Phase 3 PR 72 -- Multi-endpoint failover for OPC UA Client driver. Adds OpcUaClientDriverOptions.EndpointUrls ordered list + PerEndpointConnectTimeout knob. On InitializeAsync the driver walks the candidate list in order via ResolveEndpointCandidates and returns the session from the first endpoint that successfully connects. Captures per-URL failure reasons in a List<string> and, if every candidate fails, throws AggregateException whose message names every URL + its failure class (e.g. 'opc.tcp://primary:4840 -> TimeoutException: ...'). That's critical diag for field debugging -- without it 'failover picked the wrong one' surfaces as a mystery. Single-URL backwards compat: EndpointUrl field retained as a one-URL shortcut. When EndpointUrls is null or empty the driver falls through to a single-candidate list of [EndpointUrl], so every existing single-endpoint config keeps working without migration. When both are provided, EndpointUrls wins + EndpointUrl is ignored -- documented on the field xml-doc. Per-endpoint connect budget: PerEndpointConnectTimeout (default 3s) caps each attempt so a sweep over several dead servers can't blow the overall init budget. Applied via CancellationTokenSource.CreateLinkedTokenSource + CancelAfter inside OpenSessionOnEndpointAsync (the extracted single-endpoint connect helper) so the cap is independent of the outer Options.Timeout which governs steady-state ops. BuildUserIdentity extracted out of InitializeAsync so the failover loop builds the UserIdentity ONCE and reuses it across every endpoint attempt -- generating it N times would re-unlock the user cert's private key N times, wasteful + keeps the password in memory longer. HostName now reflects the endpoint that actually connected via _connectedEndpointUrl instead of always returning opts.EndpointUrl -- so the Admin /hosts dashboard shows which of the configured endpoints is currently serving traffic (primary vs backup). Falls back to the first candidate pre-connect so the dashboard has a sensible identity before the first connect, and resets to null on ShutdownAsync. Use case: an OPC UA hot-standby server pair (primary 4840 + backup 4841) where either can serve the same address space. Operator configures EndpointUrls=[primary, backup]; driver tries primary first, falls over to backup on primary failure with a clean AggregateException describing both attempts if both are down. Unit tests (OpcUaClientFailoverTests, 5 facts): ResolveEndpointCandidates_prefers_EndpointUrls_when_provided (list trumps single), ResolveEndpointCandidates_falls_back_to_single_EndpointUrl_when_list_empty (legacy config compat), ResolveEndpointCandidates_empty_list_treated_as_fallback (explicit empty list also falls back -- otherwise we'd produce a zero-candidate sweep that throws with nothing tried), HostName_uses_first_candidate_before_connect (dashboard rendering pre-connect), Initialize_against_all_unreachable_endpoints_throws_AggregateException_listing_each (three loopback dead ports, asserts each URL appears in the aggregate message + driver flips to Faulted). 31/31 OpcUaClient.Tests pass. dotnet build clean. OPC UA Client driver security/auth/availability feature set now complete per driver-specs.md \u00A78: policy-filtered endpoint selection (PR 70), Anonymous+Username+Certificate auth (PR 71), multi-endpoint failover (this PR).

src/ZB.MOM.WW.OtOpcUa.Driver.OpcUaClient/OpcUaClientDriver.cs

@@ -59,6 +59,8 @@ public sealed class OpcUaClientDriver(OpcUaClientDriverOptions options, string d
 
     private DriverHealth _health = new(DriverState.Unknown, null, null);
     private bool _disposed;
+    /// <summary>URL of the endpoint the driver actually connected to. Exposed via <see cref="HostName"/>.</summary>
+    private string? _connectedEndpointUrl;
 
     public string DriverInstanceId => driverInstanceId;
     public string DriverType => "OpcUaClient";
@@ -69,58 +71,38 @@ public sealed class OpcUaClientDriver(OpcUaClientDriverOptions options, string d
         try
         {
             var appConfig = await BuildApplicationConfigurationAsync(cancellationToken).ConfigureAwait(false);
+            var candidates = ResolveEndpointCandidates(_options);
 
