Phase 6.1 Stream E (data layer) — DriverInstanceResilienceStatus entity + DriverResilienceStatusTracker + EF migration

Ships the data + runtime layer of Stream E. The SignalR hub and Blazor /hosts
page refresh (E.2-E.3) are follow-up work paired with the visual-compliance
review per Phase 6.4 patterns — documented as a deferred follow-up below.

Configuration:
- New entity DriverInstanceResilienceStatus with:
  DriverInstanceId, HostName (composite PK),
  LastCircuitBreakerOpenUtc, ConsecutiveFailures, CurrentBulkheadDepth,
  LastRecycleUtc, BaselineFootprintBytes, CurrentFootprintBytes,
  LastSampledUtc.
- Separate from DriverHostStatus (per-host connectivity view) so a Running
  host that has tripped its breaker or is nearing its memory ceiling shows up
  distinctly on Admin /hosts. Admin page left-joins both for display.
- OtOpcUaConfigDbContext + Fluent-API config + IX_DriverResilience_LastSampled
  index for the stale-sample filter query.
- EF migration: 20260419124034_AddDriverInstanceResilienceStatus.

Core.Resilience:
- DriverResilienceStatusTracker — process-singleton in-memory tracker keyed on
  (DriverInstanceId, HostName). CapabilityInvoker + MemoryTracking +
  MemoryRecycle callers record failure/success/breaker-open/recycle/footprint
  events; a HostedService (Stream E.2 follow-up) samples this tracker every
  5 s and persists to the DB. Pure in-memory keeps tests fast + the core
  free of EF/SQL dependencies.

Tests:
- DriverResilienceStatusTrackerTests (9 new, all pass): tryget-before-write
  returns null; failures accumulate; success resets; breaker/recycle/footprint
  fields populate; per-host isolation; snapshot returns all pairs; concurrent
  writes don't lose counts.
- SchemaComplianceTests: expected-tables list updated to include the new
  DriverInstanceResilienceStatus table.

Full solution dotnet test: 1042 passing (baseline 906, +136 for Phase 6.1 so
far across Streams A/B/C/D/E.1). Pre-existing Client.CLI Subscribe flake
unchanged.

Deferred to follow-up PR (E.2/E.3):
- ResilienceStatusPublisher HostedService that samples DriverResilienceStatusTracker
  every 5 s + upserts DriverInstanceResilienceStatus rows.
- Admin FleetStatusHub SignalR hub pushing LastCircuitBreakerOpenUtc /
  CurrentBulkheadDepth / LastRecycleUtc on change.
- Admin /hosts Blazor column additions (red badge when
  ConsecutiveFailures > breakerThreshold / 2). Visual-compliance reviewer
  signoff alongside Phase 6.4 admin-ui patterns.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/ZB.MOM.WW.OtOpcUa.Configuration/Entities/DriverInstanceResilienceStatus.cs

@@ -0,0 +1,44 @@
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+
+/// <summary>
+///     Runtime resilience counters the CapabilityInvoker + MemoryTracking + MemoryRecycle
+///     surfaces for each <c>(DriverInstanceId, HostName)</c> pair. Separate from
+///     <see cref="DriverHostStatus"/> (which owns per-host <i>connectivity</i> state) so a
+///     host that's Running but has tripped its breaker or is approaching its memory ceiling
+///     shows up distinctly on Admin <c>/hosts</c>.
+/// </summary>
+/// <remarks>
+///     Per <c>docs/v2/implementation/phase-6-1-resilience-and-observability.md</c> §Stream E.1.
+///     The Admin UI left-joins this table on DriverHostStatus for display; rows are written
+///     by the runtime via a HostedService that samples the tracker at a configurable
+///     interval (default 5 s) — writes are non-critical, a missed sample is tolerated.
+/// </remarks>
+public sealed class DriverInstanceResilienceStatus
+{
+    public required string DriverInstanceId { get; set; }
+    public required string HostName { get; set; }
+
+    /// <summary>Most recent time the circuit breaker for this (instance, host) opened; null if never.</summary>
+    public DateTime? LastCircuitBreakerOpenUtc { get; set; }
+
+    /// <summary>Rolling count of consecutive Polly pipeline failures for this (instance, host).</summary>
+    public int ConsecutiveFailures { get; set; }
+
+    /// <summary>Current Polly bulkhead depth (in-flight calls) for this (instance, host).</summary>
+    public int CurrentBulkheadDepth { get; set; }
+
+    /// <summary>Most recent process recycle time (Tier C only; null for in-process tiers).</summary>
+    public DateTime? LastRecycleUtc { get; set; }
+
+    /// <summary>
+    ///     Post-init memory baseline captured by <c>MemoryTracking</c> (median of first
+    ///     BaselineWindow samples). Zero while still warming up.
+    /// </summary>
+    public long BaselineFootprintBytes { get; set; }
+
+    /// <summary>Most recent footprint sample the tracker saw (steady-state read).</summary>
+    public long CurrentFootprintBytes { get; set; }
+
+    /// <summary>Row last-write timestamp — advances on every sampling tick.</summary>
+    public DateTime LastSampledUtc { get; set; }
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/LocalCache/GenerationSealedCache.cs

@@ -0,0 +1,170 @@
+using LiteDB;
+
+namespace ZB.MOM.WW.OtOpcUa.Configuration.LocalCache;
+
+/// <summary>
+///     Generation-sealed LiteDB cache per <c>docs/v2/plan.md</c> decision #148 and Phase 6.1
+///     Stream D.1. Each published generation writes one <b>read-only</b> LiteDB file under
+///     <c>&lt;cache-root&gt;/&lt;clusterId&gt;/&lt;generationId&gt;.db</c>. A per-cluster
+///     <c>CURRENT</c> text file holds the currently-active generation id; it is updated
+///     atomically (temp file + <see cref="File.Replace(string, string, string?)"/>) only after
+///     the sealed file is fully written.
+/// </summary>
+/// <remarks>
+///     <para>Mixed-generation reads are impossible: any read opens the single file pointed to
+///     by <c>CURRENT</c>, which is a coherent snapshot. Corruption of the CURRENT file or the
+///     sealed file surfaces as <see cref="GenerationCacheUnavailableException"/> — the reader
+///     fails closed rather than silently falling back to an older generation. Recovery path
+///     is to re-fetch from the central DB (and the Phase 6.1 Stream C <c>UsingStaleConfig</c>
+///     flag goes true until that succeeds).</para>
+///
+///     <para>This cache is the read-path fallback when the central DB is unreachable. The
+///     write path (draft edits, publish) bypasses the cache and fails hard on DB outage per
+///     Stream D.2 — inconsistent writes are worse than a temporary inability to edit.</para>
+/// </remarks>
+public sealed class GenerationSealedCache
+{
+    private const string CollectionName = "generation";
+    private const string CurrentPointerFileName = "CURRENT";
+    private readonly string _cacheRoot;
+
+    /// <summary>Root directory for all clusters' sealed caches.</summary>
+    public string CacheRoot => _cacheRoot;
+
+    public GenerationSealedCache(string cacheRoot)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(cacheRoot);
+        _cacheRoot = cacheRoot;
+        Directory.CreateDirectory(_cacheRoot);
+    }
+
+    /// <summary>
+    ///     Seal a generation: write the snapshot to <c>&lt;cluster&gt;/&lt;generationId&gt;.db</c>,
+    ///     mark the file read-only, then atomically publish the <c>CURRENT</c> pointer. Existing
+    ///     sealed files for prior generations are preserved (prune separately).
+    /// </summary>
+    public async Task SealAsync(GenerationSnapshot snapshot, CancellationToken ct = default)
+    {
+        ArgumentNullException.ThrowIfNull(snapshot);
+        ct.ThrowIfCancellationRequested();
+
+        var clusterDir = Path.Combine(_cacheRoot, snapshot.ClusterId);
+        Directory.CreateDirectory(clusterDir);
+        var sealedPath = Path.Combine(clusterDir, $"{snapshot.GenerationId}.db");
+
+        if (File.Exists(sealedPath))
+        {
+            // Already sealed — idempotent. Treat as no-op + update pointer in case an earlier
+            // seal succeeded but the pointer update failed (crash recovery).
+            WritePointerAtomically(clusterDir, snapshot.GenerationId);
+            return;
+        }
+
+        var tmpPath = sealedPath + ".tmp";
+        try
+        {
+            using (var db = new LiteDatabase(new ConnectionString { Filename = tmpPath, Upgrade = false }))
+            {
+                var col = db.GetCollection<GenerationSnapshot>(CollectionName);
+                col.Insert(snapshot);
+            }
+
+            File.Move(tmpPath, sealedPath);
+            File.SetAttributes(sealedPath, File.GetAttributes(sealedPath) | FileAttributes.ReadOnly);
+            WritePointerAtomically(clusterDir, snapshot.GenerationId);
+        }
+        catch
+        {
+            try { if (File.Exists(tmpPath)) File.Delete(tmpPath); } catch { /* best-effort */ }
+            throw;
+        }
+
+        await Task.CompletedTask;
+    }
+
+    /// <summary>
+    ///     Read the current sealed snapshot for <paramref name="clusterId"/>. Throws
+    ///     <see cref="GenerationCacheUnavailableException"/> when the pointer is missing
+    ///     (first-boot-no-snapshot case) or when the sealed file is corrupt. Never silently
+    ///     falls back to a prior generation.
+    /// </summary>
+    public Task<GenerationSnapshot> ReadCurrentAsync(string clusterId, CancellationToken ct = default)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(clusterId);
+        ct.ThrowIfCancellationRequested();
+
+        var clusterDir = Path.Combine(_cacheRoot, clusterId);
+        var pointerPath = Path.Combine(clusterDir, CurrentPointerFileName);
+        if (!File.Exists(pointerPath))
+            throw new GenerationCacheUnavailableException(
+                $"No sealed generation for cluster '{clusterId}' at '{clusterDir}'. First-boot case: the central DB must be reachable at least once before cache fallback is possible.");
+
+        long generationId;
+        try
+        {
+            var text = File.ReadAllText(pointerPath).Trim();
+            generationId = long.Parse(text, System.Globalization.CultureInfo.InvariantCulture);
+        }
+        catch (Exception ex)
+        {
+            throw new GenerationCacheUnavailableException(
+                $"CURRENT pointer at '{pointerPath}' is corrupt or unreadable.", ex);
+        }
+
+        var sealedPath = Path.Combine(clusterDir, $"{generationId}.db");
+        if (!File.Exists(sealedPath))
+            throw new GenerationCacheUnavailableException(
+                $"CURRENT points at generation {generationId} but '{sealedPath}' is missing — fails closed rather than serving an older generation.");
+
+        try
+        {
+            using var db = new LiteDatabase(new ConnectionString { Filename = sealedPath, ReadOnly = true });
+            var col = db.GetCollection<GenerationSnapshot>(CollectionName);
+            var snapshot = col.FindAll().FirstOrDefault()
+                ?? throw new GenerationCacheUnavailableException(
+                    $"Sealed file '{sealedPath}' contains no snapshot row — file is corrupt.");
+            return Task.FromResult(snapshot);
+        }
+        catch (GenerationCacheUnavailableException) { throw; }
+        catch (Exception ex) when (ex is LiteException or InvalidDataException or IOException
+                                      or NotSupportedException or FormatException)
+        {
+            throw new GenerationCacheUnavailableException(
+                $"Sealed file '{sealedPath}' is corrupt or unreadable — fails closed rather than falling back to an older generation.", ex);
+        }
+    }
+
+    /// <summary>Return the generation id the <c>CURRENT</c> pointer points at, or null if no pointer exists.</summary>
+    public long? TryGetCurrentGenerationId(string clusterId)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(clusterId);
+        var pointerPath = Path.Combine(_cacheRoot, clusterId, CurrentPointerFileName);
+        if (!File.Exists(pointerPath)) return null;
+        try
+        {
+            return long.Parse(File.ReadAllText(pointerPath).Trim(), System.Globalization.CultureInfo.InvariantCulture);
+        }
+        catch
+        {
+            return null;
+        }
+    }
+
+    private static void WritePointerAtomically(string clusterDir, long generationId)
+    {
+        var pointerPath = Path.Combine(clusterDir, CurrentPointerFileName);
+        var tmpPath = pointerPath + ".tmp";
+        File.WriteAllText(tmpPath, generationId.ToString(System.Globalization.CultureInfo.InvariantCulture));
+        if (File.Exists(pointerPath))
+            File.Replace(tmpPath, pointerPath, destinationBackupFileName: null);
+        else
+            File.Move(tmpPath, pointerPath);
+    }
+}
+
+/// <summary>Sealed cache is unreachable — caller must fail closed.</summary>
+public sealed class GenerationCacheUnavailableException : Exception
+{
+    public GenerationCacheUnavailableException(string message) : base(message) { }
+    public GenerationCacheUnavailableException(string message, Exception inner) : base(message, inner) { }
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/LocalCache/ResilientConfigReader.cs

