+    public ModbusProbeOptions Probe { get; init; } = new();
+}
+
+public sealed class ModbusProbeOptions
+{
+    public bool Enabled { get; init; } = true;
+    public TimeSpan Interval { get; init; } = TimeSpan.FromSeconds(5);
+    public TimeSpan Timeout { get; init; } = TimeSpan.FromSeconds(2);
+    /// <summary>Register to read for the probe. Zero is usually safe; override for PLCs that lock register 0.</summary>
+    public ushort ProbeAddress { get; init; } = 0;
 }
 
 /// <summary>
 ///     One Modbus-backed OPC UA variable. Address is zero-based (Modbus spec numbering, not
-///     the documentation's 1-based coil/register conventions).
+///     the documentation's 1-based coil/register conventions). Multi-register types
+///     (Int32/UInt32/Float32 = 2 regs; Int64/UInt64/Float64 = 4 regs) respect the
+///     <see cref="ByteOrder"/> field — real-world PLCs disagree on word ordering.
 /// </summary>
 /// <param name="Name">
 ///     Tag name, used for both the OPC UA browse name and the driver's full reference. Must be
@@ -26,14 +48,50 @@ public sealed class ModbusDriverOptions
 /// </param>
 /// <param name="Region">Coils / DiscreteInputs / InputRegisters / HoldingRegisters.</param>
 /// <param name="Address">Zero-based address within the region.</param>
-/// <param name="DataType">Logical data type. Int16/UInt16 = single register; Int32/UInt32/Float32 = two registers big-endian.</param>
+/// <param name="DataType">
+///     Logical data type. See <see cref="ModbusDataType"/> for the register count each encodes.
+/// </param>
 /// <param name="Writable">When true and Region supports writes (Coils / HoldingRegisters), IWritable routes writes here.</param>
+/// <param name="ByteOrder">Word ordering for multi-register types. Ignored for Bool / Int16 / UInt16 / BitInRegister / String.</param>
+/// <param name="BitIndex">For <c>DataType = BitInRegister</c>: which bit of the holding register (0-15, LSB-first).</param>
+/// <param name="StringLength">For <c>DataType = String</c>: number of ASCII characters (2 per register, rounded up).</param>
 public sealed record ModbusTagDefinition(
     string Name,
     ModbusRegion Region,
     ushort Address,
     ModbusDataType DataType,
-    bool Writable = true);
+    bool Writable = true,
+    ModbusByteOrder ByteOrder = ModbusByteOrder.BigEndian,
+    byte BitIndex = 0,
+    ushort StringLength = 0);
 
 public enum ModbusRegion { Coils, DiscreteInputs, InputRegisters, HoldingRegisters }
-public enum ModbusDataType { Bool, Int16, UInt16, Int32, UInt32, Float32 }
+
+public enum ModbusDataType
+{
+    Bool,
+    Int16,
+    UInt16,
+    Int32,
+    UInt32,
+    Int64,
+    UInt64,
+    Float32,
+    Float64,
+    /// <summary>Single bit within a holding register. <see cref="ModbusTagDefinition.BitIndex"/> selects 0-15 LSB-first.</summary>
+    BitInRegister,
+    /// <summary>ASCII string packed 2 chars per register, <see cref="ModbusTagDefinition.StringLength"/> characters long.</summary>
+    String,
+}
+
+/// <summary>
+///     Word ordering for multi-register types. Modbus TCP standard is <see cref="BigEndian"/>
+///     (ABCD for 32-bit: high word at the lower address). Many PLCs — Siemens S7, several
+///     Allen-Bradley series, some Modicon families — use <see cref="WordSwap"/> (CDAB), which
+///     keeps bytes big-endian within each register but reverses the word pair(s).
+/// </summary>
+public enum ModbusByteOrder
+{
+    BigEndian,
+    WordSwap,
+}

src/ZB.MOM.WW.OtOpcUa.Server/OpcUa/DriverNodeManager.cs

@@ -3,6 +3,7 @@ using Microsoft.Extensions.Logging;
 using Opc.Ua;
 using Opc.Ua.Server;
 using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Server.Security;
 using DriverWriteRequest = ZB.MOM.WW.OtOpcUa.Core.Abstractions.WriteRequest;
 
 namespace ZB.MOM.WW.OtOpcUa.Server.OpcUa;
@@ -35,6 +36,12 @@ public sealed class DriverNodeManager : CustomNodeManager2, IAddressSpaceBuilder
     private FolderState? _driverRoot;
     private readonly Dictionary<string, BaseDataVariableState> _variablesByFullRef = new(StringComparer.OrdinalIgnoreCase);
 