-            // Endpoint selection: let the stack pick the best matching endpoint for the
-            // requested security policy/mode so the driver doesn't have to hand-validate.
-            // UseSecurity=false when SecurityMode=None shortcuts around cert validation
-            // entirely and is the typical dev-bench configuration.
-            var useSecurity = _options.SecurityMode != OpcUaSecurityMode.None;
-            // The non-obsolete SelectEndpointAsync overloads all require an ITelemetryContext
-            // parameter. Passing null is valid — the SDK falls through to its built-in default
-            // trace sink. Plumbing a telemetry context through every driver surface is out of
-            // scope; the driver emits its own logs via the health surface anyway.
-            var selected = await CoreClientUtils.SelectEndpointAsync(
-                appConfig, _options.EndpointUrl, useSecurity,
-                telemetry: null!,
-                ct: cancellationToken).ConfigureAwait(false);
-            var endpointConfig = EndpointConfiguration.Create(appConfig);
-            endpointConfig.OperationTimeout = (int)_options.Timeout.TotalMilliseconds;
-            var endpoint = new ConfiguredEndpoint(null, selected, endpointConfig);
+            var identity = BuildUserIdentity(_options);
 
-            var identity = _options.AuthType switch
+            // Failover sweep: try each endpoint in order, return the session from the first
+            // one that successfully connects. Per-endpoint failures are captured so the final
+            // aggregate exception names every URL that was tried and why — critical diag for
+            // operators debugging 'why did the failover pick #3?'.
+            var attemptErrors = new List<string>(candidates.Count);
+            ISession? session = null;
+            string? connectedUrl = null;
+            foreach (var url in candidates)
             {
-                OpcUaAuthType.Anonymous => new UserIdentity(new AnonymousIdentityToken()),
-                // The UserIdentity(string, string) overload was removed in favour of
-                // (string, byte[]) to make the password encoding explicit. UTF-8 is the
-                // overwhelmingly common choice for Basic256Sha256-secured sessions.
-                OpcUaAuthType.Username => new UserIdentity(
-                    _options.Username ?? string.Empty,
-                    System.Text.Encoding.UTF8.GetBytes(_options.Password ?? string.Empty)),
-                OpcUaAuthType.Certificate => throw new NotSupportedException(
-                    "Certificate authentication lands in a follow-up PR; for now use Anonymous or Username"),
-                _ => new UserIdentity(new AnonymousIdentityToken()),
-            };
+                try
+                {
+                    session = await OpenSessionOnEndpointAsync(
+                        appConfig, url, _options.SecurityPolicy, _options.SecurityMode,
+                        identity, cancellationToken).ConfigureAwait(false);
+                    connectedUrl = url;
+                    break;
+                }
+                catch (Exception ex)
+                {
+                    attemptErrors.Add($"{url} -> {ex.GetType().Name}: {ex.Message}");
+                }
+            }
 
-            // All Session.Create* static methods are marked [Obsolete] in SDK 1.5.378; the
-            // non-obsolete path is DefaultSessionFactory.Instance.CreateAsync (which is the
-            // 8-arg signature matching our driver config — ApplicationConfiguration +
-            // ConfiguredEndpoint, no transport-waiting-connection or reverse-connect-manager
-            // required for the standard opc.tcp direct-connect case).
-            // DefaultSessionFactory's parameterless ctor is also obsolete in 1.5.378; the
-            // current constructor requires an ITelemetryContext. Passing null is tolerated —
-            // the factory falls back to its internal default sink, same as the telemetry:null
-            // on SelectEndpointAsync above.
-            var session = await new DefaultSessionFactory(telemetry: null!).CreateAsync(
-                appConfig,
-                endpoint,
-                false,                                              // updateBeforeConnect
-                _options.SessionName,
-                (uint)_options.SessionTimeout.TotalMilliseconds,
-                identity,
-                null,                                               // preferredLocales
-                cancellationToken).ConfigureAwait(false);
-
-            session.KeepAliveInterval = (int)_options.KeepAliveInterval.TotalMilliseconds;
+            if (session is null)
+                throw new AggregateException(
+                    "OPC UA Client failed to connect to any of the configured endpoints. " +
+                    "Tried:\n  " + string.Join("\n  ", attemptErrors),
+                    attemptErrors.Select(e => new InvalidOperationException(e)));
 
             // Wire the session's keep-alive channel into HostState. OPC UA keep-alives are
             // authoritative for session liveness: the SDK pings on KeepAliveInterval and sets
@@ -135,6 +117,7 @@ public sealed class OpcUaClientDriver(OpcUaClientDriverOptions options, string d
             session.KeepAlive += _keepAliveHandler;
 
             Session = session;
+            _connectedEndpointUrl = connectedUrl;
             _health = new DriverHealth(DriverState.Healthy, DateTime.UtcNow, null);
             TransitionTo(HostState.Running);
         }
@@ -231,6 +214,165 @@ public sealed class OpcUaClientDriver(OpcUaClientDriverOptions options, string d
         return config;
     }
 
