AB CIP PR 4 — IWritable implementation. LibplctagTagRuntime.EncodeValue fills in the switch for every atomic Logix type the driver currently surfaces — Bool (standalone BOOL via SetInt8 0/1), SInt/USInt (SetInt8/SetUInt8), Int/UInt (SetInt16/SetUInt16), DInt/UDInt (SetInt32/SetUInt32), LInt/ULInt (SetInt64/SetUInt64), Real (SetFloat32), LReal (SetFloat64), String (SetString 0), Dt (epoch DINT via SetInt32). BOOL-within-DINT writes throw NotSupportedException with a code comment matching the Modbus BitInRegister pattern at ModbusDriver.cs line 640 — the read-modify-write logic + lock-per-DINT discipline is a follow-up PR rather than squeezing it into the initial wire plumbing. Structure writes throw NotSupportedException pointing at PR 6 when UDT support lands. AbCipDriver now implements IWritable. WriteAsync iterates writes preserving order, short-circuits on unknown reference → BadNodeIdUnknown, on non-writable tag definition → BadNotWritable, on unknown device → BadNodeIdUnknown. Happy path materialises the cached runtime via EnsureTagRuntimeAsync (shares PR 3's lazy-init path so read+write on the same tag hits one native handle), EncodeValue into the tag's buffer, WriteAsync flushes, GetStatus confirms the wire status, maps libplctag error codes via AbCipStatusMapper.MapLibplctagStatus, sets health Healthy on success. Per plan decisions #44 , #45 , #143 the driver does NOT auto-retry writes — that's a resilience-layer concern (Polly pipeline sitting above) keyed on the tag's WriteIdempotent flag. Exception-mapping table — OperationCanceledException rethrows (honors cancellation), NotSupportedException → BadNotSupported (bit-in-DINT, Structure, future unsupported types), FormatException → BadTypeMismatch (Convert.ToInt32 of a non-numeric string), InvalidCastException → BadTypeMismatch (caller passed an object incompatible with the conversion target), OverflowException → BadOutOfRange (value exceeds target type range, e.g. Int16 write of 1_000_000), any other Exception → BadCommunicationError (wire drop, libplctag-internal failure). Health surface updates Degraded on every non-Cancellation exception path, Healthy on success. Introduces AbCipStatusMapper.BadTypeMismatch (0x80730000). 10 new unit tests in AbCipDriverWriteTests covering — unknown ref → BadNodeIdUnknown, non-writable tag → BadNotWritable, successful DInt write encodes + flushes the value + marks WriteCount=1, BOOL-in-DINT rejected as BadNotSupported (separate ThrowingBoolBitFake mirrors LibplctagTagRuntime's runtime check), non-zero libplctag status after write mapped via AbCipStatusMapper (timeout -5 → BadTimeout), FormatException from non-numeric-string write → BadTypeMismatch (RealConvertFake exercises real Convert.ToInt32), OverflowException from Int16 write of 1_000_000 → BadOutOfRange, generic exception during write → BadCommunicationError + health Degraded, batch with mixed success+failure preserves order across four request types, cancellation propagates as OperationCanceledException. FakeAbCipTag's test-fake base class methods made virtual so override hooks work correctly through the IAbCipTagRuntime interface (new-shadow was silently falling through to the base implementation). Total AbCip unit tests now 98/98 passing; Modbus + other existing tests untouched; full solution builds 0 errors.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Merge pull request (#110 ) - AbCip IReadable
2026-04-19 16:57:52 -04:00 · 2026-04-19 16:41:02 -04:00 · 2026-04-19 16:38:54 -04:00 · 2026-04-19 16:00:28 -04:00 · 2026-04-19 15:58:15 -04:00 · 2026-04-19 15:51:11 -04:00
70 changed files with 9322 additions and 158 deletions
--- a/ZB.MOM.WW.OtOpcUa.slnx
+++ b/ZB.MOM.WW.OtOpcUa.slnx
@@ -10,6 +10,7 @@
        <Project Path="src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.csproj"/>
        <Project Path="src/ZB.MOM.WW.OtOpcUa.Driver.Modbus/ZB.MOM.WW.OtOpcUa.Driver.Modbus.csproj"/>
        <Project Path="src/ZB.MOM.WW.OtOpcUa.Driver.S7/ZB.MOM.WW.OtOpcUa.Driver.S7.csproj"/>
+        <Project Path="src/ZB.MOM.WW.OtOpcUa.Driver.AbCip/ZB.MOM.WW.OtOpcUa.Driver.AbCip.csproj"/>
        <Project Path="src/ZB.MOM.WW.OtOpcUa.Driver.OpcUaClient/ZB.MOM.WW.OtOpcUa.Driver.OpcUaClient.csproj"/>
        <Project Path="src/ZB.MOM.WW.OtOpcUa.Client.Shared/ZB.MOM.WW.OtOpcUa.Client.Shared.csproj"/>
        <Project Path="src/ZB.MOM.WW.OtOpcUa.Client.CLI/ZB.MOM.WW.OtOpcUa.Client.CLI.csproj"/>
@@ -29,6 +30,8 @@
        <Project Path="tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.Tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.Tests.csproj"/>
        <Project Path="tests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests/ZB.MOM.WW.OtOpcUa.Driver.Modbus.IntegrationTests.csproj"/>
        <Project Path="tests/ZB.MOM.WW.OtOpcUa.Driver.S7.Tests/ZB.MOM.WW.OtOpcUa.Driver.S7.Tests.csproj"/>
+        <Project Path="tests/ZB.MOM.WW.OtOpcUa.Driver.AbCip.Tests/ZB.MOM.WW.OtOpcUa.Driver.AbCip.Tests.csproj"/>
+        <Project Path="tests/ZB.MOM.WW.OtOpcUa.Driver.AbCip.IntegrationTests/ZB.MOM.WW.OtOpcUa.Driver.AbCip.IntegrationTests.csproj"/>
        <Project Path="tests/ZB.MOM.WW.OtOpcUa.Driver.OpcUaClient.Tests/ZB.MOM.WW.OtOpcUa.Driver.OpcUaClient.Tests.csproj"/>
        <Project Path="tests/ZB.MOM.WW.OtOpcUa.Client.Shared.Tests/ZB.MOM.WW.OtOpcUa.Client.Shared.Tests.csproj"/>
        <Project Path="tests/ZB.MOM.WW.OtOpcUa.Client.CLI.Tests/ZB.MOM.WW.OtOpcUa.Client.CLI.Tests.csproj"/>
--- a/docs/v2/implementation/phase-6-4-admin-ui-completion.md
+++ b/docs/v2/implementation/phase-6-4-admin-ui-completion.md
@@ -1,6 +1,14 @@
 # Phase 6.4 — Admin UI Completion

-> **Status**: DRAFT — Phase 1 Stream E shipped the Admin scaffold + core pages; several feature-completeness items from its completion checklist (`phase-1-configuration-and-admin-scaffold.md` §Stream E) never landed. This phase closes them.
+> **Status**: **SHIPPED (data layer)** 2026-04-19 — Stream A.2 (UnsImpactAnalyzer + DraftRevisionToken) and Stream B.1 (EquipmentCsvImporter parser) merged to `v2` in PR #91. Exit gate in PR #92.
+>
+> Deferred follow-ups (Blazor UI + staging tables + address-space wiring):
+> - Stream A UI — UnsTab MudBlazor drag/drop + 409 concurrent-edit modal + Playwright smoke (task #153).
+> - Stream B follow-up — EquipmentImportBatch staging + FinaliseImportBatch transaction + CSV import UI (task #155).
+> - Stream C — DiffViewer refactor into base + 6 section plugins + 1000-row cap + SignalR paging (task #156).
+> - Stream D — IdentificationFields.razor + DriverNodeManager OPC 40010 sub-folder exposure (task #157).
+>
+> Baseline pre-Phase-6.4: 1137 solution tests → post-Phase-6.4 data layer: 1159 passing (+22).
 >
 > **Branch**: `v2/phase-6-4-admin-ui-completion`
 > **Estimated duration**: 2 weeks
--- a/docs/v2/v2-release-readiness.md
+++ b/docs/v2/v2-release-readiness.md
@@ -0,0 +1,109 @@
+# v2 Release Readiness
+
+> **Last updated**: 2026-04-19 (all three release blockers CLOSED — Phase 6.3 Streams A/C core shipped)
+> **Status**: **RELEASE-READY (code-path)** for v2 GA — all three code-path release blockers are closed. Remaining work is manual (client interop matrix, deployment checklist signoff, OPC UA CTT pass) + hardening follow-ups; see exit-criteria checklist below.
+
+This doc is the single view of where v2 stands against its release criteria. Update it whenever a deferred follow-up closes or a new release blocker is discovered.
+
+## Release-readiness dashboard
+
+| Phase | Shipped | Status |
+|---|---|---|
+| Phase 0 — Rename + entry gate | ✓ | Shipped |
+| Phase 1 — Configuration + Admin scaffold | ✓ | Shipped (some UI items deferred to 6.4) |
+| Phase 2 — Galaxy driver split (Proxy/Host/Shared) | ✓ | Shipped |
+| Phase 3 — OPC UA server + LDAP + security profiles | ✓ | Shipped |
+| Phase 4 — Redundancy scaffold (entities + endpoints) | ✓ | Shipped (runtime closes in 6.3) |
+| Phase 5 — Drivers | ⚠ partial | Galaxy / Modbus / S7 / OpcUaClient shipped; AB CIP / AB Legacy / TwinCAT / FOCAS deferred (task #120) |
+| Phase 6.1 — Resilience & Observability | ✓ | **SHIPPED** (PRs #78–83) |
+| Phase 6.2 — Authorization runtime | ◐ core | **SHIPPED (core)** (PRs #84–88); dispatch wiring + Admin UI deferred |
+| Phase 6.3 — Redundancy runtime | ◐ core | **SHIPPED (core)** (PRs #89–90); coordinator + UA-node wiring + Admin UI + interop deferred |
+| Phase 6.4 — Admin UI completion | ◐ data layer | **SHIPPED (data layer)** (PRs #91–92); Blazor UI + OPC 40010 address-space wiring deferred |
+
+**Aggregate test counts:** 906 baseline (pre-Phase-6) → **1159 passing** across Phase 6. One pre-existing Client.CLI `SubscribeCommandTests.Execute_PrintsSubscriptionMessage` flake tracked separately.
+
+## Release blockers (must close before v2 GA)
+
+Ordered by severity + impact on production fitness.
+
+### ~~Security — Phase 6.2 dispatch wiring~~ (task #143 — **CLOSED** 2026-04-19, PR #94)
+
+**Closed**. `AuthorizationGate` + `NodeScopeResolver` now thread through `OpcUaApplicationHost → OtOpcUaServer → DriverNodeManager`. `OnReadValue` + `OnWriteValue` + all four HistoryRead paths call `gate.IsAllowed(identity, operation, scope)` before the invoker. Production deployments activate enforcement by constructing `OpcUaApplicationHost` with an `AuthorizationGate(StrictMode: true)` + populating the `NodeAcl` table.
+
+Additional Stream C surfaces (not release-blocking, hardening only):
+
+- Browse + TranslateBrowsePathsToNodeIds gating with ancestor-visibility logic per `acl-design.md` §Browse.
+- CreateMonitoredItems + TransferSubscriptions gating with per-item `(AuthGenerationId, MembershipVersion)` stamp so revoked grants surface `BadUserAccessDenied` within one publish cycle (decision #153).
+- Alarm Acknowledge / Confirm / Shelve gating.
+- Call (method invocation) gating.
+- Finer-grained scope resolution — current `NodeScopeResolver` returns a flat cluster-level scope. Joining against the live Configuration DB to populate UnsArea / UnsLine / Equipment path is tracked as Stream C.12.
+- 3-user integration matrix covering every operation × allow/deny.
+
+These are additional hardening — the three highest-value surfaces (Read / Write / HistoryRead) are now gated, which covers the base-security gap for v2 GA.
+
+### ~~Config fallback — Phase 6.1 Stream D wiring~~ (task #136 — **CLOSED** 2026-04-19, PR #96)
+
+**Closed**. `SealedBootstrap` consumes `ResilientConfigReader` + `GenerationSealedCache` + `StaleConfigFlag` end-to-end: bootstrap calls go through the timeout → retry → fallback-to-sealed pipeline; every central-DB success writes a fresh sealed snapshot so the next cache-miss has a known-good fallback; `StaleConfigFlag.IsStale` is now consumed by `HealthEndpointsHost.usingStaleConfig` so `/healthz` body reports reality.
+
+Production activation: Program.cs switches `NodeBootstrap → SealedBootstrap` + constructs `OpcUaApplicationHost` with the `StaleConfigFlag` as an optional ctor parameter.
+
+Remaining follow-ups (hardening, not release-blocking):
+
+- A `HostedService` that polls `sp_GetCurrentGenerationForCluster` periodically so peer-published generations land in this node's cache without a restart.
+- Richer snapshot payload via `sp_GetGenerationContent` so fallback can serve the full generation content (DriverInstance enumeration, ACL rows, etc.) from the sealed cache alone.
+
+### ~~Redundancy — Phase 6.3 Streams A/C core~~ (tasks #145 + #147 — **CLOSED** 2026-04-19, PRs #98–99)
+
+**Closed**. The runtime orchestration layer now exists end-to-end:
+
+- `RedundancyCoordinator` reads `ClusterNode` + peer list at startup (Stream A shipped in PR #98). Invariants enforced: 1-2 nodes (decision #83), unique ApplicationUri (#86), ≤1 Primary in Warm/Hot (#84). Startup fails fast on violation; runtime refresh logs + flips `IsTopologyValid=false` so the calculator falls to band 2 without tearing down.
+- `RedundancyStatePublisher` orchestrates topology + apply lease + recovery state + peer reachability through `ServiceLevelCalculator` + emits `OnStateChanged` / `OnServerUriArrayChanged` edge-triggered events (Stream C core shipped in PR #99). The OPC UA `ServiceLevel` Byte variable + `ServerUriArray` String[] variable subscribe to these events.
+
+Remaining Phase 6.3 surfaces (hardening, not release-blocking):
+
+- `PeerHttpProbeLoop` + `PeerUaProbeLoop` HostedServices that poll the peer + write to `PeerReachabilityTracker` on each tick. Without these the publisher sees `PeerReachability.Unknown` for every peer → Isolated-Primary band (230) even when the peer is up. Safe default (retains authority) but not the full non-transparent-redundancy UX.
+- OPC UA variable-node wiring layer: bind the `ServiceLevel` Byte node + `ServerUriArray` String[] node to the publisher's events via `BaseDataVariable.OnReadValue` / direct value push. Scoped follow-up on the Opc.Ua.Server stack integration.
+- `sp_PublishGeneration` wraps its apply in `await using var lease = coordinator.BeginApplyLease(...)` so the `PrimaryMidApply` band (200) fires during actual publishes (task #148 part 2).
+- Client interop matrix validation — Ignition / Kepware / Aveva OI Gateway (Stream F, task #150). Manual + doc-only work; doesn't block code ship.
+
+### Remaining drivers (task #120)
+
+AB CIP, AB Legacy, TwinCAT ADS, FOCAS drivers are planned but unshipped. Decision pending on whether these are release-blocking for v2 GA or can slip to a v2.1 follow-up.
+
+## Nice-to-haves (not release-blocking)
+
+- **Admin UI** — Phase 6.1 Stream E.2/E.3 (`/hosts` column refresh), Phase 6.2 Stream D (`RoleGrantsTab` + `AclsTab` Probe), Phase 6.3 Stream E (`RedundancyTab`), Phase 6.4 Streams A/B UI pieces, Stream C DiffViewer, Stream D `IdentificationFields.razor`. Tasks #134, #144, #149, #153, #155, #156, #157.
+- **Background services** — Phase 6.1 Stream B.4 `ScheduledRecycleScheduler` HostedService (task #137), Phase 6.1 Stream A analyzer (task #135 — Roslyn analyzer asserting every capability surface routes through `CapabilityInvoker`).
+- **Multi-host dispatch** — Phase 6.1 Stream A follow-up (task #135). Currently every driver gets a single pipeline keyed on `driver.DriverInstanceId`; multi-host drivers (Modbus with N PLCs) need per-PLC host resolution so failing PLCs trip per-PLC breakers without poisoning siblings. Decision #144 requires this but we haven't wired it yet.
+
+## Running the release-readiness check
+
+```bash
+pwsh ./scripts/compliance/phase-6-all.ps1
+```
+
+This meta-runner invokes each `phase-6-N-compliance.ps1` script in sequence and reports an aggregate PASS/FAIL. It is the single-command verification that what we claim is shipped still compiles + tests pass + the plan-level invariants are still satisfied.
+
+Exit 0 = every phase passes its compliance checks + no test-count regression.
+
+## Release-readiness exit criteria
+
+v2 GA requires all of the following:
+
+- [ ] All four Phase 6.N compliance scripts exit 0.
+- [ ] `dotnet test ZB.MOM.WW.OtOpcUa.slnx` passes with ≤ 1 known-flake failure.
+- [ ] Release blockers listed above all closed (or consciously deferred to v2.1 with a written decision).
+- [ ] Production deployment checklist (separate doc) signed off by Fleet Admin.
+- [ ] At least one end-to-end integration run against the live Galaxy on the dev box succeeds.
+- [ ] OPC UA conformance test (CTT or UA Compliance Test Tool) passes against the live endpoint.
+- [ ] Non-transparent redundancy cutover validated with at least one production client (Ignition 8.3 recommended — see decision #85).
+
+## Change log
+
+- **2026-04-19** — Release blocker #3 **closed** (PRs #98–99). Phase 6.3 Streams A + C core shipped: `ClusterTopologyLoader` + `RedundancyCoordinator` + `RedundancyStatePublisher` + `PeerReachabilityTracker`. Code-path release blockers all closed; remaining Phase 6.3 surfaces (peer-probe HostedServices, OPC UA variable-node binding, sp_PublishGeneration lease wrap, client interop matrix) are hardening follow-ups.
+- **2026-04-19** — Release blocker #2 **closed** (PR #96). `SealedBootstrap` consumes `ResilientConfigReader` + `GenerationSealedCache` + `StaleConfigFlag`; `/healthz` now surfaces the stale flag. Remaining follow-ups (periodic poller + richer snapshot payload) downgraded to hardening.
+- **2026-04-19** — Release blocker #1 **closed** (PR #94). `AuthorizationGate` wired into `DriverNodeManager` Read / Write / HistoryRead dispatch. Remaining Stream C surfaces (Browse / Subscribe / Alarm / Call + finer-grained scope resolution) downgraded to hardening follow-ups — no longer release-blocking.
+- **2026-04-19** — Phase 6.4 data layer merged (PRs #91–92). Phase 6 core complete. Capstone doc created.
+- **2026-04-19** — Phase 6.3 core merged (PRs #89–90). `ServiceLevelCalculator` + `RecoveryStateManager` + `ApplyLeaseRegistry` land as pure logic; coordinator / UA-node wiring / Admin UI / interop deferred.
+- **2026-04-19** — Phase 6.2 core merged (PRs #84–88). `AuthorizationGate` + `TriePermissionEvaluator` + `LdapGroupRoleMapping` land; dispatch wiring + Admin UI deferred.
+- **2026-04-19** — Phase 6.1 shipped (PRs #78–83). Polly resilience + Tier A/B/C stability + health endpoints + LiteDB generation-sealed cache + Admin `/hosts` data layer all live.
--- a/scripts/compliance/phase-6-4-compliance.ps1
+++ b/scripts/compliance/phase-6-4-compliance.ps1
@@ -1,82 +1,95 @@
 <#
 .SYNOPSIS
-    Phase 6.4 exit-gate compliance check — stub. Each `Assert-*` either passes
-    (Write-Host green) or throws. Non-zero exit = fail.
+    Phase 6.4 exit-gate compliance check. Each check either passes or records a
+    failure; non-zero exit = fail.

 .DESCRIPTION
-    Validates Phase 6.4 (Admin UI completion) completion. Checks enumerated in
+    Validates Phase 6.4 (Admin UI completion) progress. Checks enumerated in
    `docs/v2/implementation/phase-6-4-admin-ui-completion.md`
    §"Compliance Checks (run at exit gate)".

-    Current status: SCAFFOLD. Every check writes a TODO line and does NOT throw.
-    Each implementation task in Phase 6.4 is responsible for replacing its TODO
-    with a real check before closing that task.
-
 .NOTES
    Usage:  pwsh ./scripts/compliance/phase-6-4-compliance.ps1
-    Exit:   0 = all checks passed (or are still TODO); non-zero = explicit fail
+    Exit:   0 = all checks passed; non-zero = one or more FAILs
 #>
 [CmdletBinding()]
 param()

 $ErrorActionPreference = 'Stop'
 $script:failures = 0
+$repoRoot = (Resolve-Path (Join-Path $PSScriptRoot '..\..')).Path

-function Assert-Todo {
-    param([string]$Check, [string]$ImplementationTask)
-    Write-Host "  [TODO] $Check  (implement during $ImplementationTask)" -ForegroundColor Yellow
+function Assert-Pass { param([string]$C) Write-Host "  [PASS] $C" -ForegroundColor Green }
+function Assert-Fail { param([string]$C, [string]$R) Write-Host "  [FAIL] $C - $R" -ForegroundColor Red; $script:failures++ }
+function Assert-Deferred { param([string]$C, [string]$P) Write-Host "  [DEFERRED] $C  (follow-up: $P)" -ForegroundColor Yellow }
+
+function Assert-FileExists {
+    param([string]$C, [string]$P)
+    if (Test-Path (Join-Path $repoRoot $P)) { Assert-Pass "$C  ($P)" }
+    else { Assert-Fail $C "missing file: $P" }
 }

-function Assert-Pass {
-    param([string]$Check)
-    Write-Host "  [PASS] $Check" -ForegroundColor Green
-}
-
-function Assert-Fail {
-    param([string]$Check, [string]$Reason)
-    Write-Host "  [FAIL] $Check — $Reason" -ForegroundColor Red
-    $script:failures++
+function Assert-TextFound {
+    param([string]$C, [string]$Pat, [string[]]$Paths)
+    foreach ($p in $Paths) {
+        $full = Join-Path $repoRoot $p
+        if (-not (Test-Path $full)) { continue }
+        if (Select-String -Path $full -Pattern $Pat -Quiet) {
+            Assert-Pass "$C  (matched in $p)"
+            return
+        }
+    }
+    Assert-Fail $C "pattern '$Pat' not found in any of: $($Paths -join ', ')"
 }

 Write-Host ""
-Write-Host "=== Phase 6.4 compliance — Admin UI completion ===" -ForegroundColor Cyan
+Write-Host "=== Phase 6.4 compliance - Admin UI completion ===" -ForegroundColor Cyan
 Write-Host ""

-Write-Host "Stream A — UNS drag/move + impact preview"
-Assert-Todo "UNS drag/move — drag line across areas; modal shows correct impacted-equipment + tag counts" "Stream A.2"
-Assert-Todo "Concurrent-edit safety — session B saves draft mid-preview; session A Confirm returns 409" "Stream A.3 (DraftRevisionToken)"
-Assert-Todo "Cross-cluster drop disabled — actionable toast points to Export/Import" "Stream A.2"
-Assert-Todo "1000-node tree — drag-enter feedback < 100 ms" "Stream A.4"
+Write-Host "Stream A data layer - UnsImpactAnalyzer"
+Assert-FileExists "UnsImpactAnalyzer present" "src/ZB.MOM.WW.OtOpcUa.Admin/Services/UnsImpactAnalyzer.cs"
+Assert-TextFound "DraftRevisionToken present" "record DraftRevisionToken" @("src/ZB.MOM.WW.OtOpcUa.Admin/Services/UnsImpactAnalyzer.cs")
+Assert-TextFound "Cross-cluster move rejected per decision #82" "CrossClusterMoveRejectedException" @("src/ZB.MOM.WW.OtOpcUa.Admin/Services/UnsImpactAnalyzer.cs")
+Assert-TextFound "LineMove + AreaRename + LineMerge covered" "UnsMoveKind\.LineMerge" @("src/ZB.MOM.WW.OtOpcUa.Admin/Services/UnsImpactAnalyzer.cs")

 Write-Host ""
-Write-Host "Stream B — CSV import + staged-import + 5-identifier search"
-Assert-Todo "CSV header version — file missing '# OtOpcUaCsv v1' rejected pre-parse" "Stream B.1"
-Assert-Todo "CSV canonical identifier set — columns match decision #117 exactly" "Stream B.1"
-Assert-Todo "Staged-import atomicity — 10k-row FinaliseImportBatch < 30 s; user-scoped visibility; DropImportBatch rollback" "Stream B.3"
-Assert-Todo "Concurrent import + external reservation — finalize retries with conflict handling; no corruption" "Stream B.3"
-Assert-Todo "5-identifier search ranking — exact > prefix; published > draft for equal scores" "Stream B.4"
+Write-Host "Stream B data layer - EquipmentCsvImporter"
+Assert-FileExists "EquipmentCsvImporter present" "src/ZB.MOM.WW.OtOpcUa.Admin/Services/EquipmentCsvImporter.cs"
+Assert-TextFound "CSV header version marker '# OtOpcUaCsv v1'" "OtOpcUaCsv v1" @("src/ZB.MOM.WW.OtOpcUa.Admin/Services/EquipmentCsvImporter.cs")
+Assert-TextFound "Required columns match decision #117" "ZTag.+MachineCode.+SAPID.+EquipmentId.+EquipmentUuid" @("src/ZB.MOM.WW.OtOpcUa.Admin/Services/EquipmentCsvImporter.cs")
+Assert-TextFound "Optional columns match decision #139 (Manufacturer)" "Manufacturer" @("src/ZB.MOM.WW.OtOpcUa.Admin/Services/EquipmentCsvImporter.cs")
+Assert-TextFound "Optional columns include DeviceManualUri" "DeviceManualUri" @("src/ZB.MOM.WW.OtOpcUa.Admin/Services/EquipmentCsvImporter.cs")
+Assert-TextFound "Rejects duplicate ZTag within file" "Duplicate ZTag" @("src/ZB.MOM.WW.OtOpcUa.Admin/Services/EquipmentCsvImporter.cs")
+Assert-TextFound "Rejects unknown column" "unknown column" @("src/ZB.MOM.WW.OtOpcUa.Admin/Services/EquipmentCsvImporter.cs")

 Write-Host ""
-Write-Host "Stream C — DiffViewer sections"
-Assert-Todo "Diff viewer section caps — 2000-row subtree-rename summary-only; 'Load full diff' paginates" "Stream C.2"
-
-Write-Host ""
-Write-Host "Stream D — Identification (OPC 40010)"
-Assert-Todo "OPC 40010 field list match — rendered fields match decision #139 exactly; no extras" "Stream D.1"
-Assert-Todo "OPC 40010 exposure — Identification sub-folder shows when non-null; absent when all null" "Stream D.3"
-Assert-Todo "ACL inheritance for Identification — Equipment-grant reads; no-grant denies both" "Stream D.4"
-
-Write-Host ""
-Write-Host "Visual compliance"
-Assert-Todo "Visual parity reviewer — FleetAdmin signoff vs admin-ui.md §Visual-Design; screenshot set checked in under docs/v2/visual-compliance/phase-6-4/" "Visual review"
+Write-Host "Deferred surfaces"
+Assert-Deferred "Stream A UI - UnsTab MudBlazor drag/drop + 409 modal + Playwright" "task #153"
+Assert-Deferred "Stream B follow-up - EquipmentImportBatch staging + FinaliseImportBatch + CSV import UI" "task #155"
+Assert-Deferred "Stream C - DiffViewer refactor + 6 section plugins + 1000-row cap" "task #156"
+Assert-Deferred "Stream D - IdentificationFields.razor + DriverNodeManager OPC 40010 sub-folder" "task #157"

 Write-Host ""
 Write-Host "Cross-cutting"
-Assert-Todo "Full solution dotnet test passes; no test-count regression vs pre-Phase-6.4 baseline" "Final exit-gate"
+Write-Host "  Running full solution test suite..." -ForegroundColor DarkGray
+$prevPref = $ErrorActionPreference
+$ErrorActionPreference = 'Continue'
+$testOutput = & dotnet test (Join-Path $repoRoot 'ZB.MOM.WW.OtOpcUa.slnx') --nologo 2>&1
+$ErrorActionPreference = $prevPref
+$passLine = $testOutput | Select-String 'Passed:\s+(\d+)' -AllMatches
+$failLine = $testOutput | Select-String 'Failed:\s+(\d+)' -AllMatches
+$passCount = 0; foreach ($m in $passLine.Matches) { $passCount += [int]$m.Groups[1].Value }
+$failCount = 0; foreach ($m in $failLine.Matches) { $failCount += [int]$m.Groups[1].Value }
+$baseline = 1137
+if ($passCount -ge $baseline) { Assert-Pass "No test-count regression ($passCount >= $baseline pre-Phase-6.4 baseline)" }
+else { Assert-Fail "Test-count regression" "passed $passCount < baseline $baseline" }
+
+if ($failCount -le 1) { Assert-Pass "No new failing tests (pre-existing CLI flake tolerated)" }
+else { Assert-Fail "New failing tests" "$failCount failures > 1 tolerated" }