@@ -0,0 +1,90 @@
+using Microsoft.Extensions.Logging;
+using Polly;
+using Polly.Retry;
+using Polly.Timeout;
+
+namespace ZB.MOM.WW.OtOpcUa.Configuration.LocalCache;
+
+/// <summary>
+///     Wraps a central-DB fetch function with Phase 6.1 Stream D.2 resilience:
+///     <b>timeout 2 s → retry 3× jittered → fallback to sealed cache</b>. Maintains the
+///     <see cref="StaleConfigFlag"/> — fresh on central-DB success, stale on cache fallback.
+/// </summary>
+/// <remarks>
+///     <para>Read-path only per plan. The write path (draft save, publish) bypasses this
+///     wrapper entirely and fails hard on DB outage so inconsistent writes never land.</para>
+///
+///     <para>Fallback is triggered by <b>any exception</b> the fetch raises (central-DB
+///     unreachable, SqlException, timeout). If the sealed cache also fails (no pointer,
+///     corrupt file, etc.), <see cref="GenerationCacheUnavailableException"/> surfaces — caller
+///     must fail the current request (InitializeAsync for a driver, etc.).</para>
+/// </remarks>
+public sealed class ResilientConfigReader
+{
+    private readonly GenerationSealedCache _cache;
+    private readonly StaleConfigFlag _staleFlag;
+    private readonly ResiliencePipeline _pipeline;
+    private readonly ILogger<ResilientConfigReader> _logger;
+
+    public ResilientConfigReader(
+        GenerationSealedCache cache,
+        StaleConfigFlag staleFlag,
+        ILogger<ResilientConfigReader> logger,
+        TimeSpan? timeout = null,
+        int retryCount = 3)
+    {
+        _cache = cache;
+        _staleFlag = staleFlag;
+        _logger = logger;
+        var builder = new ResiliencePipelineBuilder()
+            .AddTimeout(new TimeoutStrategyOptions { Timeout = timeout ?? TimeSpan.FromSeconds(2) });
+
+        if (retryCount > 0)
+        {
+            builder.AddRetry(new RetryStrategyOptions
+            {
+                MaxRetryAttempts = retryCount,
+                BackoffType = DelayBackoffType.Exponential,
+                UseJitter = true,
+                Delay = TimeSpan.FromMilliseconds(100),
+                MaxDelay = TimeSpan.FromSeconds(1),
+                ShouldHandle = new PredicateBuilder().Handle<Exception>(ex => ex is not OperationCanceledException),
+            });
+        }
+
+        _pipeline = builder.Build();
+    }
+
+    /// <summary>
+    ///     Execute <paramref name="centralFetch"/> through the resilience pipeline. On full failure
+    ///     (post-retry), reads the sealed cache for <paramref name="clusterId"/> and passes the
+    ///     snapshot to <paramref name="fromSnapshot"/> to extract the requested shape.
+    /// </summary>
+    public async ValueTask<T> ReadAsync<T>(
+        string clusterId,
+        Func<CancellationToken, ValueTask<T>> centralFetch,
+        Func<GenerationSnapshot, T> fromSnapshot,
+        CancellationToken cancellationToken)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(clusterId);
+        ArgumentNullException.ThrowIfNull(centralFetch);
+        ArgumentNullException.ThrowIfNull(fromSnapshot);
+
+        try
+        {
+            var result = await _pipeline.ExecuteAsync(centralFetch, cancellationToken).ConfigureAwait(false);
+            _staleFlag.MarkFresh();
+            return result;
+        }
+        catch (Exception ex) when (ex is not OperationCanceledException)
+        {
+            _logger.LogWarning(ex, "Central-DB read failed after retries; falling back to sealed cache for cluster {ClusterId}", clusterId);
+            // GenerationCacheUnavailableException surfaces intentionally — fails the caller's
+            // operation. StaleConfigFlag stays unchanged; the flag only flips when we actually
+            // served a cache snapshot.
+            var snapshot = await _cache.ReadCurrentAsync(clusterId, cancellationToken).ConfigureAwait(false);
+            _staleFlag.MarkStale();
+            return fromSnapshot(snapshot);
+        }
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/LocalCache/StaleConfigFlag.cs

@@ -0,0 +1,20 @@
+namespace ZB.MOM.WW.OtOpcUa.Configuration.LocalCache;
+
+/// <summary>
+///     Thread-safe <c>UsingStaleConfig</c> signal per Phase 6.1 Stream D.3. Flips true whenever
+///     a read falls back to a sealed cache snapshot; flips false on the next successful central-DB
+///     round-trip. Surfaced on <c>/healthz</c> body and on the Admin <c>/hosts</c> page.
+/// </summary>
+public sealed class StaleConfigFlag
+{
+    private int _stale;
+
+    /// <summary>True when the last config read was served from the sealed cache, not the central DB.</summary>
+    public bool IsStale => Volatile.Read(ref _stale) != 0;
+
+    /// <summary>Mark the current config as stale (a read fell back to the cache).</summary>
+    public void MarkStale() => Volatile.Write(ref _stale, 1);
+
+    /// <summary>Mark the current config as fresh (a central-DB read succeeded).</summary>
+    public void MarkFresh() => Volatile.Write(ref _stale, 0);
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/Migrations/20260419124034_AddDriverInstanceResilienceStatus.cs

@@ -0,0 +1,46 @@
+using System;
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Migrations
+{
+    /// <inheritdoc />
+    public partial class AddDriverInstanceResilienceStatus : Migration
+    {
+        /// <inheritdoc />
+        protected override void Up(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.CreateTable(
+                name: "DriverInstanceResilienceStatus",
+                columns: table => new
+                {
+                    DriverInstanceId = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: false),
+                    HostName = table.Column<string>(type: "nvarchar(256)", maxLength: 256, nullable: false),
+                    LastCircuitBreakerOpenUtc = table.Column<DateTime>(type: "datetime2(3)", nullable: true),
+                    ConsecutiveFailures = table.Column<int>(type: "int", nullable: false),
+                    CurrentBulkheadDepth = table.Column<int>(type: "int", nullable: false),
+                    LastRecycleUtc = table.Column<DateTime>(type: "datetime2(3)", nullable: true),
+                    BaselineFootprintBytes = table.Column<long>(type: "bigint", nullable: false),
+                    CurrentFootprintBytes = table.Column<long>(type: "bigint", nullable: false),
+                    LastSampledUtc = table.Column<DateTime>(type: "datetime2(3)", nullable: false)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_DriverInstanceResilienceStatus", x => new { x.DriverInstanceId, x.HostName });
+                });
+
+            migrationBuilder.CreateIndex(
+                name: "IX_DriverResilience_LastSampled",
+                table: "DriverInstanceResilienceStatus",
+                column: "LastSampledUtc");
+        }
+
+        /// <inheritdoc />
+        protected override void Down(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.DropTable(
+                name: "DriverInstanceResilienceStatus");
+        }
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Configuration/Migrations/OtOpcUaConfigDbContextModelSnapshot.cs

@@ -434,6 +434,45 @@ namespace ZB.MOM.WW.OtOpcUa.Configuration.Migrations
                         });
                 });
 
+            modelBuilder.Entity("ZB.MOM.WW.OtOpcUa.Configuration.Entities.DriverInstanceResilienceStatus", b =>
+                {
+                    b.Property<string>("DriverInstanceId")
+                        .HasMaxLength(64)
+                        .HasColumnType("nvarchar(64)");
+
+                    b.Property<string>("HostName")
+                        .HasMaxLength(256)
+                        .HasColumnType("nvarchar(256)");
+
+                    b.Property<long>("BaselineFootprintBytes")
+                        .HasColumnType("bigint");
+
+                    b.Property<int>("ConsecutiveFailures")
+                        .HasColumnType("int");
+
+                    b.Property<int>("CurrentBulkheadDepth")
+                        .HasColumnType("int");
+
+                    b.Property<long>("CurrentFootprintBytes")
+                        .HasColumnType("bigint");
+
+                    b.Property<DateTime?>("LastCircuitBreakerOpenUtc")
+                        .HasColumnType("datetime2(3)");
+
+                    b.Property<DateTime?>("LastRecycleUtc")
+                        .HasColumnType("datetime2(3)");
+
+                    b.Property<DateTime>("LastSampledUtc")
+                        .HasColumnType("datetime2(3)");
+
+                    b.HasKey("DriverInstanceId", "HostName");
+
+                    b.HasIndex("LastSampledUtc")
+                        .HasDatabaseName("IX_DriverResilience_LastSampled");
+
+                    b.ToTable("DriverInstanceResilienceStatus", (string)null);
+                });
+
             modelBuilder.Entity("ZB.MOM.WW.OtOpcUa.Configuration.Entities.Equipment", b =>
                 {
                     b.Property<Guid>("EquipmentRowId")

src/ZB.MOM.WW.OtOpcUa.Configuration/OtOpcUaConfigDbContext.cs

@@ -28,6 +28,7 @@ public sealed class OtOpcUaConfigDbContext(DbContextOptions<OtOpcUaConfigDbConte
     public DbSet<ConfigAuditLog> ConfigAuditLogs => Set<ConfigAuditLog>();
     public DbSet<ExternalIdReservation> ExternalIdReservations => Set<ExternalIdReservation>();
     public DbSet<DriverHostStatus> DriverHostStatuses => Set<DriverHostStatus>();
+    public DbSet<DriverInstanceResilienceStatus> DriverInstanceResilienceStatuses => Set<DriverInstanceResilienceStatus>();
 