+    /// <summary>
+    ///     Resolve the ordered failover candidate list. <c>EndpointUrls</c> wins when
+    ///     non-empty; otherwise fall back to <c>EndpointUrl</c> as a single-URL shortcut so
+    ///     existing single-endpoint configs keep working without migration.
+    /// </summary>
+    internal static IReadOnlyList<string> ResolveEndpointCandidates(OpcUaClientDriverOptions opts)
+    {
+        if (opts.EndpointUrls is { Count: > 0 }) return opts.EndpointUrls;
+        return [opts.EndpointUrl];
+    }
+
+    /// <summary>
+    ///     Build the user-identity token from the driver options. Split out of
+    ///     <see cref="InitializeAsync"/> so the failover sweep reuses one identity across
+    ///     every endpoint attempt — generating it N times would re-unlock the user cert's
+    ///     private key N times, wasteful + keeps the password in memory longer.
+    /// </summary>
+    internal static UserIdentity BuildUserIdentity(OpcUaClientDriverOptions options) =>
+        options.AuthType switch
+        {
+            OpcUaAuthType.Anonymous => new UserIdentity(new AnonymousIdentityToken()),
+            OpcUaAuthType.Username => new UserIdentity(
+                options.Username ?? string.Empty,
+                System.Text.Encoding.UTF8.GetBytes(options.Password ?? string.Empty)),
+            OpcUaAuthType.Certificate => BuildCertificateIdentity(options),
+            _ => new UserIdentity(new AnonymousIdentityToken()),
+        };
+
+    /// <summary>
+    ///     Open a session against a single endpoint URL. Bounded by
+    ///     <see cref="OpcUaClientDriverOptions.PerEndpointConnectTimeout"/> so the failover
+    ///     sweep doesn't spend its full budget on one dead server. Moved out of
+    ///     <see cref="InitializeAsync"/> so the failover loop body stays readable.
+    /// </summary>
+    private async Task<ISession> OpenSessionOnEndpointAsync(
+        ApplicationConfiguration appConfig,
+        string endpointUrl,
+        OpcUaSecurityPolicy policy,
+        OpcUaSecurityMode mode,
+        UserIdentity identity,
+        CancellationToken ct)
+    {
+        using var cts = CancellationTokenSource.CreateLinkedTokenSource(ct);
+        cts.CancelAfter(_options.PerEndpointConnectTimeout);
+
+        var selected = await SelectMatchingEndpointAsync(
+            appConfig, endpointUrl, policy, mode, cts.Token).ConfigureAwait(false);
+        var endpointConfig = EndpointConfiguration.Create(appConfig);
+        endpointConfig.OperationTimeout = (int)_options.Timeout.TotalMilliseconds;
+        var endpoint = new ConfiguredEndpoint(null, selected, endpointConfig);
+
+        var session = await new DefaultSessionFactory(telemetry: null!).CreateAsync(
+            appConfig,
+            endpoint,
+            false,                                              // updateBeforeConnect
+            _options.SessionName,
+            (uint)_options.SessionTimeout.TotalMilliseconds,
+            identity,
+            null,                                               // preferredLocales
+            cts.Token).ConfigureAwait(false);
+
+        session.KeepAliveInterval = (int)_options.KeepAliveInterval.TotalMilliseconds;
+        return session;
+    }
+
+    /// <summary>
+    ///     Select the remote endpoint matching both the requested <paramref name="policy"/>
+    ///     and <paramref name="mode"/>. The SDK's <c>CoreClientUtils.SelectEndpointAsync</c>
+    ///     only honours a boolean "use security" flag; we need policy-aware matching so an
+    ///     operator asking for <c>Basic256Sha256</c> against a server that also offers
+    ///     <c>Basic128Rsa15</c> doesn't silently end up on the weaker cipher.
+    /// </summary>
+    private static async Task<EndpointDescription> SelectMatchingEndpointAsync(
+        ApplicationConfiguration appConfig,
+        string endpointUrl,
+        OpcUaSecurityPolicy policy,
+        OpcUaSecurityMode mode,
+        CancellationToken ct)
+    {
+        // GetEndpoints returns everything the server advertises; policy + mode filter is
+        // applied client-side so the selection is explicit and fails loudly if the operator
+        // asks for a combination the server doesn't publish. DiscoveryClient.CreateAsync
+        // is the non-obsolete path in SDK 1.5.378; the synchronous Create(..) variants are
+        // all deprecated.
+        using var client = await DiscoveryClient.CreateAsync(
