Phase 3 PR 34 — Host-status publisher (Server) + /hosts drill-down page (Admin). Closes LMX follow-up #7 by wiring together the data layer from PR 33. Server.HostStatusPublisher is a BackgroundService that walks every driver registered in DriverHost every 10 seconds, skips drivers that don't implement IHostConnectivityProbe, calls GetHostStatuses() on each probe-capable driver, and upserts one DriverHostStatus row per (NodeId, DriverInstanceId, HostName) into the central config DB. Upsert path: SingleOrDefaultAsync on the composite PK; if no row exists, Add a new one; if a row exists, LastSeenUtc advances unconditionally (heartbeat) and State + StateChangedUtc update only on transitions so Admin UI can distinguish 'still reporting, still Running' from 'freshly transitioned to Running'. MapState translates Core.Abstractions.HostState to Configuration.Enums.DriverHostState (intentional duplicate enum — Configuration project stays free of driver-runtime deps per PR 33's choice). If a driver's GetHostStatuses throws, log warning and skip that driver this tick — never take down the Server on a publisher failure. If the DB is unreachable, log warning + retry next heartbeat (no buffering — next tick's current-state snapshot is more useful than replaying stale transitions after a long outage). 2-second startup delay so NodeBootstrap's RegisterAsync calls land before the first publish tick, then tick runs immediately so a freshly-started Server surfaces its host topology in the Admin UI without waiting a full interval.

Polling chosen over event-driven for initial scope: simpler, matches Admin UI consumer cadence, avoids DriverHost lifecycle-event plumbing that doesn't exist today. Event-driven push for sub-heartbeat latency is a straightforward follow-up.
Admin.Services.HostStatusService left-joins DriverHostStatus against ClusterNode on NodeId so rows persist even when the ClusterNode entry doesn't exist yet (first-boot bootstrap case). StaleThreshold = 30s — covers one missed publisher heartbeat plus a generous buffer for clock skew and GC pauses. Admin Components/Pages/Hosts.razor — FleetAdmin-visible page grouped by cluster (handles the '(unassigned)' case for rows without a matching ClusterNode). Four summary cards (Hosts / Running / Stale / Faulted); per-cluster table with Node / Driver / Host / State + Stale-badge / Last-transition / Last-seen / Detail columns; 10s auto-refresh via IServiceScopeFactory timer pattern matching FleetStatusPoller + Fleet dashboard (PR 27). Row-class highlighting: Faulted → table-danger, Stale → table-warning, else default. State badge maps DriverHostState enum to bootstrap color classes. Sidebar link added between 'Fleet status' and 'Clusters'.
Server csproj adds Microsoft.EntityFrameworkCore.SqlServer 10.0.0 + registers OtOpcUaConfigDbContext in Program.cs scoped via NodeOptions.ConfigDbConnectionString (no Admin-style manual SQL raw — the DbContext is the only access path, keeps migrations owner-of-record).
Tests — HostStatusPublisherTests (4 new Integration cases, uses per-run throwaway DB matching the FleetStatusPollerTests pattern): publisher upserts one row per host from each probe-capable driver and skips non-probe drivers; second tick advances LastSeenUtc without creating duplicate rows (upsert pattern verified end-to-end); state change between ticks updates State AND StateChangedUtc (datetime2(3) rounds to millisecond precision so comparison uses 1ms tolerance — documented inline); MapState translates every HostState enum member. Server.Tests Integration: 4 new tests pass. Admin build clean, Admin.Tests Unit still 23 / 0. docs/v2/lmx-followups.md item #7 marked DONE with three explicit deferred items (event-driven push, failure-count column, SignalR fan-out).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

docs/security.md

@@ -348,6 +348,44 @@ The project uses [GLAuth](https://github.com/glauth/glauth) v2.4.0 as the LDAP s
 
 Enable LDAP in `appsettings.json` under `Authentication.Ldap`. See [Configuration Guide](Configuration.md) for the full property reference.
 
+### Active Directory configuration
+
+Production deployments typically point at Active Directory instead of GLAuth. Only four properties differ from the dev defaults: `Server`, `Port`, `UserNameAttribute`, and `ServiceAccountDn`. The same `GroupToRole` mechanism works — map your AD security groups to OPC UA roles.
+
+```json
+{
+  "OpcUaServer": {
+    "Ldap": {
+      "Enabled": true,
+      "Server": "dc01.corp.example.com",
+      "Port": 636,
+      "UseTls": true,
+      "AllowInsecureLdap": false,
+      "SearchBase": "DC=corp,DC=example,DC=com",
+      "ServiceAccountDn": "CN=OpcUaSvc,OU=Service Accounts,DC=corp,DC=example,DC=com",
+      "ServiceAccountPassword": "<from your secret store>",
+      "DisplayNameAttribute": "displayName",
+      "GroupAttribute": "memberOf",
+      "UserNameAttribute": "sAMAccountName",
+      "GroupToRole": {
+        "OPCUA-Operators": "WriteOperate",
+        "OPCUA-Engineers": "WriteConfigure",
+        "OPCUA-AlarmAck": "AlarmAck",
+        "OPCUA-Tuners": "WriteTune"
+      }
+    }
+  }
+}
+```
+
+Notes:
+
+- `UserNameAttribute: "sAMAccountName"` is the critical AD override — the default `uid` is not populated on AD user entries, so the user-DN lookup returns no results without it. Use `userPrincipalName` instead if operators log in with `user@corp.example.com` form.
+- `Port: 636` + `UseTls: true` is required under AD's LDAP-signing enforcement. AD increasingly rejects plain-LDAP bind; set `AllowInsecureLdap: false` to refuse fallback.
+- `ServiceAccountDn` should name a dedicated read-only service principal — not a privileged admin. The account needs read access to user and group entries in the search base.
+- `memberOf` values come back as full DNs like `CN=OPCUA-Operators,OU=OPC UA Security Groups,OU=Groups,DC=corp,DC=example,DC=com`. The authenticator strips the leading `CN=` RDN value so operators configure `GroupToRole` with readable group common-names.
+- Nested group membership is **not** expanded — assign users directly to the role-mapped groups, or pre-flatten membership in AD. `LDAP_MATCHING_RULE_IN_CHAIN` / `tokenGroups` expansion is an authenticator enhancement, not a config change.
+
 ### Security Considerations
 
 - LDAP credentials are transmitted in plaintext over the OPC UA channel unless transport security is enabled. Use `Basic256Sha256-SignAndEncrypt` for production deployments.

docs/v2/lmx-followups.md

@@ -58,18 +58,25 @@ Deferred: flipping `AutoAcceptUntrustedClientCertificates` to `false` as the
 deployment default. That's a production-hardening config change, not a code
 gap — the Admin UI is now ready to be the trust gate.
 
-## 4. Live-LDAP integration test
+## 4. Live-LDAP integration test — **DONE (PR 31)**
 
-**Status**: PR 19 unit-tested the auth-flow shape; the live bind path is
-exercised only by the pre-existing `Admin.Tests/LdapLiveBindTests.cs` which
-uses the same Novell library against a running GLAuth at `localhost:3893`.
+PR 31 shipped `Server.Tests/LdapUserAuthenticatorLiveTests.cs` — 6 live-bind
+tests against the dev GLAuth instance at `localhost:3893`, skipped cleanly
+when the port is unreachable. Covers: valid bind, wrong password, unknown
+user, empty credentials, single-group → WriteOperate mapping, multi-group
+admin user surfacing all mapped roles.
 
-**To do**:
-- Add `OpcUaServerIntegrationTests.Valid_username_authenticates_against_live_ldap`
-  with the same skip-when-unreachable guard.
-- Assert `session.Identity` on the server side carries the expected role
-  after bind — requires exposing a test hook or reading identity from a
-  new `IHostConnectivityProbe`-style "whoami" variable in the address space.
+Also added `UserNameAttribute` to `LdapOptions` (default `uid` for RFC 2307
+compat) so Active Directory deployments can configure `sAMAccountName` /
+`userPrincipalName` without code changes. `LdapUserAuthenticatorAdCompatTests`
+(5 unit guards) pins the AD-shape DN parsing + filter escape behaviors. See
+`docs/security.md` §"Active Directory configuration" for the AD appsettings
+snippet.
+
+Deferred: asserting `session.Identity` end-to-end on the server side (i.e.
+drive a full OPC UA session with username/password, then read an
+`IHostConnectivityProbe`-style "whoami" node to verify the role surfaced).
+That needs a test-only address-space node and is a separate PR.
 
 ## 5. Full Galaxy live-service smoke test against the merged v2 stack
 
@@ -84,26 +91,47 @@ no single end-to-end smoke test.
   subscribes to one of its attributes, writes a value back, and asserts the
   write round-tripped through MXAccess. Skip when ArchestrA isn't running.
 
-## 6. Second driver instance on the same server
+## 6. Second driver instance on the same server — **DONE (PR 32)**
 
-**Status**: `DriverHost.RegisterAsync` supports multiple drivers; the OPC UA
-server creates one `DriverNodeManager` per driver and isolates their
-subtrees under distinct namespace URIs. Not proven with two active
-`GalaxyProxyDriver` instances pointing at different Galaxies.
+`Server.Tests/MultipleDriverInstancesIntegrationTests.cs` registers two
+drivers with distinct `DriverInstanceId`s on one `DriverHost`, spins up the
+full OPC UA server, and asserts three behaviors: (1) each driver's namespace
+URI (`urn:OtOpcUa:{id}`) resolves to a distinct index in the client's
+NamespaceUris, (2) browsing one subtree returns that driver's folder and
+does NOT leak the other driver's folder, (3) reads route to the correct
+driver — the alpha instance returns 42 while beta returns 99, so a misroute
+would surface at the assertion layer.
 
-**To do**:
-- Integration test that registers two driver instances, each with a distinct
-  `DriverInstanceId` + endpoint in its own session, asserts nodes from both
-  appear under the correct subtrees, alarm events land on the correct
-  instance's condition nodes.
+Deferred: the alarm-event multi-driver parity case (two drivers each raising
+a `GalaxyAlarmEvent`, assert each condition lands on its owning instance's
+condition node). Alarm tracking already has its own integration test
+(`AlarmSubscription*`); the multi-driver alarm case would need a stub
+`IAlarmSource` that's worth its own focused PR.
 
-## 7. Host-status per-AppEngine granularity → Admin UI dashboard
+## 7. Host-status per-AppEngine granularity → Admin UI dashboard — **DONE (PRs 33 + 34)**
 
-**Status**: PR 13 ships per-platform/per-AppEngine `ScanState` probing; PR 17
-surfaces the resulting `OnHostStatusChanged` events through OPC UA. Admin
-UI doesn't render a per-host dashboard yet.
+**PR 33** landed the data layer: `DriverHostStatus` entity + migration with
+composite key `(NodeId, DriverInstanceId, HostName)` and two query-supporting
+indexes (per-cluster drill-down on `NodeId`, stale-row detection on
+`LastSeenUtc`).
 
