Phase 3 PR 40 — LiveStackSmokeTests: write-roundtrip + subscribe-receives-OnDataChange against the live Galaxy. Finishes LMX #5 by exercising the IWritable + ISubscribable capability paths end-to-end through the Proxy → OtOpcUaGalaxyHost service → MXAccess → real Galaxy.

Two new facts target DelmiaReceiver_001.TestAttribute — the writable Boolean UDA on the TestMachine_001 hierarchy in this dev Galaxy. The user nominated TestMachine_001 (the deployed test-target object) as a scratch surface for live testing; ZB query showed DelmiaReceiver_001 carries one dynamic_attribute named TestAttribute (mx_data_type=1=Boolean, lock_type=0=writable, security_classification=1=Operate). Naming makes the intent obvious — the attribute exists for exactly this kind of integration testing — and Boolean keeps the assertions simple (invert, write, read back).
Write_then_read_roundtrips_a_writable_Boolean_attribute_on_TestMachine_001: reads the current value as the baseline (Galaxy may return Uncertain quality until the Engine has scanned the attribute at least once — we don't read into a typed bool until Status is Good), inverts it, writes via IWritable, then polls reads in a 5s loop until either the new value comes back or the budget expires. The scan-window poll (rather than a single read after a fixed delay) accommodates Galaxy's variable scan latency on a fresh service start. Restore-on-finally writes the original value back so re-running the test doesn't accumulate a flipped TestAttribute on the dev box (Galaxy holds UDA values across runs since they're deployed). Best-effort restore — swallows exceptions so a failure in restore doesn't mask the primary assertion.
Subscribe_fires_OnDataChange_with_initial_value_then_again_after_a_write: subscribes to the same attribute with a 250ms publishing interval, captures every OnDataChange notification onto a thread-safe ConcurrentQueue (MXAccess advisory fires on its own thread per Galaxy's COM apartment model — must not block it), waits up to 5s for the initial-value callback (per ISubscribable's contract: 'driver MAY fire OnDataChange immediately with the current value'), records the queue depth as a baseline, writes the toggled value, waits up to 8s for at least one MORE notification, then searches the queue tail for the notification carrying the toggled value (initial value may appear multiple times before the write commits — looking at the tail finds the post-write delta even if the queue grew during the wait window). Unsubscribes on finally + restores baseline.
Both tests use Convert.ToBoolean(value ?? false) to defensively handle the Boxed-vs-typed quirk in MessagePack-deserialized Galaxy values — depending on the wire encoding the Boolean might come back as System.Boolean or System.Object boxing one. Convert.ToBoolean handles both. Same pattern in OnReadValue's existing usage.
WaitForAsync helper does the loop+budget pattern shared by both tests.
PR 40 is the code side of LMX #5's final two deferred facts. To actually run them green requires re-executing from a normal (non-admin) PowerShell — the elevated-shell skip from PR 39 fires correctly under bash + sc.exe-context (verified). lmx-followups.md #5 updated to note the new facts + the run command + the one remaining genuine follow-up (alarm-condition fact when an alarm-flagged attribute is deployed on TestMachine_001).
Test posture from elevated bash: 7 LiveStackSmokeTests facts discovered (was 5; +2 new), all skip cleanly with the elevation message. Build clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.gitignore

@@ -29,3 +29,4 @@ packages/
 # Claude Code (per-developer settings, runtime lock files, agent transcripts)
 .claude/
 
+.local/

ZB.MOM.WW.OtOpcUa.slnx

@@ -21,9 +21,11 @@
         <Project Path="tests/ZB.MOM.WW.OtOpcUa.Admin.Tests/ZB.MOM.WW.OtOpcUa.Admin.Tests.csproj"/>
         <Project Path="tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared.Tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared.Tests.csproj"/>
         <Project Path="tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Tests.csproj"/>
+        <Project Path="tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.TestSupport/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.TestSupport.csproj"/>
         <Project Path="tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.Tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.Tests.csproj"/>
         <Project Path="tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.E2E/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.E2E.csproj"/>
         <Project Path="tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.Tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.Tests.csproj"/>
+        <Project Path="tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests.csproj"/>
         <Project Path="tests/ZB.MOM.WW.OtOpcUa.Client.Shared.Tests/ZB.MOM.WW.OtOpcUa.Client.Shared.Tests.csproj"/>
         <Project Path="tests/ZB.MOM.WW.OtOpcUa.Client.CLI.Tests/ZB.MOM.WW.OtOpcUa.Client.CLI.Tests.csproj"/>
         <Project Path="tests/ZB.MOM.WW.OtOpcUa.Client.UI.Tests/ZB.MOM.WW.OtOpcUa.Client.UI.Tests.csproj"/>

docs/security.md

@@ -348,6 +348,44 @@ The project uses [GLAuth](https://github.com/glauth/glauth) v2.4.0 as the LDAP s
 
 Enable LDAP in `appsettings.json` under `Authentication.Ldap`. See [Configuration Guide](Configuration.md) for the full property reference.
 
+### Active Directory configuration
+
+Production deployments typically point at Active Directory instead of GLAuth. Only four properties differ from the dev defaults: `Server`, `Port`, `UserNameAttribute`, and `ServiceAccountDn`. The same `GroupToRole` mechanism works — map your AD security groups to OPC UA roles.
+
+```json
+{
+  "OpcUaServer": {
+    "Ldap": {
+      "Enabled": true,
+      "Server": "dc01.corp.example.com",
+      "Port": 636,
+      "UseTls": true,
+      "AllowInsecureLdap": false,
+      "SearchBase": "DC=corp,DC=example,DC=com",
+      "ServiceAccountDn": "CN=OpcUaSvc,OU=Service Accounts,DC=corp,DC=example,DC=com",
+      "ServiceAccountPassword": "<from your secret store>",
+      "DisplayNameAttribute": "displayName",
+      "GroupAttribute": "memberOf",
+      "UserNameAttribute": "sAMAccountName",
+      "GroupToRole": {
+        "OPCUA-Operators": "WriteOperate",
+        "OPCUA-Engineers": "WriteConfigure",
+        "OPCUA-AlarmAck": "AlarmAck",
+        "OPCUA-Tuners": "WriteTune"
+      }
+    }
+  }
+}
+```
+
+Notes:
+
+- `UserNameAttribute: "sAMAccountName"` is the critical AD override — the default `uid` is not populated on AD user entries, so the user-DN lookup returns no results without it. Use `userPrincipalName` instead if operators log in with `user@corp.example.com` form.
+- `Port: 636` + `UseTls: true` is required under AD's LDAP-signing enforcement. AD increasingly rejects plain-LDAP bind; set `AllowInsecureLdap: false` to refuse fallback.
+- `ServiceAccountDn` should name a dedicated read-only service principal — not a privileged admin. The account needs read access to user and group entries in the search base.
+- `memberOf` values come back as full DNs like `CN=OPCUA-Operators,OU=OPC UA Security Groups,OU=Groups,DC=corp,DC=example,DC=com`. The authenticator strips the leading `CN=` RDN value so operators configure `GroupToRole` with readable group common-names.
+- Nested group membership is **not** expanded — assign users directly to the role-mapped groups, or pre-flatten membership in AD. `LDAP_MATCHING_RULE_IN_CHAIN` / `tokenGroups` expansion is an authenticator enhancement, not a config change.
+
 ### Security Considerations
 
 - LDAP credentials are transmitted in plaintext over the OPC UA channel unless transport security is enabled. Use `Basic256Sha256-SignAndEncrypt` for production deployments.

docs/v2/lmx-followups.md

@@ -7,100 +7,189 @@ Basic256Sha256 endpoints and alarms are observable through
 specific before the stack can fully replace the v1 deployment, in
 rough priority order.
 
-## 1. Proxy-side `IHistoryProvider` for `ReadAtTime` / `ReadEvents`
+## 1. Proxy-side `IHistoryProvider` for `ReadAtTime` / `ReadEvents` — **DONE (PRs 35 + 38)**
 
-**Status**: Host-side IPC shipped (PR 10 + PR 11). Proxy consumer not written.
+PR 35 extended `IHistoryProvider` with `ReadAtTimeAsync` + `ReadEventsAsync`
+(default throwing implementations so existing impls keep compiling), added the
+`HistoricalEvent` + `HistoricalEventsResult` records to `Core.Abstractions`,
+and implemented both methods in `GalaxyProxyDriver` on top of the PR 10 / PR 11
+IPC messages.
 
-PR 10 added `HistoryReadAtTimeRequest/Response` on the IPC wire and
-`MxAccessGalaxyBackend.HistoryReadAtTimeAsync` delegates to
-`HistorianDataSource.ReadAtTimeAsync`. PR 11 did the same for events
-(`HistoryReadEventsRequest/Response` + `GalaxyHistoricalEvent`). The Proxy
-side (`GalaxyProxyDriver`) doesn't call those yet — `Core.Abstractions.IHistoryProvider`
-only exposes `ReadRawAsync` + `ReadProcessedAsync`.
+PR 38 wired the OPC UA HistoryRead service-handler through
+`DriverNodeManager` by overriding `CustomNodeManager2`'s four per-kind hooks —
+`HistoryReadRawModified` / `HistoryReadProcessed` / `HistoryReadAtTime` /
+`HistoryReadEvents`. Each walks `nodesToProcess`, resolves the driver-side
+full reference from `NodeId.Identifier`, dispatches to the right
+`IHistoryProvider` method, and populates the paired results + errors lists
+(both must be set — the MasterNodeManager merges them and a Good result with
+an unset error slot serializes as `BadHistoryOperationUnsupported` on the
+wire). Historized variables gain `AccessLevels.HistoryRead` so the stack
+dispatches; the driver root folder gains `EventNotifiers.HistoryRead` so
+`HistoryReadEvents` can target it.
 
-**To do**:
-- Extend `IHistoryProvider` with `ReadAtTimeAsync(string, DateTime[], …)` and
-  `ReadEventsAsync(string?, DateTime, DateTime, int, …)`.
-- `GalaxyProxyDriver` calls the new IPC message kinds.
-- `DriverNodeManager` wires the new capability methods onto `HistoryRead`
-  `AtTime` + `Events` service handlers.
-- Integration test: OPC UA client calls `HistoryReadAtTime` / `HistoryReadEvents`,
-  value flows through IPC to the Host's `HistorianDataSource`, back to the client.
+Aggregate translation uses a small `MapAggregate` helper that handles
+`Average` / `Minimum` / `Maximum` / `Total` / `Count` (the enum surface the
+driver exposes) and returns null for unsupported aggregates so the handler
+can surface `BadAggregateNotSupported`. Raw+Processed+AtTime wrap driver
+samples as `HistoryData` in an `ExtensionObject`; Events emits a
+`HistoryEvent` with the standard BaseEventType field list (EventId /
+SourceName / Message / Severity / Time / ReceiveTime) — custom
+`SelectClause` evaluation is an explicit follow-up.
 
-## 2. Write-gating by role
+**Tests**:
 
-**Status**: `RoleBasedIdentity.Roles` populated on the session (PR 19) but
-`DriverNodeManager.OnWriteValue` doesn't consult it.
+- `DriverNodeManagerHistoryMappingTests` — 12 unit cases pinning
+  `MapAggregate`, `BuildHistoryData`, `BuildHistoryEvent`, `ToDataValue`.
+- `HistoryReadIntegrationTests` — 5 end-to-end cases drive a real OPC UA
+  client (`Session.HistoryRead`) against a fake `IHistoryProvider` driver
+  through the running stack. Covers raw round-trip, processed with Average
+  aggregate, unsupported aggregate → `BadAggregateNotSupported`, at-time
+  timestamp forwarding, and events field-list shape.
 
-CLAUDE.md defines the role set: `ReadOnly` / `WriteOperate` / `WriteTune` /
-`WriteConfigure` / `AlarmAck`. Each `DriverAttributeInfo.SecurityClassification`
-maps to a required role for writes.
+**Deferred**:
+- Continuation-point plumbing via `Session.Save/RestoreHistoryContinuationPoint`.
+  Driver returns null continuations today so the pass-through is fine.
+- Per-`SelectClause` evaluation in HistoryReadEvents — clients that send a
+  custom field selection currently get the standard BaseEventType layout.
 
-**To do**:
-- Add a `RoleRequirements` table: `SecurityClassification` → required role.
-- `OnWriteValue` reads `context.UserIdentity` → cast to `RoleBasedIdentity`
-  → check role membership before calling `IWritable.WriteAsync`. Return
-  `BadUserAccessDenied` on miss.
-- Unit test against a fake `ISystemContext` with varying role sets.
+## 2. Write-gating by role — **DONE (PR 26)**
 
-## 3. Admin UI client-cert trust management
+Landed in PR 26. `WriteAuthzPolicy` in `Server/Security/` maps
+`SecurityClassification` → required role (`FreeAccess` → no role required,
+`Operate`/`SecuredWrite` → `WriteOperate`, `Tune` → `WriteTune`,
+`Configure`/`VerifiedWrite` → `WriteConfigure`, `ViewOnly` → deny regardless).
+`DriverNodeManager` caches the classification per variable during discovery and
+checks the session's roles (via `IRoleBearer`) in `OnWriteValue` before calling
+`IWritable.WriteAsync`. Roles do not cascade — a session with `WriteOperate`
+can't write a `Tune` attribute unless it also carries `WriteTune`.
 
-**Status**: Server side auto-accepts untrusted client certs when the
-`AutoAcceptUntrustedClientCertificates` option is true (dev default).
-Production deployments want operator-controlled trust via the Admin UI.
+See `feedback_acl_at_server_layer.md` in memory for the architectural directive
+that authz stays at the server layer and never delegates to driver-specific auth.
 
-**To do**:
-- Surface the server's rejected-certificate store in the Admin UI.
-- Page to move certs between `rejected` / `trusted`.
-- Flip `AutoAcceptUntrustedClientCertificates` to false once Admin UI is the
-  trust gate.
+## 3. Admin UI client-cert trust management — **DONE (PR 28)**
 
-## 4. Live-LDAP integration test
+PR 28 shipped `/certificates` in the Admin UI. `CertTrustService` reads the OPC
+UA server's PKI store root (`OpcUaServerOptions.PkiStoreRoot` — default
+`%ProgramData%\OtOpcUa\pki`) and lists rejected + trusted certs by parsing the
+`.der` files directly, so it has no `Opc.Ua` dependency and runs on any
+Admin host that can reach the shared PKI directory.
 
-**Status**: PR 19 unit-tested the auth-flow shape; the live bind path is
-exercised only by the pre-existing `Admin.Tests/LdapLiveBindTests.cs` which
-uses the same Novell library against a running GLAuth at `localhost:3893`.
+Operator actions: Trust (moves `rejected/certs/*.der` → `trusted/certs/*.der`),
+Delete rejected, Revoke trust. The OPC UA stack re-reads the trusted store on
+each new client handshake, so no explicit reload signal is needed —
+operators retry the rejected client's connection after trusting.
 
-**To do**:
-- Add `OpcUaServerIntegrationTests.Valid_username_authenticates_against_live_ldap`
-  with the same skip-when-unreachable guard.
-- Assert `session.Identity` on the server side carries the expected role
-  after bind — requires exposing a test hook or reading identity from a
-  new `IHostConnectivityProbe`-style "whoami" variable in the address space.
+Deferred: flipping `AutoAcceptUntrustedClientCertificates` to `false` as the
+deployment default. That's a production-hardening config change, not a code
+gap — the Admin UI is now ready to be the trust gate.
 
-## 5. Full Galaxy live-service smoke test against the merged v2 stack
+## 4. Live-LDAP integration test — **DONE (PR 31)**
 
-**Status**: Individual pieces have live smoke tests (PR 5 MXAccess, PR 13
-probe manager, PR 14 alarm tracker), but the full loop — OPC UA client →
-`OtOpcUaServer` → `GalaxyProxyDriver` (in-process) → named-pipe to
-Galaxy.Host subprocess → live MXAccess runtime → real Galaxy objects — has
-no single end-to-end smoke test.
+PR 31 shipped `Server.Tests/LdapUserAuthenticatorLiveTests.cs` — 6 live-bind
+tests against the dev GLAuth instance at `localhost:3893`, skipped cleanly
+when the port is unreachable. Covers: valid bind, wrong password, unknown
+user, empty credentials, single-group → WriteOperate mapping, multi-group
+admin user surfacing all mapped roles.
 
-**To do**:
-- Test that spawns the full topology, discovers a deployed Galaxy object,
-  subscribes to one of its attributes, writes a value back, and asserts the
-  write round-tripped through MXAccess. Skip when ArchestrA isn't running.
+Also added `UserNameAttribute` to `LdapOptions` (default `uid` for RFC 2307
+compat) so Active Directory deployments can configure `sAMAccountName` /
+`userPrincipalName` without code changes. `LdapUserAuthenticatorAdCompatTests`
+(5 unit guards) pins the AD-shape DN parsing + filter escape behaviors. See
+`docs/security.md` §"Active Directory configuration" for the AD appsettings
+snippet.
 
-## 6. Second driver instance on the same server
+Deferred: asserting `session.Identity` end-to-end on the server side (i.e.
+drive a full OPC UA session with username/password, then read an
+`IHostConnectivityProbe`-style "whoami" node to verify the role surfaced).
+That needs a test-only address-space node and is a separate PR.
 
-**Status**: `DriverHost.RegisterAsync` supports multiple drivers; the OPC UA
-server creates one `DriverNodeManager` per driver and isolates their
-subtrees under distinct namespace URIs. Not proven with two active
-`GalaxyProxyDriver` instances pointing at different Galaxies.
+## 5. Full Galaxy live-service smoke test against the merged v2 stack — **IN PROGRESS (PRs 36 + 37)**
 
-**To do**:
-- Integration test that registers two driver instances, each with a distinct
-  `DriverInstanceId` + endpoint in its own session, asserts nodes from both
-  appear under the correct subtrees, alarm events land on the correct
-  instance's condition nodes.
+PR 36 shipped the prerequisites helper (`AvevaPrerequisites`) that probes
+every dependency a live smoke test needs and produces actionable skip
+messages.
 
-## 7. Host-status per-AppEngine granularity → Admin UI dashboard
+PR 37 shipped the live-stack smoke test project structure:
+`tests/Driver.Galaxy.Proxy.Tests/LiveStack/` with `LiveStackFixture` (connects
+to the *already-running* `OtOpcUaGalaxyHost` Windows service via named pipe;
+never spawns the Host process) and `LiveStackSmokeTests` covering:
 
-**Status**: PR 13 ships per-platform/per-AppEngine `ScanState` probing; PR 17
-surfaces the resulting `OnHostStatusChanged` events through OPC UA. Admin
-UI doesn't render a per-host dashboard yet.
+- Fixture initializes successfully (IPC handshake succeeds end-to-end).
+- Driver reports `DriverState.Healthy` post-handshake.
+- `DiscoverAsync` returns at least one variable from the live Galaxy.
+- `GetHostStatuses` reports at least one Platform/AppEngine host.
+- `ReadAsync` on a discovered variable round-trips through
+  Proxy → Host pipe → MXAccess → back without a BadInternalError.
 
-**To do**:
-- SignalR hub push of `HostStatusChangedEventArgs` to the Admin UI.
-- Dashboard page showing each tracked host, current state, last transition
-  time, failure count.
+Shared secret + pipe name resolve from `OTOPCUA_GALAXY_SECRET` /
+`OTOPCUA_GALAXY_PIPE` env vars, falling back to reading the service's
+registry-stored Environment values (requires elevated test host).
+
+**PR 40** added the write + subscribe facts targeting
+`DelmiaReceiver_001.TestAttribute` (the writable Boolean UDA the dev Galaxy
+ships under TestMachine_001) — write-then-read with a 5s scan-window poll +
+restore-on-finally, and subscribe-then-write asserting both an initial-value
+OnDataChange and a post-write OnDataChange. PR 39 added the elevated-shell
+short-circuit so a developer running from an admin window gets an actionable
+skip instead of `UnauthorizedAccessException`.
+
+**Run the live tests** (from a NORMAL non-admin PowerShell):
+
+```powershell
+$env:OTOPCUA_GALAXY_SECRET = Get-Content C:\Users\dohertj2\Desktop\lmxopcua\.local\galaxy-host-secret.txt
+cd C:\Users\dohertj2\Desktop\lmxopcua
+dotnet test tests\ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.Tests --filter "FullyQualifiedName~LiveStackSmokeTests"
+```
+
+Expected: 7/7 pass against the running `OtOpcUaGalaxyHost` service.
+
+**Remaining for #5 in production-grade form**:
+- Confirm the suite passes from a non-elevated shell (operator action).
+- Add similar facts for an alarm-source attribute once `TestMachine_001` (or
+  a sibling) carries a deployed alarm condition — the current dev Galaxy's
+  TestAttribute isn't alarm-flagged.
+
+## 6. Second driver instance on the same server — **DONE (PR 32)**
+
+`Server.Tests/MultipleDriverInstancesIntegrationTests.cs` registers two
+drivers with distinct `DriverInstanceId`s on one `DriverHost`, spins up the
+full OPC UA server, and asserts three behaviors: (1) each driver's namespace
+URI (`urn:OtOpcUa:{id}`) resolves to a distinct index in the client's
+NamespaceUris, (2) browsing one subtree returns that driver's folder and
+does NOT leak the other driver's folder, (3) reads route to the correct
+driver — the alpha instance returns 42 while beta returns 99, so a misroute
+would surface at the assertion layer.
+
+Deferred: the alarm-event multi-driver parity case (two drivers each raising
+a `GalaxyAlarmEvent`, assert each condition lands on its owning instance's
+condition node). Alarm tracking already has its own integration test
+(`AlarmSubscription*`); the multi-driver alarm case would need a stub
+`IAlarmSource` that's worth its own focused PR.
+
+## 7. Host-status per-AppEngine granularity → Admin UI dashboard — **DONE (PRs 33 + 34)**
+
+**PR 33** landed the data layer: `DriverHostStatus` entity + migration with
+composite key `(NodeId, DriverInstanceId, HostName)` and two query-supporting
+indexes (per-cluster drill-down on `NodeId`, stale-row detection on
+`LastSeenUtc`).
+
+**PR 34** wired the publisher + consumer. `HostStatusPublisher` is a
+`BackgroundService` in the Server process that walks every registered
+`IHostConnectivityProbe`-capable driver every 10s, calls
+`GetHostStatuses()`, and upserts rows (`LastSeenUtc` advances each tick;
+`State` + `StateChangedUtc` update on transitions). Admin UI `/hosts` page
+groups by cluster, shows four summary cards (Hosts / Running / Stale /
+Faulted), and flags rows whose `LastSeenUtc` is older than 30s as Stale so
+operators see crashed Servers without waiting for a state change.
+
+Deferred as follow-ups:
+
+- Event-driven push (subscribe to `OnHostStatusChanged` per driver for
+  sub-heartbeat latency). Adds DriverHost lifecycle-event plumbing;
+  10s polling is fine for operator-scale use.
+- Failure-count column — needs the publisher to track a transition history
+  per host, not just current-state.
+- SignalR fan-out to the Admin page (currently the page polls the DB, not
+  a hub). The DB-polled version is fine at current cadence but a hub push
+  would eliminate the 10s race where a new row sits in the DB before the
+  Admin page notices.

docs/v2/modbus-test-plan.md

@@ -0,0 +1,108 @@
+# Modbus driver — test plan + device-quirk catalog
+
+The Modbus TCP driver unit tests (PRs 21–24) cover the protocol surface against an
+in-memory fake transport. They validate the codec, state machine, and function-code
+routing against a textbook Modbus server. That's necessary but not sufficient: real PLC
+populations disagree with the spec in small, device-specific ways, and a driver that
+passes textbook tests can still misbehave against actual equipment.
+
+This doc is the harness-and-quirks playbook. The project it describes lives at
+`tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/` — scaffolded in PR 30 with
+the simulator fixture, DL205 profile stub, and one write/read smoke test. Each
+confirmed DL205 quirk lands in a follow-up PR as a named test in that project.
+
+## Harness
+
+**Chosen simulator: ModbusPal** (Java, scriptable). Rationale:
+- Scriptable enough to mimic device-specific behaviors (non-standard register
+  layouts, custom exception codes, intentional response delays).
+- Runs locally, no CI dependency. Tests skip when `localhost:502` (or the configured
+  simulator endpoint) isn't reachable.
+- Free + long-maintained — physical PLC bench is unavailable in most dev
+  environments, and renting cloud PLCs isn't worth the per-test cost.
+
+**Setup pattern** (not yet codified in a script — will land alongside the integration
+test project):
+1. Install ModbusPal, load the per-device `.xmpp` profile from
+   `tests/Driver.Modbus.IntegrationTests/ModbusPal/` (TBD directory).
+2. Start the simulator listening on `localhost:502` (or override via
+   `MODBUS_SIM_ENDPOINT` env var).
+3. `dotnet test` the integration project — tests auto-skip when the endpoint is
+   unreachable, so forgetting to start the simulator doesn't wedge CI.
+
+## Per-device quirk catalog
+
+### AutomationDirect DL205
+
+First known target device. Quirks to document and cover with named tests (to be
+filled in when user validates each behavior in ModbusPal with a DL205 profile):
+
+- **Word order for 32-bit values**: _pending_ — confirm whether DL205 uses ABCD
+  (Modbus TCP standard) or CDAB (Siemens-style word-swap) for Int32/UInt32/Float32.
+  Test name: `DL205_Float32_word_order_is_CDAB` (or `ABCD`, whichever proves out).
+- **Register-zero access**: _pending_ — some DL205 configurations reject FC03 at
+  register 0 with exception code 02 (illegal data address). If confirmed, the
+  integration test suite verifies `ModbusProbeOptions.ProbeAddress` default of 0
+  triggers the rejection and operators must override; test name:
+  `DL205_FC03_at_register_0_returns_IllegalDataAddress`.
+- **Coil addressing base**: _pending_ — DL205 documentation sometimes uses 1-based
+  coil addresses; verify the driver's zero-based addressing matches the physical
+  PLC without an off-by-one adjustment.
+- **Maximum registers per FC03**: _pending_ — Modbus spec caps at 125; some DL205
+  models enforce a lower limit (e.g., 64). Test name:
+  `DL205_FC03_beyond_max_registers_returns_IllegalDataValue`.
+- **Response framing under sustained load**: _pending_ — the driver's
+  single-flight semaphore assumes the server pairs requests/responses by
+  transaction id; at least one DL205 firmware revision is reported to drop the
+  TxId under load. If reproduced in ModbusPal we add a retry + log-and-continue
+  path to `ModbusTcpTransport`.
+- **Exception code on coil write to a protected bit**: _pending_ — some DL205
+  setups protect internal coils; the driver should surface the PLC's exception
+  PDU as `BadNotWritable` rather than `BadInternalError`.
+
+_User action item_: as each quirk is validated in ModbusPal, replace the _pending_
+marker with the confirmed behavior and file a named test in the integration suite.
+
+### Future devices
+
+One section per device class, same shape as DL205. Quirks that apply across
+multiple devices (e.g., "all AB PLCs use CDAB") can be noted in the cross-device
+patterns section below once we have enough data points.
+
+## Cross-device patterns
+
+Once multiple device catalogs accumulate, quirks that recur across two or more
+vendors get promoted into driver defaults or opt-in options:
+
+- _(empty — filled in as catalogs grow)_
+
+## Test conventions
+
+- **One named test per quirk.** `DL205_word_order_is_CDAB_for_Float32` is easier to
+  diagnose on failure than a generic `Float32_roundtrip`. The `DL205_` prefix makes
+  filtering by device class trivial (`--filter "DisplayName~DL205"`).
+- **Skip with a clear SkipReason.** Follow the pattern from
+  `GalaxyRepositoryLiveSmokeTests`: check reachability in the fixture, capture
+  a `SkipReason` string, and have each test call `Assert.Skip(SkipReason)` when
+  it's set. Don't throw — skipped tests read cleanly in CI logs.
+- **Use the real `ModbusTcpTransport`.** Integration tests exercise the wire
+  protocol end-to-end. The in-memory `FakeTransport` from the unit test suite is
+  deliberately not used here — its value is speed + determinism, which doesn't
+  help reproduce device-specific issues.
+- **Don't depend on ModbusPal state between tests.** Each test resets the
+  simulator's register bank or uses a unique address range. Avoid relying on
+  "previous test left value at register 10" setups that flake when tests run in
+  parallel or re-order.
+
+## Next concrete PRs
+
+- **PR 30 — Integration test project + DL205 profile scaffold** — **DONE**.
+  Shipped `tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests` with
+  `ModbusSimulatorFixture` (TCP-probe, skips with a clear `SkipReason` when the
+  endpoint is unreachable), `DL205/DL205Profile.cs` (tag map stub — one
+  writable holding register at address 100), and `DL205/DL205SmokeTests.cs`
+  (write-then-read round-trip). `ModbusPal/` directory holds the README
+  pointing at the to-be-committed `DL205.xmpp` profile.
+- **PR 31+**: one PR per confirmed DL205 quirk, landing the named test + any
+  driver-side adjustment (e.g., retry on dropped TxId) needed to pass it. Drop
+  the `DL205.xmpp` profile into `ModbusPal/` alongside the first quirk PR.

src/ZB.MOM.WW.OtOpcUa.Admin/Components/Layout/MainLayout.razor

@@ -5,15 +5,18 @@
         <h5 class="mb-4">OtOpcUa Admin</h5>
         <ul class="nav flex-column">
             <li class="nav-item"><a class="nav-link text-light" href="/">Overview</a></li>
+            <li class="nav-item"><a class="nav-link text-light" href="/fleet">Fleet status</a></li>
+            <li class="nav-item"><a class="nav-link text-light" href="/hosts">Host status</a></li>
             <li class="nav-item"><a class="nav-link text-light" href="/clusters">Clusters</a></li>
             <li class="nav-item"><a class="nav-link text-light" href="/reservations">Reservations</a></li>
+            <li class="nav-item"><a class="nav-link text-light" href="/certificates">Certificates</a></li>
         </ul>
 
         <div class="mt-5">
             <AuthorizeView>
                 <Authorized>
                     <div class="small text-light">
-                        Signed in as <strong>@context.User.Identity?.Name</strong>
+                        Signed in as <a class="text-light" href="/account"><strong>@context.User.Identity?.Name</strong></a>
                     </div>
                     <div class="small text-muted">
                         @string.Join(", ", context.User.Claims.Where(c => c.Type.EndsWith("/role")).Select(c => c.Value))

src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Account.razor

@@ -0,0 +1,129 @@
+@page "/account"
+@attribute [Microsoft.AspNetCore.Authorization.Authorize]
+@using System.Security.Claims
+@using ZB.MOM.WW.OtOpcUa.Admin.Services
+
+<h1 class="mb-4">My account</h1>
+
+<AuthorizeView>
+    <Authorized>
+        @{
+            var username = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value ?? "—";
+            var displayName = context.User.Identity?.Name ?? "—";
+            var roles = context.User.Claims
+                .Where(c => c.Type == ClaimTypes.Role).Select(c => c.Value).ToList();
+            var ldapGroups = context.User.Claims
+                .Where(c => c.Type == "ldap_group").Select(c => c.Value).ToList();
+        }
+
+        <div class="row g-4">
+            <div class="col-md-6">
+                <div class="card">
+                    <div class="card-body">
+                        <h5 class="card-title">Identity</h5>
+                        <dl class="row mb-0">
+                            <dt class="col-sm-4">Username</dt><dd class="col-sm-8"><code>@username</code></dd>
+                            <dt class="col-sm-4">Display name</dt><dd class="col-sm-8">@displayName</dd>
+                        </dl>
+                    </div>
+                </div>
+            </div>
+
+            <div class="col-md-6">
+                <div class="card">
+                    <div class="card-body">
+                        <h5 class="card-title">Admin roles</h5>
+                        @if (roles.Count == 0)
+                        {
+                            <p class="text-muted mb-0">No Admin roles mapped — sign-in would have been blocked, so if you're seeing this, the session claim is likely stale.</p>
+                        }
+                        else
+                        {
+                            <div class="mb-2">
+                                @foreach (var r in roles)
+                                {
+                                    <span class="badge bg-primary me-1">@r</span>
+                                }
+                            </div>
+                            <small class="text-muted">LDAP groups: @(ldapGroups.Count == 0 ? "(none surfaced)" : string.Join(", ", ldapGroups))</small>
+                        }
+                    </div>
+                </div>
+            </div>
+
+            <div class="col-12">
+                <div class="card">
+                    <div class="card-body">
+                        <h5 class="card-title">Capabilities</h5>
+                        <p class="text-muted small">
+                            Each Admin role grants a fixed capability set per <code>admin-ui.md</code> §Admin Roles.
+                            Pages below reflect what this session can access; the route's <code>[Authorize]</code> guard
+                            is the ground truth — this table mirrors it for readability.
+                        </p>
+                        <table class="table table-sm align-middle mb-0">
+                            <thead>
+                                <tr>
+                                    <th>Capability</th>
+                                    <th>Required role(s)</th>
+                                    <th class="text-end">You have it?</th>
+                                </tr>
+                            </thead>
+                            <tbody>
+                            @foreach (var cap in Capabilities)
+                            {
+                                var has = cap.RequiredRoles.Any(r => roles.Contains(r, StringComparer.OrdinalIgnoreCase));
+                                <tr>
+                                    <td>@cap.Name<br /><small class="text-muted">@cap.Description</small></td>
+                                    <td>@string.Join(" or ", cap.RequiredRoles)</td>
+                                    <td class="text-end">
+                                        @if (has)
+                                        {
+                                            <span class="badge bg-success">Yes</span>
+                                        }
+                                        else
+                                        {
+                                            <span class="badge bg-secondary">No</span>
+                                        }
+                                    </td>
+                                </tr>
+                            }
+                            </tbody>
+                        </table>
+                    </div>
+                </div>
+            </div>
+        </div>
+
+        <div class="mt-4">
+            <form method="post" action="/auth/logout">
+                <button class="btn btn-outline-danger" type="submit">Sign out</button>
+            </form>
+        </div>
+    </Authorized>
+</AuthorizeView>
+
+@code {
+    private sealed record Capability(string Name, string Description, string[] RequiredRoles);
+
+    // Kept in sync with Program.cs authorization policies + each page's [Authorize] attribute.
+    // When a new page or policy is added, extend this list so operators can self-service check
+    // whether their session has access without trial-and-error navigation.
+    private static readonly IReadOnlyList<Capability> Capabilities =
+    [
+        new("View clusters + fleet status",
+            "Read-only access to the cluster list, fleet dashboard, and generation history.",
+            [AdminRoles.ConfigViewer, AdminRoles.ConfigEditor, AdminRoles.FleetAdmin]),
+        new("Edit configuration drafts",
+            "Create and edit draft generations, manage namespace bindings and node ACLs. CanEdit policy.",
+            [AdminRoles.ConfigEditor, AdminRoles.FleetAdmin]),
+        new("Publish generations",
+            "Promote a draft to Published — triggers node roll-out. CanPublish policy.",
+            [AdminRoles.FleetAdmin]),
+        new("Manage certificate trust",
+            "Trust rejected client certs + revoke trust. FleetAdmin-only because the trust decision gates OPC UA client access.",
+            [AdminRoles.FleetAdmin]),
+        new("Manage external-ID reservations",
+            "Reserve / release external IDs that map into Galaxy contained names.",
+            [AdminRoles.ConfigEditor, AdminRoles.FleetAdmin]),
+    ];
+}