+    // PR 26: SecurityClassification per variable, populated during Variable() registration.
+    // OnWriteValue looks up the classification here to gate the write by the session's roles.
+    // Drivers never enforce authz themselves — the classification is discovery-time metadata
+    // only (feedback_acl_at_server_layer.md).
+    private readonly Dictionary<string, SecurityClassification> _securityByFullRef = new(StringComparer.OrdinalIgnoreCase);
+
     // Active building folder — set per Folder() call so Variable() lands under the right parent.
     // A stack would support nested folders; we use a single current folder because IAddressSpaceBuilder
     // returns a child builder per Folder call and the caller threads nesting through those references.
@@ -122,6 +129,7 @@ public sealed class DriverNodeManager : CustomNodeManager2, IAddressSpaceBuilder
             _currentFolder.AddChild(v);
             AddPredefinedNode(SystemContext, v);
             _variablesByFullRef[attributeInfo.FullName] = v;
+            _securityByFullRef[attributeInfo.FullName] = attributeInfo.SecurityClass;
 
             v.OnReadValue = OnReadValue;
             v.OnWriteValue = OnWriteValue;
@@ -337,6 +345,22 @@ public sealed class DriverNodeManager : CustomNodeManager2, IAddressSpaceBuilder
         var fullRef = node.NodeId.Identifier as string;
         if (string.IsNullOrEmpty(fullRef)) return StatusCodes.BadNodeIdUnknown;
 
+        // PR 26: server-layer write authorization. Look up the attribute's classification
+        // (populated during Variable() in Discover) and check the session's roles against the
+        // policy table. Drivers don't participate in this decision — IWritable.WriteAsync
+        // never sees a request we'd have refused here.
+        if (_securityByFullRef.TryGetValue(fullRef!, out var classification))
+        {
+            var roles = context.UserIdentity is IRoleBearer rb ? rb.Roles : [];
+            if (!WriteAuthzPolicy.IsAllowed(classification, roles))
+            {
+                _logger.LogInformation(
+                    "Write denied for {FullRef}: classification={Classification} userRoles=[{Roles}]",
+                    fullRef, classification, string.Join(",", roles));
+                return new ServiceResult(StatusCodes.BadUserAccessDenied);
+            }
+        }
+
         try
         {
             var results = _writable.WriteAsync(

src/ZB.MOM.WW.OtOpcUa.Server/OpcUa/OtOpcUaServer.cs

@@ -97,7 +97,7 @@ public sealed class OtOpcUaServer : StandardServer
     ///     managers can gate writes by role via <c>session.Identity</c>. Anonymous identity still
     ///     uses the stack's default.
     /// </summary>
-    private sealed class RoleBasedIdentity : UserIdentity
+    private sealed class RoleBasedIdentity : UserIdentity, IRoleBearer
     {
         public IReadOnlyList<string> Roles { get; }
         public string? Display { get; }

src/ZB.MOM.WW.OtOpcUa.Server/Security/IRoleBearer.cs

@@ -0,0 +1,13 @@
+namespace ZB.MOM.WW.OtOpcUa.Server.Security;
+
+/// <summary>
+///     Minimal interface a <see cref="Opc.Ua.IUserIdentity"/> implementation can expose so
+///     <see cref="ZB.MOM.WW.OtOpcUa.Server.OpcUa.DriverNodeManager"/> can read the session's
+///     resolved roles without a hard dependency on any specific identity subtype. Implemented
+///     by <c>OtOpcUaServer.RoleBasedIdentity</c>; tests implement it with stub identities to
+///     drive the authz policy under different role sets.
+/// </summary>
+public interface IRoleBearer
+{
+    IReadOnlyList<string> Roles { get; }
+}

