Phase 3 PR 32 — Multi-driver integration test. Closes LMX follow-up #6 with Server.Tests/MultipleDriverInstancesIntegrationTests.cs: registers two StubDriver instances (alpha + beta) with distinct DriverInstanceIds on one DriverHost, boots the full OpcUaApplicationHost, and exercises three behaviors end-to-end via a real OPC UA client session. (1) Each driver's namespace URI resolves to a distinct index in the client's NamespaceUris (alpha → urn:OtOpcUa:alpha, beta → urn:OtOpcUa:beta) — proves DriverNodeManager's namespaceUris-per-driver base-ctor wiring actually lands two separate INodeManager registrations. (2) Browsing one subtree returns only that driver's folder; the other driver's folder does NOT leak into the wrong subtree. This is the test that catches a cross-driver routing regression the v1 single-driver code path couldn't surface — if a future refactor flattens both drivers into a shared namespace, the 'shouldNotContain' assertion fails cleanly. (3) Reads route to the owning driver by namespace — alpha's ReadAsync returns 42 while beta's returns 99; a misroute would surface as 99 showing up on an alpha node id or vice versa. StubDriver is parameterized on (DriverInstanceId, folderName, readValue) so the same class constructs both instances without copy-paste.

No production code changes — pure additive test. Server.Tests Integration: 3 new tests pass; existing OpcUaServerIntegrationTests stays green (single-driver case still exercised there). Full Server.Tests Unit still 43 / 0. Deferred: multi-driver alarm-event case (two drivers each raising a GalaxyAlarmEvent, assert each condition lands on its owning instance's condition node) — needs a stub IAlarmSource and is worth its own focused PR.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

ZB.MOM.WW.OtOpcUa.slnx

@@ -24,6 +24,7 @@
         <Project Path="tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.Tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.Tests.csproj"/>
         <Project Path="tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.E2E/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.E2E.csproj"/>
         <Project Path="tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.Tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.Tests.csproj"/>
+        <Project Path="tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests.csproj"/>
         <Project Path="tests/ZB.MOM.WW.OtOpcUa.Client.Shared.Tests/ZB.MOM.WW.OtOpcUa.Client.Shared.Tests.csproj"/>
         <Project Path="tests/ZB.MOM.WW.OtOpcUa.Client.CLI.Tests/ZB.MOM.WW.OtOpcUa.Client.CLI.Tests.csproj"/>
         <Project Path="tests/ZB.MOM.WW.OtOpcUa.Client.UI.Tests/ZB.MOM.WW.OtOpcUa.Client.UI.Tests.csproj"/>

docs/security.md

@@ -348,6 +348,44 @@ The project uses [GLAuth](https://github.com/glauth/glauth) v2.4.0 as the LDAP s
 
 Enable LDAP in `appsettings.json` under `Authentication.Ldap`. See [Configuration Guide](Configuration.md) for the full property reference.
 
+### Active Directory configuration
+
+Production deployments typically point at Active Directory instead of GLAuth. Only four properties differ from the dev defaults: `Server`, `Port`, `UserNameAttribute`, and `ServiceAccountDn`. The same `GroupToRole` mechanism works — map your AD security groups to OPC UA roles.
+
+```json
+{
+  "OpcUaServer": {
+    "Ldap": {
+      "Enabled": true,
+      "Server": "dc01.corp.example.com",
+      "Port": 636,
+      "UseTls": true,
+      "AllowInsecureLdap": false,
+      "SearchBase": "DC=corp,DC=example,DC=com",
+      "ServiceAccountDn": "CN=OpcUaSvc,OU=Service Accounts,DC=corp,DC=example,DC=com",
+      "ServiceAccountPassword": "<from your secret store>",
+      "DisplayNameAttribute": "displayName",
+      "GroupAttribute": "memberOf",
+      "UserNameAttribute": "sAMAccountName",
+      "GroupToRole": {
+        "OPCUA-Operators": "WriteOperate",
+        "OPCUA-Engineers": "WriteConfigure",
+        "OPCUA-AlarmAck": "AlarmAck",
+        "OPCUA-Tuners": "WriteTune"
+      }
+    }
+  }
+}
+```
+
+Notes:
+
+- `UserNameAttribute: "sAMAccountName"` is the critical AD override — the default `uid` is not populated on AD user entries, so the user-DN lookup returns no results without it. Use `userPrincipalName` instead if operators log in with `user@corp.example.com` form.
+- `Port: 636` + `UseTls: true` is required under AD's LDAP-signing enforcement. AD increasingly rejects plain-LDAP bind; set `AllowInsecureLdap: false` to refuse fallback.
+- `ServiceAccountDn` should name a dedicated read-only service principal — not a privileged admin. The account needs read access to user and group entries in the search base.
+- `memberOf` values come back as full DNs like `CN=OPCUA-Operators,OU=OPC UA Security Groups,OU=Groups,DC=corp,DC=example,DC=com`. The authenticator strips the leading `CN=` RDN value so operators configure `GroupToRole` with readable group common-names.
+- Nested group membership is **not** expanded — assign users directly to the role-mapped groups, or pre-flatten membership in AD. `LDAP_MATCHING_RULE_IN_CHAIN` / `tokenGroups` expansion is an authenticator enhancement, not a config change.
+
 ### Security Considerations
 
 - LDAP credentials are transmitted in plaintext over the OPC UA channel unless transport security is enabled. Use `Basic256Sha256-SignAndEncrypt` for production deployments.

docs/v2/lmx-followups.md

@@ -58,18 +58,25 @@ Deferred: flipping `AutoAcceptUntrustedClientCertificates` to `false` as the
 deployment default. That's a production-hardening config change, not a code
 gap — the Admin UI is now ready to be the trust gate.
 
-## 4. Live-LDAP integration test
+## 4. Live-LDAP integration test — **DONE (PR 31)**
 
-**Status**: PR 19 unit-tested the auth-flow shape; the live bind path is
-exercised only by the pre-existing `Admin.Tests/LdapLiveBindTests.cs` which
-uses the same Novell library against a running GLAuth at `localhost:3893`.
+PR 31 shipped `Server.Tests/LdapUserAuthenticatorLiveTests.cs` — 6 live-bind
+tests against the dev GLAuth instance at `localhost:3893`, skipped cleanly
+when the port is unreachable. Covers: valid bind, wrong password, unknown
+user, empty credentials, single-group → WriteOperate mapping, multi-group
+admin user surfacing all mapped roles.
 
-**To do**:
-- Add `OpcUaServerIntegrationTests.Valid_username_authenticates_against_live_ldap`
-  with the same skip-when-unreachable guard.
-- Assert `session.Identity` on the server side carries the expected role
-  after bind — requires exposing a test hook or reading identity from a
-  new `IHostConnectivityProbe`-style "whoami" variable in the address space.
+Also added `UserNameAttribute` to `LdapOptions` (default `uid` for RFC 2307
+compat) so Active Directory deployments can configure `sAMAccountName` /
+`userPrincipalName` without code changes. `LdapUserAuthenticatorAdCompatTests`
+(5 unit guards) pins the AD-shape DN parsing + filter escape behaviors. See
+`docs/security.md` §"Active Directory configuration" for the AD appsettings
+snippet.
+
+Deferred: asserting `session.Identity` end-to-end on the server side (i.e.
+drive a full OPC UA session with username/password, then read an
+`IHostConnectivityProbe`-style "whoami" node to verify the role surfaced).
+That needs a test-only address-space node and is a separate PR.
 