     protected override void OnModelCreating(ModelBuilder modelBuilder)
     {
@@ -49,6 +50,7 @@ public sealed class OtOpcUaConfigDbContext(DbContextOptions<OtOpcUaConfigDbConte
         ConfigureConfigAuditLog(modelBuilder);
         ConfigureExternalIdReservation(modelBuilder);
         ConfigureDriverHostStatus(modelBuilder);
+        ConfigureDriverInstanceResilienceStatus(modelBuilder);
     }
 
     private static void ConfigureServerCluster(ModelBuilder modelBuilder)
@@ -512,4 +514,21 @@ public sealed class OtOpcUaConfigDbContext(DbContextOptions<OtOpcUaConfigDbConte
             e.HasIndex(x => x.LastSeenUtc).HasDatabaseName("IX_DriverHostStatus_LastSeen");
         });
     }
+
+    private static void ConfigureDriverInstanceResilienceStatus(ModelBuilder modelBuilder)
+    {
+        modelBuilder.Entity<DriverInstanceResilienceStatus>(e =>
+        {
+            e.ToTable("DriverInstanceResilienceStatus");
+            e.HasKey(x => new { x.DriverInstanceId, x.HostName });
+            e.Property(x => x.DriverInstanceId).HasMaxLength(64);
+            e.Property(x => x.HostName).HasMaxLength(256);
+            e.Property(x => x.LastCircuitBreakerOpenUtc).HasColumnType("datetime2(3)");
+            e.Property(x => x.LastRecycleUtc).HasColumnType("datetime2(3)");
+            e.Property(x => x.LastSampledUtc).HasColumnType("datetime2(3)");
+            // LastSampledUtc drives the Admin UI's stale-sample filter same way DriverHostStatus's
+            // LastSeenUtc index does for connectivity rows.
+            e.HasIndex(x => x.LastSampledUtc).HasDatabaseName("IX_DriverResilience_LastSampled");
+        });
+    }
 }

src/ZB.MOM.WW.OtOpcUa.Configuration/ZB.MOM.WW.OtOpcUa.Configuration.csproj

@@ -19,7 +19,9 @@
             <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
         </PackageReference>
         <PackageReference Include="Microsoft.Extensions.Configuration.Abstractions" Version="10.0.0"/>
+        <PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="10.0.0"/>
         <PackageReference Include="LiteDB" Version="5.0.21"/>
+        <PackageReference Include="Polly.Core" Version="8.6.6"/>
     </ItemGroup>
 
     <ItemGroup>

src/ZB.MOM.WW.OtOpcUa.Core/Observability/DriverHealthReport.cs

@@ -0,0 +1,86 @@
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+
+namespace ZB.MOM.WW.OtOpcUa.Core.Observability;
+
+/// <summary>
+///     Domain-layer health aggregation for Phase 6.1 Stream C. Pure functions over the driver
+///     fleet — given each driver's <see cref="DriverState"/>, produce a <see cref="ReadinessVerdict"/>
+///     that maps to HTTP status codes at the endpoint layer.
+/// </summary>
+/// <remarks>
+///     State matrix per <c>docs/v2/implementation/phase-6-1-resilience-and-observability.md</c>
+///     §Stream C.1:
+///     <list type="bullet">
+///         <item><see cref="DriverState.Unknown"/> / <see cref="DriverState.Initializing"/>
+///             → /readyz 503 (not yet ready).</item>
+///         <item><see cref="DriverState.Healthy"/> → /readyz 200.</item>
+///         <item><see cref="DriverState.Degraded"/> → /readyz 200 with flagged driver IDs.</item>
+///         <item><see cref="DriverState.Faulted"/> → /readyz 503.</item>
+///     </list>
+///     The overall verdict is computed across the fleet: any Faulted → Faulted; any
+///     Unknown/Initializing → NotReady; any Degraded → Degraded; else Healthy. An empty fleet
+///     is Healthy (nothing to degrade).
+/// </remarks>
+public static class DriverHealthReport
+{
+    /// <summary>Compute the fleet-wide readiness verdict from per-driver states.</summary>
+    public static ReadinessVerdict Aggregate(IReadOnlyList<DriverHealthSnapshot> drivers)
+    {
+        ArgumentNullException.ThrowIfNull(drivers);
+        if (drivers.Count == 0) return ReadinessVerdict.Healthy;
+
+        var anyFaulted = drivers.Any(d => d.State == DriverState.Faulted);
+        if (anyFaulted) return ReadinessVerdict.Faulted;
+
+        var anyInitializing = drivers.Any(d =>
+            d.State == DriverState.Unknown || d.State == DriverState.Initializing);
+        if (anyInitializing) return ReadinessVerdict.NotReady;
+
+        // Reconnecting = driver alive but not serving live data; report as Degraded so /readyz
+        // stays 200 (the fleet can still serve cached / last-good data) while operators see the
+        // affected driver in the body.
+        var anyDegraded = drivers.Any(d =>
+            d.State == DriverState.Degraded || d.State == DriverState.Reconnecting);
+        if (anyDegraded) return ReadinessVerdict.Degraded;
+
+        return ReadinessVerdict.Healthy;
+    }
+
+    /// <summary>
+    ///     Map a <see cref="ReadinessVerdict"/> to the HTTP status the /readyz endpoint should
+    ///     return per the Stream C.1 state matrix.
+    /// </summary>
+    public static int HttpStatus(ReadinessVerdict verdict) => verdict switch
+    {
+        ReadinessVerdict.Healthy => 200,
+        ReadinessVerdict.Degraded => 200,
+        ReadinessVerdict.NotReady => 503,
+        ReadinessVerdict.Faulted => 503,
+        _ => 500,
+    };
+}
+
+/// <summary>Per-driver snapshot fed into <see cref="DriverHealthReport.Aggregate"/>.</summary>
+/// <param name="DriverInstanceId">Driver instance identifier (from <c>IDriver.DriverInstanceId</c>).</param>
+/// <param name="State">Current <see cref="DriverState"/> from <c>IDriver.GetHealth</c>.</param>
+/// <param name="DetailMessage">Optional driver-supplied detail (e.g. "primary PLC unreachable").</param>
+public sealed record DriverHealthSnapshot(
+    string DriverInstanceId,
+    DriverState State,
+    string? DetailMessage = null);
+
+/// <summary>Overall fleet readiness — derived from driver states by <see cref="DriverHealthReport.Aggregate"/>.</summary>
+public enum ReadinessVerdict
+{
+    /// <summary>All drivers Healthy (or fleet is empty).</summary>
+    Healthy,
+
+    /// <summary>At least one driver Degraded; none Faulted / NotReady.</summary>
+    Degraded,
+
+    /// <summary>At least one driver Unknown / Initializing; none Faulted.</summary>
+    NotReady,
+
+    /// <summary>At least one driver Faulted.</summary>
+    Faulted,
+}

src/ZB.MOM.WW.OtOpcUa.Core/Observability/LogContextEnricher.cs

@@ -0,0 +1,53 @@
+using Serilog.Context;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+
+namespace ZB.MOM.WW.OtOpcUa.Core.Observability;
+
+/// <summary>
+///     Convenience wrapper around Serilog <see cref="LogContext"/> — attaches the set of
+///     structured properties a capability call should carry (DriverInstanceId, DriverType,
+///     CapabilityName, CorrelationId). Callers wrap their call-site body in a <c>using</c>
+///     block; inner <c>Log.Information</c> / <c>Log.Warning</c> calls emit the context
+///     automatically via the Serilog enricher chain.
+/// </summary>
+/// <remarks>
+///     Per <c>docs/v2/implementation/phase-6-1-resilience-and-observability.md</c> §Stream C.2.
+///     The correlation ID should be the OPC UA <c>RequestHeader.RequestHandle</c> when in-flight;
+///     otherwise a short random GUID. Callers supply whichever is available.
+/// </remarks>
+public static class LogContextEnricher
+{
+    /// <summary>Attach the capability-call property set. Dispose the returned scope to pop.</summary>
+    public static IDisposable Push(string driverInstanceId, string driverType, DriverCapability capability, string correlationId)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(driverInstanceId);
+        ArgumentException.ThrowIfNullOrWhiteSpace(driverType);
+        ArgumentException.ThrowIfNullOrWhiteSpace(correlationId);
+
+        var a = LogContext.PushProperty("DriverInstanceId", driverInstanceId);
+        var b = LogContext.PushProperty("DriverType", driverType);
+        var c = LogContext.PushProperty("CapabilityName", capability.ToString());
+        var d = LogContext.PushProperty("CorrelationId", correlationId);
+        return new CompositeScope(a, b, c, d);
+    }
+
+    /// <summary>
+    ///     Generate a short correlation ID when no OPC UA RequestHandle is available.
+    ///     12-hex-char slice of a GUID — long enough for log correlation, short enough to
+    ///     scan visually.
+    /// </summary>
+    public static string NewCorrelationId() => Guid.NewGuid().ToString("N")[..12];
+
+    private sealed class CompositeScope : IDisposable
+    {
+        private readonly IDisposable[] _inner;
+        public CompositeScope(params IDisposable[] inner) => _inner = inner;
+
+        public void Dispose()
+        {
+            // Reverse-order disposal matches Serilog's stack semantics.
+            for (var i = _inner.Length - 1; i >= 0; i--)
+                _inner[i].Dispose();
+        }
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Core/Resilience/CapabilityInvoker.cs

@@ -1,5 +1,6 @@
 using Polly;
 using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Core.Observability;
 
 namespace ZB.MOM.WW.OtOpcUa.Core.Resilience;
 
@@ -19,6 +20,7 @@ public sealed class CapabilityInvoker
 {
     private readonly DriverResiliencePipelineBuilder _builder;
     private readonly string _driverInstanceId;
+    private readonly string _driverType;
     private readonly Func<DriverResilienceOptions> _optionsAccessor;
 
     /// <summary>
@@ -30,16 +32,19 @@ public sealed class CapabilityInvoker
     ///     Snapshot accessor for the current resilience options. Invoked per call so Admin-edit +
     ///     pipeline-invalidate can take effect without restarting the invoker.
     /// </param>
+    /// <param name="driverType">Driver type name for structured-log enrichment (e.g. <c>"Modbus"</c>).</param>
     public CapabilityInvoker(
         DriverResiliencePipelineBuilder builder,
         string driverInstanceId,
-        Func<DriverResilienceOptions> optionsAccessor)
+        Func<DriverResilienceOptions> optionsAccessor,
+        string driverType = "Unknown")
     {
         ArgumentNullException.ThrowIfNull(builder);
         ArgumentNullException.ThrowIfNull(optionsAccessor);
 
         _builder = builder;
         _driverInstanceId = driverInstanceId;
+        _driverType = driverType;
         _optionsAccessor = optionsAccessor;
     }
 
@@ -54,7 +59,10 @@ public sealed class CapabilityInvoker
         ArgumentNullException.ThrowIfNull(callSite);
 
         var pipeline = ResolvePipeline(capability, hostName);
-        return await pipeline.ExecuteAsync(callSite, cancellationToken).ConfigureAwait(false);
+        using (LogContextEnricher.Push(_driverInstanceId, _driverType, capability, LogContextEnricher.NewCorrelationId()))
+        {
+            return await pipeline.ExecuteAsync(callSite, cancellationToken).ConfigureAwait(false);
+        }
     }
 