src/ZB.MOM.WW.OtOpcUa.Server/Security/WriteAuthzPolicy.cs

@@ -0,0 +1,70 @@
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.Security;
+
+/// <summary>
+///     Server-layer write-authorization policy. ACL enforcement lives here — drivers report
+///     <see cref="SecurityClassification"/> as discovery metadata only; the server decides
+///     whether a given session is allowed to write a given attribute by checking the session's
+///     roles (resolved at login via <see cref="LdapUserAuthenticator"/>) against the required
+///     role for the attribute's classification.
+/// </summary>
+/// <remarks>
+///     Matches the table in <c>docs/Configuration.md</c>:
+///     <list type="bullet">
+///         <item><c>FreeAccess</c>: no role required — anonymous sessions can write (matches v1 default).</item>
+///         <item><c>Operate</c> / <c>SecuredWrite</c>: <c>WriteOperate</c> role required.</item>
+///         <item><c>Tune</c>: <c>WriteTune</c> role required.</item>
+///         <item><c>VerifiedWrite</c> / <c>Configure</c>: <c>WriteConfigure</c> role required.</item>
+///         <item><c>ViewOnly</c>: no role grants write access.</item>
+///     </list>
+///     <c>AlarmAck</c> is checked at the alarm-acknowledge path, not here.
+/// </remarks>
+public static class WriteAuthzPolicy
+{
+    public const string RoleWriteOperate = "WriteOperate";
+    public const string RoleWriteTune = "WriteTune";
+    public const string RoleWriteConfigure = "WriteConfigure";
+
+    /// <summary>
+    ///     Decide whether a session with <paramref name="userRoles"/> is allowed to write to an
+    ///     attribute with the given <paramref name="classification"/>. Returns true for
+    ///     <c>FreeAccess</c> regardless of roles (including empty / anonymous sessions) and
+    ///     false for <c>ViewOnly</c> regardless of roles. Every other classification requires
+    ///     the session to carry the mapped role — case-insensitive match.
+    /// </summary>
+    public static bool IsAllowed(SecurityClassification classification, IReadOnlyCollection<string> userRoles)
+    {
+        if (classification == SecurityClassification.FreeAccess) return true;
+        if (classification == SecurityClassification.ViewOnly) return false;
+
+        var required = RequiredRole(classification);
+        if (required is null) return false;
+
+        foreach (var r in userRoles)
+        {
+            if (string.Equals(r, required, StringComparison.OrdinalIgnoreCase))
+                return true;
+        }
+        return false;
+    }
+
+    /// <summary>
+    ///     Required role for a classification, or null when no role grants access
+    ///     (<see cref="SecurityClassification.ViewOnly"/>) or no role is needed
+    ///     (<see cref="SecurityClassification.FreeAccess"/> — also returns null; callers use
+    ///     <see cref="IsAllowed"/> which handles the special-cases rather than branching on
+    ///     null themselves).
+    /// </summary>
+    public static string? RequiredRole(SecurityClassification classification) => classification switch
+    {
+        SecurityClassification.FreeAccess => null, // IsAllowed short-circuits
+        SecurityClassification.Operate => RoleWriteOperate,
+        SecurityClassification.SecuredWrite => RoleWriteOperate,
+        SecurityClassification.Tune => RoleWriteTune,
+        SecurityClassification.VerifiedWrite => RoleWriteConfigure,
+        SecurityClassification.Configure => RoleWriteConfigure,
+        SecurityClassification.ViewOnly => null, // IsAllowed short-circuits
+        _ => null,
+    };
+}

tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.Tests/ModbusDataTypeTests.cs