 ## 5. Full Galaxy live-service smoke test against the merged v2 stack
 
@@ -84,18 +91,22 @@ no single end-to-end smoke test.
   subscribes to one of its attributes, writes a value back, and asserts the
   write round-tripped through MXAccess. Skip when ArchestrA isn't running.
 
-## 6. Second driver instance on the same server
+## 6. Second driver instance on the same server — **DONE (PR 32)**
 
-**Status**: `DriverHost.RegisterAsync` supports multiple drivers; the OPC UA
-server creates one `DriverNodeManager` per driver and isolates their
-subtrees under distinct namespace URIs. Not proven with two active
-`GalaxyProxyDriver` instances pointing at different Galaxies.
+`Server.Tests/MultipleDriverInstancesIntegrationTests.cs` registers two
+drivers with distinct `DriverInstanceId`s on one `DriverHost`, spins up the
+full OPC UA server, and asserts three behaviors: (1) each driver's namespace
+URI (`urn:OtOpcUa:{id}`) resolves to a distinct index in the client's
+NamespaceUris, (2) browsing one subtree returns that driver's folder and
+does NOT leak the other driver's folder, (3) reads route to the correct
+driver — the alpha instance returns 42 while beta returns 99, so a misroute
+would surface at the assertion layer.
 
-**To do**:
-- Integration test that registers two driver instances, each with a distinct
-  `DriverInstanceId` + endpoint in its own session, asserts nodes from both
-  appear under the correct subtrees, alarm events land on the correct
-  instance's condition nodes.
+Deferred: the alarm-event multi-driver parity case (two drivers each raising
+a `GalaxyAlarmEvent`, assert each condition lands on its owning instance's
+condition node). Alarm tracking already has its own integration test
+(`AlarmSubscription*`); the multi-driver alarm case would need a stub
+`IAlarmSource` that's worth its own focused PR.
 
 ## 7. Host-status per-AppEngine granularity → Admin UI dashboard
 

docs/v2/modbus-test-plan.md

@@ -6,8 +6,10 @@ routing against a textbook Modbus server. That's necessary but not sufficient: r
 populations disagree with the spec in small, device-specific ways, and a driver that
 passes textbook tests can still misbehave against actual equipment.
 
-This doc is the harness-and-quirks playbook. It's what gets wired up in the
-`tests/Driver.Modbus.IntegrationTests` project when we ship that (PR 26 candidate).
+This doc is the harness-and-quirks playbook. The project it describes lives at
+`tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/` — scaffolded in PR 30 with
+the simulator fixture, DL205 profile stub, and one write/read smoke test. Each
+confirmed DL205 quirk lands in a follow-up PR as a named test in that project.
 
 ## Harness
 
@@ -94,10 +96,13 @@ vendors get promoted into driver defaults or opt-in options:
 
 ## Next concrete PRs
 
-- **PR 26 — Integration test project + DL205 profile scaffold**: creates
-  `tests/Driver.Modbus.IntegrationTests`, imports the ModbusPal profile (or
-  generates it from JSON), adds the fixture with skip-when-unreachable, plus
-  one smoke test that reads a register. No DL205-specific assertions yet — that
-  waits for the user to validate each quirk.
-- **PR 27+**: one PR per confirmed DL205 quirk, landing the named test + any
-  driver-side adjustment (e.g., retry on dropped TxId) needed to pass it.
+- **PR 30 — Integration test project + DL205 profile scaffold** — **DONE**.
+  Shipped `tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests` with
+  `ModbusSimulatorFixture` (TCP-probe, skips with a clear `SkipReason` when the
+  endpoint is unreachable), `DL205/DL205Profile.cs` (tag map stub — one
+  writable holding register at address 100), and `DL205/DL205SmokeTests.cs`
+  (write-then-read round-trip). `ModbusPal/` directory holds the README
+  pointing at the to-be-committed `DL205.xmpp` profile.
+- **PR 31+**: one PR per confirmed DL205 quirk, landing the named test + any
+  driver-side adjustment (e.g., retry on dropped TxId) needed to pass it. Drop
+  the `DL205.xmpp` profile into `ModbusPal/` alongside the first quirk PR.

src/ZB.MOM.WW.OtOpcUa.Admin/Components/Layout/MainLayout.razor

@@ -15,7 +15,7 @@
             <AuthorizeView>
                 <Authorized>
                     <div class="small text-light">
-                        Signed in as <strong>@context.User.Identity?.Name</strong>
+                        Signed in as <a class="text-light" href="/account"><strong>@context.User.Identity?.Name</strong></a>
                     </div>
                     <div class="small text-muted">
                         @string.Join(", ", context.User.Claims.Where(c => c.Type.EndsWith("/role")).Select(c => c.Value))