src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Certificates.razor

@@ -0,0 +1,154 @@
+@page "/certificates"
+@attribute [Microsoft.AspNetCore.Authorization.Authorize(Roles = AdminRoles.FleetAdmin)]
+@using ZB.MOM.WW.OtOpcUa.Admin.Services
+@inject CertTrustService Certs
+@inject AuthenticationStateProvider AuthState
+@inject ILogger<Certificates> Log
+
+<h1 class="mb-4">Certificate trust</h1>
+
+<div class="alert alert-info small mb-4">
+    PKI store root <code>@Certs.PkiStoreRoot</code>. Trusting a rejected cert moves the file into the trusted store — the OPC UA server picks up the change on the next client handshake, so operators should retry the rejected client's connection after trusting.
+</div>
+
+@if (_status is not null)
+{
+    <div class="alert alert-@_statusKind alert-dismissible">
+        @_status
+        <button type="button" class="btn-close" @onclick="ClearStatus"></button>
+    </div>
+}
+
+<h2 class="h4">Rejected (@_rejected.Count)</h2>
+@if (_rejected.Count == 0)
+{
+    <p class="text-muted">No rejected certificates. Clients that fail to handshake with an untrusted cert land here.</p>
+}
+else
+{
+    <table class="table table-sm align-middle">
+        <thead><tr><th>Subject</th><th>Issuer</th><th>Thumbprint</th><th>Valid</th><th class="text-end">Actions</th></tr></thead>
+        <tbody>
+        @foreach (var c in _rejected)
+        {
+            <tr>
+                <td>@c.Subject</td>
+                <td>@c.Issuer</td>
+                <td><code class="small">@c.Thumbprint</code></td>
+                <td class="small">@c.NotBefore.ToString("yyyy-MM-dd") → @c.NotAfter.ToString("yyyy-MM-dd")</td>
+                <td class="text-end">
+                    <button class="btn btn-sm btn-success me-1" @onclick="() => TrustAsync(c)">Trust</button>
+                    <button class="btn btn-sm btn-outline-danger" @onclick="() => DeleteRejectedAsync(c)">Delete</button>
+                </td>
+            </tr>
+        }
+        </tbody>
+    </table>
+}
+
+<h2 class="h4 mt-5">Trusted (@_trusted.Count)</h2>
+@if (_trusted.Count == 0)
+{
+    <p class="text-muted">No client certs have been explicitly trusted. The server's own application cert lives in <code>own/</code> and is not listed here.</p>
+}
+else
+{
+    <table class="table table-sm align-middle">
+        <thead><tr><th>Subject</th><th>Issuer</th><th>Thumbprint</th><th>Valid</th><th class="text-end">Actions</th></tr></thead>
+        <tbody>
+        @foreach (var c in _trusted)
+        {
+            <tr>
+                <td>@c.Subject</td>
+                <td>@c.Issuer</td>
+                <td><code class="small">@c.Thumbprint</code></td>
+                <td class="small">@c.NotBefore.ToString("yyyy-MM-dd") → @c.NotAfter.ToString("yyyy-MM-dd")</td>
+                <td class="text-end">
+                    <button class="btn btn-sm btn-outline-danger" @onclick="() => UntrustAsync(c)">Revoke</button>
+                </td>
+            </tr>
+        }
+        </tbody>
+    </table>
+}
+
+@code {
+    private IReadOnlyList<CertInfo> _rejected = [];
+    private IReadOnlyList<CertInfo> _trusted = [];
+    private string? _status;
+    private string _statusKind = "success";
+
+    protected override void OnInitialized() => Reload();
+
+    private void Reload()
+    {
+        _rejected = Certs.ListRejected();
+        _trusted = Certs.ListTrusted();
+    }
+
+    private async Task TrustAsync(CertInfo c)
+    {
+        if (Certs.TrustRejected(c.Thumbprint))
+        {
+            await LogActionAsync("cert.trust", c);
+            Set($"Trusted cert {c.Subject} ({Short(c.Thumbprint)}).", "success");
+        }
+        else
+        {
+            Set($"Could not trust {Short(c.Thumbprint)} — file missing; another admin may have already handled it.", "warning");
+        }
+        Reload();
+    }
+
+    private async Task DeleteRejectedAsync(CertInfo c)
+    {
+        if (Certs.DeleteRejected(c.Thumbprint))
+        {
+            await LogActionAsync("cert.delete.rejected", c);
+            Set($"Deleted rejected cert {c.Subject} ({Short(c.Thumbprint)}).", "success");
+        }
+        else
+        {
+            Set($"Could not delete {Short(c.Thumbprint)} — file missing.", "warning");
+        }
+        Reload();
+    }
+
+    private async Task UntrustAsync(CertInfo c)
+    {
+        if (Certs.UntrustCert(c.Thumbprint))
+        {
+            await LogActionAsync("cert.untrust", c);
+            Set($"Revoked trust for {c.Subject} ({Short(c.Thumbprint)}).", "success");
+        }
+        else
+        {
+            Set($"Could not revoke {Short(c.Thumbprint)} — file missing.", "warning");
+        }
+        Reload();
+    }
+
+    private async Task LogActionAsync(string action, CertInfo c)
+    {
+        // Cert trust changes are operator-initiated and security-sensitive — Serilog captures the
+        // user + thumbprint trail. CertTrustService also logs at Information on each filesystem
+        // move/delete; this line ties the action to the authenticated admin user so the two logs
+        // correlate. DB-level ConfigAuditLog persistence is deferred — its schema is
+        // cluster-scoped and cert actions are cluster-agnostic.
+        var state = await AuthState.GetAuthenticationStateAsync();
+        var user = state.User.Identity?.Name ?? "(anonymous)";
+        Log.LogInformation("Admin cert action: user={User} action={Action} thumbprint={Thumbprint} subject={Subject}",
+            user, action, c.Thumbprint, c.Subject);
+    }
+
+    private void Set(string message, string kind)
+    {
+        _status = message;
+        _statusKind = kind;
+    }
+
+    private void ClearStatus() => _status = null;
+
+    private static string Short(string thumbprint) =>
+        thumbprint.Length > 12 ? thumbprint[..12] + "…" : thumbprint;
+}

src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Fleet.razor

@@ -0,0 +1,172 @@
+@page "/fleet"
+@using Microsoft.EntityFrameworkCore
+@using ZB.MOM.WW.OtOpcUa.Configuration
+@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
+@inject IServiceScopeFactory ScopeFactory
+@implements IDisposable
+
+<h1 class="mb-4">Fleet status</h1>
+
+<div class="d-flex align-items-center mb-3 gap-2">
+    <button class="btn btn-sm btn-outline-primary" @onclick="RefreshAsync" disabled="@_refreshing">
+        @if (_refreshing) { <span class="spinner-border spinner-border-sm me-1" /> }
+        Refresh
+    </button>
+    <span class="text-muted small">
+        Auto-refresh every @RefreshIntervalSeconds s. Last updated: @(_lastRefreshUtc?.ToString("HH:mm:ss 'UTC'") ?? "—")
+    </span>
+</div>
+
+@if (_rows is null)
+{
+    <p>Loading…</p>
+}
+else if (_rows.Count == 0)
+{
+    <div class="alert alert-info">
+        No node state recorded yet. Nodes publish their state to the central DB on each poll; if
+        this list is empty, either no nodes have been registered or the poller hasn't run yet.
+    </div>
+}
+else
+{
+    <div class="row g-3 mb-4">
+        <div class="col-md-3">
+            <div class="card"><div class="card-body">
+                <h6 class="text-muted mb-1">Nodes</h6>
+                <div class="fs-3">@_rows.Count</div>
+            </div></div>
+        </div>
+        <div class="col-md-3">
+            <div class="card border-success"><div class="card-body">
+                <h6 class="text-muted mb-1">Applied</h6>
+                <div class="fs-3 text-success">@_rows.Count(r => r.Status == "Applied")</div>
+            </div></div>
+        </div>
+        <div class="col-md-3">
+            <div class="card border-warning"><div class="card-body">
+                <h6 class="text-muted mb-1">Stale</h6>
+                <div class="fs-3 text-warning">@_rows.Count(r => IsStale(r))</div>
+            </div></div>
+        </div>
+        <div class="col-md-3">
+            <div class="card border-danger"><div class="card-body">
+                <h6 class="text-muted mb-1">Failed</h6>
+                <div class="fs-3 text-danger">@_rows.Count(r => r.Status == "Failed")</div>
+            </div></div>
+        </div>
+    </div>
+
+    <table class="table table-hover align-middle">
+        <thead>
+            <tr>
+                <th>Node</th>
+                <th>Cluster</th>
+                <th>Generation</th>
+                <th>Status</th>
+                <th>Last applied</th>
+                <th>Last seen</th>
+                <th>Error</th>
+            </tr>
+        </thead>
+        <tbody>
+        @foreach (var r in _rows)
+        {
+            <tr class="@RowClass(r)">
+                <td><code>@r.NodeId</code></td>
+                <td>@r.ClusterId</td>
+                <td>@(r.GenerationId?.ToString() ?? "—")</td>
+                <td>
+                    <span class="badge @StatusBadge(r.Status)">@(r.Status ?? "—")</span>
+                </td>
+                <td>@FormatAge(r.AppliedAt)</td>
+                <td class="@(IsStale(r) ? "text-warning" : "")">@FormatAge(r.SeenAt)</td>
+                <td class="text-truncate" style="max-width: 320px;" title="@r.Error">@r.Error</td>
+            </tr>
+        }
+        </tbody>
+    </table>
+}
+
+@code {
+    // Refresh cadence. 5s matches FleetStatusPoller's poll interval — the dashboard always sees
+    // the most recent published state without polling ahead of the broadcaster.
+    private const int RefreshIntervalSeconds = 5;
+
+    private List<FleetNodeRow>? _rows;
+    private bool _refreshing;
+    private DateTime? _lastRefreshUtc;
+    private Timer? _timer;
+
+    protected override async Task OnInitializedAsync()
+    {
+        await RefreshAsync();
+        _timer = new Timer(async _ => await InvokeAsync(RefreshAsync),
+            state: null,
+            dueTime: TimeSpan.FromSeconds(RefreshIntervalSeconds),
+            period: TimeSpan.FromSeconds(RefreshIntervalSeconds));
+    }
+
+    private async Task RefreshAsync()
+    {
+        if (_refreshing) return;
+        _refreshing = true;
+        try
+        {
+            using var scope = ScopeFactory.CreateScope();
+            var db = scope.ServiceProvider.GetRequiredService<OtOpcUaConfigDbContext>();
+            var rows = await db.ClusterNodeGenerationStates.AsNoTracking()
+                .Join(db.ClusterNodes.AsNoTracking(), s => s.NodeId, n => n.NodeId, (s, n) => new FleetNodeRow(
+                    s.NodeId, n.ClusterId, s.CurrentGenerationId,
+                    s.LastAppliedStatus != null ? s.LastAppliedStatus.ToString() : null,
+                    s.LastAppliedError, s.LastAppliedAt, s.LastSeenAt))
+                .OrderBy(r => r.ClusterId)
+                .ThenBy(r => r.NodeId)
+                .ToListAsync();
+            _rows = rows;
+            _lastRefreshUtc = DateTime.UtcNow;
+        }
+        finally
+        {
+            _refreshing = false;
+            StateHasChanged();
+        }
+    }
+
+    private static bool IsStale(FleetNodeRow r)
+    {
+        if (r.SeenAt is null) return true;
+        return (DateTime.UtcNow - r.SeenAt.Value) > TimeSpan.FromSeconds(30);
+    }
+
+    private static string RowClass(FleetNodeRow r) => r.Status switch
+    {
+        "Failed" => "table-danger",
+        _ when IsStale(r) => "table-warning",
+        _ => "",
+    };
+
+    private static string StatusBadge(string? status) => status switch
+    {
+        "Applied" => "bg-success",
+        "Failed" => "bg-danger",
+        "Applying" => "bg-info",
+        _ => "bg-secondary",
+    };
+
+    private static string FormatAge(DateTime? t)
+    {
+        if (t is null) return "—";
+        var age = DateTime.UtcNow - t.Value;
+        if (age.TotalSeconds < 60) return $"{(int)age.TotalSeconds}s ago";
+        if (age.TotalMinutes < 60) return $"{(int)age.TotalMinutes}m ago";
+        if (age.TotalHours < 24) return $"{(int)age.TotalHours}h ago";
+        return t.Value.ToString("yyyy-MM-dd HH:mm 'UTC'");
+    }
+
+    public void Dispose() => _timer?.Dispose();
+
+    internal sealed record FleetNodeRow(
+        string NodeId, string ClusterId, long? GenerationId,
+        string? Status, string? Error, DateTime? AppliedAt, DateTime? SeenAt);
+}

src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Hosts.razor

@@ -0,0 +1,160 @@
+@page "/hosts"
+@using Microsoft.EntityFrameworkCore
+@using ZB.MOM.WW.OtOpcUa.Admin.Services
+@using ZB.MOM.WW.OtOpcUa.Configuration.Enums
+@inject IServiceScopeFactory ScopeFactory
+@implements IDisposable
+
+<h1 class="mb-4">Driver host status</h1>
+
+<div class="d-flex align-items-center mb-3 gap-2">
+    <button class="btn btn-sm btn-outline-primary" @onclick="RefreshAsync" disabled="@_refreshing">
+        @if (_refreshing) { <span class="spinner-border spinner-border-sm me-1" /> }
+        Refresh
+    </button>
+    <span class="text-muted small">
+        Auto-refresh every @RefreshIntervalSeconds s. Last updated: @(_lastRefreshUtc?.ToString("HH:mm:ss 'UTC'") ?? "—")
+    </span>
+</div>
+
+<div class="alert alert-info small mb-4">
+    Each row is one host reported by a driver instance on a server node. Galaxy drivers report
+    per-Platform / per-AppEngine entries; Modbus drivers report the PLC endpoint. Rows age out
+    of the Server's publisher on every 10-second heartbeat — rows whose LastSeen is older than
+    30s are flagged Stale, which usually means the owning Server process has crashed or lost
+    its DB connection.
+</div>
+
+@if (_rows is null)
+{
+    <p>Loading…</p>
+}
+else if (_rows.Count == 0)
+{
+    <div class="alert alert-secondary">
+        No host-status rows yet. The Server publishes its first tick 2s after startup; if this list stays empty, check that the Server is running and the driver implements <code>IHostConnectivityProbe</code>.
+    </div>
+}
+else
+{
+    <div class="row g-3 mb-4">
+        <div class="col-md-3"><div class="card"><div class="card-body">
+            <h6 class="text-muted mb-1">Hosts</h6>
+            <div class="fs-3">@_rows.Count</div>
+        </div></div></div>
+        <div class="col-md-3"><div class="card border-success"><div class="card-body">
+            <h6 class="text-muted mb-1">Running</h6>
+            <div class="fs-3 text-success">@_rows.Count(r => r.State == DriverHostState.Running && !HostStatusService.IsStale(r))</div>
+        </div></div></div>
+        <div class="col-md-3"><div class="card border-warning"><div class="card-body">
+            <h6 class="text-muted mb-1">Stale</h6>
+            <div class="fs-3 text-warning">@_rows.Count(HostStatusService.IsStale)</div>
+        </div></div></div>
+        <div class="col-md-3"><div class="card border-danger"><div class="card-body">
+            <h6 class="text-muted mb-1">Faulted</h6>
+            <div class="fs-3 text-danger">@_rows.Count(r => r.State == DriverHostState.Faulted)</div>
+        </div></div></div>
+    </div>
+
+    @foreach (var cluster in _rows.GroupBy(r => r.ClusterId ?? "(unassigned)").OrderBy(g => g.Key))
+    {
+        <h2 class="h5 mt-4">Cluster: <code>@cluster.Key</code></h2>
+        <table class="table table-sm table-hover align-middle">
+            <thead>
+                <tr>
+                    <th>Node</th>
+                    <th>Driver</th>
+                    <th>Host</th>
+                    <th>State</th>
+                    <th>Last transition</th>
+                    <th>Last seen</th>
+                    <th>Detail</th>
+                </tr>
+            </thead>
+            <tbody>
+            @foreach (var r in cluster)
+            {
+                <tr class="@RowClass(r)">
+                    <td><code>@r.NodeId</code></td>
+                    <td><code>@r.DriverInstanceId</code></td>
+                    <td>@r.HostName</td>
+                    <td>
+                        <span class="badge @StateBadge(r.State)">@r.State</span>
+                        @if (HostStatusService.IsStale(r))
+                        {
+                            <span class="badge bg-warning text-dark ms-1">Stale</span>
+                        }
+                    </td>
+                    <td class="small">@FormatAge(r.StateChangedUtc)</td>
+                    <td class="small @(HostStatusService.IsStale(r) ? "text-warning" : "")">@FormatAge(r.LastSeenUtc)</td>
+                    <td class="text-truncate small" style="max-width: 320px;" title="@r.Detail">@r.Detail</td>
+                </tr>
+            }
+            </tbody>
+        </table>
+    }
+}
+
+@code {
+    // Mirrors HostStatusPublisher.HeartbeatInterval — polling ahead of the broadcaster
+    // produces stale-looking rows mid-cycle.
+    private const int RefreshIntervalSeconds = 10;
+
+    private List<HostStatusRow>? _rows;
+    private bool _refreshing;
+    private DateTime? _lastRefreshUtc;
+    private Timer? _timer;
+
+    protected override async Task OnInitializedAsync()
+    {
+        await RefreshAsync();
+        _timer = new Timer(async _ => await InvokeAsync(RefreshAsync),
+            state: null,
+            dueTime: TimeSpan.FromSeconds(RefreshIntervalSeconds),
+            period: TimeSpan.FromSeconds(RefreshIntervalSeconds));
+    }
+
+    private async Task RefreshAsync()
+    {
+        if (_refreshing) return;
+        _refreshing = true;
+        try
+        {
+            using var scope = ScopeFactory.CreateScope();
+            var svc = scope.ServiceProvider.GetRequiredService<HostStatusService>();
+            _rows = (await svc.ListAsync()).ToList();
+            _lastRefreshUtc = DateTime.UtcNow;
+        }
+        finally
+        {
+            _refreshing = false;
+            StateHasChanged();
+        }
+    }
+
+    private static string RowClass(HostStatusRow r) => r.State switch
+    {
+        DriverHostState.Faulted => "table-danger",
+        _ when HostStatusService.IsStale(r) => "table-warning",
+        _ => "",
+    };
+
+    private static string StateBadge(DriverHostState s) => s switch
+    {
+        DriverHostState.Running => "bg-success",
+        DriverHostState.Stopped => "bg-secondary",
+        DriverHostState.Faulted => "bg-danger",
+        _ => "bg-secondary",
+    };
+
+    private static string FormatAge(DateTime t)
+    {
+        var age = DateTime.UtcNow - t;
+        if (age.TotalSeconds < 60) return $"{(int)age.TotalSeconds}s ago";
+        if (age.TotalMinutes < 60) return $"{(int)age.TotalMinutes}m ago";
+        if (age.TotalHours < 24) return $"{(int)age.TotalHours}h ago";
+        return t.ToString("yyyy-MM-dd HH:mm 'UTC'");
+    }
+
+    public void Dispose() => _timer?.Dispose();
+}

src/ZB.MOM.WW.OtOpcUa.Admin/Program.cs

@@ -47,6 +47,13 @@ builder.Services.AddScoped<NodeAclService>();
 builder.Services.AddScoped<ReservationService>();
 builder.Services.AddScoped<DraftValidationService>();
 builder.Services.AddScoped<AuditLogService>();
+builder.Services.AddScoped<HostStatusService>();
+
+// Cert-trust management — reads the OPC UA server's PKI store root so rejected client certs
+// can be promoted to trusted via the Admin UI. Singleton: no per-request state, just
+// filesystem operations.
+builder.Services.Configure<CertTrustOptions>(builder.Configuration.GetSection(CertTrustOptions.SectionName));
+builder.Services.AddSingleton<CertTrustService>();
 
 // LDAP auth — parity with ScadaLink's LdapAuthService (decision #102).
 builder.Services.Configure<LdapOptions>(

src/ZB.MOM.WW.OtOpcUa.Admin/Services/CertTrustOptions.cs

@@ -0,0 +1,22 @@
+namespace ZB.MOM.WW.OtOpcUa.Admin.Services;
+
+/// <summary>
+///     Points the Admin UI at the OPC UA Server's PKI store root so
+///     <see cref="CertTrustService"/> can list and move certs between the
+///     <c>rejected/</c> and <c>trusted/</c> directories the server maintains. Must match the
+///     <c>OpcUaServer:PkiStoreRoot</c> the Server process is configured with.
+/// </summary>
+public sealed class CertTrustOptions
+{
+    public const string SectionName = "CertTrust";
+
+    /// <summary>
+    ///     Absolute path to the PKI root. Defaults to
+    ///     <c>%ProgramData%\OtOpcUa\pki</c> — matches <c>OpcUaServerOptions.PkiStoreRoot</c>'s
+    ///     default so a standard side-by-side install needs no override.
+    /// </summary>
+    public string PkiStoreRoot { get; init; } =
+        Path.Combine(
+            Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData),
+            "OtOpcUa", "pki");
+}

src/ZB.MOM.WW.OtOpcUa.Admin/Services/CertTrustService.cs

@@ -0,0 +1,135 @@
+using System.Security.Cryptography.X509Certificates;
+using Microsoft.Extensions.Options;
+
+namespace ZB.MOM.WW.OtOpcUa.Admin.Services;
+
+/// <summary>
+///     Metadata for a certificate file found in one of the OPC UA server's PKI stores. The
+///     <see cref="FilePath"/> is the absolute path of the DER/CRT file the stack created when it
+///     rejected the cert (for <see cref="CertStoreKind.Rejected"/>) or when an operator trusted
+///     it (for <see cref="CertStoreKind.Trusted"/>).
+/// </summary>
+public sealed record CertInfo(
+    string Thumbprint,
+    string Subject,
+    string Issuer,
+    DateTime NotBefore,
+    DateTime NotAfter,
+    string FilePath,
+    CertStoreKind Store);
+
+public enum CertStoreKind
+{
+    Rejected,
+    Trusted,
+}
+
+/// <summary>
+///     Filesystem-backed view over the OPC UA server's PKI store. The Opc.Ua stack uses a
+///     Directory-typed store — each cert is a <c>.der</c> file under <c>{root}/{store}/certs/</c>
+///     with a filename derived from subject + thumbprint. This service exposes operators for the
+///     Admin UI: list rejected, list trusted, trust a rejected cert (move to trusted), remove a
+///     rejected cert (delete), untrust a previously trusted cert (delete from trusted).
+/// </summary>
+/// <remarks>
+///     The Admin process is separate from the Server process; this service deliberately has no
+///     Opc.Ua dependency — it works on the on-disk layout directly so it can run on the Admin
+///     host even when the Server isn't installed locally, as long as the PKI root is reachable
+///     (typical deployment has Admin + Server side-by-side on the same machine).
+///
+///     Trust/untrust requires the Server to re-read its trust list. The Opc.Ua stack re-reads
+///     the Directory store on each new incoming connection, so there's no explicit signal
+///     needed — the next client handshake picks up the change. Operators should retry the
+///     rejected client's connection after trusting.
+/// </remarks>
+public sealed class CertTrustService
+{
+    private readonly CertTrustOptions _options;
+    private readonly ILogger<CertTrustService> _logger;
+
+    public CertTrustService(IOptions<CertTrustOptions> options, ILogger<CertTrustService> logger)
+    {
+        _options = options.Value;
+        _logger = logger;
+    }
+
+    public string PkiStoreRoot => _options.PkiStoreRoot;
+
+    public IReadOnlyList<CertInfo> ListRejected() => ListStore(CertStoreKind.Rejected);
+    public IReadOnlyList<CertInfo> ListTrusted() => ListStore(CertStoreKind.Trusted);
+
+    /// <summary>
+    ///     Move the cert with <paramref name="thumbprint"/> from the rejected store to the
+    ///     trusted store. No-op returns false if the rejected file doesn't exist (already moved
+    ///     by another operator, or thumbprint mismatch). Overwrites an existing trusted copy
+    ///     silently — idempotent.
+    /// </summary>
+    public bool TrustRejected(string thumbprint)
+    {
+        var cert = FindInStore(CertStoreKind.Rejected, thumbprint);
+        if (cert is null) return false;
+
+        var trustedDir = CertsDir(CertStoreKind.Trusted);
+        Directory.CreateDirectory(trustedDir);
+        var destPath = Path.Combine(trustedDir, Path.GetFileName(cert.FilePath));
+        File.Move(cert.FilePath, destPath, overwrite: true);
+        _logger.LogInformation("Trusted cert {Thumbprint} (subject={Subject}) — moved {From} → {To}",
+            cert.Thumbprint, cert.Subject, cert.FilePath, destPath);
+        return true;
+    }
+
+    public bool DeleteRejected(string thumbprint) => DeleteFromStore(CertStoreKind.Rejected, thumbprint);
+    public bool UntrustCert(string thumbprint) => DeleteFromStore(CertStoreKind.Trusted, thumbprint);
+
+    private bool DeleteFromStore(CertStoreKind store, string thumbprint)
+    {
+        var cert = FindInStore(store, thumbprint);
+        if (cert is null) return false;
+        File.Delete(cert.FilePath);
+        _logger.LogInformation("Deleted cert {Thumbprint} (subject={Subject}) from {Store} store",
+            cert.Thumbprint, cert.Subject, store);
+        return true;
+    }
+
+    private CertInfo? FindInStore(CertStoreKind store, string thumbprint) =>
+        ListStore(store).FirstOrDefault(c =>
+            string.Equals(c.Thumbprint, thumbprint, StringComparison.OrdinalIgnoreCase));
+
+    private IReadOnlyList<CertInfo> ListStore(CertStoreKind store)
+    {
+        var dir = CertsDir(store);
+        if (!Directory.Exists(dir)) return [];
+
+        var results = new List<CertInfo>();
+        foreach (var path in Directory.EnumerateFiles(dir))
+        {
+            // Skip CRL sidecars + private-key files — trust operations only concern public certs.
+            var ext = Path.GetExtension(path);
+            if (!ext.Equals(".der", StringComparison.OrdinalIgnoreCase) &&
+                !ext.Equals(".crt", StringComparison.OrdinalIgnoreCase) &&
+                !ext.Equals(".cer", StringComparison.OrdinalIgnoreCase))
+            {
+                continue;
+            }
+
+            try
+            {
+                var cert = X509CertificateLoader.LoadCertificateFromFile(path);
+                results.Add(new CertInfo(
+                    cert.Thumbprint, cert.Subject, cert.Issuer,
+                    cert.NotBefore.ToUniversalTime(), cert.NotAfter.ToUniversalTime(),
+                    path, store));
+            }
+            catch (Exception ex)
+            {
+                // A malformed file in the store shouldn't take down the page. Surface it in logs
+                // but skip — operators see the other certs and can clean the bad file manually.
+                _logger.LogWarning(ex, "Failed to parse cert at {Path} — skipping", path);
+            }
+        }
+        return results;
+    }
+
+    private string CertsDir(CertStoreKind store) =>
+        Path.Combine(_options.PkiStoreRoot, store == CertStoreKind.Rejected ? "rejected" : "trusted", "certs");
+}

src/ZB.MOM.WW.OtOpcUa.Admin/Services/HostStatusService.cs

@@ -0,0 +1,63 @@
+using Microsoft.EntityFrameworkCore;
+using ZB.MOM.WW.OtOpcUa.Configuration;
+using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+
+namespace ZB.MOM.WW.OtOpcUa.Admin.Services;
+
+/// <summary>
+///     One row per <see cref="DriverHostStatus"/> record, enriched with the owning
+///     <c>ClusterNode.ClusterId</c> when available (left-join). The Admin <c>/hosts</c> page
+///     groups by cluster and renders a per-node → per-driver → per-host tree.
+/// </summary>
+public sealed record HostStatusRow(
+    string NodeId,
+    string? ClusterId,
+    string DriverInstanceId,
+    string HostName,
+    DriverHostState State,
+    DateTime StateChangedUtc,
+    DateTime LastSeenUtc,
+    string? Detail);
+
+/// <summary>
+///     Read-side service for the Admin UI's per-host drill-down. Loads
+///     <see cref="DriverHostStatus"/> rows (written by the Server process's
+///     <c>HostStatusPublisher</c>) and left-joins <c>ClusterNode</c> so each row knows which
+///     cluster it belongs to — the Admin UI groups by cluster for the fleet-wide view.
+/// </summary>
+/// <remarks>
+///     The publisher heartbeat is 10s (<c>HostStatusPublisher.HeartbeatInterval</c>). The
+///     Admin page also polls every ~10s and treats rows with <c>LastSeenUtc</c> older than
+///     <c>StaleThreshold</c> (30s) as stale — covers a missed heartbeat tolerance plus
+///     a generous buffer for clock skew and publisher GC pauses.
+/// </remarks>
+public sealed class HostStatusService(OtOpcUaConfigDbContext db)
+{
+    public static readonly TimeSpan StaleThreshold = TimeSpan.FromSeconds(30);
+
+    public async Task<IReadOnlyList<HostStatusRow>> ListAsync(CancellationToken ct = default)
+    {
+        // LEFT JOIN on NodeId so a row persists even when its owning ClusterNode row hasn't
+        // been created yet (first-boot bootstrap case — keeps the UI from losing sight of
+        // the reporting server).
+        var rows = await (from s in db.DriverHostStatuses.AsNoTracking()
+                          join n in db.ClusterNodes.AsNoTracking()
+                              on s.NodeId equals n.NodeId into nodeJoin
+                          from n in nodeJoin.DefaultIfEmpty()
+                          orderby s.NodeId, s.DriverInstanceId, s.HostName
+                          select new HostStatusRow(
+                              s.NodeId,
+                              n != null ? n.ClusterId : null,
+                              s.DriverInstanceId,
+                              s.HostName,
+                              s.State,
+                              s.StateChangedUtc,
+                              s.LastSeenUtc,
+                              s.Detail)).ToListAsync(ct);
+        return rows;
+    }
+
+    public static bool IsStale(HostStatusRow row) =>
+        DateTime.UtcNow - row.LastSeenUtc > StaleThreshold;
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/Entities/DriverHostStatus.cs

@@ -0,0 +1,61 @@
+using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+
+/// <summary>
+///     Per-host connectivity snapshot the Server publishes for each driver's
+///     <c>IHostConnectivityProbe.GetHostStatuses</c> entry. One row per
+///     (<see cref="NodeId"/>, <see cref="DriverInstanceId"/>, <see cref="HostName"/>) triple —
+///     a redundant 2-node cluster with one Galaxy driver reporting 3 platforms produces 6
+///     rows, not 3, because each server node owns its own runtime view.
+/// </summary>
+/// <remarks>
+///     <para>
+///         Closes the data-layer piece of LMX follow-up #7 (per-AppEngine Admin dashboard
+///         drill-down). The publisher hosted service on the Server side subscribes to every
+///         registered driver's <c>OnHostStatusChanged</c> and upserts rows on transitions +
+///         periodic liveness heartbeats. <see cref="LastSeenUtc"/> advances on every
+///         heartbeat so the Admin UI can flag stale rows from a crashed Server.
+///     </para>
+///     <para>
+///         No foreign-key to <see cref="ClusterNode"/> — a Server may start reporting host
+///         status before its ClusterNode row exists (e.g. first-boot bootstrap), and we'd
+///         rather keep the status row than drop it. The Admin-side service left-joins on
+///         NodeId when presenting rows.
+///     </para>
+/// </remarks>
+public sealed class DriverHostStatus
+{
+    /// <summary>Server node that's running the driver.</summary>
+    public required string NodeId { get; set; }
+
+    /// <summary>Driver instance's stable id (matches <c>IDriver.DriverInstanceId</c>).</summary>
+    public required string DriverInstanceId { get; set; }
+
+    /// <summary>
+    ///     Driver-side host identifier — Galaxy Platform / AppEngine name, Modbus
+    ///     <c>host:port</c>, whatever the probe returns. Opaque to the Admin UI except as
+    ///     a display string.
+    /// </summary>
+    public required string HostName { get; set; }
+
+    public DriverHostState State { get; set; } = DriverHostState.Unknown;
+
+    /// <summary>Timestamp of the last state transition (not of the most recent heartbeat).</summary>
+    public DateTime StateChangedUtc { get; set; }
+
+    /// <summary>
+    ///     Advances on every publisher heartbeat — the Admin UI uses
+    ///     <c>now - LastSeenUtc &gt; threshold</c> to flag rows whose owning Server has
+    ///     stopped reporting (crashed, network-partitioned, etc.), independent of
+    ///     <see cref="State"/>.
+    /// </summary>
+    public DateTime LastSeenUtc { get; set; }
+
+    /// <summary>
+    ///     Optional human-readable detail populated when <see cref="State"/> is
+    ///     <see cref="DriverHostState.Faulted"/> — e.g. the exception message from the
+    ///     driver's probe. Null for Running / Stopped / Unknown transitions.
+    /// </summary>
+    public string? Detail { get; set; }
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/Enums/DriverHostState.cs

@@ -0,0 +1,21 @@
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+
+/// <summary>
+///     Persisted mirror of <c>Core.Abstractions.HostState</c> — the lifecycle state each
+///     <c>IHostConnectivityProbe</c>-capable driver reports for its per-host topology
+///     (Galaxy Platforms / AppEngines, Modbus PLC endpoints, future OPC UA gateway upstreams).
+///     Defined here instead of re-using <c>Core.Abstractions.HostState</c> so the
+///     Configuration project stays free of driver-runtime dependencies.
+/// </summary>
+/// <remarks>
+///     The server-side publisher (follow-up PR) translates
+///     <c>HostStatusChangedEventArgs.NewState</c> to this enum on every transition and
+///     upserts into <see cref="Entities.DriverHostStatus"/>. Admin UI reads from the DB.
+/// </remarks>
+public enum DriverHostState
+{
+    Unknown,
+    Running,
+    Stopped,
+    Faulted,
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/Migrations/20260418193608_AddDriverHostStatus.cs

@@ -0,0 +1,49 @@
+using System;
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Migrations
+{
+    /// <inheritdoc />
+    public partial class AddDriverHostStatus : Migration
+    {
+        /// <inheritdoc />
+        protected override void Up(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.CreateTable(
+                name: "DriverHostStatus",
+                columns: table => new
+                {
+                    NodeId = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: false),
+                    DriverInstanceId = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: false),
+                    HostName = table.Column<string>(type: "nvarchar(256)", maxLength: 256, nullable: false),
+                    State = table.Column<string>(type: "nvarchar(16)", maxLength: 16, nullable: false),
+                    StateChangedUtc = table.Column<DateTime>(type: "datetime2(3)", nullable: false),
+                    LastSeenUtc = table.Column<DateTime>(type: "datetime2(3)", nullable: false),
+                    Detail = table.Column<string>(type: "nvarchar(1024)", maxLength: 1024, nullable: true)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_DriverHostStatus", x => new { x.NodeId, x.DriverInstanceId, x.HostName });
+                });
+
+            migrationBuilder.CreateIndex(
+                name: "IX_DriverHostStatus_LastSeen",
+                table: "DriverHostStatus",
+                column: "LastSeenUtc");
+
+            migrationBuilder.CreateIndex(
+                name: "IX_DriverHostStatus_Node",
+                table: "DriverHostStatus",
+                column: "NodeId");
+        }
+
+        /// <inheritdoc />
+        protected override void Down(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.DropTable(
+                name: "DriverHostStatus");
+        }
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/Migrations/OtOpcUaConfigDbContextModelSnapshot.cs

@@ -332,6 +332,46 @@ namespace ZB.MOM.WW.OtOpcUa.Configuration.Migrations
                         });
                 });
 