@@ -0,0 +1,175 @@
+using System.Buffers.Binary;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Driver.Modbus;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Modbus.Tests;
+
+[Trait("Category", "Unit")]
+public sealed class ModbusDataTypeTests
+{
+    /// <summary>
+    ///     Register-count lookup is per-tag now (strings need StringLength; Int64/Float64 need 4).
+    /// </summary>
+    [Theory]
+    [InlineData(ModbusDataType.BitInRegister, 1)]
+    [InlineData(ModbusDataType.Int16, 1)]
+    [InlineData(ModbusDataType.UInt16, 1)]
+    [InlineData(ModbusDataType.Int32, 2)]
+    [InlineData(ModbusDataType.UInt32, 2)]
+    [InlineData(ModbusDataType.Float32, 2)]
+    [InlineData(ModbusDataType.Int64, 4)]
+    [InlineData(ModbusDataType.UInt64, 4)]
+    [InlineData(ModbusDataType.Float64, 4)]
+    public void RegisterCount_returns_correct_register_count_per_type(ModbusDataType t, int expected)
+    {
+        var tag = new ModbusTagDefinition("T", ModbusRegion.HoldingRegisters, 0, t);
+        ModbusDriver.RegisterCount(tag).ShouldBe((ushort)expected);
+    }
+
+    [Theory]
+    [InlineData(0, 1)]   // 0 chars → still 1 byte / 1 register (pathological but well-defined: length 0 is 0 bytes)
+    [InlineData(1, 1)]
+    [InlineData(2, 1)]
+    [InlineData(3, 2)]
+    [InlineData(10, 5)]
+    public void RegisterCount_for_String_rounds_up_to_register_pair(ushort chars, int expectedRegs)
+    {
+        var tag = new ModbusTagDefinition("T", ModbusRegion.HoldingRegisters, 0, ModbusDataType.String, StringLength: chars);
+        // 0-char is encoded as 0 regs; the test case expects 1 for lengths 1-2, 2 for 3-4, etc.
+        if (chars == 0) ModbusDriver.RegisterCount(tag).ShouldBe((ushort)0);
+        else ModbusDriver.RegisterCount(tag).ShouldBe((ushort)expectedRegs);
+    }
+
+    // --- Int32 / UInt32 / Float32 with byte-order variants ---
+
+    [Fact]
+    public void Int32_BigEndian_decodes_ABCD_layout()
+    {
+        // Value 0x12345678 → bytes [0x12, 0x34, 0x56, 0x78] as PLC wrote them.
+        var tag = new ModbusTagDefinition("T", ModbusRegion.HoldingRegisters, 0, ModbusDataType.Int32,
+            ByteOrder: ModbusByteOrder.BigEndian);
+        var bytes = new byte[] { 0x12, 0x34, 0x56, 0x78 };
+        ModbusDriver.DecodeRegister(bytes, tag).ShouldBe(0x12345678);
+    }
+
+    [Fact]
+    public void Int32_WordSwap_decodes_CDAB_layout()
+    {
+        // Siemens/AB PLC stored 0x12345678 as register[0] = 0x5678, register[1] = 0x1234.
+        // Wire bytes are [0x56, 0x78, 0x12, 0x34]; with ByteOrder=WordSwap we get 0x12345678 back.
+        var tag = new ModbusTagDefinition("T", ModbusRegion.HoldingRegisters, 0, ModbusDataType.Int32,
+            ByteOrder: ModbusByteOrder.WordSwap);
+        var bytes = new byte[] { 0x56, 0x78, 0x12, 0x34 };
+        ModbusDriver.DecodeRegister(bytes, tag).ShouldBe(0x12345678);
+    }
+
+    [Fact]
+    public void Float32_WordSwap_encode_decode_roundtrips()
+    {
+        var tag = new ModbusTagDefinition("T", ModbusRegion.HoldingRegisters, 0, ModbusDataType.Float32,
+            ByteOrder: ModbusByteOrder.WordSwap);
+        var wire = ModbusDriver.EncodeRegister(25.5f, tag);
+        wire.Length.ShouldBe(4);
+        ModbusDriver.DecodeRegister(wire, tag).ShouldBe(25.5f);
+    }
+
+    // --- Int64 / UInt64 / Float64 ---
+
+    [Fact]
+    public void Int64_BigEndian_roundtrips()
+    {
+        var tag = new ModbusTagDefinition("T", ModbusRegion.HoldingRegisters, 0, ModbusDataType.Int64);
+        var wire = ModbusDriver.EncodeRegister(0x0123456789ABCDEFL, tag);
+        wire.Length.ShouldBe(8);
+        BinaryPrimitives.ReadInt64BigEndian(wire).ShouldBe(0x0123456789ABCDEFL);
+        ModbusDriver.DecodeRegister(wire, tag).ShouldBe(0x0123456789ABCDEFL);