     /// <summary>Execute a void-returning capability call, honoring the per-capability pipeline.</summary>
@@ -67,7 +75,10 @@ public sealed class CapabilityInvoker
         ArgumentNullException.ThrowIfNull(callSite);
 
         var pipeline = ResolvePipeline(capability, hostName);
-        await pipeline.ExecuteAsync(callSite, cancellationToken).ConfigureAwait(false);
+        using (LogContextEnricher.Push(_driverInstanceId, _driverType, capability, LogContextEnricher.NewCorrelationId()))
+        {
+            await pipeline.ExecuteAsync(callSite, cancellationToken).ConfigureAwait(false);
+        }
     }
 
     /// <summary>
@@ -95,7 +106,10 @@ public sealed class CapabilityInvoker
                 },
             };
             var pipeline = _builder.GetOrCreate(_driverInstanceId, $"{hostName}::non-idempotent", DriverCapability.Write, noRetryOptions);
-            return await pipeline.ExecuteAsync(callSite, cancellationToken).ConfigureAwait(false);
+            using (LogContextEnricher.Push(_driverInstanceId, _driverType, DriverCapability.Write, LogContextEnricher.NewCorrelationId()))
+            {
+                return await pipeline.ExecuteAsync(callSite, cancellationToken).ConfigureAwait(false);
+            }
         }
 
         return await ExecuteAsync(DriverCapability.Write, hostName, callSite, cancellationToken).ConfigureAwait(false);

src/ZB.MOM.WW.OtOpcUa.Core/Resilience/DriverResilienceStatusTracker.cs

@@ -0,0 +1,104 @@
+using System.Collections.Concurrent;
+
+namespace ZB.MOM.WW.OtOpcUa.Core.Resilience;
+
+/// <summary>
+///     Process-singleton tracker of live resilience counters per
+///     <c>(DriverInstanceId, HostName)</c>. Populated by the CapabilityInvoker and the
+///     MemoryTracking layer; consumed by a HostedService that periodically persists a
+///     snapshot to the <c>DriverInstanceResilienceStatus</c> table for Admin <c>/hosts</c>.
+/// </summary>
+/// <remarks>
+///     Per Phase 6.1 Stream E. No DB dependency here — the tracker is pure in-memory so
+///     tests can exercise it without EF Core or SQL Server. The HostedService that writes
+///     snapshots lives in the Server project (Stream E.2); the actual SignalR push + Blazor
+///     page refresh (E.3) lands in a follow-up visual-review PR.
+/// </remarks>
+public sealed class DriverResilienceStatusTracker
+{
+    private readonly ConcurrentDictionary<StatusKey, ResilienceStatusSnapshot> _status = new();
+
+    /// <summary>Record a Polly pipeline failure for <paramref name="hostName"/>.</summary>
+    public void RecordFailure(string driverInstanceId, string hostName, DateTime utcNow)
+    {
+        var key = new StatusKey(driverInstanceId, hostName);
+        _status.AddOrUpdate(key,
+            _ => new ResilienceStatusSnapshot { ConsecutiveFailures = 1, LastSampledUtc = utcNow },
+            (_, existing) => existing with
+            {
+                ConsecutiveFailures = existing.ConsecutiveFailures + 1,
+                LastSampledUtc = utcNow,
+            });
+    }
+
+    /// <summary>Reset the consecutive-failure count on a successful pipeline execution.</summary>
+    public void RecordSuccess(string driverInstanceId, string hostName, DateTime utcNow)
+    {
+        var key = new StatusKey(driverInstanceId, hostName);
+        _status.AddOrUpdate(key,
+            _ => new ResilienceStatusSnapshot { ConsecutiveFailures = 0, LastSampledUtc = utcNow },
+            (_, existing) => existing with
+            {
+                ConsecutiveFailures = 0,
+                LastSampledUtc = utcNow,
+            });
+    }
+
+    /// <summary>Record a circuit-breaker open event.</summary>
+    public void RecordBreakerOpen(string driverInstanceId, string hostName, DateTime utcNow)
+    {
+        var key = new StatusKey(driverInstanceId, hostName);
+        _status.AddOrUpdate(key,
+            _ => new ResilienceStatusSnapshot { LastBreakerOpenUtc = utcNow, LastSampledUtc = utcNow },
+            (_, existing) => existing with { LastBreakerOpenUtc = utcNow, LastSampledUtc = utcNow });
+    }
+
+    /// <summary>Record a process recycle event (Tier C only).</summary>
+    public void RecordRecycle(string driverInstanceId, string hostName, DateTime utcNow)
+    {
+        var key = new StatusKey(driverInstanceId, hostName);
+        _status.AddOrUpdate(key,
+            _ => new ResilienceStatusSnapshot { LastRecycleUtc = utcNow, LastSampledUtc = utcNow },
+            (_, existing) => existing with { LastRecycleUtc = utcNow, LastSampledUtc = utcNow });
+    }
+
+    /// <summary>Capture / update the MemoryTracking-supplied baseline + current footprint.</summary>
+    public void RecordFootprint(string driverInstanceId, string hostName, long baselineBytes, long currentBytes, DateTime utcNow)
+    {
+        var key = new StatusKey(driverInstanceId, hostName);
+        _status.AddOrUpdate(key,
+            _ => new ResilienceStatusSnapshot
+            {
+                BaselineFootprintBytes = baselineBytes,
+                CurrentFootprintBytes = currentBytes,
+                LastSampledUtc = utcNow,
+            },
+            (_, existing) => existing with
+            {
+                BaselineFootprintBytes = baselineBytes,
+                CurrentFootprintBytes = currentBytes,
+                LastSampledUtc = utcNow,
+            });
+    }
+
+    /// <summary>Snapshot of a specific (instance, host) pair; null if no counters recorded yet.</summary>
+    public ResilienceStatusSnapshot? TryGet(string driverInstanceId, string hostName) =>
+        _status.TryGetValue(new StatusKey(driverInstanceId, hostName), out var snapshot) ? snapshot : null;
+
+    /// <summary>Copy of every currently-tracked (instance, host, snapshot) triple. Safe under concurrent writes.</summary>
+    public IReadOnlyList<(string DriverInstanceId, string HostName, ResilienceStatusSnapshot Snapshot)> Snapshot() =>
+        _status.Select(kvp => (kvp.Key.DriverInstanceId, kvp.Key.HostName, kvp.Value)).ToList();
+
+    private readonly record struct StatusKey(string DriverInstanceId, string HostName);
+}
+
+/// <summary>Snapshot of the resilience counters for one <c>(DriverInstanceId, HostName)</c> pair.</summary>
+public sealed record ResilienceStatusSnapshot
+{
+    public int ConsecutiveFailures { get; init; }
+    public DateTime? LastBreakerOpenUtc { get; init; }
+    public DateTime? LastRecycleUtc { get; init; }
+    public long BaselineFootprintBytes { get; init; }
+    public long CurrentFootprintBytes { get; init; }
+    public DateTime LastSampledUtc { get; init; }
+}

src/ZB.MOM.WW.OtOpcUa.Core/ZB.MOM.WW.OtOpcUa.Core.csproj

@@ -18,6 +18,7 @@
 
     <ItemGroup>
         <PackageReference Include="Polly.Core" Version="8.6.6"/>
+        <PackageReference Include="Serilog" Version="4.3.0"/>
     </ItemGroup>
 
     <ItemGroup>

src/ZB.MOM.WW.OtOpcUa.Server/Observability/HealthEndpointsHost.cs

@@ -0,0 +1,181 @@
+using System.Net;
+using System.Text;
+using System.Text.Json;
+using Microsoft.Extensions.Logging;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Core.Hosting;
+using ZB.MOM.WW.OtOpcUa.Core.Observability;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.Observability;
+
+/// <summary>
+///     Standalone <see cref="HttpListener"/> host for <c>/healthz</c> and <c>/readyz</c>
+///     separate from the OPC UA binding. Per <c>docs/v2/implementation/phase-6-1-resilience-
+///     and-observability.md</c> §Stream C.1.
+/// </summary>
+/// <remarks>
+///     Binds to <c>http://localhost:4841</c> by default — loopback avoids the Windows URL-ACL
+///     elevation requirement that binding to <c>http://+:4841</c> (wildcard) would impose.
+///     When a deployment needs remote probing, a reverse proxy or explicit netsh urlacl grant
+///     is the expected path; documented in <c>docs/v2/Server-Deployment.md</c> in a follow-up.
+/// </remarks>
+public sealed class HealthEndpointsHost : IAsyncDisposable
+{
+    private readonly string _prefix;
+    private readonly DriverHost _driverHost;
+    private readonly Func<bool> _configDbHealthy;
+    private readonly Func<bool> _usingStaleConfig;
+    private readonly ILogger<HealthEndpointsHost> _logger;
+    private readonly HttpListener _listener = new();
+    private readonly DateTime _startedUtc = DateTime.UtcNow;
+    private CancellationTokenSource? _cts;
+    private Task? _acceptLoop;
+    private bool _disposed;
+
+    public HealthEndpointsHost(
+        DriverHost driverHost,
+        ILogger<HealthEndpointsHost> logger,
+        Func<bool>? configDbHealthy = null,
+        Func<bool>? usingStaleConfig = null,
+        string prefix = "http://localhost:4841/")
+    {
+        _driverHost = driverHost;
+        _logger = logger;
+        _configDbHealthy = configDbHealthy ?? (() => true);
+        _usingStaleConfig = usingStaleConfig ?? (() => false);
+        _prefix = prefix.EndsWith('/') ? prefix : prefix + "/";
+        _listener.Prefixes.Add(_prefix);
+    }
+
+    public void Start()
+    {
+        _listener.Start();
+        _cts = new CancellationTokenSource();
+        _acceptLoop = Task.Run(() => AcceptLoopAsync(_cts.Token));
+        _logger.LogInformation("Health endpoints listening on {Prefix}", _prefix);
+    }
+
+    private async Task AcceptLoopAsync(CancellationToken ct)
+    {
+        while (!ct.IsCancellationRequested)
+        {
+            HttpListenerContext ctx;
+            try
+            {
+                ctx = await _listener.GetContextAsync().ConfigureAwait(false);
+            }
+            catch (HttpListenerException) when (ct.IsCancellationRequested) { break; }
+            catch (ObjectDisposedException) { break; }
+
+            _ = Task.Run(() => HandleAsync(ctx), ct);
+        }
+    }
+
+    private async Task HandleAsync(HttpListenerContext ctx)
+    {
+        try
+        {
+            var path = ctx.Request.Url?.AbsolutePath ?? "/";
+            switch (path)
+            {
+                case "/healthz":
+                    await WriteHealthzAsync(ctx).ConfigureAwait(false);
+                    break;
+                case "/readyz":
+                    await WriteReadyzAsync(ctx).ConfigureAwait(false);
+                    break;
+                default:
+                    ctx.Response.StatusCode = 404;
+                    break;
+            }
+        }
+        catch (Exception ex)
+        {
+            _logger.LogWarning(ex, "Health endpoint handler failure");
+            try { ctx.Response.StatusCode = 500; } catch { /* ignore */ }
+        }
+        finally
+        {
+            try { ctx.Response.Close(); } catch { /* ignore */ }
+        }
+    }
+
+    private async Task WriteHealthzAsync(HttpListenerContext ctx)
+    {
+        var configHealthy = _configDbHealthy();
+        var staleConfig = _usingStaleConfig();
+        // /healthz is 200 when process alive + (config DB reachable OR cache-warm).
+        // Stale-config still serves 200 so the process isn't flagged dead when the DB
+        // blips; the body surfaces the stale flag for operators.
+        var healthy = configHealthy || staleConfig;
+        ctx.Response.StatusCode = healthy ? 200 : 503;
+
+        var body = JsonSerializer.Serialize(new
+        {
+            status = healthy ? "healthy" : "unhealthy",
+            uptimeSeconds = (int)(DateTime.UtcNow - _startedUtc).TotalSeconds,
+            configDbReachable = configHealthy,
+            usingStaleConfig = staleConfig,
+        });
+        await WriteBodyAsync(ctx, body).ConfigureAwait(false);
+    }
+
+    private async Task WriteReadyzAsync(HttpListenerContext ctx)
+    {
+        var snapshots = BuildSnapshots();
+        var verdict = DriverHealthReport.Aggregate(snapshots);
+        ctx.Response.StatusCode = DriverHealthReport.HttpStatus(verdict);
+
+        var body = JsonSerializer.Serialize(new
+        {
+            verdict = verdict.ToString(),
+            uptimeSeconds = (int)(DateTime.UtcNow - _startedUtc).TotalSeconds,
+            drivers = snapshots.Select(d => new
+            {
+                id = d.DriverInstanceId,
+                state = d.State.ToString(),
+                detail = d.DetailMessage,
+            }).ToArray(),
+            degradedDrivers = snapshots
+                .Where(d => d.State == DriverState.Degraded || d.State == DriverState.Reconnecting)
+                .Select(d => d.DriverInstanceId)
+                .ToArray(),
+        });
+        await WriteBodyAsync(ctx, body).ConfigureAwait(false);
+    }
+
+    private IReadOnlyList<DriverHealthSnapshot> BuildSnapshots()
+    {
+        var list = new List<DriverHealthSnapshot>();
+        foreach (var id in _driverHost.RegisteredDriverIds)
+        {
+            var driver = _driverHost.GetDriver(id);
+            if (driver is null) continue;
+            var health = driver.GetHealth();
+            list.Add(new DriverHealthSnapshot(driver.DriverInstanceId, health.State, health.LastError));
+        }
+        return list;
+    }
+
+    private static async Task WriteBodyAsync(HttpListenerContext ctx, string body)
+    {
+        var bytes = Encoding.UTF8.GetBytes(body);
+        ctx.Response.ContentType = "application/json; charset=utf-8";
+        ctx.Response.ContentLength64 = bytes.LongLength;
+        await ctx.Response.OutputStream.WriteAsync(bytes).ConfigureAwait(false);
+    }
+
+    public async ValueTask DisposeAsync()
+    {
+        if (_disposed) return;
+        _disposed = true;
+        _cts?.Cancel();
+        try { _listener.Stop(); } catch { /* ignore */ }
+        if (_acceptLoop is not null)
+        {
+            try { await _acceptLoop.ConfigureAwait(false); } catch { /* ignore */ }
+        }
+        _listener.Close();
+        _cts?.Dispose();
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Server/OpcUa/OpcUaApplicationHost.cs