 Write-Host ""
 if ($script:failures -eq 0) {
-    Write-Host "Phase 6.4 compliance: scaffold-mode PASS (all checks TODO)" -ForegroundColor Green
+    Write-Host "Phase 6.4 compliance: PASS" -ForegroundColor Green
    exit 0
 }
 Write-Host "Phase 6.4 compliance: $script:failures FAIL(s)" -ForegroundColor Red
--- a/scripts/compliance/phase-6-all.ps1
+++ b/scripts/compliance/phase-6-all.ps1
@@ -0,0 +1,77 @@
+<#
+.SYNOPSIS
+    Meta-runner that invokes every per-phase Phase 6.x compliance script and
+    reports an aggregate verdict.
+
+.DESCRIPTION
+    Runs phase-6-1-compliance.ps1, phase-6-2, phase-6-3, phase-6-4 in sequence.
+    Each sub-script returns its own exit code; this wrapper aggregates them.
+    Useful before a v2 release tag + as the `dotnet test` companion in CI.
+
+.NOTES
+    Usage:  pwsh ./scripts/compliance/phase-6-all.ps1
+    Exit:   0 = every phase passed; 1 = one or more phases failed
+#>
+[CmdletBinding()]
+param()
+
+$ErrorActionPreference = 'Continue'
+
+$phases = @(
+    @{ Name = 'Phase 6.1 - Resilience & Observability'; Script = 'phase-6-1-compliance.ps1' },
+    @{ Name = 'Phase 6.2 - Authorization runtime';       Script = 'phase-6-2-compliance.ps1' },
+    @{ Name = 'Phase 6.3 - Redundancy runtime';          Script = 'phase-6-3-compliance.ps1' },
+    @{ Name = 'Phase 6.4 - Admin UI completion';         Script = 'phase-6-4-compliance.ps1' }
+)
+
+$results = @()
+$startedAt = Get-Date
+
+foreach ($phase in $phases) {
+    Write-Host ""
+    Write-Host ""
+    Write-Host "=============================================================" -ForegroundColor DarkGray
+    Write-Host ("Running {0}" -f $phase.Name) -ForegroundColor Cyan
+    Write-Host "=============================================================" -ForegroundColor DarkGray
+
+    $scriptPath = Join-Path $PSScriptRoot $phase.Script
+    if (-not (Test-Path $scriptPath)) {
+        Write-Host ("  [MISSING] {0}" -f $phase.Script) -ForegroundColor Red
+        $results += @{ Name = $phase.Name; Exit = 2 }
+        continue
+    }
+
+    # Invoke each sub-script in its own powershell.exe process so its local
+    # $ErrorActionPreference + exit-code semantics can't interfere with the meta-runner's
+    # state. Slower (one process spawn per phase) but makes aggregate PASS/FAIL match
+    # standalone runs exactly.
+    & powershell.exe -NoProfile -ExecutionPolicy Bypass -File $scriptPath
+    $exitCode = $LASTEXITCODE
+    $results += @{ Name = $phase.Name; Exit = $exitCode }
+}
+
+$elapsed = (Get-Date) - $startedAt
+
+Write-Host ""
+Write-Host ""
+Write-Host "=============================================================" -ForegroundColor DarkGray
+Write-Host "Phase 6 compliance aggregate" -ForegroundColor Cyan
+Write-Host "=============================================================" -ForegroundColor DarkGray
+
+$totalFailures = 0
+foreach ($r in $results) {
+    $colour = if ($r.Exit -eq 0) { 'Green' } else { 'Red' }
+    $tag    = if ($r.Exit -eq 0) { 'PASS' }     else { "FAIL (exit=$($r.Exit))" }
+    Write-Host ("  [{0}] {1}" -f $tag, $r.Name) -ForegroundColor $colour
+    if ($r.Exit -ne 0) { $totalFailures++ }
+}
+
+Write-Host ""
+Write-Host ("Elapsed: {0:N1} s" -f $elapsed.TotalSeconds) -ForegroundColor DarkGray
+
+if ($totalFailures -eq 0) {
+    Write-Host "Phase 6 aggregate: PASS" -ForegroundColor Green
+    exit 0
+}
+Write-Host ("Phase 6 aggregate: {0} phase(s) FAILED" -f $totalFailures) -ForegroundColor Red
+exit 1
--- a/src/ZB.MOM.WW.OtOpcUa.Admin/Services/EquipmentImportBatchService.cs
+++ b/src/ZB.MOM.WW.OtOpcUa.Admin/Services/EquipmentImportBatchService.cs
@@ -0,0 +1,207 @@
+using Microsoft.EntityFrameworkCore;
+using ZB.MOM.WW.OtOpcUa.Admin.Services;
+using ZB.MOM.WW.OtOpcUa.Configuration;
+using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+
+namespace ZB.MOM.WW.OtOpcUa.Admin.Services;
+
+/// <summary>
+///     Staged-import orchestrator per Phase 6.4 Stream B.2-B.4. Covers the four operator
+///     actions: CreateBatch → StageRows (chunked) → FinaliseBatch (atomic apply into
+///     <see cref="Equipment"/>) → DropBatch (rollback of pre-finalise state).
+/// </summary>
+/// <remarks>
+///     <para>FinaliseBatch runs inside one EF transaction + bulk-inserts accepted rows into
+///     <see cref="Equipment"/>. Rejected rows stay behind as audit evidence; the batch row
+///     gains <see cref="EquipmentImportBatch.FinalisedAtUtc"/> so future writes know it's
+///     archived. DropBatch removes the batch + its cascaded rows.</para>
+///
+///     <para>Idempotence: calling FinaliseBatch twice throws <see cref="ImportBatchAlreadyFinalisedException"/>
+///     rather than double-inserting. Operator refreshes the admin page to see the first
+///     finalise completed.</para>
+///
+///     <para>ExternalIdReservation merging (ZTag + SAPID uniqueness) is NOT done here — a
+///     narrower follow-up wires it once the concurrent-insert test matrix is green.</para>
+/// </remarks>
+public sealed class EquipmentImportBatchService(OtOpcUaConfigDbContext db)
+{
+    /// <summary>Create a new empty batch header. Returns the row with Id populated.</summary>
+    public async Task<EquipmentImportBatch> CreateBatchAsync(string clusterId, string createdBy, CancellationToken ct)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(clusterId);
+        ArgumentException.ThrowIfNullOrWhiteSpace(createdBy);
+
+        var batch = new EquipmentImportBatch
+        {
+            Id = Guid.NewGuid(),
+            ClusterId = clusterId,
+            CreatedBy = createdBy,
+            CreatedAtUtc = DateTime.UtcNow,
+        };
+        db.EquipmentImportBatches.Add(batch);
+        await db.SaveChangesAsync(ct).ConfigureAwait(false);
+        return batch;
+    }
+
+    /// <summary>
+    ///     Stage one chunk of rows into the batch. Caller usually feeds
+    ///     <see cref="EquipmentCsvImporter.Parse"/> output here — each
+    ///     <see cref="EquipmentCsvRow"/> becomes one accepted <see cref="EquipmentImportRow"/>,
+    ///     each rejected parser error becomes one row with <see cref="EquipmentImportRow.IsAccepted"/> false.
+    /// </summary>
+    public async Task StageRowsAsync(
+        Guid batchId,
+        IReadOnlyList<EquipmentCsvRow> acceptedRows,
+        IReadOnlyList<EquipmentCsvRowError> rejectedRows,
+        CancellationToken ct)
+    {
+        var batch = await db.EquipmentImportBatches.FirstOrDefaultAsync(b => b.Id == batchId, ct).ConfigureAwait(false)
+                    ?? throw new ImportBatchNotFoundException($"Batch {batchId} not found.");
+
+        if (batch.FinalisedAtUtc is not null)
+            throw new ImportBatchAlreadyFinalisedException(
+                $"Batch {batchId} finalised at {batch.FinalisedAtUtc:o}; no more rows can be staged.");
+
+        foreach (var row in acceptedRows)
+        {
+            db.EquipmentImportRows.Add(new EquipmentImportRow
+            {
+                Id = Guid.NewGuid(),
+                BatchId = batchId,
+                IsAccepted = true,
+                ZTag = row.ZTag,
+                MachineCode = row.MachineCode,
+                SAPID = row.SAPID,
+                EquipmentId = row.EquipmentId,
+                EquipmentUuid = row.EquipmentUuid,
+                Name = row.Name,
+                UnsAreaName = row.UnsAreaName,
+                UnsLineName = row.UnsLineName,
+                Manufacturer = row.Manufacturer,
+                Model = row.Model,
+                SerialNumber = row.SerialNumber,
+                HardwareRevision = row.HardwareRevision,
+                SoftwareRevision = row.SoftwareRevision,
+                YearOfConstruction = row.YearOfConstruction,
+                AssetLocation = row.AssetLocation,
+                ManufacturerUri = row.ManufacturerUri,
+                DeviceManualUri = row.DeviceManualUri,
+            });
+        }
+
+        foreach (var error in rejectedRows)
+        {
+            db.EquipmentImportRows.Add(new EquipmentImportRow
+            {
+                Id = Guid.NewGuid(),
+                BatchId = batchId,
+                IsAccepted = false,
+                RejectReason = error.Reason,
+                LineNumberInFile = error.LineNumber,
+                // Required columns need values for EF; reject rows use sentinel placeholders.
+                ZTag = "", MachineCode = "", SAPID = "", EquipmentId = "", EquipmentUuid = "",
+                Name = "", UnsAreaName = "", UnsLineName = "",
+            });
+        }
+
+        batch.RowsStaged += acceptedRows.Count + rejectedRows.Count;
+        batch.RowsAccepted += acceptedRows.Count;
+        batch.RowsRejected += rejectedRows.Count;
+
+        await db.SaveChangesAsync(ct).ConfigureAwait(false);
+    }
+
+    /// <summary>Drop the batch (pre-finalise rollback). Cascaded row delete removes staged rows.</summary>
+    public async Task DropBatchAsync(Guid batchId, CancellationToken ct)
+    {
+        var batch = await db.EquipmentImportBatches.FirstOrDefaultAsync(b => b.Id == batchId, ct).ConfigureAwait(false);
+        if (batch is null) return;
+        if (batch.FinalisedAtUtc is not null)
+            throw new ImportBatchAlreadyFinalisedException(
+                $"Batch {batchId} already finalised at {batch.FinalisedAtUtc:o}; cannot drop.");
+
+        db.EquipmentImportBatches.Remove(batch);
+        await db.SaveChangesAsync(ct).ConfigureAwait(false);
+    }
+
+    /// <summary>
+    ///     Atomic finalise. Inserts every accepted row into the live
+    ///     <see cref="Equipment"/> table under the target generation + stamps
+    ///     <see cref="EquipmentImportBatch.FinalisedAtUtc"/>. Failure rolls the whole tx
+    ///     back — <see cref="Equipment"/> never partially mutates.
+    /// </summary>
+    public async Task FinaliseBatchAsync(
+        Guid batchId, long generationId, string driverInstanceIdForRows, string unsLineIdForRows, CancellationToken ct)
+    {
+        var batch = await db.EquipmentImportBatches
+            .Include(b => b.Rows)
+            .FirstOrDefaultAsync(b => b.Id == batchId, ct)
+            .ConfigureAwait(false)
+            ?? throw new ImportBatchNotFoundException($"Batch {batchId} not found.");
+
+        if (batch.FinalisedAtUtc is not null)
+            throw new ImportBatchAlreadyFinalisedException(
+                $"Batch {batchId} already finalised at {batch.FinalisedAtUtc:o}.");
+
+        // EF InMemory provider doesn't honour BeginTransaction; SQL Server provider does.
+        // Tests run the happy path under in-memory; production SQL Server runs the atomic tx.
+        var supportsTx = db.Database.IsRelational();
+        Microsoft.EntityFrameworkCore.Storage.IDbContextTransaction? tx = null;
+        if (supportsTx)
+            tx = await db.Database.BeginTransactionAsync(ct).ConfigureAwait(false);
+
+        try
+        {
+            foreach (var row in batch.Rows.Where(r => r.IsAccepted))
+            {
+                db.Equipment.Add(new Equipment
+                {
+                    EquipmentRowId = Guid.NewGuid(),
+                    GenerationId = generationId,
+                    EquipmentId = row.EquipmentId,
+                    EquipmentUuid = Guid.TryParse(row.EquipmentUuid, out var u) ? u : Guid.NewGuid(),
+                    DriverInstanceId = driverInstanceIdForRows,
+                    UnsLineId = unsLineIdForRows,
+                    Name = row.Name,
+                    MachineCode = row.MachineCode,
+                    ZTag = row.ZTag,
+                    SAPID = row.SAPID,
+                    Manufacturer = row.Manufacturer,
+                    Model = row.Model,
+                    SerialNumber = row.SerialNumber,
+                    HardwareRevision = row.HardwareRevision,
+                    SoftwareRevision = row.SoftwareRevision,
+                    YearOfConstruction = short.TryParse(row.YearOfConstruction, out var y) ? y : null,
+                    AssetLocation = row.AssetLocation,
+                    ManufacturerUri = row.ManufacturerUri,
+                    DeviceManualUri = row.DeviceManualUri,
+                });
+            }
+
+            batch.FinalisedAtUtc = DateTime.UtcNow;
+            await db.SaveChangesAsync(ct).ConfigureAwait(false);
+            if (tx is not null) await tx.CommitAsync(ct).ConfigureAwait(false);
+        }
+        catch
+        {
+            if (tx is not null) await tx.RollbackAsync(ct).ConfigureAwait(false);
+            throw;
+        }
+        finally
+        {
+            if (tx is not null) await tx.DisposeAsync().ConfigureAwait(false);
+        }
+    }
+
+    /// <summary>List batches created by the given user. Finalised batches are archived; include them on demand.</summary>
+    public async Task<IReadOnlyList<EquipmentImportBatch>> ListByUserAsync(string createdBy, bool includeFinalised, CancellationToken ct)
+    {
+        var query = db.EquipmentImportBatches.AsNoTracking().Where(b => b.CreatedBy == createdBy);
+        if (!includeFinalised)
+            query = query.Where(b => b.FinalisedAtUtc == null);
+        return await query.OrderByDescending(b => b.CreatedAtUtc).ToListAsync(ct).ConfigureAwait(false);
+    }
+}
+
+public sealed class ImportBatchNotFoundException(string message) : Exception(message);
+public sealed class ImportBatchAlreadyFinalisedException(string message) : Exception(message);
--- a/src/ZB.MOM.WW.OtOpcUa.Configuration/Entities/DriverInstance.cs
+++ b/src/ZB.MOM.WW.OtOpcUa.Configuration/Entities/DriverInstance.cs
@@ -27,6 +27,24 @@ public sealed class DriverInstance
    /// <summary>Schemaless per-driver-type JSON config. Validated against registered JSON schema at draft-publish time (decision #91).</summary>
    public required string DriverConfig { get; set; }

+    /// <summary>
+    ///     Optional per-instance overrides for the Phase 6.1 shared Polly resilience pipeline.
+    ///     Null = use the driver's tier defaults (decision #143). When populated, expected shape:
+    ///     <code>
+    ///     {
+    ///       "bulkheadMaxConcurrent": 16,
+    ///       "bulkheadMaxQueue": 64,
+    ///       "capabilityPolicies": {
+    ///         "Read":  { "timeoutSeconds": 5, "retryCount": 5, "breakerFailureThreshold": 3 },
+    ///         "Write": { "timeoutSeconds": 5, "retryCount": 0, "breakerFailureThreshold": 5 }
+    ///       }
+    ///     }
+    ///     </code>
+    ///     Parsed at startup by <c>DriverResilienceOptionsParser</c>; every key is optional +
+    ///     unrecognised keys are ignored so future shapes land without a migration.
+    /// </summary>
+    public string? ResilienceConfig { get; set; }
+
    public ConfigGeneration? Generation { get; set; }
    public ServerCluster? Cluster { get; set; }
 }
--- a/src/ZB.MOM.WW.OtOpcUa.Configuration/Entities/EquipmentImportBatch.cs
+++ b/src/ZB.MOM.WW.OtOpcUa.Configuration/Entities/EquipmentImportBatch.cs
@@ -0,0 +1,68 @@
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+
+/// <summary>
+///     Staged equipment-import batch per Phase 6.4 Stream B.2. Rows land in the child
+///     <see cref="EquipmentImportRow"/> table under a batch header; operator reviews + either
+///     drops (via <c>DropImportBatch</c>) or finalises (via <c>FinaliseImportBatch</c>) in one
+///     bounded transaction. The live <c>Equipment</c> table never sees partial state.
+/// </summary>
+/// <remarks>
+///     <para>User-scoped visibility: the preview modal only shows batches where
+///     <see cref="CreatedBy"/> equals the current operator. Prevents accidental
+///     cross-operator finalise during concurrent imports. An admin finalise / drop surface
+///     can override this — tracked alongside the UI follow-up.</para>
+///
+///     <para><see cref="FinalisedAtUtc"/> stamps the moment the batch promoted from staging
+///     into <c>Equipment</c>. Null = still in staging; non-null = archived / finalised.</para>
+/// </remarks>
+public sealed class EquipmentImportBatch
+{
+    public Guid Id { get; set; }
+    public required string ClusterId { get; set; }
+    public required string CreatedBy { get; set; }
+    public DateTime CreatedAtUtc { get; set; }
+    public int RowsStaged { get; set; }
+    public int RowsAccepted { get; set; }
+    public int RowsRejected { get; set; }
+    public DateTime? FinalisedAtUtc { get; set; }
+
+    public ICollection<EquipmentImportRow> Rows { get; set; } = [];
+}
+
+/// <summary>
+///     One staged row under an <see cref="EquipmentImportBatch"/>. Mirrors the decision #117
+///     + decision #139 columns from the CSV importer's output + an
+///     <see cref="IsAccepted"/> flag + a <see cref="RejectReason"/> string the preview modal
+///     renders.
+/// </summary>
+public sealed class EquipmentImportRow
+{
+    public Guid Id { get; set; }
+    public Guid BatchId { get; set; }
+    public int LineNumberInFile { get; set; }
+    public bool IsAccepted { get; set; }
+    public string? RejectReason { get; set; }
+
+    // Required (decision #117)
+    public required string ZTag { get; set; }
+    public required string MachineCode { get; set; }
+    public required string SAPID { get; set; }
+    public required string EquipmentId { get; set; }
+    public required string EquipmentUuid { get; set; }
+    public required string Name { get; set; }
+    public required string UnsAreaName { get; set; }
+    public required string UnsLineName { get; set; }
+
+    // Optional (decision #139 — OPC 40010 Identification)
+    public string? Manufacturer { get; set; }
+    public string? Model { get; set; }
+    public string? SerialNumber { get; set; }
+    public string? HardwareRevision { get; set; }
+    public string? SoftwareRevision { get; set; }
+    public string? YearOfConstruction { get; set; }
+    public string? AssetLocation { get; set; }
+    public string? ManufacturerUri { get; set; }
+    public string? DeviceManualUri { get; set; }
+
+    public EquipmentImportBatch? Batch { get; set; }
+}
--- a/src/ZB.MOM.WW.OtOpcUa.Configuration/Migrations/20260419161932_AddDriverInstanceResilienceConfig.Designer.cs
+++ b/src/ZB.MOM.WW.OtOpcUa.Configuration/Migrations/20260419161932_AddDriverInstanceResilienceConfig.Designer.cs
--- a/src/ZB.MOM.WW.OtOpcUa.Configuration/Migrations/20260419161932_AddDriverInstanceResilienceConfig.cs
+++ b/src/ZB.MOM.WW.OtOpcUa.Configuration/Migrations/20260419161932_AddDriverInstanceResilienceConfig.cs
@@ -0,0 +1,37 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Migrations
+{
+    /// <inheritdoc />
+    public partial class AddDriverInstanceResilienceConfig : Migration
+    {
+        /// <inheritdoc />
+        protected override void Up(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.AddColumn<string>(
+                name: "ResilienceConfig",
+                table: "DriverInstance",
+                type: "nvarchar(max)",
+                nullable: true);
+
+            migrationBuilder.AddCheckConstraint(
+                name: "CK_DriverInstance_ResilienceConfig_IsJson",
+                table: "DriverInstance",
+                sql: "ResilienceConfig IS NULL OR ISJSON(ResilienceConfig) = 1");
+        }
+
+        /// <inheritdoc />
+        protected override void Down(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.DropCheckConstraint(
+                name: "CK_DriverInstance_ResilienceConfig_IsJson",
+                table: "DriverInstance");
+
+            migrationBuilder.DropColumn(
+                name: "ResilienceConfig",
+                table: "DriverInstance");
+        }
+    }
+}
--- a/src/ZB.MOM.WW.OtOpcUa.Configuration/Migrations/20260419185124_AddEquipmentImportBatch.Designer.cs
+++ b/src/ZB.MOM.WW.OtOpcUa.Configuration/Migrations/20260419185124_AddEquipmentImportBatch.Designer.cs
--- a/src/ZB.MOM.WW.OtOpcUa.Configuration/Migrations/20260419185124_AddEquipmentImportBatch.cs
+++ b/src/ZB.MOM.WW.OtOpcUa.Configuration/Migrations/20260419185124_AddEquipmentImportBatch.cs
@@ -0,0 +1,91 @@
+using System;
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace ZB.MOM.WW.OtOpcUa.Configuration.Migrations
+{
+    /// <inheritdoc />
+    public partial class AddEquipmentImportBatch : Migration
+    {
+        /// <inheritdoc />
+        protected override void Up(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.CreateTable(
+                name: "EquipmentImportBatch",
+                columns: table => new
+                {
+                    Id = table.Column<Guid>(type: "uniqueidentifier", nullable: false),
+                    ClusterId = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: false),
+                    CreatedBy = table.Column<string>(type: "nvarchar(128)", maxLength: 128, nullable: false),
+                    CreatedAtUtc = table.Column<DateTime>(type: "datetime2(3)", nullable: false),
+                    RowsStaged = table.Column<int>(type: "int", nullable: false),
+                    RowsAccepted = table.Column<int>(type: "int", nullable: false),
+                    RowsRejected = table.Column<int>(type: "int", nullable: false),
+                    FinalisedAtUtc = table.Column<DateTime>(type: "datetime2(3)", nullable: true)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_EquipmentImportBatch", x => x.Id);
+                });
+
+            migrationBuilder.CreateTable(
+                name: "EquipmentImportRow",
+                columns: table => new
+                {
+                    Id = table.Column<Guid>(type: "uniqueidentifier", nullable: false),
+                    BatchId = table.Column<Guid>(type: "uniqueidentifier", nullable: false),
+                    LineNumberInFile = table.Column<int>(type: "int", nullable: false),
+                    IsAccepted = table.Column<bool>(type: "bit", nullable: false),
+                    RejectReason = table.Column<string>(type: "nvarchar(512)", maxLength: 512, nullable: true),
+                    ZTag = table.Column<string>(type: "nvarchar(128)", maxLength: 128, nullable: false),
+                    MachineCode = table.Column<string>(type: "nvarchar(128)", maxLength: 128, nullable: false),
+                    SAPID = table.Column<string>(type: "nvarchar(128)", maxLength: 128, nullable: false),
+                    EquipmentId = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: false),
+                    EquipmentUuid = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: false),
+                    Name = table.Column<string>(type: "nvarchar(128)", maxLength: 128, nullable: false),
+                    UnsAreaName = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: false),
+                    UnsLineName = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: false),
+                    Manufacturer = table.Column<string>(type: "nvarchar(256)", maxLength: 256, nullable: true),
+                    Model = table.Column<string>(type: "nvarchar(256)", maxLength: 256, nullable: true),
+                    SerialNumber = table.Column<string>(type: "nvarchar(256)", maxLength: 256, nullable: true),
+                    HardwareRevision = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: true),
+                    SoftwareRevision = table.Column<string>(type: "nvarchar(64)", maxLength: 64, nullable: true),
+                    YearOfConstruction = table.Column<string>(type: "nvarchar(8)", maxLength: 8, nullable: true),
+                    AssetLocation = table.Column<string>(type: "nvarchar(512)", maxLength: 512, nullable: true),
+                    ManufacturerUri = table.Column<string>(type: "nvarchar(512)", maxLength: 512, nullable: true),
+                    DeviceManualUri = table.Column<string>(type: "nvarchar(512)", maxLength: 512, nullable: true)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_EquipmentImportRow", x => x.Id);
+                    table.ForeignKey(
+                        name: "FK_EquipmentImportRow_EquipmentImportBatch_BatchId",
+                        column: x => x.BatchId,
+                        principalTable: "EquipmentImportBatch",
+                        principalColumn: "Id",
+                        onDelete: ReferentialAction.Cascade);
+                });
+
+            migrationBuilder.CreateIndex(
+                name: "IX_EquipmentImportBatch_Creator_Finalised",
+                table: "EquipmentImportBatch",
+                columns: new[] { "CreatedBy", "FinalisedAtUtc" });
+
+            migrationBuilder.CreateIndex(
+                name: "IX_EquipmentImportRow_Batch",
+                table: "EquipmentImportRow",
+                column: "BatchId");
+        }
+
+        /// <inheritdoc />
+        protected override void Down(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.DropTable(
+                name: "EquipmentImportRow");
+
+            migrationBuilder.DropTable(
+                name: "EquipmentImportBatch");
+        }
+    }
+}
--- a/src/ZB.MOM.WW.OtOpcUa.Configuration/Migrations/OtOpcUaConfigDbContextModelSnapshot.cs
+++ b/src/ZB.MOM.WW.OtOpcUa.Configuration/Migrations/OtOpcUaConfigDbContextModelSnapshot.cs
@@ -413,6 +413,9 @@ namespace ZB.MOM.WW.OtOpcUa.Configuration.Migrations
                        .HasMaxLength(64)
                        .HasColumnType("nvarchar(64)");

+                    b.Property<string>("ResilienceConfig")
+                        .HasColumnType("nvarchar(max)");
+
                    b.HasKey("DriverInstanceRowId");

                    b.HasIndex("ClusterId");
@@ -431,6 +434,8 @@ namespace ZB.MOM.WW.OtOpcUa.Configuration.Migrations
                    b.ToTable("DriverInstance", null, t =>
                        {
                            t.HasCheckConstraint("CK_DriverInstance_DriverConfig_IsJson", "ISJSON(DriverConfig) = 1");
+
+                            t.HasCheckConstraint("CK_DriverInstance_ResilienceConfig_IsJson", "ResilienceConfig IS NULL OR ISJSON(ResilienceConfig) = 1");
                        });
                });

@@ -599,6 +604,148 @@ namespace ZB.MOM.WW.OtOpcUa.Configuration.Migrations
                    b.ToTable("Equipment", (string)null);
                });

+            modelBuilder.Entity("ZB.MOM.WW.OtOpcUa.Configuration.Entities.EquipmentImportBatch", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uniqueidentifier");
+
+                    b.Property<string>("ClusterId")
+                        .IsRequired()
+                        .HasMaxLength(64)
+                        .HasColumnType("nvarchar(64)");
+
+                    b.Property<DateTime>("CreatedAtUtc")
+                        .HasColumnType("datetime2(3)");
+
+                    b.Property<string>("CreatedBy")
+                        .IsRequired()
+                        .HasMaxLength(128)
+                        .HasColumnType("nvarchar(128)");
+
+                    b.Property<DateTime?>("FinalisedAtUtc")
+                        .HasColumnType("datetime2(3)");
+
+                    b.Property<int>("RowsAccepted")
+                        .HasColumnType("int");
+
+                    b.Property<int>("RowsRejected")
+                        .HasColumnType("int");
+
+                    b.Property<int>("RowsStaged")
+                        .HasColumnType("int");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("CreatedBy", "FinalisedAtUtc")
+                        .HasDatabaseName("IX_EquipmentImportBatch_Creator_Finalised");
+
+                    b.ToTable("EquipmentImportBatch", (string)null);
+                });
+
+            modelBuilder.Entity("ZB.MOM.WW.OtOpcUa.Configuration.Entities.EquipmentImportRow", b =>
+                {
+                    b.Property<Guid>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("uniqueidentifier");
+
+                    b.Property<string>("AssetLocation")
+                        .HasMaxLength(512)
+                        .HasColumnType("nvarchar(512)");
+
+                    b.Property<Guid>("BatchId")
+                        .HasColumnType("uniqueidentifier");
+
+                    b.Property<string>("DeviceManualUri")
+                        .HasMaxLength(512)
+                        .HasColumnType("nvarchar(512)");
+
+                    b.Property<string>("EquipmentId")
+                        .IsRequired()
+                        .HasMaxLength(64)
+                        .HasColumnType("nvarchar(64)");
+
+                    b.Property<string>("EquipmentUuid")
+                        .IsRequired()
+                        .HasMaxLength(64)
+                        .HasColumnType("nvarchar(64)");
+
+                    b.Property<string>("HardwareRevision")
+                        .HasMaxLength(64)
+                        .HasColumnType("nvarchar(64)");
+
+                    b.Property<bool>("IsAccepted")
+                        .HasColumnType("bit");
+
+                    b.Property<int>("LineNumberInFile")
+                        .HasColumnType("int");
+
+                    b.Property<string>("MachineCode")
+                        .IsRequired()
+                        .HasMaxLength(128)
+                        .HasColumnType("nvarchar(128)");
+
+                    b.Property<string>("Manufacturer")
+                        .HasMaxLength(256)
+                        .HasColumnType("nvarchar(256)");
+
+                    b.Property<string>("ManufacturerUri")
+                        .HasMaxLength(512)
+                        .HasColumnType("nvarchar(512)");
+
+                    b.Property<string>("Model")
+                        .HasMaxLength(256)
+                        .HasColumnType("nvarchar(256)");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasMaxLength(128)
+                        .HasColumnType("nvarchar(128)");
+
+                    b.Property<string>("RejectReason")
+                        .HasMaxLength(512)
+                        .HasColumnType("nvarchar(512)");
+
+                    b.Property<string>("SAPID")
+                        .IsRequired()
+                        .HasMaxLength(128)
+                        .HasColumnType("nvarchar(128)");
+
+                    b.Property<string>("SerialNumber")
+                        .HasMaxLength(256)
+                        .HasColumnType("nvarchar(256)");
+
+                    b.Property<string>("SoftwareRevision")
+                        .HasMaxLength(64)
+                        .HasColumnType("nvarchar(64)");
+
+                    b.Property<string>("UnsAreaName")
+                        .IsRequired()
+                        .HasMaxLength(64)
+                        .HasColumnType("nvarchar(64)");
+
+                    b.Property<string>("UnsLineName")
+                        .IsRequired()
+                        .HasMaxLength(64)
+                        .HasColumnType("nvarchar(64)");
+
+                    b.Property<string>("YearOfConstruction")
+                        .HasMaxLength(8)
+                        .HasColumnType("nvarchar(8)");
+
+                    b.Property<string>("ZTag")
+                        .IsRequired()
+                        .HasMaxLength(128)
+                        .HasColumnType("nvarchar(128)");
+
+                    b.HasKey("Id");
+
+                    b.HasIndex("BatchId")
+                        .HasDatabaseName("IX_EquipmentImportRow_Batch");
+
+                    b.ToTable("EquipmentImportRow", (string)null);
+                });
+
            modelBuilder.Entity("ZB.MOM.WW.OtOpcUa.Configuration.Entities.ExternalIdReservation", b =>
                {
                    b.Property<Guid>("ReservationId")
@@ -1226,6 +1373,17 @@ namespace ZB.MOM.WW.OtOpcUa.Configuration.Migrations
                    b.Navigation("Generation");
                });

+            modelBuilder.Entity("ZB.MOM.WW.OtOpcUa.Configuration.Entities.EquipmentImportRow", b =>
+                {
+                    b.HasOne("ZB.MOM.WW.OtOpcUa.Configuration.Entities.EquipmentImportBatch", "Batch")
+                        .WithMany("Rows")
+                        .HasForeignKey("BatchId")
+                        .OnDelete(DeleteBehavior.Cascade)
+                        .IsRequired();
+
+                    b.Navigation("Batch");
+                });
+
            modelBuilder.Entity("ZB.MOM.WW.OtOpcUa.Configuration.Entities.LdapGroupRoleMapping", b =>
                {
                    b.HasOne("ZB.MOM.WW.OtOpcUa.Configuration.Entities.ServerCluster", "Cluster")
@@ -1325,6 +1483,11 @@ namespace ZB.MOM.WW.OtOpcUa.Configuration.Migrations
                    b.Navigation("GenerationState");
                });

+            modelBuilder.Entity("ZB.MOM.WW.OtOpcUa.Configuration.Entities.EquipmentImportBatch", b =>
+                {
+                    b.Navigation("Rows");
+                });
+
            modelBuilder.Entity("ZB.MOM.WW.OtOpcUa.Configuration.Entities.ServerCluster", b =>
                {
                    b.Navigation("Generations");
--- a/src/ZB.MOM.WW.OtOpcUa.Configuration/OtOpcUaConfigDbContext.cs
+++ b/src/ZB.MOM.WW.OtOpcUa.Configuration/OtOpcUaConfigDbContext.cs
@@ -30,6 +30,8 @@ public sealed class OtOpcUaConfigDbContext(DbContextOptions<OtOpcUaConfigDbConte
    public DbSet<DriverHostStatus> DriverHostStatuses => Set<DriverHostStatus>();
    public DbSet<DriverInstanceResilienceStatus> DriverInstanceResilienceStatuses => Set<DriverInstanceResilienceStatus>();
    public DbSet<LdapGroupRoleMapping> LdapGroupRoleMappings => Set<LdapGroupRoleMapping>();
+    public DbSet<EquipmentImportBatch> EquipmentImportBatches => Set<EquipmentImportBatch>();
+    public DbSet<EquipmentImportRow> EquipmentImportRows => Set<EquipmentImportRow>();

    protected override void OnModelCreating(ModelBuilder modelBuilder)
    {
@@ -53,6 +55,7 @@ public sealed class OtOpcUaConfigDbContext(DbContextOptions<OtOpcUaConfigDbConte
        ConfigureDriverHostStatus(modelBuilder);
        ConfigureDriverInstanceResilienceStatus(modelBuilder);
        ConfigureLdapGroupRoleMapping(modelBuilder);
+        ConfigureEquipmentImportBatch(modelBuilder);
    }

    private static void ConfigureServerCluster(ModelBuilder modelBuilder)
@@ -251,6 +254,8 @@ public sealed class OtOpcUaConfigDbContext(DbContextOptions<OtOpcUaConfigDbConte
            {
                t.HasCheckConstraint("CK_DriverInstance_DriverConfig_IsJson",
                    "ISJSON(DriverConfig) = 1");
+                t.HasCheckConstraint("CK_DriverInstance_ResilienceConfig_IsJson",
+                    "ResilienceConfig IS NULL OR ISJSON(ResilienceConfig) = 1");
            });
            e.HasKey(x => x.DriverInstanceRowId);
            e.Property(x => x.DriverInstanceRowId).HasDefaultValueSql("NEWSEQUENTIALID()");
@@ -260,6 +265,7 @@ public sealed class OtOpcUaConfigDbContext(DbContextOptions<OtOpcUaConfigDbConte
            e.Property(x => x.Name).HasMaxLength(128);
            e.Property(x => x.DriverType).HasMaxLength(32);
            e.Property(x => x.DriverConfig).HasColumnType("nvarchar(max)");
+            e.Property(x => x.ResilienceConfig).HasColumnType("nvarchar(max)");