+    }
+
+    [Fact]
+    public void UInt64_WordSwap_reverses_four_words()
+    {
+        var tag = new ModbusTagDefinition("T", ModbusRegion.HoldingRegisters, 0, ModbusDataType.UInt64,
+            ByteOrder: ModbusByteOrder.WordSwap);
+        var value = 0xAABBCCDDEEFF0011UL;
+
+        var wireBE = new byte[8];
+        BinaryPrimitives.WriteUInt64BigEndian(wireBE, value);
+
+        // Word-swap layout: [word3, word2, word1, word0] where each word keeps its bytes big-endian.
+        var wireWS = new byte[] { wireBE[6], wireBE[7], wireBE[4], wireBE[5], wireBE[2], wireBE[3], wireBE[0], wireBE[1] };
+        ModbusDriver.DecodeRegister(wireWS, tag).ShouldBe(value);
+
+        var roundtrip = ModbusDriver.EncodeRegister(value, tag);
+        roundtrip.ShouldBe(wireWS);
+    }
+
+    [Fact]
+    public void Float64_roundtrips_under_word_swap()
+    {
+        var tag = new ModbusTagDefinition("T", ModbusRegion.HoldingRegisters, 0, ModbusDataType.Float64,
+            ByteOrder: ModbusByteOrder.WordSwap);
+        var wire = ModbusDriver.EncodeRegister(3.14159265358979d, tag);
+        wire.Length.ShouldBe(8);
+        ((double)ModbusDriver.DecodeRegister(wire, tag)!).ShouldBe(3.14159265358979d, tolerance: 1e-12);
+    }
+
+    // --- BitInRegister ---
+
+    [Theory]
+    [InlineData(0b0000_0000_0000_0001, 0, true)]
+    [InlineData(0b0000_0000_0000_0001, 1, false)]
+    [InlineData(0b1000_0000_0000_0000, 15, true)]
+    [InlineData(0b0100_0000_0100_0000, 6, true)]
+    [InlineData(0b0100_0000_0100_0000, 14, true)]
+    [InlineData(0b0100_0000_0100_0000, 7, false)]
+    public void BitInRegister_extracts_bit_at_index(ushort raw, byte bitIndex, bool expected)
+    {
+        var tag = new ModbusTagDefinition("T", ModbusRegion.HoldingRegisters, 0, ModbusDataType.BitInRegister,
+            BitIndex: bitIndex);
+        var bytes = new byte[] { (byte)(raw >> 8), (byte)(raw & 0xFF) };
+        ModbusDriver.DecodeRegister(bytes, tag).ShouldBe(expected);
+    }
+
+    [Fact]
+    public void BitInRegister_write_is_not_supported_in_PR24()
+    {
+        var tag = new ModbusTagDefinition("T", ModbusRegion.HoldingRegisters, 0, ModbusDataType.BitInRegister,
+            BitIndex: 5);
+        Should.Throw<InvalidOperationException>(() => ModbusDriver.EncodeRegister(true, tag))
+            .Message.ShouldContain("read-modify-write");
+    }
+
+    // --- String ---
+
+    [Fact]
+    public void String_decodes_ASCII_packed_two_chars_per_register()
+    {
+        var tag = new ModbusTagDefinition("T", ModbusRegion.HoldingRegisters, 0, ModbusDataType.String,
+            StringLength: 6);
+        // "HELLO!" = 0x48 0x45 0x4C 0x4C 0x4F 0x21 across 3 registers.
+        var bytes = "HELLO!"u8.ToArray();
+        ModbusDriver.DecodeRegister(bytes, tag).ShouldBe("HELLO!");
+    }
+
+    [Fact]
+    public void String_decode_truncates_at_first_nul()
+    {
+        var tag = new ModbusTagDefinition("T", ModbusRegion.HoldingRegisters, 0, ModbusDataType.String,
+            StringLength: 10);
+        var bytes = new byte[] { 0x48, 0x69, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
+        ModbusDriver.DecodeRegister(bytes, tag).ShouldBe("Hi");
+    }
+
+    [Fact]
+    public void String_encode_nul_pads_remaining_bytes()
+    {
+        var tag = new ModbusTagDefinition("T", ModbusRegion.HoldingRegisters, 0, ModbusDataType.String,
+            StringLength: 8);
+        var wire = ModbusDriver.EncodeRegister("Hi", tag);
+        wire.Length.ShouldBe(8);
+        wire[0].ShouldBe((byte)'H');
+        wire[1].ShouldBe((byte)'i');
+        for (var i = 2; i < 8; i++) wire[i].ShouldBe((byte)0);
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.Tests/ModbusProbeTests.cs