+            modelBuilder.Entity("ZB.MOM.WW.OtOpcUa.Configuration.Entities.DriverHostStatus", b =>
+                {
+                    b.Property<string>("NodeId")
+                        .HasMaxLength(64)
+                        .HasColumnType("nvarchar(64)");
+
+                    b.Property<string>("DriverInstanceId")
+                        .HasMaxLength(64)
+                        .HasColumnType("nvarchar(64)");
+
+                    b.Property<string>("HostName")
+                        .HasMaxLength(256)
+                        .HasColumnType("nvarchar(256)");
+
+                    b.Property<string>("Detail")
+                        .HasMaxLength(1024)
+                        .HasColumnType("nvarchar(1024)");
+
+                    b.Property<DateTime>("LastSeenUtc")
+                        .HasColumnType("datetime2(3)");
+
+                    b.Property<string>("State")
+                        .IsRequired()
+                        .HasMaxLength(16)
+                        .HasColumnType("nvarchar(16)");
+
+                    b.Property<DateTime>("StateChangedUtc")
+                        .HasColumnType("datetime2(3)");
+
+                    b.HasKey("NodeId", "DriverInstanceId", "HostName");
+
+                    b.HasIndex("LastSeenUtc")
+                        .HasDatabaseName("IX_DriverHostStatus_LastSeen");
+
+                    b.HasIndex("NodeId")
+                        .HasDatabaseName("IX_DriverHostStatus_Node");
+
+                    b.ToTable("DriverHostStatus", (string)null);
+                });
+
             modelBuilder.Entity("ZB.MOM.WW.OtOpcUa.Configuration.Entities.DriverInstance", b =>
                 {
                     b.Property<Guid>("DriverInstanceRowId")

src/ZB.MOM.WW.OtOpcUa.Configuration/OtOpcUaConfigDbContext.cs

@@ -27,6 +27,7 @@ public sealed class OtOpcUaConfigDbContext(DbContextOptions<OtOpcUaConfigDbConte
     public DbSet<ClusterNodeGenerationState> ClusterNodeGenerationStates => Set<ClusterNodeGenerationState>();
     public DbSet<ConfigAuditLog> ConfigAuditLogs => Set<ConfigAuditLog>();
     public DbSet<ExternalIdReservation> ExternalIdReservations => Set<ExternalIdReservation>();
+    public DbSet<DriverHostStatus> DriverHostStatuses => Set<DriverHostStatus>();
 
     protected override void OnModelCreating(ModelBuilder modelBuilder)
     {
@@ -47,6 +48,7 @@ public sealed class OtOpcUaConfigDbContext(DbContextOptions<OtOpcUaConfigDbConte
         ConfigureClusterNodeGenerationState(modelBuilder);
         ConfigureConfigAuditLog(modelBuilder);
         ConfigureExternalIdReservation(modelBuilder);
+        ConfigureDriverHostStatus(modelBuilder);
     }
 
     private static void ConfigureServerCluster(ModelBuilder modelBuilder)
@@ -484,4 +486,30 @@ public sealed class OtOpcUaConfigDbContext(DbContextOptions<OtOpcUaConfigDbConte
             e.HasIndex(x => x.EquipmentUuid).HasDatabaseName("IX_ExternalIdReservation_Equipment");
         });
     }
+
+    private static void ConfigureDriverHostStatus(ModelBuilder modelBuilder)
+    {
+        modelBuilder.Entity<DriverHostStatus>(e =>
+        {
+            e.ToTable("DriverHostStatus");
+            // Composite key — one row per (server node, driver instance, probe-reported host).
+            // A redundant 2-node cluster with one Galaxy driver reporting 3 platforms produces
+            // 6 rows because each server node owns its own runtime view; the composite key is
+            // what lets both views coexist without shadowing each other.
+            e.HasKey(x => new { x.NodeId, x.DriverInstanceId, x.HostName });
+            e.Property(x => x.NodeId).HasMaxLength(64);
+            e.Property(x => x.DriverInstanceId).HasMaxLength(64);
+            e.Property(x => x.HostName).HasMaxLength(256);
+            e.Property(x => x.State).HasConversion<string>().HasMaxLength(16);
+            e.Property(x => x.StateChangedUtc).HasColumnType("datetime2(3)");
+            e.Property(x => x.LastSeenUtc).HasColumnType("datetime2(3)");
+            e.Property(x => x.Detail).HasMaxLength(1024);
+
+            // NodeId-only index drives the Admin UI's per-cluster drill-down (select all host
+            // statuses for the nodes of a specific cluster via join on ClusterNode.ClusterId).
+            e.HasIndex(x => x.NodeId).HasDatabaseName("IX_DriverHostStatus_Node");
+            // LastSeenUtc index powers the Admin UI's stale-row query (now - LastSeen > N).
+            e.HasIndex(x => x.LastSeenUtc).HasDatabaseName("IX_DriverHostStatus_LastSeen");
+        });
+    }
 }

src/ZB.MOM.WW.OtOpcUa.Core.Abstractions/IHistoryProvider.cs

@@ -30,6 +30,52 @@ public interface IHistoryProvider
         TimeSpan interval,
         HistoryAggregateType aggregate,
         CancellationToken cancellationToken);
+
+    /// <summary>
+    ///     Read one sample per requested timestamp — OPC UA HistoryReadAtTime service. The
+    ///     driver interpolates (or returns the prior-boundary sample) when no exact match
+    ///     exists. Optional; drivers that can't interpolate throw <see cref="NotSupportedException"/>.
+    /// </summary>
+    /// <remarks>
+    ///     Default implementation throws. Drivers opt in by overriding; keeps existing
+    ///     <c>IHistoryProvider</c> implementations compiling without forcing a ReadAtTime path
+    ///     they may not have a backend for.
+    /// </remarks>
+    Task<HistoryReadResult> ReadAtTimeAsync(
+        string fullReference,
+        IReadOnlyList<DateTime> timestampsUtc,
+        CancellationToken cancellationToken)
+        => throw new NotSupportedException(
+            $"{GetType().Name} does not implement ReadAtTimeAsync. " +
+            "Drivers whose backends support at-time reads override this method.");
+
+    /// <summary>
+    ///     Read historical alarm/event records — OPC UA HistoryReadEvents service. Distinct
+    ///     from the live event stream — historical rows come from an event historian (Galaxy's
+    ///     Alarm Provider history log, etc.) rather than the driver's active subscription.
+    /// </summary>
+    /// <param name="sourceName">
+    ///     Optional filter: null means "all sources", otherwise restrict to events from that
+    ///     source-object name. Drivers may ignore the filter if the backend doesn't support it.
+    /// </param>
+    /// <param name="startUtc">Inclusive lower bound on <c>EventTimeUtc</c>.</param>
+    /// <param name="endUtc">Exclusive upper bound on <c>EventTimeUtc</c>.</param>
+    /// <param name="maxEvents">Upper cap on returned events — the driver's backend enforces this.</param>
+    /// <param name="cancellationToken">Request cancellation.</param>
+    /// <remarks>
+    ///     Default implementation throws. Only drivers with an event historian (Galaxy via the
+    ///     Wonderware Alarm &amp; Events log) override. Modbus / the OPC UA Client driver stay
+    ///     with the default and let callers see <c>BadHistoryOperationUnsupported</c>.
+    /// </remarks>
+    Task<HistoricalEventsResult> ReadEventsAsync(
+        string? sourceName,
+        DateTime startUtc,
+        DateTime endUtc,
+        int maxEvents,
+        CancellationToken cancellationToken)
+        => throw new NotSupportedException(
+            $"{GetType().Name} does not implement ReadEventsAsync. " +
+            "Drivers whose backends have an event historian override this method.");
 }
 
 /// <summary>Result of a HistoryRead call.</summary>
@@ -48,3 +94,29 @@ public enum HistoryAggregateType
     Total,
     Count,
 }
+
+/// <summary>
+///     One row returned by <see cref="IHistoryProvider.ReadEventsAsync"/> — a historical
+///     alarm/event record, not the OPC UA live-event stream. Fields match the minimum set the
+///     Server needs to populate a <c>HistoryEventFieldList</c> for HistoryReadEvents responses.
+/// </summary>
+/// <param name="EventId">Stable unique id for the event — driver-specific format.</param>
+/// <param name="SourceName">Source object that emitted the event. May differ from the <c>sourceName</c> filter the caller passed (fuzzy matches).</param>
+/// <param name="EventTimeUtc">Process-side timestamp — when the event actually occurred.</param>
+/// <param name="ReceivedTimeUtc">Historian-side timestamp — when the historian persisted the row; may lag <paramref name="EventTimeUtc"/> by the historian's buffer flush cadence.</param>
+/// <param name="Message">Human-readable message text.</param>
+/// <param name="Severity">OPC UA severity (1-1000). Drivers map their native priority scale onto this range.</param>
+public sealed record HistoricalEvent(
+    string EventId,
+    string? SourceName,
+    DateTime EventTimeUtc,
+    DateTime ReceivedTimeUtc,
+    string? Message,
+    ushort Severity);
+
+/// <summary>Result of a <see cref="IHistoryProvider.ReadEventsAsync"/> call.</summary>
+/// <param name="Events">Events in chronological order by <c>EventTimeUtc</c>.</param>
+/// <param name="ContinuationPoint">Opaque token for the next call when more events are available; null when complete.</param>
+public sealed record HistoricalEventsResult(
+    IReadOnlyList<HistoricalEvent> Events,
+    byte[]? ContinuationPoint);

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy/GalaxyProxyDriver.cs

@@ -339,6 +339,64 @@ public sealed class GalaxyProxyDriver(GalaxyProxyOptions options)
         return new HistoryReadResult(samples, ContinuationPoint: null);
     }
 
+    public async Task<HistoryReadResult> ReadAtTimeAsync(
+        string fullReference, IReadOnlyList<DateTime> timestampsUtc, CancellationToken cancellationToken)
+    {
+        var client = RequireClient();
+        var resp = await client.CallAsync<HistoryReadAtTimeRequest, HistoryReadAtTimeResponse>(
+            MessageKind.HistoryReadAtTimeRequest,
+            new HistoryReadAtTimeRequest
+            {
+                SessionId = _sessionId,
+                TagReference = fullReference,
+                TimestampsUtcUnixMs = [.. timestampsUtc.Select(t => new DateTimeOffset(t, TimeSpan.Zero).ToUnixTimeMilliseconds())],
+            },
+            MessageKind.HistoryReadAtTimeResponse,
+            cancellationToken);
+
+        if (!resp.Success)
+            throw new InvalidOperationException($"Galaxy.Host HistoryReadAtTime failed: {resp.Error}");
+
+        // ReadAtTime returns one sample per requested timestamp in the same order — the Host
+        // pads with bad-quality snapshots when a timestamp can't be interpolated, so response
+        // length matches request length exactly. We trust that contract rather than
+        // re-aligning here, because the Host is the source-of-truth for interpolation policy.
+        IReadOnlyList<DataValueSnapshot> samples = [.. resp.Values.Select(ToSnapshot)];
+        return new HistoryReadResult(samples, ContinuationPoint: null);
+    }
+
+    public async Task<HistoricalEventsResult> ReadEventsAsync(
+        string? sourceName, DateTime startUtc, DateTime endUtc, int maxEvents, CancellationToken cancellationToken)
+    {
+        var client = RequireClient();
+        var resp = await client.CallAsync<HistoryReadEventsRequest, HistoryReadEventsResponse>(
+            MessageKind.HistoryReadEventsRequest,
+            new HistoryReadEventsRequest
+            {
+                SessionId = _sessionId,
+                SourceName = sourceName,
+                StartUtcUnixMs = new DateTimeOffset(startUtc, TimeSpan.Zero).ToUnixTimeMilliseconds(),
+                EndUtcUnixMs = new DateTimeOffset(endUtc, TimeSpan.Zero).ToUnixTimeMilliseconds(),
+                MaxEvents = maxEvents,
+            },
+            MessageKind.HistoryReadEventsResponse,
+            cancellationToken);
+
+        if (!resp.Success)
+            throw new InvalidOperationException($"Galaxy.Host HistoryReadEvents failed: {resp.Error}");
+
+        IReadOnlyList<HistoricalEvent> events = [.. resp.Events.Select(ToHistoricalEvent)];
+        return new HistoricalEventsResult(events, ContinuationPoint: null);
+    }
+
+    internal static HistoricalEvent ToHistoricalEvent(GalaxyHistoricalEvent wire) => new(
+        EventId: wire.EventId,
+        SourceName: wire.SourceName,
+        EventTimeUtc: DateTimeOffset.FromUnixTimeMilliseconds(wire.EventTimeUtcUnixMs).UtcDateTime,
+        ReceivedTimeUtc: DateTimeOffset.FromUnixTimeMilliseconds(wire.ReceivedTimeUtcUnixMs).UtcDateTime,
+        Message: wire.DisplayText,
+        Severity: wire.Severity);
+
     /// <summary>
     ///     Maps the OPC UA Part 13 aggregate enum onto the Wonderware Historian
     ///     AnalogSummaryQuery column names consumed by <c>HistorianDataSource.ReadAggregateAsync</c>.

src/ZB.MOM.WW.OtOpcUa.Server/HostStatusPublisher.cs

@@ -0,0 +1,143 @@
+using Microsoft.EntityFrameworkCore;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Hosting;
+using Microsoft.Extensions.Logging;
+using ZB.MOM.WW.OtOpcUa.Configuration;
+using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Core.Hosting;
+
+namespace ZB.MOM.WW.OtOpcUa.Server;
+
+/// <summary>
+///     Walks every registered driver once per heartbeat interval, asks each
+///     <see cref="IHostConnectivityProbe"/>-capable driver for its current
+///     <see cref="HostConnectivityStatus"/> list, and upserts one
+///     <see cref="DriverHostStatus"/> row per (NodeId, DriverInstanceId, HostName) into the
+///     central config DB. Powers the Admin UI's per-host drill-down page (LMX follow-up #7).
+/// </summary>
+/// <remarks>
+///     <para>
+///         Polling rather than event-driven: simpler, and matches the cadence the Admin UI
+///         consumes. An event-subscription optimization (push on <c>OnHostStatusChanged</c> for
+///         immediate reflection) is a straightforward follow-up but adds lifecycle complexity
+///         — drivers can be registered after the publisher starts, and subscribing to each
+///         one's event on register + unsubscribing on unregister requires DriverHost to expose
+///         lifecycle events it doesn't today.
+///     </para>
+///     <para>
+///         <see cref="DriverHostStatus.LastSeenUtc"/> advances every heartbeat so the Admin UI
+///         can flag stale rows from a crashed Server process independent of
+///         <see cref="DriverHostStatus.State"/> — a Faulted publisher that stops heartbeating
+///         stays Faulted in the DB but its LastSeenUtc ages out, which is the signal
+///         operators actually want.
+///     </para>
+///     <para>
+///         If the DB is unreachable on a given tick, the publisher logs and moves on — it
+///         does not retry or buffer. The next heartbeat picks up the current-state snapshot,
+///         which is more useful than replaying stale transitions after a long outage.
+///     </para>
+/// </remarks>
+public sealed class HostStatusPublisher(
+    DriverHost driverHost,
+    NodeOptions nodeOptions,
+    IServiceScopeFactory scopeFactory,
+    ILogger<HostStatusPublisher> logger) : BackgroundService
+{
+    internal static readonly TimeSpan HeartbeatInterval = TimeSpan.FromSeconds(10);
+
+    protected override async Task ExecuteAsync(CancellationToken stoppingToken)
+    {
+        // Wait a short moment at startup so NodeBootstrap's RegisterAsync calls have had a
+        // chance to land. First tick runs immediately after so a freshly-started Server
+        // surfaces its host topology in the Admin UI without waiting a full interval.
+        try { await Task.Delay(TimeSpan.FromSeconds(2), stoppingToken); }
+        catch (OperationCanceledException) { return; }
+
+        while (!stoppingToken.IsCancellationRequested)
+        {
+            try { await PublishOnceAsync(stoppingToken); }
+            catch (OperationCanceledException) { return; }
+            catch (Exception ex)
+            {
+                // Never take down the Server on a publisher failure. Log and continue —
+                // stale-row detection on the Admin side will surface the outage.
+                logger.LogWarning(ex, "Host-status publisher tick failed — will retry next heartbeat");
+            }
+
+            try { await Task.Delay(HeartbeatInterval, stoppingToken); }
+            catch (OperationCanceledException) { return; }
+        }
+    }
+
+    internal async Task PublishOnceAsync(CancellationToken ct)
+    {
+        var driverIds = driverHost.RegisteredDriverIds;
+        if (driverIds.Count == 0) return;
+
+        var now = DateTime.UtcNow;
+        using var scope = scopeFactory.CreateScope();
+        var db = scope.ServiceProvider.GetRequiredService<OtOpcUaConfigDbContext>();
+
+        foreach (var driverId in driverIds)
+        {
+            var driver = driverHost.GetDriver(driverId);
+            if (driver is not IHostConnectivityProbe probe) continue;
+
+            IReadOnlyList<HostConnectivityStatus> statuses;
+            try { statuses = probe.GetHostStatuses(); }
+            catch (Exception ex)
+            {
+                logger.LogWarning(ex, "Driver {DriverId} GetHostStatuses threw — skipping this tick", driverId);
+                continue;
+            }
+
+            foreach (var status in statuses)
+            {
+                await UpsertAsync(db, driverId, status, now, ct);
+            }
+        }
+
+        await db.SaveChangesAsync(ct);
+    }
+
+    private async Task UpsertAsync(OtOpcUaConfigDbContext db, string driverId,
+        HostConnectivityStatus status, DateTime now, CancellationToken ct)
+    {
+        var mapped = MapState(status.State);
+        var existing = await db.DriverHostStatuses.SingleOrDefaultAsync(r =>
+            r.NodeId == nodeOptions.NodeId
+            && r.DriverInstanceId == driverId
+            && r.HostName == status.HostName, ct);
+
+        if (existing is null)
+        {
+            db.DriverHostStatuses.Add(new DriverHostStatus
+            {
+                NodeId = nodeOptions.NodeId,
+                DriverInstanceId = driverId,
+                HostName = status.HostName,
+                State = mapped,
+                StateChangedUtc = status.LastChangedUtc,
+                LastSeenUtc = now,
+            });
+            return;
+        }
+
+        existing.LastSeenUtc = now;
+        if (existing.State != mapped)
+        {
+            existing.State = mapped;
+            existing.StateChangedUtc = status.LastChangedUtc;
+        }
+    }
+
+    internal static DriverHostState MapState(HostState state) => state switch
+    {
+        HostState.Running => DriverHostState.Running,
+        HostState.Stopped => DriverHostState.Stopped,
+        HostState.Faulted => DriverHostState.Faulted,
+        _ => DriverHostState.Unknown,
+    };
+}

src/ZB.MOM.WW.OtOpcUa.Server/OpcUa/DriverNodeManager.cs

@@ -3,7 +3,13 @@ using Microsoft.Extensions.Logging;
 using Opc.Ua;
 using Opc.Ua.Server;
 using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Server.Security;
 using DriverWriteRequest = ZB.MOM.WW.OtOpcUa.Core.Abstractions.WriteRequest;
+// Core.Abstractions defines a type-named HistoryReadResult (driver-side samples + continuation
+// point) that collides with Opc.Ua.HistoryReadResult (service-layer per-node result). We
+// assign driver-side results to an explicitly-aliased local and construct only the service
+// type in the overrides below.
+using OpcHistoryReadResult = Opc.Ua.HistoryReadResult;
 
 namespace ZB.MOM.WW.OtOpcUa.Server.OpcUa;
 
@@ -35,6 +41,12 @@ public sealed class DriverNodeManager : CustomNodeManager2, IAddressSpaceBuilder
     private FolderState? _driverRoot;
     private readonly Dictionary<string, BaseDataVariableState> _variablesByFullRef = new(StringComparer.OrdinalIgnoreCase);
 
+    // PR 26: SecurityClassification per variable, populated during Variable() registration.
+    // OnWriteValue looks up the classification here to gate the write by the session's roles.
+    // Drivers never enforce authz themselves — the classification is discovery-time metadata
+    // only (feedback_acl_at_server_layer.md).
+    private readonly Dictionary<string, SecurityClassification> _securityByFullRef = new(StringComparer.OrdinalIgnoreCase);
+
     // Active building folder — set per Folder() call so Variable() lands under the right parent.
     // A stack would support nested folders; we use a single current folder because IAddressSpaceBuilder
     // returns a child builder per Folder call and the caller threads nesting through those references.
@@ -64,7 +76,13 @@ public sealed class DriverNodeManager : CustomNodeManager2, IAddressSpaceBuilder
                 NodeId = new NodeId(_driver.DriverInstanceId, NamespaceIndex),
                 BrowseName = new QualifiedName(_driver.DriverInstanceId, NamespaceIndex),
                 DisplayName = new LocalizedText(_driver.DriverInstanceId),
-                EventNotifier = EventNotifiers.None,
+                // Driver root is the conventional event notifier for HistoryReadEvents — clients
+                // request alarm history by targeting it and the node manager routes through
+                // IHistoryProvider.ReadEventsAsync. SubscribeToEvents is also set so live-event
+                // subscriptions (Alarm & Conditions) can point here in a future PR; today the
+                // alarm events are emitted by per-variable AlarmConditionState siblings but a
+                // "subscribe to all events from this driver" path would use this notifier.
+                EventNotifier = (byte)(EventNotifiers.SubscribeToEvents | EventNotifiers.HistoryRead),
             };
 
             // Link under Objects folder so clients see the driver subtree at browse root.
@@ -115,13 +133,21 @@ public sealed class DriverNodeManager : CustomNodeManager2, IAddressSpaceBuilder
                 DisplayName = new LocalizedText(displayName),
                 DataType = MapDataType(attributeInfo.DriverDataType),
                 ValueRank = attributeInfo.IsArray ? ValueRanks.OneDimension : ValueRanks.Scalar,
-                AccessLevel = AccessLevels.CurrentReadOrWrite,
-                UserAccessLevel = AccessLevels.CurrentReadOrWrite,
+                // Historized attributes get the HistoryRead access bit so the stack dispatches
+                // incoming HistoryRead service calls to this node. Without it the base class
+                // returns BadHistoryOperationUnsupported before our per-kind hook ever runs.
+                // HistoryWrite isn't granted — history rewrite is a separate capability the
+                // driver doesn't support today.
+                AccessLevel = (byte)(AccessLevels.CurrentReadOrWrite
+                    | (attributeInfo.IsHistorized ? AccessLevels.HistoryRead : 0)),
+                UserAccessLevel = (byte)(AccessLevels.CurrentReadOrWrite
+                    | (attributeInfo.IsHistorized ? AccessLevels.HistoryRead : 0)),
                 Historizing = attributeInfo.IsHistorized,
             };
             _currentFolder.AddChild(v);
             AddPredefinedNode(SystemContext, v);
             _variablesByFullRef[attributeInfo.FullName] = v;
+            _securityByFullRef[attributeInfo.FullName] = attributeInfo.SecurityClass;
 
             v.OnReadValue = OnReadValue;
             v.OnWriteValue = OnWriteValue;
@@ -337,6 +363,22 @@ public sealed class DriverNodeManager : CustomNodeManager2, IAddressSpaceBuilder
         var fullRef = node.NodeId.Identifier as string;
         if (string.IsNullOrEmpty(fullRef)) return StatusCodes.BadNodeIdUnknown;
 
+        // PR 26: server-layer write authorization. Look up the attribute's classification
+        // (populated during Variable() in Discover) and check the session's roles against the
+        // policy table. Drivers don't participate in this decision — IWritable.WriteAsync
+        // never sees a request we'd have refused here.
+        if (_securityByFullRef.TryGetValue(fullRef!, out var classification))
+        {
+            var roles = context.UserIdentity is IRoleBearer rb ? rb.Roles : [];
+            if (!WriteAuthzPolicy.IsAllowed(classification, roles))
+            {
+                _logger.LogInformation(
+                    "Write denied for {FullRef}: classification={Classification} userRoles=[{Roles}]",
+                    fullRef, classification, string.Join(",", roles));
+                return new ServiceResult(StatusCodes.BadUserAccessDenied);
+            }
+        }
+
         try
         {
             var results = _writable.WriteAsync(
@@ -360,4 +402,379 @@ public sealed class DriverNodeManager : CustomNodeManager2, IAddressSpaceBuilder
     internal int VariableCount => _variablesByFullRef.Count;
     internal bool TryGetVariable(string fullRef, out BaseDataVariableState? v)
         => _variablesByFullRef.TryGetValue(fullRef, out v!);
+
+    // ===================== HistoryRead service handlers (LMX #1, PR 38) =====================
+    //
+    // Wires the driver's IHistoryProvider capability (PR 35 added ReadAtTimeAsync / ReadEventsAsync
+    // alongside the PR 19 ReadRawAsync / ReadProcessedAsync) to the OPC UA HistoryRead service.
+    // CustomNodeManager2 has four protected per-kind hooks; the base dispatches to the right one
+    // based on the concrete HistoryReadDetails subtype. Each hook is sync-returning-void — the
+    // per-driver async calls are bridged via GetAwaiter().GetResult(), matching the pattern
+    // OnReadValue / OnWriteValue already use in this class so HistoryRead doesn't introduce a
+    // different sync-over-async convention.
+    //
+    // Per-node routing: every HistoryReadValueId in nodesToRead has a NodeHandle in
+    // nodesToProcess; the NodeHandle's NodeId.Identifier is the driver-side full reference
+    // (set during Variable() registration) so we can dispatch straight to IHistoryProvider
+    // without a second lookup. Nodes without IHistoryProvider backing (drivers that don't
+    // implement the capability) surface BadHistoryOperationUnsupported per slot and the
+    // rest of the batch continues — same failure-isolation pattern as OnWriteValue.
+    //
+    // Continuation-point handling is pass-through only in this PR: the driver returns null
+    // from its ContinuationPoint field today so the outer result's ContinuationPoint stays
+    // empty. Full Session.SaveHistoryContinuationPoint plumbing is a follow-up when a driver
+    // actually needs paging — the dispatch shape doesn't change, only the result-population.
+
+    private IHistoryProvider? History => _driver as IHistoryProvider;
+
+    protected override void HistoryReadRawModified(
+        ServerSystemContext context, ReadRawModifiedDetails details, TimestampsToReturn timestamps,
+        IList<HistoryReadValueId> nodesToRead, IList<OpcHistoryReadResult> results,
+        IList<ServiceResult> errors, List<NodeHandle> nodesToProcess,
+        IDictionary<NodeId, NodeState> cache)
+    {
+        if (History is null)
+        {
+            MarkAllUnsupported(nodesToProcess, results, errors);
+            return;
+        }
+
+        // IsReadModified=true requests a "modifications" history (who changed the data, when
+        // it was re-written). The driver side has no modifications store — surface that
+        // explicitly rather than silently returning raw data, which would mislead the client.
+        if (details.IsReadModified)
+        {
+            MarkAllUnsupported(nodesToProcess, results, errors, StatusCodes.BadHistoryOperationUnsupported);
+            return;
+        }
+
+        for (var n = 0; n < nodesToProcess.Count; n++)
+        {
+            var handle = nodesToProcess[n];
+            // NodeHandle.Index points back to the slot in the outer results/errors/nodesToRead
+            // arrays. nodesToProcess is the filtered subset (just the nodes this manager
+            // claimed), so writing to results[n] lands in the wrong slot when N > 1 and nodes
+            // are interleaved across multiple node managers.
+            var i = handle.Index;
+            var fullRef = ResolveFullRef(handle);
+            if (fullRef is null)
+            {
+                WriteNodeIdUnknown(results, errors, i);
+                continue;
+            }
+
+            try
+            {
+                var driverResult = History.ReadRawAsync(
+                    fullRef,
+                    details.StartTime,
+                    details.EndTime,
+                    details.NumValuesPerNode,
+                    CancellationToken.None).GetAwaiter().GetResult();
+
+                WriteResult(results, errors, i, StatusCodes.Good,
+                    BuildHistoryData(driverResult.Samples), driverResult.ContinuationPoint);
+            }
+            catch (NotSupportedException)
+            {
+                WriteUnsupported(results, errors, i);
+            }
+            catch (Exception ex)
+            {
+                _logger.LogWarning(ex, "HistoryReadRaw failed for {FullRef}", fullRef);
+                WriteInternalError(results, errors, i);
+            }
+        }
+    }
+
+    protected override void HistoryReadProcessed(
+        ServerSystemContext context, ReadProcessedDetails details, TimestampsToReturn timestamps,
+        IList<HistoryReadValueId> nodesToRead, IList<OpcHistoryReadResult> results,
+        IList<ServiceResult> errors, List<NodeHandle> nodesToProcess,
+        IDictionary<NodeId, NodeState> cache)
+    {
+        if (History is null)
+        {
+            MarkAllUnsupported(nodesToProcess, results, errors);
+            return;
+        }
+
+        // AggregateType is one NodeId shared across every item in the batch — map once.
+        var aggregate = MapAggregate(details.AggregateType?.FirstOrDefault());
+        if (aggregate is null)
+        {
+            MarkAllUnsupported(nodesToProcess, results, errors, StatusCodes.BadAggregateNotSupported);
+            return;
+        }
+
+        var interval = TimeSpan.FromMilliseconds(details.ProcessingInterval);
+        for (var n = 0; n < nodesToProcess.Count; n++)
+        {
+            var handle = nodesToProcess[n];
+            // NodeHandle.Index points back to the slot in the outer results/errors/nodesToRead
+            // arrays. nodesToProcess is the filtered subset (just the nodes this manager
+            // claimed), so writing to results[n] lands in the wrong slot when N > 1 and nodes
+            // are interleaved across multiple node managers.
+            var i = handle.Index;
+            var fullRef = ResolveFullRef(handle);
+            if (fullRef is null)
+            {
+                WriteNodeIdUnknown(results, errors, i);
+                continue;
+            }
+
+            try
+            {
+                var driverResult = History.ReadProcessedAsync(
+                    fullRef,
+                    details.StartTime,
+                    details.EndTime,
+                    interval,
+                    aggregate.Value,
+                    CancellationToken.None).GetAwaiter().GetResult();
+
+                WriteResult(results, errors, i, StatusCodes.Good,
+                    BuildHistoryData(driverResult.Samples), driverResult.ContinuationPoint);
+            }
+            catch (NotSupportedException)
+            {
+                WriteUnsupported(results, errors, i);
+            }
+            catch (Exception ex)
+            {
+                _logger.LogWarning(ex, "HistoryReadProcessed failed for {FullRef}", fullRef);
+                WriteInternalError(results, errors, i);
+            }
+        }
+    }
+
+    protected override void HistoryReadAtTime(
+        ServerSystemContext context, ReadAtTimeDetails details, TimestampsToReturn timestamps,
+        IList<HistoryReadValueId> nodesToRead, IList<OpcHistoryReadResult> results,
+        IList<ServiceResult> errors, List<NodeHandle> nodesToProcess,
+        IDictionary<NodeId, NodeState> cache)
+    {
+        if (History is null)
+        {
+            MarkAllUnsupported(nodesToProcess, results, errors);
+            return;
+        }
+
+        var requestedTimes = (IReadOnlyList<DateTime>)(details.ReqTimes?.ToArray() ?? Array.Empty<DateTime>());
+        for (var n = 0; n < nodesToProcess.Count; n++)
+        {
+            var handle = nodesToProcess[n];
+            // NodeHandle.Index points back to the slot in the outer results/errors/nodesToRead
+            // arrays. nodesToProcess is the filtered subset (just the nodes this manager
+            // claimed), so writing to results[n] lands in the wrong slot when N > 1 and nodes
+            // are interleaved across multiple node managers.
+            var i = handle.Index;
+            var fullRef = ResolveFullRef(handle);
+            if (fullRef is null)
+            {
+                WriteNodeIdUnknown(results, errors, i);
+                continue;
+            }
+
+            try
+            {
+                var driverResult = History.ReadAtTimeAsync(
+                    fullRef, requestedTimes, CancellationToken.None).GetAwaiter().GetResult();
+
+                WriteResult(results, errors, i, StatusCodes.Good,
+                    BuildHistoryData(driverResult.Samples), driverResult.ContinuationPoint);
+            }
+            catch (NotSupportedException)
+            {
+                WriteUnsupported(results, errors, i);
+            }
+            catch (Exception ex)
+            {
+                _logger.LogWarning(ex, "HistoryReadAtTime failed for {FullRef}", fullRef);
+                WriteInternalError(results, errors, i);
+            }
+        }
+    }
+
+    protected override void HistoryReadEvents(
+        ServerSystemContext context, ReadEventDetails details, TimestampsToReturn timestamps,
+        IList<HistoryReadValueId> nodesToRead, IList<OpcHistoryReadResult> results,
+        IList<ServiceResult> errors, List<NodeHandle> nodesToProcess,
+        IDictionary<NodeId, NodeState> cache)
+    {
+        if (History is null)
+        {
+            MarkAllUnsupported(nodesToProcess, results, errors);
+            return;
+        }
+
+        // SourceName filter extraction is deferred — EventFilter SelectClauses + WhereClause
+        // handling is a dedicated concern (proper per-select-clause Variant population + where
+        // filter evaluation). This PR treats the event query as "all events in range for the
+        // node's source" and populates only the standard BaseEventType fields. Richer filter
+        // handling is a follow-up; clients issuing empty/default filters get the right answer
+        // today which covers the common alarm-history browse case.
+        var maxEvents = (int)details.NumValuesPerNode;
+        if (maxEvents <= 0) maxEvents = 1000;
+
+        for (var n = 0; n < nodesToProcess.Count; n++)
+        {
+            var handle = nodesToProcess[n];
+            // NodeHandle.Index points back to the slot in the outer results/errors/nodesToRead
+            // arrays. nodesToProcess is the filtered subset (just the nodes this manager
+            // claimed), so writing to results[n] lands in the wrong slot when N > 1 and nodes
+            // are interleaved across multiple node managers.
+            var i = handle.Index;
+            // Event history queries may target a notifier object (e.g. the driver-root folder)
+            // rather than a specific variable — in that case we pass sourceName=null to mean
+            // "all sources in the driver's namespace" per the IHistoryProvider contract.
+            var fullRef = ResolveFullRef(handle);
+
+            try
+            {
+                var driverResult = History.ReadEventsAsync(
+                    sourceName: fullRef,
+                    startUtc: details.StartTime,
+                    endUtc: details.EndTime,
+                    maxEvents: maxEvents,
+                    cancellationToken: CancellationToken.None).GetAwaiter().GetResult();
+
+                WriteResult(results, errors, i, StatusCodes.Good,
+                    BuildHistoryEvent(driverResult.Events), driverResult.ContinuationPoint);
+            }
+            catch (NotSupportedException)
+            {
+                WriteUnsupported(results, errors, i);
+            }
+            catch (Exception ex)
+            {
+                _logger.LogWarning(ex, "HistoryReadEvents failed for {FullRef}", fullRef);
+                WriteInternalError(results, errors, i);
+            }
+        }
+    }
+
+    private string? ResolveFullRef(NodeHandle handle) => handle.NodeId?.Identifier as string;
+
+    // Both the results list AND the parallel errors list must be populated — MasterNodeManager
+    // merges them and the merged StatusCode is what the client sees. Leaving errors[i] at its
+    // default (BadHistoryOperationUnsupported) overrides a Good result with Unsupported, which
+    // masks a correctly-constructed HistoryData response. This was the subtle failure mode
+    // that cost most of PR 38's debugging budget.
+    private static void WriteResult(IList<OpcHistoryReadResult> results, IList<ServiceResult> errors,
+        int i, uint statusCode, ExtensionObject historyData, byte[]? continuationPoint)
+    {
+        results[i] = new OpcHistoryReadResult
+        {
+            StatusCode = statusCode,
+            HistoryData = historyData,
+            ContinuationPoint = continuationPoint,
+        };
+        errors[i] = statusCode == StatusCodes.Good
+            ? ServiceResult.Good
+            : new ServiceResult(statusCode);
+    }
+
+    private static void WriteUnsupported(IList<OpcHistoryReadResult> results, IList<ServiceResult> errors, int i)
+    {
+        results[i] = new OpcHistoryReadResult { StatusCode = StatusCodes.BadHistoryOperationUnsupported };
+        errors[i] = StatusCodes.BadHistoryOperationUnsupported;
+    }
+
+    private static void WriteInternalError(IList<OpcHistoryReadResult> results, IList<ServiceResult> errors, int i)
+    {
+        results[i] = new OpcHistoryReadResult { StatusCode = StatusCodes.BadInternalError };
+        errors[i] = StatusCodes.BadInternalError;
+    }
+
+    private static void WriteNodeIdUnknown(IList<OpcHistoryReadResult> results, IList<ServiceResult> errors, int i)
+    {
+        WriteNodeIdUnknown(results, errors, i);
+        errors[i] = StatusCodes.BadNodeIdUnknown;
+    }
+
+    private static void MarkAllUnsupported(
+        List<NodeHandle> nodes, IList<OpcHistoryReadResult> results, IList<ServiceResult> errors,
+        uint statusCode = StatusCodes.BadHistoryOperationUnsupported)
+    {
+        foreach (var handle in nodes)
+        {
+            results[handle.Index] = new OpcHistoryReadResult { StatusCode = statusCode };
+            errors[handle.Index] = statusCode == StatusCodes.Good ? ServiceResult.Good : new ServiceResult(statusCode);
+        }
+    }
+
+    /// <summary>
+    ///     Map the OPC UA Part 13 aggregate-function NodeId to the driver's
+    ///     <see cref="HistoryAggregateType"/>. Internal so the test suite can pin the mapping
+    ///     without exposing public API. Returns null for unsupported aggregates so the service
+    ///     handler can surface <c>BadAggregateNotSupported</c> on the whole batch.
+    /// </summary>
+    internal static HistoryAggregateType? MapAggregate(NodeId? aggregateNodeId)
+    {
+        if (aggregateNodeId is null) return null;
+
+        // Every AggregateFunction_* identifier is a numeric uint on the Server (0) namespace.
+        // Comparing NodeIds by value handles all the cross-encoding cases (expanded vs plain).
+        if (aggregateNodeId == ObjectIds.AggregateFunction_Average) return HistoryAggregateType.Average;
+        if (aggregateNodeId == ObjectIds.AggregateFunction_Minimum) return HistoryAggregateType.Minimum;
+        if (aggregateNodeId == ObjectIds.AggregateFunction_Maximum) return HistoryAggregateType.Maximum;
+        if (aggregateNodeId == ObjectIds.AggregateFunction_Total) return HistoryAggregateType.Total;
+        if (aggregateNodeId == ObjectIds.AggregateFunction_Count) return HistoryAggregateType.Count;
+        return null;
+    }
+
+    /// <summary>
+    ///     Wrap driver samples as <c>HistoryData</c> in an <c>ExtensionObject</c> — the on-wire
+    ///     shape the OPC UA HistoryRead service expects for raw / processed / at-time reads.
+    /// </summary>
+    internal static ExtensionObject BuildHistoryData(IReadOnlyList<DataValueSnapshot> samples)
+    {
+        var values = new DataValueCollection(samples.Count);
+        foreach (var s in samples) values.Add(ToDataValue(s));
+        return new ExtensionObject(new HistoryData { DataValues = values });
+    }
+
+    /// <summary>
+    ///     Wrap driver events as <c>HistoryEvent</c> in an <c>ExtensionObject</c>. Populates
+    ///     the minimum BaseEventType field set (SourceName, Message, Severity, Time,
+    ///     ReceiveTime, EventId) so clients that request the default
+    ///     <c>SimpleAttributeOperand</c> select-clauses see useful data. Custom EventFilter
+    ///     SelectClause evaluation is deferred — when a client sends a specific operand list,
+    ///     they currently get the standard fields back and ignore the extras. Documented on the
+    ///     public follow-up list.
+    /// </summary>
+    internal static ExtensionObject BuildHistoryEvent(IReadOnlyList<HistoricalEvent> events)
+    {
+        var fieldLists = new HistoryEventFieldListCollection(events.Count);
+        foreach (var e in events)
+        {
+            var fields = new VariantCollection
+            {
+                // Order must match BaseEventType's conventional field ordering so clients that
+                // didn't customize the SelectClauses still see recognizable columns. A future
+                // PR that respects the client's SelectClause list will drive this from the filter.
+                new Variant(e.EventId),
+                new Variant(e.SourceName ?? string.Empty),
+                new Variant(new LocalizedText(e.Message ?? string.Empty)),
+                new Variant(e.Severity),
+                new Variant(e.EventTimeUtc),
+                new Variant(e.ReceivedTimeUtc),
+            };
+            fieldLists.Add(new HistoryEventFieldList { EventFields = fields });
+        }
+        return new ExtensionObject(new HistoryEvent { Events = fieldLists });
+    }
+
+    internal static DataValue ToDataValue(DataValueSnapshot s)
+    {
+        var dv = new DataValue
+        {
+            Value = s.Value,
+            StatusCode = new StatusCode(s.StatusCode),
+            ServerTimestamp = s.ServerTimestampUtc,
+        };
+        if (s.SourceTimestampUtc.HasValue) dv.SourceTimestamp = s.SourceTimestampUtc.Value;
+        return dv;
+    }
 }

src/ZB.MOM.WW.OtOpcUa.Server/OpcUa/OtOpcUaServer.cs

@@ -97,7 +97,7 @@ public sealed class OtOpcUaServer : StandardServer
     ///     managers can gate writes by role via <c>session.Identity</c>. Anonymous identity still
     ///     uses the stack's default.
     /// </summary>
-    private sealed class RoleBasedIdentity : UserIdentity
+    private sealed class RoleBasedIdentity : UserIdentity, IRoleBearer
     {
         public IReadOnlyList<string> Roles { get; }
         public string? Display { get; }

src/ZB.MOM.WW.OtOpcUa.Server/Program.cs

@@ -1,8 +1,10 @@
+using Microsoft.EntityFrameworkCore;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
 using Microsoft.Extensions.Logging;
 using Serilog;
+using ZB.MOM.WW.OtOpcUa.Configuration;
 using ZB.MOM.WW.OtOpcUa.Configuration.LocalCache;
 using ZB.MOM.WW.OtOpcUa.Core.Hosting;
 using ZB.MOM.WW.OtOpcUa.Server;
@@ -72,5 +74,11 @@ builder.Services.AddSingleton<NodeBootstrap>();
 builder.Services.AddSingleton<OpcUaApplicationHost>();
 builder.Services.AddHostedService<OpcUaServerService>();
 