-**To do**:
-- SignalR hub push of `HostStatusChangedEventArgs` to the Admin UI.
-- Dashboard page showing each tracked host, current state, last transition
-  time, failure count.
+**PR 34** wired the publisher + consumer. `HostStatusPublisher` is a
+`BackgroundService` in the Server process that walks every registered
+`IHostConnectivityProbe`-capable driver every 10s, calls
+`GetHostStatuses()`, and upserts rows (`LastSeenUtc` advances each tick;
+`State` + `StateChangedUtc` update on transitions). Admin UI `/hosts` page
+groups by cluster, shows four summary cards (Hosts / Running / Stale /
+Faulted), and flags rows whose `LastSeenUtc` is older than 30s as Stale so
+operators see crashed Servers without waiting for a state change.
+
+Deferred as follow-ups:
+
+- Event-driven push (subscribe to `OnHostStatusChanged` per driver for
+  sub-heartbeat latency). Adds DriverHost lifecycle-event plumbing;
+  10s polling is fine for operator-scale use.
+- Failure-count column — needs the publisher to track a transition history
+  per host, not just current-state.
+- SignalR fan-out to the Admin page (currently the page polls the DB, not
+  a hub). The DB-polled version is fine at current cadence but a hub push
+  would eliminate the 10s race where a new row sits in the DB before the
+  Admin page notices.

src/ZB.MOM.WW.OtOpcUa.Admin/Components/Layout/MainLayout.razor

@@ -6,6 +6,7 @@
         <ul class="nav flex-column">
             <li class="nav-item"><a class="nav-link text-light" href="/">Overview</a></li>
             <li class="nav-item"><a class="nav-link text-light" href="/fleet">Fleet status</a></li>
+            <li class="nav-item"><a class="nav-link text-light" href="/hosts">Host status</a></li>
             <li class="nav-item"><a class="nav-link text-light" href="/clusters">Clusters</a></li>
             <li class="nav-item"><a class="nav-link text-light" href="/reservations">Reservations</a></li>
             <li class="nav-item"><a class="nav-link text-light" href="/certificates">Certificates</a></li>

src/ZB.MOM.WW.OtOpcUa.Admin/Components/Pages/Hosts.razor

@@ -0,0 +1,160 @@
+@page "/hosts"
+@using Microsoft.EntityFrameworkCore
+@using ZB.MOM.WW.OtOpcUa.Admin.Services
+@using ZB.MOM.WW.OtOpcUa.Configuration.Enums
+@inject IServiceScopeFactory ScopeFactory
+@implements IDisposable
+
+<h1 class="mb-4">Driver host status</h1>
+
+<div class="d-flex align-items-center mb-3 gap-2">
+    <button class="btn btn-sm btn-outline-primary" @onclick="RefreshAsync" disabled="@_refreshing">
+        @if (_refreshing) { <span class="spinner-border spinner-border-sm me-1" /> }
+        Refresh
+    </button>
+    <span class="text-muted small">
+        Auto-refresh every @RefreshIntervalSeconds s. Last updated: @(_lastRefreshUtc?.ToString("HH:mm:ss 'UTC'") ?? "—")
+    </span>
+</div>
+
+<div class="alert alert-info small mb-4">
+    Each row is one host reported by a driver instance on a server node. Galaxy drivers report
+    per-Platform / per-AppEngine entries; Modbus drivers report the PLC endpoint. Rows age out
+    of the Server's publisher on every 10-second heartbeat — rows whose LastSeen is older than
+    30s are flagged Stale, which usually means the owning Server process has crashed or lost
+    its DB connection.
+</div>
+
+@if (_rows is null)
+{
+    <p>Loading…</p>
+}
+else if (_rows.Count == 0)
+{
+    <div class="alert alert-secondary">
+        No host-status rows yet. The Server publishes its first tick 2s after startup; if this list stays empty, check that the Server is running and the driver implements <code>IHostConnectivityProbe</code>.
+    </div>
+}
+else
+{
+    <div class="row g-3 mb-4">
+        <div class="col-md-3"><div class="card"><div class="card-body">
+            <h6 class="text-muted mb-1">Hosts</h6>
+            <div class="fs-3">@_rows.Count</div>
+        </div></div></div>
+        <div class="col-md-3"><div class="card border-success"><div class="card-body">
+            <h6 class="text-muted mb-1">Running</h6>
+            <div class="fs-3 text-success">@_rows.Count(r => r.State == DriverHostState.Running && !HostStatusService.IsStale(r))</div>
+        </div></div></div>
+        <div class="col-md-3"><div class="card border-warning"><div class="card-body">
+            <h6 class="text-muted mb-1">Stale</h6>
+            <div class="fs-3 text-warning">@_rows.Count(HostStatusService.IsStale)</div>
+        </div></div></div>
+        <div class="col-md-3"><div class="card border-danger"><div class="card-body">
+            <h6 class="text-muted mb-1">Faulted</h6>
+            <div class="fs-3 text-danger">@_rows.Count(r => r.State == DriverHostState.Faulted)</div>
+        </div></div></div>
+    </div>
+
+    @foreach (var cluster in _rows.GroupBy(r => r.ClusterId ?? "(unassigned)").OrderBy(g => g.Key))
+    {
+        <h2 class="h5 mt-4">Cluster: <code>@cluster.Key</code></h2>
+        <table class="table table-sm table-hover align-middle">
+            <thead>
+                <tr>
+                    <th>Node</th>
+                    <th>Driver</th>
+                    <th>Host</th>
+                    <th>State</th>
+                    <th>Last transition</th>
+                    <th>Last seen</th>
+                    <th>Detail</th>
+                </tr>
+            </thead>
+            <tbody>
+            @foreach (var r in cluster)
+            {
+                <tr class="@RowClass(r)">
+                    <td><code>@r.NodeId</code></td>
+                    <td><code>@r.DriverInstanceId</code></td>
+                    <td>@r.HostName</td>
+                    <td>
+                        <span class="badge @StateBadge(r.State)">@r.State</span>
+                        @if (HostStatusService.IsStale(r))
+                        {
+                            <span class="badge bg-warning text-dark ms-1">Stale</span>
+                        }
+                    </td>
+                    <td class="small">@FormatAge(r.StateChangedUtc)</td>
+                    <td class="small @(HostStatusService.IsStale(r) ? "text-warning" : "")">@FormatAge(r.LastSeenUtc)</td>
+                    <td class="text-truncate small" style="max-width: 320px;" title="@r.Detail">@r.Detail</td>
+                </tr>
+            }
+            </tbody>
+        </table>
+    }
+}
+
+@code {
+    // Mirrors HostStatusPublisher.HeartbeatInterval — polling ahead of the broadcaster
+    // produces stale-looking rows mid-cycle.
+    private const int RefreshIntervalSeconds = 10;
+
+    private List<HostStatusRow>? _rows;
+    private bool _refreshing;
+    private DateTime? _lastRefreshUtc;
+    private Timer? _timer;
+
+    protected override async Task OnInitializedAsync()
+    {
+        await RefreshAsync();
+        _timer = new Timer(async _ => await InvokeAsync(RefreshAsync),
+            state: null,
+            dueTime: TimeSpan.FromSeconds(RefreshIntervalSeconds),
+            period: TimeSpan.FromSeconds(RefreshIntervalSeconds));
+    }
+
+    private async Task RefreshAsync()
+    {
+        if (_refreshing) return;
+        _refreshing = true;
+        try
+        {
+            using var scope = ScopeFactory.CreateScope();
+            var svc = scope.ServiceProvider.GetRequiredService<HostStatusService>();
+            _rows = (await svc.ListAsync()).ToList();
+            _lastRefreshUtc = DateTime.UtcNow;
+        }
+        finally
+        {
+            _refreshing = false;
+            StateHasChanged();
+        }
+    }
+
+    private static string RowClass(HostStatusRow r) => r.State switch
+    {
+        DriverHostState.Faulted => "table-danger",
+        _ when HostStatusService.IsStale(r) => "table-warning",
+        _ => "",
+    };
+
+    private static string StateBadge(DriverHostState s) => s switch
+    {
+        DriverHostState.Running => "bg-success",
+        DriverHostState.Stopped => "bg-secondary",
+        DriverHostState.Faulted => "bg-danger",
+        _ => "bg-secondary",
+    };
+
+    private static string FormatAge(DateTime t)
+    {
+        var age = DateTime.UtcNow - t;
+        if (age.TotalSeconds < 60) return $"{(int)age.TotalSeconds}s ago";
+        if (age.TotalMinutes < 60) return $"{(int)age.TotalMinutes}m ago";
+        if (age.TotalHours < 24) return $"{(int)age.TotalHours}h ago";
+        return t.ToString("yyyy-MM-dd HH:mm 'UTC'");
+    }
+
+    public void Dispose() => _timer?.Dispose();
+}

src/ZB.MOM.WW.OtOpcUa.Admin/Program.cs

@@ -47,6 +47,7 @@ builder.Services.AddScoped<NodeAclService>();
 builder.Services.AddScoped<ReservationService>();
 builder.Services.AddScoped<DraftValidationService>();
 builder.Services.AddScoped<AuditLogService>();
+builder.Services.AddScoped<HostStatusService>();
 