            e.HasOne(x => x.Generation).WithMany().HasForeignKey(x => x.GenerationId).OnDelete(DeleteBehavior.Restrict);
            e.HasOne(x => x.Cluster).WithMany().HasForeignKey(x => x.ClusterId).OnDelete(DeleteBehavior.Restrict);
@@ -565,4 +571,52 @@ public sealed class OtOpcUaConfigDbContext(DbContextOptions<OtOpcUaConfigDbConte
            e.HasIndex(x => x.LdapGroup).HasDatabaseName("IX_LdapGroupRoleMapping_Group");
        });
    }
+
+    private static void ConfigureEquipmentImportBatch(ModelBuilder modelBuilder)
+    {
+        modelBuilder.Entity<EquipmentImportBatch>(e =>
+        {
+            e.ToTable("EquipmentImportBatch");
+            e.HasKey(x => x.Id);
+            e.Property(x => x.ClusterId).HasMaxLength(64);
+            e.Property(x => x.CreatedBy).HasMaxLength(128);
+            e.Property(x => x.CreatedAtUtc).HasColumnType("datetime2(3)");
+            e.Property(x => x.FinalisedAtUtc).HasColumnType("datetime2(3)");
+
+            // Admin preview modal filters by user; finalise / drop both hit this index.
+            e.HasIndex(x => new { x.CreatedBy, x.FinalisedAtUtc })
+                .HasDatabaseName("IX_EquipmentImportBatch_Creator_Finalised");
+        });
+
+        modelBuilder.Entity<EquipmentImportRow>(e =>
+        {
+            e.ToTable("EquipmentImportRow");
+            e.HasKey(x => x.Id);
+            e.Property(x => x.ZTag).HasMaxLength(128);
+            e.Property(x => x.MachineCode).HasMaxLength(128);
+            e.Property(x => x.SAPID).HasMaxLength(128);
+            e.Property(x => x.EquipmentId).HasMaxLength(64);
+            e.Property(x => x.EquipmentUuid).HasMaxLength(64);
+            e.Property(x => x.Name).HasMaxLength(128);
+            e.Property(x => x.UnsAreaName).HasMaxLength(64);
+            e.Property(x => x.UnsLineName).HasMaxLength(64);
+            e.Property(x => x.Manufacturer).HasMaxLength(256);
+            e.Property(x => x.Model).HasMaxLength(256);
+            e.Property(x => x.SerialNumber).HasMaxLength(256);
+            e.Property(x => x.HardwareRevision).HasMaxLength(64);
+            e.Property(x => x.SoftwareRevision).HasMaxLength(64);
+            e.Property(x => x.YearOfConstruction).HasMaxLength(8);
+            e.Property(x => x.AssetLocation).HasMaxLength(512);
+            e.Property(x => x.ManufacturerUri).HasMaxLength(512);
+            e.Property(x => x.DeviceManualUri).HasMaxLength(512);
+            e.Property(x => x.RejectReason).HasMaxLength(512);
+
+            e.HasOne(x => x.Batch)
+                .WithMany(b => b.Rows)
+                .HasForeignKey(x => x.BatchId)
+                .OnDelete(DeleteBehavior.Cascade);
+
+            e.HasIndex(x => x.BatchId).HasDatabaseName("IX_EquipmentImportRow_Batch");
+        });
+    }
 }
--- a/src/ZB.MOM.WW.OtOpcUa.Core.Abstractions/IPerCallHostResolver.cs
+++ b/src/ZB.MOM.WW.OtOpcUa.Core.Abstractions/IPerCallHostResolver.cs
@@ -0,0 +1,34 @@
+namespace ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+
+/// <summary>
+///     Optional driver capability that maps a per-tag full reference to the underlying host
+///     name responsible for serving it. Drivers with a one-host topology (Galaxy on one
+///     MXAccess endpoint, OpcUaClient against one remote server, S7 against one PLC) do NOT
+///     need to implement this — the dispatch layer falls back to
+///     <see cref="IDriver.DriverInstanceId"/> as a single-host key.
+/// </summary>
+/// <remarks>
+///     <para>Multi-host drivers (Modbus with N PLCs, hypothetical AB CIP across a rack, etc.)
+///     implement this so the Phase 6.1 resilience pipeline can be keyed on
+///     <c>(DriverInstanceId, ResolvedHostName, DriverCapability)</c> per decision #144. One
+///     dead PLC behind a multi-device Modbus driver then trips only its own breaker; healthy
+///     siblings keep serving.</para>
+///
+///     <para>Implementations must be fast + allocation-free on the hot path — <c>ReadAsync</c>
+///     / <c>WriteAsync</c> call this once per tag. A simple <c>Dictionary&lt;string, string&gt;</c>
+///     lookup is typical.</para>
+///
+///     <para>When the fullRef doesn't map to a known host (caller passes an unregistered
+///     reference, or the tag was removed mid-flight), implementations should return the
+///     driver's default-host string rather than throwing — the invoker falls back to a
+///     single-host pipeline for that call, which is safer than tearing down the request.</para>
+/// </remarks>
+public interface IPerCallHostResolver
+{
+    /// <summary>
+    ///     Resolve the host name for the given driver-side full reference. Returned value is
+    ///     used as the <c>hostName</c> argument to the Phase 6.1 <c>CapabilityInvoker</c> so
+    ///     per-host breaker isolation + per-host bulkhead accounting both kick in.
+    /// </summary>
+    string ResolveHost(string fullReference);
+}
--- a/src/ZB.MOM.WW.OtOpcUa.Core.Abstractions/PollGroupEngine.cs
+++ b/src/ZB.MOM.WW.OtOpcUa.Core.Abstractions/PollGroupEngine.cs
@@ -0,0 +1,146 @@
+using System.Collections.Concurrent;
+
+namespace ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+
+/// <summary>
+///     Shared poll-based subscription engine for drivers whose underlying protocol has no
+///     native push model (Modbus, AB CIP, S7, FOCAS). Owns one background Task per subscription
+///     that periodically invokes the supplied reader, diffs each snapshot against the last
+///     known value, and dispatches a change callback per changed tag. Extracted from
+///     <c>ModbusDriver</c> (AB CIP PR 1) so poll-based drivers don't each re-ship the loop,
+///     floor logic, and lifecycle plumbing.
+/// </summary>
+/// <remarks>
+///     <para>The engine is read-path agnostic: it calls the supplied <c>reader</c> delegate
+///     and trusts the driver to map protocol errors into <see cref="DataValueSnapshot.StatusCode"/>.
+///     Callbacks fire on: (a) the first poll after subscribe (initial-data push per the OPC UA
+///     Part 4 convention), (b) any subsequent poll where the boxed value or status code differs
+///     from the previously-seen snapshot.</para>
+///
+///     <para>Exceptions thrown by the reader on the initial poll or any subsequent poll are
+///     swallowed — the loop continues on the next tick. The driver's own health surface is
+///     where transient poll failures should be reported; the engine intentionally does not
+///     double-book that responsibility.</para>
+/// </remarks>
+public sealed class PollGroupEngine : IAsyncDisposable
+{
+    private readonly Func<IReadOnlyList<string>, CancellationToken, Task<IReadOnlyList<DataValueSnapshot>>> _reader;
+    private readonly Action<ISubscriptionHandle, string, DataValueSnapshot> _onChange;
+    private readonly TimeSpan _minInterval;
+    private readonly ConcurrentDictionary<long, SubscriptionState> _subscriptions = new();
+    private long _nextId;
+
+    /// <summary>Default floor for publishing intervals — matches the Modbus 100 ms cap.</summary>
+    public static readonly TimeSpan DefaultMinInterval = TimeSpan.FromMilliseconds(100);
+
+    /// <param name="reader">Driver-supplied batch reader; snapshots MUST be returned in the same
+    ///     order as the input references.</param>
+    /// <param name="onChange">Callback invoked per changed tag — the driver forwards to its own
+    ///     <see cref="ISubscribable.OnDataChange"/> event.</param>
+    /// <param name="minInterval">Interval floor; anything below is clamped. Defaults to 100 ms
+    ///     per <see cref="DefaultMinInterval"/>.</param>
+    public PollGroupEngine(
+        Func<IReadOnlyList<string>, CancellationToken, Task<IReadOnlyList<DataValueSnapshot>>> reader,
+        Action<ISubscriptionHandle, string, DataValueSnapshot> onChange,
+        TimeSpan? minInterval = null)
+    {
+        ArgumentNullException.ThrowIfNull(reader);
+        ArgumentNullException.ThrowIfNull(onChange);
+        _reader = reader;
+        _onChange = onChange;
+        _minInterval = minInterval ?? DefaultMinInterval;
+    }
+
+    /// <summary>Register a new polled subscription and start its background loop.</summary>
+    public ISubscriptionHandle Subscribe(IReadOnlyList<string> fullReferences, TimeSpan publishingInterval)
+    {
+        ArgumentNullException.ThrowIfNull(fullReferences);
+        var id = Interlocked.Increment(ref _nextId);
+        var cts = new CancellationTokenSource();
+        var interval = publishingInterval < _minInterval ? _minInterval : publishingInterval;
+        var handle = new PollSubscriptionHandle(id);
+        var state = new SubscriptionState(handle, [.. fullReferences], interval, cts);
+        _subscriptions[id] = state;
+        _ = Task.Run(() => PollLoopAsync(state, cts.Token), cts.Token);
+        return handle;
+    }
+
+    /// <summary>Cancel the background loop for a handle returned by <see cref="Subscribe"/>.</summary>
+    /// <returns><c>true</c> when the handle was known to the engine and has been torn down.</returns>
+    public bool Unsubscribe(ISubscriptionHandle handle)
+    {
+        if (handle is PollSubscriptionHandle h && _subscriptions.TryRemove(h.Id, out var state))
+        {
+            try { state.Cts.Cancel(); } catch { }
+            state.Cts.Dispose();
+            return true;
+        }
+        return false;
+    }
+
+    /// <summary>Snapshot of active subscription count — exposed for driver diagnostics.</summary>
+    public int ActiveSubscriptionCount => _subscriptions.Count;
+
+    private async Task PollLoopAsync(SubscriptionState state, CancellationToken ct)
+    {
+        // Initial-data push: every subscribed tag fires once at subscribe time regardless of
+        // whether it has changed, satisfying OPC UA Part 4 initial-value semantics.
+        try { await PollOnceAsync(state, forceRaise: true, ct).ConfigureAwait(false); }
+        catch (OperationCanceledException) { return; }
+        catch { /* first-read error tolerated — loop continues */ }
+
+        while (!ct.IsCancellationRequested)
+        {
+            try { await Task.Delay(state.Interval, ct).ConfigureAwait(false); }
+            catch (OperationCanceledException) { return; }
+
+            try { await PollOnceAsync(state, forceRaise: false, ct).ConfigureAwait(false); }
+            catch (OperationCanceledException) { return; }
+            catch { /* transient poll error — loop continues, driver health surface logs it */ }
+        }
+    }
+
+    private async Task PollOnceAsync(SubscriptionState state, bool forceRaise, CancellationToken ct)
+    {
+        var snapshots = await _reader(state.TagReferences, ct).ConfigureAwait(false);
+        for (var i = 0; i < state.TagReferences.Count; i++)
+        {
+            var tagRef = state.TagReferences[i];
+            var current = snapshots[i];
+            var lastSeen = state.LastValues.TryGetValue(tagRef, out var prev) ? prev : default;
+
+            if (forceRaise || !Equals(lastSeen?.Value, current.Value) || lastSeen?.StatusCode != current.StatusCode)
+            {
+                state.LastValues[tagRef] = current;
+                _onChange(state.Handle, tagRef, current);
+            }
+        }
+    }
+
+    /// <summary>Cancel every active subscription. Idempotent.</summary>
+    public ValueTask DisposeAsync()
+    {
+        foreach (var state in _subscriptions.Values)
+        {
+            try { state.Cts.Cancel(); } catch { }
+            state.Cts.Dispose();
+        }
+        _subscriptions.Clear();
+        return ValueTask.CompletedTask;
+    }
+
+    private sealed record SubscriptionState(
+        PollSubscriptionHandle Handle,
+        IReadOnlyList<string> TagReferences,
+        TimeSpan Interval,
+        CancellationTokenSource Cts)
+    {
+        public ConcurrentDictionary<string, DataValueSnapshot> LastValues { get; }
+            = new(StringComparer.OrdinalIgnoreCase);
+    }
+
+    private sealed record PollSubscriptionHandle(long Id) : ISubscriptionHandle
+    {
+        public string DiagnosticId => $"poll-sub-{Id}";
+    }
+}
--- a/src/ZB.MOM.WW.OtOpcUa.Core/OpcUa/IdentificationFolderBuilder.cs
+++ b/src/ZB.MOM.WW.OtOpcUa.Core/OpcUa/IdentificationFolderBuilder.cs
@@ -0,0 +1,91 @@
+using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+
+namespace ZB.MOM.WW.OtOpcUa.Core.OpcUa;
+
+/// <summary>
+///     Phase 6.4 Stream D: materializes the OPC 40010 Machinery companion-spec Identification
+///     sub-folder under an Equipment node. Reads the nine decision-#139 columns off the
+///     <see cref="Equipment"/> row and emits one property per non-null field.
+/// </summary>
+/// <remarks>
+///     <para>Pure-function shape — testable without a real OPC UA node manager. The caller
+///     passes the builder scoped to the Equipment node; this class handles the Identification
+///     sub-folder creation + per-field <see cref="IAddressSpaceBuilder.AddProperty"/> calls.</para>
+///
+///     <para>ACL binding: the sub-folder + its properties inherit the Equipment scope's
+///     grants (no new scope level). Phase 6.2's trie treats them as part of the Equipment
+///     ScopeId — a user with Equipment-level grant reads Identification; a user without the
+///     grant gets BadUserAccessDenied on both the Equipment node + its Identification variables.
+///     See <c>docs/v2/acl-design.md</c> §Identification cross-reference.</para>
+///
+///     <para>The nine fields per decision #139 are exposed exactly when they carry a non-null
+///     value. A row with all nine null produces no Identification sub-folder at all — the
+///     caller can use <see cref="HasAnyFields(Equipment)"/> to skip the Folder call entirely
+///     and avoid a pointless empty folder appearing in browse trees.</para>
+/// </remarks>
+public static class IdentificationFolderBuilder
+{
+    /// <summary>Browse + display name of the sub-folder — fixed per OPC 40010 convention.</summary>
+    public const string FolderName = "Identification";
+
+    /// <summary>
+    ///     Canonical decision #139 field set exposed in the Identification sub-folder. Order
+    ///     matches the decision-log entry so any browse-order reader can cross-reference
+    ///     without re-sorting.
+    /// </summary>
+    public static IReadOnlyList<string> FieldNames { get; } = new[]
+    {
+        "Manufacturer", "Model", "SerialNumber",
+        "HardwareRevision", "SoftwareRevision",
+        "YearOfConstruction", "AssetLocation",
+        "ManufacturerUri", "DeviceManualUri",
+    };
+
+    /// <summary>True when the equipment row has at least one non-null Identification field.</summary>
+    public static bool HasAnyFields(Equipment equipment)
+    {
+        ArgumentNullException.ThrowIfNull(equipment);
+        return equipment.Manufacturer is not null
+            || equipment.Model is not null
+            || equipment.SerialNumber is not null
+            || equipment.HardwareRevision is not null
+            || equipment.SoftwareRevision is not null
+            || equipment.YearOfConstruction is not null
+            || equipment.AssetLocation is not null
+            || equipment.ManufacturerUri is not null
+            || equipment.DeviceManualUri is not null;
+    }
+
+    /// <summary>
+    ///     Build the Identification sub-folder under <paramref name="equipmentBuilder"/>. No-op
+    ///     when every field is null. Returns the sub-folder builder (or null when no-op) so
+    ///     callers can attach additional nodes underneath if needed.
+    /// </summary>
+    public static IAddressSpaceBuilder? Build(IAddressSpaceBuilder equipmentBuilder, Equipment equipment)
+    {
+        ArgumentNullException.ThrowIfNull(equipmentBuilder);
+        ArgumentNullException.ThrowIfNull(equipment);
+
+        if (!HasAnyFields(equipment)) return null;
+
+        var folder = equipmentBuilder.Folder(FolderName, FolderName);
+        AddIfPresent(folder, "Manufacturer",       DriverDataType.String,   equipment.Manufacturer);
+        AddIfPresent(folder, "Model",              DriverDataType.String,   equipment.Model);
+        AddIfPresent(folder, "SerialNumber",       DriverDataType.String,   equipment.SerialNumber);
+        AddIfPresent(folder, "HardwareRevision",   DriverDataType.String,   equipment.HardwareRevision);
+        AddIfPresent(folder, "SoftwareRevision",   DriverDataType.String,   equipment.SoftwareRevision);
+        AddIfPresent(folder, "YearOfConstruction", DriverDataType.Int32,
+            equipment.YearOfConstruction is null ? null : (object)(int)equipment.YearOfConstruction.Value);
+        AddIfPresent(folder, "AssetLocation",      DriverDataType.String,   equipment.AssetLocation);
+        AddIfPresent(folder, "ManufacturerUri",    DriverDataType.String,   equipment.ManufacturerUri);
+        AddIfPresent(folder, "DeviceManualUri",    DriverDataType.String,   equipment.DeviceManualUri);
+        return folder;
+    }
+
+    private static void AddIfPresent(IAddressSpaceBuilder folder, string name, DriverDataType dataType, object? value)
+    {
+        if (value is null) return;
+        folder.AddProperty(name, dataType, value);
+    }
+}
--- a/src/ZB.MOM.WW.OtOpcUa.Core/Resilience/CapabilityInvoker.cs
+++ b/src/ZB.MOM.WW.OtOpcUa.Core/Resilience/CapabilityInvoker.cs
@@ -22,6 +22,7 @@ public sealed class CapabilityInvoker
    private readonly string _driverInstanceId;
    private readonly string _driverType;
    private readonly Func<DriverResilienceOptions> _optionsAccessor;
+    private readonly DriverResilienceStatusTracker? _statusTracker;

    /// <summary>
    ///     Construct an invoker for one driver instance.
@@ -33,11 +34,13 @@ public sealed class CapabilityInvoker
    ///     pipeline-invalidate can take effect without restarting the invoker.
    /// </param>
    /// <param name="driverType">Driver type name for structured-log enrichment (e.g. <c>"Modbus"</c>).</param>
+    /// <param name="statusTracker">Optional resilience-status tracker. When wired, every capability call records start/complete so Admin <c>/hosts</c> can surface <see cref="ResilienceStatusSnapshot.CurrentInFlight"/> as the bulkhead-depth proxy.</param>
    public CapabilityInvoker(
        DriverResiliencePipelineBuilder builder,
        string driverInstanceId,
        Func<DriverResilienceOptions> optionsAccessor,
-        string driverType = "Unknown")
+        string driverType = "Unknown",
+        DriverResilienceStatusTracker? statusTracker = null)
    {
        ArgumentNullException.ThrowIfNull(builder);
        ArgumentNullException.ThrowIfNull(optionsAccessor);
@@ -46,6 +49,7 @@ public sealed class CapabilityInvoker
        _driverInstanceId = driverInstanceId;
        _driverType = driverType;
        _optionsAccessor = optionsAccessor;
+        _statusTracker = statusTracker;
    }

    /// <summary>Execute a capability call returning a value, honoring the per-capability pipeline.</summary>
@@ -59,9 +63,17 @@ public sealed class CapabilityInvoker
        ArgumentNullException.ThrowIfNull(callSite);

        var pipeline = ResolvePipeline(capability, hostName);
-        using (LogContextEnricher.Push(_driverInstanceId, _driverType, capability, LogContextEnricher.NewCorrelationId()))
+        _statusTracker?.RecordCallStart(_driverInstanceId, hostName);
+        try
        {
-            return await pipeline.ExecuteAsync(callSite, cancellationToken).ConfigureAwait(false);
+            using (LogContextEnricher.Push(_driverInstanceId, _driverType, capability, LogContextEnricher.NewCorrelationId()))
+            {
+                return await pipeline.ExecuteAsync(callSite, cancellationToken).ConfigureAwait(false);
+            }
+        }
+        finally
+        {
+            _statusTracker?.RecordCallComplete(_driverInstanceId, hostName);
        }
    }

@@ -75,9 +87,17 @@ public sealed class CapabilityInvoker
        ArgumentNullException.ThrowIfNull(callSite);

        var pipeline = ResolvePipeline(capability, hostName);
-        using (LogContextEnricher.Push(_driverInstanceId, _driverType, capability, LogContextEnricher.NewCorrelationId()))
+        _statusTracker?.RecordCallStart(_driverInstanceId, hostName);
+        try
        {
-            await pipeline.ExecuteAsync(callSite, cancellationToken).ConfigureAwait(false);
+            using (LogContextEnricher.Push(_driverInstanceId, _driverType, capability, LogContextEnricher.NewCorrelationId()))
+            {
+                await pipeline.ExecuteAsync(callSite, cancellationToken).ConfigureAwait(false);
+            }
+        }
+        finally
+        {
+            _statusTracker?.RecordCallComplete(_driverInstanceId, hostName);
        }
    }

--- a/src/ZB.MOM.WW.OtOpcUa.Core/Resilience/DriverResilienceOptionsParser.cs
+++ b/src/ZB.MOM.WW.OtOpcUa.Core/Resilience/DriverResilienceOptionsParser.cs
@@ -0,0 +1,116 @@
+using System.Text.Json;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+
+namespace ZB.MOM.WW.OtOpcUa.Core.Resilience;
+
+/// <summary>
+///     Parses the <c>DriverInstance.ResilienceConfig</c> JSON column into a
+///     <see cref="DriverResilienceOptions"/> instance layered on top of the tier defaults.
+///     Every key in the JSON is optional; missing keys fall back to the tier defaults from
+///     <see cref="DriverResilienceOptions.GetTierDefaults(DriverTier)"/>.
+/// </summary>
+/// <remarks>
+///     <para>Example JSON shape per Phase 6.1 Stream A.2:</para>
+///     <code>
+///     {
+///       "bulkheadMaxConcurrent": 16,
+///       "bulkheadMaxQueue": 64,
+///       "capabilityPolicies": {
+///         "Read":  { "timeoutSeconds": 5, "retryCount": 5, "breakerFailureThreshold": 3 },
+///         "Write": { "timeoutSeconds": 5, "retryCount": 0, "breakerFailureThreshold": 5 }
+///       }
+///     }
+///     </code>
+///
+///     <para>Unrecognised keys + values are ignored so future shapes land without a migration.
+///     Per-capability overrides are layered on top of tier defaults — a partial policy (only
+///     some of TimeoutSeconds/RetryCount/BreakerFailureThreshold) fills in the other fields
+///     from the tier default for that capability.</para>
+///
+///     <para>Parser failures (malformed JSON, type mismatches) fall back to pure tier defaults
+///     + surface through an out-parameter diagnostic. Callers may log the diagnostic but should
+///     NOT fail driver startup — a misconfigured ResilienceConfig should never brick a
+///     working driver.</para>
+/// </remarks>
+public static class DriverResilienceOptionsParser
+{
+    private static readonly JsonSerializerOptions JsonOpts = new()
+    {
+        PropertyNameCaseInsensitive = true,
+        AllowTrailingCommas = true,
+        ReadCommentHandling = JsonCommentHandling.Skip,
+    };
+
+    /// <summary>
+    ///     Parse the JSON payload layered on <paramref name="tier"/>'s defaults. Returns the
+    ///     effective options; <paramref name="parseDiagnostic"/> is null on success, or a
+    ///     human-readable error message when the JSON was malformed (options still returned
+    ///     = tier defaults).
+    /// </summary>
+    public static DriverResilienceOptions ParseOrDefaults(
+        DriverTier tier,
+        string? resilienceConfigJson,
+        out string? parseDiagnostic)
+    {
+        parseDiagnostic = null;
+        var baseDefaults = DriverResilienceOptions.GetTierDefaults(tier);
+        var baseOptions = new DriverResilienceOptions { Tier = tier, CapabilityPolicies = baseDefaults };
+
+        if (string.IsNullOrWhiteSpace(resilienceConfigJson))
+            return baseOptions;
+
+        ResilienceConfigShape? shape;
+        try
+        {
+            shape = JsonSerializer.Deserialize<ResilienceConfigShape>(resilienceConfigJson, JsonOpts);
+        }
+        catch (JsonException ex)
+        {
+            parseDiagnostic = $"ResilienceConfig JSON malformed; falling back to tier {tier} defaults. Detail: {ex.Message}";
+            return baseOptions;
+        }
+
+        if (shape is null) return baseOptions;
+
+        var merged = new Dictionary<DriverCapability, CapabilityPolicy>(baseDefaults);
+        if (shape.CapabilityPolicies is not null)
+        {
+            foreach (var (capName, overridePolicy) in shape.CapabilityPolicies)
+            {
+                if (!Enum.TryParse<DriverCapability>(capName, ignoreCase: true, out var capability))
+                {
+                    parseDiagnostic ??= $"Unknown capability '{capName}' in ResilienceConfig; skipped.";
+                    continue;
+                }
+
+                var basePolicy = merged[capability];
+                merged[capability] = new CapabilityPolicy(
+                    TimeoutSeconds: overridePolicy.TimeoutSeconds ?? basePolicy.TimeoutSeconds,
+                    RetryCount: overridePolicy.RetryCount ?? basePolicy.RetryCount,
+                    BreakerFailureThreshold: overridePolicy.BreakerFailureThreshold ?? basePolicy.BreakerFailureThreshold);
+            }
+        }
+
+        return new DriverResilienceOptions
+        {
+            Tier = tier,
+            CapabilityPolicies = merged,
+            BulkheadMaxConcurrent = shape.BulkheadMaxConcurrent ?? baseOptions.BulkheadMaxConcurrent,
+            BulkheadMaxQueue = shape.BulkheadMaxQueue ?? baseOptions.BulkheadMaxQueue,
+        };
+    }
+
+    private sealed class ResilienceConfigShape
+    {
+        public int? BulkheadMaxConcurrent { get; set; }
+        public int? BulkheadMaxQueue { get; set; }
+        public Dictionary<string, CapabilityPolicyShape>? CapabilityPolicies { get; set; }
+    }
+
+    private sealed class CapabilityPolicyShape
+    {
+        public int? TimeoutSeconds { get; set; }
+        public int? RetryCount { get; set; }
+        public int? BreakerFailureThreshold { get; set; }
+    }
+}
--- a/src/ZB.MOM.WW.OtOpcUa.Core/Resilience/DriverResilienceStatusTracker.cs
+++ b/src/ZB.MOM.WW.OtOpcUa.Core/Resilience/DriverResilienceStatusTracker.cs
@@ -81,6 +81,29 @@ public sealed class DriverResilienceStatusTracker
            });
    }