+// Central-config DB access for the host-status publisher (LMX follow-up #7). Scoped context
+// so per-heartbeat change-tracking stays isolated; publisher opens one scope per tick.
+builder.Services.AddDbContext<OtOpcUaConfigDbContext>(opt =>
+    opt.UseSqlServer(options.ConfigDbConnectionString));
+builder.Services.AddHostedService<HostStatusPublisher>();
+
 var host = builder.Build();
 await host.RunAsync();

src/ZB.MOM.WW.OtOpcUa.Server/Security/IRoleBearer.cs

@@ -0,0 +1,13 @@
+namespace ZB.MOM.WW.OtOpcUa.Server.Security;
+
+/// <summary>
+///     Minimal interface a <see cref="Opc.Ua.IUserIdentity"/> implementation can expose so
+///     <see cref="ZB.MOM.WW.OtOpcUa.Server.OpcUa.DriverNodeManager"/> can read the session's
+///     resolved roles without a hard dependency on any specific identity subtype. Implemented
+///     by <c>OtOpcUaServer.RoleBasedIdentity</c>; tests implement it with stub identities to
+///     drive the authz policy under different role sets.
+/// </summary>
+public interface IRoleBearer
+{
+    IReadOnlyList<string> Roles { get; }
+}

src/ZB.MOM.WW.OtOpcUa.Server/Security/LdapOptions.cs

@@ -2,11 +2,37 @@ namespace ZB.MOM.WW.OtOpcUa.Server.Security;
 
 /// <summary>
 ///     LDAP settings for the OPC UA server's UserName token validator. Bound from
-///     <c>appsettings.json</c> <c>OpcUaServer:Ldap</c>. Defaults match the GLAuth dev instance
-///     (localhost:3893, dc=lmxopcua,dc=local). Production deployments set <see cref="UseTls"/>
-///     true, populate <see cref="ServiceAccountDn"/> for search-then-bind, and maintain
-///     <see cref="GroupToRole"/> with the real LDAP group names.
+///     <c>appsettings.json</c> <c>OpcUaServer:Ldap</c>. Defaults target the GLAuth dev instance
+///     (localhost:3893, <c>dc=lmxopcua,dc=local</c>) for the stock inner-loop setup. Production
+///     deployments are expected to point at Active Directory; see <see cref="UserNameAttribute"/>
+///     and the per-field xml-docs for the AD-specific overrides.
 /// </summary>
+/// <remarks>
+///     <para><b>Active Directory cheat-sheet</b>:</para>
+///     <list type="bullet">
+///         <item><see cref="Server"/>: one of the domain controllers, or the domain FQDN (will round-robin DCs).</item>
+///         <item><see cref="Port"/>: <c>389</c> (LDAP) or <c>636</c> (LDAPS); use 636 + <see cref="UseTls"/> in production.</item>
+///         <item><see cref="UseTls"/>: <c>true</c>. AD increasingly rejects plain-LDAP bind under LDAP-signing enforcement.</item>
+///         <item><see cref="AllowInsecureLdap"/>: <c>false</c>. Dev escape hatch only.</item>
+///         <item><see cref="SearchBase"/>: <c>DC=corp,DC=example,DC=com</c> — your domain's base DN.</item>
+///         <item><see cref="ServiceAccountDn"/>: a dedicated service principal with read access to user + group entries
+///         (e.g. <c>CN=OpcUaSvc,OU=Service Accounts,DC=corp,DC=example,DC=com</c>). Never a privileged admin.</item>
+///         <item><see cref="UserNameAttribute"/>: <c>sAMAccountName</c> (classic login name) or <c>userPrincipalName</c>
+///         (user@domain form). Default is <c>uid</c> which AD does <b>not</b> populate, so this override is required.</item>
+///         <item><see cref="DisplayNameAttribute"/>: <c>displayName</c> gives the human name; <c>cn</c> works too but is less rich.</item>
+///         <item><see cref="GroupAttribute"/>: <c>memberOf</c> — matches AD's default. Values are full DNs
+///         (<c>CN=&lt;Group&gt;,OU=...,DC=...</c>); the authenticator strips the leading <c>CN=</c> RDN value and uses
+///         that as the lookup key in <see cref="GroupToRole"/>.</item>
+///         <item><see cref="GroupToRole"/>: maps your AD group common-names to OPC UA roles — e.g.
+///         <c>{"OPCUA-Operators" : "WriteOperate", "OPCUA-Engineers" : "WriteConfigure"}</c>.</item>
+///     </list>
+///     <para>
+///         Nested groups are <b>not</b> expanded — AD's <c>tokenGroups</c> / <c>LDAP_MATCHING_RULE_IN_CHAIN</c>
+///         membership-chain filter isn't used. Assign users directly to the role-mapped groups, or pre-flatten
+///         membership in your directory. If nested expansion becomes a requirement, it's an authenticator
+///         enhancement (not a config change).
+///     </para>
+/// </remarks>
 public sealed class LdapOptions
 {
     public bool Enabled { get; init; } = false;
@@ -23,6 +49,20 @@ public sealed class LdapOptions
     public string DisplayNameAttribute { get; init; } = "cn";
     public string GroupAttribute { get; init; } = "memberOf";
 
+    /// <summary>
+    ///     LDAP attribute used to match a login name against user entries in the directory.
+    ///     Defaults to <c>uid</c> (RFC 2307). Common overrides:
+    ///     <list type="bullet">
+    ///         <item><c>sAMAccountName</c> — Active Directory, classic NT-style login names (e.g. <c>jdoe</c>).</item>
+    ///         <item><c>userPrincipalName</c> — Active Directory, email-style (e.g. <c>jdoe@corp.example.com</c>).</item>
+    ///         <item><c>cn</c> — GLAuth + some OpenLDAP deployments where users are keyed by common-name.</item>
+    ///     </list>
+    ///     Used only when <see cref="ServiceAccountDn"/> is non-empty (search-then-bind path) —
+    ///     direct-bind fallback constructs the DN as <c>cn=&lt;name&gt;,&lt;SearchBase&gt;</c>
+    ///     regardless of this setting and is not a production-grade path against AD.
+    /// </summary>
+    public string UserNameAttribute { get; init; } = "uid";
+
     /// <summary>
     ///     LDAP group → OPC UA role. Each authenticated user gets every role whose source group
     ///     is in their membership list. Recognized role names (CLAUDE.md): <c>ReadOnly</c> (browse

src/ZB.MOM.WW.OtOpcUa.Server/Security/LdapUserAuthenticator.cs

@@ -106,7 +106,7 @@ public sealed class LdapUserAuthenticator(LdapOptions options, ILogger<LdapUserA
         {
             await Task.Run(() => conn.Bind(options.ServiceAccountDn, options.ServiceAccountPassword), ct);
 
-            var filter = $"(uid={EscapeLdapFilter(username)})";
+            var filter = $"({options.UserNameAttribute}={EscapeLdapFilter(username)})";
             var results = await Task.Run(() =>
                 conn.Search(options.SearchBase, LdapConnection.ScopeSub, filter, ["dn"], false), ct);
 

src/ZB.MOM.WW.OtOpcUa.Server/Security/WriteAuthzPolicy.cs

@@ -0,0 +1,70 @@
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.Security;
+
+/// <summary>
+///     Server-layer write-authorization policy. ACL enforcement lives here — drivers report
+///     <see cref="SecurityClassification"/> as discovery metadata only; the server decides
+///     whether a given session is allowed to write a given attribute by checking the session's
+///     roles (resolved at login via <see cref="LdapUserAuthenticator"/>) against the required
+///     role for the attribute's classification.
+/// </summary>
+/// <remarks>
+///     Matches the table in <c>docs/Configuration.md</c>:
+///     <list type="bullet">
+///         <item><c>FreeAccess</c>: no role required — anonymous sessions can write (matches v1 default).</item>
+///         <item><c>Operate</c> / <c>SecuredWrite</c>: <c>WriteOperate</c> role required.</item>
+///         <item><c>Tune</c>: <c>WriteTune</c> role required.</item>
+///         <item><c>VerifiedWrite</c> / <c>Configure</c>: <c>WriteConfigure</c> role required.</item>
+///         <item><c>ViewOnly</c>: no role grants write access.</item>
+///     </list>
+///     <c>AlarmAck</c> is checked at the alarm-acknowledge path, not here.
+/// </remarks>
+public static class WriteAuthzPolicy
+{
+    public const string RoleWriteOperate = "WriteOperate";
+    public const string RoleWriteTune = "WriteTune";
+    public const string RoleWriteConfigure = "WriteConfigure";
+
+    /// <summary>
+    ///     Decide whether a session with <paramref name="userRoles"/> is allowed to write to an
+    ///     attribute with the given <paramref name="classification"/>. Returns true for
+    ///     <c>FreeAccess</c> regardless of roles (including empty / anonymous sessions) and
+    ///     false for <c>ViewOnly</c> regardless of roles. Every other classification requires
+    ///     the session to carry the mapped role — case-insensitive match.
+    /// </summary>
+    public static bool IsAllowed(SecurityClassification classification, IReadOnlyCollection<string> userRoles)
+    {
+        if (classification == SecurityClassification.FreeAccess) return true;
+        if (classification == SecurityClassification.ViewOnly) return false;
+
+        var required = RequiredRole(classification);
+        if (required is null) return false;
+
+        foreach (var r in userRoles)
+        {
+            if (string.Equals(r, required, StringComparison.OrdinalIgnoreCase))
+                return true;
+        }
+        return false;
+    }
+
+    /// <summary>
+    ///     Required role for a classification, or null when no role grants access
+    ///     (<see cref="SecurityClassification.ViewOnly"/>) or no role is needed
+    ///     (<see cref="SecurityClassification.FreeAccess"/> — also returns null; callers use
+    ///     <see cref="IsAllowed"/> which handles the special-cases rather than branching on
+    ///     null themselves).
+    /// </summary>
+    public static string? RequiredRole(SecurityClassification classification) => classification switch
+    {
+        SecurityClassification.FreeAccess => null, // IsAllowed short-circuits
+        SecurityClassification.Operate => RoleWriteOperate,
+        SecurityClassification.SecuredWrite => RoleWriteOperate,
+        SecurityClassification.Tune => RoleWriteTune,
+        SecurityClassification.VerifiedWrite => RoleWriteConfigure,
+        SecurityClassification.Configure => RoleWriteConfigure,
+        SecurityClassification.ViewOnly => null, // IsAllowed short-circuits
+        _ => null,
+    };
+}

src/ZB.MOM.WW.OtOpcUa.Server/ZB.MOM.WW.OtOpcUa.Server.csproj

@@ -24,6 +24,7 @@
         <PackageReference Include="OPCFoundation.NetStandard.Opc.Ua.Server" Version="1.5.374.126"/>
         <PackageReference Include="OPCFoundation.NetStandard.Opc.Ua.Configuration" Version="1.5.374.126"/>
         <PackageReference Include="Novell.Directory.Ldap.NETStandard" Version="3.6.0"/>
+        <PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer" Version="10.0.0"/>
     </ItemGroup>
 
     <ItemGroup>

tests/ZB.MOM.WW.OtOpcUa.Admin.Tests/CertTrustServiceTests.cs

@@ -0,0 +1,153 @@
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
+using Microsoft.Extensions.Logging.Abstractions;
+using Microsoft.Extensions.Options;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Admin.Services;
+
+namespace ZB.MOM.WW.OtOpcUa.Admin.Tests;
+
+[Trait("Category", "Unit")]
+public sealed class CertTrustServiceTests : IDisposable
+{
+    private readonly string _root;
+
+    public CertTrustServiceTests()
+    {
+        _root = Path.Combine(Path.GetTempPath(), $"otopcua-cert-test-{Guid.NewGuid():N}");
+        Directory.CreateDirectory(Path.Combine(_root, "rejected", "certs"));
+        Directory.CreateDirectory(Path.Combine(_root, "trusted", "certs"));
+    }
+
+    public void Dispose()
+    {
+        if (Directory.Exists(_root)) Directory.Delete(_root, recursive: true);
+    }
+
+    private CertTrustService Service() => new(
+        Options.Create(new CertTrustOptions { PkiStoreRoot = _root }),
+        NullLogger<CertTrustService>.Instance);
+
+    private X509Certificate2 WriteTestCert(CertStoreKind kind, string subject)
+    {
+        using var rsa = RSA.Create(2048);
+        var req = new CertificateRequest($"CN={subject}", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
+        var cert = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));
+        var dir = Path.Combine(_root, kind == CertStoreKind.Rejected ? "rejected" : "trusted", "certs");
+        var path = Path.Combine(dir, $"{subject} [{cert.Thumbprint}].der");
+        File.WriteAllBytes(path, cert.Export(X509ContentType.Cert));
+        return cert;
+    }
+
+    [Fact]
+    public void ListRejected_returns_parsed_cert_info_for_each_der_in_rejected_certs_dir()
+    {
+        var c = WriteTestCert(CertStoreKind.Rejected, "test-client-A");
+
+        var rows = Service().ListRejected();
+
+        rows.Count.ShouldBe(1);
+        rows[0].Thumbprint.ShouldBe(c.Thumbprint);
+        rows[0].Subject.ShouldContain("test-client-A");
+        rows[0].Store.ShouldBe(CertStoreKind.Rejected);
+    }
+
+    [Fact]
+    public void ListTrusted_is_separate_from_rejected()
+    {
+        WriteTestCert(CertStoreKind.Rejected, "rej");
+        WriteTestCert(CertStoreKind.Trusted, "trust");
+
+        var svc = Service();
+        svc.ListRejected().Count.ShouldBe(1);
+        svc.ListTrusted().Count.ShouldBe(1);
+        svc.ListRejected()[0].Subject.ShouldContain("rej");
+        svc.ListTrusted()[0].Subject.ShouldContain("trust");
+    }
+
+    [Fact]
+    public void TrustRejected_moves_file_from_rejected_to_trusted()
+    {
+        var c = WriteTestCert(CertStoreKind.Rejected, "promoteme");
+        var svc = Service();
+
+        svc.TrustRejected(c.Thumbprint).ShouldBeTrue();
+
+        svc.ListRejected().ShouldBeEmpty();
+        var trusted = svc.ListTrusted();
+        trusted.Count.ShouldBe(1);
+        trusted[0].Thumbprint.ShouldBe(c.Thumbprint);
+    }
+
+    [Fact]
+    public void TrustRejected_returns_false_when_thumbprint_not_in_rejected()
+    {
+        var svc = Service();
+        svc.TrustRejected("00DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF").ShouldBeFalse();
+    }
+
+    [Fact]
+    public void DeleteRejected_removes_the_file()
+    {
+        var c = WriteTestCert(CertStoreKind.Rejected, "killme");
+        var svc = Service();
+
+        svc.DeleteRejected(c.Thumbprint).ShouldBeTrue();
+        svc.ListRejected().ShouldBeEmpty();
+    }
+
+    [Fact]
+    public void UntrustCert_removes_from_trusted_only()
+    {
+        var c = WriteTestCert(CertStoreKind.Trusted, "revoke");
+        var svc = Service();
+
+        svc.UntrustCert(c.Thumbprint).ShouldBeTrue();
+        svc.ListTrusted().ShouldBeEmpty();
+    }
+
+    [Fact]
+    public void Thumbprint_match_is_case_insensitive()
+    {
+        var c = WriteTestCert(CertStoreKind.Rejected, "case");
+        var svc = Service();
+
+        // X509Certificate2.Thumbprint is upper-case hex; operators pasting from logs often
+        // lowercase it. IsAllowed-style case-insensitive match keeps the UX forgiving.
+        svc.TrustRejected(c.Thumbprint.ToLowerInvariant()).ShouldBeTrue();
+    }
+
+    [Fact]
+    public void Missing_store_directories_produce_empty_lists_not_exceptions()
+    {
+        // Fresh root with no certs subfolder — service should tolerate a pristine install.
+        var altRoot = Path.Combine(Path.GetTempPath(), $"otopcua-cert-empty-{Guid.NewGuid():N}");
+        try
+        {
+            var svc = new CertTrustService(
+                Options.Create(new CertTrustOptions { PkiStoreRoot = altRoot }),
+                NullLogger<CertTrustService>.Instance);
+            svc.ListRejected().ShouldBeEmpty();
+            svc.ListTrusted().ShouldBeEmpty();
+        }
+        finally
+        {
+            if (Directory.Exists(altRoot)) Directory.Delete(altRoot, recursive: true);
+        }
+    }
+
+    [Fact]
+    public void Malformed_file_is_skipped_not_fatal()
+    {
+        // Drop junk bytes that don't parse as a cert into the rejected/certs directory. The
+        // service must skip it and still return the valid certs — one bad file can't take the
+        // whole management page offline.
+        File.WriteAllText(Path.Combine(_root, "rejected", "certs", "junk.der"), "not a cert");
+        var c = WriteTestCert(CertStoreKind.Rejected, "valid");
+
+        var rows = Service().ListRejected();
+        rows.Count.ShouldBe(1);
+        rows[0].Thumbprint.ShouldBe(c.Thumbprint);
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Configuration.Tests/DriverHostStatusTests.cs

@@ -0,0 +1,128 @@
+using Microsoft.EntityFrameworkCore;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Tests;
+
+/// <summary>
+///     End-to-end round-trip through the DB for the <see cref="DriverHostStatus"/> entity
+///     added in PR 33 — exercises the composite primary key (NodeId, DriverInstanceId,
+///     HostName), string-backed <c>DriverHostState</c> conversion, and the two indexes the
+///     Admin UI's drill-down queries will scan (NodeId, LastSeenUtc).
+/// </summary>
+[Trait("Category", "SchemaCompliance")]
+[Collection(nameof(SchemaComplianceCollection))]
+public sealed class DriverHostStatusTests(SchemaComplianceFixture fixture)
+{
+    [Fact]
+    public async Task Composite_key_allows_same_host_across_different_nodes_or_drivers()
+    {
+        await using var ctx = NewContext();
+
+        // Same HostName + DriverInstanceId across two different server nodes — classic 2-node
+        // redundancy case. Both rows must be insertable because each server node owns its own
+        // runtime view of the shared host.
+        var now = DateTime.UtcNow;
+        ctx.DriverHostStatuses.Add(new DriverHostStatus
+        {
+            NodeId = "node-a", DriverInstanceId = "galaxy-1", HostName = "GRPlatform",
+            State = DriverHostState.Running,
+            StateChangedUtc = now, LastSeenUtc = now,
+        });
+        ctx.DriverHostStatuses.Add(new DriverHostStatus
+        {
+            NodeId = "node-b", DriverInstanceId = "galaxy-1", HostName = "GRPlatform",
+            State = DriverHostState.Stopped,
+            StateChangedUtc = now, LastSeenUtc = now,
+            Detail = "secondary hasn't taken over yet",
+        });
+        // Same server node + host, different driver instance — second driver doesn't clobber.
+        ctx.DriverHostStatuses.Add(new DriverHostStatus
+        {
+            NodeId = "node-a", DriverInstanceId = "modbus-plc1", HostName = "GRPlatform",
+            State = DriverHostState.Running,
+            StateChangedUtc = now, LastSeenUtc = now,
+        });
+        await ctx.SaveChangesAsync();
+
+        var rows = await ctx.DriverHostStatuses.AsNoTracking()
+            .Where(r => r.HostName == "GRPlatform").ToListAsync();
+
+        rows.Count.ShouldBe(3);
+        rows.ShouldContain(r => r.NodeId == "node-a" && r.DriverInstanceId == "galaxy-1");
+        rows.ShouldContain(r => r.NodeId == "node-b" && r.State == DriverHostState.Stopped && r.Detail == "secondary hasn't taken over yet");
+        rows.ShouldContain(r => r.NodeId == "node-a" && r.DriverInstanceId == "modbus-plc1");
+    }
+
+    [Fact]
+    public async Task Upsert_pattern_for_same_key_updates_in_place()
+    {
+        // The publisher hosted service (follow-up PR) upserts on every transition +
+        // heartbeat. This test pins the two-step pattern it will use: check-then-add-or-update
+        // keyed on the composite PK. If the composite key ever changes, this test breaks
+        // loudly so the publisher gets a synchronized update.
+        await using var ctx = NewContext();
+        var t0 = DateTime.UtcNow;
+        ctx.DriverHostStatuses.Add(new DriverHostStatus
+        {
+            NodeId = "upsert-node", DriverInstanceId = "upsert-driver", HostName = "upsert-host",
+            State = DriverHostState.Running,
+            StateChangedUtc = t0, LastSeenUtc = t0,
+        });
+        await ctx.SaveChangesAsync();
+
+        var t1 = t0.AddSeconds(30);
+        await using (var ctx2 = NewContext())
+        {
+            var existing = await ctx2.DriverHostStatuses.SingleAsync(r =>
+                r.NodeId == "upsert-node" && r.DriverInstanceId == "upsert-driver" && r.HostName == "upsert-host");
+            existing.State = DriverHostState.Faulted;
+            existing.StateChangedUtc = t1;
+            existing.LastSeenUtc = t1;
+            existing.Detail = "transport reset by peer";
+            await ctx2.SaveChangesAsync();
+        }
+
+        await using var ctx3 = NewContext();
+        var final = await ctx3.DriverHostStatuses.AsNoTracking().SingleAsync(r =>
+            r.NodeId == "upsert-node" && r.HostName == "upsert-host");
+        final.State.ShouldBe(DriverHostState.Faulted);
+        final.Detail.ShouldBe("transport reset by peer");
+        // Only one row — a naive "always insert" would have created a duplicate PK and thrown.
+        (await ctx3.DriverHostStatuses.CountAsync(r => r.NodeId == "upsert-node")).ShouldBe(1);
+    }
+
+    [Fact]
+    public async Task Enum_persists_as_string_not_int()
+    {
+        // Fluent config sets HasConversion<string>() on State — the DB stores 'Running' /
+        // 'Stopped' / 'Faulted' / 'Unknown' as nvarchar(16). Verify by reading the raw
+        // string back via ADO; if someone drops the conversion the column will contain '1'
+        // / '2' / '3' and this assertion fails. Matters because DBAs inspecting the table
+        // directly should see readable state names, not enum ordinals.
+        await using var ctx = NewContext();
+        ctx.DriverHostStatuses.Add(new DriverHostStatus
+        {
+            NodeId = "enum-node", DriverInstanceId = "enum-driver", HostName = "enum-host",
+            State = DriverHostState.Faulted,
+            StateChangedUtc = DateTime.UtcNow, LastSeenUtc = DateTime.UtcNow,
+        });
+        await ctx.SaveChangesAsync();
+
+        await using var conn = fixture.OpenConnection();
+        using var cmd = conn.CreateCommand();
+        cmd.CommandText = "SELECT [State] FROM DriverHostStatus WHERE NodeId = 'enum-node'";
+        var rawValue = (string?)await cmd.ExecuteScalarAsync();
+        rawValue.ShouldBe("Faulted");
+    }
+
+    private OtOpcUaConfigDbContext NewContext()
+    {
+        var options = new DbContextOptionsBuilder<OtOpcUaConfigDbContext>()
+            .UseSqlServer(fixture.ConnectionString)
+            .Options;
+        return new OtOpcUaConfigDbContext(options);
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Configuration.Tests/SchemaComplianceTests.cs

@@ -28,6 +28,7 @@ public sealed class SchemaComplianceTests
             "Namespace", "UnsArea", "UnsLine",
             "DriverInstance", "Device", "Equipment", "Tag", "PollGroup",
             "NodeAcl", "ExternalIdReservation",
+            "DriverHostStatus",
         };
 
         var actual = QueryStrings(@"

tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Tests/AvevaPrerequisitesLiveTests.cs

@@ -0,0 +1,127 @@
+using System.Linq;
+using System.Threading;
+using System.Threading.Tasks;
+using Shouldly;
+using Xunit;
+using Xunit.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.TestSupport;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Tests
+{
+    /// <summary>
+    ///     Exercises <see cref="AvevaPrerequisites"/> against the live dev box so the helper
+    ///     itself gets integration coverage — i.e. "do the probes return Pass for things that
+    ///     really are Pass?" as validated against this machine's known-installed topology.
+    ///     Category <c>LiveGalaxy</c> so CI / clean dev boxes skip cleanly.
+    /// </summary>
+    [Trait("Category", "LiveGalaxy")]
+    public sealed class AvevaPrerequisitesLiveTests
+    {
+        private readonly ITestOutputHelper _output;
+
+        public AvevaPrerequisitesLiveTests(ITestOutputHelper output) => _output = output;
+
+        [Fact]
+        public async Task CheckAll_on_live_box_reports_Framework_install()
+        {
+            var report = await AvevaPrerequisites.CheckAllAsync();
+            _output.WriteLine(report.ToString());
+            report.Checks.ShouldContain(c =>
+                c.Name == "registry:ArchestrA.Framework" && c.Status == PrerequisiteStatus.Pass,
+                "ArchestrA Framework registry root should be found on this machine.");
+        }
+
+        [Fact]
+        public async Task CheckAll_on_live_box_reports_aaBootstrap_running()
+        {
+            var report = await AvevaPrerequisites.CheckAllAsync();
+            var bootstrap = report.Checks.FirstOrDefault(c => c.Name == "service:aaBootstrap");
+            bootstrap.ShouldNotBeNull();
+            bootstrap.Status.ShouldBe(PrerequisiteStatus.Pass,
+                $"aaBootstrap must be Running for any live-Galaxy test to work — detail: {bootstrap.Detail}");
+        }
+
+        [Fact]
+        public async Task CheckAll_on_live_box_reports_aaGR_running()
+        {
+            var report = await AvevaPrerequisites.CheckAllAsync();
+            var gr = report.Checks.FirstOrDefault(c => c.Name == "service:aaGR");
+            gr.ShouldNotBeNull();
+            gr.Status.ShouldBe(PrerequisiteStatus.Pass,
+                $"aaGR (Galaxy Repository) must be Running — detail: {gr.Detail}");
+        }
+
+        [Fact]
+        public async Task CheckAll_on_live_box_reports_MxAccess_COM_registered()
+        {
+            var report = await AvevaPrerequisites.CheckAllAsync();
+            var com = report.Checks.FirstOrDefault(c => c.Name == "com:LMXProxy");
+            com.ShouldNotBeNull();
+            com.Status.ShouldBe(PrerequisiteStatus.Pass,
+                $"LMXProxy.LMXProxyServer ProgID must resolve to an InprocServer32 DLL — detail: {com.Detail}");
+        }
+
+        [Fact]
+        public async Task CheckRepositoryOnly_on_live_box_reports_ZB_reachable()
+        {
+            var report = await AvevaPrerequisites.CheckRepositoryOnlyAsync(ct: CancellationToken.None);
+            var zb = report.Checks.FirstOrDefault(c => c.Name == "sql:ZB");
+            zb.ShouldNotBeNull();
+            zb.Status.ShouldBe(PrerequisiteStatus.Pass,
+                $"ZB database must be reachable via SQL Server Windows auth — detail: {zb.Detail}");
+        }
+
+        [Fact]
+        public async Task CheckRepositoryOnly_on_live_box_reports_non_zero_deployed_objects()
+        {
+            // This box has 49 deployed objects per the research; we just assert > 0 so adding/
+            // removing objects doesn't break the test.
+            var report = await AvevaPrerequisites.CheckRepositoryOnlyAsync();
+            var deployed = report.Checks.FirstOrDefault(c => c.Name == "sql:ZB.deployedObjects");
+            deployed.ShouldNotBeNull();
+            deployed.Status.ShouldBe(PrerequisiteStatus.Pass,
+                $"At least one deployed gobject should exist — detail: {deployed.Detail}");
+        }
+
+        [Fact]
+        public async Task Aveva_side_is_ready_on_this_machine()
+        {
+            // Narrower than "livetest ready" — our own services (OtOpcUa / OtOpcUaGalaxyHost)
+            // may not be installed on a developer's box while they're actively iterating on
+            // them, but the AVEVA side (Framework / Galaxy Repository / MXAccess COM /
+            // SQL / core services) should always be up on a machine with System Platform
+            // installed. This assertion is what gates live-Galaxy tests that go straight to
+            // the Galaxy Repository without routing through our stack.
+            var report = await AvevaPrerequisites.CheckAllAsync(
+                new AvevaPrerequisites.Options { CheckGalaxyHostPipe = false });
+            _output.WriteLine(report.ToString());
+            _output.WriteLine(report.Warnings ?? "no warnings");
+
+            // Enumerate AVEVA-side failures (if any) for an actionable assertion message.
+            var avevaFails = report.Checks
+                .Where(c => c.Status == PrerequisiteStatus.Fail &&
+                            c.Category != PrerequisiteCategory.OtOpcUaService)
+                .ToList();
+            report.IsAvevaSideReady.ShouldBeTrue(
+                avevaFails.Count == 0
+                    ? "unexpected state"
+                    : "AVEVA-side failures: " + string.Join(" ; ",
+                        avevaFails.Select(f => $"{f.Name}: {f.Detail}")));
+        }
+
+        [Fact]
+        public async Task Report_captures_OtOpcUa_services_state_even_when_not_installed()
+        {
+            // The helper reports the status of OtOpcUaGalaxyHost + OtOpcUa services even if
+            // they're not installed yet — absence is itself an actionable signal. This test
+            // doesn't assert Pass/Fail on those services (their state depends on what's
+            // installed when the test runs) — it only asserts the helper EMITTED the rows,
+            // so nobody can ship a prerequisite check that silently omits our own services.
+            var report = await AvevaPrerequisites.CheckAllAsync();
+
+            report.Checks.ShouldContain(c => c.Name == "service:OtOpcUaGalaxyHost");
+            report.Checks.ShouldContain(c => c.Name == "service:OtOpcUa");
+            report.Checks.ShouldContain(c => c.Name == "service:GLAuth");
+        }
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Tests/GalaxyRepositoryLiveSmokeTests.cs

@@ -6,6 +6,7 @@ using Xunit;
 using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend;
 using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Backend.Galaxy;
 using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared.Contracts;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.TestSupport;
 
 namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Tests
 {
@@ -16,6 +17,11 @@ namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Tests
     ///     SQL the v1 Host uses, proving the lift is byte-for-byte equivalent at the
     ///     <c>DiscoverHierarchyResponse</c> shape.
     /// </summary>
+    /// <remarks>
+    ///     Since PR 36, skip logic is delegated to <see cref="AvevaPrerequisites.CheckRepositoryOnlyAsync"/>
+    ///     so operators see exactly why a test skipped ("ZB db not found" vs "SQL Server
+    ///     unreachable") instead of a silent return.
+    /// </remarks>
     [Trait("Category", "LiveGalaxy")]
     public sealed class GalaxyRepositoryLiveSmokeTests
     {
@@ -26,15 +32,20 @@ namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Tests
             CommandTimeoutSeconds = 10,
         };
 
+        private static async Task<string?> RepositorySkipReasonAsync()
+        {
+            using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(4));
+            var report = await AvevaPrerequisites.CheckRepositoryOnlyAsync(
+                DevZbOptions().ConnectionString, cts.Token);
+            return report.SkipReason;
+        }
+
         private static async Task<bool> ZbReachableAsync()
         {
-            try
-            {
-                var repo = new GalaxyRepository(DevZbOptions());
-                using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(3));
-                return await repo.TestConnectionAsync(cts.Token);
-            }
-            catch { return false; }
+            // Legacy silent-skip adapter — keeps the existing tests compiling while
+            // gradually migrating to the Skip-with-reason pattern. Returns true when the
+            // prerequisite check has no Fail entries.
+            return (await RepositorySkipReasonAsync()) is null;
         }
 
         [Fact]

tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Tests.csproj

@@ -23,6 +23,7 @@
 
     <ItemGroup>
         <ProjectReference Include="..\..\src\ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host\ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.csproj"/>
+        <ProjectReference Include="..\ZB.MOM.WW.OtOpcUa.Driver.Galaxy.TestSupport\ZB.MOM.WW.OtOpcUa.Driver.Galaxy.TestSupport.csproj"/>
         <Reference Include="System.ServiceProcess"/>
         <!-- IMxProxy's delegate signatures mention ArchestrA.MxAccess.MXSTATUS_PROXY, so tests
              implementing the interface must resolve that type at compile time. -->

tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.Tests/HistoricalEventMappingTests.cs