 // Cert-trust management — reads the OPC UA server's PKI store root so rejected client certs
 // can be promoted to trusted via the Admin UI. Singleton: no per-request state, just

src/ZB.MOM.WW.OtOpcUa.Admin/Services/HostStatusService.cs

@@ -0,0 +1,63 @@
+using Microsoft.EntityFrameworkCore;
+using ZB.MOM.WW.OtOpcUa.Configuration;
+using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+
+namespace ZB.MOM.WW.OtOpcUa.Admin.Services;
+
+/// <summary>
+///     One row per <see cref="DriverHostStatus"/> record, enriched with the owning
+///     <c>ClusterNode.ClusterId</c> when available (left-join). The Admin <c>/hosts</c> page
+///     groups by cluster and renders a per-node → per-driver → per-host tree.
+/// </summary>
+public sealed record HostStatusRow(
+    string NodeId,
+    string? ClusterId,
+    string DriverInstanceId,
+    string HostName,
+    DriverHostState State,
+    DateTime StateChangedUtc,
+    DateTime LastSeenUtc,
+    string? Detail);
+
+/// <summary>
+///     Read-side service for the Admin UI's per-host drill-down. Loads
+///     <see cref="DriverHostStatus"/> rows (written by the Server process's
+///     <c>HostStatusPublisher</c>) and left-joins <c>ClusterNode</c> so each row knows which
+///     cluster it belongs to — the Admin UI groups by cluster for the fleet-wide view.
+/// </summary>
+/// <remarks>
+///     The publisher heartbeat is 10s (<c>HostStatusPublisher.HeartbeatInterval</c>). The
+///     Admin page also polls every ~10s and treats rows with <c>LastSeenUtc</c> older than
+///     <c>StaleThreshold</c> (30s) as stale — covers a missed heartbeat tolerance plus
+///     a generous buffer for clock skew and publisher GC pauses.
+/// </remarks>
+public sealed class HostStatusService(OtOpcUaConfigDbContext db)
+{
+    public static readonly TimeSpan StaleThreshold = TimeSpan.FromSeconds(30);
+
+    public async Task<IReadOnlyList<HostStatusRow>> ListAsync(CancellationToken ct = default)
+    {
+        // LEFT JOIN on NodeId so a row persists even when its owning ClusterNode row hasn't
+        // been created yet (first-boot bootstrap case — keeps the UI from losing sight of
+        // the reporting server).
+        var rows = await (from s in db.DriverHostStatuses.AsNoTracking()
+                          join n in db.ClusterNodes.AsNoTracking()
+                              on s.NodeId equals n.NodeId into nodeJoin
+                          from n in nodeJoin.DefaultIfEmpty()
+                          orderby s.NodeId, s.DriverInstanceId, s.HostName
+                          select new HostStatusRow(
+                              s.NodeId,
+                              n != null ? n.ClusterId : null,
+                              s.DriverInstanceId,
+                              s.HostName,
+                              s.State,
+                              s.StateChangedUtc,
+                              s.LastSeenUtc,
+                              s.Detail)).ToListAsync(ct);
+        return rows;
+    }
+
+    public static bool IsStale(HostStatusRow row) =>
+        DateTime.UtcNow - row.LastSeenUtc > StaleThreshold;
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/Entities/DriverHostStatus.cs

@@ -0,0 +1,61 @@
+using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+
+/// <summary>
+///     Per-host connectivity snapshot the Server publishes for each driver's
+///     <c>IHostConnectivityProbe.GetHostStatuses</c> entry. One row per
+///     (<see cref="NodeId"/>, <see cref="DriverInstanceId"/>, <see cref="HostName"/>) triple —
+///     a redundant 2-node cluster with one Galaxy driver reporting 3 platforms produces 6
+///     rows, not 3, because each server node owns its own runtime view.
+/// </summary>
+/// <remarks>
+///     <para>
+///         Closes the data-layer piece of LMX follow-up #7 (per-AppEngine Admin dashboard
+///         drill-down). The publisher hosted service on the Server side subscribes to every
+///         registered driver's <c>OnHostStatusChanged</c> and upserts rows on transitions +
+///         periodic liveness heartbeats. <see cref="LastSeenUtc"/> advances on every
+///         heartbeat so the Admin UI can flag stale rows from a crashed Server.
+///     </para>
+///     <para>
+///         No foreign-key to <see cref="ClusterNode"/> — a Server may start reporting host
+///         status before its ClusterNode row exists (e.g. first-boot bootstrap), and we'd
+///         rather keep the status row than drop it. The Admin-side service left-joins on
+///         NodeId when presenting rows.
+///     </para>
+/// </remarks>
+public sealed class DriverHostStatus
+{
+    /// <summary>Server node that's running the driver.</summary>
+    public required string NodeId { get; set; }
+
+    /// <summary>Driver instance's stable id (matches <c>IDriver.DriverInstanceId</c>).</summary>
+    public required string DriverInstanceId { get; set; }
+
+    /// <summary>
+    ///     Driver-side host identifier — Galaxy Platform / AppEngine name, Modbus
+    ///     <c>host:port</c>, whatever the probe returns. Opaque to the Admin UI except as
+    ///     a display string.
+    /// </summary>
+    public required string HostName { get; set; }
+
+    public DriverHostState State { get; set; } = DriverHostState.Unknown;
+
+    /// <summary>Timestamp of the last state transition (not of the most recent heartbeat).</summary>
+    public DateTime StateChangedUtc { get; set; }
+
+    /// <summary>
+    ///     Advances on every publisher heartbeat — the Admin UI uses
+    ///     <c>now - LastSeenUtc &gt; threshold</c> to flag rows whose owning Server has
+    ///     stopped reporting (crashed, network-partitioned, etc.), independent of
+    ///     <see cref="State"/>.
+    /// </summary>
+    public DateTime LastSeenUtc { get; set; }
+
+    /// <summary>
+    ///     Optional human-readable detail populated when <see cref="State"/> is
+    ///     <see cref="DriverHostState.Faulted"/> — e.g. the exception message from the
+    ///     driver's probe. Null for Running / Stopped / Unknown transitions.
+    /// </summary>
+    public string? Detail { get; set; }
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/Enums/DriverHostState.cs

@@ -0,0 +1,21 @@
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+
+/// <summary>
+///     Persisted mirror of <c>Core.Abstractions.HostState</c> — the lifecycle state each
+///     <c>IHostConnectivityProbe</c>-capable driver reports for its per-host topology
+///     (Galaxy Platforms / AppEngines, Modbus PLC endpoints, future OPC UA gateway upstreams).
+///     Defined here instead of re-using <c>Core.Abstractions.HostState</c> so the
+///     Configuration project stays free of driver-runtime dependencies.
+/// </summary>
+/// <remarks>
+///     The server-side publisher (follow-up PR) translates
+///     <c>HostStatusChangedEventArgs.NewState</c> to this enum on every transition and
+///     upserts into <see cref="Entities.DriverHostStatus"/>. Admin UI reads from the DB.
+/// </remarks>
+public enum DriverHostState
+{
+    Unknown,
+    Running,
+    Stopped,
+    Faulted,
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/Migrations/20260418193608_AddDriverHostStatus.cs

@@ -0,0 +1,49 @@
+using System;
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Migrations
+{
+    /// <inheritdoc />
+    public partial class AddDriverHostStatus : Migration
+    {
+        /// <inheritdoc />
+        protected override void Up(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.CreateTable(
+                name: "DriverHostStatus",
+                columns: table => new
+                {
+                    NodeId = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: false),
+                    DriverInstanceId = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: false),
+                    HostName = table.Column<string>(type: "nvarchar(256)", maxLength: 256, nullable: false),
+                    State = table.Column<string>(type: "nvarchar(16)", maxLength: 16, nullable: false),
+                    StateChangedUtc = table.Column<DateTime>(type: "datetime2(3)", nullable: false),
+                    LastSeenUtc = table.Column<DateTime>(type: "datetime2(3)", nullable: false),
+                    Detail = table.Column<string>(type: "nvarchar(1024)", maxLength: 1024, nullable: true)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_DriverHostStatus", x => new { x.NodeId, x.DriverInstanceId, x.HostName });
+                });
+
+            migrationBuilder.CreateIndex(
+                name: "IX_DriverHostStatus_LastSeen",
+                table: "DriverHostStatus",
+                column: "LastSeenUtc");
+
+            migrationBuilder.CreateIndex(
+                name: "IX_DriverHostStatus_Node",
+                table: "DriverHostStatus",
+                column: "NodeId");
+        }
+
+        /// <inheritdoc />
+        protected override void Down(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.DropTable(
+                name: "DriverHostStatus");
+        }
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/Migrations/OtOpcUaConfigDbContextModelSnapshot.cs

@@ -332,6 +332,46 @@ namespace ZB.MOM.WW.OtOpcUa.Configuration.Migrations
                         });
                 });
 
+            modelBuilder.Entity("ZB.MOM.WW.OtOpcUa.Configuration.Entities.DriverHostStatus", b =>
+                {
+                    b.Property<string>("NodeId")
+                        .HasMaxLength(64)
+                        .HasColumnType("nvarchar(64)");
+
+                    b.Property<string>("DriverInstanceId")
+                        .HasMaxLength(64)
+                        .HasColumnType("nvarchar(64)");
+
+                    b.Property<string>("HostName")
+                        .HasMaxLength(256)
+                        .HasColumnType("nvarchar(256)");
+
+                    b.Property<string>("Detail")
+                        .HasMaxLength(1024)
+                        .HasColumnType("nvarchar(1024)");
+
+                    b.Property<DateTime>("LastSeenUtc")
+                        .HasColumnType("datetime2(3)");
+
+                    b.Property<string>("State")
+                        .IsRequired()
+                        .HasMaxLength(16)
+                        .HasColumnType("nvarchar(16)");
+
+                    b.Property<DateTime>("StateChangedUtc")
+                        .HasColumnType("datetime2(3)");
+
+                    b.HasKey("NodeId", "DriverInstanceId", "HostName");
+
+                    b.HasIndex("LastSeenUtc")
+                        .HasDatabaseName("IX_DriverHostStatus_LastSeen");
+
+                    b.HasIndex("NodeId")
+                        .HasDatabaseName("IX_DriverHostStatus_Node");
+
+                    b.ToTable("DriverHostStatus", (string)null);
+                });
+
             modelBuilder.Entity("ZB.MOM.WW.OtOpcUa.Configuration.Entities.DriverInstance", b =>
                 {
                     b.Property<Guid>("DriverInstanceRowId")

src/ZB.MOM.WW.OtOpcUa.Configuration/OtOpcUaConfigDbContext.cs

@@ -27,6 +27,7 @@ public sealed class OtOpcUaConfigDbContext(DbContextOptions<OtOpcUaConfigDbConte
     public DbSet<ClusterNodeGenerationState> ClusterNodeGenerationStates => Set<ClusterNodeGenerationState>();
     public DbSet<ConfigAuditLog> ConfigAuditLogs => Set<ConfigAuditLog>();
     public DbSet<ExternalIdReservation> ExternalIdReservations => Set<ExternalIdReservation>();
+    public DbSet<DriverHostStatus> DriverHostStatuses => Set<DriverHostStatus>();
 
     protected override void OnModelCreating(ModelBuilder modelBuilder)
     {
@@ -47,6 +48,7 @@ public sealed class OtOpcUaConfigDbContext(DbContextOptions<OtOpcUaConfigDbConte
         ConfigureClusterNodeGenerationState(modelBuilder);
         ConfigureConfigAuditLog(modelBuilder);
         ConfigureExternalIdReservation(modelBuilder);
+        ConfigureDriverHostStatus(modelBuilder);
     }
 