+    /// <summary>
+    ///     Record the entry of a capability call for this (instance, host). Increments the
+    ///     in-flight counter used as the <see cref="ResilienceStatusSnapshot.CurrentInFlight"/>
+    ///     surface (a cheap stand-in for Polly bulkhead depth). Paired with
+    ///     <see cref="RecordCallComplete"/>; callers use try/finally.
+    /// </summary>
+    public void RecordCallStart(string driverInstanceId, string hostName)
+    {
+        var key = new StatusKey(driverInstanceId, hostName);
+        _status.AddOrUpdate(key,
+            _ => new ResilienceStatusSnapshot { CurrentInFlight = 1 },
+            (_, existing) => existing with { CurrentInFlight = existing.CurrentInFlight + 1 });
+    }
+
+    /// <summary>Paired with <see cref="RecordCallStart"/> — decrements the in-flight counter.</summary>
+    public void RecordCallComplete(string driverInstanceId, string hostName)
+    {
+        var key = new StatusKey(driverInstanceId, hostName);
+        _status.AddOrUpdate(key,
+            _ => new ResilienceStatusSnapshot { CurrentInFlight = 0 }, // start-without-complete shouldn't happen; clamp to 0
+            (_, existing) => existing with { CurrentInFlight = Math.Max(0, existing.CurrentInFlight - 1) });
+    }
+
    /// <summary>Snapshot of a specific (instance, host) pair; null if no counters recorded yet.</summary>
    public ResilienceStatusSnapshot? TryGet(string driverInstanceId, string hostName) =>
        _status.TryGetValue(new StatusKey(driverInstanceId, hostName), out var snapshot) ? snapshot : null;
@@ -101,4 +124,12 @@ public sealed record ResilienceStatusSnapshot
    public long BaselineFootprintBytes { get; init; }
    public long CurrentFootprintBytes { get; init; }
    public DateTime LastSampledUtc { get; init; }
+
+    /// <summary>
+    ///     In-flight capability calls against this (instance, host). Bumped on call entry +
+    ///     decremented on completion. Feeds <c>DriverInstanceResilienceStatus.CurrentBulkheadDepth</c>
+    ///     for Admin <c>/hosts</c> — a cheap proxy for the Polly bulkhead depth until the full
+    ///     telemetry observer lands.
+    /// </summary>
+    public int CurrentInFlight { get; init; }
 }
--- a/src/ZB.MOM.WW.OtOpcUa.Driver.AbCip/AbCipDataType.cs
+++ b/src/ZB.MOM.WW.OtOpcUa.Driver.AbCip/AbCipDataType.cs
@@ -0,0 +1,61 @@
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.AbCip;
+
+/// <summary>
+///     Logix atomic + string data types, plus a <see cref="Structure"/> marker used when a tag
+///     references a UDT / predefined structure (Timer, Counter, Control). The concrete UDT
+///     shape is resolved via the CIP Template Object at discovery time (PR 5 / PR 6).
+/// </summary>
+/// <remarks>
+///     Mirrors the shape of <c>ModbusDataType</c>. Atomic Logix names (BOOL / SINT / INT / DINT /
+///     LINT / REAL / LREAL / STRING / DT) map one-to-one; BIT + BOOL-in-DINT collapse into
+///     <see cref="Bool"/> with the <c>.N</c> bit-index carried on the <see cref="AbCipTagPath"/>
+///     rather than the data type itself.
+/// </remarks>
+public enum AbCipDataType
+{
+    Bool,
+    SInt,   // signed 8-bit
+    Int,    // signed 16-bit
+    DInt,   // signed 32-bit
+    LInt,   // signed 64-bit
+    USInt,  // unsigned 8-bit (Logix 5000 post-V21)
+    UInt,   // unsigned 16-bit
+    UDInt,  // unsigned 32-bit
+    ULInt,  // unsigned 64-bit
+    Real,   // 32-bit IEEE-754
+    LReal,  // 64-bit IEEE-754
+    String, // Logix STRING (DINT Length + SINT[82] DATA — flattened to .NET string by libplctag)
+    Dt,     // Date/Time — Logix DT == DINT representing seconds-since-epoch per Rockwell conventions
+    /// <summary>
+    ///     UDT / Predefined Structure (Timer / Counter / Control / Message / Axis). Shape is
+    ///     resolved at discovery time; reads + writes fan out to member Variables unless the
+    ///     caller has explicitly opted into whole-UDT decode.
+    /// </summary>
+    Structure,
+}
+
+/// <summary>Map a Logix atomic type to the driver-surface <see cref="DriverDataType"/>.</summary>
+public static class AbCipDataTypeExtensions
+{
+    /// <summary>
+    ///     Map to the driver-agnostic type the server's address-space builder consumes. Unsigned
+    ///     Logix types widen into signed equivalents until <c>DriverDataType</c> picks up unsigned
+    ///     + 64-bit variants (Modbus has the same gap — see <c>ModbusDriver.MapDataType</c>
+    ///     comment re: PR 25).
+    /// </summary>
+    public static DriverDataType ToDriverDataType(this AbCipDataType t) => t switch
+    {
+        AbCipDataType.Bool => DriverDataType.Boolean,
+        AbCipDataType.SInt or AbCipDataType.Int or AbCipDataType.DInt => DriverDataType.Int32,
+        AbCipDataType.USInt or AbCipDataType.UInt or AbCipDataType.UDInt => DriverDataType.Int32,
+        AbCipDataType.LInt or AbCipDataType.ULInt => DriverDataType.Int32, // TODO: Int64 — matches Modbus gap
+        AbCipDataType.Real => DriverDataType.Float32,
+        AbCipDataType.LReal => DriverDataType.Float64,
+        AbCipDataType.String => DriverDataType.String,
+        AbCipDataType.Dt => DriverDataType.Int32, // epoch-seconds DINT
+        AbCipDataType.Structure => DriverDataType.String, // placeholder until UDT PR 6 introduces a structured kind
+        _ => DriverDataType.Int32,
+    };
+}
--- a/src/ZB.MOM.WW.OtOpcUa.Driver.AbCip/AbCipDriver.cs
+++ b/src/ZB.MOM.WW.OtOpcUa.Driver.AbCip/AbCipDriver.cs
@@ -0,0 +1,323 @@
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Driver.AbCip.PlcFamilies;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.AbCip;
+
+/// <summary>
+///     Allen-Bradley CIP / EtherNet-IP driver for ControlLogix / CompactLogix / Micro800 /
+///     GuardLogix families. Implements <see cref="IDriver"/> only for now — read/write/
+///     subscribe/discover capabilities ship in subsequent PRs (3–8) and family-specific quirk
+///     profiles ship in PRs 9–12.
+/// </summary>
+/// <remarks>
+///     <para>Wire layer is libplctag 1.6.x (plan decision #11). Per-device host addresses use
+///     the <c>ab://gateway[:port]/cip-path</c> canonical form parsed via
+///     <see cref="AbCipHostAddress.TryParse"/>; those strings become the <c>hostName</c> key
+///     for Polly bulkhead + circuit-breaker isolation per plan decision #144.</para>
+///
+///     <para>Tier A per plan decisions #143–145 — in-process, shares server lifetime, no
+///     sidecar. <see cref="ReinitializeAsync"/> is the Tier-B escape hatch for recovering
+///     from native-heap growth that the CLR allocator can't see; it tears down every
+///     <see cref="PlcTagHandle"/> and reconnects each device.</para>
+/// </remarks>
+public sealed class AbCipDriver : IDriver, IReadable, IWritable, IDisposable, IAsyncDisposable
+{
+    private readonly AbCipDriverOptions _options;
+    private readonly string _driverInstanceId;
+    private readonly IAbCipTagFactory _tagFactory;
+    private readonly Dictionary<string, DeviceState> _devices = new(StringComparer.OrdinalIgnoreCase);
+    private readonly Dictionary<string, AbCipTagDefinition> _tagsByName = new(StringComparer.OrdinalIgnoreCase);
+    private DriverHealth _health = new(DriverState.Unknown, null, null);
+
+    public AbCipDriver(AbCipDriverOptions options, string driverInstanceId,
+        IAbCipTagFactory? tagFactory = null)
+    {
+        ArgumentNullException.ThrowIfNull(options);
+        _options = options;
+        _driverInstanceId = driverInstanceId;
+        _tagFactory = tagFactory ?? new LibplctagTagFactory();
+    }
+
+    public string DriverInstanceId => _driverInstanceId;
+    public string DriverType => "AbCip";
+
+    public Task InitializeAsync(string driverConfigJson, CancellationToken cancellationToken)
+    {
+        _health = new DriverHealth(DriverState.Initializing, null, null);
+        try
+        {
+            foreach (var device in _options.Devices)
+            {
+                var addr = AbCipHostAddress.TryParse(device.HostAddress)
+                    ?? throw new InvalidOperationException(
+                        $"AbCip device has invalid HostAddress '{device.HostAddress}' — expected 'ab://gateway[:port]/cip-path'.");
+                var profile = AbCipPlcFamilyProfile.ForFamily(device.PlcFamily);
+                _devices[device.HostAddress] = new DeviceState(addr, device, profile);
+            }
+            foreach (var tag in _options.Tags) _tagsByName[tag.Name] = tag;
+            _health = new DriverHealth(DriverState.Healthy, DateTime.UtcNow, null);
+        }
+        catch (Exception ex)
+        {
+            _health = new DriverHealth(DriverState.Faulted, null, ex.Message);
+            throw;
+        }
+        return Task.CompletedTask;
+    }
+
+    public async Task ReinitializeAsync(string driverConfigJson, CancellationToken cancellationToken)
+    {
+        await ShutdownAsync(cancellationToken).ConfigureAwait(false);
+        await InitializeAsync(driverConfigJson, cancellationToken).ConfigureAwait(false);
+    }
+
+    public Task ShutdownAsync(CancellationToken cancellationToken)
+    {
+        foreach (var state in _devices.Values)
+            state.DisposeHandles();
+        _devices.Clear();
+        _tagsByName.Clear();
+        _health = new DriverHealth(DriverState.Unknown, _health.LastSuccessfulRead, null);
+        return Task.CompletedTask;
+    }
+
+    // ---- IReadable ----
+
+    /// <summary>
+    ///     Read each <c>fullReference</c> in order. Unknown tags surface as
+    ///     <c>BadNodeIdUnknown</c>; libplctag-layer failures map through
+    ///     <see cref="AbCipStatusMapper.MapLibplctagStatus"/>; any other exception becomes
+    ///     <c>BadCommunicationError</c>. The driver health surface is updated per-call so the
+    ///     Admin UI sees a tight feedback loop between read failures + the driver's state.
+    /// </summary>
+    public async Task<IReadOnlyList<DataValueSnapshot>> ReadAsync(
+        IReadOnlyList<string> fullReferences, CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(fullReferences);
+        var now = DateTime.UtcNow;
+        var results = new DataValueSnapshot[fullReferences.Count];
+
+        for (var i = 0; i < fullReferences.Count; i++)
+        {
+            var reference = fullReferences[i];
+            if (!_tagsByName.TryGetValue(reference, out var def))
+            {
+                results[i] = new DataValueSnapshot(null, AbCipStatusMapper.BadNodeIdUnknown, null, now);
+                continue;
+            }
+            if (!_devices.TryGetValue(def.DeviceHostAddress, out var device))
+            {
+                results[i] = new DataValueSnapshot(null, AbCipStatusMapper.BadNodeIdUnknown, null, now);
+                continue;
+            }
+
+            try
+            {
+                var runtime = await EnsureTagRuntimeAsync(device, def, cancellationToken).ConfigureAwait(false);
+                await runtime.ReadAsync(cancellationToken).ConfigureAwait(false);
+
+                var status = runtime.GetStatus();
+                if (status != 0)
+                {
+                    results[i] = new DataValueSnapshot(null,
+                        AbCipStatusMapper.MapLibplctagStatus(status), null, now);
+                    _health = new DriverHealth(DriverState.Degraded, _health.LastSuccessfulRead,
+                        $"libplctag status {status} reading {reference}");
+                    continue;
+                }
+
+                var tagPath = AbCipTagPath.TryParse(def.TagPath);
+                var bitIndex = tagPath?.BitIndex;
+                var value = runtime.DecodeValue(def.DataType, bitIndex);
+                results[i] = new DataValueSnapshot(value, AbCipStatusMapper.Good, now, now);
+                _health = new DriverHealth(DriverState.Healthy, now, null);
+            }
+            catch (OperationCanceledException)
+            {
+                throw;
+            }
+            catch (Exception ex)
+            {
+                results[i] = new DataValueSnapshot(null,
+                    AbCipStatusMapper.BadCommunicationError, null, now);
+                _health = new DriverHealth(DriverState.Degraded, _health.LastSuccessfulRead, ex.Message);
+            }
+        }
+
+        return results;
+    }
+
+    // ---- IWritable ----
+
+    /// <summary>
+    ///     Write each request in order. Writes are NOT auto-retried by the driver — per plan
+    ///     decisions #44, #45, #143 the caller opts in via <see cref="AbCipTagDefinition.WriteIdempotent"/>
+    ///     and the resilience pipeline (layered above the driver) decides whether to replay.
+    ///     Non-writable configurations surface as <c>BadNotWritable</c>; type-conversion failures
+    ///     as <c>BadTypeMismatch</c>; transport errors as <c>BadCommunicationError</c>.
+    /// </summary>
+    public async Task<IReadOnlyList<WriteResult>> WriteAsync(
+        IReadOnlyList<WriteRequest> writes, CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(writes);
+        var results = new WriteResult[writes.Count];
+        var now = DateTime.UtcNow;
+
+        for (var i = 0; i < writes.Count; i++)
+        {
+            var w = writes[i];
+            if (!_tagsByName.TryGetValue(w.FullReference, out var def))
+            {
+                results[i] = new WriteResult(AbCipStatusMapper.BadNodeIdUnknown);
+                continue;
+            }
+            if (!def.Writable)
+            {
+                results[i] = new WriteResult(AbCipStatusMapper.BadNotWritable);
+                continue;
+            }
+            if (!_devices.TryGetValue(def.DeviceHostAddress, out var device))
+            {
+                results[i] = new WriteResult(AbCipStatusMapper.BadNodeIdUnknown);
+                continue;
+            }
+
+            try
+            {
+                var runtime = await EnsureTagRuntimeAsync(device, def, cancellationToken).ConfigureAwait(false);
+                var tagPath = AbCipTagPath.TryParse(def.TagPath);
+                runtime.EncodeValue(def.DataType, tagPath?.BitIndex, w.Value);
+                await runtime.WriteAsync(cancellationToken).ConfigureAwait(false);
+
+                var status = runtime.GetStatus();
+                results[i] = new WriteResult(status == 0
+                    ? AbCipStatusMapper.Good
+                    : AbCipStatusMapper.MapLibplctagStatus(status));
+                if (status == 0) _health = new DriverHealth(DriverState.Healthy, now, null);
+            }
+            catch (OperationCanceledException)
+            {
+                throw;
+            }
+            catch (NotSupportedException nse)
+            {
+                results[i] = new WriteResult(AbCipStatusMapper.BadNotSupported);
+                _health = new DriverHealth(DriverState.Degraded, _health.LastSuccessfulRead, nse.Message);
+            }
+            catch (FormatException fe)
+            {
+                results[i] = new WriteResult(AbCipStatusMapper.BadTypeMismatch);
+                _health = new DriverHealth(DriverState.Degraded, _health.LastSuccessfulRead, fe.Message);
+            }
+            catch (InvalidCastException ice)
+            {
+                results[i] = new WriteResult(AbCipStatusMapper.BadTypeMismatch);
+                _health = new DriverHealth(DriverState.Degraded, _health.LastSuccessfulRead, ice.Message);
+            }
+            catch (OverflowException oe)
+            {
+                results[i] = new WriteResult(AbCipStatusMapper.BadOutOfRange);
+                _health = new DriverHealth(DriverState.Degraded, _health.LastSuccessfulRead, oe.Message);
+            }
+            catch (Exception ex)
+            {
+                results[i] = new WriteResult(AbCipStatusMapper.BadCommunicationError);
+                _health = new DriverHealth(DriverState.Degraded, _health.LastSuccessfulRead, ex.Message);
+            }
+        }
+
+        return results;
+    }
+
+    /// <summary>
+    ///     Idempotently materialise the runtime handle for a tag definition. First call creates
+    ///     + initialises the libplctag Tag; subsequent calls reuse the cached handle for the
+    ///     lifetime of the device.
+    /// </summary>
+    private async Task<IAbCipTagRuntime> EnsureTagRuntimeAsync(
+        DeviceState device, AbCipTagDefinition def, CancellationToken ct)
+    {
+        if (device.Runtimes.TryGetValue(def.Name, out var existing)) return existing;
+
+        var parsed = AbCipTagPath.TryParse(def.TagPath)
+            ?? throw new InvalidOperationException(
+                $"AbCip tag '{def.Name}' has malformed TagPath '{def.TagPath}'.");
+
+        var runtime = _tagFactory.Create(new AbCipTagCreateParams(
+            Gateway: device.ParsedAddress.Gateway,
+            Port: device.ParsedAddress.Port,
+            CipPath: device.ParsedAddress.CipPath,
+            LibplctagPlcAttribute: device.Profile.LibplctagPlcAttribute,
+            TagName: parsed.ToLibplctagName(),
+            Timeout: _options.Timeout));
+        try
+        {
+            await runtime.InitializeAsync(ct).ConfigureAwait(false);
+        }
+        catch
+        {
+            runtime.Dispose();
+            throw;
+        }
+        device.Runtimes[def.Name] = runtime;
+        return runtime;
+    }
+
+    public DriverHealth GetHealth() => _health;
+
+    /// <summary>
+    ///     CLR-visible allocation footprint only — libplctag's native heap is invisible to the
+    ///     GC. driver-specs.md §3 flags this: operators must watch whole-process RSS for the
+    ///     full picture, and <see cref="ReinitializeAsync"/> is the Tier-B remediation.
+    /// </summary>
+    public long GetMemoryFootprint() => 0;
+
+    public Task FlushOptionalCachesAsync(CancellationToken cancellationToken) => Task.CompletedTask;
+
+    /// <summary>Count of registered devices — exposed for diagnostics + tests.</summary>
+    internal int DeviceCount => _devices.Count;
+
+    /// <summary>Looked-up device state for the given host address. Tests + later-PR capabilities hit this.</summary>
+    internal DeviceState? GetDeviceState(string hostAddress) =>
+        _devices.TryGetValue(hostAddress, out var s) ? s : null;
+
+    public void Dispose() => DisposeAsync().AsTask().GetAwaiter().GetResult();
+
+    public async ValueTask DisposeAsync()
+    {
+        await ShutdownAsync(CancellationToken.None).ConfigureAwait(false);
+    }
+
+    /// <summary>
+    ///     Per-device runtime state. Holds the parsed host address, family profile, and the
+    ///     live <see cref="PlcTagHandle"/> cache keyed by tag path. PRs 3–8 populate + consume
+    ///     this dict via libplctag.
+    /// </summary>
+    internal sealed class DeviceState(
+        AbCipHostAddress parsedAddress,
+        AbCipDeviceOptions options,
+        AbCipPlcFamilyProfile profile)
+    {
+        public AbCipHostAddress ParsedAddress { get; } = parsedAddress;
+        public AbCipDeviceOptions Options { get; } = options;
+        public AbCipPlcFamilyProfile Profile { get; } = profile;
+
+        public Dictionary<string, PlcTagHandle> TagHandles { get; } =
+            new(StringComparer.OrdinalIgnoreCase);
+
+        /// <summary>
+        ///     Per-tag runtime handles owned by this device. One entry per configured tag is
+        ///     created lazily on first read (see <see cref="AbCipDriver.EnsureTagRuntimeAsync"/>).
+        /// </summary>
+        public Dictionary<string, IAbCipTagRuntime> Runtimes { get; } =
+            new(StringComparer.OrdinalIgnoreCase);
+
+        public void DisposeHandles()
+        {
+            foreach (var h in TagHandles.Values) h.Dispose();
+            TagHandles.Clear();
+            foreach (var r in Runtimes.Values) r.Dispose();
+            Runtimes.Clear();
+        }
+    }
+}
--- a/src/ZB.MOM.WW.OtOpcUa.Driver.AbCip/AbCipDriverOptions.cs
+++ b/src/ZB.MOM.WW.OtOpcUa.Driver.AbCip/AbCipDriverOptions.cs
@@ -0,0 +1,91 @@
+namespace ZB.MOM.WW.OtOpcUa.Driver.AbCip;
+
+/// <summary>
+///     AB CIP / EtherNet-IP driver configuration, bound from the driver's <c>DriverConfig</c>
+///     JSON at <c>DriverHost.RegisterAsync</c>. One instance supports N devices (PLCs) behind
+///     the same driver; per-device routing is keyed on <see cref="AbCipDeviceOptions.HostAddress"/>
+///     via <c>IPerCallHostResolver</c>.
+/// </summary>
+/// <remarks>
+///     Per v2 plan decisions #11 (libplctag), #41 (AbCip vs AbLegacy split), #143–144 (per-call
+///     host resolver + resilience keys), #144 (bulkhead keyed on <c>(DriverInstanceId, HostName)</c>).
+/// </remarks>
+public sealed class AbCipDriverOptions
+{
+    /// <summary>
+    ///     PLCs this driver instance talks to. Each device contributes its own <see cref="AbCipHostAddress"/>
+    ///     string as the <c>hostName</c> key used by resilience pipelines and the Admin UI.
+    /// </summary>
+    public IReadOnlyList<AbCipDeviceOptions> Devices { get; init; } = [];
+
+    /// <summary>Pre-declared tag map across all devices — AB discovery lands in PR 5.</summary>
+    public IReadOnlyList<AbCipTagDefinition> Tags { get; init; } = [];
+
+    /// <summary>Per-device probe settings. Falls back to defaults when omitted.</summary>
+    public AbCipProbeOptions Probe { get; init; } = new();
+
+    /// <summary>
+    ///     Default libplctag call timeout applied to reads/writes/discovery when the caller does
+    ///     not pass a more specific value. Matches the Modbus driver's 2-second default.
+    /// </summary>
+    public TimeSpan Timeout { get; init; } = TimeSpan.FromSeconds(2);
+}
+
+/// <summary>
+///     One PLC endpoint. <see cref="HostAddress"/> must parse via
+///     <see cref="AbCipHostAddress.TryParse"/>; misconfigured devices fail driver
+///     initialization rather than silently connecting to nothing.
+/// </summary>
+/// <param name="HostAddress">Canonical <c>ab://gateway[:port]/cip-path</c> string.</param>
+/// <param name="PlcFamily">Which per-family profile to apply. Determines ConnectionSize,
+///     request-packing support, unconnected-only hint, and other quirks.</param>
+/// <param name="DeviceName">Optional display label for Admin UI. Falls back to <see cref="HostAddress"/>.</param>
+public sealed record AbCipDeviceOptions(
+    string HostAddress,
+    AbCipPlcFamily PlcFamily = AbCipPlcFamily.ControlLogix,
+    string? DeviceName = null);
+
+/// <summary>
+///     One AB-backed OPC UA variable. Mirrors the <c>ModbusTagDefinition</c> shape.
+/// </summary>
+/// <param name="Name">Tag name; becomes the OPC UA browse name and full reference.</param>
+/// <param name="DeviceHostAddress">Which device (<see cref="AbCipDeviceOptions.HostAddress"/>) this tag lives on.</param>
+/// <param name="TagPath">Logix symbolic path (controller or program scope).</param>
+/// <param name="DataType">Logix atomic type, or <see cref="AbCipDataType.Structure"/> for UDT-typed tags.</param>
+/// <param name="Writable">When <c>true</c> and the tag's ExternalAccess permits writes, IWritable routes writes here.</param>
+/// <param name="WriteIdempotent">Per plan decisions #44–#45, #143 — safe to replay on write timeout. Default <c>false</c>.</param>
+public sealed record AbCipTagDefinition(
+    string Name,
+    string DeviceHostAddress,
+    string TagPath,
+    AbCipDataType DataType,
+    bool Writable = true,
+    bool WriteIdempotent = false);
+
+/// <summary>Which AB PLC family the device is — selects the profile applied to connection params.</summary>
+public enum AbCipPlcFamily
+{
+    ControlLogix,
+    CompactLogix,
+    Micro800,
+    GuardLogix,
+}
+
+/// <summary>
+///     Background connectivity-probe settings. Enabled by default; the probe reads a cheap tag
+///     on the PLC at the configured interval to drive <see cref="Core.Abstractions.IHostConnectivityProbe"/>
+///     state transitions + Admin UI health status.
+/// </summary>
+public sealed class AbCipProbeOptions
+{
+    public bool Enabled { get; init; } = true;
+    public TimeSpan Interval { get; init; } = TimeSpan.FromSeconds(5);
+    public TimeSpan Timeout { get; init; } = TimeSpan.FromSeconds(2);
+
+    /// <summary>
+    ///     Tag path used for the probe. If null, the driver attempts to read a default
+    ///     system tag (PR 8 wires this up — the choice is family-dependent, e.g.
+    ///     <c>@raw_cpu_type</c> on ControlLogix or a user-configured probe tag on Micro800).
+    /// </summary>
+    public string? ProbeTagPath { get; init; }
+}
--- a/src/ZB.MOM.WW.OtOpcUa.Driver.AbCip/AbCipHostAddress.cs
+++ b/src/ZB.MOM.WW.OtOpcUa.Driver.AbCip/AbCipHostAddress.cs
@@ -0,0 +1,68 @@
+namespace ZB.MOM.WW.OtOpcUa.Driver.AbCip;
+
+/// <summary>
+///     Parsed <c>ab://gateway[:port]/cip-path</c> host-address string used by the AbCip driver
+///     as the <c>hostName</c> key across <see cref="Core.Abstractions.IHostConnectivityProbe"/>,
+///     <see cref="Core.Abstractions.IPerCallHostResolver"/>, and the Polly bulkhead key
+///     <c>(DriverInstanceId, hostName)</c> per v2 plan decision #144.
+/// </summary>
+/// <remarks>
+///     <para>Format matches what libplctag's <c>gateway=...</c> + <c>path=...</c> attributes
+///     consume, so no translation is needed at the wire layer — the parsed <see cref="CipPath"/>
+///     is handed to the native library verbatim.</para>
+///     <list type="bullet">
+///         <item><c>ab://10.0.0.5/1,0</c> — single-chassis ControlLogix, CPU in slot 0.</item>
+///         <item><c>ab://10.0.0.5/1,4</c> — CPU in slot 4.</item>
+///         <item><c>ab://10.0.0.5/1,2,2,192.168.50.20,1,0</c> — bridged ControlLogix.</item>
+///         <item><c>ab://10.0.0.5/</c> (empty path) — Micro800 / MicroLogix without backplane routing.</item>
+///         <item><c>ab://10.0.0.5:44818/1,0</c> — explicit EIP port (default 44818).</item>
+///     </list>
+///     <para>Opaque to the rest of the stack: Admin UI, telemetry, and logs display the full
+///     string so an incident ticket can be matched to the exact gateway + CIP route.</para>
+/// </remarks>
+public sealed record AbCipHostAddress(string Gateway, int Port, string CipPath)
+{
+    /// <summary>Default EtherNet/IP TCP port — spec-reserved.</summary>
+    public const int DefaultEipPort = 44818;
+
+    /// <summary>Recompose the canonical <c>ab://...</c> form.</summary>
+    public override string ToString() => Port == DefaultEipPort
+        ? $"ab://{Gateway}/{CipPath}"
+        : $"ab://{Gateway}:{Port}/{CipPath}";
+
+    /// <summary>
+    ///     Parse <paramref name="value"/>. Returns <c>null</c> on any malformed input — callers
+    ///     should treat a null return as a config-validation failure rather than catching.
+    /// </summary>
+    public static AbCipHostAddress? TryParse(string? value)
+    {
+        if (string.IsNullOrWhiteSpace(value)) return null;
+        const string prefix = "ab://";
+        if (!value.StartsWith(prefix, StringComparison.OrdinalIgnoreCase)) return null;
+
+        var remainder = value[prefix.Length..];
+        var slashIdx = remainder.IndexOf('/');
+        if (slashIdx < 0) return null;
+
+        var authority = remainder[..slashIdx];
+        var cipPath = remainder[(slashIdx + 1)..];
+        if (string.IsNullOrEmpty(authority)) return null;
+
+        var port = DefaultEipPort;
+        var colonIdx = authority.LastIndexOf(':');
+        string gateway;
+        if (colonIdx >= 0)
+        {
+            gateway = authority[..colonIdx];
+            if (!int.TryParse(authority[(colonIdx + 1)..], out port) || port <= 0 || port > 65535)
+                return null;
+        }
+        else
+        {
+            gateway = authority;
+        }
+        if (string.IsNullOrEmpty(gateway)) return null;
+
+        return new AbCipHostAddress(gateway, port, cipPath);
+    }
+}
--- a/src/ZB.MOM.WW.OtOpcUa.Driver.AbCip/AbCipStatusMapper.cs
+++ b/src/ZB.MOM.WW.OtOpcUa.Driver.AbCip/AbCipStatusMapper.cs
@@ -0,0 +1,79 @@
+namespace ZB.MOM.WW.OtOpcUa.Driver.AbCip;
+
+/// <summary>
+///     Maps libplctag / CIP General Status codes to OPC UA StatusCodes. Mirrors the shape of
+///     <c>ModbusDriver.MapModbusExceptionToStatus</c> so Admin UI status displays stay
+///     uniform across drivers.
+/// </summary>
+/// <remarks>
+///     <para>Coverage: the CIP general-status values an AB PLC actually returns during normal
+///     driver operation. Full CIP Volume 1 Appendix B lists 50+ codes; the ones here are the
+///     ones that move the driver's status needle:</para>
+///     <list type="bullet">
+///         <item>0x00 success — OPC UA <c>Good (0)</c>.</item>
+///         <item>0x04 path segment error / 0x05 path destination unknown — <c>BadNodeIdUnknown</c>
+///             (tag doesn't exist).</item>
+///         <item>0x06 partial data transfer — <c>GoodMoreData</c> (fragmented read underway).</item>
+///         <item>0x08 service not supported — <c>BadNotSupported</c> (e.g. write on a safety
+///             partition tag from a non-safety task).</item>
+///         <item>0x0A / 0x13 attribute-list error / insufficient data — <c>BadOutOfRange</c>
+///             (type mismatch or truncated buffer).</item>
+///         <item>0x0B already in requested mode — benign, treated as <c>Good</c>.</item>
+///         <item>0x0E attribute not settable — <c>BadNotWritable</c>.</item>
+///         <item>0x10 device state conflict — <c>BadDeviceFailure</c> (program-mode protected
+///             writes during download / test-mode transitions).</item>
+///         <item>0x16 object does not exist — <c>BadNodeIdUnknown</c>.</item>
+///         <item>0x1E embedded service error — unwrap to the extended status when possible.</item>
+///         <item>any libplctag <c>PLCTAG_STATUS_*</c> below zero — wrapped as
+///             <c>BadCommunicationError</c> until fine-grained mapping lands (PR 3).</item>
+///     </list>
+/// </remarks>
+public static class AbCipStatusMapper
+{
+    public const uint Good = 0u;
+    public const uint GoodMoreData = 0x00A70000u;
+    public const uint BadInternalError = 0x80020000u;
+    public const uint BadNodeIdUnknown = 0x80340000u;
+    public const uint BadNotWritable = 0x803B0000u;
+    public const uint BadOutOfRange = 0x803C0000u;
+    public const uint BadNotSupported = 0x803D0000u;
+    public const uint BadDeviceFailure = 0x80550000u;
+    public const uint BadCommunicationError = 0x80050000u;
+    public const uint BadTimeout = 0x800A0000u;
+    public const uint BadTypeMismatch = 0x80730000u;
+
+    /// <summary>Map a CIP general-status byte to an OPC UA StatusCode.</summary>
+    public static uint MapCipGeneralStatus(byte status) => status switch
+    {
+        0x00 => Good,
+        0x04 or 0x05 => BadNodeIdUnknown,
+        0x06 => GoodMoreData,
+        0x08 => BadNotSupported,
+        0x0A or 0x13 => BadOutOfRange,
+        0x0B => Good,
+        0x0E => BadNotWritable,
+        0x10 => BadDeviceFailure,
+        0x16 => BadNodeIdUnknown,
+        _ => BadInternalError,
+    };
+
+    /// <summary>
+    ///     Map a libplctag return/status code (<c>PLCTAG_STATUS_*</c>) to an OPC UA StatusCode.
+    ///     libplctag uses <c>0 = PLCTAG_STATUS_OK</c>, positive values for pending, negative
+    ///     values for errors.
+    /// </summary>
+    public static uint MapLibplctagStatus(int status)
+    {
+        if (status == 0) return Good;
+        if (status > 0) return GoodMoreData; // PLCTAG_STATUS_PENDING
+        return status switch
+        {
+            -5 => BadTimeout,              // PLCTAG_ERR_TIMEOUT
+            -7 => BadCommunicationError,   // PLCTAG_ERR_BAD_CONNECTION
+            -14 => BadNodeIdUnknown,       // PLCTAG_ERR_NOT_FOUND
+            -16 => BadNotWritable,         // PLCTAG_ERR_NOT_ALLOWED / read-only tag
+            -17 => BadOutOfRange,          // PLCTAG_ERR_OUT_OF_BOUNDS
+            _ => BadCommunicationError,
+        };
+    }
+}
--- a/src/ZB.MOM.WW.OtOpcUa.Driver.AbCip/AbCipTagPath.cs
+++ b/src/ZB.MOM.WW.OtOpcUa.Driver.AbCip/AbCipTagPath.cs
@@ -0,0 +1,132 @@
+namespace ZB.MOM.WW.OtOpcUa.Driver.AbCip;
+
+/// <summary>
+///     Parsed Logix-symbolic tag path. Handles controller-scope (<c>Motor1_Speed</c>),
+///     program-scope (<c>Program:MainProgram.StepIndex</c>), structured member access
+///     (<c>Motor1.Speed.Setpoint</c>), array subscripts (<c>Array[0]</c>, <c>Matrix[1,2]</c>),
+///     and bit-within-DINT access (<c>Flags.3</c>). Reassembles the canonical Logix syntax via
+///     <see cref="ToLibplctagName"/>, which is the exact string libplctag's <c>name=...</c>
+///     attribute consumes.
+/// </summary>
+/// <remarks>
+///     Scope + members + subscripts are captured structurally so PR 6 (UDT support) can walk
+///     the path against a cached template without re-parsing. <see cref="BitIndex"/> is
+///     non-null only when the trailing segment is a decimal integer between 0 and 31 that
+///     parses as a bit-selector — this is the <c>.N</c> syntax documented in the Logix 5000
+///     General Instructions Reference §Tags, and it applies only to DINT-typed parents. The
+///     parser does not validate the parent type (requires live template data) — it accepts the
+///     shape and defers type-correctness to the runtime.
+/// </remarks>
+public sealed record AbCipTagPath(
+    string? ProgramScope,
+    IReadOnlyList<AbCipTagPathSegment> Segments,
+    int? BitIndex)
+{
+    /// <summary>Rebuild the canonical Logix tag string.</summary>
+    public string ToLibplctagName()
+    {
+        var buf = new System.Text.StringBuilder();
+        if (ProgramScope is not null)
+            buf.Append("Program:").Append(ProgramScope).Append('.');
+
+        for (var i = 0; i < Segments.Count; i++)
+        {
+            if (i > 0) buf.Append('.');
+            var seg = Segments[i];
+            buf.Append(seg.Name);
+            if (seg.Subscripts.Count > 0)
+                buf.Append('[').Append(string.Join(",", seg.Subscripts)).Append(']');
+        }
+        if (BitIndex is not null) buf.Append('.').Append(BitIndex.Value);
+        return buf.ToString();
+    }
+
+    /// <summary>
+    ///     Parse a Logix-symbolic tag reference. Returns <c>null</c> on a shape the parser
+    ///     doesn't support — the driver surfaces that as a config-validation error rather than
+    ///     attempting a best-effort translation.
+    /// </summary>
+    public static AbCipTagPath? TryParse(string? value)
+    {
+        if (string.IsNullOrWhiteSpace(value)) return null;
+        var src = value.Trim();
+
+        string? programScope = null;
+        const string programPrefix = "Program:";
+        if (src.StartsWith(programPrefix, StringComparison.OrdinalIgnoreCase))
+        {
+            var afterPrefix = src[programPrefix.Length..];
+            var dotIdx = afterPrefix.IndexOf('.');
+            if (dotIdx <= 0) return null;
+            programScope = afterPrefix[..dotIdx];
+            src = afterPrefix[(dotIdx + 1)..];
+            if (string.IsNullOrEmpty(src)) return null;
+        }
+
+        // Split on dots, but preserve any [i,j] subscript runs that contain only digits + commas.
+        var parts = new List<string>();
+        var depth = 0;
+        var start = 0;
+        for (var i = 0; i < src.Length; i++)
+        {
+            var c = src[i];
+            if (c == '[') depth++;
+            else if (c == ']') depth--;
+            else if (c == '.' && depth == 0)
+            {
+                parts.Add(src[start..i]);
+                start = i + 1;
+            }
+        }
+        parts.Add(src[start..]);
+        if (depth != 0 || parts.Any(string.IsNullOrEmpty)) return null;
+
+        int? bitIndex = null;
+        if (parts.Count >= 2 && int.TryParse(parts[^1], out var maybeBit)
+            && maybeBit is >= 0 and <= 31
+            && !parts[^1].Contains('['))
+        {
+            bitIndex = maybeBit;
+            parts.RemoveAt(parts.Count - 1);
+        }
+
+        var segments = new List<AbCipTagPathSegment>(parts.Count);
+        foreach (var part in parts)
+        {
+            var bracketIdx = part.IndexOf('[');
+            if (bracketIdx < 0)
+            {
+                if (!IsValidIdent(part)) return null;
+                segments.Add(new AbCipTagPathSegment(part, []));
+                continue;
+            }
+            if (!part.EndsWith(']')) return null;
+            var name = part[..bracketIdx];
+            if (!IsValidIdent(name)) return null;
+            var inner = part[(bracketIdx + 1)..^1];
+            var subs = new List<int>();
+            foreach (var tok in inner.Split(','))
+            {
+                if (!int.TryParse(tok, out var n) || n < 0) return null;
+                subs.Add(n);
+            }
+            if (subs.Count == 0) return null;
+            segments.Add(new AbCipTagPathSegment(name, subs));
+        }
+        if (segments.Count == 0) return null;
+
+        return new AbCipTagPath(programScope, segments, bitIndex);
+    }
+
+    private static bool IsValidIdent(string s)
+    {
+        if (string.IsNullOrEmpty(s)) return false;
+        if (!char.IsLetter(s[0]) && s[0] != '_') return false;
+        for (var i = 1; i < s.Length; i++)
+            if (!char.IsLetterOrDigit(s[i]) && s[i] != '_') return false;
+        return true;
+    }
+}
+
+/// <summary>One path segment: a member name plus any numeric subscripts.</summary>
+public sealed record AbCipTagPathSegment(string Name, IReadOnlyList<int> Subscripts);
--- a/src/ZB.MOM.WW.OtOpcUa.Driver.AbCip/IAbCipTagRuntime.cs
+++ b/src/ZB.MOM.WW.OtOpcUa.Driver.AbCip/IAbCipTagRuntime.cs
@@ -0,0 +1,63 @@
+namespace ZB.MOM.WW.OtOpcUa.Driver.AbCip;
+
+/// <summary>
+///     Thin wire-layer abstraction over a single CIP tag. The driver holds one instance per
+///     <c>(device, tag path)</c> pair; the default implementation delegates to
+///     <see cref="LibplctagTagRuntime"/>. Tests swap in a fake via
+///     <see cref="IAbCipTagFactory"/> so the driver's read / write / status-mapping logic can
+///     be exercised without a running PLC or the native libplctag binary.
+/// </summary>
+public interface IAbCipTagRuntime : IDisposable
+{
+    /// <summary>Create the underlying native tag (equivalent to libplctag's <c>plc_tag_create</c>).</summary>
+    Task InitializeAsync(CancellationToken cancellationToken);
+
+    /// <summary>Issue a read; on completion the local buffer holds the current PLC value.</summary>
+    Task ReadAsync(CancellationToken cancellationToken);
+
+    /// <summary>Flush the local buffer to the PLC.</summary>
+    Task WriteAsync(CancellationToken cancellationToken);
+
+    /// <summary>
+    ///     Raw libplctag status code — mapped to an OPC UA StatusCode via
+    ///     <see cref="AbCipStatusMapper.MapLibplctagStatus"/>. Zero on success, negative on error.
+    /// </summary>
+    int GetStatus();
+
+    /// <summary>
+    ///     Decode the local buffer into a boxed .NET value per the tag's configured type.
+    ///     <paramref name="bitIndex"/> is non-null only for BOOL-within-DINT tags captured in
+    ///     the <c>.N</c> syntax at parse time.
+    /// </summary>
+    object? DecodeValue(AbCipDataType type, int? bitIndex);
+
+    /// <summary>
+    ///     Encode <paramref name="value"/> into the local buffer per the tag's type. Callers
+    ///     pair this with <see cref="WriteAsync"/>.
+    /// </summary>
+    void EncodeValue(AbCipDataType type, int? bitIndex, object? value);
+}
+
+/// <summary>
+///     Factory for per-tag runtime handles. Instantiated once per driver, consumed per
+///     <c>(device, tag path)</c> pair at the first read/write.
+/// </summary>
+public interface IAbCipTagFactory
+{
+    IAbCipTagRuntime Create(AbCipTagCreateParams createParams);
+}
+
+/// <summary>Everything libplctag needs to materialise a tag handle.</summary>
+/// <param name="Gateway">Gateway IP / hostname parsed from <see cref="AbCipHostAddress.Gateway"/>.</param>
+/// <param name="Port">EtherNet/IP TCP port — default 44818.</param>
+/// <param name="CipPath">CIP route path, e.g. <c>1,0</c>. Empty for Micro800.</param>
+/// <param name="LibplctagPlcAttribute">libplctag <c>plc=...</c> attribute, per family profile.</param>
+/// <param name="TagName">Logix symbolic tag name as emitted by <see cref="AbCipTagPath.ToLibplctagName"/>.</param>
+/// <param name="Timeout">libplctag operation timeout (applies to Initialize / Read / Write).</param>
+public sealed record AbCipTagCreateParams(
+    string Gateway,
+    int Port,
+    string CipPath,
+    string LibplctagPlcAttribute,
+    string TagName,
+    TimeSpan Timeout);
--- a/src/ZB.MOM.WW.OtOpcUa.Driver.AbCip/LibplctagTagRuntime.cs
+++ b/src/ZB.MOM.WW.OtOpcUa.Driver.AbCip/LibplctagTagRuntime.cs
@@ -0,0 +1,137 @@
+using libplctag;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.AbCip;
+
+/// <summary>
+///     Default libplctag-backed <see cref="IAbCipTagRuntime"/>. Wraps a <see cref="Tag"/>
+///     instance + translates our <see cref="AbCipDataType"/> enum into the
+///     <c>GetInt32</c> / <c>GetFloat32</c> / <c>GetString</c> / <c>GetBit</c> calls libplctag
+///     exposes. One runtime instance per <c>(device, tag path)</c>; lifetime is owned by the
+///     driver's per-device state dict.
+/// </summary>
+internal sealed class LibplctagTagRuntime : IAbCipTagRuntime
+{
+    private readonly Tag _tag;
+
+    public LibplctagTagRuntime(AbCipTagCreateParams p)
+    {
+        _tag = new Tag
+        {
+            Gateway = p.Gateway,
+            Path = p.CipPath,
+            PlcType = MapPlcType(p.LibplctagPlcAttribute),
+            Protocol = Protocol.ab_eip,
+            Name = p.TagName,
+            Timeout = p.Timeout,
+        };
+    }
+
+    public Task InitializeAsync(CancellationToken cancellationToken) => _tag.InitializeAsync(cancellationToken);
+    public Task ReadAsync(CancellationToken cancellationToken) => _tag.ReadAsync(cancellationToken);
+    public Task WriteAsync(CancellationToken cancellationToken) => _tag.WriteAsync(cancellationToken);
+
+    public int GetStatus() => (int)_tag.GetStatus();
+
+    public object? DecodeValue(AbCipDataType type, int? bitIndex) => type switch
+    {
+        AbCipDataType.Bool => bitIndex is int bit
+            ? _tag.GetBit(bit)
+            : _tag.GetInt8(0) != 0,
+        AbCipDataType.SInt => (int)(sbyte)_tag.GetInt8(0),
+        AbCipDataType.USInt => (int)_tag.GetUInt8(0),
+        AbCipDataType.Int => (int)_tag.GetInt16(0),
+        AbCipDataType.UInt => (int)_tag.GetUInt16(0),
+        AbCipDataType.DInt => _tag.GetInt32(0),
+        AbCipDataType.UDInt => (int)_tag.GetUInt32(0),
+        AbCipDataType.LInt => _tag.GetInt64(0),
+        AbCipDataType.ULInt => (long)_tag.GetUInt64(0),
+        AbCipDataType.Real => _tag.GetFloat32(0),
+        AbCipDataType.LReal => _tag.GetFloat64(0),
+        AbCipDataType.String => _tag.GetString(0),
+        AbCipDataType.Dt => _tag.GetInt32(0), // seconds-since-epoch DINT; consumer widens as needed
+        AbCipDataType.Structure => null,       // UDT whole-tag decode lands in PR 6
+        _ => null,
+    };
+
+    public void EncodeValue(AbCipDataType type, int? bitIndex, object? value)
+    {
+        switch (type)
+        {
+            case AbCipDataType.Bool:
+                if (bitIndex is int bit)
+                {
+                    // BOOL-within-DINT writes require read-modify-write on the parent DINT.
+                    // Deferred to a follow-up PR — matches the Modbus BitInRegister pattern at
+                    // ModbusDriver.cs:640.
+                    throw new NotSupportedException(
+                        "BOOL-within-DINT writes require read-modify-write; not implemented in PR 4.");
+                }
+                _tag.SetInt8(0, Convert.ToBoolean(value) ? (sbyte)1 : (sbyte)0);
+                break;
+            case AbCipDataType.SInt:
+                _tag.SetInt8(0, Convert.ToSByte(value));
+                break;
+            case AbCipDataType.USInt:
+                _tag.SetUInt8(0, Convert.ToByte(value));
+                break;
+            case AbCipDataType.Int:
+                _tag.SetInt16(0, Convert.ToInt16(value));
+                break;
+            case AbCipDataType.UInt:
+                _tag.SetUInt16(0, Convert.ToUInt16(value));
+                break;
+            case AbCipDataType.DInt:
+                _tag.SetInt32(0, Convert.ToInt32(value));
+                break;
+            case AbCipDataType.UDInt:
+                _tag.SetUInt32(0, Convert.ToUInt32(value));
+                break;
+            case AbCipDataType.LInt:
+                _tag.SetInt64(0, Convert.ToInt64(value));
+                break;
+            case AbCipDataType.ULInt:
+                _tag.SetUInt64(0, Convert.ToUInt64(value));
+                break;
+            case AbCipDataType.Real:
+                _tag.SetFloat32(0, Convert.ToSingle(value));
+                break;
+            case AbCipDataType.LReal:
+                _tag.SetFloat64(0, Convert.ToDouble(value));
+                break;
+            case AbCipDataType.String:
+                _tag.SetString(0, Convert.ToString(value) ?? string.Empty);
+                break;
+            case AbCipDataType.Dt:
+                _tag.SetInt32(0, Convert.ToInt32(value));
+                break;
+            case AbCipDataType.Structure:
+                throw new NotSupportedException("Whole-UDT writes land in PR 6.");
+            default:
+                throw new NotSupportedException($"AbCipDataType {type} not writable.");
+        }
+    }
+
+    public void Dispose() => _tag.Dispose();
+
+    private static PlcType MapPlcType(string attribute) => attribute switch
+    {
+        "controllogix" => PlcType.ControlLogix,
+        "compactlogix" => PlcType.ControlLogix, // libplctag treats CompactLogix under ControlLogix family
+        "micro800" => PlcType.Micro800,
+        "micrologix" => PlcType.MicroLogix,
+        "slc500" => PlcType.Slc500,
+        "plc5" => PlcType.Plc5,
+        "omron-njnx" => PlcType.Omron,
+        _ => PlcType.ControlLogix,
+    };
+}
+
+/// <summary>
+///     Default <see cref="IAbCipTagFactory"/> — creates a fresh <see cref="LibplctagTagRuntime"/>
+///     per call. Stateless; safe to share across devices.
+/// </summary>
+internal sealed class LibplctagTagFactory : IAbCipTagFactory
+{
+    public IAbCipTagRuntime Create(AbCipTagCreateParams createParams) =>
+        new LibplctagTagRuntime(createParams);
+}
--- a/src/ZB.MOM.WW.OtOpcUa.Driver.AbCip/PlcFamilies/AbCipPlcFamilyProfile.cs
+++ b/src/ZB.MOM.WW.OtOpcUa.Driver.AbCip/PlcFamilies/AbCipPlcFamilyProfile.cs
@@ -0,0 +1,62 @@
+namespace ZB.MOM.WW.OtOpcUa.Driver.AbCip.PlcFamilies;
+
+/// <summary>
+///     Per-family libplctag defaults. Picked up at device-initialization time so each PLC
+///     family gets the correct ConnectionSize, path semantics, and quirks applied without
+///     the caller having to know the protocol-level differences.
+/// </summary>
+/// <remarks>
+///     Mirrors the shape of the Modbus driver's per-family profiles (DL205, Siemens S7,
+///     Mitsubishi MELSEC). ControlLogix is the baseline; each subsequent family is a delta.
+///     Family-specific wire tests ship in PRs 9–12.
+/// </remarks>
+public sealed record AbCipPlcFamilyProfile(
+    string LibplctagPlcAttribute,
+    int DefaultConnectionSize,
+    string DefaultCipPath,
+    bool SupportsRequestPacking,
+    bool SupportsConnectedMessaging,
+    int MaxFragmentBytes)
+{
+    /// <summary>Look up the profile for a configured family.</summary>
+    public static AbCipPlcFamilyProfile ForFamily(AbCipPlcFamily family) => family switch
+    {
+        AbCipPlcFamily.ControlLogix => ControlLogix,
+        AbCipPlcFamily.CompactLogix => CompactLogix,
+        AbCipPlcFamily.Micro800 => Micro800,
+        AbCipPlcFamily.GuardLogix => GuardLogix,
+        _ => ControlLogix,
+    };
+
+    public static readonly AbCipPlcFamilyProfile ControlLogix = new(
+        LibplctagPlcAttribute: "controllogix",
+        DefaultConnectionSize: 4002, // Large Forward Open; FW20+
+        DefaultCipPath: "1,0",
+        SupportsRequestPacking: true,
+        SupportsConnectedMessaging: true,
+        MaxFragmentBytes: 4000);
+
+    public static readonly AbCipPlcFamilyProfile CompactLogix = new(
+        LibplctagPlcAttribute: "compactlogix",
+        DefaultConnectionSize: 504, // 5069-L3x narrower buffer; safe baseline that never over-shoots
+        DefaultCipPath: "1,0",
+        SupportsRequestPacking: true,
+        SupportsConnectedMessaging: true,
+        MaxFragmentBytes: 500);
+
+    public static readonly AbCipPlcFamilyProfile Micro800 = new(
+        LibplctagPlcAttribute: "micro800",
+        DefaultConnectionSize: 488, // Micro800 hard cap
+        DefaultCipPath: "",         // no backplane routing
+        SupportsRequestPacking: false,
+        SupportsConnectedMessaging: false, // unconnected-only on most models
+        MaxFragmentBytes: 484);
+
+    public static readonly AbCipPlcFamilyProfile GuardLogix = new(
+        LibplctagPlcAttribute: "controllogix", // wire protocol identical; safety partition is tag-level
+        DefaultConnectionSize: 4002,
+        DefaultCipPath: "1,0",
+        SupportsRequestPacking: true,
+        SupportsConnectedMessaging: true,
+        MaxFragmentBytes: 4000);
+}
--- a/src/ZB.MOM.WW.OtOpcUa.Driver.AbCip/PlcTagHandle.cs
+++ b/src/ZB.MOM.WW.OtOpcUa.Driver.AbCip/PlcTagHandle.cs
@@ -0,0 +1,59 @@
+using System.Runtime.InteropServices;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.AbCip;
+
+/// <summary>
+///     <see cref="SafeHandle"/> wrapper around a libplctag native tag handle (an <c>int32</c>
+///     returned from <c>plc_tag_create_ex</c>). Owns lifetime of the native allocation so a
+///     leaked / GC-collected <see cref="PlcTagHandle"/> still calls <c>plc_tag_destroy</c>
+///     during finalization — necessary because native libplctag allocations are opaque to
+///     the driver's <see cref="Core.Abstractions.IDriver.GetMemoryFootprint"/>.
+/// </summary>
+/// <remarks>
+///     <para>Risk documented in driver-specs.md §3 ("Operational Stability Notes"): the CLR
+///     allocation tracker doesn't see libplctag's native heap, only whole-process RSS can.
+///     Every handle leaked past its useful life is a direct contributor to the Tier-B recycle
+///     trigger, so owning lifetime via SafeHandle is non-negotiable.</para>
+///
+///     <para><see cref="IsInvalid"/> is <c>true</c> when the native ID is &lt;= 0 — libplctag
+///     returns negative <c>PLCTAG_ERR_*</c> codes on <c>plc_tag_create_ex</c> failure, which
+///     we surface as an invalid handle rather than a disposable one (destroying a negative
+///     handle would be undefined behavior in the native library).</para>
+///
+///     <para>The actual <c>DllImport</c> for <c>plc_tag_destroy</c> is deferred to PR 3 when
+///     the driver first makes wire calls — PR 2 ships the lifetime scaffold + tests only.
+///     Until the P/Invoke lands, <see cref="ReleaseHandle"/> is a no-op; the finalizer still
+///     runs so the integration is correct as soon as the import is added.</para>
+/// </remarks>
+public sealed class PlcTagHandle : SafeHandle
+{
+    /// <summary>Construct an invalid handle placeholder (use <see cref="FromNative"/> once created).</summary>
+    public PlcTagHandle() : base(invalidHandleValue: IntPtr.Zero, ownsHandle: true) { }
+
+    private PlcTagHandle(int nativeId) : base(invalidHandleValue: IntPtr.Zero, ownsHandle: true)
+    {
+        SetHandle(new IntPtr(nativeId));
+    }
+
+    /// <summary>Handle is invalid when the native ID is zero or negative (libplctag error).</summary>
+    public override bool IsInvalid => handle.ToInt32() <= 0;
+
+    /// <summary>Integer ID libplctag issued on <c>plc_tag_create_ex</c>.</summary>
+    public int NativeId => handle.ToInt32();
+
+    /// <summary>Wrap a native tag ID returned from libplctag.</summary>
+    public static PlcTagHandle FromNative(int nativeId) => new(nativeId);
+
+    /// <summary>
+    ///     Destroy the native tag. No-op for PR 2 (the wire P/Invoke lands in PR 3). The base
+    ///     <see cref="SafeHandle"/> machinery still guarantees this runs exactly once per
+    ///     handle — either during <see cref="SafeHandle.Dispose()"/> or during finalization
+    ///     if the owner was GC'd without explicit Dispose.
+    /// </summary>
+    protected override bool ReleaseHandle()
+    {
+        if (IsInvalid) return true;
+        // PR 3: wire up plc_tag_destroy(handle.ToInt32()) once the DllImport lands.
+        return true;
+    }
+}
--- a/src/ZB.MOM.WW.OtOpcUa.Driver.AbCip/ZB.MOM.WW.OtOpcUa.Driver.AbCip.csproj
+++ b/src/ZB.MOM.WW.OtOpcUa.Driver.AbCip/ZB.MOM.WW.OtOpcUa.Driver.AbCip.csproj
@@ -0,0 +1,30 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+    <PropertyGroup>
+        <TargetFramework>net10.0</TargetFramework>
+        <Nullable>enable</Nullable>
+        <ImplicitUsings>enable</ImplicitUsings>
+        <LangVersion>latest</LangVersion>
+        <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
+        <GenerateDocumentationFile>true</GenerateDocumentationFile>
+        <NoWarn>$(NoWarn);CS1591</NoWarn>
+        <RootNamespace>ZB.MOM.WW.OtOpcUa.Driver.AbCip</RootNamespace>
+        <AssemblyName>ZB.MOM.WW.OtOpcUa.Driver.AbCip</AssemblyName>
+    </PropertyGroup>
+
+    <ItemGroup>
+        <ProjectReference Include="..\ZB.MOM.WW.OtOpcUa.Core.Abstractions\ZB.MOM.WW.OtOpcUa.Core.Abstractions.csproj"/>
+    </ItemGroup>
+
+    <ItemGroup>
+        <!-- libplctag managed wrapper (pulls in libplctag.NativeImport transitively).
+             Decision #11 — EtherNet/IP + CIP + Logix symbolic against ControlLogix / CompactLogix /
+             Micro800 / SLC500 / PLC-5. -->
+        <PackageReference Include="libplctag" Version="1.5.2"/>
+    </ItemGroup>
+
+    <ItemGroup>
+        <InternalsVisibleTo Include="ZB.MOM.WW.OtOpcUa.Driver.AbCip.Tests"/>
+    </ItemGroup>
+
+</Project>
--- a/src/ZB.MOM.WW.OtOpcUa.Driver.Modbus/ModbusDriver.cs
+++ b/src/ZB.MOM.WW.OtOpcUa.Driver.Modbus/ModbusDriver.cs
@@ -11,19 +11,17 @@ namespace ZB.MOM.WW.OtOpcUa.Driver.Modbus;
 ///     <c>IReadable</c>/<c>IWritable</c> abstractions generalize beyond Galaxy.
 /// </summary>
 /// <remarks>
-///     Scope limits: synchronous Read/Write only, no subscriptions (Modbus has no push model;
-///     subscriptions would need a polling loop over the declared tags — additive PR). Historian
-///     + alarm capabilities are out of scope (the protocol doesn't express them).
+///     Scope limits: Historian + alarm capabilities are out of scope (the protocol doesn't
+///     express them). Subscriptions overlay a polling loop via the shared
+///     <see cref="PollGroupEngine"/> since Modbus has no native push model.
 /// </remarks>
-public sealed class ModbusDriver(ModbusDriverOptions options, string driverInstanceId,
-    Func<ModbusDriverOptions, IModbusTransport>? transportFactory = null)
+public sealed class ModbusDriver
    : IDriver, ITagDiscovery, IReadable, IWritable, ISubscribable, IHostConnectivityProbe, IDisposable, IAsyncDisposable
 {
-    // Active polling subscriptions. Each subscription owns a background Task that polls the
-    // tags at its configured interval, diffs against _lastKnownValues, and fires OnDataChange
-    // per changed tag. UnsubscribeAsync cancels the task via the CTS stored on the handle.
-    private readonly System.Collections.Concurrent.ConcurrentDictionary<long, SubscriptionState> _subscriptions = new();
-    private long _nextSubscriptionId;
+    // Polled subscriptions delegate to the shared PollGroupEngine. The driver only supplies
+    // the reader + on-change bridge; the engine owns the loop, interval floor, and lifecycle.
+    private readonly PollGroupEngine _poll;
+    private readonly string _driverInstanceId;