@@ -0,0 +1,81 @@
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared.Contracts;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.Tests;
+
+/// <summary>
+///     Pins <see cref="GalaxyProxyDriver.ToHistoricalEvent"/> — the wire-to-domain mapping
+///     from <see cref="GalaxyHistoricalEvent"/> (MessagePack-annotated IPC contract,
+///     Unix-ms timestamps) to <c>Core.Abstractions.HistoricalEvent</c> (domain record,
+///     <see cref="DateTime"/> timestamps). Added in PR 35 alongside the new
+///     <c>IHistoryProvider.ReadEventsAsync</c> method.
+/// </summary>
+[Trait("Category", "Unit")]
+public sealed class HistoricalEventMappingTests
+{
+    [Fact]
+    public void Maps_every_field_from_wire_to_domain_record()
+    {
+        var wire = new GalaxyHistoricalEvent
+        {
+            EventId = "evt-42",
+            SourceName = "Tank1.HiAlarm",
+            EventTimeUtcUnixMs = 1_700_000_000_000L, // 2023-11-14T22:13:20.000Z
+            ReceivedTimeUtcUnixMs = 1_700_000_000_500L,
+            DisplayText = "High level reached",
+            Severity = 750,
+        };
+
+        var domain = GalaxyProxyDriver.ToHistoricalEvent(wire);
+
+        domain.EventId.ShouldBe("evt-42");
+        domain.SourceName.ShouldBe("Tank1.HiAlarm");
+        domain.EventTimeUtc.ShouldBe(new DateTime(2023, 11, 14, 22, 13, 20, DateTimeKind.Utc));
+        domain.ReceivedTimeUtc.ShouldBe(new DateTime(2023, 11, 14, 22, 13, 20, 500, DateTimeKind.Utc));
+        domain.Message.ShouldBe("High level reached");
+        domain.Severity.ShouldBe((ushort)750);
+    }
+
+    [Fact]
+    public void Preserves_null_SourceName_and_DisplayText()
+    {
+        // Historical rows from the Galaxy event historian often omit source or message for
+        // system events (e.g. time sync). The mapping must preserve null — callers use it to
+        // distinguish system events from alarm events.
+        var wire = new GalaxyHistoricalEvent
+        {
+            EventId = "sys-1",
+            SourceName = null,
+            EventTimeUtcUnixMs = 0,
+            ReceivedTimeUtcUnixMs = 0,
+            DisplayText = null,
+            Severity = 1,
+        };
+
+        var domain = GalaxyProxyDriver.ToHistoricalEvent(wire);
+
+        domain.SourceName.ShouldBeNull();
+        domain.Message.ShouldBeNull();
+    }
+
+    [Fact]
+    public void EventTime_and_ReceivedTime_are_produced_as_DateTimeKind_Utc()
+    {
+        // Unix-ms timestamps come off the wire timezone-agnostic; the mapping must tag the
+        // resulting DateTime as Utc so downstream serializers (JSON, OPC UA types) don't apply
+        // an unexpected local-time offset.
+        var wire = new GalaxyHistoricalEvent
+        {
+            EventId = "e",
+            EventTimeUtcUnixMs = 1_000L,
+            ReceivedTimeUtcUnixMs = 2_000L,
+        };
+
+        var domain = GalaxyProxyDriver.ToHistoricalEvent(wire);
+
+        domain.EventTimeUtc.Kind.ShouldBe(DateTimeKind.Utc);
+        domain.ReceivedTimeUtc.Kind.ShouldBe(DateTimeKind.Utc);
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.Tests/LiveStack/LiveStackConfig.cs

@@ -0,0 +1,75 @@
+using System.Runtime.InteropServices;
+using System.Runtime.Versioning;
+using Microsoft.Win32;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.Tests.LiveStack;
+
+/// <summary>
+///     Resolves the pipe name + shared secret the live <see cref="GalaxyProxyDriver"/> needs
+///     to connect to a running <c>OtOpcUaGalaxyHost</c> Windows service. Two sources are
+///     consulted, first match wins:
+///     <list type="number">
+///         <item>Explicit env vars (<c>OTOPCUA_GALAXY_PIPE</c>, <c>OTOPCUA_GALAXY_SECRET</c>) — lets CI / benchwork override.</item>
+///         <item>The service's per-process <c>Environment</c> registry values under
+///               <c>HKLM\SYSTEM\CurrentControlSet\Services\OtOpcUaGalaxyHost</c> — what
+///               <c>Install-Services.ps1</c> writes at install time. Requires the test to run as a
+///               principal with read access to that registry key (typically Administrators).</item>
+///     </list>
+/// </summary>
+/// <remarks>
+///     Explicitly NOT baked-in-to-source: the shared secret is rotated per install (the
+///     installer generates 32 random bytes and stores the base64 string). A hard-coded secret
+///     in tests would diverge from production the moment someone re-installed the service.
+/// </remarks>
+public sealed record LiveStackConfig(string PipeName, string SharedSecret, string? Source)
+{
+    public const string EnvPipeName = "OTOPCUA_GALAXY_PIPE";
+    public const string EnvSharedSecret = "OTOPCUA_GALAXY_SECRET";
+    public const string ServiceRegistryKey =
+        @"SYSTEM\CurrentControlSet\Services\OtOpcUaGalaxyHost";
+    public const string DefaultPipeName = "OtOpcUaGalaxy";
+
+    public static LiveStackConfig? Resolve()
+    {
+        var envPipe = Environment.GetEnvironmentVariable(EnvPipeName);
+        var envSecret = Environment.GetEnvironmentVariable(EnvSharedSecret);
+        if (!string.IsNullOrWhiteSpace(envPipe) && !string.IsNullOrWhiteSpace(envSecret))
+            return new LiveStackConfig(envPipe, envSecret, "env vars");
+
+        if (!RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
+            return null;
+
+        return FromServiceRegistry();
+    }
+
+    [SupportedOSPlatform("windows")]
+    private static LiveStackConfig? FromServiceRegistry()
+    {
+        try
+        {
+            using var key = Registry.LocalMachine.OpenSubKey(ServiceRegistryKey);
+            if (key is null) return null;
+            var env = key.GetValue("Environment") as string[];
+            if (env is null || env.Length == 0) return null;
+
+            string? pipe = null, secret = null;
+            foreach (var line in env)
+            {
+                var eq = line.IndexOf('=');
+                if (eq <= 0) continue;
+                var name = line[..eq];
+                var value = line[(eq + 1)..];
+                if (name.Equals(EnvPipeName, StringComparison.OrdinalIgnoreCase)) pipe = value;
+                else if (name.Equals(EnvSharedSecret, StringComparison.OrdinalIgnoreCase)) secret = value;
+            }
+
+            if (string.IsNullOrWhiteSpace(secret)) return null;
+            return new LiveStackConfig(pipe ?? DefaultPipeName, secret, "service registry");
+        }
+        catch
+        {
+            // Access denied / key missing / malformed — caller gets null and surfaces a Skip.
+            return null;
+        }
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.Tests/LiveStack/LiveStackFixture.cs

@@ -0,0 +1,164 @@
+using System.Runtime.InteropServices;
+using System.Runtime.Versioning;
+using System.Security.Principal;
+using System.Threading;
+using System.Threading.Tasks;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.TestSupport;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.Tests.LiveStack;
+
+/// <summary>
+///     Connects a single <see cref="GalaxyProxyDriver"/> to the already-running
+///     <c>OtOpcUaGalaxyHost</c> Windows service for the lifetime of a test class. Uses
+///     <see cref="AvevaPrerequisites"/> to decide whether to proceed; on failure,
+///     <see cref="SkipReason"/> is populated and each test calls <see cref="SkipIfUnavailable"/>
+///     to translate that into <c>Assert.Skip</c>.
+/// </summary>
+/// <remarks>
+///     <para>
+///         <b>Does NOT spawn the Host process.</b> Production deploys <c>OtOpcUaGalaxyHost</c>
+///         as a standalone Windows service — spawning a second instance from a test would
+///         bypass the COM-apartment + service-account setup and fail differently than
+///         production (see <c>project_galaxy_host_service.md</c> memory).
+///     </para>
+///     <para>
+///         <b>Shared-secret handling</b>: read from <see cref="LiveStackConfig"/> — env vars
+///         first, then the service's registry-stored <c>Environment</c> values. Requires
+///         the test process to have read access to
+///         <c>HKLM\SYSTEM\CurrentControlSet\Services\OtOpcUaGalaxyHost</c>; on a dev box
+///         that typically means running the test host elevated, or exporting
+///         <c>OTOPCUA_GALAXY_SECRET</c> out-of-band.
+///     </para>
+/// </remarks>
+public sealed class LiveStackFixture : IAsyncLifetime
+{
+    public GalaxyProxyDriver? Driver { get; private set; }
+
+    public string? SkipReason { get; private set; }
+
+    public PrerequisiteReport? PrerequisiteReport { get; private set; }
+
+    public LiveStackConfig? Config { get; private set; }
+
+    public async ValueTask InitializeAsync()
+    {
+        // 0. Elevated-shell short-circuit. The OtOpcUaGalaxyHost pipe ACL allows the configured
+        //    SID but explicitly DENIES Administrators (decision #76 — production hardening).
+        //    A test process running with a high-integrity token (any elevated shell) carries the
+        //    Admins group in its security context, so the deny rule trumps the user's allow and
+        //    the pipe connect returns UnauthorizedAccessException — technically correct but
+        //    the operationally confusing failure mode that ate most of the PR 37 install
+        //    debugging session. Surfacing it explicitly here saves the next operator the same
+        //    five-step diagnosis. ParityFixture has the same skip with the same rationale.
+        if (IsElevatedAdministratorOnWindows())
+        {
+            SkipReason =
+                "Test host is running with elevated (Administrators) privileges, but the " +
+                "OtOpcUaGalaxyHost named-pipe ACL explicitly denies Administrators per the IPC " +
+                "security design (decision #76 / PipeAcl.cs). Re-run from a NORMAL (non-admin) " +
+                "PowerShell window — even when your user is already in the pipe's allow list, " +
+                "the elevated token's Admins group membership trumps the allow rule.";
+            return;
+        }
+
+        // 1. AVEVA + OtOpcUa service state — actionable diagnostic if anything is missing.
+        using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(10));
+        PrerequisiteReport = await AvevaPrerequisites.CheckAllAsync(
+            new AvevaPrerequisites.Options { CheckGalaxyHostPipe = true, CheckHistorian = false },
+            cts.Token);
+
+        if (!PrerequisiteReport.IsLivetestReady)
+        {
+            SkipReason = PrerequisiteReport.SkipReason;
+            return;
+        }
+
+        // 2. Secret / pipe-name resolution. If the service is running but we can't discover its
+        //    env vars from registry (non-elevated test host), a clear message beats a silent
+        //    connect-rejected failure 10 seconds later.
+        Config = LiveStackConfig.Resolve();
+        if (Config is null)
+        {
+            SkipReason =
+                $"Cannot resolve shared secret. Set {LiveStackConfig.EnvSharedSecret} (and optionally " +
+                $"{LiveStackConfig.EnvPipeName}) in the environment, or run the test host elevated so it " +
+                $"can read HKLM\\{LiveStackConfig.ServiceRegistryKey}\\Environment.";
+            return;
+        }
+
+        // 3. Connect. InitializeAsync does the pipe connect + handshake; a 5-second
+        //    ConnectTimeout gives enough headroom for a service that just started.
+        Driver = new GalaxyProxyDriver(new GalaxyProxyOptions
+        {
+            DriverInstanceId = "live-stack-smoke",
+            PipeName = Config.PipeName,
+            SharedSecret = Config.SharedSecret,
+            ConnectTimeout = TimeSpan.FromSeconds(5),
+        });
+
+        try
+        {
+            await Driver.InitializeAsync(driverConfigJson: "{}", CancellationToken.None);
+        }
+        catch (Exception ex)
+        {
+            SkipReason =
+                $"Connected to named pipe '{Config.PipeName}' but GalaxyProxyDriver.InitializeAsync failed: " +
+                $"{ex.GetType().Name}: {ex.Message}. Common causes: shared secret mismatch (rotated after last install), " +
+                $"service account SID not in pipe ACL (installer sets OTOPCUA_ALLOWED_SID to the service account — " +
+                $"test must run as that user), or Host's backend couldn't connect to ZB.";
+            Driver.Dispose();
+            Driver = null;
+            return;
+        }
+    }
+
+    public async ValueTask DisposeAsync()
+    {
+        if (Driver is not null)
+        {
+            try { await Driver.ShutdownAsync(CancellationToken.None); } catch { /* best-effort */ }
+            Driver.Dispose();
+        }
+    }
+
+    /// <summary>
+    ///     Translate <see cref="SkipReason"/> into <c>Assert.Skip</c>. Tests call this at the
+    ///     top of every fact so a fixture init failure shows up as a cleanly-skipped test with
+    ///     the full prerequisites report, not a cascading NullReferenceException on
+    ///     <see cref="Driver"/>.
+    /// </summary>
+    public void SkipIfUnavailable()
+    {
+        if (SkipReason is not null) Assert.Skip(SkipReason);
+    }
+
+    private static bool IsElevatedAdministratorOnWindows()
+    {
+        if (!RuntimeInformation.IsOSPlatform(OSPlatform.Windows)) return false;
+        return CheckWindowsAdminToken();
+    }
+
+    [SupportedOSPlatform("windows")]
+    private static bool CheckWindowsAdminToken()
+    {
+        try
+        {
+            using var identity = WindowsIdentity.GetCurrent();
+            return new WindowsPrincipal(identity).IsInRole(WindowsBuiltInRole.Administrator);
+        }
+        catch
+        {
+            // Probe shouldn't crash the test; if we can't determine elevation, optimistically
+            // continue and let the actual pipe connect surface its own error.
+            return false;
+        }
+    }
+}
+
+[CollectionDefinition(Name)]
+public sealed class LiveStackCollection : ICollectionFixture<LiveStackFixture>
+{
+    public const string Name = "LiveStack";
+}

tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.Tests/LiveStack/LiveStackSmokeTests.cs

@@ -0,0 +1,282 @@
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading;
+using System.Threading.Tasks;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.Tests.LiveStack;
+
+/// <summary>
+///     End-to-end smoke against the installed <c>OtOpcUaGalaxyHost</c> Windows service.
+///     Closes LMX follow-up #5 — exercises the full topology: <see cref="GalaxyProxyDriver"/>
+///     in-process → named-pipe IPC → <c>OtOpcUaGalaxyHost</c> service → <c>MxAccessGalaxyBackend</c> →
+///     live MXAccess runtime → real Galaxy objects + attributes.
+/// </summary>
+/// <remarks>
+///     <para>
+///         <b>Preconditions</b> (all checked by <see cref="LiveStackFixture"/>, surfaced via
+///         <c>Assert.Skip</c> when missing):
+///     </para>
+///     <list type="bullet">
+///         <item>AVEVA System Platform installed + Platform deployed.</item>
+///         <item><c>aaBootstrap</c> / <c>aaGR</c> / <c>NmxSvc</c> / <c>MSSQLSERVER</c> running.</item>
+///         <item>MXAccess COM server registered.</item>
+///         <item>ZB database exists with at least one deployed gobject.</item>
+///         <item><c>OtOpcUaGalaxyHost</c> service installed + running (named pipe accepting connections).</item>
+///         <item>Shared secret discoverable via <c>OTOPCUA_GALAXY_SECRET</c> env var or the
+///               service's registry Environment values (test host typically needs to be elevated
+///               to read the latter).</item>
+///         <item>Test process runs as the account listed in the service's pipe ACL
+///               (<c>OTOPCUA_ALLOWED_SID</c>, typically the service account per decision #76).</item>
+///     </list>
+///     <para>
+///         Tests here are deliberately read-only. Writes against live Galaxy attributes are a
+///         separate concern — they need a test-only UDA or an agreed scratch tag so they can't
+///         accidentally mutate a process-critical value. Adding a write test is a follow-up
+///         PR that reuses this fixture.
+///     </para>
+/// </remarks>
+[Trait("Category", "LiveGalaxy")]
+[Collection(LiveStackCollection.Name)]
+public sealed class LiveStackSmokeTests(LiveStackFixture fixture)
+{
+    [Fact]
+    public void Fixture_initialized_successfully()
+    {
+        fixture.SkipIfUnavailable();
+        // If the fixture init succeeded, Driver is non-null and InitializeAsync completed.
+        // This is the cheapest possible assertion that the IPC handshake worked end-to-end;
+        // every other test in this class depends on it.
+        fixture.Driver.ShouldNotBeNull();
+        fixture.Config.ShouldNotBeNull();
+        fixture.PrerequisiteReport.ShouldNotBeNull();
+        fixture.PrerequisiteReport!.IsLivetestReady.ShouldBeTrue(fixture.PrerequisiteReport.SkipReason);
+    }
+
+    [Fact]
+    public void Driver_reports_Healthy_after_IPC_handshake()
+    {
+        fixture.SkipIfUnavailable();
+        var health = fixture.Driver!.GetHealth();
+        health.State.ShouldBe(DriverState.Healthy,
+            $"Expected Healthy after successful IPC connect; Reason={health.LastError}");
+    }
+
+    [Fact]
+    public async Task DiscoverAsync_returns_at_least_one_variable_from_live_galaxy()
+    {
+        fixture.SkipIfUnavailable();
+        var builder = new CapturingAddressSpaceBuilder();
+        using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(30));
+        await fixture.Driver!.DiscoverAsync(builder, cts.Token);
+
+        builder.Variables.Count.ShouldBeGreaterThan(0,
+            "Live Galaxy has > 0 deployed objects per the prereq check — at least one variable must be discovered. " +
+            "Zero usually means the Host couldn't read ZB (check OTOPCUA_GALAXY_ZB_CONN in the service Environment).");
+
+        // Every discovered attribute must carry a non-empty FullName so the OPC UA server can
+        // route reads/writes back. Regression guard — PR 19 normalized this across drivers.
+        builder.Variables.ShouldAllBe(v => !string.IsNullOrEmpty(v.AttributeInfo.FullName));
+    }
+
+    [Fact]
+    public void GetHostStatuses_reports_at_least_one_platform()
+    {
+        fixture.SkipIfUnavailable();
+        var statuses = fixture.Driver!.GetHostStatuses();
+        statuses.Count.ShouldBeGreaterThan(0,
+            "Live Galaxy must report at least one Platform/AppEngine host via IHostConnectivityProbe. " +
+            "Zero means the Host's probe loop hasn't completed its first tick or the Platform isn't deployed locally.");
+
+        // Host names are driver-opaque to the Core but non-empty by contract.
+        statuses.ShouldAllBe(h => !string.IsNullOrEmpty(h.HostName));
+    }
+
+    [Fact]
+    public async Task Can_read_a_discovered_variable_from_live_galaxy()
+    {
+        fixture.SkipIfUnavailable();
+        var builder = new CapturingAddressSpaceBuilder();
+        using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(30));
+        await fixture.Driver!.DiscoverAsync(builder, cts.Token);
+        builder.Variables.Count.ShouldBeGreaterThan(0);
+
+        // Pick the first discovered variable. Read-only smoke — we don't assert on Value,
+        // only that a ReadAsync round-trip through Proxy → Host pipe → MXAccess → back
+        // returns a snapshot with a non-BadInternalError status. Galaxy attributes default to
+        // Uncertain quality until the Engine's first scan publishes them, which is fine here.
+        var full = builder.Variables[0].AttributeInfo.FullName;
+        var snapshots = await fixture.Driver!.ReadAsync([full], cts.Token);
+
+        snapshots.Count.ShouldBe(1);
+        var snap = snapshots[0];
+        snap.StatusCode.ShouldNotBe(0x80020000u,
+            $"Read returned BadInternalError for {full} — the Host couldn't fulfil the request. " +
+            $"Investigate: the Host service's logs at {System.Environment.GetFolderPath(System.Environment.SpecialFolder.CommonApplicationData)}\\OtOpcUa\\Galaxy\\logs.");
+    }
+
+    [Fact]
+    public async Task Write_then_read_roundtrips_a_writable_Boolean_attribute_on_TestMachine_001()
+    {
+        // PR 40 — finishes LMX #5. Targets DelmiaReceiver_001.TestAttribute, the writable
+        // Boolean attribute on the TestMachine_001 hierarchy that the dev Galaxy was deployed
+        // with for exactly this kind of integration testing. We invert the current value and
+        // assert the new value comes back, then restore the original so the test is effectively
+        // idempotent (Galaxy holds the value across runs since it's a deployed UDA).
+        fixture.SkipIfUnavailable();
+        const string fullRef = "DelmiaReceiver_001.TestAttribute";
+        using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(30));
+
+        // Read current value first — gives the cleanup path the right baseline. Galaxy may
+        // return Uncertain quality until the Engine has scanned the attribute at least once;
+        // we don't read into a strongly-typed bool until Status is Good.
+        var before = (await fixture.Driver!.ReadAsync([fullRef], cts.Token))[0];
+        before.StatusCode.ShouldNotBe(0x80020000u, $"baseline read failed for {fullRef}: {before.Value}");
+        var originalBool = Convert.ToBoolean(before.Value ?? false);
+        var inverted = !originalBool;
+
+        try
+        {
+            // Write the inverted value via IWritable.
+            var writeResults = await fixture.Driver!.WriteAsync(
+                [new(fullRef, inverted)], cts.Token);
+            writeResults.Count.ShouldBe(1);
+            writeResults[0].StatusCode.ShouldBe(0u,
+                $"WriteAsync returned status 0x{writeResults[0].StatusCode:X8} for {fullRef} — " +
+                $"check the Host service log at %ProgramData%\\OtOpcUa\\Galaxy\\.");
+
+            // The Engine's scan + acknowledgement is async — read in a short loop with a 5s
+            // budget. Galaxy's attribute roundtrip on a dev box is typically sub-second but
+            // we give headroom for first-scan after a service restart.
+            DataValueSnapshot after = default!;
+            var deadline = DateTime.UtcNow.AddSeconds(5);
+            while (DateTime.UtcNow < deadline)
+            {
+                after = (await fixture.Driver!.ReadAsync([fullRef], cts.Token))[0];
+                if (after.StatusCode == 0u && Convert.ToBoolean(after.Value ?? false) == inverted) break;
+                await Task.Delay(200, cts.Token);
+            }
+            after.StatusCode.ShouldBe(0u, "post-write read failed");
+            Convert.ToBoolean(after.Value ?? false).ShouldBe(inverted,
+                $"Wrote {inverted} but Galaxy returned {after.Value} after the scan window.");
+        }
+        finally
+        {
+            // Restore — best-effort. If this throws the test still reports its primary result;
+            // we just leave a flipped TestAttribute on the dev box (benign, name says it all).
+            try { await fixture.Driver!.WriteAsync([new(fullRef, originalBool)], cts.Token); }
+            catch { /* swallow */ }
+        }
+    }
+
+    [Fact]
+    public async Task Subscribe_fires_OnDataChange_with_initial_value_then_again_after_a_write()
+    {
+        // Subscribe + write is the canonical "is the data path actually live" test for
+        // an OPC UA driver. We subscribe to the same Boolean attribute, expect an initial-
+        // value callback within a couple of seconds (per ISubscribable's contract — the
+        // driver MAY fire OnDataChange immediately with the current value), then write a
+        // distinct value and expect a second callback carrying the new value.
+        fixture.SkipIfUnavailable();
+        const string fullRef = "DelmiaReceiver_001.TestAttribute";
+        using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(30));
+
+        // Capture every OnDataChange notification for this fullRef onto a thread-safe queue
+        // we can poll from the test thread. Galaxy's MXAccess advisory fires on its own
+        // thread; we don't want to block it.
+        var notifications = new System.Collections.Concurrent.ConcurrentQueue<DataValueSnapshot>();
+        void Handler(object? sender, DataChangeEventArgs e)
+        {
+            if (string.Equals(e.FullReference, fullRef, StringComparison.OrdinalIgnoreCase))
+                notifications.Enqueue(e.Snapshot);
+        }
+        fixture.Driver!.OnDataChange += Handler;
+
+        // Read current value so we know which value to write to force a transition.
+        var before = (await fixture.Driver!.ReadAsync([fullRef], cts.Token))[0];
+        var originalBool = Convert.ToBoolean(before.Value ?? false);
+        var toWrite = !originalBool;
+
+        ISubscriptionHandle? handle = null;
+        try
+        {
+            handle = await fixture.Driver!.SubscribeAsync(
+                [fullRef], TimeSpan.FromMilliseconds(250), cts.Token);
+
+            // Wait for initial-value notification — typical < 1s on a hot Galaxy, give 5s.
+            await WaitForAsync(() => notifications.Count >= 1, TimeSpan.FromSeconds(5), cts.Token);
+            notifications.Count.ShouldBeGreaterThanOrEqualTo(1,
+                $"No initial-value OnDataChange for {fullRef} within 5s. " +
+                $"Either MXAccess subscription failed silently or the Engine hasn't scanned yet.");
+
+            // Drain the initial-value queue before writing so we count post-write deltas only.
+            var initialCount = notifications.Count;
+
+            // Write the toggled value. Engine scan + advisory fires the second callback.
+            var w = await fixture.Driver!.WriteAsync([new(fullRef, toWrite)], cts.Token);
+            w[0].StatusCode.ShouldBe(0u);
+
+            await WaitForAsync(() => notifications.Count > initialCount, TimeSpan.FromSeconds(8), cts.Token);
+            notifications.Count.ShouldBeGreaterThan(initialCount,
+                $"OnDataChange did not fire after writing {toWrite} to {fullRef} within 8s.");
+
+            // Find the post-write notification carrying the toggled value (initial value may
+            // appear multiple times before the write commits — search the tail).
+            var postWrite = notifications.ToArray().Reverse()
+                .FirstOrDefault(n => n.StatusCode == 0u && Convert.ToBoolean(n.Value ?? false) == toWrite);
+            postWrite.ShouldNotBe(default,
+                $"No OnDataChange carrying the toggled value {toWrite} appeared in the queue: " +
+                string.Join(",", notifications.Select(n => $"{n.Value}@{n.StatusCode:X8}")));
+        }
+        finally
+        {
+            fixture.Driver!.OnDataChange -= Handler;
+            if (handle is not null)
+            {
+                try { await fixture.Driver!.UnsubscribeAsync(handle, cts.Token); } catch { /* swallow */ }
+            }
+            // Restore baseline.
+            try { await fixture.Driver!.WriteAsync([new(fullRef, originalBool)], cts.Token); } catch { /* swallow */ }
+        }
+    }
+
+    private static async Task WaitForAsync(Func<bool> predicate, TimeSpan budget, CancellationToken ct)
+    {
+        var deadline = DateTime.UtcNow + budget;
+        while (DateTime.UtcNow < deadline)
+        {
+            if (predicate()) return;
+            await Task.Delay(100, ct);
+        }
+    }
+
+    /// <summary>
+    ///     Minimal <see cref="IAddressSpaceBuilder"/> implementation that captures every
+    ///     Variable() call into a flat list so tests can inspect what discovery produced
+    ///     without running the full OPC UA node-manager stack.
+    /// </summary>
+    private sealed class CapturingAddressSpaceBuilder : IAddressSpaceBuilder
+    {
+        public List<(string BrowseName, DriverAttributeInfo AttributeInfo)> Variables { get; } = [];
+
+        public IAddressSpaceBuilder Folder(string browseName, string displayName) => this;
+        public IVariableHandle Variable(string browseName, string displayName, DriverAttributeInfo attributeInfo)
+        {
+            Variables.Add((browseName, attributeInfo));
+            return new NoopHandle(attributeInfo.FullName);
+        }
+        public void AddProperty(string browseName, DriverDataType dataType, object? value) { }
+
+        private sealed class NoopHandle(string fullReference) : IVariableHandle
+        {
+            public string FullReference { get; } = fullReference;
+            public IAlarmConditionSink MarkAsAlarmCondition(AlarmConditionInfo info) => new NoopSink();
+            private sealed class NoopSink : IAlarmConditionSink
+            {
+                public void OnTransition(AlarmEventArgs args) { }
+            }
+        }
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.Tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.Tests.csproj

@@ -22,6 +22,7 @@
     <ItemGroup>
         <ProjectReference Include="..\..\src\ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy\ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.csproj"/>
         <ProjectReference Include="..\..\src\ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host\ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.csproj"/>
+        <ProjectReference Include="..\ZB.MOM.WW.OtOpcUa.Driver.Galaxy.TestSupport\ZB.MOM.WW.OtOpcUa.Driver.Galaxy.TestSupport.csproj"/>
     </ItemGroup>
 
     <ItemGroup>

tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.TestSupport/AvevaPrerequisites.cs

@@ -0,0 +1,163 @@
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.TestSupport.Probes;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.TestSupport;
+
+/// <summary>
+///     Entry point for live-AVEVA test fixtures. Runs every relevant probe and returns a
+///     <see cref="PrerequisiteReport"/> whose <c>SkipReason</c> feeds <c>Assert.Skip</c> when
+///     the environment isn't set up. Non-Windows hosts get a single aggregated Skip row per
+///     category instead of a flood of individual skips.
+/// </summary>
+/// <remarks>
+///     <para><b>Call shape</b>:</para>
+///     <code>
+///         var report = await AvevaPrerequisites.CheckAllAsync();
+///         if (report.SkipReason is not null) Assert.Skip(report.SkipReason);
+///     </code>
+///     <para><b>Categories in rough order of 'would I want to know first?'</b>:</para>
+///     <list type="number">
+///         <item>Environment — process bitness, OS platform, RPCSS up.</item>
+///         <item>AvevaInstall — Framework registry, install paths, no pending reboot.</item>
+///         <item>AvevaCoreService — aaBootstrap / aaGR / NmxSvc running.</item>
+///         <item>MxAccessCom — LMXProxy.LMXProxyServer ProgID → CLSID → file-on-disk.</item>
+///         <item>GalaxyRepository — SQL reachable, ZB exists, deployed-object count.</item>
+///         <item>OtOpcUaService — our two Windows services + GLAuth.</item>
+///         <item>AvevaSoftService — aaLogger etc., warn only.</item>
+///         <item>AvevaHistorian — aahClientAccessPoint etc., optional.</item>
+///     </list>
+///     <para><b>What's NOT checked here</b>: end-to-end subscribe / read / write against a real
+///     Galaxy tag. That's the job of the live-smoke tests this helper gates — the helper just
+///     tells them whether running is worthwhile.</para>
+/// </remarks>
+public static class AvevaPrerequisites
+{
+    // -------- Individual service lists (kept as data so tests can inspect / override) --------
+
+    /// <summary>Services whose absence means live-Galaxy tests can't run at all.</summary>
+    internal static readonly (string Name, string Purpose)[] CoreServices =
+    [
+        ("aaBootstrap", "master service that starts the Platform process + brokers aa* communication"),
+        ("aaGR", "Galaxy Repository host — mediates IDE / runtime access to ZB"),
+        ("NmxSvc", "Network Message Exchange — MXAccess + Bootstrap transport"),
+        ("MSSQLSERVER", "SQL Server instance that hosts the ZB database"),
+    ];
+
+    /// <summary>Warn-but-don't-fail AVEVA services.</summary>
+    internal static readonly (string Name, string Purpose)[] SoftServices =
+    [
+        ("aaLogger", "ArchestrA Logger — diagnostic log receiver; stack runs without it but error visibility suffers"),
+        ("aaUserValidator", "OS user/group auth for ArchestrA security; only required when Galaxy security mode isn't 'Open'"),
+        ("aaGlobalDataCacheMonitorSvr", "cross-platform global data cache; single-node dev boxes run fine without it"),
+    ];
+
+    /// <summary>Optional AVEVA Historian services — only required for HistoryRead IPC paths.</summary>
+    internal static readonly (string Name, string Purpose)[] HistorianServices =
+    [
+        ("aahClientAccessPoint", "AVEVA Historian Client Access Point — HistoryRead IPC endpoint"),
+        ("aahGateway", "AVEVA Historian Gateway"),
+    ];
+
+    /// <summary>OtOpcUa-stack Windows services + third-party deps we manage.</summary>
+    internal static readonly (string Name, string Purpose, bool HardRequired)[] OtOpcUaServices =
+    [
+        ("OtOpcUaGalaxyHost", "Galaxy.Host out-of-process service (net48 x86, STA + MXAccess)", true),
+        ("OtOpcUa", "Main OPC UA server service (hosts Proxy + DriverHost + Admin-facing DB publisher)", false),
+        ("GLAuth", "LDAP server (dev only) — glauth.exe on localhost:3893", false),
+    ];
+
+    // -------- Orchestrator --------
+
+    public static async Task<PrerequisiteReport> CheckAllAsync(
+        Options? options = null, CancellationToken ct = default)
+    {
+        options ??= new Options();
+        var checks = new List<PrerequisiteCheck>();
+
+        // Environment
+        checks.Add(MxAccessComProbe.CheckProcessBitness());
+
+        // AvevaInstall — registry + files
+        checks.Add(RegistryProbe.CheckFrameworkInstalled());
+        checks.Add(RegistryProbe.CheckPlatformDeployed());
+        checks.Add(RegistryProbe.CheckRebootPending());
+
+        // AvevaCoreService
+        foreach (var (name, purpose) in CoreServices)
+            checks.Add(ServiceProbe.Check(name, PrerequisiteCategory.AvevaCoreService, hardRequired: true, whatItDoes: purpose));
+
+        // MxAccessCom
+        checks.Add(MxAccessComProbe.Check());
+
+        // GalaxyRepository
+        checks.Add(await SqlProbe.CheckZbDatabaseAsync(options.SqlConnectionString, ct));
+        // Deployed-object count only makes sense if the DB check passed.
+        if (checks[checks.Count - 1].Status == PrerequisiteStatus.Pass)
+            checks.Add(await SqlProbe.CheckDeployedObjectCountAsync(options.SqlConnectionString, ct));
+
+        // OtOpcUaService
+        foreach (var (name, purpose, hard) in OtOpcUaServices)
+            checks.Add(ServiceProbe.Check(name, PrerequisiteCategory.OtOpcUaService, hardRequired: hard, whatItDoes: purpose));
+        if (options.CheckGalaxyHostPipe)
+            checks.Add(await NamedPipeProbe.CheckGalaxyHostPipeAsync(options.GalaxyHostPipeName, ct));
+
+        // AvevaSoftService
+        foreach (var (name, purpose) in SoftServices)
+            checks.Add(ServiceProbe.Check(name, PrerequisiteCategory.AvevaSoftService, hardRequired: false, whatItDoes: purpose));
+
+        // AvevaHistorian
+        if (options.CheckHistorian)
+        {
+            foreach (var (name, purpose) in HistorianServices)
+                checks.Add(ServiceProbe.Check(name, PrerequisiteCategory.AvevaHistorian, hardRequired: false, whatItDoes: purpose));
+        }
+
+        return new PrerequisiteReport(checks);
+    }
+
+    /// <summary>
+    ///     Narrower check for tests that only need the Galaxy Repository (SQL) path — don't
+    ///     pay the cost of probing every aa* service when the test only reads gobject rows.
+    /// </summary>
+    public static async Task<PrerequisiteReport> CheckRepositoryOnlyAsync(
+        string? sqlConnectionString = null, CancellationToken ct = default)
+    {
+        var checks = new List<PrerequisiteCheck>
+        {
+            await SqlProbe.CheckZbDatabaseAsync(sqlConnectionString, ct),
+        };
+        if (checks[0].Status == PrerequisiteStatus.Pass)
+            checks.Add(await SqlProbe.CheckDeployedObjectCountAsync(sqlConnectionString, ct));
+        return new PrerequisiteReport(checks);
+    }
+
+    /// <summary>
+    ///     Narrower check for the named-pipe endpoint — tests that drive the full Proxy
+    ///     against a live Galaxy.Host service don't need the SQL or AVEVA-internal probes
+    ///     (the Host does that work internally; we just need the pipe to accept).
+    /// </summary>
+    public static async Task<PrerequisiteReport> CheckGalaxyHostPipeOnlyAsync(
+        string? pipeName = null, CancellationToken ct = default)
+    {
+        var checks = new List<PrerequisiteCheck>
+        {
+            await NamedPipeProbe.CheckGalaxyHostPipeAsync(pipeName, ct),
+        };
+        return new PrerequisiteReport(checks);
+    }
+
+    /// <summary>Knobs for <see cref="CheckAllAsync"/>.</summary>
+    public sealed class Options
+    {
+        /// <summary>SQL Server connection string — defaults to Windows-auth <c>localhost\ZB</c>.</summary>
+        public string? SqlConnectionString { get; init; }
+
+        /// <summary>Named-pipe endpoint for OtOpcUaGalaxyHost — defaults to <c>OtOpcUaGalaxy</c>.</summary>
+        public string? GalaxyHostPipeName { get; init; }
+
+        /// <summary>Include the named-pipe probe. Off by default — it's a seconds-long TCP-like probe and some tests don't need it.</summary>
+        public bool CheckGalaxyHostPipe { get; init; } = true;
+
+        /// <summary>Include Historian service probes. Off by default — Historian is optional.</summary>
+        public bool CheckHistorian { get; init; } = false;
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.TestSupport/Net48Polyfills.cs