     private static void ConfigureServerCluster(ModelBuilder modelBuilder)
@@ -484,4 +486,30 @@ public sealed class OtOpcUaConfigDbContext(DbContextOptions<OtOpcUaConfigDbConte
             e.HasIndex(x => x.EquipmentUuid).HasDatabaseName("IX_ExternalIdReservation_Equipment");
         });
     }
+
+    private static void ConfigureDriverHostStatus(ModelBuilder modelBuilder)
+    {
+        modelBuilder.Entity<DriverHostStatus>(e =>
+        {
+            e.ToTable("DriverHostStatus");
+            // Composite key — one row per (server node, driver instance, probe-reported host).
+            // A redundant 2-node cluster with one Galaxy driver reporting 3 platforms produces
+            // 6 rows because each server node owns its own runtime view; the composite key is
+            // what lets both views coexist without shadowing each other.
+            e.HasKey(x => new { x.NodeId, x.DriverInstanceId, x.HostName });
+            e.Property(x => x.NodeId).HasMaxLength(64);
+            e.Property(x => x.DriverInstanceId).HasMaxLength(64);
+            e.Property(x => x.HostName).HasMaxLength(256);
+            e.Property(x => x.State).HasConversion<string>().HasMaxLength(16);
+            e.Property(x => x.StateChangedUtc).HasColumnType("datetime2(3)");
+            e.Property(x => x.LastSeenUtc).HasColumnType("datetime2(3)");
+            e.Property(x => x.Detail).HasMaxLength(1024);
+
+            // NodeId-only index drives the Admin UI's per-cluster drill-down (select all host
+            // statuses for the nodes of a specific cluster via join on ClusterNode.ClusterId).
+            e.HasIndex(x => x.NodeId).HasDatabaseName("IX_DriverHostStatus_Node");
+            // LastSeenUtc index powers the Admin UI's stale-row query (now - LastSeen > N).
+            e.HasIndex(x => x.LastSeenUtc).HasDatabaseName("IX_DriverHostStatus_LastSeen");
+        });
+    }
 }

src/ZB.MOM.WW.OtOpcUa.Server/HostStatusPublisher.cs

@@ -0,0 +1,143 @@
+using Microsoft.EntityFrameworkCore;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Hosting;
+using Microsoft.Extensions.Logging;
+using ZB.MOM.WW.OtOpcUa.Configuration;
+using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Core.Hosting;
+
+namespace ZB.MOM.WW.OtOpcUa.Server;
+
+/// <summary>
+///     Walks every registered driver once per heartbeat interval, asks each
+///     <see cref="IHostConnectivityProbe"/>-capable driver for its current
+///     <see cref="HostConnectivityStatus"/> list, and upserts one
+///     <see cref="DriverHostStatus"/> row per (NodeId, DriverInstanceId, HostName) into the
+///     central config DB. Powers the Admin UI's per-host drill-down page (LMX follow-up #7).
+/// </summary>
+/// <remarks>
+///     <para>
+///         Polling rather than event-driven: simpler, and matches the cadence the Admin UI
+///         consumes. An event-subscription optimization (push on <c>OnHostStatusChanged</c> for
+///         immediate reflection) is a straightforward follow-up but adds lifecycle complexity
+///         — drivers can be registered after the publisher starts, and subscribing to each
+///         one's event on register + unsubscribing on unregister requires DriverHost to expose
+///         lifecycle events it doesn't today.
+///     </para>
+///     <para>
+///         <see cref="DriverHostStatus.LastSeenUtc"/> advances every heartbeat so the Admin UI
+///         can flag stale rows from a crashed Server process independent of
+///         <see cref="DriverHostStatus.State"/> — a Faulted publisher that stops heartbeating
+///         stays Faulted in the DB but its LastSeenUtc ages out, which is the signal
+///         operators actually want.
+///     </para>
+///     <para>
+///         If the DB is unreachable on a given tick, the publisher logs and moves on — it
+///         does not retry or buffer. The next heartbeat picks up the current-state snapshot,
+///         which is more useful than replaying stale transitions after a long outage.
+///     </para>
+/// </remarks>
+public sealed class HostStatusPublisher(
+    DriverHost driverHost,
+    NodeOptions nodeOptions,
+    IServiceScopeFactory scopeFactory,
+    ILogger<HostStatusPublisher> logger) : BackgroundService
+{
+    internal static readonly TimeSpan HeartbeatInterval = TimeSpan.FromSeconds(10);
+
+    protected override async Task ExecuteAsync(CancellationToken stoppingToken)
+    {
+        // Wait a short moment at startup so NodeBootstrap's RegisterAsync calls have had a
+        // chance to land. First tick runs immediately after so a freshly-started Server
+        // surfaces its host topology in the Admin UI without waiting a full interval.
+        try { await Task.Delay(TimeSpan.FromSeconds(2), stoppingToken); }
+        catch (OperationCanceledException) { return; }
+
+        while (!stoppingToken.IsCancellationRequested)
+        {
+            try { await PublishOnceAsync(stoppingToken); }
+            catch (OperationCanceledException) { return; }
+            catch (Exception ex)
+            {
+                // Never take down the Server on a publisher failure. Log and continue —
+                // stale-row detection on the Admin side will surface the outage.
+                logger.LogWarning(ex, "Host-status publisher tick failed — will retry next heartbeat");
+            }
+
+            try { await Task.Delay(HeartbeatInterval, stoppingToken); }
+            catch (OperationCanceledException) { return; }
+        }
+    }
+
+    internal async Task PublishOnceAsync(CancellationToken ct)
+    {
+        var driverIds = driverHost.RegisteredDriverIds;
+        if (driverIds.Count == 0) return;
+
+        var now = DateTime.UtcNow;
+        using var scope = scopeFactory.CreateScope();
+        var db = scope.ServiceProvider.GetRequiredService<OtOpcUaConfigDbContext>();
+
+        foreach (var driverId in driverIds)
+        {
+            var driver = driverHost.GetDriver(driverId);
+            if (driver is not IHostConnectivityProbe probe) continue;
+
+            IReadOnlyList<HostConnectivityStatus> statuses;
+            try { statuses = probe.GetHostStatuses(); }
+            catch (Exception ex)
+            {
+                logger.LogWarning(ex, "Driver {DriverId} GetHostStatuses threw — skipping this tick", driverId);
+                continue;
+            }
+
+            foreach (var status in statuses)
+            {
+                await UpsertAsync(db, driverId, status, now, ct);
+            }
+        }
+
+        await db.SaveChangesAsync(ct);
+    }
+
+    private async Task UpsertAsync(OtOpcUaConfigDbContext db, string driverId,
+        HostConnectivityStatus status, DateTime now, CancellationToken ct)
+    {
+        var mapped = MapState(status.State);
+        var existing = await db.DriverHostStatuses.SingleOrDefaultAsync(r =>
+            r.NodeId == nodeOptions.NodeId
+            && r.DriverInstanceId == driverId
+            && r.HostName == status.HostName, ct);
+
+        if (existing is null)
+        {
+            db.DriverHostStatuses.Add(new DriverHostStatus
+            {
+                NodeId = nodeOptions.NodeId,
+                DriverInstanceId = driverId,
+                HostName = status.HostName,
+                State = mapped,
+                StateChangedUtc = status.LastChangedUtc,
+                LastSeenUtc = now,
+            });
+            return;
+        }
+
+        existing.LastSeenUtc = now;
+        if (existing.State != mapped)
+        {
+            existing.State = mapped;
+            existing.StateChangedUtc = status.LastChangedUtc;
+        }
+    }
+
+    internal static DriverHostState MapState(HostState state) => state switch
+    {
+        HostState.Running => DriverHostState.Running,
+        HostState.Stopped => DriverHostState.Stopped,
+        HostState.Faulted => DriverHostState.Faulted,
+        _ => DriverHostState.Unknown,
+    };
+}

src/ZB.MOM.WW.OtOpcUa.Server/Program.cs

@@ -1,8 +1,10 @@
+using Microsoft.EntityFrameworkCore;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
 using Microsoft.Extensions.Logging;
 using Serilog;
+using ZB.MOM.WW.OtOpcUa.Configuration;
 using ZB.MOM.WW.OtOpcUa.Configuration.LocalCache;
 using ZB.MOM.WW.OtOpcUa.Core.Hosting;
 using ZB.MOM.WW.OtOpcUa.Server;
@@ -72,5 +74,11 @@ builder.Services.AddSingleton<NodeBootstrap>();
 builder.Services.AddSingleton<OpcUaApplicationHost>();
 builder.Services.AddHostedService<OpcUaServerService>();
 
+// Central-config DB access for the host-status publisher (LMX follow-up #7). Scoped context
+// so per-heartbeat change-tracking stays isolated; publisher opens one scope per tick.
+builder.Services.AddDbContext<OtOpcUaConfigDbContext>(opt =>
+    opt.UseSqlServer(options.ConfigDbConnectionString));
+builder.Services.AddHostedService<HostStatusPublisher>();
+
 var host = builder.Build();
 await host.RunAsync();

src/ZB.MOM.WW.OtOpcUa.Server/Security/LdapOptions.cs

@@ -2,11 +2,37 @@ namespace ZB.MOM.WW.OtOpcUa.Server.Security;
 
 /// <summary>
 ///     LDAP settings for the OPC UA server's UserName token validator. Bound from
-///     <c>appsettings.json</c> <c>OpcUaServer:Ldap</c>. Defaults match the GLAuth dev instance
-///     (localhost:3893, dc=lmxopcua,dc=local). Production deployments set <see cref="UseTls"/>
-///     true, populate <see cref="ServiceAccountDn"/> for search-then-bind, and maintain
-///     <see cref="GroupToRole"/> with the real LDAP group names.
+///     <c>appsettings.json</c> <c>OpcUaServer:Ldap</c>. Defaults target the GLAuth dev instance
+///     (localhost:3893, <c>dc=lmxopcua,dc=local</c>) for the stock inner-loop setup. Production
+///     deployments are expected to point at Active Directory; see <see cref="UserNameAttribute"/>
+///     and the per-field xml-docs for the AD-specific overrides.
 /// </summary>
+/// <remarks>
+///     <para><b>Active Directory cheat-sheet</b>:</para>
+///     <list type="bullet">
+///         <item><see cref="Server"/>: one of the domain controllers, or the domain FQDN (will round-robin DCs).</item>
+///         <item><see cref="Port"/>: <c>389</c> (LDAP) or <c>636</c> (LDAPS); use 636 + <see cref="UseTls"/> in production.</item>
+///         <item><see cref="UseTls"/>: <c>true</c>. AD increasingly rejects plain-LDAP bind under LDAP-signing enforcement.</item>
+///         <item><see cref="AllowInsecureLdap"/>: <c>false</c>. Dev escape hatch only.</item>
+///         <item><see cref="SearchBase"/>: <c>DC=corp,DC=example,DC=com</c> — your domain's base DN.</item>
+///         <item><see cref="ServiceAccountDn"/>: a dedicated service principal with read access to user + group entries
+///         (e.g. <c>CN=OpcUaSvc,OU=Service Accounts,DC=corp,DC=example,DC=com</c>). Never a privileged admin.</item>
+///         <item><see cref="UserNameAttribute"/>: <c>sAMAccountName</c> (classic login name) or <c>userPrincipalName</c>
+///         (user@domain form). Default is <c>uid</c> which AD does <b>not</b> populate, so this override is required.</item>
+///         <item><see cref="DisplayNameAttribute"/>: <c>displayName</c> gives the human name; <c>cn</c> works too but is less rich.</item>
+///         <item><see cref="GroupAttribute"/>: <c>memberOf</c> — matches AD's default. Values are full DNs
+///         (<c>CN=&lt;Group&gt;,OU=...,DC=...</c>); the authenticator strips the leading <c>CN=</c> RDN value and uses
+///         that as the lookup key in <see cref="GroupToRole"/>.</item>
+///         <item><see cref="GroupToRole"/>: maps your AD group common-names to OPC UA roles — e.g.
+///         <c>{"OPCUA-Operators" : "WriteOperate", "OPCUA-Engineers" : "WriteConfigure"}</c>.</item>
+///     </list>
+///     <para>
+///         Nested groups are <b>not</b> expanded — AD's <c>tokenGroups</c> / <c>LDAP_MATCHING_RULE_IN_CHAIN</c>
+///         membership-chain filter isn't used. Assign users directly to the role-mapped groups, or pre-flatten
+///         membership in your directory. If nested expansion becomes a requirement, it's an authenticator
+///         enhancement (not a config change).
+///     </para>
+/// </remarks>
 public sealed class LdapOptions
 {
     public bool Enabled { get; init; } = false;
@@ -23,6 +49,20 @@ public sealed class LdapOptions
     public string DisplayNameAttribute { get; init; } = "cn";
     public string GroupAttribute { get; init; } = "memberOf";
 