src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Account.razor

@@ -0,0 +1,129 @@
+@page "/account"
+@attribute [Microsoft.AspNetCore.Authorization.Authorize]
+@using System.Security.Claims
+@using ZB.MOM.WW.OtOpcUa.Admin.Services
+
+<h1 class="mb-4">My account</h1>
+
+<AuthorizeView>
+    <Authorized>
+        @{
+            var username = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value ?? "—";
+            var displayName = context.User.Identity?.Name ?? "—";
+            var roles = context.User.Claims
+                .Where(c => c.Type == ClaimTypes.Role).Select(c => c.Value).ToList();
+            var ldapGroups = context.User.Claims
+                .Where(c => c.Type == "ldap_group").Select(c => c.Value).ToList();
+        }
+
+        <div class="row g-4">
+            <div class="col-md-6">
+                <div class="card">
+                    <div class="card-body">
+                        <h5 class="card-title">Identity</h5>
+                        <dl class="row mb-0">
+                            <dt class="col-sm-4">Username</dt><dd class="col-sm-8"><code>@username</code></dd>
+                            <dt class="col-sm-4">Display name</dt><dd class="col-sm-8">@displayName</dd>
+                        </dl>
+                    </div>
+                </div>
+            </div>
+
+            <div class="col-md-6">
+                <div class="card">
+                    <div class="card-body">
+                        <h5 class="card-title">Admin roles</h5>
+                        @if (roles.Count == 0)
+                        {
+                            <p class="text-muted mb-0">No Admin roles mapped — sign-in would have been blocked, so if you're seeing this, the session claim is likely stale.</p>
+                        }
+                        else
+                        {
+                            <div class="mb-2">
+                                @foreach (var r in roles)
+                                {
+                                    <span class="badge bg-primary me-1">@r</span>
+                                }
+                            </div>
+                            <small class="text-muted">LDAP groups: @(ldapGroups.Count == 0 ? "(none surfaced)" : string.Join(", ", ldapGroups))</small>
+                        }
+                    </div>
+                </div>
+            </div>
+
+            <div class="col-12">
+                <div class="card">
+                    <div class="card-body">
+                        <h5 class="card-title">Capabilities</h5>
+                        <p class="text-muted small">
+                            Each Admin role grants a fixed capability set per <code>admin-ui.md</code> §Admin Roles.
+                            Pages below reflect what this session can access; the route's <code>[Authorize]</code> guard
+                            is the ground truth — this table mirrors it for readability.
+                        </p>
+                        <table class="table table-sm align-middle mb-0">
+                            <thead>
+                                <tr>
+                                    <th>Capability</th>
+                                    <th>Required role(s)</th>
+                                    <th class="text-end">You have it?</th>
+                                </tr>
+                            </thead>
+                            <tbody>
+                            @foreach (var cap in Capabilities)
+                            {
+                                var has = cap.RequiredRoles.Any(r => roles.Contains(r, StringComparer.OrdinalIgnoreCase));
+                                <tr>
+                                    <td>@cap.Name<br /><small class="text-muted">@cap.Description</small></td>
+                                    <td>@string.Join(" or ", cap.RequiredRoles)</td>
+                                    <td class="text-end">
+                                        @if (has)
+                                        {
+                                            <span class="badge bg-success">Yes</span>
+                                        }
+                                        else
+                                        {
+                                            <span class="badge bg-secondary">No</span>
+                                        }
+                                    </td>
+                                </tr>
+                            }
+                            </tbody>
+                        </table>
+                    </div>
+                </div>
+            </div>
+        </div>
+
+        <div class="mt-4">
+            <form method="post" action="/auth/logout">
+                <button class="btn btn-outline-danger" type="submit">Sign out</button>
+            </form>
+        </div>
+    </Authorized>
+</AuthorizeView>
+
+@code {
+    private sealed record Capability(string Name, string Description, string[] RequiredRoles);
+
+    // Kept in sync with Program.cs authorization policies + each page's [Authorize] attribute.
+    // When a new page or policy is added, extend this list so operators can self-service check
+    // whether their session has access without trial-and-error navigation.
+    private static readonly IReadOnlyList<Capability> Capabilities =
+    [
+        new("View clusters + fleet status",
+            "Read-only access to the cluster list, fleet dashboard, and generation history.",
+            [AdminRoles.ConfigViewer, AdminRoles.ConfigEditor, AdminRoles.FleetAdmin]),
+        new("Edit configuration drafts",
+            "Create and edit draft generations, manage namespace bindings and node ACLs. CanEdit policy.",
+            [AdminRoles.ConfigEditor, AdminRoles.FleetAdmin]),
+        new("Publish generations",
+            "Promote a draft to Published — triggers node roll-out. CanPublish policy.",
+            [AdminRoles.FleetAdmin]),
+        new("Manage certificate trust",
+            "Trust rejected client certs + revoke trust. FleetAdmin-only because the trust decision gates OPC UA client access.",
+            [AdminRoles.FleetAdmin]),
+        new("Manage external-ID reservations",
+            "Reserve / release external IDs that map into Galaxy contained names.",
+            [AdminRoles.ConfigEditor, AdminRoles.FleetAdmin]),
+    ];
+}

src/ZB.MOM.WW.OtOpcUa.Server/Security/LdapOptions.cs

@@ -2,11 +2,37 @@ namespace ZB.MOM.WW.OtOpcUa.Server.Security;
 
 /// <summary>
 ///     LDAP settings for the OPC UA server's UserName token validator. Bound from
-///     <c>appsettings.json</c> <c>OpcUaServer:Ldap</c>. Defaults match the GLAuth dev instance
-///     (localhost:3893, dc=lmxopcua,dc=local). Production deployments set <see cref="UseTls"/>
-///     true, populate <see cref="ServiceAccountDn"/> for search-then-bind, and maintain
-///     <see cref="GroupToRole"/> with the real LDAP group names.
+///     <c>appsettings.json</c> <c>OpcUaServer:Ldap</c>. Defaults target the GLAuth dev instance
+///     (localhost:3893, <c>dc=lmxopcua,dc=local</c>) for the stock inner-loop setup. Production
+///     deployments are expected to point at Active Directory; see <see cref="UserNameAttribute"/>
+///     and the per-field xml-docs for the AD-specific overrides.
 /// </summary>
+/// <remarks>
+///     <para><b>Active Directory cheat-sheet</b>:</para>
+///     <list type="bullet">
+///         <item><see cref="Server"/>: one of the domain controllers, or the domain FQDN (will round-robin DCs).</item>
+///         <item><see cref="Port"/>: <c>389</c> (LDAP) or <c>636</c> (LDAPS); use 636 + <see cref="UseTls"/> in production.</item>
+///         <item><see cref="UseTls"/>: <c>true</c>. AD increasingly rejects plain-LDAP bind under LDAP-signing enforcement.</item>
+///         <item><see cref="AllowInsecureLdap"/>: <c>false</c>. Dev escape hatch only.</item>
+///         <item><see cref="SearchBase"/>: <c>DC=corp,DC=example,DC=com</c> — your domain's base DN.</item>
+///         <item><see cref="ServiceAccountDn"/>: a dedicated service principal with read access to user + group entries
+///         (e.g. <c>CN=OpcUaSvc,OU=Service Accounts,DC=corp,DC=example,DC=com</c>). Never a privileged admin.</item>
+///         <item><see cref="UserNameAttribute"/>: <c>sAMAccountName</c> (classic login name) or <c>userPrincipalName</c>
+///         (user@domain form). Default is <c>uid</c> which AD does <b>not</b> populate, so this override is required.</item>
+///         <item><see cref="DisplayNameAttribute"/>: <c>displayName</c> gives the human name; <c>cn</c> works too but is less rich.</item>
+///         <item><see cref="GroupAttribute"/>: <c>memberOf</c> — matches AD's default. Values are full DNs
+///         (<c>CN=&lt;Group&gt;,OU=...,DC=...</c>); the authenticator strips the leading <c>CN=</c> RDN value and uses
+///         that as the lookup key in <see cref="GroupToRole"/>.</item>
+///         <item><see cref="GroupToRole"/>: maps your AD group common-names to OPC UA roles — e.g.
+///         <c>{"OPCUA-Operators" : "WriteOperate", "OPCUA-Engineers" : "WriteConfigure"}</c>.</item>
+///     </list>
+///     <para>
+///         Nested groups are <b>not</b> expanded — AD's <c>tokenGroups</c> / <c>LDAP_MATCHING_RULE_IN_CHAIN</c>
+///         membership-chain filter isn't used. Assign users directly to the role-mapped groups, or pre-flatten
+///         membership in your directory. If nested expansion becomes a requirement, it's an authenticator
+///         enhancement (not a config change).
+///     </para>
+/// </remarks>
 public sealed class LdapOptions
 {
     public bool Enabled { get; init; } = false;
@@ -23,6 +49,20 @@ public sealed class LdapOptions
     public string DisplayNameAttribute { get; init; } = "cn";
     public string GroupAttribute { get; init; } = "memberOf";
 