+            appConfig, new Uri(endpointUrl), Opc.Ua.DiagnosticsMasks.None, ct).ConfigureAwait(false);
+        var all = await client.GetEndpointsAsync(null, ct).ConfigureAwait(false);
+
+        var wantedPolicyUri = MapSecurityPolicy(policy);
+        var wantedMode = mode switch
+        {
+            OpcUaSecurityMode.None => MessageSecurityMode.None,
+            OpcUaSecurityMode.Sign => MessageSecurityMode.Sign,
+            OpcUaSecurityMode.SignAndEncrypt => MessageSecurityMode.SignAndEncrypt,
+            _ => throw new ArgumentOutOfRangeException(nameof(mode)),
+        };
+
+        var match = all.FirstOrDefault(e =>
+            e.SecurityPolicyUri == wantedPolicyUri && e.SecurityMode == wantedMode);
+
+        if (match is null)
+        {
+            var advertised = string.Join(", ", all
+                .Select(e => $"{ShortPolicyName(e.SecurityPolicyUri)}/{e.SecurityMode}"));
+            throw new InvalidOperationException(
+                $"No endpoint at '{endpointUrl}' matches SecurityPolicy={policy} + SecurityMode={mode}. " +
+                $"Server advertises: {advertised}");
+        }
+        return match;
+    }
+
+    /// <summary>
+    ///     Build a <see cref="UserIdentity"/> carrying a client user-authentication
+    ///     certificate loaded from <see cref="OpcUaClientDriverOptions.UserCertificatePath"/>.
+    ///     Used when the remote server's endpoint advertises Certificate-type user tokens.
+    ///     Fails fast if the path is missing, the file doesn't exist, or the certificate
+    ///     lacks a private key (the private key is required to sign the user-token
+    ///     challenge during session activation).
+    /// </summary>
+    internal static UserIdentity BuildCertificateIdentity(OpcUaClientDriverOptions options)
+    {
+        if (string.IsNullOrWhiteSpace(options.UserCertificatePath))
+            throw new InvalidOperationException(
+                "OpcUaAuthType.Certificate requires OpcUaClientDriverOptions.UserCertificatePath to be set.");
+        if (!System.IO.File.Exists(options.UserCertificatePath))
+            throw new System.IO.FileNotFoundException(
+                $"User certificate not found at '{options.UserCertificatePath}'.",
+                options.UserCertificatePath);
+
+        // X509CertificateLoader (new in .NET 9) is the only non-obsolete way to load a PFX
+        // since the legacy X509Certificate2 ctors are marked obsolete on net10. Passes the
+        // password through verbatim; PEM files with external keys fall back to
+        // LoadCertificateFromFile which picks up the adjacent .key if present.
+        var cert = System.Security.Cryptography.X509Certificates.X509CertificateLoader
+            .LoadPkcs12FromFile(options.UserCertificatePath, options.UserCertificatePassword);
+
+        if (!cert.HasPrivateKey)
+            throw new InvalidOperationException(
+                $"User certificate at '{options.UserCertificatePath}' has no private key — " +
+                "the private key is required to sign the OPC UA user-token challenge at session activation.");
+
+        return new UserIdentity(cert);
+    }
+
+    /// <summary>Convert a driver <see cref="OpcUaSecurityPolicy"/> to the OPC UA policy URI.</summary>
+    internal static string MapSecurityPolicy(OpcUaSecurityPolicy policy) => policy switch
+    {
+        OpcUaSecurityPolicy.None => SecurityPolicies.None,
+        OpcUaSecurityPolicy.Basic128Rsa15 => SecurityPolicies.Basic128Rsa15,
+        OpcUaSecurityPolicy.Basic256 => SecurityPolicies.Basic256,
+        OpcUaSecurityPolicy.Basic256Sha256 => SecurityPolicies.Basic256Sha256,
+        OpcUaSecurityPolicy.Aes128_Sha256_RsaOaep => SecurityPolicies.Aes128_Sha256_RsaOaep,
+        OpcUaSecurityPolicy.Aes256_Sha256_RsaPss => SecurityPolicies.Aes256_Sha256_RsaPss,
+        _ => throw new ArgumentOutOfRangeException(nameof(policy), policy, null),
+    };
+
+    private static string ShortPolicyName(string policyUri) =>
+        policyUri?.Substring(policyUri.LastIndexOf('#') + 1) ?? "(null)";
+
     public async Task ReinitializeAsync(string driverConfigJson, CancellationToken cancellationToken)
     {
         await ShutdownAsync(cancellationToken).ConfigureAwait(false);
@@ -260,6 +402,7 @@ public sealed class OpcUaClientDriver(OpcUaClientDriverOptions options, string d
         catch { /* best-effort */ }
         try { Session?.Dispose(); } catch { }
         Session = null;
+        _connectedEndpointUrl = null;
 