+    /// <summary>
+    ///     LDAP attribute used to match a login name against user entries in the directory.
+    ///     Defaults to <c>uid</c> (RFC 2307). Common overrides:
+    ///     <list type="bullet">
+    ///         <item><c>sAMAccountName</c> — Active Directory, classic NT-style login names (e.g. <c>jdoe</c>).</item>
+    ///         <item><c>userPrincipalName</c> — Active Directory, email-style (e.g. <c>jdoe@corp.example.com</c>).</item>
+    ///         <item><c>cn</c> — GLAuth + some OpenLDAP deployments where users are keyed by common-name.</item>
+    ///     </list>
+    ///     Used only when <see cref="ServiceAccountDn"/> is non-empty (search-then-bind path) —
+    ///     direct-bind fallback constructs the DN as <c>cn=&lt;name&gt;,&lt;SearchBase&gt;</c>
+    ///     regardless of this setting and is not a production-grade path against AD.
+    /// </summary>
+    public string UserNameAttribute { get; init; } = "uid";
+
     /// <summary>
     ///     LDAP group → OPC UA role. Each authenticated user gets every role whose source group
     ///     is in their membership list. Recognized role names (CLAUDE.md): <c>ReadOnly</c> (browse

src/ZB.MOM.WW.OtOpcUa.Server/Security/LdapUserAuthenticator.cs

@@ -106,7 +106,7 @@ public sealed class LdapUserAuthenticator(LdapOptions options, ILogger<LdapUserA
         {
             await Task.Run(() => conn.Bind(options.ServiceAccountDn, options.ServiceAccountPassword), ct);
 
-            var filter = $"(uid={EscapeLdapFilter(username)})";
+            var filter = $"({options.UserNameAttribute}={EscapeLdapFilter(username)})";
             var results = await Task.Run(() =>
                 conn.Search(options.SearchBase, LdapConnection.ScopeSub, filter, ["dn"], false), ct);
 

src/ZB.MOM.WW.OtOpcUa.Server/ZB.MOM.WW.OtOpcUa.Server.csproj

@@ -24,6 +24,7 @@
         <PackageReference Include="OPCFoundation.NetStandard.Opc.Ua.Server" Version="1.5.374.126"/>
         <PackageReference Include="OPCFoundation.NetStandard.Opc.Ua.Configuration" Version="1.5.374.126"/>
         <PackageReference Include="Novell.Directory.Ldap.NETStandard" Version="3.6.0"/>
+        <PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer" Version="10.0.0"/>
     </ItemGroup>
 
     <ItemGroup>

tests/ZB.MOM.WW.OtOpcUa.Configuration.Tests/DriverHostStatusTests.cs

@@ -0,0 +1,128 @@
+using Microsoft.EntityFrameworkCore;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Tests;
+
+/// <summary>
+///     End-to-end round-trip through the DB for the <see cref="DriverHostStatus"/> entity
+///     added in PR 33 — exercises the composite primary key (NodeId, DriverInstanceId,
+///     HostName), string-backed <c>DriverHostState</c> conversion, and the two indexes the
+///     Admin UI's drill-down queries will scan (NodeId, LastSeenUtc).
+/// </summary>
+[Trait("Category", "SchemaCompliance")]
+[Collection(nameof(SchemaComplianceCollection))]
+public sealed class DriverHostStatusTests(SchemaComplianceFixture fixture)
+{
+    [Fact]
+    public async Task Composite_key_allows_same_host_across_different_nodes_or_drivers()
+    {
+        await using var ctx = NewContext();
+
+        // Same HostName + DriverInstanceId across two different server nodes — classic 2-node
+        // redundancy case. Both rows must be insertable because each server node owns its own
+        // runtime view of the shared host.
+        var now = DateTime.UtcNow;
+        ctx.DriverHostStatuses.Add(new DriverHostStatus
+        {
+            NodeId = "node-a", DriverInstanceId = "galaxy-1", HostName = "GRPlatform",
+            State = DriverHostState.Running,
+            StateChangedUtc = now, LastSeenUtc = now,
+        });
+        ctx.DriverHostStatuses.Add(new DriverHostStatus
+        {
+            NodeId = "node-b", DriverInstanceId = "galaxy-1", HostName = "GRPlatform",
+            State = DriverHostState.Stopped,
+            StateChangedUtc = now, LastSeenUtc = now,
+            Detail = "secondary hasn't taken over yet",
+        });
+        // Same server node + host, different driver instance — second driver doesn't clobber.
+        ctx.DriverHostStatuses.Add(new DriverHostStatus
+        {
+            NodeId = "node-a", DriverInstanceId = "modbus-plc1", HostName = "GRPlatform",
+            State = DriverHostState.Running,
+            StateChangedUtc = now, LastSeenUtc = now,
+        });
+        await ctx.SaveChangesAsync();
+
+        var rows = await ctx.DriverHostStatuses.AsNoTracking()
+            .Where(r => r.HostName == "GRPlatform").ToListAsync();
+
+        rows.Count.ShouldBe(3);
+        rows.ShouldContain(r => r.NodeId == "node-a" && r.DriverInstanceId == "galaxy-1");
+        rows.ShouldContain(r => r.NodeId == "node-b" && r.State == DriverHostState.Stopped && r.Detail == "secondary hasn't taken over yet");
+        rows.ShouldContain(r => r.NodeId == "node-a" && r.DriverInstanceId == "modbus-plc1");
+    }
+
+    [Fact]
+    public async Task Upsert_pattern_for_same_key_updates_in_place()
+    {
+        // The publisher hosted service (follow-up PR) upserts on every transition +
+        // heartbeat. This test pins the two-step pattern it will use: check-then-add-or-update
+        // keyed on the composite PK. If the composite key ever changes, this test breaks
+        // loudly so the publisher gets a synchronized update.
+        await using var ctx = NewContext();
+        var t0 = DateTime.UtcNow;
+        ctx.DriverHostStatuses.Add(new DriverHostStatus
+        {
+            NodeId = "upsert-node", DriverInstanceId = "upsert-driver", HostName = "upsert-host",
+            State = DriverHostState.Running,
+            StateChangedUtc = t0, LastSeenUtc = t0,
+        });
+        await ctx.SaveChangesAsync();
+
+        var t1 = t0.AddSeconds(30);
+        await using (var ctx2 = NewContext())
+        {
+            var existing = await ctx2.DriverHostStatuses.SingleAsync(r =>
+                r.NodeId == "upsert-node" && r.DriverInstanceId == "upsert-driver" && r.HostName == "upsert-host");
+            existing.State = DriverHostState.Faulted;
+            existing.StateChangedUtc = t1;
+            existing.LastSeenUtc = t1;
+            existing.Detail = "transport reset by peer";
+            await ctx2.SaveChangesAsync();
+        }
+
+        await using var ctx3 = NewContext();
+        var final = await ctx3.DriverHostStatuses.AsNoTracking().SingleAsync(r =>
+            r.NodeId == "upsert-node" && r.HostName == "upsert-host");
+        final.State.ShouldBe(DriverHostState.Faulted);
+        final.Detail.ShouldBe("transport reset by peer");
+        // Only one row — a naive "always insert" would have created a duplicate PK and thrown.
+        (await ctx3.DriverHostStatuses.CountAsync(r => r.NodeId == "upsert-node")).ShouldBe(1);
+    }
+
+    [Fact]
+    public async Task Enum_persists_as_string_not_int()
+    {
+        // Fluent config sets HasConversion<string>() on State — the DB stores 'Running' /
+        // 'Stopped' / 'Faulted' / 'Unknown' as nvarchar(16). Verify by reading the raw
+        // string back via ADO; if someone drops the conversion the column will contain '1'
+        // / '2' / '3' and this assertion fails. Matters because DBAs inspecting the table
+        // directly should see readable state names, not enum ordinals.
+        await using var ctx = NewContext();
+        ctx.DriverHostStatuses.Add(new DriverHostStatus
+        {
+            NodeId = "enum-node", DriverInstanceId = "enum-driver", HostName = "enum-host",
+            State = DriverHostState.Faulted,
+            StateChangedUtc = DateTime.UtcNow, LastSeenUtc = DateTime.UtcNow,
+        });
+        await ctx.SaveChangesAsync();
+
+        await using var conn = fixture.OpenConnection();
+        using var cmd = conn.CreateCommand();
+        cmd.CommandText = "SELECT [State] FROM DriverHostStatus WHERE NodeId = 'enum-node'";
+        var rawValue = (string?)await cmd.ExecuteScalarAsync();
+        rawValue.ShouldBe("Faulted");
+    }
+
+    private OtOpcUaConfigDbContext NewContext()
+    {
+        var options = new DbContextOptionsBuilder<OtOpcUaConfigDbContext>()
+            .UseSqlServer(fixture.ConnectionString)
+            .Options;
+        return new OtOpcUaConfigDbContext(options);
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Configuration.Tests/SchemaComplianceTests.cs