+    /// <summary>
+    ///     LDAP attribute used to match a login name against user entries in the directory.
+    ///     Defaults to <c>uid</c> (RFC 2307). Common overrides:
+    ///     <list type="bullet">
+    ///         <item><c>sAMAccountName</c> — Active Directory, classic NT-style login names (e.g. <c>jdoe</c>).</item>
+    ///         <item><c>userPrincipalName</c> — Active Directory, email-style (e.g. <c>jdoe@corp.example.com</c>).</item>
+    ///         <item><c>cn</c> — GLAuth + some OpenLDAP deployments where users are keyed by common-name.</item>
+    ///     </list>
+    ///     Used only when <see cref="ServiceAccountDn"/> is non-empty (search-then-bind path) —
+    ///     direct-bind fallback constructs the DN as <c>cn=&lt;name&gt;,&lt;SearchBase&gt;</c>
+    ///     regardless of this setting and is not a production-grade path against AD.
+    /// </summary>
+    public string UserNameAttribute { get; init; } = "uid";
+
     /// <summary>
     ///     LDAP group → OPC UA role. Each authenticated user gets every role whose source group
     ///     is in their membership list. Recognized role names (CLAUDE.md): <c>ReadOnly</c> (browse

src/ZB.MOM.WW.OtOpcUa.Server/Security/LdapUserAuthenticator.cs

@@ -106,7 +106,7 @@ public sealed class LdapUserAuthenticator(LdapOptions options, ILogger<LdapUserA
         {
             await Task.Run(() => conn.Bind(options.ServiceAccountDn, options.ServiceAccountPassword), ct);
 
-            var filter = $"(uid={EscapeLdapFilter(username)})";
+            var filter = $"({options.UserNameAttribute}={EscapeLdapFilter(username)})";
             var results = await Task.Run(() =>
                 conn.Search(options.SearchBase, LdapConnection.ScopeSub, filter, ["dn"], false), ct);
 

tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/DL205/DL205Profile.cs

@@ -0,0 +1,45 @@
+namespace ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests.DL205;
+
+/// <summary>
+///     Tag map for the AutomationDirect DL205 device class. Mirrors what the ModbusPal
+///     <c>.xmpp</c> profile in <c>ModbusPal/DL205.xmpp</c> exposes (or the real PLC, when
+///     <see cref="ModbusSimulatorFixture"/> is pointed at one).
+/// </summary>
+/// <remarks>
+///     This is the scaffold — each tag is deliberately generic so the smoke test has stable
+///     addresses to read. Device-specific quirk tests (word order, max-register, register-zero
+///     access, etc.) will land in their own test classes alongside this profile as the user
+///     validates each behavior in ModbusPal; see <c>docs/v2/modbus-test-plan.md</c> §per-device
+///     quirk catalog for the checklist.
+/// </remarks>
+public static class DL205Profile
+{
+    /// <summary>Holding register the smoke test reads. Address 100 sidesteps the DL205
+    /// register-zero quirk (pending confirmation) — see modbus-test-plan.md.</summary>
+    public const ushort SmokeHoldingRegister = 100;
+
+    /// <summary>Expected value the ModbusPal profile seeds into register 100. When running
+    /// against a real DL205 (or a ModbusPal profile where this register is writable), the smoke
+    /// test seeds this value first, then reads it back.</summary>
+    public const short SmokeHoldingValue = 1234;
+
+    public static ModbusDriverOptions BuildOptions(string host, int port) => new()
+    {
+        Host = host,
+        Port = port,
+        UnitId = 1,
+        Timeout = TimeSpan.FromSeconds(2),
+        Tags =
+        [
+            new ModbusTagDefinition(
+                Name: "DL205_Smoke_HReg100",
+                Region: ModbusRegion.HoldingRegisters,
+                Address: SmokeHoldingRegister,
+                DataType: ModbusDataType.Int16,
+                Writable: true),
+        ],
+        // Disable the background probe loop — integration tests drive reads explicitly and
+        // the probe would race with assertions.
+        Probe = new ModbusProbeOptions { Enabled = false },
+    };
+}

tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/DL205/DL205SmokeTests.cs

@@ -0,0 +1,53 @@
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests.DL205;
+
+/// <summary>
+///     End-to-end smoke against the DL205 ModbusPal profile (or a real DL205 when
+///     <c>MODBUS_SIM_ENDPOINT</c> points at one). Drives the full <see cref="ModbusDriver"/>
+///     + real <see cref="ModbusTcpTransport"/> stack — no fake transport. Success proves the
+///     driver can initialize against the simulator, write a known value, and read it back
+///     with the correct status and value, which is the baseline every device-quirk test
+///     builds on.
+/// </summary>
+/// <remarks>
+///     Device-specific quirk tests (word order, max-register, register-zero access, exception
+///     code translation, etc.) land as separate test classes in this directory as each quirk
+///     is validated in ModbusPal. Keep this smoke test deliberately narrow — any deviation
+///     the driver hits beyond "happy-path FC16 + FC03 round-trip" belongs in its own named
+///     test so filtering by device class (<c>--filter DisplayName~DL205</c>) surfaces the
+///     quirk-specific failure mode.
+/// </remarks>
+[Collection(ModbusSimulatorCollection.Name)]
+[Trait("Category", "Integration")]
+[Trait("Device", "DL205")]
+public sealed class DL205SmokeTests(ModbusSimulatorFixture sim)
+{
+    [Fact]
+    public async Task DL205_roundtrip_write_then_read_of_holding_register()
+    {
+        if (sim.SkipReason is not null) Assert.Skip(sim.SkipReason);
+
+        var options = DL205Profile.BuildOptions(sim.Host, sim.Port);
+        await using var driver = new ModbusDriver(options, driverInstanceId: "dl205-smoke");
+        await driver.InitializeAsync(driverConfigJson: "{}", TestContext.Current.CancellationToken);
+
+        // Write first so the test is self-contained — ModbusPal's default register bank is
+        // zeroed at simulator start, and tests must not depend on prior-test state per the
+        // test-plan conventions.
+        var writeResults = await driver.WriteAsync(
+            [new(FullReference: "DL205_Smoke_HReg100", Value: (short)DL205Profile.SmokeHoldingValue)],
+            TestContext.Current.CancellationToken);
+        writeResults.Count.ShouldBe(1);
+        writeResults[0].StatusCode.ShouldBe(0u, "write must succeed against the ModbusPal DL205 profile");
+
+        var readResults = await driver.ReadAsync(
+            ["DL205_Smoke_HReg100"],
+            TestContext.Current.CancellationToken);
+        readResults.Count.ShouldBe(1);
+        readResults[0].StatusCode.ShouldBe(0u);
+        readResults[0].Value.ShouldBe((short)DL205Profile.SmokeHoldingValue);
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/ModbusPal/README.md