    public event EventHandler<DataChangeEventArgs>? OnDataChange;
    public event EventHandler<HostStatusChangedEventArgs>? OnHostStatusChanged;
@@ -35,15 +33,28 @@ public sealed class ModbusDriver(ModbusDriverOptions options, string driverInsta
    private HostState _hostState = HostState.Unknown;
    private DateTime _hostStateChangedUtc = DateTime.UtcNow;
    private CancellationTokenSource? _probeCts;
-    private readonly ModbusDriverOptions _options = options;
-    private readonly Func<ModbusDriverOptions, IModbusTransport> _transportFactory =
-        transportFactory ?? (o => new ModbusTcpTransport(o.Host, o.Port, o.Timeout, o.AutoReconnect));
+    private readonly ModbusDriverOptions _options;
+    private readonly Func<ModbusDriverOptions, IModbusTransport> _transportFactory;

    private IModbusTransport? _transport;
    private DriverHealth _health = new(DriverState.Unknown, null, null);
    private readonly Dictionary<string, ModbusTagDefinition> _tagsByName = new(StringComparer.OrdinalIgnoreCase);

-    public string DriverInstanceId => driverInstanceId;
+    public ModbusDriver(ModbusDriverOptions options, string driverInstanceId,
+        Func<ModbusDriverOptions, IModbusTransport>? transportFactory = null)
+    {
+        ArgumentNullException.ThrowIfNull(options);
+        _options = options;
+        _driverInstanceId = driverInstanceId;
+        _transportFactory = transportFactory
+            ?? (o => new ModbusTcpTransport(o.Host, o.Port, o.Timeout, o.AutoReconnect));
+        _poll = new PollGroupEngine(
+            reader: ReadAsync,
+            onChange: (handle, tagRef, snapshot) =>
+                OnDataChange?.Invoke(this, new DataChangeEventArgs(handle, tagRef, snapshot)));
+    }
+
+    public string DriverInstanceId => _driverInstanceId;
    public string DriverType => "Modbus";

    public async Task InitializeAsync(string driverConfigJson, CancellationToken cancellationToken)
@@ -84,12 +95,7 @@ public sealed class ModbusDriver(ModbusDriverOptions options, string driverInsta
        _probeCts?.Dispose();
        _probeCts = null;

-        foreach (var state in _subscriptions.Values)
-        {
-            try { state.Cts.Cancel(); } catch { }
-            state.Cts.Dispose();
-        }
-        _subscriptions.Clear();
+        await _poll.DisposeAsync().ConfigureAwait(false);

        if (_transport is not null) await _transport.DisposeAsync().ConfigureAwait(false);
        _transport = null;
@@ -303,85 +309,18 @@ public sealed class ModbusDriver(ModbusDriverOptions options, string driverInsta
        }
    }

-    // ---- ISubscribable (polling overlay) ----
+    // ---- ISubscribable (polling overlay via shared engine) ----

    public Task<ISubscriptionHandle> SubscribeAsync(
-        IReadOnlyList<string> fullReferences, TimeSpan publishingInterval, CancellationToken cancellationToken)
-    {
-        var id = Interlocked.Increment(ref _nextSubscriptionId);
-        var cts = new CancellationTokenSource();
-        var interval = publishingInterval < TimeSpan.FromMilliseconds(100)
-            ? TimeSpan.FromMilliseconds(100) // floor — Modbus can't sustain < 100ms polling reliably
-            : publishingInterval;
-        var handle = new ModbusSubscriptionHandle(id);
-        var state = new SubscriptionState(handle, [.. fullReferences], interval, cts);
-        _subscriptions[id] = state;
-        _ = Task.Run(() => PollLoopAsync(state, cts.Token), cts.Token);
-        return Task.FromResult<ISubscriptionHandle>(handle);
-    }
+        IReadOnlyList<string> fullReferences, TimeSpan publishingInterval, CancellationToken cancellationToken) =>
+        Task.FromResult(_poll.Subscribe(fullReferences, publishingInterval));

    public Task UnsubscribeAsync(ISubscriptionHandle handle, CancellationToken cancellationToken)
    {
-        if (handle is ModbusSubscriptionHandle h && _subscriptions.TryRemove(h.Id, out var state))
-        {
-            state.Cts.Cancel();
-            state.Cts.Dispose();
-        }
+        _poll.Unsubscribe(handle);
        return Task.CompletedTask;
    }

-    private async Task PollLoopAsync(SubscriptionState state, CancellationToken ct)
-    {
-        // Initial-data push: read every tag once at subscribe time so OPC UA clients see the
-        // current value per Part 4 convention, even if the value never changes thereafter.
-        try { await PollOnceAsync(state, forceRaise: true, ct).ConfigureAwait(false); }
-        catch (OperationCanceledException) { return; }
-        catch { /* first-read error — polling continues */ }
-
-        while (!ct.IsCancellationRequested)
-        {
-            try { await Task.Delay(state.Interval, ct).ConfigureAwait(false); }
-            catch (OperationCanceledException) { return; }
-
-            try { await PollOnceAsync(state, forceRaise: false, ct).ConfigureAwait(false); }
-            catch (OperationCanceledException) { return; }
-            catch { /* transient polling error — loop continues, health surface reflects it */ }
-        }
-    }
-
-    private async Task PollOnceAsync(SubscriptionState state, bool forceRaise, CancellationToken ct)
-    {
-        var snapshots = await ReadAsync(state.TagReferences, ct).ConfigureAwait(false);
-        for (var i = 0; i < state.TagReferences.Count; i++)
-        {
-            var tagRef = state.TagReferences[i];
-            var current = snapshots[i];
-            var lastSeen = state.LastValues.TryGetValue(tagRef, out var prev) ? prev : default;
-
-            // Raise on first read (forceRaise) OR when the boxed value differs from last-known.
-            if (forceRaise || !Equals(lastSeen?.Value, current.Value) || lastSeen?.StatusCode != current.StatusCode)
-            {
-                state.LastValues[tagRef] = current;
-                OnDataChange?.Invoke(this, new DataChangeEventArgs(state.Handle, tagRef, current));
-            }
-        }
-    }
-
-    private sealed record SubscriptionState(
-        ModbusSubscriptionHandle Handle,
-        IReadOnlyList<string> TagReferences,
-        TimeSpan Interval,
-        CancellationTokenSource Cts)
-    {
-        public System.Collections.Concurrent.ConcurrentDictionary<string, DataValueSnapshot> LastValues { get; }
-            = new(StringComparer.OrdinalIgnoreCase);
-    }
-
-    private sealed record ModbusSubscriptionHandle(long Id) : ISubscriptionHandle
-    {
-        public string DiagnosticId => $"modbus-sub-{Id}";
-    }
-
    // ---- IHostConnectivityProbe ----

    public IReadOnlyList<HostConnectivityStatus> GetHostStatuses()
--- a/src/ZB.MOM.WW.OtOpcUa.Server/Hosting/ResilienceStatusPublisherHostedService.cs
+++ b/src/ZB.MOM.WW.OtOpcUa.Server/Hosting/ResilienceStatusPublisherHostedService.cs
@@ -0,0 +1,139 @@
+using Microsoft.EntityFrameworkCore;
+using Microsoft.Extensions.Hosting;
+using Microsoft.Extensions.Logging;
+using ZB.MOM.WW.OtOpcUa.Configuration;
+using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+using ZB.MOM.WW.OtOpcUa.Core.Resilience;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.Hosting;
+
+/// <summary>
+///     Samples <see cref="DriverResilienceStatusTracker"/> at a fixed tick + upserts each
+///     <c>(DriverInstanceId, HostName)</c> snapshot into <see cref="DriverInstanceResilienceStatus"/>
+///     so Admin <c>/hosts</c> can render live resilience counters across restarts.
+/// </summary>
+/// <remarks>
+///     <para>Closes the HostedService piece of Phase 6.1 Stream E.2 flagged as a follow-up
+///     when the tracker shipped in PR #82. The Admin UI column-refresh piece (red badge when
+///     ConsecutiveFailures &gt; breakerThreshold / 2 + SignalR push) is still deferred to
+///     the visual-compliance pass — this service owns the persistence half alone.</para>
+///
+///     <para>Tick interval defaults to 5 s. Persistence is best-effort: a DB outage during
+///     a tick logs + continues; the next tick tries again with the latest snapshots. The
+///     hosted service never crashes the app on sample failure.</para>
+///
+///     <para><see cref="PersistOnceAsync"/> factored as a public method so tests can drive
+///     it directly, matching the <see cref="ScheduledRecycleHostedService.TickOnceAsync"/>
+///     pattern for deterministic unit-test timing.</para>
+/// </remarks>
+public sealed class ResilienceStatusPublisherHostedService : BackgroundService
+{
+    private readonly DriverResilienceStatusTracker _tracker;
+    private readonly IDbContextFactory<OtOpcUaConfigDbContext> _dbContextFactory;
+    private readonly ILogger<ResilienceStatusPublisherHostedService> _logger;
+    private readonly TimeProvider _timeProvider;
+
+    /// <summary>Tick interval — how often the tracker snapshot is persisted.</summary>
+    public TimeSpan TickInterval { get; }
+
+    /// <summary>Snapshot of the tick count for diagnostics + test assertions.</summary>
+    public int TickCount { get; private set; }
+
+    public ResilienceStatusPublisherHostedService(
+        DriverResilienceStatusTracker tracker,
+        IDbContextFactory<OtOpcUaConfigDbContext> dbContextFactory,
+        ILogger<ResilienceStatusPublisherHostedService> logger,
+        TimeProvider? timeProvider = null,
+        TimeSpan? tickInterval = null)
+    {
+        ArgumentNullException.ThrowIfNull(tracker);
+        ArgumentNullException.ThrowIfNull(dbContextFactory);
+
+        _tracker = tracker;
+        _dbContextFactory = dbContextFactory;
+        _logger = logger;
+        _timeProvider = timeProvider ?? TimeProvider.System;
+        TickInterval = tickInterval ?? TimeSpan.FromSeconds(5);
+    }
+
+    protected override async Task ExecuteAsync(CancellationToken stoppingToken)
+    {
+        _logger.LogInformation(
+            "ResilienceStatusPublisherHostedService starting — tick interval = {Interval}",
+            TickInterval);
+
+        while (!stoppingToken.IsCancellationRequested)
+        {
+            try
+            {
+                await Task.Delay(TickInterval, _timeProvider, stoppingToken).ConfigureAwait(false);
+            }
+            catch (OperationCanceledException) when (stoppingToken.IsCancellationRequested)
+            {
+                break;
+            }
+
+            await PersistOnceAsync(stoppingToken).ConfigureAwait(false);
+        }
+
+        _logger.LogInformation("ResilienceStatusPublisherHostedService stopping after {TickCount} tick(s).", TickCount);
+    }
+
+    /// <summary>
+    ///     Take one snapshot of the tracker + upsert each pair into the persistence table.
+    ///     Swallows transient exceptions + logs them; never throws from a sample failure.
+    /// </summary>
+    public async Task PersistOnceAsync(CancellationToken cancellationToken)
+    {
+        TickCount++;
+        var snapshot = _tracker.Snapshot();
+        if (snapshot.Count == 0) return;
+
+        try
+        {
+            await using var db = await _dbContextFactory.CreateDbContextAsync(cancellationToken).ConfigureAwait(false);
+            var now = _timeProvider.GetUtcNow().UtcDateTime;
+
+            foreach (var (driverInstanceId, hostName, counters) in snapshot)
+            {
+                var existing = await db.DriverInstanceResilienceStatuses
+                    .FirstOrDefaultAsync(x => x.DriverInstanceId == driverInstanceId && x.HostName == hostName, cancellationToken)
+                    .ConfigureAwait(false);
+
+                if (existing is null)
+                {
+                    db.DriverInstanceResilienceStatuses.Add(new DriverInstanceResilienceStatus
+                    {
+                        DriverInstanceId = driverInstanceId,
+                        HostName = hostName,
+                        LastCircuitBreakerOpenUtc = counters.LastBreakerOpenUtc,
+                        ConsecutiveFailures = counters.ConsecutiveFailures,
+                        CurrentBulkheadDepth = counters.CurrentInFlight,
+                        LastRecycleUtc = counters.LastRecycleUtc,
+                        BaselineFootprintBytes = counters.BaselineFootprintBytes,
+                        CurrentFootprintBytes = counters.CurrentFootprintBytes,
+                        LastSampledUtc = now,
+                    });
+                }
+                else
+                {
+                    existing.LastCircuitBreakerOpenUtc = counters.LastBreakerOpenUtc;
+                    existing.ConsecutiveFailures = counters.ConsecutiveFailures;
+                    existing.CurrentBulkheadDepth = counters.CurrentInFlight;
+                    existing.LastRecycleUtc = counters.LastRecycleUtc;
+                    existing.BaselineFootprintBytes = counters.BaselineFootprintBytes;
+                    existing.CurrentFootprintBytes = counters.CurrentFootprintBytes;
+                    existing.LastSampledUtc = now;
+                }
+            }
+
+            await db.SaveChangesAsync(cancellationToken).ConfigureAwait(false);
+        }
+        catch (OperationCanceledException) { throw; }
+        catch (Exception ex)
+        {
+            _logger.LogWarning(ex,
+                "ResilienceStatusPublisher persistence tick failed; next tick will retry with latest snapshots.");
+        }
+    }
+}
--- a/src/ZB.MOM.WW.OtOpcUa.Server/Hosting/ScheduledRecycleHostedService.cs
+++ b/src/ZB.MOM.WW.OtOpcUa.Server/Hosting/ScheduledRecycleHostedService.cs
@@ -0,0 +1,117 @@
+using Microsoft.Extensions.Hosting;
+using Microsoft.Extensions.Logging;
+using ZB.MOM.WW.OtOpcUa.Core.Stability;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.Hosting;
+
+/// <summary>
+///     Drives one or more <see cref="ScheduledRecycleScheduler"/> instances on a fixed tick
+///     cadence. Closes Phase 6.1 Stream B.4 by turning the shipped-as-pure-logic scheduler
+///     into a running background feature.
+/// </summary>
+/// <remarks>
+///     <para>Registered as a singleton in Program.cs. Each Tier C driver instance that wants a
+///     scheduled recycle registers its scheduler via
+///     <see cref="AddScheduler(ScheduledRecycleScheduler)"/> at startup. The hosted service
+///     wakes every <see cref="TickInterval"/> (default 1 min) and calls
+///     <see cref="ScheduledRecycleScheduler.TickAsync"/> on each registered scheduler.</para>
+///
+///     <para>Scheduler registration is closed after <see cref="ExecuteAsync"/> starts — callers
+///     must register before the host starts, typically during DI setup. Adding a scheduler
+///     mid-flight throws to avoid confusing "some ticks saw my scheduler, some didn't" races.</para>
+/// </remarks>
+public sealed class ScheduledRecycleHostedService : BackgroundService
+{
+    private readonly List<ScheduledRecycleScheduler> _schedulers = [];
+    private readonly ILogger<ScheduledRecycleHostedService> _logger;
+    private readonly TimeProvider _timeProvider;
+    private bool _started;
+
+    /// <summary>How often <see cref="ScheduledRecycleScheduler.TickAsync"/> fires on each registered scheduler.</summary>
+    public TimeSpan TickInterval { get; }
+
+    public ScheduledRecycleHostedService(
+        ILogger<ScheduledRecycleHostedService> logger,
+        TimeProvider? timeProvider = null,
+        TimeSpan? tickInterval = null)
+    {
+        _logger = logger;
+        _timeProvider = timeProvider ?? TimeProvider.System;
+        TickInterval = tickInterval ?? TimeSpan.FromMinutes(1);
+    }
+
+    /// <summary>Register a scheduler to drive. Must be called before the host starts.</summary>
+    public void AddScheduler(ScheduledRecycleScheduler scheduler)
+    {
+        ArgumentNullException.ThrowIfNull(scheduler);
+        if (_started)
+            throw new InvalidOperationException(
+                "Cannot register a ScheduledRecycleScheduler after the hosted service has started. " +
+                "Register all schedulers during DI configuration / startup.");
+        _schedulers.Add(scheduler);
+    }
+
+    /// <summary>Snapshot of the current tick count — diagnostics only.</summary>
+    public int TickCount { get; private set; }
+
+    /// <summary>Snapshot of the number of registered schedulers — diagnostics only.</summary>
+    public int SchedulerCount => _schedulers.Count;
+
+    public override Task StartAsync(CancellationToken cancellationToken)
+    {
+        _started = true;
+        return base.StartAsync(cancellationToken);
+    }
+
+    protected override async Task ExecuteAsync(CancellationToken stoppingToken)
+    {
+        _logger.LogInformation(
+            "ScheduledRecycleHostedService starting — {Count} scheduler(s), tick interval = {Interval}",
+            _schedulers.Count, TickInterval);
+
+        while (!stoppingToken.IsCancellationRequested)
+        {
+            try
+            {
+                await Task.Delay(TickInterval, _timeProvider, stoppingToken).ConfigureAwait(false);
+            }
+            catch (OperationCanceledException) when (stoppingToken.IsCancellationRequested)
+            {
+                break;
+            }
+
+            await TickOnceAsync(stoppingToken).ConfigureAwait(false);
+        }
+
+        _logger.LogInformation("ScheduledRecycleHostedService stopping after {TickCount} tick(s).", TickCount);
+    }
+
+    /// <summary>
+    ///     Execute one scheduler tick against every registered scheduler. Factored out of the
+    ///     <see cref="ExecuteAsync"/> loop so tests can drive it directly without needing to
+    ///     synchronize with <see cref="Task.Delay(TimeSpan, TimeProvider, CancellationToken)"/>.
+    /// </summary>
+    public async Task TickOnceAsync(CancellationToken cancellationToken)
+    {
+        var now = _timeProvider.GetUtcNow().UtcDateTime;
+        TickCount++;
+
+        foreach (var scheduler in _schedulers)
+        {
+            try
+            {
+                var fired = await scheduler.TickAsync(now, cancellationToken).ConfigureAwait(false);
+                if (fired)
+                    _logger.LogInformation("Scheduled recycle fired at {Now:o}; next = {Next:o}",
+                        now, scheduler.NextRecycleUtc);
+            }
+            catch (OperationCanceledException) { throw; }
+            catch (Exception ex)
+            {
+                // A single scheduler fault must not take down the rest — log + continue.
+                _logger.LogError(ex,
+                    "ScheduledRecycleScheduler tick failed at {Now:o}; continuing to other schedulers.", now);
+            }
+        }
+    }
+}
--- a/src/ZB.MOM.WW.OtOpcUa.Server/OpcUa/DriverNodeManager.cs
+++ b/src/ZB.MOM.WW.OtOpcUa.Server/OpcUa/DriverNodeManager.cs
@@ -3,6 +3,7 @@ using Microsoft.Extensions.Logging;
 using Opc.Ua;
 using Opc.Ua.Server;
 using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Core.Authorization;
 using ZB.MOM.WW.OtOpcUa.Core.Resilience;
 using ZB.MOM.WW.OtOpcUa.Server.Security;
 using DriverWriteRequest = ZB.MOM.WW.OtOpcUa.Core.Abstractions.WriteRequest;
@@ -34,6 +35,7 @@ public sealed class DriverNodeManager : CustomNodeManager2, IAddressSpaceBuilder
    private readonly IDriver _driver;
    private readonly IReadable? _readable;
    private readonly IWritable? _writable;
+    private readonly IPerCallHostResolver? _hostResolver;
    private readonly CapabilityInvoker _invoker;
    private readonly ILogger<DriverNodeManager> _logger;

@@ -59,19 +61,45 @@ public sealed class DriverNodeManager : CustomNodeManager2, IAddressSpaceBuilder
    // returns a child builder per Folder call and the caller threads nesting through those references.
    private FolderState _currentFolder = null!;

+    // Phase 6.2 Stream C follow-up — optional gate + scope resolver. When both are null
+    // the old pre-Phase-6.2 dispatch path runs unchanged (backwards compat for every
+    // integration test that constructs DriverNodeManager without the gate). When wired,
+    // OnReadValue / OnWriteValue / HistoryRead all consult the gate before the invoker call.
+    private readonly AuthorizationGate? _authzGate;
+    private readonly NodeScopeResolver? _scopeResolver;
+
    public DriverNodeManager(IServerInternal server, ApplicationConfiguration configuration,
-        IDriver driver, CapabilityInvoker invoker, ILogger<DriverNodeManager> logger)
+        IDriver driver, CapabilityInvoker invoker, ILogger<DriverNodeManager> logger,
+        AuthorizationGate? authzGate = null, NodeScopeResolver? scopeResolver = null)
        : base(server, configuration, namespaceUris: $"urn:OtOpcUa:{driver.DriverInstanceId}")
    {
        _driver = driver;
        _readable = driver as IReadable;
        _writable = driver as IWritable;
+        _hostResolver = driver as IPerCallHostResolver;
        _invoker = invoker;
+        _authzGate = authzGate;
+        _scopeResolver = scopeResolver;
        _logger = logger;
    }

    protected override NodeStateCollection LoadPredefinedNodes(ISystemContext context) => new();

+    /// <summary>
+    ///     Resolve the host name fed to the Phase 6.1 CapabilityInvoker for a per-tag call.
+    ///     Multi-host drivers that implement <see cref="IPerCallHostResolver"/> get their
+    ///     per-PLC isolation (decision #144); single-host drivers + drivers that don't
+    ///     implement the resolver fall back to the DriverInstanceId — preserves existing
+    ///     Phase 6.1 pipeline-key semantics for those drivers.
+    /// </summary>
+    private string ResolveHostFor(string fullReference)
+    {
+        if (_hostResolver is null) return _driver.DriverInstanceId;
+
+        var resolved = _hostResolver.ResolveHost(fullReference);
+        return string.IsNullOrWhiteSpace(resolved) ? _driver.DriverInstanceId : resolved;
+    }
+
    public override void CreateAddressSpace(IDictionary<NodeId, IList<IReference>> externalReferences)
    {
        lock (Lock)
@@ -197,9 +225,23 @@ public sealed class DriverNodeManager : CustomNodeManager2, IAddressSpaceBuilder
        try
        {
            var fullRef = node.NodeId.Identifier as string ?? "";
+
+            // Phase 6.2 Stream C — authorization gate. Runs ahead of the invoker so a denied
+            // read never hits the driver. Returns true in lax mode when identity lacks LDAP
+            // groups; strict mode denies those cases. See AuthorizationGate remarks.
+            if (_authzGate is not null && _scopeResolver is not null)
+            {
+                var scope = _scopeResolver.Resolve(fullRef);
+                if (!_authzGate.IsAllowed(context.UserIdentity, OpcUaOperation.Read, scope))
+                {
+                    statusCode = StatusCodes.BadUserAccessDenied;
+                    return ServiceResult.Good;
+                }
+            }
+
            var result = _invoker.ExecuteAsync(
                DriverCapability.Read,
-                _driver.DriverInstanceId,
+                ResolveHostFor(fullRef),
                async ct => (IReadOnlyList<DataValueSnapshot>)await _readable.ReadAsync([fullRef], ct).ConfigureAwait(false),
                CancellationToken.None).AsTask().GetAwaiter().GetResult();
            if (result.Count == 0)
@@ -390,6 +432,23 @@ public sealed class DriverNodeManager : CustomNodeManager2, IAddressSpaceBuilder
                    fullRef, classification, string.Join(",", roles));
                return new ServiceResult(StatusCodes.BadUserAccessDenied);
            }
+
+            // Phase 6.2 Stream C — additive gate check. The classification/role check above
+            // is the pre-Phase-6.2 baseline; the gate adds per-tag ACL enforcement on top. In
+            // lax mode (default during rollout) the gate falls through when the identity
+            // lacks LDAP groups, so existing integration tests keep passing.
+            if (_authzGate is not null && _scopeResolver is not null)
+            {
+                var scope = _scopeResolver.Resolve(fullRef!);
+                var writeOp = WriteAuthzPolicy.ToOpcUaOperation(classification);
+                if (!_authzGate.IsAllowed(context.UserIdentity, writeOp, scope))
+                {
+                    _logger.LogInformation(
+                        "Write denied by ACL gate for {FullRef}: operation={Op} classification={Classification}",
+                        fullRef, writeOp, classification);
+                    return new ServiceResult(StatusCodes.BadUserAccessDenied);
+                }
+            }
        }

        try
@@ -397,7 +456,7 @@ public sealed class DriverNodeManager : CustomNodeManager2, IAddressSpaceBuilder
            var isIdempotent = _writeIdempotentByFullRef.GetValueOrDefault(fullRef!, false);
            var capturedValue = value;
            var results = _invoker.ExecuteWriteAsync(
-                _driver.DriverInstanceId,
+                ResolveHostFor(fullRef!),
                isIdempotent,
                async ct => (IReadOnlyList<WriteResult>)await _writable.WriteAsync(
                    [new DriverWriteRequest(fullRef!, capturedValue)],
@@ -482,11 +541,21 @@ public sealed class DriverNodeManager : CustomNodeManager2, IAddressSpaceBuilder
                continue;
            }

+            if (_authzGate is not null && _scopeResolver is not null)
+            {
+                var historyScope = _scopeResolver.Resolve(fullRef);
+                if (!_authzGate.IsAllowed(context.UserIdentity, OpcUaOperation.HistoryRead, historyScope))
+                {
+                    WriteAccessDenied(results, errors, i);
+                    continue;
+                }
+            }
+
            try
            {
                var driverResult = _invoker.ExecuteAsync(
                    DriverCapability.HistoryRead,
-                    _driver.DriverInstanceId,
+                    ResolveHostFor(fullRef),
                    async ct => await History.ReadRawAsync(
                        fullRef,
                        details.StartTime,
@@ -546,11 +615,21 @@ public sealed class DriverNodeManager : CustomNodeManager2, IAddressSpaceBuilder
                continue;
            }

+            if (_authzGate is not null && _scopeResolver is not null)
+            {
+                var historyScope = _scopeResolver.Resolve(fullRef);
+                if (!_authzGate.IsAllowed(context.UserIdentity, OpcUaOperation.HistoryRead, historyScope))
+                {
+                    WriteAccessDenied(results, errors, i);
+                    continue;
+                }
+            }
+
            try
            {
                var driverResult = _invoker.ExecuteAsync(
                    DriverCapability.HistoryRead,
-                    _driver.DriverInstanceId,
+                    ResolveHostFor(fullRef),
                    async ct => await History.ReadProcessedAsync(
                        fullRef,
                        details.StartTime,
@@ -603,11 +682,21 @@ public sealed class DriverNodeManager : CustomNodeManager2, IAddressSpaceBuilder
                continue;
            }

+            if (_authzGate is not null && _scopeResolver is not null)
+            {
+                var historyScope = _scopeResolver.Resolve(fullRef);
+                if (!_authzGate.IsAllowed(context.UserIdentity, OpcUaOperation.HistoryRead, historyScope))
+                {
+                    WriteAccessDenied(results, errors, i);
+                    continue;
+                }
+            }
+
            try
            {
                var driverResult = _invoker.ExecuteAsync(
                    DriverCapability.HistoryRead,
-                    _driver.DriverInstanceId,
+                    ResolveHostFor(fullRef),
                    async ct => await History.ReadAtTimeAsync(fullRef, requestedTimes, ct).ConfigureAwait(false),
                    CancellationToken.None).AsTask().GetAwaiter().GetResult();

@@ -660,11 +749,24 @@ public sealed class DriverNodeManager : CustomNodeManager2, IAddressSpaceBuilder
            // "all sources in the driver's namespace" per the IHistoryProvider contract.
            var fullRef = ResolveFullRef(handle);

+            // fullRef is null for event-history queries that target a notifier (driver root).
+            // Those are cluster-wide reads + need a different scope shape; skip the gate here
+            // and let the driver-level authz handle them. Non-null path gets per-node gating.
+            if (fullRef is not null && _authzGate is not null && _scopeResolver is not null)
+            {
+                var historyScope = _scopeResolver.Resolve(fullRef);
+                if (!_authzGate.IsAllowed(context.UserIdentity, OpcUaOperation.HistoryRead, historyScope))
+                {
+                    WriteAccessDenied(results, errors, i);
+                    continue;
+                }
+            }
+
            try
            {
                var driverResult = _invoker.ExecuteAsync(
                    DriverCapability.HistoryRead,
-                    _driver.DriverInstanceId,
+                    fullRef is null ? _driver.DriverInstanceId : ResolveHostFor(fullRef),
                    async ct => await History.ReadEventsAsync(
                        sourceName: fullRef,
                        startUtc: details.StartTime,
@@ -721,6 +823,12 @@ public sealed class DriverNodeManager : CustomNodeManager2, IAddressSpaceBuilder
        errors[i] = StatusCodes.BadInternalError;
    }