@@ -4,6 +4,7 @@ using Opc.Ua.Configuration;
 using ZB.MOM.WW.OtOpcUa.Core.Hosting;
 using ZB.MOM.WW.OtOpcUa.Core.OpcUa;
 using ZB.MOM.WW.OtOpcUa.Core.Resilience;
+using ZB.MOM.WW.OtOpcUa.Server.Observability;
 using ZB.MOM.WW.OtOpcUa.Server.Security;
 
 namespace ZB.MOM.WW.OtOpcUa.Server.OpcUa;
@@ -26,6 +27,7 @@ public sealed class OpcUaApplicationHost : IAsyncDisposable
     private readonly ILogger<OpcUaApplicationHost> _logger;
     private ApplicationInstance? _application;
     private OtOpcUaServer? _server;
+    private HealthEndpointsHost? _healthHost;
     private bool _disposed;
 
     public OpcUaApplicationHost(OpcUaServerOptions options, DriverHost driverHost,
@@ -68,6 +70,17 @@ public sealed class OpcUaApplicationHost : IAsyncDisposable
         _logger.LogInformation("OPC UA server started — endpoint={Endpoint} driverCount={Count}",
             _options.EndpointUrl, _server.DriverNodeManagers.Count);
 
+        // Phase 6.1 Stream C: health endpoints on :4841 (loopback by default — see
+        // HealthEndpointsHost remarks for the Windows URL-ACL tradeoff).
+        if (_options.HealthEndpointsEnabled)
+        {
+            _healthHost = new HealthEndpointsHost(
+                _driverHost,
+                _loggerFactory.CreateLogger<HealthEndpointsHost>(),
+                prefix: _options.HealthEndpointsPrefix);
+            _healthHost.Start();
+        }
+
         // Drive each driver's discovery through its node manager. The node manager IS the
         // IAddressSpaceBuilder; GenericDriverNodeManager captures alarm-condition sinks into
         // its internal map and wires OnAlarmEvent → sink routing.
@@ -221,6 +234,12 @@ public sealed class OpcUaApplicationHost : IAsyncDisposable
         {
             _logger.LogWarning(ex, "OPC UA server stop threw during dispose");
         }
+
+        if (_healthHost is not null)
+        {
+            try { await _healthHost.DisposeAsync().ConfigureAwait(false); }
+            catch (Exception ex) { _logger.LogWarning(ex, "Health endpoints host dispose threw"); }
+        }
         await Task.CompletedTask;
     }
 }

src/ZB.MOM.WW.OtOpcUa.Server/OpcUa/OpcUaServerOptions.cs

@@ -58,6 +58,20 @@ public sealed class OpcUaServerOptions
     /// </summary>
     public bool AutoAcceptUntrustedClientCertificates { get; init; } = true;
 
+    /// <summary>
+    ///     Whether to start the Phase 6.1 Stream C <c>/healthz</c> + <c>/readyz</c> HTTP listener.
+    ///     Defaults to <c>true</c>; set false in embedded deployments that don't need HTTP
+    ///     (e.g. tests that only exercise the OPC UA surface).
+    /// </summary>
+    public bool HealthEndpointsEnabled { get; init; } = true;
+
+    /// <summary>
+    ///     URL prefix the health endpoints bind to. Default <c>http://localhost:4841/</c> — loopback
+    ///     avoids Windows URL-ACL elevation. Production deployments that need remote probing should
+    ///     either reverse-proxy or use <c>http://+:4841/</c> with netsh urlacl granted.
+    /// </summary>
+    public string HealthEndpointsPrefix { get; init; } = "http://localhost:4841/";
+
     /// <summary>
     ///     Security profile advertised on the endpoint. Default <see cref="OpcUaSecurityProfile.None"/>
     ///     preserves the PR 17 endpoint shape; set to <see cref="OpcUaSecurityProfile.Basic256Sha256SignAndEncrypt"/>

src/ZB.MOM.WW.OtOpcUa.Server/OpcUa/OtOpcUaServer.cs

@@ -57,7 +57,7 @@ public sealed class OtOpcUaServer : StandardServer
             // per-type tiers into DriverTypeRegistry. Read ResilienceConfig JSON from the
             // DriverInstance row in a follow-up PR; for now every driver gets Tier A defaults.
             var options = new DriverResilienceOptions { Tier = DriverTier.A };
-            var invoker = new CapabilityInvoker(_pipelineBuilder, driver.DriverInstanceId, () => options);
+            var invoker = new CapabilityInvoker(_pipelineBuilder, driver.DriverInstanceId, () => options, driver.DriverType);
             var manager = new DriverNodeManager(server, configuration, driver, invoker, logger);
             _driverNodeManagers.Add(manager);
         }

src/ZB.MOM.WW.OtOpcUa.Server/Program.cs

@@ -4,6 +4,7 @@ using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
 using Microsoft.Extensions.Logging;
 using Serilog;
+using Serilog.Formatting.Compact;
 using ZB.MOM.WW.OtOpcUa.Configuration;
 using ZB.MOM.WW.OtOpcUa.Configuration.LocalCache;
 using ZB.MOM.WW.OtOpcUa.Core.Hosting;
@@ -13,11 +14,25 @@ using ZB.MOM.WW.OtOpcUa.Server.Security;
 
 var builder = Host.CreateApplicationBuilder(args);
 
-Log.Logger = new LoggerConfiguration()
+// Per Phase 6.1 Stream C.3: SIEMs (Splunk, Datadog) ingest the JSON file without a
+// regex parser. Plain-text rolling file stays on by default for human readability;
+// JSON file is opt-in via appsetting `Serilog:WriteJson = true`.
+var writeJson = builder.Configuration.GetValue<bool>("Serilog:WriteJson");
+var loggerBuilder = new LoggerConfiguration()
     .ReadFrom.Configuration(builder.Configuration)
+    .Enrich.FromLogContext()
     .WriteTo.Console()
-    .WriteTo.File("logs/otopcua-.log", rollingInterval: RollingInterval.Day)
-    .CreateLogger();
+    .WriteTo.File("logs/otopcua-.log", rollingInterval: RollingInterval.Day);
+
+if (writeJson)
+{
+    loggerBuilder = loggerBuilder.WriteTo.File(
+        new CompactJsonFormatter(),
+        "logs/otopcua-.json.log",
+        rollingInterval: RollingInterval.Day);
+}
+
+Log.Logger = loggerBuilder.CreateLogger();
 
 builder.Services.AddSerilog();
 builder.Services.AddWindowsService(o => o.ServiceName = "OtOpcUa");

src/ZB.MOM.WW.OtOpcUa.Server/ZB.MOM.WW.OtOpcUa.Server.csproj

@@ -21,6 +21,7 @@
         <PackageReference Include="Serilog.Settings.Configuration" Version="9.0.0"/>
         <PackageReference Include="Serilog.Sinks.Console" Version="6.0.0"/>
         <PackageReference Include="Serilog.Sinks.File" Version="7.0.0"/>
+        <PackageReference Include="Serilog.Formatting.Compact" Version="3.0.0"/>
         <PackageReference Include="OPCFoundation.NetStandard.Opc.Ua.Server" Version="1.5.374.126"/>
         <PackageReference Include="OPCFoundation.NetStandard.Opc.Ua.Configuration" Version="1.5.374.126"/>
         <PackageReference Include="Novell.Directory.Ldap.NETStandard" Version="3.6.0"/>