         TransitionTo(HostState.Unknown);
         _health = new DriverHealth(DriverState.Unknown, _health.LastSuccessfulRead, null);
@@ -631,8 +774,16 @@ public sealed class OpcUaClientDriver(OpcUaClientDriverOptions options, string d
 
     // ---- IHostConnectivityProbe ----
 
-    /// <summary>Endpoint-URL-keyed host identity for the Admin /hosts dashboard.</summary>
-    public string HostName => _options.EndpointUrl;
+    /// <summary>
+    ///     Endpoint-URL-keyed host identity for the Admin /hosts dashboard. Reflects the
+    ///     endpoint the driver actually connected to after the failover sweep — not the
+    ///     first URL in the candidate list — so operators see which of the configured
+    ///     endpoints is currently serving traffic. Falls back to the first configured URL
+    ///     pre-init so the dashboard has something to render before the first connect.
+    /// </summary>
+    public string HostName => _connectedEndpointUrl
+        ?? ResolveEndpointCandidates(_options).FirstOrDefault()
+        ?? _options.EndpointUrl;
 
     public IReadOnlyList<HostConnectivityStatus> GetHostStatuses()
     {

src/ZB.MOM.WW.OtOpcUa.Driver.OpcUaClient/OpcUaClientDriverOptions.cs

@@ -13,11 +13,42 @@ namespace ZB.MOM.WW.OtOpcUa.Driver.OpcUaClient;
 /// </remarks>
 public sealed class OpcUaClientDriverOptions
 {
-    /// <summary>Remote OPC UA endpoint URL, e.g. <c>opc.tcp://plc.internal:4840</c>.</summary>
+    /// <summary>
+    ///     Remote OPC UA endpoint URL, e.g. <c>opc.tcp://plc.internal:4840</c>. Convenience
+    ///     shortcut for a single-endpoint deployment — equivalent to setting
+    ///     <see cref="EndpointUrls"/> to a list with this one URL. When both are provided,
+    ///     the list wins and <see cref="EndpointUrl"/> is ignored.
+    /// </summary>
     public string EndpointUrl { get; init; } = "opc.tcp://localhost:4840";
 
-    /// <summary>Security policy. One of <c>None</c>, <c>Basic256Sha256</c>, <c>Aes128_Sha256_RsaOaep</c>.</summary>
-    public string SecurityPolicy { get; init; } = "None";
+    /// <summary>
+    ///     Ordered list of candidate endpoint URLs for failover. The driver tries each in
+    ///     order at <see cref="OpcUaClientDriver.InitializeAsync"/> and on session drop;
+    ///     the first URL that successfully connects wins. Typical use-case: an OPC UA server
+    ///     pair running in hot-standby (primary 4840 + backup 4841) where either can serve
+    ///     the same address space. Leave unset (or empty) to use <see cref="EndpointUrl"/>
+    ///     as a single-URL shortcut.
+    /// </summary>
+    public IReadOnlyList<string> EndpointUrls { get; init; } = [];
+
+    /// <summary>
+    ///     Per-endpoint connect-attempt timeout during the failover sweep. Short enough that
+    ///     cycling through several dead servers doesn't blow the overall init budget, long
+    ///     enough to tolerate a slow TLS handshake on a healthy server. Applied independently
+    ///     of <see cref="Timeout"/> which governs steady-state operations.
+    /// </summary>
+    public TimeSpan PerEndpointConnectTimeout { get; init; } = TimeSpan.FromSeconds(3);
+
+    /// <summary>
+    ///     Security policy to require when selecting an endpoint. Either a
+    ///     <see cref="OpcUaSecurityPolicy"/> enum constant or a free-form string (for
+    ///     forward-compatibility with future OPC UA policies not yet in the enum).
+    ///     Matched against <c>EndpointDescription.SecurityPolicyUri</c> suffix — the driver
+    ///     connects to the first endpoint whose policy name matches AND whose mode matches
+    ///     <see cref="SecurityMode"/>. When set to <see cref="OpcUaSecurityPolicy.None"/>
+    ///     the driver picks any unsecured endpoint regardless of policy string.
+    /// </summary>
+    public OpcUaSecurityPolicy SecurityPolicy { get; init; } = OpcUaSecurityPolicy.None;
 