+    private static void WriteAccessDenied(IList<OpcHistoryReadResult> results, IList<ServiceResult> errors, int i)
+    {
+        results[i] = new OpcHistoryReadResult { StatusCode = StatusCodes.BadUserAccessDenied };
+        errors[i] = StatusCodes.BadUserAccessDenied;
+    }
+
    private static void WriteNodeIdUnknown(IList<OpcHistoryReadResult> results, IList<ServiceResult> errors, int i)
    {
        WriteNodeIdUnknown(results, errors, i);
--- a/src/ZB.MOM.WW.OtOpcUa.Server/OpcUa/OpcUaApplicationHost.cs
+++ b/src/ZB.MOM.WW.OtOpcUa.Server/OpcUa/OpcUaApplicationHost.cs
@@ -1,6 +1,7 @@
 using Microsoft.Extensions.Logging;
 using Opc.Ua;
 using Opc.Ua.Configuration;
+using ZB.MOM.WW.OtOpcUa.Configuration.LocalCache;
 using ZB.MOM.WW.OtOpcUa.Core.Hosting;
 using ZB.MOM.WW.OtOpcUa.Core.OpcUa;
 using ZB.MOM.WW.OtOpcUa.Core.Resilience;
@@ -23,6 +24,11 @@ public sealed class OpcUaApplicationHost : IAsyncDisposable
    private readonly DriverHost _driverHost;
    private readonly IUserAuthenticator _authenticator;
    private readonly DriverResiliencePipelineBuilder _pipelineBuilder;
+    private readonly AuthorizationGate? _authzGate;
+    private readonly NodeScopeResolver? _scopeResolver;
+    private readonly StaleConfigFlag? _staleConfigFlag;
+    private readonly Func<string, ZB.MOM.WW.OtOpcUa.Core.Abstractions.DriverTier>? _tierLookup;
+    private readonly Func<string, string?>? _resilienceConfigLookup;
    private readonly ILoggerFactory _loggerFactory;
    private readonly ILogger<OpcUaApplicationHost> _logger;
    private ApplicationInstance? _application;
@@ -32,12 +38,22 @@ public sealed class OpcUaApplicationHost : IAsyncDisposable

    public OpcUaApplicationHost(OpcUaServerOptions options, DriverHost driverHost,
        IUserAuthenticator authenticator, ILoggerFactory loggerFactory, ILogger<OpcUaApplicationHost> logger,
-        DriverResiliencePipelineBuilder? pipelineBuilder = null)
+        DriverResiliencePipelineBuilder? pipelineBuilder = null,
+        AuthorizationGate? authzGate = null,
+        NodeScopeResolver? scopeResolver = null,
+        StaleConfigFlag? staleConfigFlag = null,
+        Func<string, ZB.MOM.WW.OtOpcUa.Core.Abstractions.DriverTier>? tierLookup = null,
+        Func<string, string?>? resilienceConfigLookup = null)
    {
        _options = options;
        _driverHost = driverHost;
        _authenticator = authenticator;
        _pipelineBuilder = pipelineBuilder ?? new DriverResiliencePipelineBuilder();
+        _authzGate = authzGate;
+        _scopeResolver = scopeResolver;
+        _staleConfigFlag = staleConfigFlag;
+        _tierLookup = tierLookup;
+        _resilienceConfigLookup = resilienceConfigLookup;
        _loggerFactory = loggerFactory;
        _logger = logger;
    }
@@ -64,7 +80,9 @@ public sealed class OpcUaApplicationHost : IAsyncDisposable
            throw new InvalidOperationException(
                $"OPC UA application certificate could not be validated or created in {_options.PkiStoreRoot}");

-        _server = new OtOpcUaServer(_driverHost, _authenticator, _pipelineBuilder, _loggerFactory);
+        _server = new OtOpcUaServer(_driverHost, _authenticator, _pipelineBuilder, _loggerFactory,
+            authzGate: _authzGate, scopeResolver: _scopeResolver,
+            tierLookup: _tierLookup, resilienceConfigLookup: _resilienceConfigLookup);
        await _application.Start(_server).ConfigureAwait(false);

        _logger.LogInformation("OPC UA server started — endpoint={Endpoint} driverCount={Count}",
@@ -77,6 +95,7 @@ public sealed class OpcUaApplicationHost : IAsyncDisposable
            _healthHost = new HealthEndpointsHost(
                _driverHost,
                _loggerFactory.CreateLogger<HealthEndpointsHost>(),
+                usingStaleConfig: _staleConfigFlag is null ? null : () => _staleConfigFlag.IsStale,
                prefix: _options.HealthEndpointsPrefix);
            _healthHost.Start();
        }
--- a/src/ZB.MOM.WW.OtOpcUa.Server/OpcUa/OtOpcUaServer.cs
+++ b/src/ZB.MOM.WW.OtOpcUa.Server/OpcUa/OtOpcUaServer.cs
@@ -21,6 +21,10 @@ public sealed class OtOpcUaServer : StandardServer
    private readonly DriverHost _driverHost;
    private readonly IUserAuthenticator _authenticator;
    private readonly DriverResiliencePipelineBuilder _pipelineBuilder;
+    private readonly AuthorizationGate? _authzGate;
+    private readonly NodeScopeResolver? _scopeResolver;
+    private readonly Func<string, DriverTier>? _tierLookup;
+    private readonly Func<string, string?>? _resilienceConfigLookup;
    private readonly ILoggerFactory _loggerFactory;
    private readonly List<DriverNodeManager> _driverNodeManagers = new();

@@ -28,11 +32,19 @@ public sealed class OtOpcUaServer : StandardServer
        DriverHost driverHost,
        IUserAuthenticator authenticator,
        DriverResiliencePipelineBuilder pipelineBuilder,
-        ILoggerFactory loggerFactory)
+        ILoggerFactory loggerFactory,
+        AuthorizationGate? authzGate = null,
+        NodeScopeResolver? scopeResolver = null,
+        Func<string, DriverTier>? tierLookup = null,
+        Func<string, string?>? resilienceConfigLookup = null)
    {
        _driverHost = driverHost;
        _authenticator = authenticator;
        _pipelineBuilder = pipelineBuilder;
+        _authzGate = authzGate;
+        _scopeResolver = scopeResolver;
+        _tierLookup = tierLookup;
+        _resilienceConfigLookup = resilienceConfigLookup;
        _loggerFactory = loggerFactory;
    }

@@ -53,12 +65,19 @@ public sealed class OtOpcUaServer : StandardServer
            if (driver is null) continue;

            var logger = _loggerFactory.CreateLogger<DriverNodeManager>();
-            // Per-driver resilience options: default Tier A pending Stream B.1 which wires
-            // per-type tiers into DriverTypeRegistry. Read ResilienceConfig JSON from the
-            // DriverInstance row in a follow-up PR; for now every driver gets Tier A defaults.
-            var options = new DriverResilienceOptions { Tier = DriverTier.A };
+            // Per-driver resilience options: tier comes from lookup (Phase 6.1 Stream B.1
+            // DriverTypeRegistry in the prod wire-up) or falls back to Tier A. ResilienceConfig
+            // JSON comes from the DriverInstance row via the optional lookup Func; parser
+            // layers JSON overrides on top of tier defaults (Phase 6.1 Stream A.2).
+            var tier = _tierLookup?.Invoke(driver.DriverType) ?? DriverTier.A;
+            var resilienceJson = _resilienceConfigLookup?.Invoke(driver.DriverInstanceId);
+            var options = DriverResilienceOptionsParser.ParseOrDefaults(tier, resilienceJson, out var diag);
+            if (diag is not null)
+                logger.LogWarning("ResilienceConfig parse diagnostic for driver {DriverId}: {Diag}", driver.DriverInstanceId, diag);
+
            var invoker = new CapabilityInvoker(_pipelineBuilder, driver.DriverInstanceId, () => options, driver.DriverType);
-            var manager = new DriverNodeManager(server, configuration, driver, invoker, logger);
+            var manager = new DriverNodeManager(server, configuration, driver, invoker, logger,
+                authzGate: _authzGate, scopeResolver: _scopeResolver);
            _driverNodeManagers.Add(manager);
        }

--- a/src/ZB.MOM.WW.OtOpcUa.Server/Redundancy/ClusterTopologyLoader.cs
+++ b/src/ZB.MOM.WW.OtOpcUa.Server/Redundancy/ClusterTopologyLoader.cs
@@ -0,0 +1,96 @@
+using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.Redundancy;
+
+/// <summary>
+///     Pure-function mapper from the shared config DB's <see cref="ServerCluster"/> +
+///     <see cref="ClusterNode"/> rows to an immutable <see cref="RedundancyTopology"/>.
+///     Validates Phase 6.3 Stream A.1 invariants and throws
+///     <see cref="InvalidTopologyException"/> on violation so the coordinator can fail startup
+///     fast with a clear message rather than boot into an ambiguous state.
+/// </summary>
+/// <remarks>
+///     Stateless — the caller owns the DB round-trip + hands rows in. Keeping it pure makes
+///     the invariant matrix testable without EF or SQL Server.
+/// </remarks>
+public static class ClusterTopologyLoader
+{
+    /// <summary>Build a topology snapshot for the given self node. Throws on invariant violation.</summary>
+    public static RedundancyTopology Load(string selfNodeId, ServerCluster cluster, IReadOnlyList<ClusterNode> nodes)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(selfNodeId);
+        ArgumentNullException.ThrowIfNull(cluster);
+        ArgumentNullException.ThrowIfNull(nodes);
+
+        ValidateClusterShape(cluster, nodes);
+        ValidateUniqueApplicationUris(nodes);
+        ValidatePrimaryCount(cluster, nodes);
+
+        var self = nodes.FirstOrDefault(n => string.Equals(n.NodeId, selfNodeId, StringComparison.OrdinalIgnoreCase))
+                   ?? throw new InvalidTopologyException(
+                       $"Self node '{selfNodeId}' is not a member of cluster '{cluster.ClusterId}'. " +
+                       $"Members: {string.Join(", ", nodes.Select(n => n.NodeId))}.");
+
+        var peers = nodes
+            .Where(n => !string.Equals(n.NodeId, selfNodeId, StringComparison.OrdinalIgnoreCase))
+            .Select(n => new RedundancyPeer(
+                NodeId: n.NodeId,
+                Role: n.RedundancyRole,
+                Host: n.Host,
+                OpcUaPort: n.OpcUaPort,
+                DashboardPort: n.DashboardPort,
+                ApplicationUri: n.ApplicationUri))
+            .ToList();
+
+        return new RedundancyTopology(
+            ClusterId: cluster.ClusterId,
+            SelfNodeId: self.NodeId,
+            SelfRole: self.RedundancyRole,
+            Mode: cluster.RedundancyMode,
+            Peers: peers,
+            SelfApplicationUri: self.ApplicationUri);
+    }
+
+    private static void ValidateClusterShape(ServerCluster cluster, IReadOnlyList<ClusterNode> nodes)
+    {
+        if (nodes.Count == 0)
+            throw new InvalidTopologyException($"Cluster '{cluster.ClusterId}' has zero nodes.");
+
+        // Decision #83 — v2.0 caps clusters at two nodes.
+        if (nodes.Count > 2)
+            throw new InvalidTopologyException(
+                $"Cluster '{cluster.ClusterId}' has {nodes.Count} nodes. v2.0 supports at most 2 nodes per cluster (decision #83).");
+
+        // Every node must belong to the given cluster.
+        var wrongCluster = nodes.FirstOrDefault(n =>
+            !string.Equals(n.ClusterId, cluster.ClusterId, StringComparison.OrdinalIgnoreCase));
+        if (wrongCluster is not null)
+            throw new InvalidTopologyException(
+                $"Node '{wrongCluster.NodeId}' belongs to cluster '{wrongCluster.ClusterId}', not '{cluster.ClusterId}'.");
+    }
+
+    private static void ValidateUniqueApplicationUris(IReadOnlyList<ClusterNode> nodes)
+    {
+        var dup = nodes
+            .GroupBy(n => n.ApplicationUri, StringComparer.Ordinal)
+            .FirstOrDefault(g => g.Count() > 1);
+        if (dup is not null)
+            throw new InvalidTopologyException(
+                $"Nodes {string.Join(", ", dup.Select(n => n.NodeId))} share ApplicationUri '{dup.Key}'. " +
+                $"OPC UA Part 4 requires unique ApplicationUri per server — clients pin trust here (decision #86).");
+    }
+
+    private static void ValidatePrimaryCount(ServerCluster cluster, IReadOnlyList<ClusterNode> nodes)
+    {
+        // Standalone mode: any role is fine. Warm / Hot: at most one Primary per cluster.
+        if (cluster.RedundancyMode == RedundancyMode.None) return;
+
+        var primaries = nodes.Count(n => n.RedundancyRole == RedundancyRole.Primary);
+        if (primaries > 1)
+            throw new InvalidTopologyException(
+                $"Cluster '{cluster.ClusterId}' has {primaries} Primary nodes in redundancy mode {cluster.RedundancyMode}. " +
+                $"At most one Primary per cluster (decision #84). Runtime detects and demotes both to ServiceLevel 2 " +
+                $"per the 8-state matrix; startup fails fast to surface the misconfiguration earlier.");
+    }
+}
--- a/src/ZB.MOM.WW.OtOpcUa.Server/Redundancy/PeerReachability.cs
+++ b/src/ZB.MOM.WW.OtOpcUa.Server/Redundancy/PeerReachability.cs
@@ -0,0 +1,42 @@
+namespace ZB.MOM.WW.OtOpcUa.Server.Redundancy;
+
+/// <summary>
+///     Latest observed reachability of the peer node per the Phase 6.3 Stream B.1/B.2 two-layer
+///     probe model. HTTP layer is the fast-fail; UA layer is authoritative.
+/// </summary>
+/// <remarks>
+///     Fed into the <see cref="ServiceLevelCalculator"/> as <c>peerHttpHealthy</c> +
+///     <c>peerUaHealthy</c>. The concrete probe loops (<c>PeerHttpProbeLoop</c> +
+///     <c>PeerUaProbeLoop</c>) live in a Stream B runtime follow-up — this type is the
+///     contract the publisher reads; probers write via
+///     <see cref="PeerReachabilityTracker"/>.
+/// </remarks>
+public sealed record PeerReachability(bool HttpHealthy, bool UaHealthy)
+{
+    public static readonly PeerReachability Unknown = new(false, false);
+    public static readonly PeerReachability FullyHealthy = new(true, true);
+
+    /// <summary>True when both probes report healthy — the <c>ServiceLevelCalculator</c>'s peerReachable gate.</summary>
+    public bool BothHealthy => HttpHealthy && UaHealthy;
+}
+
+/// <summary>
+///     Thread-safe holder of the latest <see cref="PeerReachability"/> per peer NodeId. Probe
+///     loops call <see cref="Update"/>; the <see cref="RedundancyStatePublisher"/> reads via
+///     <see cref="Get"/>.
+/// </summary>
+public sealed class PeerReachabilityTracker
+{
+    private readonly System.Collections.Concurrent.ConcurrentDictionary<string, PeerReachability> _byPeer =
+        new(StringComparer.OrdinalIgnoreCase);
+
+    public void Update(string peerNodeId, PeerReachability reachability)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(peerNodeId);
+        _byPeer[peerNodeId] = reachability ?? throw new ArgumentNullException(nameof(reachability));
+    }
+
+    /// <summary>Current reachability for a peer. Returns <see cref="PeerReachability.Unknown"/> when not yet probed.</summary>
+    public PeerReachability Get(string peerNodeId) =>
+        _byPeer.TryGetValue(peerNodeId, out var r) ? r : PeerReachability.Unknown;
+}
--- a/src/ZB.MOM.WW.OtOpcUa.Server/Redundancy/RedundancyCoordinator.cs
+++ b/src/ZB.MOM.WW.OtOpcUa.Server/Redundancy/RedundancyCoordinator.cs
@@ -0,0 +1,107 @@
+using Microsoft.EntityFrameworkCore;
+using Microsoft.Extensions.Logging;
+using ZB.MOM.WW.OtOpcUa.Configuration;
+using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.Redundancy;
+
+/// <summary>
+///     Process-singleton holder of the current <see cref="RedundancyTopology"/>. Reads the
+///     shared config DB at <see cref="InitializeAsync"/> time + re-reads on
+///     <see cref="RefreshAsync"/> (called after <c>sp_PublishGeneration</c> completes so
+///     operator role-swaps take effect without a process restart).
+/// </summary>
+/// <remarks>
+///     <para>Per Phase 6.3 Stream A.1-A.2. The coordinator is the source of truth for the
+///     <see cref="ServiceLevelCalculator"/> inputs: role (from topology), peer reachability
+///     (from peer-probe loops — Stream B.1/B.2 follow-up), apply-in-progress (from
+///     <see cref="ApplyLeaseRegistry"/>), topology-valid (from invariant checks at load time
+///     + runtime detection of conflicting peer claims).</para>
+///
+///     <para>Topology refresh is CAS-style: a new <see cref="RedundancyTopology"/> instance
+///     replaces the old one atomically via <see cref="Interlocked.Exchange{T}"/>. Readers
+///     always see a coherent snapshot — never a partial transition.</para>
+/// </remarks>
+public sealed class RedundancyCoordinator
+{
+    private readonly IDbContextFactory<OtOpcUaConfigDbContext> _dbContextFactory;
+    private readonly ILogger<RedundancyCoordinator> _logger;
+    private readonly string _selfNodeId;
+    private readonly string _selfClusterId;
+    private RedundancyTopology? _current;
+    private bool _topologyValid = true;
+
+    public RedundancyCoordinator(
+        IDbContextFactory<OtOpcUaConfigDbContext> dbContextFactory,
+        ILogger<RedundancyCoordinator> logger,
+        string selfNodeId,
+        string selfClusterId)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(selfNodeId);
+        ArgumentException.ThrowIfNullOrWhiteSpace(selfClusterId);
+
+        _dbContextFactory = dbContextFactory;
+        _logger = logger;
+        _selfNodeId = selfNodeId;
+        _selfClusterId = selfClusterId;
+    }
+
+    /// <summary>Last-loaded topology; null before <see cref="InitializeAsync"/> completes.</summary>
+    public RedundancyTopology? Current => Volatile.Read(ref _current);
+
+    /// <summary>
+    ///     True when the last load/refresh completed without an invariant violation; false
+    ///     forces <see cref="ServiceLevelCalculator"/> into the <see cref="ServiceLevelBand.InvalidTopology"/>
+    ///     band regardless of other inputs.
+    /// </summary>
+    public bool IsTopologyValid => Volatile.Read(ref _topologyValid);
+
+    /// <summary>Load the topology for the first time. Throws on invariant violation.</summary>
+    public async Task InitializeAsync(CancellationToken ct)
+    {
+        await RefreshInternalAsync(throwOnInvalid: true, ct).ConfigureAwait(false);
+    }
+
+    /// <summary>
+    ///     Re-read the topology from the shared DB. Called after <c>sp_PublishGeneration</c>
+    ///     completes or after an Admin-triggered role-swap. Never throws — on invariant
+    ///     violation it logs + flips <see cref="IsTopologyValid"/> false so the calculator
+    ///     returns <see cref="ServiceLevelBand.InvalidTopology"/> = 2.
+    /// </summary>
+    public async Task RefreshAsync(CancellationToken ct)
+    {
+        await RefreshInternalAsync(throwOnInvalid: false, ct).ConfigureAwait(false);
+    }
+
+    private async Task RefreshInternalAsync(bool throwOnInvalid, CancellationToken ct)
+    {
+        await using var db = await _dbContextFactory.CreateDbContextAsync(ct).ConfigureAwait(false);
+
+        var cluster = await db.ServerClusters.AsNoTracking()
+            .FirstOrDefaultAsync(c => c.ClusterId == _selfClusterId, ct).ConfigureAwait(false)
+            ?? throw new InvalidTopologyException($"Cluster '{_selfClusterId}' not found in config DB.");
+
+        var nodes = await db.ClusterNodes.AsNoTracking()
+            .Where(n => n.ClusterId == _selfClusterId && n.Enabled)
+            .ToListAsync(ct).ConfigureAwait(false);
+
+        try
+        {
+            var topology = ClusterTopologyLoader.Load(_selfNodeId, cluster, nodes);
+            Volatile.Write(ref _current, topology);
+            Volatile.Write(ref _topologyValid, true);
+            _logger.LogInformation(
+                "Redundancy topology loaded: cluster={Cluster} self={Self} role={Role} mode={Mode} peers={PeerCount}",
+                topology.ClusterId, topology.SelfNodeId, topology.SelfRole, topology.Mode, topology.PeerCount);
+        }
+        catch (InvalidTopologyException ex)
+        {
+            Volatile.Write(ref _topologyValid, false);
+            _logger.LogError(ex,
+                "Redundancy topology invariant violation for cluster {Cluster}: {Reason}",
+                _selfClusterId, ex.Message);
+            if (throwOnInvalid) throw;
+        }
+    }
+}
--- a/src/ZB.MOM.WW.OtOpcUa.Server/Redundancy/RedundancyStatePublisher.cs
+++ b/src/ZB.MOM.WW.OtOpcUa.Server/Redundancy/RedundancyStatePublisher.cs
@@ -0,0 +1,142 @@
+using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.Redundancy;
+
+/// <summary>
+///     Orchestrates Phase 6.3 Stream C: feeds the <see cref="ServiceLevelCalculator"/> with the
+///     current (topology, peer reachability, apply-in-progress, recovery dwell, self health)
+///     inputs and emits the resulting <see cref="byte"/> + labelled <see cref="ServiceLevelBand"/>
+///     to subscribers. The OPC UA <c>ServiceLevel</c> variable node consumes this via
+///     <see cref="OnStateChanged"/> on every tick.
+/// </summary>
+/// <remarks>
+///     Pure orchestration — no background timer, no OPC UA stack dep. The caller (a
+///     HostedService in a future PR, or a test) drives <see cref="ComputeAndPublish"/> at
+///     whatever cadence is appropriate. Each call reads the inputs + recomputes the ServiceLevel
+///     byte; state is fired on the <see cref="OnStateChanged"/> event when the byte differs from
+///     the last emitted value (edge-triggered). The <see cref="OnServerUriArrayChanged"/> event
+///     fires whenever the topology's <c>ServerUriArray</c> content changes.
+/// </remarks>
+public sealed class RedundancyStatePublisher
+{
+    private readonly RedundancyCoordinator _coordinator;
+    private readonly ApplyLeaseRegistry _leases;
+    private readonly RecoveryStateManager _recovery;
+    private readonly PeerReachabilityTracker _peers;
+    private readonly Func<bool> _selfHealthy;
+    private readonly Func<bool> _operatorMaintenance;
+    private byte _lastByte = 255; // start at Authoritative — harmless before first tick
+    private IReadOnlyList<string>? _lastServerUriArray;
+
+    public RedundancyStatePublisher(
+        RedundancyCoordinator coordinator,
+        ApplyLeaseRegistry leases,
+        RecoveryStateManager recovery,
+        PeerReachabilityTracker peers,
+        Func<bool>? selfHealthy = null,
+        Func<bool>? operatorMaintenance = null)
+    {
+        ArgumentNullException.ThrowIfNull(coordinator);
+        ArgumentNullException.ThrowIfNull(leases);
+        ArgumentNullException.ThrowIfNull(recovery);
+        ArgumentNullException.ThrowIfNull(peers);
+
+        _coordinator = coordinator;
+        _leases = leases;
+        _recovery = recovery;
+        _peers = peers;
+        _selfHealthy = selfHealthy ?? (() => true);
+        _operatorMaintenance = operatorMaintenance ?? (() => false);
+    }
+
+    /// <summary>
+    ///     Fires with the current ServiceLevel byte + band on every call to
+    ///     <see cref="ComputeAndPublish"/> when the byte differs from the previously-emitted one.
+    /// </summary>
+    public event Action<ServiceLevelSnapshot>? OnStateChanged;
+
+    /// <summary>
+    ///     Fires when the cluster's ServerUriArray (self + peers) content changes — e.g. an
+    ///     operator adds or removes a peer. Consumer is the OPC UA <c>ServerUriArray</c>
+    ///     variable node in Stream C.2.
+    /// </summary>
+    public event Action<IReadOnlyList<string>>? OnServerUriArrayChanged;
+
+    /// <summary>Snapshot of the last-published ServiceLevel byte — diagnostics + tests.</summary>
+    public byte LastByte => _lastByte;
+
+    /// <summary>
+    ///     Compute the current ServiceLevel + emit change events if anything moved. Caller
+    ///     drives cadence — a 1 s tick in production is reasonable; tests drive it directly.
+    /// </summary>
+    public ServiceLevelSnapshot ComputeAndPublish()
+    {
+        var topology = _coordinator.Current;
+        if (topology is null)
+        {
+            // Not yet initialized — surface NoData so clients don't treat us as authoritative.
+            return Emit((byte)ServiceLevelBand.NoData, null);
+        }
+
+        // Aggregate peer reachability. For 2-node v2.0 clusters there is at most one peer;
+        // treat "all peers healthy" as the boolean input to the calculator.
+        var peerReachable = topology.Peers.All(p => _peers.Get(p.NodeId).BothHealthy);
+        var peerUaHealthy = topology.Peers.All(p => _peers.Get(p.NodeId).UaHealthy);
+        var peerHttpHealthy = topology.Peers.All(p => _peers.Get(p.NodeId).HttpHealthy);
+
+        var role = MapRole(topology.SelfRole);
+
+        var value = ServiceLevelCalculator.Compute(
+            role: role,
+            selfHealthy: _selfHealthy(),
+            peerUaHealthy: peerUaHealthy,
+            peerHttpHealthy: peerHttpHealthy,
+            applyInProgress: _leases.IsApplyInProgress,
+            recoveryDwellMet: _recovery.IsDwellMet(),
+            topologyValid: _coordinator.IsTopologyValid,
+            operatorMaintenance: _operatorMaintenance());
+
+        MaybeFireServerUriArray(topology);
+        return Emit(value, topology);
+    }
+
+    private static RedundancyRole MapRole(RedundancyRole role) => role switch
+    {
+        // Standalone is serving; treat as Primary for the matrix since the calculator
+        // already special-cases Standalone inside its Compute.
+        RedundancyRole.Primary => RedundancyRole.Primary,
+        RedundancyRole.Secondary => RedundancyRole.Secondary,
+        _ => RedundancyRole.Standalone,
+    };
+
+    private ServiceLevelSnapshot Emit(byte value, RedundancyTopology? topology)
+    {
+        var snap = new ServiceLevelSnapshot(
+            Value: value,
+            Band: ServiceLevelCalculator.Classify(value),
+            Topology: topology);
+
+        if (value != _lastByte)
+        {
+            _lastByte = value;
+            OnStateChanged?.Invoke(snap);
+        }
+        return snap;
+    }
+
+    private void MaybeFireServerUriArray(RedundancyTopology topology)
+    {
+        var current = topology.ServerUriArray();
+        if (_lastServerUriArray is null || !current.SequenceEqual(_lastServerUriArray, StringComparer.Ordinal))
+        {
+            _lastServerUriArray = current;
+            OnServerUriArrayChanged?.Invoke(current);
+        }
+    }
+}
+
+/// <summary>Per-tick output of <see cref="RedundancyStatePublisher.ComputeAndPublish"/>.</summary>
+public sealed record ServiceLevelSnapshot(
+    byte Value,
+    ServiceLevelBand Band,
+    RedundancyTopology? Topology);
--- a/src/ZB.MOM.WW.OtOpcUa.Server/Redundancy/RedundancyTopology.cs
+++ b/src/ZB.MOM.WW.OtOpcUa.Server/Redundancy/RedundancyTopology.cs
@@ -0,0 +1,55 @@
+using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.Redundancy;
+
+/// <summary>
+///     Snapshot of the cluster topology the <see cref="RedundancyCoordinator"/> holds. Read
+///     once at startup + refreshed on publish-generation notification. Immutable — every
+///     refresh produces a new instance so observers can compare identity-equality to detect
+///     topology change.
+/// </summary>
+/// <remarks>
+///     Per Phase 6.3 Stream A.1. Invariants enforced by the loader (see
+///     <see cref="ClusterTopologyLoader"/>): at most one Primary per cluster for
+///     WarmActive/Hot redundancy modes; every node has a unique ApplicationUri (OPC UA
+///     Part 4 requirement — clients pin trust here); at most 2 nodes total per cluster
+///     (decision #83).
+/// </remarks>
+public sealed record RedundancyTopology(
+    string ClusterId,
+    string SelfNodeId,
+    RedundancyRole SelfRole,
+    RedundancyMode Mode,
+    IReadOnlyList<RedundancyPeer> Peers,
+    string SelfApplicationUri)
+{
+    /// <summary>Peer count — 0 for a standalone (single-node) cluster, 1 for v2 two-node clusters.</summary>
+    public int PeerCount => Peers.Count;
+
+    /// <summary>
+    ///     ServerUriArray shape per OPC UA Part 4 §6.6.2.2 — self first, peers in stable
+    ///     deterministic order (lexicographic by NodeId), self's ApplicationUri always at index 0.
+    /// </summary>
+    public IReadOnlyList<string> ServerUriArray() =>
+        new[] { SelfApplicationUri }
+            .Concat(Peers.OrderBy(p => p.NodeId, StringComparer.OrdinalIgnoreCase).Select(p => p.ApplicationUri))
+            .ToList();
+}
+
+/// <summary>One peer in the cluster (every node other than self).</summary>
+/// <param name="NodeId">Peer's stable logical NodeId (e.g. <c>"LINE3-OPCUA-B"</c>).</param>
+/// <param name="Role">Peer's declared redundancy role from the shared config DB.</param>
+/// <param name="Host">Peer's hostname / IP — drives the health-probe target.</param>
+/// <param name="OpcUaPort">Peer's OPC UA endpoint port.</param>
+/// <param name="DashboardPort">Peer's dashboard / health-endpoint port.</param>
+/// <param name="ApplicationUri">Peer's declared ApplicationUri (carried in <see cref="RedundancyTopology.ServerUriArray"/>).</param>
+public sealed record RedundancyPeer(
+    string NodeId,
+    RedundancyRole Role,
+    string Host,
+    int OpcUaPort,
+    int DashboardPort,
+    string ApplicationUri);
+
+/// <summary>Thrown when the loader detects a topology-invariant violation at startup or refresh.</summary>
+public sealed class InvalidTopologyException(string message) : Exception(message);
--- a/src/ZB.MOM.WW.OtOpcUa.Server/SealedBootstrap.cs
+++ b/src/ZB.MOM.WW.OtOpcUa.Server/SealedBootstrap.cs
@@ -0,0 +1,100 @@
+using System.Text.Json;
+using Microsoft.Data.SqlClient;
+using Microsoft.Extensions.Logging;
+using ZB.MOM.WW.OtOpcUa.Configuration.LocalCache;
+
+namespace ZB.MOM.WW.OtOpcUa.Server;
+
+/// <summary>
+///     Phase 6.1 Stream D consumption hook — bootstraps the node's current generation through
+///     the <see cref="ResilientConfigReader"/> pipeline + writes every successful central-DB
+///     read into the <see cref="GenerationSealedCache"/> so the next cache-miss path has a
+///     sealed snapshot to fall back to.
+/// </summary>
+/// <remarks>
+///     <para>Alongside the original <see cref="NodeBootstrap"/> (which uses the single-file
+///     <see cref="ILocalConfigCache"/>). Program.cs can switch to this one once operators are
+///     ready for the generation-sealed semantics. The original stays for backward compat
+///     with the three integration tests that construct <see cref="NodeBootstrap"/> directly.</para>
+///
+///     <para>Closes release blocker #2 in <c>docs/v2/v2-release-readiness.md</c> — the
+///     generation-sealed cache + resilient reader + stale-config flag ship as unit-tested
+///     primitives in PR #81 but no production path consumed them until this wrapper.</para>
+/// </remarks>
+public sealed class SealedBootstrap
+{
+    private readonly NodeOptions _options;
+    private readonly GenerationSealedCache _cache;
+    private readonly ResilientConfigReader _reader;
+    private readonly StaleConfigFlag _staleFlag;
+    private readonly ILogger<SealedBootstrap> _logger;
+
+    public SealedBootstrap(
+        NodeOptions options,
+        GenerationSealedCache cache,
+        ResilientConfigReader reader,
+        StaleConfigFlag staleFlag,
+        ILogger<SealedBootstrap> logger)
+    {
+        _options = options;
+        _cache = cache;
+        _reader = reader;
+        _staleFlag = staleFlag;
+        _logger = logger;
+    }
+
+    /// <summary>
+    ///     Resolve the current generation for this node. Routes the central-DB fetch through
+    ///     <see cref="ResilientConfigReader"/> (timeout → retry → fallback-to-cache) + seals a
+    ///     fresh snapshot on every successful DB read so a future cache-miss has something to
+    ///     serve.
+    /// </summary>
+    public async Task<BootstrapResult> LoadCurrentGenerationAsync(CancellationToken ct)
+    {
+        return await _reader.ReadAsync(
+            _options.ClusterId,
+            centralFetch: async innerCt => await FetchFromCentralAsync(innerCt).ConfigureAwait(false),
+            fromSnapshot: snap => BootstrapResult.FromCache(snap.GenerationId),
+            ct).ConfigureAwait(false);
+    }
+
+    private async ValueTask<BootstrapResult> FetchFromCentralAsync(CancellationToken ct)
+    {
+        await using var conn = new SqlConnection(_options.ConfigDbConnectionString);
+        await conn.OpenAsync(ct).ConfigureAwait(false);
+
+        await using var cmd = conn.CreateCommand();
+        cmd.CommandText = "EXEC dbo.sp_GetCurrentGenerationForCluster @NodeId=@n, @ClusterId=@c";
+        cmd.Parameters.AddWithValue("@n", _options.NodeId);
+        cmd.Parameters.AddWithValue("@c", _options.ClusterId);
+
+        await using var reader = await cmd.ExecuteReaderAsync(ct).ConfigureAwait(false);
+        if (!await reader.ReadAsync(ct).ConfigureAwait(false))
+        {
+            _logger.LogWarning("Cluster {Cluster} has no Published generation yet", _options.ClusterId);
+            return BootstrapResult.EmptyFromDb();
+        }
+
+        var generationId = reader.GetInt64(0);
+        _logger.LogInformation("Bootstrapped from central DB: generation {GenerationId}; sealing snapshot", generationId);
+
+        // Seal a minimal snapshot with the generation pointer. A richer snapshot that carries
+        // the full sp_GetGenerationContent payload lands when the bootstrap flow grows to
+        // consume the content during offline operation (separate follow-up — see decision #148
+        // and phase-6-1 Stream D.3). The pointer alone is enough for the fallback path to
+        // surface the last-known-good generation id + flip UsingStaleConfig.
+        await _cache.SealAsync(new GenerationSnapshot
+        {
+            ClusterId = _options.ClusterId,
+            GenerationId = generationId,
+            CachedAt = DateTime.UtcNow,
+            PayloadJson = JsonSerializer.Serialize(new { generationId, source = "sp_GetCurrentGenerationForCluster" }),
+        }, ct).ConfigureAwait(false);
+
+        // StaleConfigFlag bookkeeping: ResilientConfigReader.MarkFresh on the returning call
+        // path; we're on the fresh branch so we don't touch the flag here.
+        _ = _staleFlag; // held so the field isn't flagged unused
+
+        return BootstrapResult.FromDb(generationId);
+    }
+}
--- a/src/ZB.MOM.WW.OtOpcUa.Server/Security/NodeScopeResolver.cs
+++ b/src/ZB.MOM.WW.OtOpcUa.Server/Security/NodeScopeResolver.cs
@@ -0,0 +1,47 @@
+using ZB.MOM.WW.OtOpcUa.Core.Authorization;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.Security;
+
+/// <summary>
+///     Maps a driver-side full reference (e.g. <c>"TestMachine_001/Oven/SetPoint"</c>) to the
+///     <see cref="NodeScope"/> the Phase 6.2 evaluator walks. Today a simplified resolver that
+///     returns a cluster-scoped + tag-only scope — the deeper UnsArea / UnsLine / Equipment
+///     path lookup from the live Configuration DB is a Stream C.12 follow-up.
+/// </summary>
+/// <remarks>
+///     <para>The flat cluster-level scope is sufficient for v2 GA because Phase 6.2 ACL grants
+///     at the Cluster scope cascade to every tag below (decision #129 — additive grants). The
+///     finer hierarchy only matters when operators want per-area or per-equipment grants;
+///     those still work for Cluster-level grants, and landing the finer resolution in a
+///     follow-up doesn't regress the base security model.</para>
+///
+///     <para>Thread-safety: the resolver is stateless once constructed. Callers may cache a
+///     single instance per DriverNodeManager without locks.</para>
+/// </remarks>
+public sealed class NodeScopeResolver
+{
+    private readonly string _clusterId;
+
+    public NodeScopeResolver(string clusterId)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(clusterId);
+        _clusterId = clusterId;
+    }
+
+    /// <summary>
+    ///     Resolve a node scope for the given driver-side <paramref name="fullReference"/>.
+    ///     Phase 1 shape: returns <c>ClusterId</c> + <c>TagId = fullReference</c> only;
+    ///     NamespaceId / UnsArea / UnsLine / Equipment stay null. A future resolver will
+    ///     join against the Configuration DB to populate the full path.
+    /// </summary>
+    public NodeScope Resolve(string fullReference)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(fullReference);
+        return new NodeScope
+        {
+            ClusterId = _clusterId,
+            TagId = fullReference,
+            Kind = NodeHierarchyKind.Equipment,
+        };
+    }
+}
--- a/src/ZB.MOM.WW.OtOpcUa.Server/Security/WriteAuthzPolicy.cs
+++ b/src/ZB.MOM.WW.OtOpcUa.Server/Security/WriteAuthzPolicy.cs
@@ -67,4 +67,22 @@ public static class WriteAuthzPolicy
        SecurityClassification.ViewOnly => null, // IsAllowed short-circuits
        _ => null,
    };
+
+    /// <summary>
+    ///     Maps a driver-reported <see cref="SecurityClassification"/> to the
+    ///     <see cref="Core.Abstractions.OpcUaOperation"/> the Phase 6.2 evaluator consults
+    ///     for the matching <see cref="Configuration.Enums.NodePermissions"/> bit.
+    ///     FreeAccess + ViewOnly fall back to WriteOperate — the evaluator never sees them
+    ///     because <see cref="IsAllowed"/> short-circuits first.
+    /// </summary>
+    public static Core.Abstractions.OpcUaOperation ToOpcUaOperation(SecurityClassification classification) =>
+        classification switch
+        {
+            SecurityClassification.Operate => Core.Abstractions.OpcUaOperation.WriteOperate,
+            SecurityClassification.SecuredWrite => Core.Abstractions.OpcUaOperation.WriteOperate,
+            SecurityClassification.Tune => Core.Abstractions.OpcUaOperation.WriteTune,
+            SecurityClassification.VerifiedWrite => Core.Abstractions.OpcUaOperation.WriteConfigure,
+            SecurityClassification.Configure => Core.Abstractions.OpcUaOperation.WriteConfigure,
+            _ => Core.Abstractions.OpcUaOperation.WriteOperate,
+        };
 }
--- a/tests/ZB.MOM.WW.OtOpcUa.Admin.Tests/EquipmentImportBatchServiceTests.cs
+++ b/tests/ZB.MOM.WW.OtOpcUa.Admin.Tests/EquipmentImportBatchServiceTests.cs
@@ -0,0 +1,165 @@
+using Microsoft.EntityFrameworkCore;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Admin.Services;
+using ZB.MOM.WW.OtOpcUa.Configuration;
+
+namespace ZB.MOM.WW.OtOpcUa.Admin.Tests;
+
+[Trait("Category", "Unit")]
+public sealed class EquipmentImportBatchServiceTests : IDisposable
+{
+    private readonly OtOpcUaConfigDbContext _db;
+    private readonly EquipmentImportBatchService _svc;
+
+    public EquipmentImportBatchServiceTests()
+    {
+        var options = new DbContextOptionsBuilder<OtOpcUaConfigDbContext>()
+            .UseInMemoryDatabase($"import-batch-{Guid.NewGuid():N}")
+            .Options;
+        _db = new OtOpcUaConfigDbContext(options);
+        _svc = new EquipmentImportBatchService(_db);
+    }
+
+    public void Dispose() => _db.Dispose();
+
+    private static EquipmentCsvRow Row(string zTag, string name = "eq-1") => new()
+    {
+        ZTag = zTag,
+        MachineCode = "mc",
+        SAPID = "sap",
+        EquipmentId = "eq-id",
+        EquipmentUuid = Guid.NewGuid().ToString(),
+        Name = name,
+        UnsAreaName = "area",
+        UnsLineName = "line",
+    };
+
+    [Fact]
+    public async Task CreateBatch_PopulatesId_AndTimestamp()
+    {
+        var batch = await _svc.CreateBatchAsync("c1", "alice", CancellationToken.None);
+
+        batch.Id.ShouldNotBe(Guid.Empty);
+        batch.CreatedAtUtc.ShouldBeGreaterThan(DateTime.UtcNow.AddMinutes(-1));
+        batch.RowsStaged.ShouldBe(0);
+    }
+
+    [Fact]
+    public async Task StageRows_AcceptedAndRejected_AllPersist()
+    {
+        var batch = await _svc.CreateBatchAsync("c1", "alice", CancellationToken.None);
+
+        await _svc.StageRowsAsync(batch.Id,
+            acceptedRows: [Row("z-1"), Row("z-2")],
+            rejectedRows: [new EquipmentCsvRowError(LineNumber: 5, Reason: "duplicate ZTag")],
+            CancellationToken.None);
+
+        var reloaded = await _db.EquipmentImportBatches.Include(b => b.Rows).FirstAsync(b => b.Id == batch.Id);
+        reloaded.RowsStaged.ShouldBe(3);
+        reloaded.RowsAccepted.ShouldBe(2);
+        reloaded.RowsRejected.ShouldBe(1);
+        reloaded.Rows.Count.ShouldBe(3);
+        reloaded.Rows.Count(r => r.IsAccepted).ShouldBe(2);
+        reloaded.Rows.Single(r => !r.IsAccepted).RejectReason.ShouldBe("duplicate ZTag");
+    }
+
+    [Fact]
+    public async Task DropBatch_RemovesBatch_AndCascades_Rows()
+    {
+        var batch = await _svc.CreateBatchAsync("c1", "alice", CancellationToken.None);
+        await _svc.StageRowsAsync(batch.Id, [Row("z-1")], [], CancellationToken.None);
+
+        await _svc.DropBatchAsync(batch.Id, CancellationToken.None);
+
+        (await _db.EquipmentImportBatches.AnyAsync(b => b.Id == batch.Id)).ShouldBeFalse();
+        (await _db.EquipmentImportRows.AnyAsync(r => r.BatchId == batch.Id)).ShouldBeFalse("cascaded delete clears rows");
+    }
+
+    [Fact]
+    public async Task DropBatch_AfterFinalise_Throws()
+    {
+        var batch = await _svc.CreateBatchAsync("c1", "alice", CancellationToken.None);
+        await _svc.StageRowsAsync(batch.Id, [Row("z-1")], [], CancellationToken.None);
+        await _svc.FinaliseBatchAsync(batch.Id, generationId: 1, driverInstanceIdForRows: "drv-1", unsLineIdForRows: "line-1", CancellationToken.None);
+
+        await Should.ThrowAsync<ImportBatchAlreadyFinalisedException>(
+            () => _svc.DropBatchAsync(batch.Id, CancellationToken.None));
+    }
+
+    [Fact]
+    public async Task Finalise_AcceptedRows_BecomeEquipment()
+    {
+        var batch = await _svc.CreateBatchAsync("c1", "alice", CancellationToken.None);
+        await _svc.StageRowsAsync(batch.Id,
+            [Row("z-1", name: "alpha"), Row("z-2", name: "beta")],
+            rejectedRows: [new EquipmentCsvRowError(1, "rejected")],
+            CancellationToken.None);
+
+        await _svc.FinaliseBatchAsync(batch.Id, 5, "drv-modbus", "line-warsaw", CancellationToken.None);
+
+        var equipment = await _db.Equipment.Where(e => e.GenerationId == 5).ToListAsync();
+        equipment.Count.ShouldBe(2);
+        equipment.Select(e => e.Name).ShouldBe(["alpha", "beta"], ignoreOrder: true);
+        equipment.All(e => e.DriverInstanceId == "drv-modbus").ShouldBeTrue();
+        equipment.All(e => e.UnsLineId == "line-warsaw").ShouldBeTrue();
+
+        var reloaded = await _db.EquipmentImportBatches.FirstAsync(b => b.Id == batch.Id);
+        reloaded.FinalisedAtUtc.ShouldNotBeNull();
+    }
+
+    [Fact]
+    public async Task Finalise_Twice_Throws()
+    {
+        var batch = await _svc.CreateBatchAsync("c1", "alice", CancellationToken.None);
+        await _svc.StageRowsAsync(batch.Id, [Row("z-1")], [], CancellationToken.None);
+        await _svc.FinaliseBatchAsync(batch.Id, 1, "drv", "line", CancellationToken.None);
+
+        await Should.ThrowAsync<ImportBatchAlreadyFinalisedException>(
+            () => _svc.FinaliseBatchAsync(batch.Id, 2, "drv", "line", CancellationToken.None));
+    }
+
+    [Fact]
+    public async Task Finalise_MissingBatch_Throws()
+    {
+        await Should.ThrowAsync<ImportBatchNotFoundException>(
+            () => _svc.FinaliseBatchAsync(Guid.NewGuid(), 1, "drv", "line", CancellationToken.None));
+    }
+
+    [Fact]
+    public async Task Stage_After_Finalise_Throws()
+    {
+        var batch = await _svc.CreateBatchAsync("c1", "alice", CancellationToken.None);
+        await _svc.StageRowsAsync(batch.Id, [Row("z-1")], [], CancellationToken.None);
+        await _svc.FinaliseBatchAsync(batch.Id, 1, "drv", "line", CancellationToken.None);
+
+        await Should.ThrowAsync<ImportBatchAlreadyFinalisedException>(
+            () => _svc.StageRowsAsync(batch.Id, [Row("z-2")], [], CancellationToken.None));
+    }
+
+    [Fact]
+    public async Task ListByUser_FiltersByCreator_AndFinalised()
+    {
+        var a = await _svc.CreateBatchAsync("c1", "alice", CancellationToken.None);
+        var b = await _svc.CreateBatchAsync("c1", "bob", CancellationToken.None);
+        await _svc.StageRowsAsync(a.Id, [Row("z-a")], [], CancellationToken.None);
+        await _svc.FinaliseBatchAsync(a.Id, 1, "d", "l", CancellationToken.None);
+        _ = b;
+
+        var aliceOpen = await _svc.ListByUserAsync("alice", includeFinalised: false, CancellationToken.None);
+        aliceOpen.ShouldBeEmpty("alice's only batch is finalised");
+
+        var aliceAll = await _svc.ListByUserAsync("alice", includeFinalised: true, CancellationToken.None);
+        aliceAll.Count.ShouldBe(1);
+
+        var bobOpen = await _svc.ListByUserAsync("bob", includeFinalised: false, CancellationToken.None);
+        bobOpen.Count.ShouldBe(1);
+    }
+
+    [Fact]
+    public async Task DropBatch_Unknown_IsNoOp()
+    {
+        await _svc.DropBatchAsync(Guid.NewGuid(), CancellationToken.None);
+        // no throw
+    }
+}
--- a/tests/ZB.MOM.WW.OtOpcUa.Configuration.Tests/SchemaComplianceTests.cs
+++ b/tests/ZB.MOM.WW.OtOpcUa.Configuration.Tests/SchemaComplianceTests.cs
@@ -31,6 +31,8 @@ public sealed class SchemaComplianceTests
            "DriverHostStatus",
            "DriverInstanceResilienceStatus",
            "LdapGroupRoleMapping",
+            "EquipmentImportBatch",
+            "EquipmentImportRow",
        };