@@ -0,0 +1,26 @@
+#if NET48
+// Polyfills for C# 9+ language features that the helper uses but that net48 BCL doesn't
+// provide. Keeps the sources single-target-free at the language level — the same .cs files
+// build on both frameworks without preprocessor guards in the callsites.
+
+namespace System.Runtime.CompilerServices
+{
+    /// <summary>Required by C# 9 <c>init</c>-only setters and <c>record</c> types.</summary>
+    internal static class IsExternalInit { }
+}
+
+namespace System.Runtime.Versioning
+{
+    /// <summary>
+    ///     Minimal shim for the .NET 5+ <c>SupportedOSPlatformAttribute</c>. Pure marker for the
+    ///     compiler on net10; on net48 we still want the attribute to exist so the same
+    ///     <c>[SupportedOSPlatform("windows")]</c> source compiles. The attribute is internal
+    ///     and attribute-targets-everything to minimize surface.
+    /// </summary>
+    [AttributeUsage(AttributeTargets.All, Inherited = false, AllowMultiple = true)]
+    internal sealed class SupportedOSPlatformAttribute(string platformName) : Attribute
+    {
+        public string PlatformName { get; } = platformName;
+    }
+}
+#endif

tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.TestSupport/PrerequisiteCheck.cs

@@ -0,0 +1,44 @@
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.TestSupport;
+
+/// <summary>One prerequisite probe's outcome. <see cref="AvevaPrerequisites"/> returns many of these.</summary>
+/// <param name="Name">Short diagnostic id — e.g. <c>service:aaBootstrap</c>, <c>sql:ZB</c>, <c>registry:ArchestrA.Framework</c>.</param>
+/// <param name="Category">Which subsystem the probe belongs to — lets callers filter (e.g. "Historian warns don't gate the core Galaxy smoke").</param>
+/// <param name="Status">Outcome.</param>
+/// <param name="Detail">One-line specific message an operator can act on — <c>"aaGR not installed — install the Galaxy Repository role from the System Platform setup"</c> beats <c>"failed"</c>.</param>
+public sealed record PrerequisiteCheck(
+    string Name,
+    PrerequisiteCategory Category,
+    PrerequisiteStatus Status,
+    string Detail);
+
+public enum PrerequisiteStatus
+{
+    /// <summary>Prerequisite is met; no action needed.</summary>
+    Pass,
+    /// <summary>Soft dependency missing — stack still runs but some feature (e.g. logging) is degraded.</summary>
+    Warn,
+    /// <summary>Hard dependency missing — live tests can't proceed; <see cref="PrerequisiteReport.SkipReason"/> surfaces this.</summary>
+    Fail,
+    /// <summary>Probe wasn't applicable in this environment (e.g. non-Windows host, Historian not installed).</summary>
+    Skip,
+}
+
+public enum PrerequisiteCategory
+{
+    /// <summary>Platform sanity — process bitness, OS platform, DCOM/RPCSS.</summary>
+    Environment,
+    /// <summary>Hard-required AVEVA Windows services (aaBootstrap, aaGR, NmxSvc).</summary>
+    AvevaCoreService,
+    /// <summary>Soft-required AVEVA Windows services (aaLogger, aaUserValidator) — warn only.</summary>
+    AvevaSoftService,
+    /// <summary>ArchestrA Framework install markers (registry + files).</summary>
+    AvevaInstall,
+    /// <summary>MXAccess COM server registration + file on disk.</summary>
+    MxAccessCom,
+    /// <summary>SQL Server reachability + ZB database presence + deployed-object count.</summary>
+    GalaxyRepository,
+    /// <summary>Historian services (optional — only required for HistoryRead IPC paths).</summary>
+    AvevaHistorian,
+    /// <summary>OtOpcUa-side services (OtOpcUa, OtOpcUaGalaxyHost) + third-party deps (GLAuth).</summary>
+    OtOpcUaService,
+}

tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.TestSupport/PrerequisiteReport.cs

@@ -0,0 +1,94 @@
+using System.Text;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.TestSupport;
+
+/// <summary>
+///     Aggregated result of an <see cref="AvevaPrerequisites.CheckAll"/> run. Test fixtures
+///     typically call <see cref="SkipReason"/> to produce the argument for xUnit's
+///     <c>Assert.Skip</c> when any hard dependency failed.
+/// </summary>
+public sealed class PrerequisiteReport
+{
+    public IReadOnlyList<PrerequisiteCheck> Checks { get; }
+
+    public PrerequisiteReport(IEnumerable<PrerequisiteCheck> checks)
+    {
+        Checks = [.. checks];
+    }
+
+    /// <summary>True when every probe is Pass / Warn / Skip — no Fail entries.</summary>
+    public bool IsLivetestReady => !Checks.Any(c => c.Status == PrerequisiteStatus.Fail);
+
+    /// <summary>
+    ///     True when only the AVEVA-side probes pass — ignores failures in the
+    ///     <see cref="PrerequisiteCategory.OtOpcUaService"/> category. Lets a live-test gate
+    ///     say "AVEVA is ready even if the v2 services aren't installed yet" without
+    ///     conflating the two. Useful for tests that exercise Galaxy directly (e.g.
+    ///     <see cref="GalaxyRepositoryLiveSmokeTests"/>) rather than through our stack.
+    /// </summary>
+    public bool IsAvevaSideReady =>
+        !Checks.Any(c => c.Status == PrerequisiteStatus.Fail && c.Category != PrerequisiteCategory.OtOpcUaService);
+
+    /// <summary>
+    ///     Multi-line message for <c>Assert.Skip</c> when a hard dependency isn't met. Returns
+    ///     null when <see cref="IsLivetestReady"/> is true.
+    /// </summary>
+    public string? SkipReason
+    {
+        get
+        {
+            var fails = Checks.Where(c => c.Status == PrerequisiteStatus.Fail).ToList();
+            if (fails.Count == 0) return null;
+
+            var sb = new StringBuilder();
+            sb.AppendLine($"Live-AVEVA prerequisites not met ({fails.Count} failed):");
+            foreach (var f in fails)
+                sb.AppendLine($"  • [{f.Category}] {f.Name} — {f.Detail}");
+            sb.Append("Run `Get-Service aa*` / `sqlcmd -S localhost -d ZB -E -Q \"SELECT 1\"` to triage.");
+            return sb.ToString();
+        }
+    }
+
+    /// <summary>
+    ///     Human-readable summary of warnings — caller decides whether to log or ignore. Useful
+    ///     when a live test does pass but an operator should know their environment is degraded.
+    /// </summary>
+    public string? Warnings
+    {
+        get
+        {
+            var warns = Checks.Where(c => c.Status == PrerequisiteStatus.Warn).ToList();
+            if (warns.Count == 0) return null;
+
+            var sb = new StringBuilder();
+            sb.AppendLine($"AVEVA prerequisites with warnings ({warns.Count}):");
+            foreach (var w in warns)
+                sb.AppendLine($"  • [{w.Category}] {w.Name} — {w.Detail}");
+            return sb.ToString();
+        }
+    }
+
+    /// <summary>
+    ///     Throw <see cref="InvalidOperationException"/> if any <paramref name="categories"/>
+    ///     contain a Fail — useful when a specific test needs, say, Galaxy Repository but doesn't
+    ///     care about Historian. Call before <c>Assert.Skip</c> if you want to be strict.
+    /// </summary>
+    public void RequireCategories(params PrerequisiteCategory[] categories)
+    {
+        var set = categories.ToHashSet();
+        var fails = Checks.Where(c => c.Status == PrerequisiteStatus.Fail && set.Contains(c.Category)).ToList();
+        if (fails.Count == 0) return;
+
+        var detail = string.Join("; ", fails.Select(f => $"{f.Name}: {f.Detail}"));
+        throw new InvalidOperationException($"Required prerequisite categories failed: {detail}");
+    }
+
+    public override string ToString()
+    {
+        var sb = new StringBuilder();
+        sb.AppendLine($"PrerequisiteReport: {Checks.Count} checks");
+        foreach (var c in Checks)
+            sb.AppendLine($"  [{c.Status,-4}] {c.Category}/{c.Name}: {c.Detail}");
+        return sb.ToString();
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.TestSupport/Probes/MxAccessComProbe.cs

@@ -0,0 +1,102 @@
+using System.Runtime.InteropServices;
+using System.Runtime.Versioning;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.TestSupport.Probes;
+
+/// <summary>
+///     Confirms MXAccess COM server registration by resolving the
+///     <c>LMXProxy.LMXProxyServer</c> ProgID to its CLSID, then checking that the CLSID's
+///     32-bit <c>InprocServer32</c> entry points at a file that exists on disk.
+/// </summary>
+/// <remarks>
+///     A common failure mode on partial installs: ProgID is registered but the CLSID
+///     InprocServer32 DLL is missing (previous install uninstalled but registry orphan remains).
+///     This probe surfaces that case with an actionable message instead of the
+///     <c>0x80040154 REGDB_E_CLASSNOTREG</c> you'd see from a late COM activation failure.
+/// </remarks>
+public static class MxAccessComProbe
+{
+    public const string ProgId = "LMXProxy.LMXProxyServer";
+    public const string VersionedProgId = "LMXProxy.LMXProxyServer.1";
+
+    public static PrerequisiteCheck Check()
+    {
+        if (!RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
+        {
+            return new PrerequisiteCheck("com:LMXProxy", PrerequisiteCategory.MxAccessCom,
+                PrerequisiteStatus.Skip, "COM registration probes only run on Windows.");
+        }
+        return CheckWindows();
+    }
+
+    [SupportedOSPlatform("windows")]
+    private static PrerequisiteCheck CheckWindows()
+    {
+        try
+        {
+            var (clsid, dll) = RegistryProbe.ResolveProgIdToInproc(ProgId);
+            if (clsid is null)
+            {
+                return new PrerequisiteCheck("com:LMXProxy", PrerequisiteCategory.MxAccessCom,
+                    PrerequisiteStatus.Fail,
+                    $"ProgID {ProgId} not registered — MXAccess COM server isn't installed. " +
+                    $"Install System Platform's MXAccess component and re-run.");
+            }
+
+            if (string.IsNullOrWhiteSpace(dll))
+            {
+                return new PrerequisiteCheck("com:LMXProxy", PrerequisiteCategory.MxAccessCom,
+                    PrerequisiteStatus.Fail,
+                    $"ProgID {ProgId} → CLSID {clsid} but InprocServer32 is empty. " +
+                    $"Registry is orphaned; re-register with: regsvr32 /s LmxProxy.dll (from an elevated cmd in the Framework bin dir).");
+            }
+
+            // Resolve the recorded path — sometimes registered as a bare filename that the COM
+            // runtime resolves via the current process's DLL-search path. Accept either an
+            // absolute path that exists, or a bare filename whose resolution we can't verify
+            // without loading it (treat as Pass-with-note).
+            if (Path.IsPathRooted(dll))
+            {
+                if (!File.Exists(dll))
+                {
+                    return new PrerequisiteCheck("com:LMXProxy", PrerequisiteCategory.MxAccessCom,
+                        PrerequisiteStatus.Fail,
+                        $"ProgID {ProgId} → CLSID {clsid} → InprocServer32 {dll}, but the file is missing. " +
+                        $"Re-install the Framework or restore from backup.");
+                }
+                return new PrerequisiteCheck("com:LMXProxy", PrerequisiteCategory.MxAccessCom,
+                    PrerequisiteStatus.Pass,
+                    $"ProgID {ProgId} → {dll} (file exists).");
+            }
+
+            return new PrerequisiteCheck("com:LMXProxy", PrerequisiteCategory.MxAccessCom,
+                PrerequisiteStatus.Pass,
+                $"ProgID {ProgId} → {dll} (bare filename — relies on PATH resolution at COM activation time).");
+        }
+        catch (Exception ex)
+        {
+            return new PrerequisiteCheck("com:LMXProxy", PrerequisiteCategory.MxAccessCom,
+                PrerequisiteStatus.Warn,
+                $"Probe failed: {ex.GetType().Name}: {ex.Message}");
+        }
+    }
+
+    /// <summary>
+    ///     Warn when running as a 64-bit process — MXAccess COM activation will fail with
+    ///     <c>0x80040154</c> regardless of registration state. The production drivers run net48
+    ///     x86; xunit hosts run 64-bit by default so this often surfaces first.
+    /// </summary>
+    public static PrerequisiteCheck CheckProcessBitness()
+    {
+        if (Environment.Is64BitProcess)
+        {
+            return new PrerequisiteCheck("env:ProcessBitness", PrerequisiteCategory.Environment,
+                PrerequisiteStatus.Warn,
+                "Test host is 64-bit. Direct MXAccess COM activation would fail with REGDB_E_CLASSNOTREG (0x80040154); " +
+                "the production driver workaround is to run Galaxy.Host as a 32-bit process. Tests that only " +
+                "talk to the Host service over the named pipe aren't affected.");
+        }
+        return new PrerequisiteCheck("env:ProcessBitness", PrerequisiteCategory.Environment,
+            PrerequisiteStatus.Pass, "Test host is 32-bit.");
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.TestSupport/Probes/NamedPipeProbe.cs

@@ -0,0 +1,59 @@
+using System.IO.Pipes;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.TestSupport.Probes;
+
+/// <summary>
+///     Verifies the <c>OtOpcUaGalaxyHost</c> named-pipe endpoint is accepting connections —
+///     the handshake the Proxy performs at boot. A clean pipe connect without sending any
+///     framed message proves the Host service is listening; we disconnect immediately so we
+///     don't consume a session slot.
+/// </summary>
+/// <remarks>
+///     Default pipe name matches the installer script's <c>OTOPCUA_GALAXY_PIPE</c> default.
+///     Override when the Host service was installed with a non-default name (custom deployments).
+/// </remarks>
+public static class NamedPipeProbe
+{
+    public const string DefaultGalaxyHostPipeName = "OtOpcUaGalaxy";
+
+    public static async Task<PrerequisiteCheck> CheckGalaxyHostPipeAsync(
+        string? pipeName = null, CancellationToken ct = default)
+    {
+        pipeName ??= DefaultGalaxyHostPipeName;
+        try
+        {
+            using var client = new NamedPipeClientStream(
+                serverName: ".",
+                pipeName: pipeName,
+                direction: PipeDirection.InOut,
+                options: PipeOptions.Asynchronous);
+            using var cts = CancellationTokenSource.CreateLinkedTokenSource(ct);
+            cts.CancelAfter(TimeSpan.FromSeconds(2));
+            await client.ConnectAsync(cts.Token);
+
+            return new PrerequisiteCheck("pipe:OtOpcUaGalaxyHost", PrerequisiteCategory.OtOpcUaService,
+                PrerequisiteStatus.Pass,
+                $@"Pipe \\.\pipe\{pipeName} accepted a connection — OtOpcUaGalaxyHost is listening.");
+        }
+        catch (OperationCanceledException)
+        {
+            return new PrerequisiteCheck("pipe:OtOpcUaGalaxyHost", PrerequisiteCategory.OtOpcUaService,
+                PrerequisiteStatus.Fail,
+                $@"Pipe \\.\pipe\{pipeName} not connectable within 2s — OtOpcUaGalaxyHost service isn't running. " +
+                "Start with: sc.exe start OtOpcUaGalaxyHost");
+        }
+        catch (TimeoutException)
+        {
+            return new PrerequisiteCheck("pipe:OtOpcUaGalaxyHost", PrerequisiteCategory.OtOpcUaService,
+                PrerequisiteStatus.Fail,
+                $@"Pipe \\.\pipe\{pipeName} connect timed out — service may be starting or stuck. " +
+                "Check: sc.exe query OtOpcUaGalaxyHost");
+        }
+        catch (Exception ex)
+        {
+            return new PrerequisiteCheck("pipe:OtOpcUaGalaxyHost", PrerequisiteCategory.OtOpcUaService,
+                PrerequisiteStatus.Fail,
+                $@"Pipe \\.\pipe\{pipeName} connect failed: {ex.GetType().Name}: {ex.Message}");
+        }
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.TestSupport/Probes/RegistryProbe.cs

@@ -0,0 +1,162 @@
+using System.Runtime.InteropServices;
+using System.Runtime.Versioning;
+using Microsoft.Win32;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.TestSupport.Probes;
+
+/// <summary>
+///     Reads HKLM registry keys to confirm ArchestrA Framework / System Platform install
+///     markers. Matches the registered paths documented in
+///     <c>docs/v2/implementation/</c> — System Platform is 32-bit so keys live under
+///     <c>HKLM\SOFTWARE\WOW6432Node\ArchestrA\...</c>.
+/// </summary>
+public static class RegistryProbe
+{
+    // Canonical install roots per the research on our dev box (System Platform 2020 R2).
+    public const string ArchestrARootKey = @"SOFTWARE\WOW6432Node\ArchestrA";
+    public const string FrameworkKey = @"SOFTWARE\WOW6432Node\ArchestrA\Framework";
+    public const string PlatformKey = @"SOFTWARE\WOW6432Node\ArchestrA\Framework\Platform";
+    public const string MsiInstallKey = @"SOFTWARE\WOW6432Node\ArchestrA\MSIInstall";
+
+    public static PrerequisiteCheck CheckFrameworkInstalled()
+    {
+        if (!RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
+        {
+            return new PrerequisiteCheck("registry:ArchestrA.Framework", PrerequisiteCategory.AvevaInstall,
+                PrerequisiteStatus.Skip, "Registry probes only run on Windows.");
+        }
+        return FrameworkInstalledWindows();
+    }
+
+    public static PrerequisiteCheck CheckPlatformDeployed()
+    {
+        if (!RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
+        {
+            return new PrerequisiteCheck("registry:ArchestrA.Platform", PrerequisiteCategory.AvevaInstall,
+                PrerequisiteStatus.Skip, "Registry probes only run on Windows.");
+        }
+        return PlatformDeployedWindows();
+    }
+
+    public static PrerequisiteCheck CheckRebootPending()
+    {
+        if (!RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
+        {
+            return new PrerequisiteCheck("registry:ArchestrA.RebootPending", PrerequisiteCategory.AvevaInstall,
+                PrerequisiteStatus.Skip, "Registry probes only run on Windows.");
+        }
+        return RebootPendingWindows();
+    }
+
+    [SupportedOSPlatform("windows")]
+    private static PrerequisiteCheck FrameworkInstalledWindows()
+    {
+        try
+        {
+            using var key = Registry.LocalMachine.OpenSubKey(FrameworkKey);
+            if (key is null)
+            {
+                return new PrerequisiteCheck("registry:ArchestrA.Framework", PrerequisiteCategory.AvevaInstall,
+                    PrerequisiteStatus.Fail,
+                    $"Missing {FrameworkKey} — ArchestrA Framework isn't installed. Install AVEVA System Platform from the setup media.");
+            }
+
+            var installPath = key.GetValue("InstallPath") as string;
+            var rootPath = key.GetValue("RootPath") as string;
+            if (string.IsNullOrWhiteSpace(installPath) || string.IsNullOrWhiteSpace(rootPath))
+            {
+                return new PrerequisiteCheck("registry:ArchestrA.Framework", PrerequisiteCategory.AvevaInstall,
+                    PrerequisiteStatus.Warn,
+                    $"Framework key exists but InstallPath/RootPath values missing — install may be incomplete.");
+            }
+
+            return new PrerequisiteCheck("registry:ArchestrA.Framework", PrerequisiteCategory.AvevaInstall,
+                PrerequisiteStatus.Pass,
+                $"Installed at {installPath} (RootPath {rootPath}).");
+        }
+        catch (Exception ex)
+        {
+            return new PrerequisiteCheck("registry:ArchestrA.Framework", PrerequisiteCategory.AvevaInstall,
+                PrerequisiteStatus.Warn,
+                $"Probe failed: {ex.GetType().Name}: {ex.Message}");
+        }
+    }
+
+    [SupportedOSPlatform("windows")]
+    private static PrerequisiteCheck PlatformDeployedWindows()
+    {
+        try
+        {
+            using var key = Registry.LocalMachine.OpenSubKey(PlatformKey);
+            var pfeConfig = key?.GetValue("PfeConfigOptions") as string;
+            if (string.IsNullOrWhiteSpace(pfeConfig))
+            {
+                return new PrerequisiteCheck("registry:ArchestrA.Platform.Deployed", PrerequisiteCategory.AvevaInstall,
+                    PrerequisiteStatus.Warn,
+                    $"No Platform object deployed locally (Platform\\PfeConfigOptions empty). MXAccess will connect but subscriptions will fail. Deploy a Platform from the IDE.");
+            }
+
+            // PfeConfigOptions format: "PlatformId=N,EngineId=N,EngineName=...,..."
+            // A non-deployed state leaves PlatformId=0 or the key empty.
+            if (pfeConfig.Contains("PlatformId=0,", StringComparison.OrdinalIgnoreCase))
+            {
+                return new PrerequisiteCheck("registry:ArchestrA.Platform.Deployed", PrerequisiteCategory.AvevaInstall,
+                    PrerequisiteStatus.Warn,
+                    $"Platform never deployed (PfeConfigOptions has PlatformId=0). Deploy a Platform from the IDE before running live tests.");
+            }
+
+            return new PrerequisiteCheck("registry:ArchestrA.Platform.Deployed", PrerequisiteCategory.AvevaInstall,
+                PrerequisiteStatus.Pass,
+                $"Platform deployed ({pfeConfig}).");
+        }
+        catch (Exception ex)
+        {
+            return new PrerequisiteCheck("registry:ArchestrA.Platform.Deployed", PrerequisiteCategory.AvevaInstall,
+                PrerequisiteStatus.Warn,
+                $"Probe failed: {ex.GetType().Name}: {ex.Message}");
+        }
+    }
+
+    [SupportedOSPlatform("windows")]
+    private static PrerequisiteCheck RebootPendingWindows()
+    {
+        try
+        {
+            using var key = Registry.LocalMachine.OpenSubKey(MsiInstallKey);
+            var rebootRequired = key?.GetValue("RebootRequired") as string;
+            if (string.Equals(rebootRequired, "True", StringComparison.OrdinalIgnoreCase))
+            {
+                return new PrerequisiteCheck("registry:ArchestrA.RebootPending", PrerequisiteCategory.AvevaInstall,
+                    PrerequisiteStatus.Warn,
+                    "An ArchestrA patch has been installed but the machine hasn't rebooted. Post-patch behavior is undefined until a reboot.");
+            }
+            return new PrerequisiteCheck("registry:ArchestrA.RebootPending", PrerequisiteCategory.AvevaInstall,
+                PrerequisiteStatus.Pass,
+                "No pending reboot flagged.");
+        }
+        catch (Exception ex)
+        {
+            return new PrerequisiteCheck("registry:ArchestrA.RebootPending", PrerequisiteCategory.AvevaInstall,
+                PrerequisiteStatus.Warn,
+                $"Probe failed: {ex.GetType().Name}: {ex.Message}");
+        }
+    }
+
+    /// <summary>
+    ///     Read the registered <see cref="ComProgIdCheck"/> CLSID for the given ProgID and
+    ///     resolve the 32-bit <c>InprocServer32</c> file path. Returns null when either is missing.
+    /// </summary>
+    [SupportedOSPlatform("windows")]
+    internal static (string? Clsid, string? InprocDllPath) ResolveProgIdToInproc(string progId)
+    {
+        using var progIdKey = Registry.ClassesRoot.OpenSubKey($@"{progId}\CLSID");
+        var clsid = progIdKey?.GetValue(null) as string;
+        if (string.IsNullOrWhiteSpace(clsid)) return (null, null);
+
+        // 32-bit COM server under Wow6432Node\CLSID\{guid}\InprocServer32 default value.
+        using var inproc = Registry.LocalMachine.OpenSubKey(
+            $@"SOFTWARE\Classes\WOW6432Node\CLSID\{clsid}\InprocServer32");
+        var dll = inproc?.GetValue(null) as string;
+        return (clsid, dll);
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.TestSupport/Probes/ServiceProbe.cs

@@ -0,0 +1,85 @@
+using System.Runtime.InteropServices;
+using System.Runtime.Versioning;
+using System.ServiceProcess;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.TestSupport.Probes;
+
+/// <summary>
+///     Queries the Windows Service Control Manager to report whether a named service is
+///     installed, its current state, and its start type. Non-Windows hosts return Skip.
+/// </summary>
+public static class ServiceProbe
+{
+    public static PrerequisiteCheck Check(
+        string serviceName,
+        PrerequisiteCategory category,
+        bool hardRequired,
+        string whatItDoes)
+    {
+        if (!RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
+        {
+            return new PrerequisiteCheck(
+                Name: $"service:{serviceName}",
+                Category: category,
+                Status: PrerequisiteStatus.Skip,
+                Detail: "Service probes only run on Windows.");
+        }
+
+        return CheckWindows(serviceName, category, hardRequired, whatItDoes);
+    }
+
+    [SupportedOSPlatform("windows")]
+    private static PrerequisiteCheck CheckWindows(
+        string serviceName, PrerequisiteCategory category, bool hardRequired, string whatItDoes)
+    {
+        try
+        {
+            using var sc = new ServiceController(serviceName);
+            // Touch the Status to force the SCM lookup; if the service doesn't exist, this throws
+            // InvalidOperationException with message "Service ... was not found on computer.".
+            var status = sc.Status;
+            var startType = sc.StartType;
+
+            return status switch
+            {
+                ServiceControllerStatus.Running => new PrerequisiteCheck(
+                    $"service:{serviceName}", category, PrerequisiteStatus.Pass,
+                    $"Running ({whatItDoes})"),
+
+                // DemandStart services (like NmxSvc) that are Stopped are not necessarily a
+                // failure — the master service (aaBootstrap) brings them up on demand. Treat
+                // Stopped+Demand as Warn so operators know the situation but tests still proceed.
+                ServiceControllerStatus.Stopped when startType == ServiceStartMode.Manual =>
+                    new PrerequisiteCheck(
+                        $"service:{serviceName}", category, PrerequisiteStatus.Warn,
+                        $"Installed but Stopped (start type Manual — {whatItDoes}). " +
+                        "Will be pulled up on demand by the master service; fine for tests."),
+
+                ServiceControllerStatus.Stopped => Fail(
+                    $"Installed but Stopped. Start with: sc.exe start {serviceName}  ({whatItDoes})"),
+
+                _ => new PrerequisiteCheck(
+                    $"service:{serviceName}", category, PrerequisiteStatus.Warn,
+                    $"Transitional state {status} ({whatItDoes}) — try again in a few seconds."),
+            };
+
+            PrerequisiteCheck Fail(string detail) => new(
+                $"service:{serviceName}", category,
+                hardRequired ? PrerequisiteStatus.Fail : PrerequisiteStatus.Warn,
+                detail);
+        }
+        catch (InvalidOperationException ex) when (ex.Message.Contains("was not found", StringComparison.OrdinalIgnoreCase))
+        {
+            return new PrerequisiteCheck(
+                $"service:{serviceName}", category,
+                hardRequired ? PrerequisiteStatus.Fail : PrerequisiteStatus.Warn,
+                $"Not installed ({whatItDoes}). Install the relevant System Platform component and retry.");
+        }
+        catch (Exception ex)
+        {
+            return new PrerequisiteCheck(
+                $"service:{serviceName}", category, PrerequisiteStatus.Warn,
+                $"Probe failed ({ex.GetType().Name}: {ex.Message}) — treat as unknown.");
+        }
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.TestSupport/Probes/SqlProbe.cs

@@ -0,0 +1,88 @@
+using Microsoft.Data.SqlClient;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.TestSupport.Probes;
+
+/// <summary>
+///     Verifies the Galaxy Repository SQL side: SQL Server reachable, <c>ZB</c> database
+///     present, and at least one deployed object exists (so live tests have something to read).
+///     Reuses the Windows-auth connection string the repo code defaults to.
+/// </summary>
+public static class SqlProbe
+{
+    public const string DefaultConnectionString =
+        "Server=localhost;Database=ZB;Integrated Security=True;TrustServerCertificate=True;Encrypt=False;Connect Timeout=3;";
+
+    public static async Task<PrerequisiteCheck> CheckZbDatabaseAsync(
+        string? connectionString = null, CancellationToken ct = default)
+    {
+        connectionString ??= DefaultConnectionString;
+        try
+        {
+            using var conn = new SqlConnection(connectionString);
+            await conn.OpenAsync(ct);
+
+            // DB_ID returns null when the database doesn't exist on the connected server — distinct
+            // failure mode from "server unreachable", deserves a distinct message.
+            using var cmd = conn.CreateCommand();
+            cmd.CommandText = "SELECT DB_ID('ZB')";
+            var dbIdObj = await cmd.ExecuteScalarAsync(ct);
+            if (dbIdObj is null || dbIdObj is DBNull)
+            {
+                return new PrerequisiteCheck("sql:ZB", PrerequisiteCategory.GalaxyRepository,
+                    PrerequisiteStatus.Fail,
+                    "SQL Server reachable but database ZB does not exist. " +
+                    "Create the Galaxy from the IDE or restore a .cab backup.");
+            }
+
+            return new PrerequisiteCheck("sql:ZB", PrerequisiteCategory.GalaxyRepository,
+                PrerequisiteStatus.Pass, "Connected; ZB database exists.");
+        }
+        catch (SqlException ex)
+        {
+            return new PrerequisiteCheck("sql:ZB", PrerequisiteCategory.GalaxyRepository,
+                PrerequisiteStatus.Fail,
+                $"SQL Server unreachable: {ex.Message}. Ensure MSSQLSERVER service is running (sc.exe start MSSQLSERVER) and TCP 1433 is open.");
+        }
+        catch (Exception ex)
+        {
+            return new PrerequisiteCheck("sql:ZB", PrerequisiteCategory.GalaxyRepository,
+                PrerequisiteStatus.Fail,
+                $"Unexpected probe error: {ex.GetType().Name}: {ex.Message}");
+        }
+    }
+
+    /// <summary>
+    ///     Returns the count of deployed Galaxy objects (<c>deployed_version &gt; 0</c>). Zero
+    ///     isn't a hard failure — lets someone boot a fresh Galaxy and still get meaningful
+    ///     test-suite output — but it IS a warning because any live-read smoke will have
+    ///     nothing to read.
+    /// </summary>
+    public static async Task<PrerequisiteCheck> CheckDeployedObjectCountAsync(
+        string? connectionString = null, CancellationToken ct = default)
+    {
+        connectionString ??= DefaultConnectionString;
+        try
+        {
+            using var conn = new SqlConnection(connectionString);
+            await conn.OpenAsync(ct);
+            using var cmd = conn.CreateCommand();
+            cmd.CommandText = "SELECT COUNT(*) FROM gobject WHERE deployed_version > 0";
+            var countObj = await cmd.ExecuteScalarAsync(ct);
+            var count = countObj is int i ? i : 0;
+
+            return count > 0
+                ? new PrerequisiteCheck("sql:ZB.deployedObjects", PrerequisiteCategory.GalaxyRepository,
+                    PrerequisiteStatus.Pass, $"{count} objects deployed — live reads have data to return.")
+                : new PrerequisiteCheck("sql:ZB.deployedObjects", PrerequisiteCategory.GalaxyRepository,
+                    PrerequisiteStatus.Warn,
+                    "ZB contains no deployed objects. Discovery smoke tests will return empty hierarchies; " +
+                    "deploy at least a Platform + AppEngine from the IDE to exercise the read path.");
+        }
+        catch (Exception ex)
+        {
+            return new PrerequisiteCheck("sql:ZB.deployedObjects", PrerequisiteCategory.GalaxyRepository,
+                PrerequisiteStatus.Warn,
+                $"Couldn't count deployed objects: {ex.GetType().Name}: {ex.Message}");
+        }
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.TestSupport/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.TestSupport.csproj

@@ -0,0 +1,38 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+    <PropertyGroup>
+        <!-- Multi-target: net10.0 for modern consumer projects (Galaxy.Proxy.Tests, E2E, Admin.Tests),
+             net48 for the Galaxy.Host.Tests project that has to stay on .NET Framework x86 for its
+             MXAccess-COM parent project. The helper uses no OS-level APIs that differ between the
+             two frameworks (registry / SQL / ServiceController are surface-compatible). -->
+        <TargetFrameworks>net10.0;net48</TargetFrameworks>
+        <Nullable>enable</Nullable>
+        <ImplicitUsings>enable</ImplicitUsings>
+        <LangVersion>latest</LangVersion>
+        <IsPackable>false</IsPackable>
+        <RootNamespace>ZB.MOM.WW.OtOpcUa.Driver.Galaxy.TestSupport</RootNamespace>
+    </PropertyGroup>
+
+    <ItemGroup Condition="'$(TargetFramework)' == 'net10.0'">
+        <!-- System.ServiceProcess.ServiceController + Microsoft.Win32.Registry are cross-platform
+             assemblies that throw PlatformNotSupportedException on non-Windows; the probes in
+             this project guard with RuntimeInformation.IsOSPlatform(OSPlatform.Windows) so they
+             return Skip on Linux/macOS rather than crashing the test host. -->
+        <PackageReference Include="System.ServiceProcess.ServiceController" Version="10.0.0"/>
+        <PackageReference Include="Microsoft.Win32.Registry" Version="5.0.0"/>
+        <PackageReference Include="Microsoft.Data.SqlClient" Version="6.0.1"/>
+    </ItemGroup>
+
+    <ItemGroup Condition="'$(TargetFramework)' == 'net48'">
+        <!-- net48 ships System.ServiceProcess + Microsoft.Win32 in-box via BCL references. -->
+        <Reference Include="System.ServiceProcess"/>
+        <!-- Microsoft.Data.SqlClient v6 supports net462+; single-target for consistency. -->
+        <PackageReference Include="Microsoft.Data.SqlClient" Version="6.0.1"/>
+    </ItemGroup>
+
+    <ItemGroup>
+        <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-37gx-xxp4-5rgx"/>
+        <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-w3x6-4m5h-cxqf"/>
+    </ItemGroup>
+
+</Project>

tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/DL205/DL205Profile.cs

@@ -0,0 +1,45 @@
+namespace ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests.DL205;
+
+/// <summary>
+///     Tag map for the AutomationDirect DL205 device class. Mirrors what the ModbusPal
+///     <c>.xmpp</c> profile in <c>ModbusPal/DL205.xmpp</c> exposes (or the real PLC, when
+///     <see cref="ModbusSimulatorFixture"/> is pointed at one).
+/// </summary>
+/// <remarks>
+///     This is the scaffold — each tag is deliberately generic so the smoke test has stable
+///     addresses to read. Device-specific quirk tests (word order, max-register, register-zero
+///     access, etc.) will land in their own test classes alongside this profile as the user
+///     validates each behavior in ModbusPal; see <c>docs/v2/modbus-test-plan.md</c> §per-device
+///     quirk catalog for the checklist.
+/// </remarks>
+public static class DL205Profile
+{
+    /// <summary>Holding register the smoke test reads. Address 100 sidesteps the DL205
+    /// register-zero quirk (pending confirmation) — see modbus-test-plan.md.</summary>
+    public const ushort SmokeHoldingRegister = 100;
+
+    /// <summary>Expected value the ModbusPal profile seeds into register 100. When running
+    /// against a real DL205 (or a ModbusPal profile where this register is writable), the smoke
+    /// test seeds this value first, then reads it back.</summary>
+    public const short SmokeHoldingValue = 1234;
+
+    public static ModbusDriverOptions BuildOptions(string host, int port) => new()
+    {
+        Host = host,
+        Port = port,
+        UnitId = 1,
+        Timeout = TimeSpan.FromSeconds(2),
+        Tags =
+        [
+            new ModbusTagDefinition(
+                Name: "DL205_Smoke_HReg100",
+                Region: ModbusRegion.HoldingRegisters,
+                Address: SmokeHoldingRegister,
+                DataType: ModbusDataType.Int16,
+                Writable: true),
+        ],
+        // Disable the background probe loop — integration tests drive reads explicitly and
+        // the probe would race with assertions.
+        Probe = new ModbusProbeOptions { Enabled = false },
+    };
+}

tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/DL205/DL205SmokeTests.cs

@@ -0,0 +1,53 @@
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests.DL205;
+
+/// <summary>
+///     End-to-end smoke against the DL205 ModbusPal profile (or a real DL205 when
+///     <c>MODBUS_SIM_ENDPOINT</c> points at one). Drives the full <see cref="ModbusDriver"/>
+///     + real <see cref="ModbusTcpTransport"/> stack — no fake transport. Success proves the
+///     driver can initialize against the simulator, write a known value, and read it back
+///     with the correct status and value, which is the baseline every device-quirk test
+///     builds on.
+/// </summary>
+/// <remarks>
+///     Device-specific quirk tests (word order, max-register, register-zero access, exception
+///     code translation, etc.) land as separate test classes in this directory as each quirk
+///     is validated in ModbusPal. Keep this smoke test deliberately narrow — any deviation
+///     the driver hits beyond "happy-path FC16 + FC03 round-trip" belongs in its own named
+///     test so filtering by device class (<c>--filter DisplayName~DL205</c>) surfaces the
+///     quirk-specific failure mode.
+/// </remarks>
+[Collection(ModbusSimulatorCollection.Name)]
+[Trait("Category", "Integration")]
+[Trait("Device", "DL205")]
+public sealed class DL205SmokeTests(ModbusSimulatorFixture sim)
+{
+    [Fact]
+    public async Task DL205_roundtrip_write_then_read_of_holding_register()
+    {
+        if (sim.SkipReason is not null) Assert.Skip(sim.SkipReason);
+
+        var options = DL205Profile.BuildOptions(sim.Host, sim.Port);
+        await using var driver = new ModbusDriver(options, driverInstanceId: "dl205-smoke");
+        await driver.InitializeAsync(driverConfigJson: "{}", TestContext.Current.CancellationToken);
+
+        // Write first so the test is self-contained — ModbusPal's default register bank is
+        // zeroed at simulator start, and tests must not depend on prior-test state per the
+        // test-plan conventions.
+        var writeResults = await driver.WriteAsync(
+            [new(FullReference: "DL205_Smoke_HReg100", Value: (short)DL205Profile.SmokeHoldingValue)],
+            TestContext.Current.CancellationToken);
+        writeResults.Count.ShouldBe(1);
+        writeResults[0].StatusCode.ShouldBe(0u, "write must succeed against the ModbusPal DL205 profile");
+
+        var readResults = await driver.ReadAsync(
+            ["DL205_Smoke_HReg100"],
+            TestContext.Current.CancellationToken);
+        readResults.Count.ShouldBe(1);
+        readResults[0].StatusCode.ShouldBe(0u);
+        readResults[0].Value.ShouldBe((short)DL205Profile.SmokeHoldingValue);
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/ModbusPal/README.md