     /// <summary>Security mode.</summary>
     public OpcUaSecurityMode SecurityMode { get; init; } = OpcUaSecurityMode.None;
@@ -31,6 +62,23 @@ public sealed class OpcUaClientDriverOptions
     /// <summary>Password (required only for <see cref="OpcUaAuthType.Username"/>).</summary>
     public string? Password { get; init; }
 
+    /// <summary>
+    ///     Filesystem path to the user-identity certificate (PFX/PEM). Required when
+    ///     <see cref="AuthType"/> is <see cref="OpcUaAuthType.Certificate"/>. The driver
+    ///     loads the cert + private key, which the remote server validates against its
+    ///     <c>TrustedUserCertificates</c> store to authenticate the session's user token.
+    ///     Leave unset to use the driver's application-instance certificate as the user
+    ///     token (not typical — most deployments have a separate user cert).
+    /// </summary>
+    public string? UserCertificatePath { get; init; }
+
+    /// <summary>
+    ///     Optional password that unlocks <see cref="UserCertificatePath"/> when the PFX is
+    ///     protected. PEM files generally have their password on the adjacent key file; this
+    ///     knob only applies to password-locked PFX.
+    /// </summary>
+    public string? UserCertificatePassword { get; init; }
+
     /// <summary>Server-negotiated session timeout. Default 120s per driver-specs.md §8.</summary>
     public TimeSpan SessionTimeout { get; init; } = TimeSpan.FromSeconds(120);
 
@@ -96,6 +144,33 @@ public enum OpcUaSecurityMode
     SignAndEncrypt,
 }
 
+/// <summary>
+///     OPC UA security policies recognized by the driver. Maps to the standard
+///     <c>http://opcfoundation.org/UA/SecurityPolicy#</c> URI suffixes the SDK uses for
+///     endpoint matching.
+/// </summary>
+/// <remarks>
+///     <see cref="Basic128Rsa15"/> and <see cref="Basic256"/> are <b>deprecated</b> per OPC UA
+///     spec v1.04 — they remain in the enum only for brownfield interop with older servers.
+///     Prefer <see cref="Basic256Sha256"/>, <see cref="Aes128_Sha256_RsaOaep"/>, or
+///     <see cref="Aes256_Sha256_RsaPss"/> for new deployments.
+/// </remarks>
+public enum OpcUaSecurityPolicy
+{
+    /// <summary>No security. Unsigned, unencrypted wire.</summary>
+    None,
+    /// <summary>Deprecated (OPC UA 1.04). Retained for legacy server interop.</summary>
+    Basic128Rsa15,
+    /// <summary>Deprecated (OPC UA 1.04). Retained for legacy server interop.</summary>
+    Basic256,
+    /// <summary>Recommended baseline for current deployments.</summary>
+    Basic256Sha256,
+    /// <summary>Current OPC UA policy; AES-128 + SHA-256 + RSA-OAEP.</summary>
+    Aes128_Sha256_RsaOaep,
+    /// <summary>Current OPC UA policy; AES-256 + SHA-256 + RSA-PSS.</summary>
+    Aes256_Sha256_RsaPss,
+}
+
 /// <summary>User authentication type sent to the remote server.</summary>
 public enum OpcUaAuthType
 {