tests/ZB.MOM.WW.OtOpcUa.Configuration.Tests/GenerationSealedCacheTests.cs

@@ -0,0 +1,157 @@
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Configuration.LocalCache;
+
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Tests;
+
+[Trait("Category", "Unit")]
+public sealed class GenerationSealedCacheTests : IDisposable
+{
+    private readonly string _root = Path.Combine(Path.GetTempPath(), $"otopcua-sealed-{Guid.NewGuid():N}");
+
+    public void Dispose()
+    {
+        try
+        {
+            if (!Directory.Exists(_root)) return;
+            // Remove ReadOnly attribute first so Directory.Delete can clean sealed files.
+            foreach (var f in Directory.EnumerateFiles(_root, "*", SearchOption.AllDirectories))
+                File.SetAttributes(f, FileAttributes.Normal);
+            Directory.Delete(_root, recursive: true);
+        }
+        catch { /* best-effort cleanup */ }
+    }
+
+    private GenerationSnapshot MakeSnapshot(string clusterId, long generationId, string payload = "{\"sample\":true}") =>
+        new()
+        {
+            ClusterId = clusterId,
+            GenerationId = generationId,
+            CachedAt = DateTime.UtcNow,
+            PayloadJson = payload,
+        };
+
+    [Fact]
+    public async Task FirstBoot_NoSnapshot_ReadThrows()
+    {
+        var cache = new GenerationSealedCache(_root);
+
+        await Should.ThrowAsync<GenerationCacheUnavailableException>(
+            () => cache.ReadCurrentAsync("cluster-a"));
+    }
+
+    [Fact]
+    public async Task SealThenRead_RoundTrips()
+    {
+        var cache = new GenerationSealedCache(_root);
+        var snapshot = MakeSnapshot("cluster-a", 42, "{\"hello\":\"world\"}");
+
+        await cache.SealAsync(snapshot);
+
+        var read = await cache.ReadCurrentAsync("cluster-a");
+        read.GenerationId.ShouldBe(42);
+        read.ClusterId.ShouldBe("cluster-a");
+        read.PayloadJson.ShouldBe("{\"hello\":\"world\"}");
+    }
+
+    [Fact]
+    public async Task SealedFile_IsReadOnly_OnDisk()
+    {
+        var cache = new GenerationSealedCache(_root);
+        await cache.SealAsync(MakeSnapshot("cluster-a", 5));
+
+        var sealedPath = Path.Combine(_root, "cluster-a", "5.db");
+        File.Exists(sealedPath).ShouldBeTrue();
+        var attrs = File.GetAttributes(sealedPath);
+        attrs.HasFlag(FileAttributes.ReadOnly).ShouldBeTrue("sealed file must be read-only");
+    }
+
+    [Fact]
+    public async Task SealingTwoGenerations_PointerAdvances_ToLatest()
+    {
+        var cache = new GenerationSealedCache(_root);
+        await cache.SealAsync(MakeSnapshot("cluster-a", 1));
+        await cache.SealAsync(MakeSnapshot("cluster-a", 2));
+
+        cache.TryGetCurrentGenerationId("cluster-a").ShouldBe(2);
+        var read = await cache.ReadCurrentAsync("cluster-a");
+        read.GenerationId.ShouldBe(2);
+    }
+
+    [Fact]
+    public async Task PriorGenerationFile_Survives_AfterNewSeal()
+    {
+        var cache = new GenerationSealedCache(_root);
+        await cache.SealAsync(MakeSnapshot("cluster-a", 1));
+        await cache.SealAsync(MakeSnapshot("cluster-a", 2));
+
+        File.Exists(Path.Combine(_root, "cluster-a", "1.db")).ShouldBeTrue(
+            "prior generations preserved for audit; pruning is separate");
+        File.Exists(Path.Combine(_root, "cluster-a", "2.db")).ShouldBeTrue();
+    }
+
+    [Fact]
+    public async Task CorruptSealedFile_ReadFailsClosed()
+    {
+        var cache = new GenerationSealedCache(_root);
+        await cache.SealAsync(MakeSnapshot("cluster-a", 7));
+
+        // Corrupt the sealed file: clear read-only, truncate, leave pointer intact.
+        var sealedPath = Path.Combine(_root, "cluster-a", "7.db");
+        File.SetAttributes(sealedPath, FileAttributes.Normal);
+        File.WriteAllBytes(sealedPath, [0x00, 0x01, 0x02]);
+
+        await Should.ThrowAsync<GenerationCacheUnavailableException>(
+            () => cache.ReadCurrentAsync("cluster-a"));
+    }
+
+    [Fact]
+    public async Task MissingSealedFile_ReadFailsClosed()
+    {
+        var cache = new GenerationSealedCache(_root);
+        await cache.SealAsync(MakeSnapshot("cluster-a", 3));
+
+        // Delete the sealed file but leave the pointer — corruption scenario.
+        var sealedPath = Path.Combine(_root, "cluster-a", "3.db");
+        File.SetAttributes(sealedPath, FileAttributes.Normal);
+        File.Delete(sealedPath);
+
+        await Should.ThrowAsync<GenerationCacheUnavailableException>(
+            () => cache.ReadCurrentAsync("cluster-a"));
+    }
+
+    [Fact]
+    public async Task CorruptPointerFile_ReadFailsClosed()
+    {
+        var cache = new GenerationSealedCache(_root);
+        await cache.SealAsync(MakeSnapshot("cluster-a", 9));
+
+        var pointerPath = Path.Combine(_root, "cluster-a", "CURRENT");
+        File.WriteAllText(pointerPath, "not-a-number");
+
+        await Should.ThrowAsync<GenerationCacheUnavailableException>(
+            () => cache.ReadCurrentAsync("cluster-a"));
+    }
+
+    [Fact]
+    public async Task SealSameGenerationTwice_IsIdempotent()
+    {
+        var cache = new GenerationSealedCache(_root);
+        await cache.SealAsync(MakeSnapshot("cluster-a", 11));
+        await cache.SealAsync(MakeSnapshot("cluster-a", 11, "{\"v\":2}"));
+
+        var read = await cache.ReadCurrentAsync("cluster-a");
+        read.PayloadJson.ShouldBe("{\"sample\":true}", "sealed file is immutable; second seal no-ops");
+    }
+
+    [Fact]
+    public async Task IndependentClusters_DoNotInterfere()
+    {
+        var cache = new GenerationSealedCache(_root);
+        await cache.SealAsync(MakeSnapshot("cluster-a", 1));
+        await cache.SealAsync(MakeSnapshot("cluster-b", 10));
+
+        (await cache.ReadCurrentAsync("cluster-a")).GenerationId.ShouldBe(1);
+        (await cache.ReadCurrentAsync("cluster-b")).GenerationId.ShouldBe(10);
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Configuration.Tests/ResilientConfigReaderTests.cs

@@ -0,0 +1,154 @@
+using Microsoft.Extensions.Logging.Abstractions;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Configuration.LocalCache;
+
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Tests;
+
+[Trait("Category", "Unit")]
+public sealed class ResilientConfigReaderTests : IDisposable
+{
+    private readonly string _root = Path.Combine(Path.GetTempPath(), $"otopcua-reader-{Guid.NewGuid():N}");
+
+    public void Dispose()
+    {
+        try
+        {
+            if (!Directory.Exists(_root)) return;
+            foreach (var f in Directory.EnumerateFiles(_root, "*", SearchOption.AllDirectories))
+                File.SetAttributes(f, FileAttributes.Normal);
+            Directory.Delete(_root, recursive: true);
+        }
+        catch { /* best-effort */ }
+    }
+
+    [Fact]
+    public async Task CentralDbSucceeds_ReturnsValue_MarksFresh()
+    {
+        var cache = new GenerationSealedCache(_root);
+        var flag = new StaleConfigFlag { };
+        flag.MarkStale(); // pre-existing stale state
+        var reader = new ResilientConfigReader(cache, flag, NullLogger<ResilientConfigReader>.Instance);
+
+        var result = await reader.ReadAsync(
+            "cluster-a",
+            _ => ValueTask.FromResult("fresh-from-db"),
+            _ => "from-cache",
+            CancellationToken.None);
+
+        result.ShouldBe("fresh-from-db");
+        flag.IsStale.ShouldBeFalse("successful central-DB read clears stale flag");
+    }
+
+    [Fact]
+    public async Task CentralDbFails_ExhaustsRetries_FallsBackToCache_MarksStale()
+    {
+        var cache = new GenerationSealedCache(_root);
+        await cache.SealAsync(new GenerationSnapshot
+        {
+            ClusterId = "cluster-a", GenerationId = 99, CachedAt = DateTime.UtcNow,
+            PayloadJson = "{\"cached\":true}",
+        });
+        var flag = new StaleConfigFlag();
+        var reader = new ResilientConfigReader(cache, flag, NullLogger<ResilientConfigReader>.Instance,
+            timeout: TimeSpan.FromSeconds(10), retryCount: 2);
+        var attempts = 0;
+
+        var result = await reader.ReadAsync(
+            "cluster-a",
+            _ =>
+            {
+                attempts++;
+                throw new InvalidOperationException("SQL dead");
+#pragma warning disable CS0162
+                return ValueTask.FromResult("never");
+#pragma warning restore CS0162
+            },
+            snap => snap.PayloadJson,
+            CancellationToken.None);
+
+        attempts.ShouldBe(3, "1 initial + 2 retries = 3 attempts");
+        result.ShouldBe("{\"cached\":true}");
+        flag.IsStale.ShouldBeTrue("cache fallback flips stale flag true");
+    }
+
+    [Fact]
+    public async Task CentralDbFails_AndCacheAlsoUnavailable_Throws()
+    {
+        var cache = new GenerationSealedCache(_root);
+        var flag = new StaleConfigFlag();
+        var reader = new ResilientConfigReader(cache, flag, NullLogger<ResilientConfigReader>.Instance,
+            timeout: TimeSpan.FromSeconds(10), retryCount: 0);
+
+        await Should.ThrowAsync<GenerationCacheUnavailableException>(async () =>
+        {
+            await reader.ReadAsync<string>(
+                "cluster-a",
+                _ => throw new InvalidOperationException("SQL dead"),
+                _ => "never",
+                CancellationToken.None);
+        });
+
+        flag.IsStale.ShouldBeFalse("no snapshot ever served, so flag stays whatever it was");
+    }
+
+    [Fact]
+    public async Task Cancellation_NotRetried()
+    {
+        var cache = new GenerationSealedCache(_root);
+        var flag = new StaleConfigFlag();
+        var reader = new ResilientConfigReader(cache, flag, NullLogger<ResilientConfigReader>.Instance,
+            timeout: TimeSpan.FromSeconds(10), retryCount: 5);
+        using var cts = new CancellationTokenSource();
+        cts.Cancel();
+        var attempts = 0;
+
+        await Should.ThrowAsync<OperationCanceledException>(async () =>
+        {
+            await reader.ReadAsync<string>(
+                "cluster-a",
+                ct =>
+                {
+                    attempts++;
+                    ct.ThrowIfCancellationRequested();
+                    return ValueTask.FromResult("ok");
+                },
+                _ => "cache",
+                cts.Token);
+        });
+
+        attempts.ShouldBeLessThanOrEqualTo(1);
+    }
+}
+
+[Trait("Category", "Unit")]
+public sealed class StaleConfigFlagTests
+{
+    [Fact]
+    public void Default_IsFresh()
+    {
+        new StaleConfigFlag().IsStale.ShouldBeFalse();
+    }
+
+    [Fact]
+    public void MarkStale_ThenFresh_Toggles()
+    {
+        var flag = new StaleConfigFlag();
+        flag.MarkStale();
+        flag.IsStale.ShouldBeTrue();
+        flag.MarkFresh();
+        flag.IsStale.ShouldBeFalse();
+    }
+
+    [Fact]
+    public void ConcurrentWrites_Converge()
+    {
+        var flag = new StaleConfigFlag();
+        Parallel.For(0, 1000, i =>
+        {
+            if (i % 2 == 0) flag.MarkStale(); else flag.MarkFresh();
+        });
+        flag.MarkFresh();
+        flag.IsStale.ShouldBeFalse();
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Configuration.Tests/SchemaComplianceTests.cs