@@ -28,6 +28,7 @@ public sealed class SchemaComplianceTests
             "Namespace", "UnsArea", "UnsLine",
             "DriverInstance", "Device", "Equipment", "Tag", "PollGroup",
             "NodeAcl", "ExternalIdReservation",
+            "DriverHostStatus",
         };
 
         var actual = QueryStrings(@"

tests/ZB.MOM.WW.OtOpcUa.Server.Tests/HostStatusPublisherTests.cs

@@ -0,0 +1,197 @@
+using Microsoft.EntityFrameworkCore;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging.Abstractions;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Configuration;
+using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Core.Hosting;
+using ZB.MOM.WW.OtOpcUa.Server;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.Tests;
+
+[Trait("Category", "Integration")]
+public sealed class HostStatusPublisherTests : IDisposable
+{
+    private const string DefaultServer = "localhost,14330";
+    private const string DefaultSaPassword = "OtOpcUaDev_2026!";
+
+    private readonly string _databaseName = $"OtOpcUaPublisher_{Guid.NewGuid():N}";
+    private readonly string _connectionString;
+    private readonly ServiceProvider _sp;
+
+    public HostStatusPublisherTests()
+    {
+        var server = Environment.GetEnvironmentVariable("OTOPCUA_CONFIG_TEST_SERVER") ?? DefaultServer;
+        var password = Environment.GetEnvironmentVariable("OTOPCUA_CONFIG_TEST_SA_PASSWORD") ?? DefaultSaPassword;
+        _connectionString =
+            $"Server={server};Database={_databaseName};User Id=sa;Password={password};TrustServerCertificate=True;Encrypt=False;";
+
+        var services = new ServiceCollection();
+        services.AddLogging();
+        services.AddDbContext<OtOpcUaConfigDbContext>(o => o.UseSqlServer(_connectionString));
+        _sp = services.BuildServiceProvider();
+
+        using var scope = _sp.CreateScope();
+        scope.ServiceProvider.GetRequiredService<OtOpcUaConfigDbContext>().Database.Migrate();
+    }
+
+    public void Dispose()
+    {
+        _sp.Dispose();
+        using var conn = new Microsoft.Data.SqlClient.SqlConnection(
+            new Microsoft.Data.SqlClient.SqlConnectionStringBuilder(_connectionString) { InitialCatalog = "master" }.ConnectionString);
+        conn.Open();
+        using var cmd = conn.CreateCommand();
+        cmd.CommandText = $@"
+IF DB_ID(N'{_databaseName}') IS NOT NULL
+BEGIN
+    ALTER DATABASE [{_databaseName}] SET SINGLE_USER WITH ROLLBACK IMMEDIATE;
+    DROP DATABASE [{_databaseName}];
+END";
+        cmd.ExecuteNonQuery();
+    }
+
+    [Fact]
+    public async Task Publisher_upserts_one_row_per_host_reported_by_each_probe_driver()
+    {
+        var driverHost = new DriverHost();
+        await driverHost.RegisterAsync(new ProbeStubDriver("driver-a",
+            new HostConnectivityStatus("HostA1", HostState.Running, DateTime.UtcNow),
+            new HostConnectivityStatus("HostA2", HostState.Stopped, DateTime.UtcNow)),
+            "{}", CancellationToken.None);
+        await driverHost.RegisterAsync(new NonProbeStubDriver("driver-no-probe"), "{}", CancellationToken.None);
+
+        var nodeOptions = NewNodeOptions("node-a");
+        var publisher = new HostStatusPublisher(driverHost, nodeOptions, _sp.GetRequiredService<IServiceScopeFactory>(),
+            NullLogger<HostStatusPublisher>.Instance);
+
+        await publisher.PublishOnceAsync(CancellationToken.None);
+
+        using var scope = _sp.CreateScope();
+        var db = scope.ServiceProvider.GetRequiredService<OtOpcUaConfigDbContext>();
+        var rows = await db.DriverHostStatuses.AsNoTracking().ToListAsync();
+
+        rows.Count.ShouldBe(2, "driver-no-probe doesn't implement IHostConnectivityProbe — no rows for it");
+        rows.ShouldContain(r => r.HostName == "HostA1" && r.State == DriverHostState.Running && r.DriverInstanceId == "driver-a");
+        rows.ShouldContain(r => r.HostName == "HostA2" && r.State == DriverHostState.Stopped && r.DriverInstanceId == "driver-a");
+        rows.ShouldAllBe(r => r.NodeId == "node-a");
+    }
+
+    [Fact]
+    public async Task Second_tick_updates_LastSeenUtc_without_creating_duplicate_rows()
+    {
+        var driver = new ProbeStubDriver("driver-x",
+            new HostConnectivityStatus("HostX", HostState.Running, DateTime.UtcNow));
+        var driverHost = new DriverHost();
+        await driverHost.RegisterAsync(driver, "{}", CancellationToken.None);
+
+        var publisher = new HostStatusPublisher(driverHost, NewNodeOptions("node-x"),
+            _sp.GetRequiredService<IServiceScopeFactory>(),
+            NullLogger<HostStatusPublisher>.Instance);
+
+        await publisher.PublishOnceAsync(CancellationToken.None);
+        var firstSeen = await SingleRowAsync("node-x", "driver-x", "HostX");
+        await Task.Delay(50); // guarantee a later wall-clock value so LastSeenUtc advances
+        await publisher.PublishOnceAsync(CancellationToken.None);
+        var secondSeen = await SingleRowAsync("node-x", "driver-x", "HostX");
+
+        secondSeen.LastSeenUtc.ShouldBeGreaterThan(firstSeen.LastSeenUtc,
+            "heartbeat advances LastSeenUtc so Admin can stale-flag rows from crashed Servers");
+
+        // Still exactly one row — a naive Add-every-tick would have thrown or duplicated.
+        using var scope = _sp.CreateScope();
+        var db = scope.ServiceProvider.GetRequiredService<OtOpcUaConfigDbContext>();
+        (await db.DriverHostStatuses.CountAsync(r => r.NodeId == "node-x")).ShouldBe(1);
+    }
+
+    [Fact]
+    public async Task State_change_between_ticks_updates_State_and_StateChangedUtc()
+    {
+        var driver = new ProbeStubDriver("driver-y",
+            new HostConnectivityStatus("HostY", HostState.Running, DateTime.UtcNow.AddSeconds(-10)));
+        var driverHost = new DriverHost();
+        await driverHost.RegisterAsync(driver, "{}", CancellationToken.None);
+
+        var publisher = new HostStatusPublisher(driverHost, NewNodeOptions("node-y"),
+            _sp.GetRequiredService<IServiceScopeFactory>(),
+            NullLogger<HostStatusPublisher>.Instance);
+
+        await publisher.PublishOnceAsync(CancellationToken.None);
+        var before = await SingleRowAsync("node-y", "driver-y", "HostY");
+
+        // Swap the driver's reported state to Faulted with a newer transition timestamp.
+        var newChange = DateTime.UtcNow;
+        driver.Statuses = [new HostConnectivityStatus("HostY", HostState.Faulted, newChange)];
+        await publisher.PublishOnceAsync(CancellationToken.None);
+
+        var after = await SingleRowAsync("node-y", "driver-y", "HostY");
+        after.State.ShouldBe(DriverHostState.Faulted);
+        // datetime2(3) has millisecond precision — DateTime.UtcNow carries up to 100ns ticks,
+        // so the stored value rounds down. Compare at millisecond granularity to stay clean.
+        after.StateChangedUtc.ShouldBe(newChange, tolerance: TimeSpan.FromMilliseconds(1));
+        after.StateChangedUtc.ShouldBeGreaterThan(before.StateChangedUtc,
+            "StateChangedUtc must advance when the state actually changed");
+        before.State.ShouldBe(DriverHostState.Running);
+    }
+
+    [Fact]
+    public void MapState_translates_every_HostState_member()
+    {
+        HostStatusPublisher.MapState(HostState.Running).ShouldBe(DriverHostState.Running);
+        HostStatusPublisher.MapState(HostState.Stopped).ShouldBe(DriverHostState.Stopped);
+        HostStatusPublisher.MapState(HostState.Faulted).ShouldBe(DriverHostState.Faulted);
+        HostStatusPublisher.MapState(HostState.Unknown).ShouldBe(DriverHostState.Unknown);
+    }
+
+    private async Task<Configuration.Entities.DriverHostStatus> SingleRowAsync(string node, string driver, string host)
+    {
+        using var scope = _sp.CreateScope();
+        var db = scope.ServiceProvider.GetRequiredService<OtOpcUaConfigDbContext>();
+        return await db.DriverHostStatuses.AsNoTracking()
+            .SingleAsync(r => r.NodeId == node && r.DriverInstanceId == driver && r.HostName == host);
+    }
+
+    private static NodeOptions NewNodeOptions(string nodeId) => new()
+    {
+        NodeId = nodeId,
+        ClusterId = "cluster-t",
+        ConfigDbConnectionString = "unused-publisher-gets-db-from-scope",
+    };
+
+    private sealed class ProbeStubDriver(string id, params HostConnectivityStatus[] initial)
+        : IDriver, IHostConnectivityProbe
+    {
+        public HostConnectivityStatus[] Statuses { get; set; } = initial;
+        public string DriverInstanceId => id;
+        public string DriverType => "ProbeStub";
+
+        public event EventHandler<HostStatusChangedEventArgs>? OnHostStatusChanged;
+
+        public Task InitializeAsync(string driverConfigJson, CancellationToken ct) => Task.CompletedTask;
+        public Task ReinitializeAsync(string driverConfigJson, CancellationToken ct) => Task.CompletedTask;
+        public Task ShutdownAsync(CancellationToken ct) => Task.CompletedTask;
+        public DriverHealth GetHealth() => new(DriverState.Healthy, DateTime.UtcNow, null);
+        public long GetMemoryFootprint() => 0;
+        public Task FlushOptionalCachesAsync(CancellationToken ct) => Task.CompletedTask;
+
+        public IReadOnlyList<HostConnectivityStatus> GetHostStatuses() => Statuses;
+
+        // Keeps the compiler happy — event is part of the interface contract even if unused here.
+        internal void Raise(HostStatusChangedEventArgs e) => OnHostStatusChanged?.Invoke(this, e);
+    }
+
+    private sealed class NonProbeStubDriver(string id) : IDriver
+    {
+        public string DriverInstanceId => id;
+        public string DriverType => "NonProbeStub";
+
+        public Task InitializeAsync(string driverConfigJson, CancellationToken ct) => Task.CompletedTask;
+        public Task ReinitializeAsync(string driverConfigJson, CancellationToken ct) => Task.CompletedTask;
+        public Task ShutdownAsync(CancellationToken ct) => Task.CompletedTask;
+        public DriverHealth GetHealth() => new(DriverState.Healthy, DateTime.UtcNow, null);
+        public long GetMemoryFootprint() => 0;
+        public Task FlushOptionalCachesAsync(CancellationToken ct) => Task.CompletedTask;
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Server.Tests/LdapUserAuthenticatorAdCompatTests.cs