tests/ZB.MOM.WW.OtOpcUa.Driver.OpcUaClient.Tests/OpcUaClientCertAuthTests.cs

@@ -0,0 +1,59 @@
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
+using Shouldly;
+using Xunit;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.OpcUaClient.Tests;
+
+[Trait("Category", "Unit")]
+public sealed class OpcUaClientCertAuthTests
+{
+    [Fact]
+    public void BuildCertificateIdentity_rejects_missing_path()
+    {
+        var opts = new OpcUaClientDriverOptions { AuthType = OpcUaAuthType.Certificate };
+        Should.Throw<InvalidOperationException>(() => OpcUaClientDriver.BuildCertificateIdentity(opts))
+            .Message.ShouldContain("UserCertificatePath");
+    }
+
+    [Fact]
+    public void BuildCertificateIdentity_rejects_nonexistent_file()
+    {
+        var opts = new OpcUaClientDriverOptions
+        {
+            AuthType = OpcUaAuthType.Certificate,
+            UserCertificatePath = Path.Combine(Path.GetTempPath(), $"does-not-exist-{Guid.NewGuid():N}.pfx"),
+        };
+        Should.Throw<FileNotFoundException>(() => OpcUaClientDriver.BuildCertificateIdentity(opts));
+    }
+
+    [Fact]
+    public void BuildCertificateIdentity_loads_a_valid_PFX_with_private_key()
+    {
+        // Generate a self-signed cert on the fly so the test doesn't ship a static PFX.
+        // The driver doesn't care about the issuer — just needs a cert with a private key.
+        using var rsa = RSA.Create(2048);
+        var req = new CertificateRequest("CN=OpcUaClientCertAuthTests", rsa,
+            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
+        var cert = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddHours(1));
+
+        var tmpPath = Path.Combine(Path.GetTempPath(), $"opcua-cert-test-{Guid.NewGuid():N}.pfx");
+        File.WriteAllBytes(tmpPath, cert.Export(X509ContentType.Pfx, "testpw"));
+        try
+        {
+            var opts = new OpcUaClientDriverOptions
+            {
+                AuthType = OpcUaAuthType.Certificate,
+                UserCertificatePath = tmpPath,
+                UserCertificatePassword = "testpw",
+            };
+            var identity = OpcUaClientDriver.BuildCertificateIdentity(opts);
+            identity.ShouldNotBeNull();
+            identity.TokenType.ShouldBe(Opc.Ua.UserTokenType.Certificate);
+        }
+        finally
+        {
+            try { File.Delete(tmpPath); } catch { /* best-effort */ }
+        }
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Driver.OpcUaClient.Tests/OpcUaClientDriverScaffoldTests.cs

@@ -18,6 +18,7 @@ public sealed class OpcUaClientDriverScaffoldTests
         var opts = new OpcUaClientDriverOptions();
         opts.EndpointUrl.ShouldBe("opc.tcp://localhost:4840", "4840 is the IANA-assigned OPC UA port");
         opts.SecurityMode.ShouldBe(OpcUaSecurityMode.None);
+        opts.SecurityPolicy.ShouldBe(OpcUaSecurityPolicy.None);
         opts.AuthType.ShouldBe(OpcUaAuthType.Anonymous);
         opts.AutoAcceptCertificates.ShouldBeFalse("production default must reject untrusted server certs");
     }

tests/ZB.MOM.WW.OtOpcUa.Driver.OpcUaClient.Tests/OpcUaClientFailoverTests.cs

@@ -0,0 +1,81 @@
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.OpcUaClient.Tests;
+
+[Trait("Category", "Unit")]
+public sealed class OpcUaClientFailoverTests
+{
+    [Fact]
+    public void ResolveEndpointCandidates_prefers_EndpointUrls_when_provided()
+    {
+        var opts = new OpcUaClientDriverOptions
+        {
+            EndpointUrl = "opc.tcp://fallback:4840",
+            EndpointUrls = ["opc.tcp://primary:4840", "opc.tcp://backup:4841"],
+        };
+        var list = OpcUaClientDriver.ResolveEndpointCandidates(opts);
+        list.Count.ShouldBe(2);
+        list[0].ShouldBe("opc.tcp://primary:4840");
+        list[1].ShouldBe("opc.tcp://backup:4841");
+    }
+
+    [Fact]
+    public void ResolveEndpointCandidates_falls_back_to_single_EndpointUrl_when_list_empty()
+    {
+        var opts = new OpcUaClientDriverOptions { EndpointUrl = "opc.tcp://only:4840" };
+        var list = OpcUaClientDriver.ResolveEndpointCandidates(opts);
+        list.Count.ShouldBe(1);
+        list[0].ShouldBe("opc.tcp://only:4840");
+    }
+
+    [Fact]
+    public void ResolveEndpointCandidates_empty_list_treated_as_fallback_to_EndpointUrl()
+    {
+        // Explicit empty list should still fall back to the single-URL shortcut rather than
+        // producing a zero-candidate sweep that would immediately throw with no URLs tried.
+        var opts = new OpcUaClientDriverOptions
+        {
+            EndpointUrl = "opc.tcp://single:4840",
+            EndpointUrls = [],
+        };
+        OpcUaClientDriver.ResolveEndpointCandidates(opts).Count.ShouldBe(1);
+    }
+
+    [Fact]
+    public void HostName_uses_first_candidate_before_connect()
+    {
+        var opts = new OpcUaClientDriverOptions
+        {
+            EndpointUrls = ["opc.tcp://primary:4840", "opc.tcp://backup:4841"],
+        };
+        using var drv = new OpcUaClientDriver(opts, "opcua-host");
+        drv.HostName.ShouldBe("opc.tcp://primary:4840",
+            "pre-connect the dashboard should show the first candidate URL so operators can link back");
+    }
+
+    [Fact]
+    public async Task Initialize_against_all_unreachable_endpoints_throws_AggregateException_listing_each()
+    {
+        // Port 1 + port 2 + port 3 on loopback are all guaranteed closed (TCP RST immediate).
+        // Failover sweep should attempt all three and throw AggregateException naming each URL
+        // so operators see exactly which candidates were tried.
+        var opts = new OpcUaClientDriverOptions
+        {
+            EndpointUrls = ["opc.tcp://127.0.0.1:1", "opc.tcp://127.0.0.1:2", "opc.tcp://127.0.0.1:3"],
+            PerEndpointConnectTimeout = TimeSpan.FromMilliseconds(500),
+            Timeout = TimeSpan.FromMilliseconds(500),
+            AutoAcceptCertificates = true,
+        };
+        using var drv = new OpcUaClientDriver(opts, "opcua-failover");
+
+        var ex = await Should.ThrowAsync<AggregateException>(async () =>
+            await drv.InitializeAsync("{}", TestContext.Current.CancellationToken));
+
+        ex.Message.ShouldContain("127.0.0.1:1");
+        ex.Message.ShouldContain("127.0.0.1:2");
+        ex.Message.ShouldContain("127.0.0.1:3");
+        drv.GetHealth().State.ShouldBe(DriverState.Faulted);
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Driver.OpcUaClient.Tests/OpcUaClientSecurityPolicyTests.cs