@@ -0,0 +1,30 @@
+# ModbusPal simulator profiles
+
+Drop device-specific `.xmpp` profiles here. The integration tests connect to the
+endpoint in `MODBUS_SIM_ENDPOINT` (default `localhost:502`) and expect the
+simulator to already be running — tests do not launch ModbusPal themselves,
+because its Java GUI + JRE requirement is heavier than the harness is worth.
+
+## Getting started
+
+1. Download ModbusPal from SourceForge (`modbuspal.jar`).
+2. `java -jar modbuspal.jar` to launch the GUI.
+3. Load a profile from this directory (or configure one manually) and start the
+   simulator on TCP port 502.
+4. `dotnet test tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests` — tests
+   auto-skip with a clear `SkipReason` if the TCP probe at the configured
+   endpoint fails within 2 seconds.
+
+## Profile files
+
+- `DL205.xmpp` — _to be added_ — register map reflecting the AutomationDirect
+  DL205 quirks tracked in `docs/v2/modbus-test-plan.md`. The scaffolded smoke
+  test in `DL205/DL205SmokeTests.cs` needs holding register 100 writable and
+  present; a minimal ModbusPal profile with a single holding-register bank at
+  address 100 is sufficient.
+
+## Environment variables
+
+- `MODBUS_SIM_ENDPOINT` — override the simulator endpoint. Accepts `host:port`;
+  defaults to `localhost:502`. Useful when pointing the suite at a real PLC on
+  the bench.

tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/ModbusSimulatorFixture.cs

@@ -0,0 +1,66 @@
+using System.Net.Sockets;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests;
+
+/// <summary>
+///     Reachability probe for a Modbus TCP simulator (ModbusPal or a real PLC). Parses
+///     <c>MODBUS_SIM_ENDPOINT</c> (default <c>localhost:502</c>) and TCP-connects once at
+///     fixture construction. Each test checks <see cref="SkipReason"/> and calls
+///     <c>Assert.Skip</c> when the endpoint was unreachable, so a dev box without a running
+///     simulator still passes `dotnet test` cleanly — matches the Galaxy live-smoke pattern in
+///     <c>GalaxyRepositoryLiveSmokeTests</c>.
+/// </summary>
+/// <remarks>
+///     <para>
+///         Do NOT keep the probe socket open for the life of the fixture. The probe is a
+///         one-shot liveness check; tests open their own transports (the real
+///         <see cref="ModbusTcpTransport"/>) against the same endpoint. Sharing a socket
+///         across tests would serialize them on a single TCP stream.
+///     </para>
+///     <para>
+///         The fixture is a collection fixture so the reachability probe runs once per test
+///         session, not per test — checking every test would waste several seconds against a
+///         firewalled endpoint that times out each attempt.
+///     </para>
+/// </remarks>
+public sealed class ModbusSimulatorFixture : IAsyncDisposable
+{
+    private const string DefaultEndpoint = "localhost:502";
+    private const string EndpointEnvVar = "MODBUS_SIM_ENDPOINT";
+
+    public string Host { get; }
+    public int Port { get; }
+    public string? SkipReason { get; }
+
+    public ModbusSimulatorFixture()
+    {
+        var raw = Environment.GetEnvironmentVariable(EndpointEnvVar) ?? DefaultEndpoint;
+        var parts = raw.Split(':', 2);
+        Host = parts[0];
+        Port = parts.Length == 2 && int.TryParse(parts[1], out var p) ? p : 502;
+
+        try
+        {
+            using var client = new TcpClient();
+            var task = client.ConnectAsync(Host, Port);
+            if (!task.Wait(TimeSpan.FromSeconds(2)) || !client.Connected)
+            {
+                SkipReason = $"Modbus simulator at {Host}:{Port} did not accept a TCP connection within 2s. " +
+                             $"Start ModbusPal (or override {EndpointEnvVar}) and re-run.";
+            }
+        }
+        catch (Exception ex)
+        {
+            SkipReason = $"Modbus simulator at {Host}:{Port} unreachable: {ex.GetType().Name}: {ex.Message}. " +
+                         $"Start ModbusPal (or override {EndpointEnvVar}) and re-run.";
+        }
+    }
+
+    public ValueTask DisposeAsync() => ValueTask.CompletedTask;
+}
+
+[Xunit.CollectionDefinition(Name)]
+public sealed class ModbusSimulatorCollection : Xunit.ICollectionFixture<ModbusSimulatorFixture>
+{
+    public const string Name = "ModbusSimulator";
+}

tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests.csproj

@@ -0,0 +1,36 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+    <PropertyGroup>
+        <TargetFramework>net10.0</TargetFramework>
+        <Nullable>enable</Nullable>
+        <ImplicitUsings>enable</ImplicitUsings>
+        <IsPackable>false</IsPackable>
+        <IsTestProject>true</IsTestProject>
+        <RootNamespace>ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests</RootNamespace>
+    </PropertyGroup>
+
+    <ItemGroup>
+        <PackageReference Include="xunit.v3" Version="1.1.0"/>
+        <PackageReference Include="Shouldly" Version="4.3.0"/>
+        <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.12.0"/>
+        <PackageReference Include="xunit.runner.visualstudio" Version="3.0.2">
+            <PrivateAssets>all</PrivateAssets>
+            <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+        </PackageReference>
+    </ItemGroup>
+
+    <ItemGroup>
+        <ProjectReference Include="..\..\src\ZB.MOM.WW.OtOpcUa.Driver.Modbus\ZB.MOM.WW.OtOpcUa.Driver.Modbus.csproj"/>
+    </ItemGroup>
+
+    <ItemGroup>
+        <None Update="ModbusPal\**\*" CopyToOutputDirectory="PreserveNewest"/>
+        <None Update="DL205\**\*" CopyToOutputDirectory="PreserveNewest"/>
+    </ItemGroup>
+
+    <ItemGroup>
+        <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-37gx-xxp4-5rgx"/>
+        <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-w3x6-4m5h-cxqf"/>
+    </ItemGroup>
+
+</Project>