        var actual = QueryStrings(@"
@@ -78,6 +80,7 @@ WHERE  i.is_unique = 1 AND i.has_filter = 1;",
            "CK_ServerCluster_RedundancyMode_NodeCount",
            "CK_Device_DeviceConfig_IsJson",
            "CK_DriverInstance_DriverConfig_IsJson",
+            "CK_DriverInstance_ResilienceConfig_IsJson",
            "CK_PollGroup_IntervalMs_Min",
            "CK_Tag_TagConfig_IsJson",
            "CK_ConfigAuditLog_DetailsJson_IsJson",
--- a/tests/ZB.MOM.WW.OtOpcUa.Core.Abstractions.Tests/PollGroupEngineTests.cs
+++ b/tests/ZB.MOM.WW.OtOpcUa.Core.Abstractions.Tests/PollGroupEngineTests.cs
@@ -0,0 +1,245 @@
+using System.Collections.Concurrent;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+
+namespace ZB.MOM.WW.OtOpcUa.Core.Abstractions.Tests;
+
+[Trait("Category", "Unit")]
+public sealed class PollGroupEngineTests
+{
+    private sealed class FakeSource
+    {
+        public ConcurrentDictionary<string, object?> Values { get; } = new();
+        public int ReadCount;
+
+        public Task<IReadOnlyList<DataValueSnapshot>> ReadAsync(
+            IReadOnlyList<string> refs, CancellationToken ct)
+        {
+            Interlocked.Increment(ref ReadCount);
+            var now = DateTime.UtcNow;
+            IReadOnlyList<DataValueSnapshot> snapshots = refs
+                .Select(r => Values.TryGetValue(r, out var v)
+                    ? new DataValueSnapshot(v, 0u, now, now)
+                    : new DataValueSnapshot(null, 0x80340000u, null, now))
+                .ToList();
+            return Task.FromResult(snapshots);
+        }
+    }
+
+    [Fact]
+    public async Task Initial_poll_force_raises_every_subscribed_tag()
+    {
+        var src = new FakeSource();
+        src.Values["A"] = 1;
+        src.Values["B"] = "hello";
+
+        var events = new ConcurrentQueue<(ISubscriptionHandle h, string r, DataValueSnapshot s)>();
+        await using var engine = new PollGroupEngine(src.ReadAsync,
+            (h, r, s) => events.Enqueue((h, r, s)));
+
+        var handle = engine.Subscribe(["A", "B"], TimeSpan.FromMilliseconds(200));
+        await WaitForAsync(() => events.Count >= 2, TimeSpan.FromSeconds(2));
+
+        events.Select(e => e.r).ShouldBe(["A", "B"], ignoreOrder: true);
+        engine.Unsubscribe(handle).ShouldBeTrue();
+    }
+
+    [Fact]
+    public async Task Unchanged_value_raises_only_once()
+    {
+        var src = new FakeSource();
+        src.Values["X"] = 42;
+
+        var events = new ConcurrentQueue<(ISubscriptionHandle, string, DataValueSnapshot)>();
+        await using var engine = new PollGroupEngine(src.ReadAsync,
+            (h, r, s) => events.Enqueue((h, r, s)));
+
+        var handle = engine.Subscribe(["X"], TimeSpan.FromMilliseconds(100));
+        await Task.Delay(500);
+        engine.Unsubscribe(handle);
+
+        events.Count.ShouldBe(1);
+    }
+
+    [Fact]
+    public async Task Value_change_raises_new_event()
+    {
+        var src = new FakeSource();
+        src.Values["X"] = 1;
+
+        var events = new ConcurrentQueue<(ISubscriptionHandle, string, DataValueSnapshot)>();
+        await using var engine = new PollGroupEngine(src.ReadAsync,
+            (h, r, s) => events.Enqueue((h, r, s)));
+
+        var handle = engine.Subscribe(["X"], TimeSpan.FromMilliseconds(100));
+        await WaitForAsync(() => events.Count >= 1, TimeSpan.FromSeconds(1));
+        src.Values["X"] = 2;
+        await WaitForAsync(() => events.Count >= 2, TimeSpan.FromSeconds(2));
+
+        engine.Unsubscribe(handle);
+        events.Last().Item3.Value.ShouldBe(2);
+    }
+
+    [Fact]
+    public async Task Unsubscribe_halts_the_loop()
+    {
+        var src = new FakeSource();
+        src.Values["X"] = 1;
+
+        var events = new ConcurrentQueue<(ISubscriptionHandle, string, DataValueSnapshot)>();
+        await using var engine = new PollGroupEngine(src.ReadAsync,
+            (h, r, s) => events.Enqueue((h, r, s)));
+
+        var handle = engine.Subscribe(["X"], TimeSpan.FromMilliseconds(100));
+        await WaitForAsync(() => events.Count >= 1, TimeSpan.FromSeconds(1));
+        engine.Unsubscribe(handle).ShouldBeTrue();
+        var afterUnsub = events.Count;
+
+        src.Values["X"] = 999;
+        await Task.Delay(400);
+        events.Count.ShouldBe(afterUnsub);
+    }
+
+    [Fact]
+    public async Task Interval_below_floor_is_clamped()
+    {
+        var src = new FakeSource();
+        src.Values["X"] = 1;
+
+        var events = new ConcurrentQueue<(ISubscriptionHandle, string, DataValueSnapshot)>();
+        await using var engine = new PollGroupEngine(src.ReadAsync,
+            (h, r, s) => events.Enqueue((h, r, s)),
+            minInterval: TimeSpan.FromMilliseconds(200));
+
+        var handle = engine.Subscribe(["X"], TimeSpan.FromMilliseconds(5));
+        await Task.Delay(300);
+        engine.Unsubscribe(handle);
+
+        // 300 ms window, 200 ms floor, stable value → initial push + at most 1 extra poll.
+        // With zero changes only the initial-data push fires.
+        events.Count.ShouldBe(1);
+    }
+
+    [Fact]
+    public async Task Multiple_subscriptions_are_independent()
+    {
+        var src = new FakeSource();
+        src.Values["A"] = 1;
+        src.Values["B"] = 2;
+
+        var a = new ConcurrentQueue<string>();
+        var b = new ConcurrentQueue<string>();
+        await using var engine = new PollGroupEngine(src.ReadAsync,
+            (h, r, s) =>
+            {
+                if (r == "A") a.Enqueue(r);
+                else if (r == "B") b.Enqueue(r);
+            });
+
+        var ha = engine.Subscribe(["A"], TimeSpan.FromMilliseconds(100));
+        var hb = engine.Subscribe(["B"], TimeSpan.FromMilliseconds(100));
+
+        await WaitForAsync(() => a.Count >= 1 && b.Count >= 1, TimeSpan.FromSeconds(2));
+        engine.Unsubscribe(ha);
+        var aCount = a.Count;
+        src.Values["B"] = 77;
+        await WaitForAsync(() => b.Count >= 2, TimeSpan.FromSeconds(2));
+
+        a.Count.ShouldBe(aCount);
+        b.Count.ShouldBeGreaterThanOrEqualTo(2);
+        engine.Unsubscribe(hb);
+    }
+
+    [Fact]
+    public async Task Reader_exception_does_not_crash_loop()
+    {
+        var throwCount = 0;
+        var readCount = 0;
+        Task<IReadOnlyList<DataValueSnapshot>> Reader(IReadOnlyList<string> refs, CancellationToken ct)
+        {
+            if (Interlocked.Increment(ref readCount) <= 2)
+            {
+                Interlocked.Increment(ref throwCount);
+                throw new InvalidOperationException("boom");
+            }
+            var now = DateTime.UtcNow;
+            return Task.FromResult<IReadOnlyList<DataValueSnapshot>>(
+                refs.Select(r => new DataValueSnapshot(1, 0u, now, now)).ToList());
+        }
+
+        var events = new ConcurrentQueue<string>();
+        await using var engine = new PollGroupEngine(Reader,
+            (h, r, s) => events.Enqueue(r));
+
+        var handle = engine.Subscribe(["X"], TimeSpan.FromMilliseconds(100));
+        await WaitForAsync(() => events.Count >= 1, TimeSpan.FromSeconds(2));
+        engine.Unsubscribe(handle);
+
+        throwCount.ShouldBe(2);
+        events.Count.ShouldBeGreaterThanOrEqualTo(1);
+    }
+
+    [Fact]
+    public async Task Unsubscribe_unknown_handle_returns_false()
+    {
+        var src = new FakeSource();
+        await using var engine = new PollGroupEngine(src.ReadAsync, (_, _, _) => { });
+
+        var foreign = new DummyHandle();
+        engine.Unsubscribe(foreign).ShouldBeFalse();
+    }
+
+    [Fact]
+    public async Task ActiveSubscriptionCount_tracks_lifecycle()
+    {
+        var src = new FakeSource();
+        src.Values["X"] = 1;
+        await using var engine = new PollGroupEngine(src.ReadAsync, (_, _, _) => { });
+
+        engine.ActiveSubscriptionCount.ShouldBe(0);
+        var h1 = engine.Subscribe(["X"], TimeSpan.FromMilliseconds(200));
+        var h2 = engine.Subscribe(["X"], TimeSpan.FromMilliseconds(200));
+        engine.ActiveSubscriptionCount.ShouldBe(2);
+
+        engine.Unsubscribe(h1);
+        engine.ActiveSubscriptionCount.ShouldBe(1);
+        engine.Unsubscribe(h2);
+        engine.ActiveSubscriptionCount.ShouldBe(0);
+    }
+
+    [Fact]
+    public async Task DisposeAsync_cancels_all_subscriptions()
+    {
+        var src = new FakeSource();
+        src.Values["X"] = 1;
+
+        var events = new ConcurrentQueue<string>();
+        var engine = new PollGroupEngine(src.ReadAsync,
+            (h, r, s) => events.Enqueue(r));
+
+        _ = engine.Subscribe(["X"], TimeSpan.FromMilliseconds(100));
+        _ = engine.Subscribe(["X"], TimeSpan.FromMilliseconds(100));
+        await WaitForAsync(() => events.Count >= 2, TimeSpan.FromSeconds(2));
+
+        await engine.DisposeAsync();
+        engine.ActiveSubscriptionCount.ShouldBe(0);
+
+        var afterDispose = events.Count;
+        await Task.Delay(300);
+        // After dispose no more events — everything is cancelled.
+        events.Count.ShouldBe(afterDispose);
+    }
+
+    private sealed record DummyHandle : ISubscriptionHandle
+    {
+        public string DiagnosticId => "dummy";
+    }
+
+    private static async Task WaitForAsync(Func<bool> condition, TimeSpan timeout)
+    {
+        var deadline = DateTime.UtcNow + timeout;
+        while (!condition() && DateTime.UtcNow < deadline)
+            await Task.Delay(20);
+    }
+}
--- a/tests/ZB.MOM.WW.OtOpcUa.Core.Tests/OpcUa/IdentificationFolderBuilderTests.cs
+++ b/tests/ZB.MOM.WW.OtOpcUa.Core.Tests/OpcUa/IdentificationFolderBuilderTests.cs
@@ -0,0 +1,158 @@
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Core.OpcUa;
+
+namespace ZB.MOM.WW.OtOpcUa.Core.Tests.OpcUa;
+
+[Trait("Category", "Unit")]
+public sealed class IdentificationFolderBuilderTests
+{
+    private sealed class RecordingBuilder : IAddressSpaceBuilder
+    {
+        public List<(string BrowseName, string DisplayName)> Folders { get; } = [];
+        public List<(string BrowseName, DriverDataType DataType, object? Value)> Properties { get; } = [];
+
+        public IAddressSpaceBuilder Folder(string browseName, string displayName)
+        {
+            Folders.Add((browseName, displayName));
+            return this; // flat recording — identification fields land in the same bucket
+        }
+
+        public IVariableHandle Variable(string browseName, string displayName, DriverAttributeInfo attributeInfo)
+            => throw new NotSupportedException("Identification fields use AddProperty, not Variable");
+
+        public void AddProperty(string browseName, DriverDataType dataType, object? value)
+            => Properties.Add((browseName, dataType, value));
+    }
+
+    private static Equipment EmptyEquipment() => new()
+    {
+        EquipmentId = "EQ-000000000001",
+        DriverInstanceId = "drv-1",
+        UnsLineId = "line-1",
+        Name = "eq-1",
+        MachineCode = "machine_001",
+    };
+
+    private static Equipment FullyPopulatedEquipment() => new()
+    {
+        EquipmentId = "EQ-000000000001",
+        DriverInstanceId = "drv-1",
+        UnsLineId = "line-1",
+        Name = "eq-1",
+        MachineCode = "machine_001",
+        Manufacturer = "Siemens",
+        Model = "S7-1500",
+        SerialNumber = "SN-12345",
+        HardwareRevision = "Rev-A",
+        SoftwareRevision = "Fw-2.3.1",
+        YearOfConstruction = 2023,
+        AssetLocation = "Warsaw-West/Bldg-3",
+        ManufacturerUri = "https://siemens.example",
+        DeviceManualUri = "https://siemens.example/manual",
+    };
+
+    [Fact]
+    public void HasAnyFields_AllNull_ReturnsFalse()
+    {
+        IdentificationFolderBuilder.HasAnyFields(EmptyEquipment()).ShouldBeFalse();
+    }
+
+    [Fact]
+    public void HasAnyFields_OneNonNull_ReturnsTrue()
+    {
+        var eq = EmptyEquipment();
+        eq.SerialNumber = "SN-1";
+        IdentificationFolderBuilder.HasAnyFields(eq).ShouldBeTrue();
+    }
+
+    [Fact]
+    public void Build_AllNull_ReturnsNull_AndDoesNotEmit_Folder()
+    {
+        var builder = new RecordingBuilder();
+
+        var result = IdentificationFolderBuilder.Build(builder, EmptyEquipment());
+
+        result.ShouldBeNull();
+        builder.Folders.ShouldBeEmpty("no Identification folder when every field is null");
+        builder.Properties.ShouldBeEmpty();
+    }
+
+    [Fact]
+    public void Build_FullyPopulated_EmitsAllNineFields()
+    {
+        var builder = new RecordingBuilder();
+
+        var result = IdentificationFolderBuilder.Build(builder, FullyPopulatedEquipment());
+
+        result.ShouldNotBeNull();
+        builder.Folders.ShouldContain(f => f.BrowseName == "Identification");
+        builder.Properties.Count.ShouldBe(9);
+        builder.Properties.Select(p => p.BrowseName).ShouldBe(
+            ["Manufacturer", "Model", "SerialNumber",
+             "HardwareRevision", "SoftwareRevision",
+             "YearOfConstruction", "AssetLocation",
+             "ManufacturerUri", "DeviceManualUri"],
+            "property order matches decision #139 exactly");
+    }
+
+    [Fact]
+    public void Build_OnlyNonNull_Are_Emitted()
+    {
+        var eq = EmptyEquipment();
+        eq.Manufacturer = "Siemens";
+        eq.SerialNumber = "SN-1";
+        eq.YearOfConstruction = 2024;
+        var builder = new RecordingBuilder();
+
+        IdentificationFolderBuilder.Build(builder, eq);
+
+        builder.Properties.Count.ShouldBe(3, "only the 3 non-null fields are exposed");
+        builder.Properties.Select(p => p.BrowseName).ShouldBe(
+            ["Manufacturer", "SerialNumber", "YearOfConstruction"]);
+    }
+
+    [Fact]
+    public void YearOfConstruction_Maps_Short_To_Int32_DriverDataType()
+    {
+        var eq = EmptyEquipment();
+        eq.YearOfConstruction = 2023;
+        var builder = new RecordingBuilder();
+
+        IdentificationFolderBuilder.Build(builder, eq);
+
+        var prop = builder.Properties.Single(p => p.BrowseName == "YearOfConstruction");
+        prop.DataType.ShouldBe(DriverDataType.Int32);
+        prop.Value.ShouldBe(2023, "short is widened to int for OPC UA Int32 representation");
+    }
+
+    [Fact]
+    public void Build_StringValues_RoundTrip()
+    {
+        var eq = FullyPopulatedEquipment();
+        var builder = new RecordingBuilder();
+
+        IdentificationFolderBuilder.Build(builder, eq);
+
+        builder.Properties.Single(p => p.BrowseName == "Manufacturer").Value.ShouldBe("Siemens");
+        builder.Properties.Single(p => p.BrowseName == "DeviceManualUri").Value.ShouldBe("https://siemens.example/manual");
+    }
+
+    [Fact]
+    public void FieldNames_Match_Decision139_Exactly()
+    {
+        IdentificationFolderBuilder.FieldNames.ShouldBe(
+            ["Manufacturer", "Model", "SerialNumber",
+             "HardwareRevision", "SoftwareRevision",
+             "YearOfConstruction", "AssetLocation",
+             "ManufacturerUri", "DeviceManualUri"]);
+    }
+
+    [Fact]
+    public void FolderName_Is_Identification()
+    {
+        IdentificationFolderBuilder.FolderName.ShouldBe("Identification");
+    }
+}
--- a/tests/ZB.MOM.WW.OtOpcUa.Core.Tests/Resilience/DriverResilienceOptionsParserTests.cs
+++ b/tests/ZB.MOM.WW.OtOpcUa.Core.Tests/Resilience/DriverResilienceOptionsParserTests.cs
@@ -0,0 +1,166 @@
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Core.Resilience;
+
+namespace ZB.MOM.WW.OtOpcUa.Core.Tests.Resilience;
+
+[Trait("Category", "Unit")]
+public sealed class DriverResilienceOptionsParserTests
+{
+    [Fact]
+    public void NullJson_ReturnsPureTierDefaults()
+    {
+        var options = DriverResilienceOptionsParser.ParseOrDefaults(DriverTier.A, null, out var diag);
+
+        diag.ShouldBeNull();
+        options.Tier.ShouldBe(DriverTier.A);
+        options.Resolve(DriverCapability.Read).ShouldBe(
+            DriverResilienceOptions.GetTierDefaults(DriverTier.A)[DriverCapability.Read]);
+    }
+
+    [Fact]
+    public void WhitespaceJson_ReturnsDefaults()
+    {
+        DriverResilienceOptionsParser.ParseOrDefaults(DriverTier.B, "   ", out var diag);
+        diag.ShouldBeNull();
+    }
+
+    [Fact]
+    public void MalformedJson_FallsBack_WithDiagnostic()
+    {
+        var options = DriverResilienceOptionsParser.ParseOrDefaults(DriverTier.A, "{not json", out var diag);
+
+        diag.ShouldNotBeNull();
+        diag.ShouldContain("malformed");
+        options.Tier.ShouldBe(DriverTier.A);
+        options.Resolve(DriverCapability.Read).ShouldBe(
+            DriverResilienceOptions.GetTierDefaults(DriverTier.A)[DriverCapability.Read]);
+    }
+
+    [Fact]
+    public void EmptyObject_ReturnsDefaults()
+    {
+        var options = DriverResilienceOptionsParser.ParseOrDefaults(DriverTier.A, "{}", out var diag);
+
+        diag.ShouldBeNull();
+        options.Resolve(DriverCapability.Write).ShouldBe(
+            DriverResilienceOptions.GetTierDefaults(DriverTier.A)[DriverCapability.Write]);
+    }
+
+    [Fact]
+    public void ReadOverride_MergedIntoTierDefaults()
+    {
+        var json = """
+            {
+              "capabilityPolicies": {
+                "Read": { "timeoutSeconds": 5, "retryCount": 7, "breakerFailureThreshold": 2 }
+              }
+            }
+            """;
+
+        var options = DriverResilienceOptionsParser.ParseOrDefaults(DriverTier.A, json, out var diag);
+
+        diag.ShouldBeNull();
+        var read = options.Resolve(DriverCapability.Read);
+        read.TimeoutSeconds.ShouldBe(5);
+        read.RetryCount.ShouldBe(7);
+        read.BreakerFailureThreshold.ShouldBe(2);
+
+        // Other capabilities untouched
+        options.Resolve(DriverCapability.Write).ShouldBe(
+            DriverResilienceOptions.GetTierDefaults(DriverTier.A)[DriverCapability.Write]);
+    }
+
+    [Fact]
+    public void PartialPolicy_FillsMissingFieldsFromTierDefault()
+    {
+        var json = """
+            {
+              "capabilityPolicies": {
+                "Read": { "retryCount": 10 }
+              }
+            }
+            """;
+
+        var options = DriverResilienceOptionsParser.ParseOrDefaults(DriverTier.A, json, out _);
+
+        var read = options.Resolve(DriverCapability.Read);
+        var tierDefault = DriverResilienceOptions.GetTierDefaults(DriverTier.A)[DriverCapability.Read];
+        read.RetryCount.ShouldBe(10);
+        read.TimeoutSeconds.ShouldBe(tierDefault.TimeoutSeconds, "partial override; timeout falls back to tier default");
+        read.BreakerFailureThreshold.ShouldBe(tierDefault.BreakerFailureThreshold);
+    }
+
+    [Fact]
+    public void BulkheadOverrides_AreHonored()
+    {
+        var json = """
+            { "bulkheadMaxConcurrent": 100, "bulkheadMaxQueue": 500 }
+            """;
+
+        var options = DriverResilienceOptionsParser.ParseOrDefaults(DriverTier.B, json, out _);
+
+        options.BulkheadMaxConcurrent.ShouldBe(100);
+        options.BulkheadMaxQueue.ShouldBe(500);
+    }
+
+    [Fact]
+    public void UnknownCapability_Surfaces_InDiagnostic_ButDoesNotFail()
+    {
+        var json = """
+            {
+              "capabilityPolicies": {
+                "InventedCapability": { "timeoutSeconds": 99 }
+              }
+            }
+            """;
+
+        var options = DriverResilienceOptionsParser.ParseOrDefaults(DriverTier.A, json, out var diag);
+
+        diag.ShouldNotBeNull();
+        diag.ShouldContain("InventedCapability");
+        // Known capabilities untouched.
+        options.Resolve(DriverCapability.Read).ShouldBe(
+            DriverResilienceOptions.GetTierDefaults(DriverTier.A)[DriverCapability.Read]);
+    }
+
+    [Fact]
+    public void PropertyNames_AreCaseInsensitive()
+    {
+        var json = """
+            { "BULKHEADMAXCONCURRENT": 42 }
+            """;
+
+        var options = DriverResilienceOptionsParser.ParseOrDefaults(DriverTier.A, json, out _);
+
+        options.BulkheadMaxConcurrent.ShouldBe(42);
+    }
+
+    [Fact]
+    public void CapabilityName_IsCaseInsensitive()
+    {
+        var json = """
+            { "capabilityPolicies": { "read": { "retryCount": 99 } } }
+            """;
+
+        var options = DriverResilienceOptionsParser.ParseOrDefaults(DriverTier.A, json, out var diag);
+
+        diag.ShouldBeNull();
+        options.Resolve(DriverCapability.Read).RetryCount.ShouldBe(99);
+    }
+
+    [Theory]
+    [InlineData(DriverTier.A)]
+    [InlineData(DriverTier.B)]
+    [InlineData(DriverTier.C)]
+    public void EveryTier_WithEmptyJson_RoundTrips_Its_Defaults(DriverTier tier)
+    {
+        var options = DriverResilienceOptionsParser.ParseOrDefaults(tier, "{}", out var diag);
+
+        diag.ShouldBeNull();
+        options.Tier.ShouldBe(tier);
+        foreach (var cap in Enum.GetValues<DriverCapability>())
+            options.Resolve(cap).ShouldBe(DriverResilienceOptions.GetTierDefaults(tier)[cap]);
+    }
+}
--- a/tests/ZB.MOM.WW.OtOpcUa.Core.Tests/Resilience/InFlightCounterTests.cs
+++ b/tests/ZB.MOM.WW.OtOpcUa.Core.Tests/Resilience/InFlightCounterTests.cs
@@ -0,0 +1,130 @@
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Core.Resilience;
+
+namespace ZB.MOM.WW.OtOpcUa.Core.Tests.Resilience;
+
+[Trait("Category", "Unit")]
+public sealed class InFlightCounterTests
+{
+    [Fact]
+    public void StartThenComplete_NetsToZero()
+    {
+        var tracker = new DriverResilienceStatusTracker();
+        tracker.RecordCallStart("drv", "host-a");
+        tracker.RecordCallComplete("drv", "host-a");
+
+        tracker.TryGet("drv", "host-a")!.CurrentInFlight.ShouldBe(0);
+    }
+
+    [Fact]
+    public void NestedStarts_SumDepth()
+    {
+        var tracker = new DriverResilienceStatusTracker();
+        tracker.RecordCallStart("drv", "host-a");
+        tracker.RecordCallStart("drv", "host-a");
+        tracker.RecordCallStart("drv", "host-a");
+
+        tracker.TryGet("drv", "host-a")!.CurrentInFlight.ShouldBe(3);
+
+        tracker.RecordCallComplete("drv", "host-a");
+        tracker.TryGet("drv", "host-a")!.CurrentInFlight.ShouldBe(2);
+    }
+
+    [Fact]
+    public void CompleteBeforeStart_ClampedToZero()
+    {
+        var tracker = new DriverResilienceStatusTracker();
+        tracker.RecordCallComplete("drv", "host-a");
+
+        // A stray Complete without a matching Start shouldn't drive the counter negative.
+        tracker.TryGet("drv", "host-a")!.CurrentInFlight.ShouldBe(0);
+    }
+
+    [Fact]
+    public void DifferentHosts_TrackIndependently()
+    {
+        var tracker = new DriverResilienceStatusTracker();
+        tracker.RecordCallStart("drv", "host-a");
+        tracker.RecordCallStart("drv", "host-a");
+        tracker.RecordCallStart("drv", "host-b");
+
+        tracker.TryGet("drv", "host-a")!.CurrentInFlight.ShouldBe(2);
+        tracker.TryGet("drv", "host-b")!.CurrentInFlight.ShouldBe(1);
+    }
+
+    [Fact]
+    public void ConcurrentStarts_DoNotLose_Count()
+    {
+        var tracker = new DriverResilienceStatusTracker();
+        Parallel.For(0, 500, _ => tracker.RecordCallStart("drv", "host-a"));
+
+        tracker.TryGet("drv", "host-a")!.CurrentInFlight.ShouldBe(500);
+    }
+
+    [Fact]
+    public async Task CapabilityInvoker_IncrementsTracker_DuringExecution()
+    {
+        var tracker = new DriverResilienceStatusTracker();
+        var invoker = new CapabilityInvoker(
+            new DriverResiliencePipelineBuilder(),
+            "drv-live",
+            () => new DriverResilienceOptions { Tier = DriverTier.A },
+            driverType: "Modbus",
+            statusTracker: tracker);
+
+        var observedMidCall = -1;
+        await invoker.ExecuteAsync(
+            DriverCapability.Read,
+            "plc-1",
+            async _ =>
+            {
+                observedMidCall = tracker.TryGet("drv-live", "plc-1")?.CurrentInFlight ?? -1;
+                await Task.Yield();
+                return 42;
+            },
+            CancellationToken.None);
+
+        observedMidCall.ShouldBe(1, "during call, in-flight == 1");
+        tracker.TryGet("drv-live", "plc-1")!.CurrentInFlight.ShouldBe(0, "post-call, counter decremented");
+    }
+
+    [Fact]
+    public async Task CapabilityInvoker_ExceptionPath_DecrementsCounter()
+    {
+        var tracker = new DriverResilienceStatusTracker();
+        var invoker = new CapabilityInvoker(
+            new DriverResiliencePipelineBuilder(),
+            "drv-live",
+            () => new DriverResilienceOptions { Tier = DriverTier.A },
+            statusTracker: tracker);
+
+        await Should.ThrowAsync<InvalidOperationException>(async () =>
+            await invoker.ExecuteAsync<int>(
+                DriverCapability.Write,
+                "plc-1",
+                _ => throw new InvalidOperationException("boom"),
+                CancellationToken.None));
+
+        tracker.TryGet("drv-live", "plc-1")!.CurrentInFlight.ShouldBe(0,
+            "finally-block must decrement even when call-site throws");
+    }
+
+    [Fact]
+    public async Task CapabilityInvoker_WithoutTracker_DoesNotThrow()
+    {
+        var invoker = new CapabilityInvoker(
+            new DriverResiliencePipelineBuilder(),
+            "drv-live",
+            () => new DriverResilienceOptions { Tier = DriverTier.A },
+            statusTracker: null);
+
+        var result = await invoker.ExecuteAsync(
+            DriverCapability.Read, "host-1",
+            _ => ValueTask.FromResult(7),
+            CancellationToken.None);
+
+        result.ShouldBe(7);
+    }
+}
--- a/tests/ZB.MOM.WW.OtOpcUa.Core.Tests/Resilience/PerCallHostResolverDispatchTests.cs
+++ b/tests/ZB.MOM.WW.OtOpcUa.Core.Tests/Resilience/PerCallHostResolverDispatchTests.cs
@@ -0,0 +1,110 @@
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Core.Resilience;
+
+namespace ZB.MOM.WW.OtOpcUa.Core.Tests.Resilience;
+
+/// <summary>
+///     Exercises the per-call host resolver contract against the shared
+///     <see cref="DriverResiliencePipelineBuilder"/> + <see cref="CapabilityInvoker"/> — one
+///     dead PLC behind a multi-device driver must NOT open the breaker for healthy sibling
+///     PLCs (decision #144).
+/// </summary>
+[Trait("Category", "Unit")]
+public sealed class PerCallHostResolverDispatchTests
+{
+    private sealed class StaticResolver : IPerCallHostResolver
+    {
+        private readonly Dictionary<string, string> _map;
+        public StaticResolver(Dictionary<string, string> map) => _map = map;
+        public string ResolveHost(string fullReference) =>
+            _map.TryGetValue(fullReference, out var host) ? host : string.Empty;
+    }
+
+    [Fact]
+    public async Task DeadPlc_DoesNotOpenBreaker_For_HealthyPlc_With_Resolver()
+    {
+        // Two PLCs behind one driver. Dead PLC keeps failing; healthy PLC must keep serving.
+        var builder = new DriverResiliencePipelineBuilder();
+        var options = new DriverResilienceOptions { Tier = DriverTier.B };
+        var invoker = new CapabilityInvoker(builder, "drv-modbus", () => options);
+
+        var resolver = new StaticResolver(new Dictionary<string, string>
+        {
+            ["tag-on-dead"]  = "plc-dead",
+            ["tag-on-alive"] = "plc-alive",
+        });
+
+        var threshold = options.Resolve(DriverCapability.Read).BreakerFailureThreshold;
+        for (var i = 0; i < threshold + 3; i++)
+        {
+            await Should.ThrowAsync<Exception>(async () =>
+                await invoker.ExecuteAsync(
+                    DriverCapability.Read,
+                    hostName: resolver.ResolveHost("tag-on-dead"),