@@ -0,0 +1,30 @@
+# ModbusPal simulator profiles
+
+Drop device-specific `.xmpp` profiles here. The integration tests connect to the
+endpoint in `MODBUS_SIM_ENDPOINT` (default `localhost:502`) and expect the
+simulator to already be running — tests do not launch ModbusPal themselves,
+because its Java GUI + JRE requirement is heavier than the harness is worth.
+
+## Getting started
+
+1. Download ModbusPal from SourceForge (`modbuspal.jar`).
+2. `java -jar modbuspal.jar` to launch the GUI.
+3. Load a profile from this directory (or configure one manually) and start the
+   simulator on TCP port 502.
+4. `dotnet test tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests` — tests
+   auto-skip with a clear `SkipReason` if the TCP probe at the configured
+   endpoint fails within 2 seconds.
+
+## Profile files
+
+- `DL205.xmpp` — _to be added_ — register map reflecting the AutomationDirect
+  DL205 quirks tracked in `docs/v2/modbus-test-plan.md`. The scaffolded smoke
+  test in `DL205/DL205SmokeTests.cs` needs holding register 100 writable and
+  present; a minimal ModbusPal profile with a single holding-register bank at
+  address 100 is sufficient.
+
+## Environment variables
+
+- `MODBUS_SIM_ENDPOINT` — override the simulator endpoint. Accepts `host:port`;
+  defaults to `localhost:502`. Useful when pointing the suite at a real PLC on
+  the bench.

tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/ModbusSimulatorFixture.cs

@@ -0,0 +1,66 @@
+using System.Net.Sockets;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests;
+
+/// <summary>
+///     Reachability probe for a Modbus TCP simulator (ModbusPal or a real PLC). Parses
+///     <c>MODBUS_SIM_ENDPOINT</c> (default <c>localhost:502</c>) and TCP-connects once at
+///     fixture construction. Each test checks <see cref="SkipReason"/> and calls
+///     <c>Assert.Skip</c> when the endpoint was unreachable, so a dev box without a running
+///     simulator still passes `dotnet test` cleanly — matches the Galaxy live-smoke pattern in
+///     <c>GalaxyRepositoryLiveSmokeTests</c>.
+/// </summary>
+/// <remarks>
+///     <para>
+///         Do NOT keep the probe socket open for the life of the fixture. The probe is a
+///         one-shot liveness check; tests open their own transports (the real
+///         <see cref="ModbusTcpTransport"/>) against the same endpoint. Sharing a socket
+///         across tests would serialize them on a single TCP stream.
+///     </para>
+///     <para>
+///         The fixture is a collection fixture so the reachability probe runs once per test
+///         session, not per test — checking every test would waste several seconds against a
+///         firewalled endpoint that times out each attempt.
+///     </para>
+/// </remarks>
+public sealed class ModbusSimulatorFixture : IAsyncDisposable
+{
+    private const string DefaultEndpoint = "localhost:502";
+    private const string EndpointEnvVar = "MODBUS_SIM_ENDPOINT";
+
+    public string Host { get; }
+    public int Port { get; }
+    public string? SkipReason { get; }
+
+    public ModbusSimulatorFixture()
+    {
+        var raw = Environment.GetEnvironmentVariable(EndpointEnvVar) ?? DefaultEndpoint;
+        var parts = raw.Split(':', 2);
+        Host = parts[0];
+        Port = parts.Length == 2 && int.TryParse(parts[1], out var p) ? p : 502;
+
+        try
+        {
+            using var client = new TcpClient();
+            var task = client.ConnectAsync(Host, Port);
+            if (!task.Wait(TimeSpan.FromSeconds(2)) || !client.Connected)
+            {
+                SkipReason = $"Modbus simulator at {Host}:{Port} did not accept a TCP connection within 2s. " +
+                             $"Start ModbusPal (or override {EndpointEnvVar}) and re-run.";
+            }
+        }
+        catch (Exception ex)
+        {
+            SkipReason = $"Modbus simulator at {Host}:{Port} unreachable: {ex.GetType().Name}: {ex.Message}. " +
+                         $"Start ModbusPal (or override {EndpointEnvVar}) and re-run.";
+        }
+    }
+
+    public ValueTask DisposeAsync() => ValueTask.CompletedTask;
+}
+
+[Xunit.CollectionDefinition(Name)]
+public sealed class ModbusSimulatorCollection : Xunit.ICollectionFixture<ModbusSimulatorFixture>
+{
+    public const string Name = "ModbusSimulator";
+}

tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests.csproj

@@ -0,0 +1,36 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+    <PropertyGroup>
+        <TargetFramework>net10.0</TargetFramework>
+        <Nullable>enable</Nullable>
+        <ImplicitUsings>enable</ImplicitUsings>
+        <IsPackable>false</IsPackable>
+        <IsTestProject>true</IsTestProject>
+        <RootNamespace>ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests</RootNamespace>
+    </PropertyGroup>
+
+    <ItemGroup>
+        <PackageReference Include="xunit.v3" Version="1.1.0"/>
+        <PackageReference Include="Shouldly" Version="4.3.0"/>
+        <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.12.0"/>
+        <PackageReference Include="xunit.runner.visualstudio" Version="3.0.2">
+            <PrivateAssets>all</PrivateAssets>
+            <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+        </PackageReference>
+    </ItemGroup>
+
+    <ItemGroup>
+        <ProjectReference Include="..\..\src\ZB.MOM.WW.OtOpcUa.Driver.Modbus\ZB.MOM.WW.OtOpcUa.Driver.Modbus.csproj"/>
+    </ItemGroup>
+
+    <ItemGroup>
+        <None Update="ModbusPal\**\*" CopyToOutputDirectory="PreserveNewest"/>
+        <None Update="DL205\**\*" CopyToOutputDirectory="PreserveNewest"/>
+    </ItemGroup>
+
+    <ItemGroup>
+        <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-37gx-xxp4-5rgx"/>
+        <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-w3x6-4m5h-cxqf"/>
+    </ItemGroup>
+
+</Project>

tests/ZB.MOM.WW.OtOpcUa.Server.Tests/DriverNodeManagerHistoryMappingTests.cs

@@ -0,0 +1,160 @@
+using System.Linq;
+using Opc.Ua;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Server.OpcUa;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.Tests;
+
+/// <summary>
+///     Unit coverage for the static helpers <see cref="DriverNodeManager"/> exposes to bridge
+///     driver-side history data (<see cref="HistoricalEvent"/> + <see cref="DataValueSnapshot"/>)
+///     to the OPC UA on-wire shape (<c>HistoryData</c> / <c>HistoryEvent</c> wrapped in an
+///     <see cref="ExtensionObject"/>). Fast, framework-only — no server fixture.
+/// </summary>
+[Trait("Category", "Unit")]
+public sealed class DriverNodeManagerHistoryMappingTests
+{
+    [Theory]
+    [InlineData(nameof(HistoryAggregateType.Average), HistoryAggregateType.Average)]
+    [InlineData(nameof(HistoryAggregateType.Minimum), HistoryAggregateType.Minimum)]
+    [InlineData(nameof(HistoryAggregateType.Maximum), HistoryAggregateType.Maximum)]
+    [InlineData(nameof(HistoryAggregateType.Total), HistoryAggregateType.Total)]
+    [InlineData(nameof(HistoryAggregateType.Count), HistoryAggregateType.Count)]
+    public void MapAggregate_translates_each_supported_OPC_UA_aggregate_NodeId(
+        string name, HistoryAggregateType expected)
+    {
+        // Resolve the ObjectIds.AggregateFunction_<name> constant via reflection so the test
+        // keeps working if the stack ever renames them — failure means the stack broke its
+        // naming convention, worth surfacing loudly.
+        var field = typeof(ObjectIds).GetField("AggregateFunction_" + name);
+        field.ShouldNotBeNull();
+        var nodeId = (NodeId)field!.GetValue(null)!;
+
+        DriverNodeManager.MapAggregate(nodeId).ShouldBe(expected);
+    }
+
+    [Fact]
+    public void MapAggregate_returns_null_for_unknown_aggregate()
+    {
+        // AggregateFunction_TimeAverage is a valid OPC UA aggregate but not one the driver
+        // surfaces. Null here means the service handler will translate to BadAggregateNotSupported
+        // — the right behavior per Part 13 when the requested aggregate isn't implemented.
+        DriverNodeManager.MapAggregate(ObjectIds.AggregateFunction_TimeAverage).ShouldBeNull();
+    }
+
+    [Fact]
+    public void MapAggregate_returns_null_for_null_input()
+    {
+        // Processed requests that omit the aggregate list (or pass a single null) must not crash.
+        DriverNodeManager.MapAggregate(null).ShouldBeNull();
+    }
+
+    [Fact]
+    public void BuildHistoryData_wraps_samples_as_HistoryData_extension_object()
+    {
+        var samples = new[]
+        {
+            new DataValueSnapshot(Value: 42, StatusCode: StatusCodes.Good,
+                SourceTimestampUtc: new DateTime(2024, 1, 1, 0, 0, 0, DateTimeKind.Utc),
+                ServerTimestampUtc: new DateTime(2024, 1, 1, 0, 0, 1, DateTimeKind.Utc)),
+            new DataValueSnapshot(Value: 99, StatusCode: StatusCodes.Good,
+                SourceTimestampUtc: new DateTime(2024, 1, 1, 0, 0, 5, DateTimeKind.Utc),
+                ServerTimestampUtc: new DateTime(2024, 1, 1, 0, 0, 6, DateTimeKind.Utc)),
+        };
+
+        var ext = DriverNodeManager.BuildHistoryData(samples);
+
+        ext.Body.ShouldBeOfType<HistoryData>();
+        var hd = (HistoryData)ext.Body;
+        hd.DataValues.Count.ShouldBe(2);
+        hd.DataValues[0].Value.ShouldBe(42);
+        hd.DataValues[1].Value.ShouldBe(99);
+        hd.DataValues[0].SourceTimestamp.ShouldBe(new DateTime(2024, 1, 1, 0, 0, 0, DateTimeKind.Utc));
+    }
+
+    [Fact]
+    public void BuildHistoryEvent_wraps_events_with_BaseEventType_field_ordering()
+    {
+        // BuildHistoryEvent populates a fixed field set in BaseEventType's conventional order:
+        // EventId, SourceName, Message, Severity, Time, ReceiveTime. Pinning this so a later
+        // "respect the client's SelectClauses" change can't silently break older clients that
+        // rely on the default layout.
+        var events = new[]
+        {
+            new HistoricalEvent(
+                EventId: "e-1",
+                SourceName: "Tank1.HiAlarm",
+                EventTimeUtc: new DateTime(2024, 1, 1, 12, 0, 0, DateTimeKind.Utc),
+                ReceivedTimeUtc: new DateTime(2024, 1, 1, 12, 0, 0, 5, DateTimeKind.Utc),
+                Message: "High level reached",
+                Severity: 750),
+        };
+
+        var ext = DriverNodeManager.BuildHistoryEvent(events);
+
+        ext.Body.ShouldBeOfType<HistoryEvent>();
+        var he = (HistoryEvent)ext.Body;
+        he.Events.Count.ShouldBe(1);
+        var fields = he.Events[0].EventFields;
+        fields.Count.ShouldBe(6);
+        fields[0].Value.ShouldBe("e-1");                    // EventId
+        fields[1].Value.ShouldBe("Tank1.HiAlarm");          // SourceName
+        ((LocalizedText)fields[2].Value).Text.ShouldBe("High level reached"); // Message
+        fields[3].Value.ShouldBe((ushort)750);              // Severity
+        ((DateTime)fields[4].Value).ShouldBe(new DateTime(2024, 1, 1, 12, 0, 0, DateTimeKind.Utc));
+        ((DateTime)fields[5].Value).ShouldBe(new DateTime(2024, 1, 1, 12, 0, 0, 5, DateTimeKind.Utc));
+    }
+
+    [Fact]
+    public void BuildHistoryEvent_substitutes_empty_string_for_null_SourceName_and_Message()
+    {
+        // Driver-side nulls are preserved through the wire contract by design (distinguishes
+        // "system event with no source" from "source unknown"), but OPC UA Variants of type
+        // String must not carry null — the stack serializes null-string as empty. This test
+        // pins the choice so a nullable-Variant refactor doesn't break clients that display
+        // the field without a null check.
+        var events = new[]
+        {
+            new HistoricalEvent("sys", null, DateTime.UtcNow, DateTime.UtcNow, null, 1),
+        };
+
+        var ext = DriverNodeManager.BuildHistoryEvent(events);
+        var fields = ((HistoryEvent)ext.Body).Events[0].EventFields;
+        fields[1].Value.ShouldBe(string.Empty);
+        ((LocalizedText)fields[2].Value).Text.ShouldBe(string.Empty);
+    }
+
+    [Fact]
+    public void ToDataValue_preserves_status_code_and_timestamps()
+    {
+        var snap = new DataValueSnapshot(
+            Value: 123.45,
+            StatusCode: StatusCodes.UncertainSubstituteValue,
+            SourceTimestampUtc: new DateTime(2024, 5, 1, 10, 0, 0, DateTimeKind.Utc),
+            ServerTimestampUtc: new DateTime(2024, 5, 1, 10, 0, 1, DateTimeKind.Utc));
+
+        var dv = DriverNodeManager.ToDataValue(snap);
+
+        dv.Value.ShouldBe(123.45);
+        dv.StatusCode.Code.ShouldBe(StatusCodes.UncertainSubstituteValue);
+        dv.SourceTimestamp.ShouldBe(new DateTime(2024, 5, 1, 10, 0, 0, DateTimeKind.Utc));
+        dv.ServerTimestamp.ShouldBe(new DateTime(2024, 5, 1, 10, 0, 1, DateTimeKind.Utc));
+    }
+
+    [Fact]
+    public void ToDataValue_leaves_SourceTimestamp_default_when_snapshot_has_no_source_time()
+    {
+        // Galaxy's raw-history rows often carry only a ServerTimestamp (the historian knows
+        // when it wrote the row, not when the process sampled it). The mapping must not
+        // synthesize a bogus SourceTimestamp from ServerTimestamp — that would lie to the
+        // client about the measurement's actual time.
+        var snap = new DataValueSnapshot(Value: 1, StatusCode: 0,
+            SourceTimestampUtc: null,
+            ServerTimestampUtc: new DateTime(2024, 5, 1, 10, 0, 1, DateTimeKind.Utc));
+
+        var dv = DriverNodeManager.ToDataValue(snap);
+        dv.SourceTimestamp.ShouldBe(default);
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Server.Tests/HistoryReadIntegrationTests.cs

@@ -0,0 +1,356 @@
+using Microsoft.Extensions.Logging.Abstractions;
+using Opc.Ua;
+using Opc.Ua.Client;
+using Opc.Ua.Configuration;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Core.Hosting;
+using ZB.MOM.WW.OtOpcUa.Server.OpcUa;
+using ZB.MOM.WW.OtOpcUa.Server.Security;
+// Core.Abstractions.HistoryReadResult (driver-side samples) collides with Opc.Ua.HistoryReadResult
+// (service-layer per-node result). Alias the driver type so the stub's interface implementations
+// are unambiguous.
+using DriverHistoryReadResult = ZB.MOM.WW.OtOpcUa.Core.Abstractions.HistoryReadResult;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.Tests;
+
+/// <summary>
+///     End-to-end test that a real OPC UA client's HistoryRead service reaches a fake driver's
+///     <see cref="IHistoryProvider"/> via <see cref="DriverNodeManager"/>'s
+///     <c>HistoryReadRawModified</c> / <c>HistoryReadProcessed</c> / <c>HistoryReadAtTime</c> /
+///     <c>HistoryReadEvents</c> overrides. Boots the full OPC UA stack + a stub
+///     <see cref="IHistoryProvider"/> driver, opens a client session, issues each HistoryRead
+///     variant, and asserts the client receives the expected per-kind payload.
+/// </summary>
+[Trait("Category", "Integration")]
+public sealed class HistoryReadIntegrationTests : IAsyncLifetime
+{
+    private static readonly int Port = 48600 + Random.Shared.Next(0, 99);
+    private readonly string _endpoint = $"opc.tcp://localhost:{Port}/OtOpcUaHistoryTest";
+    private readonly string _pkiRoot = Path.Combine(Path.GetTempPath(), $"otopcua-history-test-{Guid.NewGuid():N}");
+
+    private DriverHost _driverHost = null!;
+    private OpcUaApplicationHost _server = null!;
+    private HistoryDriver _driver = null!;
+
+    public async ValueTask InitializeAsync()
+    {
+        _driverHost = new DriverHost();
+        _driver = new HistoryDriver();
+        await _driverHost.RegisterAsync(_driver, "{}", CancellationToken.None);
+
+        var options = new OpcUaServerOptions
+        {
+            EndpointUrl = _endpoint,
+            ApplicationName = "OtOpcUaHistoryTest",
+            ApplicationUri = "urn:OtOpcUa:Server:HistoryTest",
+            PkiStoreRoot = _pkiRoot,
+            AutoAcceptUntrustedClientCertificates = true,
+        };
+
+        _server = new OpcUaApplicationHost(options, _driverHost, new DenyAllUserAuthenticator(),
+            NullLoggerFactory.Instance, NullLogger<OpcUaApplicationHost>.Instance);
+        await _server.StartAsync(CancellationToken.None);
+    }
+
+    public async ValueTask DisposeAsync()
+    {
+        await _server.DisposeAsync();
+        await _driverHost.DisposeAsync();
+        try { Directory.Delete(_pkiRoot, recursive: true); } catch { /* best-effort */ }
+    }
+
+    [Fact]
+    public async Task HistoryReadRaw_round_trips_driver_samples_to_the_client()
+    {
+        using var session = await OpenSessionAsync();
+        var nsIndex = (ushort)session.NamespaceUris.GetIndex("urn:OtOpcUa:history-driver");
+        var nodeId = new NodeId("raw.var", nsIndex);
+
+        // The Opc.Ua client exposes HistoryRead via Session.HistoryRead. We construct a
+        // ReadRawModifiedDetails (IsReadModified=false → raw path) and a single
+        // HistoryReadValueId targeting the driver-backed variable.
+        var details = new ReadRawModifiedDetails
+        {
+            StartTime = new DateTime(2024, 1, 1, 0, 0, 0, DateTimeKind.Utc),
+            EndTime = new DateTime(2024, 1, 1, 0, 0, 10, DateTimeKind.Utc),
+            NumValuesPerNode = 100,
+            IsReadModified = false,
+            ReturnBounds = false,
+        };
+        var extObj = new ExtensionObject(details);
+        var nodesToRead = new HistoryReadValueIdCollection { new() { NodeId = nodeId } };
+
+        session.HistoryRead(null, extObj, TimestampsToReturn.Both, false, nodesToRead,
+            out var results, out _);
+
+        results.Count.ShouldBe(1);
+        results[0].StatusCode.Code.ShouldBe(StatusCodes.Good, $"HistoryReadRaw returned {results[0].StatusCode}");
+        var hd = (HistoryData)ExtensionObject.ToEncodeable(results[0].HistoryData);
+        hd.DataValues.Count.ShouldBe(_driver.RawSamplesReturned, "one DataValue per driver sample");
+        hd.DataValues[0].Value.ShouldBe(_driver.FirstRawValue);
+    }
+
+    [Fact]
+    public async Task HistoryReadProcessed_maps_Average_aggregate_and_routes_to_ReadProcessedAsync()
+    {
+        using var session = await OpenSessionAsync();
+        var nsIndex = (ushort)session.NamespaceUris.GetIndex("urn:OtOpcUa:history-driver");
+        var nodeId = new NodeId("proc.var", nsIndex);
+
+        var details = new ReadProcessedDetails
+        {
+            StartTime = new DateTime(2024, 1, 1, 0, 0, 0, DateTimeKind.Utc),
+            EndTime = new DateTime(2024, 1, 1, 0, 1, 0, DateTimeKind.Utc),
+            ProcessingInterval = 10_000, // 10s buckets
+            AggregateType = [ObjectIds.AggregateFunction_Average],
+        };
+        var extObj = new ExtensionObject(details);
+        var nodesToRead = new HistoryReadValueIdCollection { new() { NodeId = nodeId } };
+
+        session.HistoryRead(null, extObj, TimestampsToReturn.Both, false, nodesToRead,
+            out var results, out _);
+
+        results[0].StatusCode.Code.ShouldBe(StatusCodes.Good);
+        _driver.LastProcessedAggregate.ShouldBe(HistoryAggregateType.Average,
+            "MapAggregate must translate ObjectIds.AggregateFunction_Average → driver enum");
+        _driver.LastProcessedInterval.ShouldBe(TimeSpan.FromSeconds(10));
+    }
+
+    [Fact]
+    public async Task HistoryReadProcessed_returns_BadAggregateNotSupported_for_unmapped_aggregate()
+    {
+        using var session = await OpenSessionAsync();
+        var nsIndex = (ushort)session.NamespaceUris.GetIndex("urn:OtOpcUa:history-driver");
+        var nodeId = new NodeId("proc.var", nsIndex);
+
+        var details = new ReadProcessedDetails
+        {
+            StartTime = new DateTime(2024, 1, 1, 0, 0, 0, DateTimeKind.Utc),
+            EndTime = new DateTime(2024, 1, 1, 0, 1, 0, DateTimeKind.Utc),
+            ProcessingInterval = 10_000,
+            // TimeAverage is a valid OPC UA aggregate NodeId but not one the driver implements —
+            // the override returns BadAggregateNotSupported per Part 13 rather than coercing.
+            AggregateType = [ObjectIds.AggregateFunction_TimeAverage],
+        };
+        var extObj = new ExtensionObject(details);
+        var nodesToRead = new HistoryReadValueIdCollection { new() { NodeId = nodeId } };
+
+        session.HistoryRead(null, extObj, TimestampsToReturn.Both, false, nodesToRead,
+            out var results, out _);
+
+        results[0].StatusCode.Code.ShouldBe(StatusCodes.BadAggregateNotSupported);
+    }
+
+    [Fact]
+    public async Task HistoryReadAtTime_forwards_timestamp_list_to_driver()
+    {
+        using var session = await OpenSessionAsync();
+        var nsIndex = (ushort)session.NamespaceUris.GetIndex("urn:OtOpcUa:history-driver");
+        var nodeId = new NodeId("atTime.var", nsIndex);
+
+        var t1 = new DateTime(2024, 3, 1, 10, 0, 0, DateTimeKind.Utc);
+        var t2 = new DateTime(2024, 3, 1, 10, 0, 30, DateTimeKind.Utc);
+        var details = new ReadAtTimeDetails { ReqTimes = new DateTimeCollection { t1, t2 } };
+        var extObj = new ExtensionObject(details);
+        var nodesToRead = new HistoryReadValueIdCollection { new() { NodeId = nodeId } };
+
+        session.HistoryRead(null, extObj, TimestampsToReturn.Both, false, nodesToRead,
+            out var results, out _);
+
+        results[0].StatusCode.Code.ShouldBe(StatusCodes.Good);
+        _driver.LastAtTimeRequestedTimes.ShouldNotBeNull();
+        _driver.LastAtTimeRequestedTimes!.Count.ShouldBe(2);
+        _driver.LastAtTimeRequestedTimes[0].ShouldBe(t1);
+        _driver.LastAtTimeRequestedTimes[1].ShouldBe(t2);
+    }
+
+    [Fact]
+    public async Task HistoryReadEvents_returns_HistoryEvent_with_BaseEventType_field_list()
+    {
+        using var session = await OpenSessionAsync();
+        // Events target the driver-root notifier (not a specific variable) which is the
+        // conventional pattern for alarm-history browse.
+        var nsIndex = (ushort)session.NamespaceUris.GetIndex("urn:OtOpcUa:history-driver");
+        var nodeId = new NodeId("history-driver", nsIndex);
+
+        // EventFilter must carry at least one SelectClause or the stack rejects it as
+        // BadEventFilterInvalid before our override runs — empty filters are spec-forbidden.
+        // We populate the standard BaseEventType selectors any real client would send; my
+        // override's BuildHistoryEvent ignores the specific clauses and emits the canonical
+        // field list anyway (the richer "respect exact SelectClauses" behavior is on the PR 38
+        // follow-up list).
+        var filter = new EventFilter();
+        filter.AddSelectClause(ObjectTypeIds.BaseEventType, BrowseNames.EventId);
+        filter.AddSelectClause(ObjectTypeIds.BaseEventType, BrowseNames.SourceName);
+        filter.AddSelectClause(ObjectTypeIds.BaseEventType, BrowseNames.Message);
+        filter.AddSelectClause(ObjectTypeIds.BaseEventType, BrowseNames.Severity);
+        filter.AddSelectClause(ObjectTypeIds.BaseEventType, BrowseNames.Time);
+        filter.AddSelectClause(ObjectTypeIds.BaseEventType, BrowseNames.ReceiveTime);
+
+        var details = new ReadEventDetails
+        {
+            StartTime = new DateTime(2024, 1, 1, 0, 0, 0, DateTimeKind.Utc),
+            EndTime = new DateTime(2024, 12, 31, 0, 0, 0, DateTimeKind.Utc),
+            NumValuesPerNode = 10,
+            Filter = filter,
+        };
+        var extObj = new ExtensionObject(details);
+        var nodesToRead = new HistoryReadValueIdCollection { new() { NodeId = nodeId } };
+
+        session.HistoryRead(null, extObj, TimestampsToReturn.Both, false, nodesToRead,
+            out var results, out _);
+
+        results[0].StatusCode.Code.ShouldBe(StatusCodes.Good);
+        var he = (HistoryEvent)ExtensionObject.ToEncodeable(results[0].HistoryData);
+        he.Events.Count.ShouldBe(_driver.EventsReturned);
+        he.Events[0].EventFields.Count.ShouldBe(6, "BaseEventType default field layout is 6 entries");
+    }
+
+    private async Task<ISession> OpenSessionAsync()
+    {
+        var cfg = new ApplicationConfiguration
+        {
+            ApplicationName = "OtOpcUaHistoryTestClient",
+            ApplicationUri = "urn:OtOpcUa:HistoryTestClient",
+            ApplicationType = ApplicationType.Client,
+            SecurityConfiguration = new SecurityConfiguration
+            {
+                ApplicationCertificate = new CertificateIdentifier
+                {
+                    StoreType = CertificateStoreType.Directory,
+                    StorePath = Path.Combine(_pkiRoot, "client-own"),
+                    SubjectName = "CN=OtOpcUaHistoryTestClient",
+                },
+                TrustedIssuerCertificates = new CertificateTrustList { StoreType = CertificateStoreType.Directory, StorePath = Path.Combine(_pkiRoot, "client-issuers") },
+                TrustedPeerCertificates = new CertificateTrustList { StoreType = CertificateStoreType.Directory, StorePath = Path.Combine(_pkiRoot, "client-trusted") },
+                RejectedCertificateStore = new CertificateTrustList { StoreType = CertificateStoreType.Directory, StorePath = Path.Combine(_pkiRoot, "client-rejected") },
+                AutoAcceptUntrustedCertificates = true,
+                AddAppCertToTrustedStore = true,
+            },
+            TransportConfigurations = new TransportConfigurationCollection(),
+            TransportQuotas = new TransportQuotas { OperationTimeout = 15000 },
+            ClientConfiguration = new ClientConfiguration { DefaultSessionTimeout = 60000 },
+        };
+        await cfg.Validate(ApplicationType.Client);
+        cfg.CertificateValidator.CertificateValidation += (_, e) => e.Accept = true;
+
+        var instance = new ApplicationInstance { ApplicationConfiguration = cfg, ApplicationType = ApplicationType.Client };
+        await instance.CheckApplicationInstanceCertificate(true, CertificateFactory.DefaultKeySize);
+
+        var selected = CoreClientUtils.SelectEndpoint(cfg, _endpoint, useSecurity: false);
+        var endpointConfig = EndpointConfiguration.Create(cfg);
+        var configuredEndpoint = new ConfiguredEndpoint(null, selected, endpointConfig);
+
+        return await Session.Create(cfg, configuredEndpoint, false, "OtOpcUaHistoryTestClientSession", 60000,
+            new UserIdentity(new AnonymousIdentityToken()), null);
+    }
+
+    /// <summary>
+    ///     Stub driver that implements <see cref="IHistoryProvider"/> so the service dispatch
+    ///     can be verified without bringing up a real Galaxy or Historian. Captures the last-
+    ///     seen arguments so tests can assert what the service handler forwarded.
+    /// </summary>
+    private sealed class HistoryDriver : IDriver, ITagDiscovery, IReadable, IHistoryProvider
+    {
+        public string DriverInstanceId => "history-driver";
+        public string DriverType => "HistoryStub";
+
+        public int RawSamplesReturned => 3;
+        public int FirstRawValue => 100;
+        public int EventsReturned => 2;
+
+        public HistoryAggregateType? LastProcessedAggregate { get; private set; }
+        public TimeSpan? LastProcessedInterval { get; private set; }
+        public IReadOnlyList<DateTime>? LastAtTimeRequestedTimes { get; private set; }
+
+        public Task InitializeAsync(string driverConfigJson, CancellationToken ct) => Task.CompletedTask;
+        public Task ReinitializeAsync(string driverConfigJson, CancellationToken ct) => Task.CompletedTask;
+        public Task ShutdownAsync(CancellationToken ct) => Task.CompletedTask;
+        public DriverHealth GetHealth() => new(DriverState.Healthy, DateTime.UtcNow, null);
+        public long GetMemoryFootprint() => 0;
+        public Task FlushOptionalCachesAsync(CancellationToken ct) => Task.CompletedTask;
+
+        public Task DiscoverAsync(IAddressSpaceBuilder builder, CancellationToken ct)
+        {
+            // Every variable must be Historized for HistoryRead to route — the node-manager's
+            // stack base class checks the bit before dispatching.
+            builder.Variable("raw", "raw",
+                new DriverAttributeInfo("raw.var", DriverDataType.Int32, false, null,
+                    SecurityClassification.FreeAccess, IsHistorized: true, IsAlarm: false));
+            builder.Variable("proc", "proc",
+                new DriverAttributeInfo("proc.var", DriverDataType.Float64, false, null,
+                    SecurityClassification.FreeAccess, IsHistorized: true, IsAlarm: false));
+            builder.Variable("atTime", "atTime",
+                new DriverAttributeInfo("atTime.var", DriverDataType.Int32, false, null,
+                    SecurityClassification.FreeAccess, IsHistorized: true, IsAlarm: false));
+            return Task.CompletedTask;
+        }
+
+        public Task<IReadOnlyList<DataValueSnapshot>> ReadAsync(
+            IReadOnlyList<string> fullReferences, CancellationToken cancellationToken)
+        {
+            var now = DateTime.UtcNow;
+            IReadOnlyList<DataValueSnapshot> r =
+                [.. fullReferences.Select(_ => new DataValueSnapshot(0, 0u, now, now))];
+            return Task.FromResult(r);
+        }
+
+        public Task<DriverHistoryReadResult> ReadRawAsync(
+            string fullReference, DateTime startUtc, DateTime endUtc, uint maxValuesPerNode,
+            CancellationToken cancellationToken)
+        {
+            var samples = new List<DataValueSnapshot>();
+            for (var i = 0; i < RawSamplesReturned; i++)
+            {
+                samples.Add(new DataValueSnapshot(
+                    Value: FirstRawValue + i,
+                    StatusCode: StatusCodes.Good,
+                    SourceTimestampUtc: startUtc.AddSeconds(i),
+                    ServerTimestampUtc: startUtc.AddSeconds(i)));
+            }
+            return Task.FromResult(new DriverHistoryReadResult(samples, null));
+        }
+
+        public Task<DriverHistoryReadResult> ReadProcessedAsync(
+            string fullReference, DateTime startUtc, DateTime endUtc, TimeSpan interval,
+            HistoryAggregateType aggregate, CancellationToken cancellationToken)
+        {
+            LastProcessedAggregate = aggregate;
+            LastProcessedInterval = interval;
+            return Task.FromResult(new DriverHistoryReadResult(
+                [new DataValueSnapshot(1.0, StatusCodes.Good, startUtc, startUtc)],
+                null));
+        }
+
+        public Task<DriverHistoryReadResult> ReadAtTimeAsync(
+            string fullReference, IReadOnlyList<DateTime> timestampsUtc,
+            CancellationToken cancellationToken)
+        {
+            LastAtTimeRequestedTimes = timestampsUtc;
+            var samples = timestampsUtc
+                .Select(t => new DataValueSnapshot(42, StatusCodes.Good, t, t))
+                .ToArray();
+            return Task.FromResult(new DriverHistoryReadResult(samples, null));
+        }
+
+        public Task<HistoricalEventsResult> ReadEventsAsync(
+            string? sourceName, DateTime startUtc, DateTime endUtc, int maxEvents,
+            CancellationToken cancellationToken)
+        {
+            var events = new List<HistoricalEvent>();
+            for (var i = 0; i < EventsReturned; i++)
+            {
+                events.Add(new HistoricalEvent(
+                    EventId: $"e{i}",
+                    SourceName: sourceName,
+                    EventTimeUtc: startUtc.AddHours(i),
+                    ReceivedTimeUtc: startUtc.AddHours(i).AddSeconds(1),
+                    Message: $"Event {i}",
+                    Severity: (ushort)(500 + i)));
+            }
+            return Task.FromResult(new HistoricalEventsResult(events, null));
+        }
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Server.Tests/HostStatusPublisherTests.cs