@@ -0,0 +1,208 @@
+using System.Collections.Concurrent;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Driver.Modbus;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Modbus.Tests;
+
+[Trait("Category", "Unit")]
+public sealed class ModbusProbeTests
+{
+    /// <summary>
+    ///     Transport fake the probe tests flip between "responding" and "unreachable" to
+    ///     exercise the state machine. Calls to SendAsync with FC=0x03 count as probe traffic
+    ///     (the driver's probe loop issues exactly that shape).
+    /// </summary>
+    private sealed class FlappyTransport : IModbusTransport
+    {
+        public volatile bool Reachable = true;
+        public int ProbeCount;
+
+        public Task ConnectAsync(CancellationToken ct) => Task.CompletedTask;
+
+        public Task<byte[]> SendAsync(byte unitId, byte[] pdu, CancellationToken ct)
+        {
+            if (pdu[0] == 0x03) Interlocked.Increment(ref ProbeCount);
+            if (!Reachable)
+                return Task.FromException<byte[]>(new IOException("transport unreachable"));
+
+            // Happy path — return a valid FC03 response for 1 register at addr.
+            if (pdu[0] == 0x03)
+            {
+                var qty = (ushort)((pdu[3] << 8) | pdu[4]);
+                var resp = new byte[2 + qty * 2];
+                resp[0] = 0x03;
+                resp[1] = (byte)(qty * 2);
+                return Task.FromResult(resp);
+            }
+            return Task.FromException<byte[]>(new NotSupportedException());
+        }
+
+        public ValueTask DisposeAsync() => ValueTask.CompletedTask;
+    }
+
+    private static (ModbusDriver drv, FlappyTransport fake) NewDriver(ModbusProbeOptions probe)
+    {
+        var fake = new FlappyTransport();
+        var opts = new ModbusDriverOptions { Host = "fake", Port = 502, Probe = probe };
+        return (new ModbusDriver(opts, "modbus-1", _ => fake), fake);
+    }
+
+    [Fact]
+    public async Task Initial_state_is_Unknown_before_first_probe_tick()
+    {
+        var (drv, _) = NewDriver(new ModbusProbeOptions { Enabled = false });
+        await drv.InitializeAsync("{}", CancellationToken.None);
+
+        var statuses = drv.GetHostStatuses();
+        statuses.Count.ShouldBe(1);
+        statuses[0].State.ShouldBe(HostState.Unknown);
+        statuses[0].HostName.ShouldBe("fake:502");
+    }
+
+    [Fact]
+    public async Task First_successful_probe_transitions_to_Running()
+    {
+        var (drv, fake) = NewDriver(new ModbusProbeOptions
+        {
+            Enabled = true,
+            Interval = TimeSpan.FromMilliseconds(150),
+            Timeout = TimeSpan.FromSeconds(1),
+        });
+        var transitions = new ConcurrentQueue<HostStatusChangedEventArgs>();
+        drv.OnHostStatusChanged += (_, e) => transitions.Enqueue(e);
+
+        await drv.InitializeAsync("{}", CancellationToken.None);
+
+        // Wait for the first probe to complete.
+        var deadline = DateTime.UtcNow + TimeSpan.FromSeconds(2);
+        while (fake.ProbeCount == 0 && DateTime.UtcNow < deadline) await Task.Delay(25);
+
+        // Then wait for the event to actually arrive.
+        deadline = DateTime.UtcNow + TimeSpan.FromSeconds(1);
+        while (transitions.Count == 0 && DateTime.UtcNow < deadline) await Task.Delay(25);
+
+        transitions.Count.ShouldBeGreaterThanOrEqualTo(1);
+        transitions.TryDequeue(out var t).ShouldBeTrue();
+        t!.OldState.ShouldBe(HostState.Unknown);
+        t.NewState.ShouldBe(HostState.Running);
+        drv.GetHostStatuses()[0].State.ShouldBe(HostState.Running);
+
+        await drv.ShutdownAsync(CancellationToken.None);
+    }
+
+    [Fact]
+    public async Task Transport_failure_transitions_to_Stopped()
+    {
+        var (drv, fake) = NewDriver(new ModbusProbeOptions
+        {
+            Enabled = true,
+            Interval = TimeSpan.FromMilliseconds(150),
+            Timeout = TimeSpan.FromSeconds(1),
+        });
+        var transitions = new ConcurrentQueue<HostStatusChangedEventArgs>();
+        drv.OnHostStatusChanged += (_, e) => transitions.Enqueue(e);
+