tests/ZB.MOM.WW.OtOpcUa.Server.Tests/LdapUserAuthenticatorAdCompatTests.cs

@@ -0,0 +1,67 @@
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Server.Security;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.Tests;
+
+/// <summary>
+///     Deterministic guards for Active Directory compatibility of the internal helpers
+///     <see cref="LdapUserAuthenticator"/> relies on. We can't live-bind against AD in unit
+///     tests — instead, we pin the behaviors AD depends on (DN-parsing of AD-style
+///     <c>memberOf</c> values, filter escaping with case-preserving RDN extraction) so a
+///     future refactor can't silently break the AD path while the GLAuth live-smoke stays
+///     green.
+/// </summary>
+[Trait("Category", "Unit")]
+public sealed class LdapUserAuthenticatorAdCompatTests
+{
+    [Fact]
+    public void ExtractFirstRdnValue_parses_AD_memberOf_group_name_from_CN_dn()
+    {
+        // AD's memberOf values use uppercase CN=… and full domain paths. The extractor
+        // returns the first RDN's value regardless of attribute-type case, so operators'
+        // GroupToRole keys stay readable ("OPCUA-Operators" not "CN=OPCUA-Operators,...").
+        var dn = "CN=OPCUA-Operators,OU=OPC UA Security Groups,OU=Groups,DC=corp,DC=example,DC=com";
+        LdapUserAuthenticator.ExtractFirstRdnValue(dn).ShouldBe("OPCUA-Operators");
+    }
+
+    [Fact]
+    public void ExtractFirstRdnValue_handles_mixed_case_and_spaces_in_group_name()
+    {
+        var dn = "CN=Domain Users,CN=Users,DC=corp,DC=example,DC=com";
+        LdapUserAuthenticator.ExtractFirstRdnValue(dn).ShouldBe("Domain Users");
+    }
+
+    [Fact]
+    public void ExtractFirstRdnValue_also_works_for_OpenLDAP_ou_style_memberOf()
+    {
+        // GLAuth + some OpenLDAP deployments expose memberOf as ou=<group>,ou=groups,...
+        // The authenticator needs one extractor that tolerates both shapes since directories
+        // in the field mix them depending on schema.
+        var dn = "ou=WriteOperate,ou=groups,dc=lmxopcua,dc=local";
+        LdapUserAuthenticator.ExtractFirstRdnValue(dn).ShouldBe("WriteOperate");
+    }
+
+    [Fact]
+    public void EscapeLdapFilter_prevents_injection_via_samaccountname_lookup()
+    {
+        // AD login names can contain characters that are meaningful to LDAP filter syntax
+        // (parens, backslashes). The authenticator builds filters as
+        // ($"({UserNameAttribute}={EscapeLdapFilter(username)})") so injection attempts must
+        // not break out of the filter. The RFC 4515 escape set is: \ → \5c, * → \2a, ( → \28,
+        // ) → \29, \0 → \00.
+        LdapUserAuthenticator.EscapeLdapFilter("admin)(cn=*")
+            .ShouldBe("admin\\29\\28cn=\\2a");
+        LdapUserAuthenticator.EscapeLdapFilter("domain\\user")
+            .ShouldBe("domain\\5cuser");
+    }
+
+    [Fact]
+    public void LdapOptions_default_UserNameAttribute_is_uid_for_rfc2307_compat()
+    {
+        // Regression guard: PR 31 introduced UserNameAttribute with a default of "uid" so
+        // existing deployments (pre-AD config) keep working. Changing the default breaks
+        // everyone's config silently; require an explicit review.
+        new LdapOptions().UserNameAttribute.ShouldBe("uid");
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Server.Tests/LdapUserAuthenticatorLiveTests.cs

@@ -0,0 +1,154 @@
+using System.Net.Sockets;
+using Microsoft.Extensions.Logging.Abstractions;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Server.Security;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.Tests;
+
+/// <summary>
+///     Live-service tests against the dev GLAuth instance at <c>localhost:3893</c>. Skipped
+///     when the port is unreachable so the test suite stays portable on boxes without a
+///     running directory. Closes LMX follow-up #4 — the server-side <see cref="LdapUserAuthenticator"/>
+///     is exercised end-to-end against a real LDAP server (same one the Admin process uses),
+///     not just the flow-shape unit tests from PR 19.
+/// </summary>
+/// <remarks>
+///     The <c>Admin.Tests</c> project already has a live-bind test for its own
+///     <c>LdapAuthService</c>; this pair catches divergence between the two bind paths — the
+///     Server authenticator has to work even when the Server process is on a machine that
+///     doesn't have the Admin assemblies loaded, and the two share no code by design
+///     (cross-app dependency avoidance). If one side drifts past the other on LDAP filter
+///     construction, DN resolution, or memberOf parsing, these tests surface it.
+/// </remarks>
+[Trait("Category", "LiveLdap")]
+public sealed class LdapUserAuthenticatorLiveTests
+{
+    private const string GlauthHost = "localhost";
+    private const int GlauthPort = 3893;
+
+    private static bool GlauthReachable()
+    {
+        try
+        {
+            using var client = new TcpClient();
+            var task = client.ConnectAsync(GlauthHost, GlauthPort);
+            return task.Wait(TimeSpan.FromSeconds(1)) && client.Connected;
+        }
+        catch { return false; }
+    }
+
+    // GLAuth dev directory groups are named identically to the OPC UA roles
+    // (ReadOnly / WriteOperate / WriteTune / WriteConfigure / AlarmAck), so the map is an
+    // identity translation. The authenticator still exercises every step of the pipeline —