@@ -29,6 +29,7 @@ public sealed class SchemaComplianceTests
             "DriverInstance", "Device", "Equipment", "Tag", "PollGroup",
             "NodeAcl", "ExternalIdReservation",
             "DriverHostStatus",
+            "DriverInstanceResilienceStatus",
         };
 
         var actual = QueryStrings(@"

tests/ZB.MOM.WW.OtOpcUa.Core.Tests/Observability/CapabilityInvokerEnrichmentTests.cs

@@ -0,0 +1,72 @@
+using Serilog;
+using Serilog.Core;
+using Serilog.Events;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Core.Resilience;
+
+namespace ZB.MOM.WW.OtOpcUa.Core.Tests.Observability;
+
+[Trait("Category", "Integration")]
+public sealed class CapabilityInvokerEnrichmentTests
+{
+    [Fact]
+    public async Task InvokerExecute_LogsInsideCallSite_CarryStructuredProperties()
+    {
+        var sink = new InMemorySink();
+        var logger = new LoggerConfiguration()
+            .Enrich.FromLogContext()
+            .WriteTo.Sink(sink)
+            .CreateLogger();
+
+        var invoker = new CapabilityInvoker(
+            new DriverResiliencePipelineBuilder(),
+            driverInstanceId: "drv-live",
+            optionsAccessor: () => new DriverResilienceOptions { Tier = DriverTier.A },
+            driverType: "Modbus");
+
+        await invoker.ExecuteAsync(
+            DriverCapability.Read,
+            "plc-1",
+            ct =>
+            {
+                logger.Information("inside call site");
+                return ValueTask.FromResult(42);
+            },
+            CancellationToken.None);
+
+        var evt = sink.Events.ShouldHaveSingleItem();
+        evt.Properties["DriverInstanceId"].ToString().ShouldBe("\"drv-live\"");
+        evt.Properties["DriverType"].ToString().ShouldBe("\"Modbus\"");
+        evt.Properties["CapabilityName"].ToString().ShouldBe("\"Read\"");
+        evt.Properties.ShouldContainKey("CorrelationId");
+    }
+
+    [Fact]
+    public async Task InvokerExecute_DoesNotLeak_ContextOutsideCallSite()
+    {
+        var sink = new InMemorySink();
+        var logger = new LoggerConfiguration()
+            .Enrich.FromLogContext()
+            .WriteTo.Sink(sink)
+            .CreateLogger();
+
+        var invoker = new CapabilityInvoker(
+            new DriverResiliencePipelineBuilder(),
+            driverInstanceId: "drv-a",
+            optionsAccessor: () => new DriverResilienceOptions { Tier = DriverTier.A });
+
+        await invoker.ExecuteAsync(DriverCapability.Read, "host", _ => ValueTask.FromResult(1), CancellationToken.None);
+        logger.Information("outside");
+
+        var outside = sink.Events.ShouldHaveSingleItem();
+        outside.Properties.ContainsKey("DriverInstanceId").ShouldBeFalse();
+    }
+
+    private sealed class InMemorySink : ILogEventSink
+    {
+        public List<LogEvent> Events { get; } = [];
+        public void Emit(LogEvent logEvent) => Events.Add(logEvent);
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Core.Tests/Observability/DriverHealthReportTests.cs

@@ -0,0 +1,70 @@
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Core.Observability;
+
+namespace ZB.MOM.WW.OtOpcUa.Core.Tests.Observability;
+
+[Trait("Category", "Unit")]
+public sealed class DriverHealthReportTests
+{
+    [Fact]
+    public void EmptyFleet_IsHealthy()
+    {
+        DriverHealthReport.Aggregate([]).ShouldBe(ReadinessVerdict.Healthy);
+    }
+
+    [Fact]
+    public void AllHealthy_Fleet_IsHealthy()
+    {
+        var verdict = DriverHealthReport.Aggregate([
+            new DriverHealthSnapshot("a", DriverState.Healthy),
+            new DriverHealthSnapshot("b", DriverState.Healthy),
+        ]);
+        verdict.ShouldBe(ReadinessVerdict.Healthy);
+    }
+
+    [Fact]
+    public void AnyFaulted_TrumpsEverything()
+    {
+        var verdict = DriverHealthReport.Aggregate([
+            new DriverHealthSnapshot("a", DriverState.Healthy),
+            new DriverHealthSnapshot("b", DriverState.Degraded),
+            new DriverHealthSnapshot("c", DriverState.Faulted),
+            new DriverHealthSnapshot("d", DriverState.Initializing),
+        ]);
+        verdict.ShouldBe(ReadinessVerdict.Faulted);
+    }
+
+    [Theory]
+    [InlineData(DriverState.Unknown)]
+    [InlineData(DriverState.Initializing)]
+    public void Any_NotReady_WithoutFaulted_IsNotReady(DriverState initializingState)
+    {
+        var verdict = DriverHealthReport.Aggregate([
+            new DriverHealthSnapshot("a", DriverState.Healthy),
+            new DriverHealthSnapshot("b", initializingState),
+        ]);
+        verdict.ShouldBe(ReadinessVerdict.NotReady);
+    }
+
+    [Fact]
+    public void Any_Degraded_WithoutFaultedOrNotReady_IsDegraded()
+    {
+        var verdict = DriverHealthReport.Aggregate([
+            new DriverHealthSnapshot("a", DriverState.Healthy),
+            new DriverHealthSnapshot("b", DriverState.Degraded),
+        ]);
+        verdict.ShouldBe(ReadinessVerdict.Degraded);
+    }
+
+    [Theory]
+    [InlineData(ReadinessVerdict.Healthy, 200)]
+    [InlineData(ReadinessVerdict.Degraded, 200)]
+    [InlineData(ReadinessVerdict.NotReady, 503)]
+    [InlineData(ReadinessVerdict.Faulted, 503)]
+    public void HttpStatus_MatchesStateMatrix(ReadinessVerdict verdict, int expected)
+    {
+        DriverHealthReport.HttpStatus(verdict).ShouldBe(expected);
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Core.Tests/Observability/LogContextEnricherTests.cs

@@ -0,0 +1,78 @@
+using Serilog;
+using Serilog.Core;
+using Serilog.Events;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Core.Observability;
+
+namespace ZB.MOM.WW.OtOpcUa.Core.Tests.Observability;
+
+[Trait("Category", "Unit")]
+public sealed class LogContextEnricherTests
+{
+    [Fact]
+    public void Scope_Attaches_AllFour_Properties()
+    {
+        var captured = new InMemorySink();
+        var logger = new LoggerConfiguration()
+            .Enrich.FromLogContext()
+            .WriteTo.Sink(captured)
+            .CreateLogger();
+
+        using (LogContextEnricher.Push("drv-1", "Modbus", DriverCapability.Read, "abc123"))
+        {
+            logger.Information("test message");
+        }
+
+        var evt = captured.Events.ShouldHaveSingleItem();
+        evt.Properties["DriverInstanceId"].ToString().ShouldBe("\"drv-1\"");
+        evt.Properties["DriverType"].ToString().ShouldBe("\"Modbus\"");
+        evt.Properties["CapabilityName"].ToString().ShouldBe("\"Read\"");
+        evt.Properties["CorrelationId"].ToString().ShouldBe("\"abc123\"");
+    }
+
+    [Fact]
+    public void Scope_Dispose_Pops_Properties()
+    {
+        var captured = new InMemorySink();
+        var logger = new LoggerConfiguration()
+            .Enrich.FromLogContext()
+            .WriteTo.Sink(captured)
+            .CreateLogger();
+
+        using (LogContextEnricher.Push("drv-1", "Modbus", DriverCapability.Read, "abc123"))
+        {
+            logger.Information("inside");
+        }
+        logger.Information("outside");
+
+        captured.Events.Count.ShouldBe(2);
+        captured.Events[0].Properties.ContainsKey("DriverInstanceId").ShouldBeTrue();
+        captured.Events[1].Properties.ContainsKey("DriverInstanceId").ShouldBeFalse();
+    }
+
+    [Fact]
+    public void NewCorrelationId_Returns_12_Hex_Chars()
+    {
+        var id = LogContextEnricher.NewCorrelationId();
+        id.Length.ShouldBe(12);
+        id.ShouldMatch("^[0-9a-f]{12}$");
+    }
+
+    [Theory]
+    [InlineData(null)]
+    [InlineData("")]
+    [InlineData("   ")]
+    public void Push_Throws_OnMissingDriverInstanceId(string? id)
+    {
+        Should.Throw<ArgumentException>(() =>
+            LogContextEnricher.Push(id!, "Modbus", DriverCapability.Read, "c"));
+    }
+
+    private sealed class InMemorySink : ILogEventSink
+    {
+        public List<LogEvent> Events { get; } = [];
+        public void Emit(LogEvent logEvent) => Events.Add(logEvent);
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Core.Tests/Resilience/DriverResilienceStatusTrackerTests.cs

@@ -0,0 +1,110 @@
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Core.Resilience;
+
+namespace ZB.MOM.WW.OtOpcUa.Core.Tests.Resilience;
+
+[Trait("Category", "Unit")]
+public sealed class DriverResilienceStatusTrackerTests
+{
+    private static readonly DateTime Now = new(2026, 4, 19, 12, 0, 0, DateTimeKind.Utc);
+
+    [Fact]
+    public void TryGet_Returns_Null_Before_AnyWrite()
+    {
+        var tracker = new DriverResilienceStatusTracker();
+
+        tracker.TryGet("drv", "host").ShouldBeNull();
+    }
+
+    [Fact]
+    public void RecordFailure_Accumulates_ConsecutiveFailures()
+    {
+        var tracker = new DriverResilienceStatusTracker();
+
+        tracker.RecordFailure("drv", "host", Now);
+        tracker.RecordFailure("drv", "host", Now.AddSeconds(1));
+        tracker.RecordFailure("drv", "host", Now.AddSeconds(2));
+
+        tracker.TryGet("drv", "host")!.ConsecutiveFailures.ShouldBe(3);
+    }
+
+    [Fact]
+    public void RecordSuccess_Resets_ConsecutiveFailures()
+    {
+        var tracker = new DriverResilienceStatusTracker();
+        tracker.RecordFailure("drv", "host", Now);
+        tracker.RecordFailure("drv", "host", Now.AddSeconds(1));
+
+        tracker.RecordSuccess("drv", "host", Now.AddSeconds(2));
+
+        tracker.TryGet("drv", "host")!.ConsecutiveFailures.ShouldBe(0);
+    }
+
+    [Fact]
+    public void RecordBreakerOpen_Populates_LastBreakerOpenUtc()
+    {
+        var tracker = new DriverResilienceStatusTracker();
+
+        tracker.RecordBreakerOpen("drv", "host", Now);
+
+        tracker.TryGet("drv", "host")!.LastBreakerOpenUtc.ShouldBe(Now);
+    }
+
+    [Fact]
+    public void RecordRecycle_Populates_LastRecycleUtc()
+    {
+        var tracker = new DriverResilienceStatusTracker();
+
+        tracker.RecordRecycle("drv", "host", Now);
+
+        tracker.TryGet("drv", "host")!.LastRecycleUtc.ShouldBe(Now);
+    }
+
+    [Fact]
+    public void RecordFootprint_CapturesBaselineAndCurrent()
+    {
+        var tracker = new DriverResilienceStatusTracker();
+
+        tracker.RecordFootprint("drv", "host", baselineBytes: 100_000_000, currentBytes: 150_000_000, Now);
+
+        var snap = tracker.TryGet("drv", "host")!;
+        snap.BaselineFootprintBytes.ShouldBe(100_000_000);
+        snap.CurrentFootprintBytes.ShouldBe(150_000_000);
+    }
+
+    [Fact]
+    public void DifferentHosts_AreIndependent()
+    {
+        var tracker = new DriverResilienceStatusTracker();
+
+        tracker.RecordFailure("drv", "host-a", Now);
+        tracker.RecordFailure("drv", "host-b", Now);
+        tracker.RecordSuccess("drv", "host-a", Now.AddSeconds(1));
+
+        tracker.TryGet("drv", "host-a")!.ConsecutiveFailures.ShouldBe(0);
+        tracker.TryGet("drv", "host-b")!.ConsecutiveFailures.ShouldBe(1);
+    }
+
+    [Fact]
+    public void Snapshot_ReturnsAll_TrackedPairs()
+    {
+        var tracker = new DriverResilienceStatusTracker();
+        tracker.RecordFailure("drv-1", "host-a", Now);
+        tracker.RecordFailure("drv-1", "host-b", Now);
+        tracker.RecordFailure("drv-2", "host-a", Now);
+
+        var snapshot = tracker.Snapshot();
+
+        snapshot.Count.ShouldBe(3);
+    }
+
+    [Fact]
+    public void ConcurrentWrites_DoNotLose_Failures()
+    {
+        var tracker = new DriverResilienceStatusTracker();
+        Parallel.For(0, 500, _ => tracker.RecordFailure("drv", "host", Now));
+
+        tracker.TryGet("drv", "host")!.ConsecutiveFailures.ShouldBe(500);
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Server.Tests/HealthEndpointsHostTests.cs