@@ -0,0 +1,67 @@
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Server.Security;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.Tests;
+
+/// <summary>
+///     Deterministic guards for Active Directory compatibility of the internal helpers
+///     <see cref="LdapUserAuthenticator"/> relies on. We can't live-bind against AD in unit
+///     tests — instead, we pin the behaviors AD depends on (DN-parsing of AD-style
+///     <c>memberOf</c> values, filter escaping with case-preserving RDN extraction) so a
+///     future refactor can't silently break the AD path while the GLAuth live-smoke stays
+///     green.
+/// </summary>
+[Trait("Category", "Unit")]
+public sealed class LdapUserAuthenticatorAdCompatTests
+{
+    [Fact]
+    public void ExtractFirstRdnValue_parses_AD_memberOf_group_name_from_CN_dn()
+    {
+        // AD's memberOf values use uppercase CN=… and full domain paths. The extractor
+        // returns the first RDN's value regardless of attribute-type case, so operators'
+        // GroupToRole keys stay readable ("OPCUA-Operators" not "CN=OPCUA-Operators,...").
+        var dn = "CN=OPCUA-Operators,OU=OPC UA Security Groups,OU=Groups,DC=corp,DC=example,DC=com";
+        LdapUserAuthenticator.ExtractFirstRdnValue(dn).ShouldBe("OPCUA-Operators");
+    }
+
+    [Fact]
+    public void ExtractFirstRdnValue_handles_mixed_case_and_spaces_in_group_name()
+    {
+        var dn = "CN=Domain Users,CN=Users,DC=corp,DC=example,DC=com";
+        LdapUserAuthenticator.ExtractFirstRdnValue(dn).ShouldBe("Domain Users");
+    }
+
+    [Fact]
+    public void ExtractFirstRdnValue_also_works_for_OpenLDAP_ou_style_memberOf()
+    {
+        // GLAuth + some OpenLDAP deployments expose memberOf as ou=<group>,ou=groups,...
+        // The authenticator needs one extractor that tolerates both shapes since directories
+        // in the field mix them depending on schema.
+        var dn = "ou=WriteOperate,ou=groups,dc=lmxopcua,dc=local";
+        LdapUserAuthenticator.ExtractFirstRdnValue(dn).ShouldBe("WriteOperate");
+    }
+
+    [Fact]
+    public void EscapeLdapFilter_prevents_injection_via_samaccountname_lookup()
+    {
+        // AD login names can contain characters that are meaningful to LDAP filter syntax
+        // (parens, backslashes). The authenticator builds filters as
+        // ($"({UserNameAttribute}={EscapeLdapFilter(username)})") so injection attempts must
+        // not break out of the filter. The RFC 4515 escape set is: \ → \5c, * → \2a, ( → \28,
+        // ) → \29, \0 → \00.
+        LdapUserAuthenticator.EscapeLdapFilter("admin)(cn=*")
+            .ShouldBe("admin\\29\\28cn=\\2a");
+        LdapUserAuthenticator.EscapeLdapFilter("domain\\user")
+            .ShouldBe("domain\\5cuser");
+    }
+
+    [Fact]
+    public void LdapOptions_default_UserNameAttribute_is_uid_for_rfc2307_compat()
+    {
+        // Regression guard: PR 31 introduced UserNameAttribute with a default of "uid" so
+        // existing deployments (pre-AD config) keep working. Changing the default breaks
+        // everyone's config silently; require an explicit review.
+        new LdapOptions().UserNameAttribute.ShouldBe("uid");
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Server.Tests/LdapUserAuthenticatorLiveTests.cs

@@ -0,0 +1,154 @@
+using System.Net.Sockets;
+using Microsoft.Extensions.Logging.Abstractions;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Server.Security;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.Tests;
+
+/// <summary>
+///     Live-service tests against the dev GLAuth instance at <c>localhost:3893</c>. Skipped
+///     when the port is unreachable so the test suite stays portable on boxes without a
+///     running directory. Closes LMX follow-up #4 — the server-side <see cref="LdapUserAuthenticator"/>
+///     is exercised end-to-end against a real LDAP server (same one the Admin process uses),
+///     not just the flow-shape unit tests from PR 19.
+/// </summary>
+/// <remarks>
+///     The <c>Admin.Tests</c> project already has a live-bind test for its own
+///     <c>LdapAuthService</c>; this pair catches divergence between the two bind paths — the
+///     Server authenticator has to work even when the Server process is on a machine that
+///     doesn't have the Admin assemblies loaded, and the two share no code by design
+///     (cross-app dependency avoidance). If one side drifts past the other on LDAP filter
+///     construction, DN resolution, or memberOf parsing, these tests surface it.
+/// </remarks>
+[Trait("Category", "LiveLdap")]
+public sealed class LdapUserAuthenticatorLiveTests
+{
+    private const string GlauthHost = "localhost";
+    private const int GlauthPort = 3893;
+
+    private static bool GlauthReachable()
+    {
+        try
+        {
+            using var client = new TcpClient();
+            var task = client.ConnectAsync(GlauthHost, GlauthPort);
+            return task.Wait(TimeSpan.FromSeconds(1)) && client.Connected;
+        }
+        catch { return false; }
+    }
+
+    // GLAuth dev directory groups are named identically to the OPC UA roles
+    // (ReadOnly / WriteOperate / WriteTune / WriteConfigure / AlarmAck), so the map is an
+    // identity translation. The authenticator still exercises every step of the pipeline —
+    // bind, memberOf lookup, group-name extraction, GroupToRole lookup — against real LDAP
+    // data; the identity map just means the assertion is phrased with no surprise rename
+    // in the middle.
+    private static LdapOptions GlauthOptions() => new()
+    {
+        Enabled = true,
+        Server = GlauthHost,
+        Port = GlauthPort,
+        UseTls = false,
+        AllowInsecureLdap = true,
+        SearchBase = "dc=lmxopcua,dc=local",
+        // Search-then-bind: service account resolves the user's full DN (cn=<user> lives
+        // under ou=<primary-group>,ou=users), the authenticator binds that DN with the
+        // user's password, then stays on the service-account session for memberOf lookup.
+        // Without this path, GLAuth ACLs block the authenticated user from reading their
+        // own entry in full — a plain self-search returns zero results and the role list
+        // ends up empty.
+        ServiceAccountDn = "cn=serviceaccount,dc=lmxopcua,dc=local",
+        ServiceAccountPassword = "serviceaccount123",
+        DisplayNameAttribute = "cn",
+        GroupAttribute = "memberOf",
+        UserNameAttribute = "cn", // GLAuth keys users by cn — see LdapOptions xml-doc.
+        GroupToRole = new(StringComparer.OrdinalIgnoreCase)
+        {
+            ["ReadOnly"] = "ReadOnly",
+            ["WriteOperate"] = WriteAuthzPolicy.RoleWriteOperate,
+            ["WriteTune"] = WriteAuthzPolicy.RoleWriteTune,
+            ["WriteConfigure"] = WriteAuthzPolicy.RoleWriteConfigure,
+            ["AlarmAck"] = "AlarmAck",
+        },
+    };
+
+    private static LdapUserAuthenticator NewAuthenticator() =>
+        new(GlauthOptions(), NullLogger<LdapUserAuthenticator>.Instance);
+
+    [Fact]
+    public async Task Valid_credentials_bind_and_return_success()
+    {
+        if (!GlauthReachable()) Assert.Skip("GLAuth unreachable at localhost:3893 — start the dev directory to run this test.");
+
+        var result = await NewAuthenticator().AuthenticateAsync("readonly", "readonly123", TestContext.Current.CancellationToken);
+
+        result.Success.ShouldBeTrue(result.Error);
+        result.DisplayName.ShouldNotBeNullOrEmpty();
+    }
+
+    [Fact]
+    public async Task Writeop_user_gets_WriteOperate_role_from_group_mapping()
+    {
+        // Drives end-to-end: bind as writeop, memberOf lists the WriteOperate group, the
+        // authenticator surfaces WriteOperate via GroupToRole. If this test fails,
+        // WriteAuthzPolicy.IsAllowed for an Operate-tier write would also fail
+        // (WriteOperate is the exact string the policy checks for), so the failure mode is
+        // concrete, not abstract.
+        if (!GlauthReachable()) Assert.Skip("GLAuth unreachable at localhost:3893 — start the dev directory to run this test.");
+
+        var result = await NewAuthenticator().AuthenticateAsync("writeop", "writeop123", TestContext.Current.CancellationToken);
+
+        result.Success.ShouldBeTrue(result.Error);
+        result.Roles.ShouldContain(WriteAuthzPolicy.RoleWriteOperate);
+    }
+
+    [Fact]
+    public async Task Admin_user_gets_multiple_roles_from_multiple_groups()
+    {
+        if (!GlauthReachable()) Assert.Skip("GLAuth unreachable at localhost:3893 — start the dev directory to run this test.");
+
+        // 'admin' has primarygroup=ReadOnly and othergroups=[WriteOperate, AlarmAck,
+        // WriteTune, WriteConfigure] per the GLAuth dev config — the authenticator must
+        // surface every mapped role, not just the primary group. Guards against a regression
+        // where the memberOf parsing stops after the first match or misses the primary-group
+        // fallback.
+        var result = await NewAuthenticator().AuthenticateAsync("admin", "admin123", TestContext.Current.CancellationToken);
+
+        result.Success.ShouldBeTrue(result.Error);
+        result.Roles.ShouldContain(WriteAuthzPolicy.RoleWriteOperate);
+        result.Roles.ShouldContain(WriteAuthzPolicy.RoleWriteTune);
+        result.Roles.ShouldContain(WriteAuthzPolicy.RoleWriteConfigure);
+        result.Roles.ShouldContain("AlarmAck");
+    }
+
+    [Fact]
+    public async Task Wrong_password_returns_failure()
+    {
+        if (!GlauthReachable()) Assert.Skip("GLAuth unreachable at localhost:3893 — start the dev directory to run this test.");
+
+        var result = await NewAuthenticator().AuthenticateAsync("readonly", "wrong-pw", TestContext.Current.CancellationToken);
+
+        result.Success.ShouldBeFalse();
+        result.Error.ShouldNotBeNullOrEmpty();
+    }
+
+    [Fact]
+    public async Task Unknown_user_returns_failure()
+    {
+        if (!GlauthReachable()) Assert.Skip("GLAuth unreachable at localhost:3893 — start the dev directory to run this test.");
+
+        var result = await NewAuthenticator().AuthenticateAsync("no-such-user-42", "whatever", TestContext.Current.CancellationToken);
+
+        result.Success.ShouldBeFalse();
+    }
+
+    [Fact]
+    public async Task Empty_credentials_fail_without_touching_the_directory()
+    {
+        // Pre-flight guard — doesn't require GLAuth.
+        var result = await NewAuthenticator().AuthenticateAsync("", "", TestContext.Current.CancellationToken);
+        result.Success.ShouldBeFalse();
+        result.Error.ShouldContain("Credentials", Case.Insensitive);
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Server.Tests/MultipleDriverInstancesIntegrationTests.cs