+    // bind, memberOf lookup, group-name extraction, GroupToRole lookup — against real LDAP
+    // data; the identity map just means the assertion is phrased with no surprise rename
+    // in the middle.
+    private static LdapOptions GlauthOptions() => new()
+    {
+        Enabled = true,
+        Server = GlauthHost,
+        Port = GlauthPort,
+        UseTls = false,
+        AllowInsecureLdap = true,
+        SearchBase = "dc=lmxopcua,dc=local",
+        // Search-then-bind: service account resolves the user's full DN (cn=<user> lives
+        // under ou=<primary-group>,ou=users), the authenticator binds that DN with the
+        // user's password, then stays on the service-account session for memberOf lookup.
+        // Without this path, GLAuth ACLs block the authenticated user from reading their
+        // own entry in full — a plain self-search returns zero results and the role list
+        // ends up empty.
+        ServiceAccountDn = "cn=serviceaccount,dc=lmxopcua,dc=local",
+        ServiceAccountPassword = "serviceaccount123",
+        DisplayNameAttribute = "cn",
+        GroupAttribute = "memberOf",
+        UserNameAttribute = "cn", // GLAuth keys users by cn — see LdapOptions xml-doc.
+        GroupToRole = new(StringComparer.OrdinalIgnoreCase)
+        {
+            ["ReadOnly"] = "ReadOnly",
+            ["WriteOperate"] = WriteAuthzPolicy.RoleWriteOperate,
+            ["WriteTune"] = WriteAuthzPolicy.RoleWriteTune,
+            ["WriteConfigure"] = WriteAuthzPolicy.RoleWriteConfigure,
+            ["AlarmAck"] = "AlarmAck",
+        },
+    };
+
+    private static LdapUserAuthenticator NewAuthenticator() =>
+        new(GlauthOptions(), NullLogger<LdapUserAuthenticator>.Instance);
+
+    [Fact]
+    public async Task Valid_credentials_bind_and_return_success()
+    {
+        if (!GlauthReachable()) Assert.Skip("GLAuth unreachable at localhost:3893 — start the dev directory to run this test.");
+
+        var result = await NewAuthenticator().AuthenticateAsync("readonly", "readonly123", TestContext.Current.CancellationToken);
+
+        result.Success.ShouldBeTrue(result.Error);
+        result.DisplayName.ShouldNotBeNullOrEmpty();
+    }
+
+    [Fact]
+    public async Task Writeop_user_gets_WriteOperate_role_from_group_mapping()
+    {
+        // Drives end-to-end: bind as writeop, memberOf lists the WriteOperate group, the
+        // authenticator surfaces WriteOperate via GroupToRole. If this test fails,
+        // WriteAuthzPolicy.IsAllowed for an Operate-tier write would also fail
+        // (WriteOperate is the exact string the policy checks for), so the failure mode is
+        // concrete, not abstract.
+        if (!GlauthReachable()) Assert.Skip("GLAuth unreachable at localhost:3893 — start the dev directory to run this test.");
+
+        var result = await NewAuthenticator().AuthenticateAsync("writeop", "writeop123", TestContext.Current.CancellationToken);
+
+        result.Success.ShouldBeTrue(result.Error);
+        result.Roles.ShouldContain(WriteAuthzPolicy.RoleWriteOperate);
+    }
+
+    [Fact]
+    public async Task Admin_user_gets_multiple_roles_from_multiple_groups()
+    {
+        if (!GlauthReachable()) Assert.Skip("GLAuth unreachable at localhost:3893 — start the dev directory to run this test.");
+
+        // 'admin' has primarygroup=ReadOnly and othergroups=[WriteOperate, AlarmAck,
+        // WriteTune, WriteConfigure] per the GLAuth dev config — the authenticator must
+        // surface every mapped role, not just the primary group. Guards against a regression
+        // where the memberOf parsing stops after the first match or misses the primary-group
+        // fallback.
+        var result = await NewAuthenticator().AuthenticateAsync("admin", "admin123", TestContext.Current.CancellationToken);
+
+        result.Success.ShouldBeTrue(result.Error);
+        result.Roles.ShouldContain(WriteAuthzPolicy.RoleWriteOperate);
+        result.Roles.ShouldContain(WriteAuthzPolicy.RoleWriteTune);
+        result.Roles.ShouldContain(WriteAuthzPolicy.RoleWriteConfigure);
+        result.Roles.ShouldContain("AlarmAck");
+    }
+
+    [Fact]
+    public async Task Wrong_password_returns_failure()
+    {
+        if (!GlauthReachable()) Assert.Skip("GLAuth unreachable at localhost:3893 — start the dev directory to run this test.");
+
+        var result = await NewAuthenticator().AuthenticateAsync("readonly", "wrong-pw", TestContext.Current.CancellationToken);
+
+        result.Success.ShouldBeFalse();
+        result.Error.ShouldNotBeNullOrEmpty();
+    }
+
+    [Fact]
+    public async Task Unknown_user_returns_failure()
+    {
+        if (!GlauthReachable()) Assert.Skip("GLAuth unreachable at localhost:3893 — start the dev directory to run this test.");
+
+        var result = await NewAuthenticator().AuthenticateAsync("no-such-user-42", "whatever", TestContext.Current.CancellationToken);
+
+        result.Success.ShouldBeFalse();
+    }
+
+    [Fact]
+    public async Task Empty_credentials_fail_without_touching_the_directory()
+    {
+        // Pre-flight guard — doesn't require GLAuth.
+        var result = await NewAuthenticator().AuthenticateAsync("", "", TestContext.Current.CancellationToken);
+        result.Success.ShouldBeFalse();
+        result.Error.ShouldContain("Credentials", Case.Insensitive);
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Server.Tests/MultipleDriverInstancesIntegrationTests.cs