+        await drv.InitializeAsync("{}", CancellationToken.None);
+        await WaitForStateAsync(drv, HostState.Running, TimeSpan.FromSeconds(2));
+
+        fake.Reachable = false;
+        await WaitForStateAsync(drv, HostState.Stopped, TimeSpan.FromSeconds(2));
+
+        transitions.Select(t => t.NewState).ShouldContain(HostState.Stopped);
+        await drv.ShutdownAsync(CancellationToken.None);
+    }
+
+    [Fact]
+    public async Task Recovery_transitions_Stopped_back_to_Running()
+    {
+        var (drv, fake) = NewDriver(new ModbusProbeOptions
+        {
+            Enabled = true,
+            Interval = TimeSpan.FromMilliseconds(150),
+            Timeout = TimeSpan.FromSeconds(1),
+        });
+        var transitions = new ConcurrentQueue<HostStatusChangedEventArgs>();
+        drv.OnHostStatusChanged += (_, e) => transitions.Enqueue(e);
+
+        await drv.InitializeAsync("{}", CancellationToken.None);
+        await WaitForStateAsync(drv, HostState.Running, TimeSpan.FromSeconds(2));
+
+        fake.Reachable = false;
+        await WaitForStateAsync(drv, HostState.Stopped, TimeSpan.FromSeconds(2));
+
+        fake.Reachable = true;
+        await WaitForStateAsync(drv, HostState.Running, TimeSpan.FromSeconds(2));
+
+        // We expect at minimum: Unknown→Running, Running→Stopped, Stopped→Running.
+        transitions.Count.ShouldBeGreaterThanOrEqualTo(3);
+        await drv.ShutdownAsync(CancellationToken.None);
+    }
+
+    [Fact]
+    public async Task Repeated_successful_probes_do_not_generate_duplicate_Running_events()
+    {
+        var (drv, _) = NewDriver(new ModbusProbeOptions
+        {
+            Enabled = true,
+            Interval = TimeSpan.FromMilliseconds(100),
+            Timeout = TimeSpan.FromSeconds(1),
+        });
+        var transitions = new ConcurrentQueue<HostStatusChangedEventArgs>();
+        drv.OnHostStatusChanged += (_, e) => transitions.Enqueue(e);
+
+        await drv.InitializeAsync("{}", CancellationToken.None);
+        await WaitForStateAsync(drv, HostState.Running, TimeSpan.FromSeconds(2));
+        await Task.Delay(500); // several more probe ticks, all successful — state shouldn't thrash
+
+        transitions.Count.ShouldBe(1); // only the initial Unknown→Running
+        await drv.ShutdownAsync(CancellationToken.None);
+    }
+
+    [Fact]
+    public async Task Disabled_probe_stays_Unknown_and_fires_no_events()
+    {
+        var (drv, _) = NewDriver(new ModbusProbeOptions { Enabled = false });
+        var transitions = new ConcurrentQueue<HostStatusChangedEventArgs>();
+        drv.OnHostStatusChanged += (_, e) => transitions.Enqueue(e);
+
+        await drv.InitializeAsync("{}", CancellationToken.None);
+        await Task.Delay(300);
+
+        transitions.Count.ShouldBe(0);
+        drv.GetHostStatuses()[0].State.ShouldBe(HostState.Unknown);
+        await drv.ShutdownAsync(CancellationToken.None);
+    }
+
+    [Fact]
+    public async Task Shutdown_stops_the_probe_loop()
+    {
+        var (drv, fake) = NewDriver(new ModbusProbeOptions
+        {
+            Enabled = true,
+            Interval = TimeSpan.FromMilliseconds(100),
+            Timeout = TimeSpan.FromSeconds(1),
+        });
+        await drv.InitializeAsync("{}", CancellationToken.None);
+        await WaitForStateAsync(drv, HostState.Running, TimeSpan.FromSeconds(2));
+
+        var before = fake.ProbeCount;
+        await drv.ShutdownAsync(CancellationToken.None);
+        await Task.Delay(400);
+
+        // A handful of in-flight ticks may complete after shutdown in a narrow race; the
+        // contract is that the loop stops scheduling new ones. Tolerate ≤1 extra.
+        (fake.ProbeCount - before).ShouldBeLessThanOrEqualTo(1);
+    }
+
+    private static async Task WaitForStateAsync(ModbusDriver drv, HostState expected, TimeSpan timeout)
+    {
+        var deadline = DateTime.UtcNow + timeout;
+        while (DateTime.UtcNow < deadline)
+        {
+            if (drv.GetHostStatuses()[0].State == expected) return;
+            await Task.Delay(25);
+        }
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Server.Tests/WriteAuthzPolicyTests.cs