@@ -0,0 +1,191 @@
+using Microsoft.Extensions.Logging.Abstractions;
+using Opc.Ua;
+using Opc.Ua.Client;
+using Opc.Ua.Configuration;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Core.Hosting;
+using ZB.MOM.WW.OtOpcUa.Server.OpcUa;
+using ZB.MOM.WW.OtOpcUa.Server.Security;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.Tests;
+
+/// <summary>
+///     Closes LMX follow-up #6 — proves that two <see cref="IDriver"/> instances registered
+///     on the same <see cref="DriverHost"/> land in isolated namespaces and their reads
+///     route to the correct driver. The existing <see cref="OpcUaServerIntegrationTests"/>
+///     only exercises a single-driver topology; this sibling fixture registers two.
+/// </summary>
+/// <remarks>
+///     Each driver gets its own namespace URI of the form <c>urn:OtOpcUa:{DriverInstanceId}</c>
+///     (per <c>DriverNodeManager</c>'s base-class <c>namespaceUris</c> argument). A client
+///     that browses one namespace must see only that driver's subtree, and a read against a
+///     variable in one namespace must return that driver's value, not the other's — this is
+///     what stops a cross-driver routing regression from going unnoticed when the v1
+///     single-driver code path gets new knobs.
+/// </remarks>
+[Trait("Category", "Integration")]
+public sealed class MultipleDriverInstancesIntegrationTests : IAsyncLifetime
+{
+    private static readonly int Port = 48500 + Random.Shared.Next(0, 99);
+    private readonly string _endpoint = $"opc.tcp://localhost:{Port}/OtOpcUaMultiDriverTest";
+    private readonly string _pkiRoot = Path.Combine(Path.GetTempPath(), $"otopcua-multi-{Guid.NewGuid():N}");
+
+    private DriverHost _driverHost = null!;
+    private OpcUaApplicationHost _server = null!;
+
+    public async ValueTask InitializeAsync()
+    {
+        _driverHost = new DriverHost();
+        await _driverHost.RegisterAsync(new StubDriver("alpha", folderName: "AlphaFolder", readValue: 42),
+            "{}", CancellationToken.None);
+        await _driverHost.RegisterAsync(new StubDriver("beta", folderName: "BetaFolder", readValue: 99),
+            "{}", CancellationToken.None);
+
+        var options = new OpcUaServerOptions
+        {
+            EndpointUrl = _endpoint,
+            ApplicationName = "OtOpcUaMultiDriverTest",
+            ApplicationUri = "urn:OtOpcUa:Server:MultiDriverTest",
+            PkiStoreRoot = _pkiRoot,
+            AutoAcceptUntrustedClientCertificates = true,
+        };
+
+        _server = new OpcUaApplicationHost(options, _driverHost, new DenyAllUserAuthenticator(),
+            NullLoggerFactory.Instance, NullLogger<OpcUaApplicationHost>.Instance);
+        await _server.StartAsync(CancellationToken.None);
+    }
+
+    public async ValueTask DisposeAsync()
+    {
+        await _server.DisposeAsync();
+        await _driverHost.DisposeAsync();
+        try { Directory.Delete(_pkiRoot, recursive: true); } catch { /* best-effort */ }
+    }
+
+    [Fact]
+    public async Task Both_drivers_register_under_their_own_urn_namespace()
+    {
+        using var session = await OpenSessionAsync();
+
+        var alphaNs = session.NamespaceUris.GetIndex("urn:OtOpcUa:alpha");
+        var betaNs = session.NamespaceUris.GetIndex("urn:OtOpcUa:beta");
+
+        alphaNs.ShouldBeGreaterThanOrEqualTo(0, "DriverNodeManager for 'alpha' must register its namespace URI");
+        betaNs.ShouldBeGreaterThanOrEqualTo(0, "DriverNodeManager for 'beta' must register its namespace URI");
+        alphaNs.ShouldNotBe(betaNs, "each driver owns its own namespace");
+    }
+
+    [Fact]
+    public async Task Each_driver_subtree_exposes_only_its_own_folder()
+    {
+        using var session = await OpenSessionAsync();
+
+        var alphaNs = (ushort)session.NamespaceUris.GetIndex("urn:OtOpcUa:alpha");
+        var betaNs = (ushort)session.NamespaceUris.GetIndex("urn:OtOpcUa:beta");
+
+        var alphaRoot = new NodeId("alpha", alphaNs);
+        session.Browse(null, null, alphaRoot, 0, BrowseDirection.Forward, ReferenceTypeIds.HierarchicalReferences,
+            true, (uint)NodeClass.Object | (uint)NodeClass.Variable, out _, out var alphaRefs);
+        alphaRefs.ShouldContain(r => r.BrowseName.Name == "AlphaFolder",
+            "alpha's subtree must contain alpha's folder");
+        alphaRefs.ShouldNotContain(r => r.BrowseName.Name == "BetaFolder",
+            "alpha's subtree must NOT see beta's folder — cross-driver leak would hide subscription-routing bugs");
+
+        var betaRoot = new NodeId("beta", betaNs);
+        session.Browse(null, null, betaRoot, 0, BrowseDirection.Forward, ReferenceTypeIds.HierarchicalReferences,
+            true, (uint)NodeClass.Object | (uint)NodeClass.Variable, out _, out var betaRefs);
+        betaRefs.ShouldContain(r => r.BrowseName.Name == "BetaFolder");
+        betaRefs.ShouldNotContain(r => r.BrowseName.Name == "AlphaFolder");
+    }
+
+    [Fact]
+    public async Task Reads_route_to_the_correct_driver_by_namespace()
+    {
+        using var session = await OpenSessionAsync();
+
+        var alphaNs = (ushort)session.NamespaceUris.GetIndex("urn:OtOpcUa:alpha");
+        var betaNs = (ushort)session.NamespaceUris.GetIndex("urn:OtOpcUa:beta");
+
+        var alphaValue = session.ReadValue(new NodeId("AlphaFolder.Var1", alphaNs));
+        var betaValue = session.ReadValue(new NodeId("BetaFolder.Var1", betaNs));
+
+        alphaValue.Value.ShouldBe(42, "alpha driver's ReadAsync returns 42 — a misroute would surface as 99");
+        betaValue.Value.ShouldBe(99, "beta driver's ReadAsync returns 99 — a misroute would surface as 42");
+    }
+
+    private async Task<ISession> OpenSessionAsync()
+    {
+        var cfg = new ApplicationConfiguration
+        {
+            ApplicationName = "OtOpcUaMultiDriverTestClient",
+            ApplicationUri = "urn:OtOpcUa:MultiDriverTestClient",
+            ApplicationType = ApplicationType.Client,
+            SecurityConfiguration = new SecurityConfiguration
+            {
+                ApplicationCertificate = new CertificateIdentifier
+                {
+                    StoreType = CertificateStoreType.Directory,
+                    StorePath = Path.Combine(_pkiRoot, "client-own"),
+                    SubjectName = "CN=OtOpcUaMultiDriverTestClient",
+                },
+                TrustedIssuerCertificates = new CertificateTrustList { StoreType = CertificateStoreType.Directory, StorePath = Path.Combine(_pkiRoot, "client-issuers") },
+                TrustedPeerCertificates = new CertificateTrustList { StoreType = CertificateStoreType.Directory, StorePath = Path.Combine(_pkiRoot, "client-trusted") },
+                RejectedCertificateStore = new CertificateTrustList { StoreType = CertificateStoreType.Directory, StorePath = Path.Combine(_pkiRoot, "client-rejected") },
+                AutoAcceptUntrustedCertificates = true,
+                AddAppCertToTrustedStore = true,
+            },
+            TransportConfigurations = new TransportConfigurationCollection(),
+            TransportQuotas = new TransportQuotas { OperationTimeout = 15000 },
+            ClientConfiguration = new ClientConfiguration { DefaultSessionTimeout = 60000 },
+        };
+        await cfg.Validate(ApplicationType.Client);
+        cfg.CertificateValidator.CertificateValidation += (_, e) => e.Accept = true;
+
+        var instance = new ApplicationInstance { ApplicationConfiguration = cfg, ApplicationType = ApplicationType.Client };
+        await instance.CheckApplicationInstanceCertificate(true, CertificateFactory.DefaultKeySize);
+
+        var selected = CoreClientUtils.SelectEndpoint(cfg, _endpoint, useSecurity: false);
+        var endpointConfig = EndpointConfiguration.Create(cfg);
+        var configuredEndpoint = new ConfiguredEndpoint(null, selected, endpointConfig);
+
+        return await Session.Create(cfg, configuredEndpoint, false, "OtOpcUaMultiDriverTestClientSession", 60000,
+            new UserIdentity(new AnonymousIdentityToken()), null);
+    }
+
+    /// <summary>
+    ///     Driver stub that returns a caller-specified folder + variable + read value so two
+    ///     instances in the same server can be told apart at the assertion layer.
+    /// </summary>
+    private sealed class StubDriver(string driverInstanceId, string folderName, int readValue)
+        : IDriver, ITagDiscovery, IReadable
+    {
+        public string DriverInstanceId => driverInstanceId;
+        public string DriverType => "Stub";
+
+        public Task InitializeAsync(string driverConfigJson, CancellationToken ct) => Task.CompletedTask;
+        public Task ReinitializeAsync(string driverConfigJson, CancellationToken ct) => Task.CompletedTask;
+        public Task ShutdownAsync(CancellationToken ct) => Task.CompletedTask;
+        public DriverHealth GetHealth() => new(DriverState.Healthy, DateTime.UtcNow, null);
+        public long GetMemoryFootprint() => 0;
+        public Task FlushOptionalCachesAsync(CancellationToken ct) => Task.CompletedTask;
+
+        public Task DiscoverAsync(IAddressSpaceBuilder builder, CancellationToken ct)
+        {
+            var folder = builder.Folder(folderName, folderName);
+            folder.Variable("Var1", "Var1", new DriverAttributeInfo(
+                $"{folderName}.Var1", DriverDataType.Int32, false, null, SecurityClassification.FreeAccess, false, IsAlarm: false));
+            return Task.CompletedTask;
+        }
+
+        public Task<IReadOnlyList<DataValueSnapshot>> ReadAsync(
+            IReadOnlyList<string> fullReferences, CancellationToken cancellationToken)
+        {
+            var now = DateTime.UtcNow;
+            IReadOnlyList<DataValueSnapshot> result =
+                fullReferences.Select(_ => new DataValueSnapshot(readValue, 0u, now, now)).ToArray();
+            return Task.FromResult(result);
+        }
+    }
+}