@@ -0,0 +1,191 @@
+using Microsoft.Extensions.Logging.Abstractions;
+using Opc.Ua;
+using Opc.Ua.Client;
+using Opc.Ua.Configuration;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Core.Hosting;
+using ZB.MOM.WW.OtOpcUa.Server.OpcUa;
+using ZB.MOM.WW.OtOpcUa.Server.Security;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.Tests;
+
+/// <summary>
+///     Closes LMX follow-up #6 — proves that two <see cref="IDriver"/> instances registered
+///     on the same <see cref="DriverHost"/> land in isolated namespaces and their reads
+///     route to the correct driver. The existing <see cref="OpcUaServerIntegrationTests"/>
+///     only exercises a single-driver topology; this sibling fixture registers two.
+/// </summary>
+/// <remarks>
+///     Each driver gets its own namespace URI of the form <c>urn:OtOpcUa:{DriverInstanceId}</c>
+///     (per <c>DriverNodeManager</c>'s base-class <c>namespaceUris</c> argument). A client
+///     that browses one namespace must see only that driver's subtree, and a read against a
+///     variable in one namespace must return that driver's value, not the other's — this is
+///     what stops a cross-driver routing regression from going unnoticed when the v1
+///     single-driver code path gets new knobs.
+/// </remarks>
+[Trait("Category", "Integration")]
+public sealed class MultipleDriverInstancesIntegrationTests : IAsyncLifetime
+{
+    private static readonly int Port = 48500 + Random.Shared.Next(0, 99);
+    private readonly string _endpoint = $"opc.tcp://localhost:{Port}/OtOpcUaMultiDriverTest";
+    private readonly string _pkiRoot = Path.Combine(Path.GetTempPath(), $"otopcua-multi-{Guid.NewGuid():N}");
+
+    private DriverHost _driverHost = null!;
+    private OpcUaApplicationHost _server = null!;
+
+    public async ValueTask InitializeAsync()
+    {
+        _driverHost = new DriverHost();
+        await _driverHost.RegisterAsync(new StubDriver("alpha", folderName: "AlphaFolder", readValue: 42),
+            "{}", CancellationToken.None);
+        await _driverHost.RegisterAsync(new StubDriver("beta", folderName: "BetaFolder", readValue: 99),
+            "{}", CancellationToken.None);
+
+        var options = new OpcUaServerOptions
+        {
+            EndpointUrl = _endpoint,
+            ApplicationName = "OtOpcUaMultiDriverTest",
+            ApplicationUri = "urn:OtOpcUa:Server:MultiDriverTest",
+            PkiStoreRoot = _pkiRoot,
+            AutoAcceptUntrustedClientCertificates = true,
+        };
+
+        _server = new OpcUaApplicationHost(options, _driverHost, new DenyAllUserAuthenticator(),
+            NullLoggerFactory.Instance, NullLogger<OpcUaApplicationHost>.Instance);
+        await _server.StartAsync(CancellationToken.None);
+    }
+
+    public async ValueTask DisposeAsync()
+    {
+        await _server.DisposeAsync();
+        await _driverHost.DisposeAsync();
+        try { Directory.Delete(_pkiRoot, recursive: true); } catch { /* best-effort */ }
+    }
+
+    [Fact]
+    public async Task Both_drivers_register_under_their_own_urn_namespace()
+    {
+        using var session = await OpenSessionAsync();
+
+        var alphaNs = session.NamespaceUris.GetIndex("urn:OtOpcUa:alpha");
+        var betaNs = session.NamespaceUris.GetIndex("urn:OtOpcUa:beta");
+
+        alphaNs.ShouldBeGreaterThanOrEqualTo(0, "DriverNodeManager for 'alpha' must register its namespace URI");
+        betaNs.ShouldBeGreaterThanOrEqualTo(0, "DriverNodeManager for 'beta' must register its namespace URI");
+        alphaNs.ShouldNotBe(betaNs, "each driver owns its own namespace");
+    }
+
+    [Fact]
+    public async Task Each_driver_subtree_exposes_only_its_own_folder()
+    {
+        using var session = await OpenSessionAsync();
+
+        var alphaNs = (ushort)session.NamespaceUris.GetIndex("urn:OtOpcUa:alpha");
+        var betaNs = (ushort)session.NamespaceUris.GetIndex("urn:OtOpcUa:beta");
+
+        var alphaRoot = new NodeId("alpha", alphaNs);
+        session.Browse(null, null, alphaRoot, 0, BrowseDirection.Forward, ReferenceTypeIds.HierarchicalReferences,
+            true, (uint)NodeClass.Object | (uint)NodeClass.Variable, out _, out var alphaRefs);
+        alphaRefs.ShouldContain(r => r.BrowseName.Name == "AlphaFolder",
+            "alpha's subtree must contain alpha's folder");
+        alphaRefs.ShouldNotContain(r => r.BrowseName.Name == "BetaFolder",
+            "alpha's subtree must NOT see beta's folder — cross-driver leak would hide subscription-routing bugs");
+
+        var betaRoot = new NodeId("beta", betaNs);
+        session.Browse(null, null, betaRoot, 0, BrowseDirection.Forward, ReferenceTypeIds.HierarchicalReferences,
+            true, (uint)NodeClass.Object | (uint)NodeClass.Variable, out _, out var betaRefs);
+        betaRefs.ShouldContain(r => r.BrowseName.Name == "BetaFolder");
+        betaRefs.ShouldNotContain(r => r.BrowseName.Name == "AlphaFolder");
+    }
+
+    [Fact]
+    public async Task Reads_route_to_the_correct_driver_by_namespace()
+    {
+        using var session = await OpenSessionAsync();
+
+        var alphaNs = (ushort)session.NamespaceUris.GetIndex("urn:OtOpcUa:alpha");
+        var betaNs = (ushort)session.NamespaceUris.GetIndex("urn:OtOpcUa:beta");
+
+        var alphaValue = session.ReadValue(new NodeId("AlphaFolder.Var1", alphaNs));
+        var betaValue = session.ReadValue(new NodeId("BetaFolder.Var1", betaNs));
+
+        alphaValue.Value.ShouldBe(42, "alpha driver's ReadAsync returns 42 — a misroute would surface as 99");
+        betaValue.Value.ShouldBe(99, "beta driver's ReadAsync returns 99 — a misroute would surface as 42");
+    }
+
+    private async Task<ISession> OpenSessionAsync()
+    {
+        var cfg = new ApplicationConfiguration
+        {
+            ApplicationName = "OtOpcUaMultiDriverTestClient",
+            ApplicationUri = "urn:OtOpcUa:MultiDriverTestClient",
+            ApplicationType = ApplicationType.Client,
+            SecurityConfiguration = new SecurityConfiguration
+            {
+                ApplicationCertificate = new CertificateIdentifier
+                {
+                    StoreType = CertificateStoreType.Directory,
+                    StorePath = Path.Combine(_pkiRoot, "client-own"),
+                    SubjectName = "CN=OtOpcUaMultiDriverTestClient",
+                },
+                TrustedIssuerCertificates = new CertificateTrustList { StoreType = CertificateStoreType.Directory, StorePath = Path.Combine(_pkiRoot, "client-issuers") },
+                TrustedPeerCertificates = new CertificateTrustList { StoreType = CertificateStoreType.Directory, StorePath = Path.Combine(_pkiRoot, "client-trusted") },
+                RejectedCertificateStore = new CertificateTrustList { StoreType = CertificateStoreType.Directory, StorePath = Path.Combine(_pkiRoot, "client-rejected") },
+                AutoAcceptUntrustedCertificates = true,
+                AddAppCertToTrustedStore = true,
+            },
+            TransportConfigurations = new TransportConfigurationCollection(),
+            TransportQuotas = new TransportQuotas { OperationTimeout = 15000 },
+            ClientConfiguration = new ClientConfiguration { DefaultSessionTimeout = 60000 },
+        };
+        await cfg.Validate(ApplicationType.Client);
+        cfg.CertificateValidator.CertificateValidation += (_, e) => e.Accept = true;
+
+        var instance = new ApplicationInstance { ApplicationConfiguration = cfg, ApplicationType = ApplicationType.Client };
+        await instance.CheckApplicationInstanceCertificate(true, CertificateFactory.DefaultKeySize);
+
+        var selected = CoreClientUtils.SelectEndpoint(cfg, _endpoint, useSecurity: false);
+        var endpointConfig = EndpointConfiguration.Create(cfg);
+        var configuredEndpoint = new ConfiguredEndpoint(null, selected, endpointConfig);
+
+        return await Session.Create(cfg, configuredEndpoint, false, "OtOpcUaMultiDriverTestClientSession", 60000,
+            new UserIdentity(new AnonymousIdentityToken()), null);
+    }
+
+    /// <summary>
+    ///     Driver stub that returns a caller-specified folder + variable + read value so two
+    ///     instances in the same server can be told apart at the assertion layer.
+    /// </summary>
+    private sealed class StubDriver(string driverInstanceId, string folderName, int readValue)
+        : IDriver, ITagDiscovery, IReadable
+    {
+        public string DriverInstanceId => driverInstanceId;
+        public string DriverType => "Stub";
+
+        public Task InitializeAsync(string driverConfigJson, CancellationToken ct) => Task.CompletedTask;
+        public Task ReinitializeAsync(string driverConfigJson, CancellationToken ct) => Task.CompletedTask;
+        public Task ShutdownAsync(CancellationToken ct) => Task.CompletedTask;
+        public DriverHealth GetHealth() => new(DriverState.Healthy, DateTime.UtcNow, null);
+        public long GetMemoryFootprint() => 0;
+        public Task FlushOptionalCachesAsync(CancellationToken ct) => Task.CompletedTask;
+
+        public Task DiscoverAsync(IAddressSpaceBuilder builder, CancellationToken ct)
+        {
+            var folder = builder.Folder(folderName, folderName);
+            folder.Variable("Var1", "Var1", new DriverAttributeInfo(
+                $"{folderName}.Var1", DriverDataType.Int32, false, null, SecurityClassification.FreeAccess, false, IsAlarm: false));
+            return Task.CompletedTask;
+        }
+
+        public Task<IReadOnlyList<DataValueSnapshot>> ReadAsync(
+            IReadOnlyList<string> fullReferences, CancellationToken cancellationToken)
+        {
+            var now = DateTime.UtcNow;
+            IReadOnlyList<DataValueSnapshot> result =
+                fullReferences.Select(_ => new DataValueSnapshot(readValue, 0u, now, now)).ToArray();
+            return Task.FromResult(result);
+        }
+    }
+}