@@ -0,0 +1,177 @@
+using System.Net.Http;
+using System.Text.Json;
+using Microsoft.Extensions.Logging.Abstractions;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Core.Hosting;
+using ZB.MOM.WW.OtOpcUa.Server.Observability;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.Tests;
+
+[Trait("Category", "Integration")]
+public sealed class HealthEndpointsHostTests : IAsyncLifetime
+{
+    private static int _portCounter = 48500 + Random.Shared.Next(0, 99);
+    private readonly int _port = Interlocked.Increment(ref _portCounter);
+    private string Prefix => $"http://localhost:{_port}/";
+    private readonly DriverHost _driverHost = new();
+    private HealthEndpointsHost _host = null!;
+    private HttpClient _client = null!;
+
+    public ValueTask InitializeAsync()
+    {
+        _client = new HttpClient { BaseAddress = new Uri(Prefix) };
+        return ValueTask.CompletedTask;
+    }
+
+    public async ValueTask DisposeAsync()
+    {
+        _client.Dispose();
+        if (_host is not null) await _host.DisposeAsync();
+    }
+
+    private HealthEndpointsHost Start(Func<bool>? configDbHealthy = null, Func<bool>? usingStaleConfig = null)
+    {
+        _host = new HealthEndpointsHost(
+            _driverHost,
+            NullLogger<HealthEndpointsHost>.Instance,
+            configDbHealthy,
+            usingStaleConfig,
+            prefix: Prefix);
+        _host.Start();
+        return _host;
+    }
+
+    [Fact]
+    public async Task Healthz_ReturnsHealthy_EmptyFleet()
+    {
+        Start();
+
+        var response = await _client.GetAsync("/healthz");
+
+        response.IsSuccessStatusCode.ShouldBeTrue();
+        var body = JsonDocument.Parse(await response.Content.ReadAsStringAsync()).RootElement;
+        body.GetProperty("status").GetString().ShouldBe("healthy");
+        body.GetProperty("configDbReachable").GetBoolean().ShouldBeTrue();
+        body.GetProperty("usingStaleConfig").GetBoolean().ShouldBeFalse();
+    }
+
+    [Fact]
+    public async Task Healthz_StaleConfig_Returns200_WithFlag()
+    {
+        Start(configDbHealthy: () => false, usingStaleConfig: () => true);
+
+        var response = await _client.GetAsync("/healthz");
+
+        response.StatusCode.ShouldBe(System.Net.HttpStatusCode.OK);
+        var body = JsonDocument.Parse(await response.Content.ReadAsStringAsync()).RootElement;
+        body.GetProperty("configDbReachable").GetBoolean().ShouldBeFalse();
+        body.GetProperty("usingStaleConfig").GetBoolean().ShouldBeTrue();
+    }
+
+    [Fact]
+    public async Task Healthz_UnreachableConfig_And_NoCache_Returns503()
+    {
+        Start(configDbHealthy: () => false, usingStaleConfig: () => false);
+
+        var response = await _client.GetAsync("/healthz");
+
+        response.StatusCode.ShouldBe(System.Net.HttpStatusCode.ServiceUnavailable);
+    }
+
+    [Fact]
+    public async Task Readyz_EmptyFleet_Is200_Healthy()
+    {
+        Start();
+
+        var response = await _client.GetAsync("/readyz");
+
+        response.StatusCode.ShouldBe(System.Net.HttpStatusCode.OK);
+        var body = JsonDocument.Parse(await response.Content.ReadAsStringAsync()).RootElement;
+        body.GetProperty("verdict").GetString().ShouldBe("Healthy");
+    }
+
+    [Fact]
+    public async Task Readyz_WithHealthyDriver_Is200()
+    {
+        await _driverHost.RegisterAsync(new StubDriver("drv-1", DriverState.Healthy), "{}", CancellationToken.None);
+        Start();
+
+        var response = await _client.GetAsync("/readyz");
+
+        response.StatusCode.ShouldBe(System.Net.HttpStatusCode.OK);
+        var body = JsonDocument.Parse(await response.Content.ReadAsStringAsync()).RootElement;
+        body.GetProperty("verdict").GetString().ShouldBe("Healthy");
+        body.GetProperty("drivers").GetArrayLength().ShouldBe(1);
+    }
+
+    [Fact]
+    public async Task Readyz_WithFaultedDriver_Is503()
+    {
+        await _driverHost.RegisterAsync(new StubDriver("dead", DriverState.Faulted), "{}", CancellationToken.None);
+        await _driverHost.RegisterAsync(new StubDriver("alive", DriverState.Healthy), "{}", CancellationToken.None);
+        Start();
+
+        var response = await _client.GetAsync("/readyz");
+
+        response.StatusCode.ShouldBe(System.Net.HttpStatusCode.ServiceUnavailable);
+        var body = JsonDocument.Parse(await response.Content.ReadAsStringAsync()).RootElement;
+        body.GetProperty("verdict").GetString().ShouldBe("Faulted");
+    }
+
+    [Fact]
+    public async Task Readyz_WithDegradedDriver_Is200_WithDegradedList()
+    {
+        await _driverHost.RegisterAsync(new StubDriver("drv-ok", DriverState.Healthy), "{}", CancellationToken.None);
+        await _driverHost.RegisterAsync(new StubDriver("drv-deg", DriverState.Degraded), "{}", CancellationToken.None);
+        Start();
+
+        var response = await _client.GetAsync("/readyz");
+
+        response.StatusCode.ShouldBe(System.Net.HttpStatusCode.OK);
+        var body = JsonDocument.Parse(await response.Content.ReadAsStringAsync()).RootElement;
+        body.GetProperty("verdict").GetString().ShouldBe("Degraded");
+        body.GetProperty("degradedDrivers").GetArrayLength().ShouldBe(1);
+        body.GetProperty("degradedDrivers")[0].GetString().ShouldBe("drv-deg");
+    }
+
+    [Fact]
+    public async Task Readyz_WithInitializingDriver_Is503()
+    {
+        await _driverHost.RegisterAsync(new StubDriver("init", DriverState.Initializing), "{}", CancellationToken.None);
+        Start();
+
+        var response = await _client.GetAsync("/readyz");
+
+        response.StatusCode.ShouldBe(System.Net.HttpStatusCode.ServiceUnavailable);
+    }
+
+    [Fact]
+    public async Task Unknown_Path_Returns404()
+    {
+        Start();
+
+        var response = await _client.GetAsync("/foo");
+
+        response.StatusCode.ShouldBe(System.Net.HttpStatusCode.NotFound);
+    }
+
+    private sealed class StubDriver : IDriver
+    {
+        private readonly DriverState _state;
+        public StubDriver(string id, DriverState state)
+        {
+            DriverInstanceId = id;
+            _state = state;
+        }
+        public string DriverInstanceId { get; }
+        public string DriverType => "Stub";
+        public Task InitializeAsync(string _, CancellationToken ct) => Task.CompletedTask;
+        public Task ReinitializeAsync(string _, CancellationToken ct) => Task.CompletedTask;
+        public Task ShutdownAsync(CancellationToken ct) => Task.CompletedTask;
+        public DriverHealth GetHealth() => new(_state, null, null);
+        public long GetMemoryFootprint() => 0;
+        public Task FlushOptionalCachesAsync(CancellationToken ct) => Task.CompletedTask;
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Server.Tests/HistoryReadIntegrationTests.cs

@@ -46,7 +46,7 @@ public sealed class HistoryReadIntegrationTests : IAsyncLifetime
             ApplicationName = "OtOpcUaHistoryTest",
             ApplicationUri = "urn:OtOpcUa:Server:HistoryTest",
             PkiStoreRoot = _pkiRoot,
-            AutoAcceptUntrustedClientCertificates = true,
+            AutoAcceptUntrustedClientCertificates = true, HealthEndpointsEnabled = false,
         };
 
         _server = new OpcUaApplicationHost(options, _driverHost, new DenyAllUserAuthenticator(),

tests/ZB.MOM.WW.OtOpcUa.Server.Tests/MultipleDriverInstancesIntegrationTests.cs

@@ -49,7 +49,7 @@ public sealed class MultipleDriverInstancesIntegrationTests : IAsyncLifetime
             ApplicationName = "OtOpcUaMultiDriverTest",
             ApplicationUri = "urn:OtOpcUa:Server:MultiDriverTest",
             PkiStoreRoot = _pkiRoot,
-            AutoAcceptUntrustedClientCertificates = true,
+            AutoAcceptUntrustedClientCertificates = true, HealthEndpointsEnabled = false,
         };
 
         _server = new OpcUaApplicationHost(options, _driverHost, new DenyAllUserAuthenticator(),

tests/ZB.MOM.WW.OtOpcUa.Server.Tests/OpcUaServerIntegrationTests.cs

@@ -36,7 +36,7 @@ public sealed class OpcUaServerIntegrationTests : IAsyncLifetime
             ApplicationName = "OtOpcUaTest",
             ApplicationUri = "urn:OtOpcUa:Server:Test",
             PkiStoreRoot = _pkiRoot,
-            AutoAcceptUntrustedClientCertificates = true,
+            AutoAcceptUntrustedClientCertificates = true, HealthEndpointsEnabled = false,
         };
 
         _server = new OpcUaApplicationHost(options, _driverHost, new DenyAllUserAuthenticator(),