@@ -0,0 +1,134 @@
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Server.Security;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.Tests;
+
+[Trait("Category", "Unit")]
+public sealed class WriteAuthzPolicyTests
+{
+    // --- FreeAccess and ViewOnly special-cases ---
+
+    [Fact]
+    public void FreeAccess_allows_write_even_for_empty_role_set()
+    {
+        WriteAuthzPolicy.IsAllowed(SecurityClassification.FreeAccess, []).ShouldBeTrue();
+    }
+
+    [Fact]
+    public void FreeAccess_allows_write_for_arbitrary_roles()
+    {
+        WriteAuthzPolicy.IsAllowed(SecurityClassification.FreeAccess, ["SomeOtherRole"]).ShouldBeTrue();
+    }
+
+    [Fact]
+    public void ViewOnly_denies_write_even_with_every_role()
+    {
+        var allRoles = new[] { "WriteOperate", "WriteTune", "WriteConfigure", "AlarmAck" };
+        WriteAuthzPolicy.IsAllowed(SecurityClassification.ViewOnly, allRoles).ShouldBeFalse();
+    }
+
+    // --- Operate tier ---
+
+    [Fact]
+    public void Operate_requires_WriteOperate_role()
+    {
+        WriteAuthzPolicy.IsAllowed(SecurityClassification.Operate, ["WriteOperate"]).ShouldBeTrue();
+    }
+
+    [Fact]
+    public void Operate_role_match_is_case_insensitive()
+    {
+        WriteAuthzPolicy.IsAllowed(SecurityClassification.Operate, ["writeoperate"]).ShouldBeTrue();
+        WriteAuthzPolicy.IsAllowed(SecurityClassification.Operate, ["WRITEOPERATE"]).ShouldBeTrue();
+    }
+
+    [Fact]
+    public void Operate_denies_empty_role_set()
+    {
+        WriteAuthzPolicy.IsAllowed(SecurityClassification.Operate, []).ShouldBeFalse();
+    }
+
+    [Fact]
+    public void Operate_denies_wrong_role()
+    {
+        WriteAuthzPolicy.IsAllowed(SecurityClassification.Operate, ["ReadOnly"]).ShouldBeFalse();
+    }
+
+    [Fact]
+    public void SecuredWrite_maps_to_same_WriteOperate_requirement_as_Operate()
+    {
+        WriteAuthzPolicy.IsAllowed(SecurityClassification.SecuredWrite, ["WriteOperate"]).ShouldBeTrue();
+        WriteAuthzPolicy.IsAllowed(SecurityClassification.SecuredWrite, ["WriteTune"]).ShouldBeFalse();
+    }
+
+    // --- Tune tier ---
+
+    [Fact]
+    public void Tune_requires_WriteTune_role()
+    {
+        WriteAuthzPolicy.IsAllowed(SecurityClassification.Tune, ["WriteTune"]).ShouldBeTrue();
+    }
+
+    [Fact]
+    public void Tune_denies_WriteOperate_only_session()
+    {
+        // Important: role roles do NOT cascade — a session with WriteOperate can't write a Tune
+        // attribute. Operators escalate by adding WriteTune to the session's roles, not by a
+        // hierarchy the policy infers on its own.
+        WriteAuthzPolicy.IsAllowed(SecurityClassification.Tune, ["WriteOperate"]).ShouldBeFalse();
+    }
+
+    // --- Configure tier ---
+
+    [Fact]
+    public void Configure_requires_WriteConfigure_role()
+    {
+        WriteAuthzPolicy.IsAllowed(SecurityClassification.Configure, ["WriteConfigure"]).ShouldBeTrue();
+    }
+
+    [Fact]
+    public void VerifiedWrite_maps_to_same_WriteConfigure_requirement_as_Configure()
+    {
+        WriteAuthzPolicy.IsAllowed(SecurityClassification.VerifiedWrite, ["WriteConfigure"]).ShouldBeTrue();
+        WriteAuthzPolicy.IsAllowed(SecurityClassification.VerifiedWrite, ["WriteOperate"]).ShouldBeFalse();
+    }
+
+    // --- Multi-role sessions ---
+
+    [Fact]
+    public void Session_with_multiple_roles_is_allowed_when_any_matches()
+    {
+        var roles = new[] { "ReadOnly", "WriteTune", "AlarmAck" };
+        WriteAuthzPolicy.IsAllowed(SecurityClassification.Tune, roles).ShouldBeTrue();
+    }
+
+    [Fact]
+    public void Session_with_only_unrelated_roles_is_denied()
+    {
+        var roles = new[] { "ReadOnly", "AlarmAck", "SomeCustomRole" };
+        WriteAuthzPolicy.IsAllowed(SecurityClassification.Configure, roles).ShouldBeFalse();
+    }
+
+    // --- Mapping table ---
+
+    [Theory]
+    [InlineData(SecurityClassification.Operate, WriteAuthzPolicy.RoleWriteOperate)]
+    [InlineData(SecurityClassification.SecuredWrite, WriteAuthzPolicy.RoleWriteOperate)]
+    [InlineData(SecurityClassification.Tune, WriteAuthzPolicy.RoleWriteTune)]
+    [InlineData(SecurityClassification.VerifiedWrite, WriteAuthzPolicy.RoleWriteConfigure)]
+    [InlineData(SecurityClassification.Configure, WriteAuthzPolicy.RoleWriteConfigure)]
+    public void RequiredRole_returns_expected_role_for_classification(SecurityClassification c, string expected)
+    {
+        WriteAuthzPolicy.RequiredRole(c).ShouldBe(expected);
+    }
+
+    [Theory]
+    [InlineData(SecurityClassification.FreeAccess)]
+    [InlineData(SecurityClassification.ViewOnly)]
+    public void RequiredRole_returns_null_for_special_classifications(SecurityClassification c)
+    {
+        WriteAuthzPolicy.RequiredRole(c).ShouldBeNull();
+    }
+}