@@ -0,0 +1,197 @@
+using Microsoft.EntityFrameworkCore;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging.Abstractions;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Configuration;
+using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Core.Hosting;
+using ZB.MOM.WW.OtOpcUa.Server;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.Tests;
+
+[Trait("Category", "Integration")]
+public sealed class HostStatusPublisherTests : IDisposable
+{
+    private const string DefaultServer = "localhost,14330";
+    private const string DefaultSaPassword = "OtOpcUaDev_2026!";
+
+    private readonly string _databaseName = $"OtOpcUaPublisher_{Guid.NewGuid():N}";
+    private readonly string _connectionString;
+    private readonly ServiceProvider _sp;
+
+    public HostStatusPublisherTests()
+    {
+        var server = Environment.GetEnvironmentVariable("OTOPCUA_CONFIG_TEST_SERVER") ?? DefaultServer;
+        var password = Environment.GetEnvironmentVariable("OTOPCUA_CONFIG_TEST_SA_PASSWORD") ?? DefaultSaPassword;
+        _connectionString =
+            $"Server={server};Database={_databaseName};User Id=sa;Password={password};TrustServerCertificate=True;Encrypt=False;";
+
+        var services = new ServiceCollection();
+        services.AddLogging();
+        services.AddDbContext<OtOpcUaConfigDbContext>(o => o.UseSqlServer(_connectionString));
+        _sp = services.BuildServiceProvider();
+
+        using var scope = _sp.CreateScope();
+        scope.ServiceProvider.GetRequiredService<OtOpcUaConfigDbContext>().Database.Migrate();
+    }
+
+    public void Dispose()
+    {
+        _sp.Dispose();
+        using var conn = new Microsoft.Data.SqlClient.SqlConnection(
+            new Microsoft.Data.SqlClient.SqlConnectionStringBuilder(_connectionString) { InitialCatalog = "master" }.ConnectionString);
+        conn.Open();
+        using var cmd = conn.CreateCommand();
+        cmd.CommandText = $@"
+IF DB_ID(N'{_databaseName}') IS NOT NULL
+BEGIN
+    ALTER DATABASE [{_databaseName}] SET SINGLE_USER WITH ROLLBACK IMMEDIATE;
+    DROP DATABASE [{_databaseName}];
+END";
+        cmd.ExecuteNonQuery();
+    }
+
+    [Fact]
+    public async Task Publisher_upserts_one_row_per_host_reported_by_each_probe_driver()
+    {
+        var driverHost = new DriverHost();
+        await driverHost.RegisterAsync(new ProbeStubDriver("driver-a",
+            new HostConnectivityStatus("HostA1", HostState.Running, DateTime.UtcNow),
+            new HostConnectivityStatus("HostA2", HostState.Stopped, DateTime.UtcNow)),
+            "{}", CancellationToken.None);
+        await driverHost.RegisterAsync(new NonProbeStubDriver("driver-no-probe"), "{}", CancellationToken.None);
+
+        var nodeOptions = NewNodeOptions("node-a");
+        var publisher = new HostStatusPublisher(driverHost, nodeOptions, _sp.GetRequiredService<IServiceScopeFactory>(),
+            NullLogger<HostStatusPublisher>.Instance);
+
+        await publisher.PublishOnceAsync(CancellationToken.None);
+
+        using var scope = _sp.CreateScope();
+        var db = scope.ServiceProvider.GetRequiredService<OtOpcUaConfigDbContext>();
+        var rows = await db.DriverHostStatuses.AsNoTracking().ToListAsync();
+
+        rows.Count.ShouldBe(2, "driver-no-probe doesn't implement IHostConnectivityProbe — no rows for it");
+        rows.ShouldContain(r => r.HostName == "HostA1" && r.State == DriverHostState.Running && r.DriverInstanceId == "driver-a");
+        rows.ShouldContain(r => r.HostName == "HostA2" && r.State == DriverHostState.Stopped && r.DriverInstanceId == "driver-a");
+        rows.ShouldAllBe(r => r.NodeId == "node-a");
+    }
+
+    [Fact]
+    public async Task Second_tick_updates_LastSeenUtc_without_creating_duplicate_rows()
+    {
+        var driver = new ProbeStubDriver("driver-x",
+            new HostConnectivityStatus("HostX", HostState.Running, DateTime.UtcNow));
+        var driverHost = new DriverHost();
+        await driverHost.RegisterAsync(driver, "{}", CancellationToken.None);
+
+        var publisher = new HostStatusPublisher(driverHost, NewNodeOptions("node-x"),
+            _sp.GetRequiredService<IServiceScopeFactory>(),
+            NullLogger<HostStatusPublisher>.Instance);
+
+        await publisher.PublishOnceAsync(CancellationToken.None);
+        var firstSeen = await SingleRowAsync("node-x", "driver-x", "HostX");
+        await Task.Delay(50); // guarantee a later wall-clock value so LastSeenUtc advances
+        await publisher.PublishOnceAsync(CancellationToken.None);
+        var secondSeen = await SingleRowAsync("node-x", "driver-x", "HostX");
+
+        secondSeen.LastSeenUtc.ShouldBeGreaterThan(firstSeen.LastSeenUtc,
+            "heartbeat advances LastSeenUtc so Admin can stale-flag rows from crashed Servers");
+
+        // Still exactly one row — a naive Add-every-tick would have thrown or duplicated.
+        using var scope = _sp.CreateScope();
+        var db = scope.ServiceProvider.GetRequiredService<OtOpcUaConfigDbContext>();
+        (await db.DriverHostStatuses.CountAsync(r => r.NodeId == "node-x")).ShouldBe(1);
+    }
+
+    [Fact]
+    public async Task State_change_between_ticks_updates_State_and_StateChangedUtc()
+    {
+        var driver = new ProbeStubDriver("driver-y",
+            new HostConnectivityStatus("HostY", HostState.Running, DateTime.UtcNow.AddSeconds(-10)));
+        var driverHost = new DriverHost();
+        await driverHost.RegisterAsync(driver, "{}", CancellationToken.None);
+
+        var publisher = new HostStatusPublisher(driverHost, NewNodeOptions("node-y"),
+            _sp.GetRequiredService<IServiceScopeFactory>(),
+            NullLogger<HostStatusPublisher>.Instance);
+
+        await publisher.PublishOnceAsync(CancellationToken.None);
+        var before = await SingleRowAsync("node-y", "driver-y", "HostY");
+
+        // Swap the driver's reported state to Faulted with a newer transition timestamp.
+        var newChange = DateTime.UtcNow;
+        driver.Statuses = [new HostConnectivityStatus("HostY", HostState.Faulted, newChange)];
+        await publisher.PublishOnceAsync(CancellationToken.None);
+
+        var after = await SingleRowAsync("node-y", "driver-y", "HostY");
+        after.State.ShouldBe(DriverHostState.Faulted);
+        // datetime2(3) has millisecond precision — DateTime.UtcNow carries up to 100ns ticks,
+        // so the stored value rounds down. Compare at millisecond granularity to stay clean.
+        after.StateChangedUtc.ShouldBe(newChange, tolerance: TimeSpan.FromMilliseconds(1));
+        after.StateChangedUtc.ShouldBeGreaterThan(before.StateChangedUtc,
+            "StateChangedUtc must advance when the state actually changed");
+        before.State.ShouldBe(DriverHostState.Running);
+    }
+
+    [Fact]
+    public void MapState_translates_every_HostState_member()
+    {
+        HostStatusPublisher.MapState(HostState.Running).ShouldBe(DriverHostState.Running);
+        HostStatusPublisher.MapState(HostState.Stopped).ShouldBe(DriverHostState.Stopped);
+        HostStatusPublisher.MapState(HostState.Faulted).ShouldBe(DriverHostState.Faulted);
+        HostStatusPublisher.MapState(HostState.Unknown).ShouldBe(DriverHostState.Unknown);
+    }
+
+    private async Task<Configuration.Entities.DriverHostStatus> SingleRowAsync(string node, string driver, string host)
+    {
+        using var scope = _sp.CreateScope();
+        var db = scope.ServiceProvider.GetRequiredService<OtOpcUaConfigDbContext>();
+        return await db.DriverHostStatuses.AsNoTracking()
+            .SingleAsync(r => r.NodeId == node && r.DriverInstanceId == driver && r.HostName == host);
+    }
+
+    private static NodeOptions NewNodeOptions(string nodeId) => new()
+    {
+        NodeId = nodeId,
+        ClusterId = "cluster-t",
+        ConfigDbConnectionString = "unused-publisher-gets-db-from-scope",
+    };
+
+    private sealed class ProbeStubDriver(string id, params HostConnectivityStatus[] initial)
+        : IDriver, IHostConnectivityProbe
+    {
+        public HostConnectivityStatus[] Statuses { get; set; } = initial;
+        public string DriverInstanceId => id;
+        public string DriverType => "ProbeStub";
+
+        public event EventHandler<HostStatusChangedEventArgs>? OnHostStatusChanged;
+
+        public Task InitializeAsync(string driverConfigJson, CancellationToken ct) => Task.CompletedTask;
+        public Task ReinitializeAsync(string driverConfigJson, CancellationToken ct) => Task.CompletedTask;
+        public Task ShutdownAsync(CancellationToken ct) => Task.CompletedTask;
+        public DriverHealth GetHealth() => new(DriverState.Healthy, DateTime.UtcNow, null);
+        public long GetMemoryFootprint() => 0;
+        public Task FlushOptionalCachesAsync(CancellationToken ct) => Task.CompletedTask;
+
+        public IReadOnlyList<HostConnectivityStatus> GetHostStatuses() => Statuses;
+
+        // Keeps the compiler happy — event is part of the interface contract even if unused here.
+        internal void Raise(HostStatusChangedEventArgs e) => OnHostStatusChanged?.Invoke(this, e);
+    }
+
+    private sealed class NonProbeStubDriver(string id) : IDriver
+    {
+        public string DriverInstanceId => id;
+        public string DriverType => "NonProbeStub";
+
+        public Task InitializeAsync(string driverConfigJson, CancellationToken ct) => Task.CompletedTask;
+        public Task ReinitializeAsync(string driverConfigJson, CancellationToken ct) => Task.CompletedTask;
+        public Task ShutdownAsync(CancellationToken ct) => Task.CompletedTask;
+        public DriverHealth GetHealth() => new(DriverState.Healthy, DateTime.UtcNow, null);
+        public long GetMemoryFootprint() => 0;
+        public Task FlushOptionalCachesAsync(CancellationToken ct) => Task.CompletedTask;
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Server.Tests/LdapUserAuthenticatorAdCompatTests.cs

@@ -0,0 +1,67 @@
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Server.Security;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.Tests;
+
+/// <summary>
+///     Deterministic guards for Active Directory compatibility of the internal helpers
+///     <see cref="LdapUserAuthenticator"/> relies on. We can't live-bind against AD in unit
+///     tests — instead, we pin the behaviors AD depends on (DN-parsing of AD-style
+///     <c>memberOf</c> values, filter escaping with case-preserving RDN extraction) so a
+///     future refactor can't silently break the AD path while the GLAuth live-smoke stays
+///     green.
+/// </summary>
+[Trait("Category", "Unit")]
+public sealed class LdapUserAuthenticatorAdCompatTests
+{
+    [Fact]
+    public void ExtractFirstRdnValue_parses_AD_memberOf_group_name_from_CN_dn()
+    {
+        // AD's memberOf values use uppercase CN=… and full domain paths. The extractor
+        // returns the first RDN's value regardless of attribute-type case, so operators'
+        // GroupToRole keys stay readable ("OPCUA-Operators" not "CN=OPCUA-Operators,...").
+        var dn = "CN=OPCUA-Operators,OU=OPC UA Security Groups,OU=Groups,DC=corp,DC=example,DC=com";
+        LdapUserAuthenticator.ExtractFirstRdnValue(dn).ShouldBe("OPCUA-Operators");
+    }
+
+    [Fact]
+    public void ExtractFirstRdnValue_handles_mixed_case_and_spaces_in_group_name()
+    {
+        var dn = "CN=Domain Users,CN=Users,DC=corp,DC=example,DC=com";
+        LdapUserAuthenticator.ExtractFirstRdnValue(dn).ShouldBe("Domain Users");
+    }
+
+    [Fact]
+    public void ExtractFirstRdnValue_also_works_for_OpenLDAP_ou_style_memberOf()
+    {
+        // GLAuth + some OpenLDAP deployments expose memberOf as ou=<group>,ou=groups,...
+        // The authenticator needs one extractor that tolerates both shapes since directories
+        // in the field mix them depending on schema.
+        var dn = "ou=WriteOperate,ou=groups,dc=lmxopcua,dc=local";
+        LdapUserAuthenticator.ExtractFirstRdnValue(dn).ShouldBe("WriteOperate");
+    }
+
+    [Fact]
+    public void EscapeLdapFilter_prevents_injection_via_samaccountname_lookup()
+    {
+        // AD login names can contain characters that are meaningful to LDAP filter syntax
+        // (parens, backslashes). The authenticator builds filters as
+        // ($"({UserNameAttribute}={EscapeLdapFilter(username)})") so injection attempts must
+        // not break out of the filter. The RFC 4515 escape set is: \ → \5c, * → \2a, ( → \28,
+        // ) → \29, \0 → \00.
+        LdapUserAuthenticator.EscapeLdapFilter("admin)(cn=*")
+            .ShouldBe("admin\\29\\28cn=\\2a");
+        LdapUserAuthenticator.EscapeLdapFilter("domain\\user")
+            .ShouldBe("domain\\5cuser");
+    }
+
+    [Fact]
+    public void LdapOptions_default_UserNameAttribute_is_uid_for_rfc2307_compat()
+    {
+        // Regression guard: PR 31 introduced UserNameAttribute with a default of "uid" so
+        // existing deployments (pre-AD config) keep working. Changing the default breaks
+        // everyone's config silently; require an explicit review.
+        new LdapOptions().UserNameAttribute.ShouldBe("uid");
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Server.Tests/LdapUserAuthenticatorLiveTests.cs

@@ -0,0 +1,154 @@
+using System.Net.Sockets;
+using Microsoft.Extensions.Logging.Abstractions;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Server.Security;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.Tests;
+
+/// <summary>
+///     Live-service tests against the dev GLAuth instance at <c>localhost:3893</c>. Skipped
+///     when the port is unreachable so the test suite stays portable on boxes without a
+///     running directory. Closes LMX follow-up #4 — the server-side <see cref="LdapUserAuthenticator"/>
+///     is exercised end-to-end against a real LDAP server (same one the Admin process uses),
+///     not just the flow-shape unit tests from PR 19.
+/// </summary>
+/// <remarks>
+///     The <c>Admin.Tests</c> project already has a live-bind test for its own
+///     <c>LdapAuthService</c>; this pair catches divergence between the two bind paths — the
+///     Server authenticator has to work even when the Server process is on a machine that
+///     doesn't have the Admin assemblies loaded, and the two share no code by design
+///     (cross-app dependency avoidance). If one side drifts past the other on LDAP filter
+///     construction, DN resolution, or memberOf parsing, these tests surface it.
+/// </remarks>
+[Trait("Category", "LiveLdap")]
+public sealed class LdapUserAuthenticatorLiveTests
+{
+    private const string GlauthHost = "localhost";
+    private const int GlauthPort = 3893;
+
+    private static bool GlauthReachable()
+    {
+        try
+        {
+            using var client = new TcpClient();
+            var task = client.ConnectAsync(GlauthHost, GlauthPort);
+            return task.Wait(TimeSpan.FromSeconds(1)) && client.Connected;
+        }
+        catch { return false; }
+    }
+
+    // GLAuth dev directory groups are named identically to the OPC UA roles
+    // (ReadOnly / WriteOperate / WriteTune / WriteConfigure / AlarmAck), so the map is an
+    // identity translation. The authenticator still exercises every step of the pipeline —
+    // bind, memberOf lookup, group-name extraction, GroupToRole lookup — against real LDAP
+    // data; the identity map just means the assertion is phrased with no surprise rename
+    // in the middle.
+    private static LdapOptions GlauthOptions() => new()
+    {
+        Enabled = true,
+        Server = GlauthHost,
+        Port = GlauthPort,
+        UseTls = false,
+        AllowInsecureLdap = true,
+        SearchBase = "dc=lmxopcua,dc=local",
+        // Search-then-bind: service account resolves the user's full DN (cn=<user> lives
+        // under ou=<primary-group>,ou=users), the authenticator binds that DN with the
+        // user's password, then stays on the service-account session for memberOf lookup.
+        // Without this path, GLAuth ACLs block the authenticated user from reading their
+        // own entry in full — a plain self-search returns zero results and the role list
+        // ends up empty.
+        ServiceAccountDn = "cn=serviceaccount,dc=lmxopcua,dc=local",
+        ServiceAccountPassword = "serviceaccount123",
+        DisplayNameAttribute = "cn",
+        GroupAttribute = "memberOf",
+        UserNameAttribute = "cn", // GLAuth keys users by cn — see LdapOptions xml-doc.
+        GroupToRole = new(StringComparer.OrdinalIgnoreCase)
+        {
+            ["ReadOnly"] = "ReadOnly",
+            ["WriteOperate"] = WriteAuthzPolicy.RoleWriteOperate,
+            ["WriteTune"] = WriteAuthzPolicy.RoleWriteTune,
+            ["WriteConfigure"] = WriteAuthzPolicy.RoleWriteConfigure,
+            ["AlarmAck"] = "AlarmAck",
+        },
+    };
+
+    private static LdapUserAuthenticator NewAuthenticator() =>
+        new(GlauthOptions(), NullLogger<LdapUserAuthenticator>.Instance);
+
+    [Fact]
+    public async Task Valid_credentials_bind_and_return_success()
+    {
+        if (!GlauthReachable()) Assert.Skip("GLAuth unreachable at localhost:3893 — start the dev directory to run this test.");
+
+        var result = await NewAuthenticator().AuthenticateAsync("readonly", "readonly123", TestContext.Current.CancellationToken);
+
+        result.Success.ShouldBeTrue(result.Error);
+        result.DisplayName.ShouldNotBeNullOrEmpty();
+    }
+
+    [Fact]
+    public async Task Writeop_user_gets_WriteOperate_role_from_group_mapping()
+    {
+        // Drives end-to-end: bind as writeop, memberOf lists the WriteOperate group, the
+        // authenticator surfaces WriteOperate via GroupToRole. If this test fails,
+        // WriteAuthzPolicy.IsAllowed for an Operate-tier write would also fail
+        // (WriteOperate is the exact string the policy checks for), so the failure mode is
+        // concrete, not abstract.
+        if (!GlauthReachable()) Assert.Skip("GLAuth unreachable at localhost:3893 — start the dev directory to run this test.");
+
+        var result = await NewAuthenticator().AuthenticateAsync("writeop", "writeop123", TestContext.Current.CancellationToken);
+
+        result.Success.ShouldBeTrue(result.Error);
+        result.Roles.ShouldContain(WriteAuthzPolicy.RoleWriteOperate);
+    }
+
+    [Fact]
+    public async Task Admin_user_gets_multiple_roles_from_multiple_groups()
+    {
+        if (!GlauthReachable()) Assert.Skip("GLAuth unreachable at localhost:3893 — start the dev directory to run this test.");
+
+        // 'admin' has primarygroup=ReadOnly and othergroups=[WriteOperate, AlarmAck,
+        // WriteTune, WriteConfigure] per the GLAuth dev config — the authenticator must
+        // surface every mapped role, not just the primary group. Guards against a regression
+        // where the memberOf parsing stops after the first match or misses the primary-group
+        // fallback.
+        var result = await NewAuthenticator().AuthenticateAsync("admin", "admin123", TestContext.Current.CancellationToken);
+
+        result.Success.ShouldBeTrue(result.Error);
+        result.Roles.ShouldContain(WriteAuthzPolicy.RoleWriteOperate);
+        result.Roles.ShouldContain(WriteAuthzPolicy.RoleWriteTune);
+        result.Roles.ShouldContain(WriteAuthzPolicy.RoleWriteConfigure);
+        result.Roles.ShouldContain("AlarmAck");
+    }
+
+    [Fact]
+    public async Task Wrong_password_returns_failure()
+    {
+        if (!GlauthReachable()) Assert.Skip("GLAuth unreachable at localhost:3893 — start the dev directory to run this test.");
+
+        var result = await NewAuthenticator().AuthenticateAsync("readonly", "wrong-pw", TestContext.Current.CancellationToken);
+
+        result.Success.ShouldBeFalse();
+        result.Error.ShouldNotBeNullOrEmpty();
+    }
+
+    [Fact]
+    public async Task Unknown_user_returns_failure()
+    {
+        if (!GlauthReachable()) Assert.Skip("GLAuth unreachable at localhost:3893 — start the dev directory to run this test.");
+
+        var result = await NewAuthenticator().AuthenticateAsync("no-such-user-42", "whatever", TestContext.Current.CancellationToken);
+
+        result.Success.ShouldBeFalse();
+    }
+
+    [Fact]
+    public async Task Empty_credentials_fail_without_touching_the_directory()
+    {
+        // Pre-flight guard — doesn't require GLAuth.
+        var result = await NewAuthenticator().AuthenticateAsync("", "", TestContext.Current.CancellationToken);
+        result.Success.ShouldBeFalse();
+        result.Error.ShouldContain("Credentials", Case.Insensitive);
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Server.Tests/MultipleDriverInstancesIntegrationTests.cs

@@ -0,0 +1,191 @@
+using Microsoft.Extensions.Logging.Abstractions;
+using Opc.Ua;
+using Opc.Ua.Client;
+using Opc.Ua.Configuration;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Core.Hosting;
+using ZB.MOM.WW.OtOpcUa.Server.OpcUa;
+using ZB.MOM.WW.OtOpcUa.Server.Security;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.Tests;
+
+/// <summary>
+///     Closes LMX follow-up #6 — proves that two <see cref="IDriver"/> instances registered
+///     on the same <see cref="DriverHost"/> land in isolated namespaces and their reads
+///     route to the correct driver. The existing <see cref="OpcUaServerIntegrationTests"/>
+///     only exercises a single-driver topology; this sibling fixture registers two.
+/// </summary>
+/// <remarks>
+///     Each driver gets its own namespace URI of the form <c>urn:OtOpcUa:{DriverInstanceId}</c>
+///     (per <c>DriverNodeManager</c>'s base-class <c>namespaceUris</c> argument). A client
+///     that browses one namespace must see only that driver's subtree, and a read against a
+///     variable in one namespace must return that driver's value, not the other's — this is
+///     what stops a cross-driver routing regression from going unnoticed when the v1
+///     single-driver code path gets new knobs.
+/// </remarks>
+[Trait("Category", "Integration")]
+public sealed class MultipleDriverInstancesIntegrationTests : IAsyncLifetime
+{
+    private static readonly int Port = 48500 + Random.Shared.Next(0, 99);
+    private readonly string _endpoint = $"opc.tcp://localhost:{Port}/OtOpcUaMultiDriverTest";
+    private readonly string _pkiRoot = Path.Combine(Path.GetTempPath(), $"otopcua-multi-{Guid.NewGuid():N}");
+
+    private DriverHost _driverHost = null!;
+    private OpcUaApplicationHost _server = null!;
+
+    public async ValueTask InitializeAsync()
+    {
+        _driverHost = new DriverHost();
+        await _driverHost.RegisterAsync(new StubDriver("alpha", folderName: "AlphaFolder", readValue: 42),
+            "{}", CancellationToken.None);
+        await _driverHost.RegisterAsync(new StubDriver("beta", folderName: "BetaFolder", readValue: 99),
+            "{}", CancellationToken.None);
+
+        var options = new OpcUaServerOptions
+        {
+            EndpointUrl = _endpoint,
+            ApplicationName = "OtOpcUaMultiDriverTest",
+            ApplicationUri = "urn:OtOpcUa:Server:MultiDriverTest",
+            PkiStoreRoot = _pkiRoot,
+            AutoAcceptUntrustedClientCertificates = true,
+        };
+
+        _server = new OpcUaApplicationHost(options, _driverHost, new DenyAllUserAuthenticator(),
+            NullLoggerFactory.Instance, NullLogger<OpcUaApplicationHost>.Instance);
+        await _server.StartAsync(CancellationToken.None);
+    }
+
+    public async ValueTask DisposeAsync()
+    {
+        await _server.DisposeAsync();
+        await _driverHost.DisposeAsync();
+        try { Directory.Delete(_pkiRoot, recursive: true); } catch { /* best-effort */ }
+    }
+
+    [Fact]
+    public async Task Both_drivers_register_under_their_own_urn_namespace()
+    {
+        using var session = await OpenSessionAsync();
+
+        var alphaNs = session.NamespaceUris.GetIndex("urn:OtOpcUa:alpha");
+        var betaNs = session.NamespaceUris.GetIndex("urn:OtOpcUa:beta");
+
+        alphaNs.ShouldBeGreaterThanOrEqualTo(0, "DriverNodeManager for 'alpha' must register its namespace URI");
+        betaNs.ShouldBeGreaterThanOrEqualTo(0, "DriverNodeManager for 'beta' must register its namespace URI");
+        alphaNs.ShouldNotBe(betaNs, "each driver owns its own namespace");
+    }
+
+    [Fact]
+    public async Task Each_driver_subtree_exposes_only_its_own_folder()
+    {
+        using var session = await OpenSessionAsync();
+
+        var alphaNs = (ushort)session.NamespaceUris.GetIndex("urn:OtOpcUa:alpha");
+        var betaNs = (ushort)session.NamespaceUris.GetIndex("urn:OtOpcUa:beta");
+
+        var alphaRoot = new NodeId("alpha", alphaNs);
+        session.Browse(null, null, alphaRoot, 0, BrowseDirection.Forward, ReferenceTypeIds.HierarchicalReferences,
+            true, (uint)NodeClass.Object | (uint)NodeClass.Variable, out _, out var alphaRefs);
+        alphaRefs.ShouldContain(r => r.BrowseName.Name == "AlphaFolder",
+            "alpha's subtree must contain alpha's folder");
+        alphaRefs.ShouldNotContain(r => r.BrowseName.Name == "BetaFolder",
+            "alpha's subtree must NOT see beta's folder — cross-driver leak would hide subscription-routing bugs");
+
+        var betaRoot = new NodeId("beta", betaNs);
+        session.Browse(null, null, betaRoot, 0, BrowseDirection.Forward, ReferenceTypeIds.HierarchicalReferences,
+            true, (uint)NodeClass.Object | (uint)NodeClass.Variable, out _, out var betaRefs);
+        betaRefs.ShouldContain(r => r.BrowseName.Name == "BetaFolder");
+        betaRefs.ShouldNotContain(r => r.BrowseName.Name == "AlphaFolder");
+    }
+
+    [Fact]
+    public async Task Reads_route_to_the_correct_driver_by_namespace()
+    {
+        using var session = await OpenSessionAsync();
+
+        var alphaNs = (ushort)session.NamespaceUris.GetIndex("urn:OtOpcUa:alpha");
+        var betaNs = (ushort)session.NamespaceUris.GetIndex("urn:OtOpcUa:beta");
+
+        var alphaValue = session.ReadValue(new NodeId("AlphaFolder.Var1", alphaNs));
+        var betaValue = session.ReadValue(new NodeId("BetaFolder.Var1", betaNs));
+
+        alphaValue.Value.ShouldBe(42, "alpha driver's ReadAsync returns 42 — a misroute would surface as 99");
+        betaValue.Value.ShouldBe(99, "beta driver's ReadAsync returns 99 — a misroute would surface as 42");
+    }
+
+    private async Task<ISession> OpenSessionAsync()
+    {
+        var cfg = new ApplicationConfiguration
+        {
+            ApplicationName = "OtOpcUaMultiDriverTestClient",
+            ApplicationUri = "urn:OtOpcUa:MultiDriverTestClient",
+            ApplicationType = ApplicationType.Client,
+            SecurityConfiguration = new SecurityConfiguration
+            {
+                ApplicationCertificate = new CertificateIdentifier
+                {
+                    StoreType = CertificateStoreType.Directory,
+                    StorePath = Path.Combine(_pkiRoot, "client-own"),
+                    SubjectName = "CN=OtOpcUaMultiDriverTestClient",
+                },
+                TrustedIssuerCertificates = new CertificateTrustList { StoreType = CertificateStoreType.Directory, StorePath = Path.Combine(_pkiRoot, "client-issuers") },
+                TrustedPeerCertificates = new CertificateTrustList { StoreType = CertificateStoreType.Directory, StorePath = Path.Combine(_pkiRoot, "client-trusted") },
+                RejectedCertificateStore = new CertificateTrustList { StoreType = CertificateStoreType.Directory, StorePath = Path.Combine(_pkiRoot, "client-rejected") },
+                AutoAcceptUntrustedCertificates = true,
+                AddAppCertToTrustedStore = true,
+            },
+            TransportConfigurations = new TransportConfigurationCollection(),
+            TransportQuotas = new TransportQuotas { OperationTimeout = 15000 },
+            ClientConfiguration = new ClientConfiguration { DefaultSessionTimeout = 60000 },
+        };
+        await cfg.Validate(ApplicationType.Client);
+        cfg.CertificateValidator.CertificateValidation += (_, e) => e.Accept = true;
+
+        var instance = new ApplicationInstance { ApplicationConfiguration = cfg, ApplicationType = ApplicationType.Client };
+        await instance.CheckApplicationInstanceCertificate(true, CertificateFactory.DefaultKeySize);
+
+        var selected = CoreClientUtils.SelectEndpoint(cfg, _endpoint, useSecurity: false);
+        var endpointConfig = EndpointConfiguration.Create(cfg);
+        var configuredEndpoint = new ConfiguredEndpoint(null, selected, endpointConfig);
+
+        return await Session.Create(cfg, configuredEndpoint, false, "OtOpcUaMultiDriverTestClientSession", 60000,
+            new UserIdentity(new AnonymousIdentityToken()), null);
+    }
+
+    /// <summary>
+    ///     Driver stub that returns a caller-specified folder + variable + read value so two
+    ///     instances in the same server can be told apart at the assertion layer.
+    /// </summary>
+    private sealed class StubDriver(string driverInstanceId, string folderName, int readValue)
+        : IDriver, ITagDiscovery, IReadable
+    {
+        public string DriverInstanceId => driverInstanceId;
+        public string DriverType => "Stub";
+
+        public Task InitializeAsync(string driverConfigJson, CancellationToken ct) => Task.CompletedTask;
+        public Task ReinitializeAsync(string driverConfigJson, CancellationToken ct) => Task.CompletedTask;
+        public Task ShutdownAsync(CancellationToken ct) => Task.CompletedTask;
+        public DriverHealth GetHealth() => new(DriverState.Healthy, DateTime.UtcNow, null);
+        public long GetMemoryFootprint() => 0;
+        public Task FlushOptionalCachesAsync(CancellationToken ct) => Task.CompletedTask;
+
+        public Task DiscoverAsync(IAddressSpaceBuilder builder, CancellationToken ct)
+        {
+            var folder = builder.Folder(folderName, folderName);
+            folder.Variable("Var1", "Var1", new DriverAttributeInfo(
+                $"{folderName}.Var1", DriverDataType.Int32, false, null, SecurityClassification.FreeAccess, false, IsAlarm: false));
+            return Task.CompletedTask;
+        }
+
+        public Task<IReadOnlyList<DataValueSnapshot>> ReadAsync(
+            IReadOnlyList<string> fullReferences, CancellationToken cancellationToken)
+        {
+            var now = DateTime.UtcNow;
+            IReadOnlyList<DataValueSnapshot> result =
+                fullReferences.Select(_ => new DataValueSnapshot(readValue, 0u, now, now)).ToArray();
+            return Task.FromResult(result);
+        }
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Server.Tests/WriteAuthzPolicyTests.cs

@@ -0,0 +1,134 @@
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Server.Security;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.Tests;
+
+[Trait("Category", "Unit")]
+public sealed class WriteAuthzPolicyTests
+{
+    // --- FreeAccess and ViewOnly special-cases ---
+
+    [Fact]
+    public void FreeAccess_allows_write_even_for_empty_role_set()
+    {
+        WriteAuthzPolicy.IsAllowed(SecurityClassification.FreeAccess, []).ShouldBeTrue();
+    }
+
+    [Fact]
+    public void FreeAccess_allows_write_for_arbitrary_roles()
+    {
+        WriteAuthzPolicy.IsAllowed(SecurityClassification.FreeAccess, ["SomeOtherRole"]).ShouldBeTrue();
+    }
+
+    [Fact]
+    public void ViewOnly_denies_write_even_with_every_role()
+    {
+        var allRoles = new[] { "WriteOperate", "WriteTune", "WriteConfigure", "AlarmAck" };
+        WriteAuthzPolicy.IsAllowed(SecurityClassification.ViewOnly, allRoles).ShouldBeFalse();
+    }
+
+    // --- Operate tier ---
+
+    [Fact]
+    public void Operate_requires_WriteOperate_role()
+    {
+        WriteAuthzPolicy.IsAllowed(SecurityClassification.Operate, ["WriteOperate"]).ShouldBeTrue();
+    }
+
+    [Fact]
+    public void Operate_role_match_is_case_insensitive()
+    {
+        WriteAuthzPolicy.IsAllowed(SecurityClassification.Operate, ["writeoperate"]).ShouldBeTrue();
+        WriteAuthzPolicy.IsAllowed(SecurityClassification.Operate, ["WRITEOPERATE"]).ShouldBeTrue();
+    }
+
+    [Fact]
+    public void Operate_denies_empty_role_set()
+    {
+        WriteAuthzPolicy.IsAllowed(SecurityClassification.Operate, []).ShouldBeFalse();
+    }
+
+    [Fact]
+    public void Operate_denies_wrong_role()
+    {
+        WriteAuthzPolicy.IsAllowed(SecurityClassification.Operate, ["ReadOnly"]).ShouldBeFalse();
+    }
+
+    [Fact]
+    public void SecuredWrite_maps_to_same_WriteOperate_requirement_as_Operate()
+    {
+        WriteAuthzPolicy.IsAllowed(SecurityClassification.SecuredWrite, ["WriteOperate"]).ShouldBeTrue();
+        WriteAuthzPolicy.IsAllowed(SecurityClassification.SecuredWrite, ["WriteTune"]).ShouldBeFalse();
+    }
+
+    // --- Tune tier ---
+
+    [Fact]
+    public void Tune_requires_WriteTune_role()
+    {
+        WriteAuthzPolicy.IsAllowed(SecurityClassification.Tune, ["WriteTune"]).ShouldBeTrue();
+    }
+
+    [Fact]
+    public void Tune_denies_WriteOperate_only_session()
+    {
+        // Important: role roles do NOT cascade — a session with WriteOperate can't write a Tune
+        // attribute. Operators escalate by adding WriteTune to the session's roles, not by a
+        // hierarchy the policy infers on its own.
+        WriteAuthzPolicy.IsAllowed(SecurityClassification.Tune, ["WriteOperate"]).ShouldBeFalse();
+    }
+
+    // --- Configure tier ---
+
+    [Fact]
+    public void Configure_requires_WriteConfigure_role()
+    {
+        WriteAuthzPolicy.IsAllowed(SecurityClassification.Configure, ["WriteConfigure"]).ShouldBeTrue();
+    }
+
+    [Fact]
+    public void VerifiedWrite_maps_to_same_WriteConfigure_requirement_as_Configure()
+    {
+        WriteAuthzPolicy.IsAllowed(SecurityClassification.VerifiedWrite, ["WriteConfigure"]).ShouldBeTrue();
+        WriteAuthzPolicy.IsAllowed(SecurityClassification.VerifiedWrite, ["WriteOperate"]).ShouldBeFalse();
+    }
+
+    // --- Multi-role sessions ---
+
+    [Fact]
+    public void Session_with_multiple_roles_is_allowed_when_any_matches()
+    {
+        var roles = new[] { "ReadOnly", "WriteTune", "AlarmAck" };
+        WriteAuthzPolicy.IsAllowed(SecurityClassification.Tune, roles).ShouldBeTrue();
+    }
+
+    [Fact]
+    public void Session_with_only_unrelated_roles_is_denied()
+    {
+        var roles = new[] { "ReadOnly", "AlarmAck", "SomeCustomRole" };
+        WriteAuthzPolicy.IsAllowed(SecurityClassification.Configure, roles).ShouldBeFalse();
+    }
+
+    // --- Mapping table ---
+
+    [Theory]
+    [InlineData(SecurityClassification.Operate, WriteAuthzPolicy.RoleWriteOperate)]
+    [InlineData(SecurityClassification.SecuredWrite, WriteAuthzPolicy.RoleWriteOperate)]
+    [InlineData(SecurityClassification.Tune, WriteAuthzPolicy.RoleWriteTune)]
+    [InlineData(SecurityClassification.VerifiedWrite, WriteAuthzPolicy.RoleWriteConfigure)]
+    [InlineData(SecurityClassification.Configure, WriteAuthzPolicy.RoleWriteConfigure)]
+    public void RequiredRole_returns_expected_role_for_classification(SecurityClassification c, string expected)
+    {
+        WriteAuthzPolicy.RequiredRole(c).ShouldBe(expected);
+    }
+
+    [Theory]
+    [InlineData(SecurityClassification.FreeAccess)]
+    [InlineData(SecurityClassification.ViewOnly)]
+    public void RequiredRole_returns_null_for_special_classifications(SecurityClassification c)
+    {
+        WriteAuthzPolicy.RequiredRole(c).ShouldBeNull();
+    }
+}