@@ -0,0 +1,54 @@
+using Opc.Ua;
+using Shouldly;
+using Xunit;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.OpcUaClient.Tests;
+
+[Trait("Category", "Unit")]
+public sealed class OpcUaClientSecurityPolicyTests
+{
+    [Theory]
+    [InlineData(OpcUaSecurityPolicy.None)]
+    [InlineData(OpcUaSecurityPolicy.Basic128Rsa15)]
+    [InlineData(OpcUaSecurityPolicy.Basic256)]
+    [InlineData(OpcUaSecurityPolicy.Basic256Sha256)]
+    [InlineData(OpcUaSecurityPolicy.Aes128_Sha256_RsaOaep)]
+    [InlineData(OpcUaSecurityPolicy.Aes256_Sha256_RsaPss)]
+    public void MapSecurityPolicy_returns_known_non_empty_uri_for_every_enum_value(OpcUaSecurityPolicy policy)
+    {
+        var uri = OpcUaClientDriver.MapSecurityPolicy(policy);
+        uri.ShouldNotBeNullOrEmpty();
+        // Each URI should end in the enum name (for the non-None policies) so a driver
+        // operator reading logs can correlate the URI back to the config value.
+        if (policy != OpcUaSecurityPolicy.None)
+            uri.ShouldContain(policy.ToString());
+    }
+
+    [Fact]
+    public void MapSecurityPolicy_None_matches_SDK_None_URI()
+    {
+        OpcUaClientDriver.MapSecurityPolicy(OpcUaSecurityPolicy.None)
+            .ShouldBe(SecurityPolicies.None);
+    }
+
+    [Fact]
+    public void MapSecurityPolicy_Basic256Sha256_matches_SDK_URI()
+    {
+        OpcUaClientDriver.MapSecurityPolicy(OpcUaSecurityPolicy.Basic256Sha256)
+            .ShouldBe(SecurityPolicies.Basic256Sha256);
+    }
+
+    [Fact]
+    public void MapSecurityPolicy_Aes256_Sha256_RsaPss_matches_SDK_URI()
+    {
+        OpcUaClientDriver.MapSecurityPolicy(OpcUaSecurityPolicy.Aes256_Sha256_RsaPss)
+            .ShouldBe(SecurityPolicies.Aes256_Sha256_RsaPss);
+    }
+
+    [Fact]
+    public void Every_enum_value_has_a_mapping()
+    {
+        foreach (OpcUaSecurityPolicy p in Enum.GetValues<OpcUaSecurityPolicy>())
+            Should.NotThrow(() => OpcUaClientDriver.MapSecurityPolicy(p));
+    }
+}