+                    _ => throw new InvalidOperationException("plc-dead unreachable"),
+                    CancellationToken.None));
+        }
+
+        // Healthy PLC's pipeline is in a different bucket; the first call should succeed
+        // without hitting the dead-PLC breaker.
+        var aliveAttempts = 0;
+        await invoker.ExecuteAsync(
+            DriverCapability.Read,
+            hostName: resolver.ResolveHost("tag-on-alive"),
+            _ => { aliveAttempts++; return ValueTask.FromResult("ok"); },
+            CancellationToken.None);
+
+        aliveAttempts.ShouldBe(1, "decision #144 — per-PLC isolation keeps healthy PLCs serving");
+    }
+
+    [Fact]
+    public void Resolver_EmptyString_Treated_As_Single_Host_Fallback()
+    {
+        var resolver = new StaticResolver(new Dictionary<string, string>
+        {
+            ["tag-unknown"] = "",
+        });
+
+        resolver.ResolveHost("tag-unknown").ShouldBe("");
+        resolver.ResolveHost("not-in-map").ShouldBe("", "unknown refs return empty so dispatch falls back to single-host");
+    }
+
+    [Fact]
+    public async Task WithoutResolver_SameHost_Shares_One_Pipeline()
+    {
+        // Without a resolver all calls share the DriverInstanceId pipeline — that's the
+        // pre-decision-#144 behavior single-host drivers should keep.
+        var builder = new DriverResiliencePipelineBuilder();
+        var options = new DriverResilienceOptions { Tier = DriverTier.A };
+        var invoker = new CapabilityInvoker(builder, "drv-single", () => options);
+
+        await invoker.ExecuteAsync(DriverCapability.Read, "drv-single",
+            _ => ValueTask.FromResult("a"), CancellationToken.None);
+        await invoker.ExecuteAsync(DriverCapability.Read, "drv-single",
+            _ => ValueTask.FromResult("b"), CancellationToken.None);
+
+        builder.CachedPipelineCount.ShouldBe(1, "single-host drivers share one pipeline");
+    }
+
+    [Fact]
+    public async Task WithResolver_TwoHosts_Get_Two_Pipelines()
+    {
+        var builder = new DriverResiliencePipelineBuilder();
+        var options = new DriverResilienceOptions { Tier = DriverTier.B };
+        var invoker = new CapabilityInvoker(builder, "drv-modbus", () => options);
+        var resolver = new StaticResolver(new Dictionary<string, string>
+        {
+            ["tag-a"] = "plc-a",
+            ["tag-b"] = "plc-b",
+        });
+
+        await invoker.ExecuteAsync(DriverCapability.Read, resolver.ResolveHost("tag-a"),
+            _ => ValueTask.FromResult(1), CancellationToken.None);
+        await invoker.ExecuteAsync(DriverCapability.Read, resolver.ResolveHost("tag-b"),
+            _ => ValueTask.FromResult(2), CancellationToken.None);
+
+        builder.CachedPipelineCount.ShouldBe(2, "each host keyed on its own pipeline");
+    }
+}
--- a/tests/ZB.MOM.WW.OtOpcUa.Driver.AbCip.IntegrationTests/AbCipReadSmokeTests.cs
+++ b/tests/ZB.MOM.WW.OtOpcUa.Driver.AbCip.IntegrationTests/AbCipReadSmokeTests.cs
@@ -0,0 +1,44 @@
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Driver.AbCip;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.AbCip.IntegrationTests;
+
+/// <summary>
+///     End-to-end smoke tests that exercise the real libplctag stack against a running
+///     <c>ab_server</c>. Skipped when the binary isn't on PATH (<see cref="AbServerFactAttribute"/>).
+/// </summary>
+/// <remarks>
+///     Intentionally minimal — per-family + per-capability coverage ships in PRs 9–12 once the
+///     integration harness is CI-ready. This file exists at PR 3 time to prove the wire path
+///     works end-to-end on developer boxes that have <c>ab_server</c>.
+/// </remarks>
+[Trait("Category", "Integration")]
+[Trait("Requires", "AbServer")]
+public sealed class AbCipReadSmokeTests : IAsyncLifetime
+{
+    private readonly AbServerFixture _fixture = new();
+
+    public async ValueTask InitializeAsync() => await _fixture.InitializeAsync();
+    public async ValueTask DisposeAsync() => await _fixture.DisposeAsync();
+
+    [AbServerFact]
+    public async Task Driver_reads_DInt_from_ab_server()
+    {
+        var drv = new AbCipDriver(new AbCipDriverOptions
+        {
+            Devices = [new AbCipDeviceOptions($"ab://127.0.0.1:{_fixture.Port}/1,0", AbCipPlcFamily.ControlLogix)],
+            Tags = [new AbCipTagDefinition("Counter", $"ab://127.0.0.1:{_fixture.Port}/1,0", "TestDINT", AbCipDataType.DInt)],
+            Timeout = TimeSpan.FromSeconds(5),
+        }, "drv-smoke");
+
+        await drv.InitializeAsync("{}", CancellationToken.None);
+        var snapshots = await drv.ReadAsync(["Counter"], CancellationToken.None);
+
+        snapshots.Single().StatusCode.ShouldBe(AbCipStatusMapper.Good);
+        drv.GetHealth().State.ShouldBe(DriverState.Healthy);
+
+        await drv.ShutdownAsync(CancellationToken.None);
+    }
+}
--- a/tests/ZB.MOM.WW.OtOpcUa.Driver.AbCip.IntegrationTests/AbServerFixture.cs
+++ b/tests/ZB.MOM.WW.OtOpcUa.Driver.AbCip.IntegrationTests/AbServerFixture.cs
@@ -0,0 +1,109 @@
+using System.Diagnostics;
+using Xunit;
+using Xunit.Sdk;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.AbCip.IntegrationTests;
+
+/// <summary>
+///     Shared fixture that starts libplctag's <c>ab_server</c> simulator in the background for
+///     the duration of an integration test collection. Binary is expected on PATH; the per-test
+///     JSON profile is passed via <c>--config</c>.
+/// </summary>
+/// <remarks>
+///     <para><c>ab_server</c> is a C binary shipped in the same repo as libplctag (see
+///     <c>test-data-sources.md</c> §2 and plan decision #99). On a developer workstation it's
+///     built once from source and placed on PATH; in CI we intend to publish a prebuilt Windows
+///     x64 binary as a GitHub release asset in a follow-up PR so the fixture can download +
+///     extract it at setup time. Until then every test in this project is skipped when
+///     <c>ab_server</c> is not locatable.</para>
+///
+///     <para>Per-family JSON profiles (ControlLogix / CompactLogix / Micro800 / GuardLogix)
+///     ship under <c>Profiles/</c> and drive the simulator's tag shape — this is where the
+///     UDT + Program-scope coverage gap will be filled by the hand-rolled stub in PR 6.</para>
+/// </remarks>
+public sealed class AbServerFixture : IAsyncLifetime
+{
+    private Process? _proc;
+    public int Port { get; } = 44818;
+
+    public bool IsAvailable { get; private set; }
+
+    public ValueTask InitializeAsync() => InitializeAsync(default);
+    public ValueTask DisposeAsync() => DisposeAsync(default);
+
+    public async ValueTask InitializeAsync(CancellationToken cancellationToken)
+    {
+        if (LocateBinary() is not string binary)
+        {
+            IsAvailable = false;
+            return;
+        }
+        IsAvailable = true;
+
+        _proc = new Process
+        {
+            StartInfo = new ProcessStartInfo
+            {
+                FileName = binary,
+                Arguments = $"--port {Port} --plc controllogix",
+                RedirectStandardOutput = true,
+                RedirectStandardError = true,
+                UseShellExecute = false,
+                CreateNoWindow = true,
+            },
+        };
+        _proc.Start();
+
+        // Give the server a moment to accept its listen socket before tests try to connect.
+        await Task.Delay(500, cancellationToken).ConfigureAwait(false);
+    }
+
+    public ValueTask DisposeAsync(CancellationToken cancellationToken)
+    {
+        try
+        {
+            if (_proc is { HasExited: false })
+            {
+                _proc.Kill(entireProcessTree: true);
+                _proc.WaitForExit(5_000);
+            }
+        }
+        catch { /* best-effort cleanup */ }
+        _proc?.Dispose();
+        return ValueTask.CompletedTask;
+    }
+
+    /// <summary>
+    ///     Locate <c>ab_server</c> on PATH. Returns <c>null</c> when missing — tests that
+    ///     depend on it should use <see cref="AbServerFact"/> so CI runs without the binary
+    ///     simply skip rather than fail.
+    /// </summary>
+    public static string? LocateBinary()
+    {
+        var names = new[] { "ab_server.exe", "ab_server" };
+        var path = Environment.GetEnvironmentVariable("PATH") ?? "";
+        foreach (var dir in path.Split(Path.PathSeparator))
+        {
+            foreach (var name in names)
+            {
+                var candidate = Path.Combine(dir, name);
+                if (File.Exists(candidate)) return candidate;
+            }
+        }
+        return null;
+    }
+}
+
+/// <summary>
+///     <c>[Fact]</c>-equivalent that skips when <c>ab_server</c> is not available on PATH.
+///     Integration tests use this instead of <c>[Fact]</c> so a developer box without
+///     <c>ab_server</c> installed still gets a green run.
+/// </summary>
+public sealed class AbServerFactAttribute : FactAttribute
+{
+    public AbServerFactAttribute()
+    {
+        if (AbServerFixture.LocateBinary() is null)
+            Skip = "ab_server not on PATH; install libplctag test binaries to run.";
+    }
+}
--- a/tests/ZB.MOM.WW.OtOpcUa.Driver.AbCip.IntegrationTests/ZB.MOM.WW.OtOpcUa.Driver.AbCip.IntegrationTests.csproj
+++ b/tests/ZB.MOM.WW.OtOpcUa.Driver.AbCip.IntegrationTests/ZB.MOM.WW.OtOpcUa.Driver.AbCip.IntegrationTests.csproj
@@ -0,0 +1,31 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+    <PropertyGroup>
+        <TargetFramework>net10.0</TargetFramework>
+        <Nullable>enable</Nullable>
+        <ImplicitUsings>enable</ImplicitUsings>
+        <IsPackable>false</IsPackable>
+        <IsTestProject>true</IsTestProject>
+        <RootNamespace>ZB.MOM.WW.OtOpcUa.Driver.AbCip.IntegrationTests</RootNamespace>
+    </PropertyGroup>
+
+    <ItemGroup>
+        <PackageReference Include="xunit.v3" Version="1.1.0"/>
+        <PackageReference Include="Shouldly" Version="4.3.0"/>
+        <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.12.0"/>
+        <PackageReference Include="xunit.runner.visualstudio" Version="3.0.2">
+            <PrivateAssets>all</PrivateAssets>
+            <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+        </PackageReference>
+    </ItemGroup>
+
+    <ItemGroup>
+        <ProjectReference Include="..\..\src\ZB.MOM.WW.OtOpcUa.Driver.AbCip\ZB.MOM.WW.OtOpcUa.Driver.AbCip.csproj"/>
+    </ItemGroup>
+
+    <ItemGroup>
+        <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-37gx-xxp4-5rgx"/>
+        <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-w3x6-4m5h-cxqf"/>
+    </ItemGroup>
+
+</Project>
--- a/tests/ZB.MOM.WW.OtOpcUa.Driver.AbCip.Tests/AbCipDriverReadTests.cs
+++ b/tests/ZB.MOM.WW.OtOpcUa.Driver.AbCip.Tests/AbCipDriverReadTests.cs
@@ -0,0 +1,214 @@
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Driver.AbCip;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.AbCip.Tests;
+
+[Trait("Category", "Unit")]
+public sealed class AbCipDriverReadTests
+{
+    private static (AbCipDriver drv, FakeAbCipTagFactory factory) NewDriver(params AbCipTagDefinition[] tags)
+    {
+        var factory = new FakeAbCipTagFactory();
+        var opts = new AbCipDriverOptions
+        {
+            Devices = [new AbCipDeviceOptions("ab://10.0.0.5/1,0")],
+            Tags = tags,
+        };
+        var drv = new AbCipDriver(opts, "drv-1", factory);
+        return (drv, factory);
+    }
+
+    [Fact]
+    public async Task Unknown_reference_maps_to_BadNodeIdUnknown()
+    {
+        var (drv, _) = NewDriver();
+        await drv.InitializeAsync("{}", CancellationToken.None);
+
+        var snapshots = await drv.ReadAsync(["does-not-exist"], CancellationToken.None);
+
+        snapshots.Single().StatusCode.ShouldBe(AbCipStatusMapper.BadNodeIdUnknown);
+        snapshots.Single().Value.ShouldBeNull();
+    }
+
+    [Fact]
+    public async Task Tag_on_unknown_device_maps_to_BadNodeIdUnknown()
+    {
+        var factory = new FakeAbCipTagFactory();
+        var opts = new AbCipDriverOptions
+        {
+            Devices = [new AbCipDeviceOptions("ab://10.0.0.5/1,0")],
+            Tags = [new AbCipTagDefinition("Orphan", "ab://10.0.0.99/1,0", "Tag1", AbCipDataType.DInt)],
+        };
+        var drv = new AbCipDriver(opts, "drv-1", factory);
+        await drv.InitializeAsync("{}", CancellationToken.None);
+
+        var snapshots = await drv.ReadAsync(["Orphan"], CancellationToken.None);
+        snapshots.Single().StatusCode.ShouldBe(AbCipStatusMapper.BadNodeIdUnknown);
+    }
+
+    [Fact]
+    public async Task Successful_DInt_read_returns_Good_with_value()
+    {
+        var (drv, factory) = NewDriver(
+            new AbCipTagDefinition("Speed", "ab://10.0.0.5/1,0", "Motor1.Speed", AbCipDataType.DInt));
+        await drv.InitializeAsync("{}", CancellationToken.None);
+
+        // Customise the fake before the first read so the tag returns 4200.
+        factory.Customise = p => new FakeAbCipTag(p) { Value = 4200 };
+
+        var snapshots = await drv.ReadAsync(["Speed"], CancellationToken.None);
+
+        snapshots.Single().StatusCode.ShouldBe(AbCipStatusMapper.Good);
+        snapshots.Single().Value.ShouldBe(4200);
+        factory.Tags["Motor1.Speed"].InitializeCount.ShouldBe(1);
+        factory.Tags["Motor1.Speed"].ReadCount.ShouldBe(1);
+    }
+
+    [Fact]
+    public async Task Repeat_read_reuses_runtime_without_reinitialise()
+    {
+        var (drv, factory) = NewDriver(
+            new AbCipTagDefinition("Speed", "ab://10.0.0.5/1,0", "Motor1.Speed", AbCipDataType.DInt));
+        await drv.InitializeAsync("{}", CancellationToken.None);
+        factory.Customise = p => new FakeAbCipTag(p) { Value = 1 };
+
+        await drv.ReadAsync(["Speed"], CancellationToken.None);
+        await drv.ReadAsync(["Speed"], CancellationToken.None);
+        await drv.ReadAsync(["Speed"], CancellationToken.None);
+
+        factory.Tags["Motor1.Speed"].InitializeCount.ShouldBe(1); // lazy init happens once
+        factory.Tags["Motor1.Speed"].ReadCount.ShouldBe(3);
+    }
+
+    [Fact]
+    public async Task NonZero_libplctag_status_maps_via_AbCipStatusMapper()
+    {
+        var (drv, factory) = NewDriver(
+            new AbCipTagDefinition("Ghost", "ab://10.0.0.5/1,0", "Missing.Tag", AbCipDataType.DInt));
+        await drv.InitializeAsync("{}", CancellationToken.None);
+        factory.Customise = p => new FakeAbCipTag(p) { Status = -14 /* PLCTAG_ERR_NOT_FOUND */ };
+
+        var snapshots = await drv.ReadAsync(["Ghost"], CancellationToken.None);
+
+        snapshots.Single().StatusCode.ShouldBe(AbCipStatusMapper.BadNodeIdUnknown);
+        snapshots.Single().Value.ShouldBeNull();
+    }
+
+    [Fact]
+    public async Task Exception_during_read_surfaces_BadCommunicationError()
+    {
+        var (drv, factory) = NewDriver(
+            new AbCipTagDefinition("Broken", "ab://10.0.0.5/1,0", "Broken", AbCipDataType.Real));
+        await drv.InitializeAsync("{}", CancellationToken.None);
+        factory.Customise = p => new FakeAbCipTag(p) { ThrowOnRead = true };
+
+        var snapshots = await drv.ReadAsync(["Broken"], CancellationToken.None);
+
+        snapshots.Single().StatusCode.ShouldBe(AbCipStatusMapper.BadCommunicationError);
+        snapshots.Single().Value.ShouldBeNull();
+        drv.GetHealth().State.ShouldBe(DriverState.Degraded);
+    }
+
+    [Fact]
+    public async Task Batched_reads_preserve_order_and_per_tag_status()
+    {
+        var (drv, factory) = NewDriver(
+            new AbCipTagDefinition("A", "ab://10.0.0.5/1,0", "A", AbCipDataType.DInt),
+            new AbCipTagDefinition("B", "ab://10.0.0.5/1,0", "B", AbCipDataType.Real),
+            new AbCipTagDefinition("C", "ab://10.0.0.5/1,0", "C", AbCipDataType.String));
+        await drv.InitializeAsync("{}", CancellationToken.None);
+        factory.Customise = p => p.TagName switch
+        {
+            "A" => new FakeAbCipTag(p) { Value = 42 },
+            "B" => new FakeAbCipTag(p) { Value = 3.14f },
+            _ => new FakeAbCipTag(p) { Value = "hello" },
+        };
+
+        var snapshots = await drv.ReadAsync(["A", "B", "C"], CancellationToken.None);
+
+        snapshots.Count.ShouldBe(3);
+        snapshots[0].Value.ShouldBe(42);
+        snapshots[1].Value.ShouldBe(3.14f);
+        snapshots[2].Value.ShouldBe("hello");
+        snapshots.ShouldAllBe(s => s.StatusCode == AbCipStatusMapper.Good);
+    }
+
+    [Fact]
+    public async Task Successful_read_marks_health_Healthy()
+    {
+        var (drv, factory) = NewDriver(
+            new AbCipTagDefinition("Pressure", "ab://10.0.0.5/1,0", "PT_101", AbCipDataType.Real));
+        await drv.InitializeAsync("{}", CancellationToken.None);
+        factory.Customise = p => new FakeAbCipTag(p) { Value = 14.7f };
+
+        await drv.ReadAsync(["Pressure"], CancellationToken.None);
+        drv.GetHealth().State.ShouldBe(DriverState.Healthy);
+        drv.GetHealth().LastSuccessfulRead.ShouldNotBeNull();
+    }
+
+    [Fact]
+    public async Task TagCreateParams_are_built_from_device_and_profile()
+    {
+        var (drv, factory) = NewDriver(
+            new AbCipTagDefinition("Counter", "ab://10.0.0.5/1,0", "Program:P.Counter", AbCipDataType.DInt));
+        await drv.InitializeAsync("{}", CancellationToken.None);
+
+        await drv.ReadAsync(["Counter"], CancellationToken.None);
+
+        var p = factory.Tags["Program:P.Counter"].CreationParams;
+        p.Gateway.ShouldBe("10.0.0.5");
+        p.Port.ShouldBe(44818);
+        p.CipPath.ShouldBe("1,0");
+        p.LibplctagPlcAttribute.ShouldBe("controllogix");
+        p.TagName.ShouldBe("Program:P.Counter");
+    }
+
+    [Fact]
+    public async Task Cancellation_propagates_from_read()
+    {
+        var (drv, factory) = NewDriver(
+            new AbCipTagDefinition("Slow", "ab://10.0.0.5/1,0", "Slow", AbCipDataType.DInt));
+        await drv.InitializeAsync("{}", CancellationToken.None);
+        factory.Customise = p => new FakeAbCipTag(p)
+        {
+            ThrowOnRead = true,
+            Exception = new OperationCanceledException(),
+        };
+
+        using var cts = new CancellationTokenSource();
+        await Should.ThrowAsync<OperationCanceledException>(
+            () => drv.ReadAsync(["Slow"], cts.Token));
+    }
+
+    [Fact]
+    public async Task ShutdownAsync_disposes_each_tag_runtime()
+    {
+        var (drv, factory) = NewDriver(
+            new AbCipTagDefinition("A", "ab://10.0.0.5/1,0", "A", AbCipDataType.DInt),
+            new AbCipTagDefinition("B", "ab://10.0.0.5/1,0", "B", AbCipDataType.DInt));
+        await drv.InitializeAsync("{}", CancellationToken.None);
+        factory.Customise = p => new FakeAbCipTag(p) { Value = 1 };
+        await drv.ReadAsync(["A", "B"], CancellationToken.None);
+
+        await drv.ShutdownAsync(CancellationToken.None);
+
+        factory.Tags["A"].Disposed.ShouldBeTrue();
+        factory.Tags["B"].Disposed.ShouldBeTrue();
+    }
+
+    [Fact]
+    public async Task Initialize_failure_disposes_tag_and_surfaces_communication_error()
+    {
+        var (drv, factory) = NewDriver(
+            new AbCipTagDefinition("DoomedTag", "ab://10.0.0.5/1,0", "Nope", AbCipDataType.DInt));
+        await drv.InitializeAsync("{}", CancellationToken.None);
+        factory.Customise = p => new FakeAbCipTag(p) { ThrowOnInitialize = true };
+
+        var snapshots = await drv.ReadAsync(["DoomedTag"], CancellationToken.None);
+
+        snapshots.Single().StatusCode.ShouldBe(AbCipStatusMapper.BadCommunicationError);
+        factory.Tags["Nope"].Disposed.ShouldBeTrue();
+    }
+}
--- a/tests/ZB.MOM.WW.OtOpcUa.Driver.AbCip.Tests/AbCipDriverTests.cs
+++ b/tests/ZB.MOM.WW.OtOpcUa.Driver.AbCip.Tests/AbCipDriverTests.cs
@@ -0,0 +1,131 @@
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Driver.AbCip;
+using ZB.MOM.WW.OtOpcUa.Driver.AbCip.PlcFamilies;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.AbCip.Tests;
+
+[Trait("Category", "Unit")]
+public sealed class AbCipDriverTests
+{
+    [Fact]
+    public void DriverType_is_AbCip()
+    {
+        var drv = new AbCipDriver(new AbCipDriverOptions(), "drv-1");
+        drv.DriverType.ShouldBe("AbCip");
+        drv.DriverInstanceId.ShouldBe("drv-1");
+    }
+
+    [Fact]
+    public async Task InitializeAsync_with_empty_devices_succeeds_and_marks_healthy()
+    {
+        var drv = new AbCipDriver(new AbCipDriverOptions(), "drv-1");
+        await drv.InitializeAsync("{}", CancellationToken.None);
+        drv.GetHealth().State.ShouldBe(DriverState.Healthy);
+    }
+
+    [Fact]
+    public async Task InitializeAsync_registers_each_device_with_its_family_profile()
+    {
+        var drv = new AbCipDriver(new AbCipDriverOptions
+        {
+            Devices =
+            [
+                new AbCipDeviceOptions("ab://10.0.0.5/1,0", AbCipPlcFamily.ControlLogix),
+                new AbCipDeviceOptions("ab://10.0.0.6/", AbCipPlcFamily.Micro800),
+            ],
+        }, "drv-1");
+
+        await drv.InitializeAsync("{}", CancellationToken.None);
+
+        drv.DeviceCount.ShouldBe(2);
+        drv.GetDeviceState("ab://10.0.0.5/1,0")!.Profile.ShouldBe(AbCipPlcFamilyProfile.ControlLogix);
+        drv.GetDeviceState("ab://10.0.0.6/")!.Profile.ShouldBe(AbCipPlcFamilyProfile.Micro800);
+    }
+
+    [Fact]
+    public async Task InitializeAsync_with_malformed_host_address_faults()
+    {
+        var drv = new AbCipDriver(new AbCipDriverOptions
+        {
+            Devices = [new AbCipDeviceOptions("not-a-valid-address")],
+        }, "drv-1");
+
+        await Should.ThrowAsync<InvalidOperationException>(
+            () => drv.InitializeAsync("{}", CancellationToken.None));
+        drv.GetHealth().State.ShouldBe(DriverState.Faulted);
+    }
+
+    [Fact]
+    public async Task ShutdownAsync_clears_devices_and_marks_unknown()
+    {
+        var drv = new AbCipDriver(new AbCipDriverOptions
+        {
+            Devices = [new AbCipDeviceOptions("ab://10.0.0.5/1,0")],
+        }, "drv-1");
+
+        await drv.InitializeAsync("{}", CancellationToken.None);
+        drv.DeviceCount.ShouldBe(1);
+
+        await drv.ShutdownAsync(CancellationToken.None);
+        drv.DeviceCount.ShouldBe(0);
+        drv.GetHealth().State.ShouldBe(DriverState.Unknown);
+    }
+
+    [Fact]
+    public async Task ReinitializeAsync_cycles_devices()
+    {
+        var drv = new AbCipDriver(new AbCipDriverOptions
+        {
+            Devices = [new AbCipDeviceOptions("ab://10.0.0.5/1,0")],
+        }, "drv-1");
+
+        await drv.InitializeAsync("{}", CancellationToken.None);
+        await drv.ReinitializeAsync("{}", CancellationToken.None);
+
+        drv.DeviceCount.ShouldBe(1);
+        drv.GetHealth().State.ShouldBe(DriverState.Healthy);
+    }
+
+    [Fact]
+    public void Family_profiles_expose_expected_defaults()
+    {
+        AbCipPlcFamilyProfile.ControlLogix.LibplctagPlcAttribute.ShouldBe("controllogix");
+        AbCipPlcFamilyProfile.ControlLogix.DefaultConnectionSize.ShouldBe(4002);
+        AbCipPlcFamilyProfile.ControlLogix.DefaultCipPath.ShouldBe("1,0");
+
+        AbCipPlcFamilyProfile.Micro800.DefaultCipPath.ShouldBe(""); // no backplane routing
+        AbCipPlcFamilyProfile.Micro800.SupportsRequestPacking.ShouldBeFalse();
+        AbCipPlcFamilyProfile.Micro800.SupportsConnectedMessaging.ShouldBeFalse();
+
+        AbCipPlcFamilyProfile.CompactLogix.DefaultConnectionSize.ShouldBe(504);
+        AbCipPlcFamilyProfile.GuardLogix.LibplctagPlcAttribute.ShouldBe("controllogix");
+    }
+
+    [Fact]
+    public void PlcTagHandle_IsInvalid_for_zero_or_negative_native_id()
+    {
+        PlcTagHandle.FromNative(-5).IsInvalid.ShouldBeTrue();
+        PlcTagHandle.FromNative(0).IsInvalid.ShouldBeTrue();
+        PlcTagHandle.FromNative(42).IsInvalid.ShouldBeFalse();
+    }
+
+    [Fact]
+    public void PlcTagHandle_Dispose_is_idempotent()
+    {
+        var h = PlcTagHandle.FromNative(42);
+        h.Dispose();
+        h.Dispose(); // must not throw
+    }
+
+    [Fact]
+    public void AbCipDataType_maps_atomics_to_driver_types()
+    {
+        AbCipDataType.Bool.ToDriverDataType().ShouldBe(DriverDataType.Boolean);
+        AbCipDataType.DInt.ToDriverDataType().ShouldBe(DriverDataType.Int32);
+        AbCipDataType.Real.ToDriverDataType().ShouldBe(DriverDataType.Float32);
+        AbCipDataType.LReal.ToDriverDataType().ShouldBe(DriverDataType.Float64);
+        AbCipDataType.String.ToDriverDataType().ShouldBe(DriverDataType.String);
+    }
+}
--- a/tests/ZB.MOM.WW.OtOpcUa.Driver.AbCip.Tests/AbCipDriverWriteTests.cs
+++ b/tests/ZB.MOM.WW.OtOpcUa.Driver.AbCip.Tests/AbCipDriverWriteTests.cs
@@ -0,0 +1,230 @@
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Driver.AbCip;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.AbCip.Tests;
+
+[Trait("Category", "Unit")]
+public sealed class AbCipDriverWriteTests
+{
+    private static (AbCipDriver drv, FakeAbCipTagFactory factory) NewDriver(params AbCipTagDefinition[] tags)
+    {
+        var factory = new FakeAbCipTagFactory();
+        var drv = new AbCipDriver(new AbCipDriverOptions
+        {
+            Devices = [new AbCipDeviceOptions("ab://10.0.0.5/1,0")],
+            Tags = tags,
+        }, "drv-1", factory);
+        return (drv, factory);
+    }
+
+    [Fact]
+    public async Task Unknown_reference_maps_to_BadNodeIdUnknown()
+    {
+        var (drv, _) = NewDriver();
+        await drv.InitializeAsync("{}", CancellationToken.None);
+
+        var results = await drv.WriteAsync(
+            [new WriteRequest("does-not-exist", 1)], CancellationToken.None);
+
+        results.Single().StatusCode.ShouldBe(AbCipStatusMapper.BadNodeIdUnknown);
+    }
+
+    [Fact]
+    public async Task Non_writable_tag_maps_to_BadNotWritable()
+    {
+        var (drv, _) = NewDriver(
+            new AbCipTagDefinition("ReadOnly", "ab://10.0.0.5/1,0", "RO", AbCipDataType.DInt, Writable: false));
+        await drv.InitializeAsync("{}", CancellationToken.None);
+
+        var results = await drv.WriteAsync(
+            [new WriteRequest("ReadOnly", 7)], CancellationToken.None);
+
+        results.Single().StatusCode.ShouldBe(AbCipStatusMapper.BadNotWritable);
+    }
+
+    [Fact]
+    public async Task Successful_DInt_write_encodes_and_flushes()
+    {
+        var (drv, factory) = NewDriver(
+            new AbCipTagDefinition("Speed", "ab://10.0.0.5/1,0", "Motor1.Speed", AbCipDataType.DInt));
+        await drv.InitializeAsync("{}", CancellationToken.None);
+
+        var results = await drv.WriteAsync(
+            [new WriteRequest("Speed", 4200)], CancellationToken.None);
+
+        results.Single().StatusCode.ShouldBe(AbCipStatusMapper.Good);
+        factory.Tags["Motor1.Speed"].Value.ShouldBe(4200);
+        factory.Tags["Motor1.Speed"].WriteCount.ShouldBe(1);
+    }
+
+    [Fact]
+    public async Task Bit_in_dint_write_returns_BadNotSupported()
+    {
+        var factory = new FakeAbCipTagFactory { Customise = p => new ThrowingBoolBitFake(p) };
+        var drv = new AbCipDriver(new AbCipDriverOptions
+        {
+            Devices = [new AbCipDeviceOptions("ab://10.0.0.5/1,0")],
+            Tags = [new AbCipTagDefinition("Flag3", "ab://10.0.0.5/1,0", "Flags.3", AbCipDataType.Bool)],
+        }, "drv-1", factory);
+        await drv.InitializeAsync("{}", CancellationToken.None);
+
+        var results = await drv.WriteAsync(
+            [new WriteRequest("Flag3", true)], CancellationToken.None);
+
+        results.Single().StatusCode.ShouldBe(AbCipStatusMapper.BadNotSupported);
+    }
+
+    [Fact]
+    public async Task Non_zero_libplctag_status_after_write_maps_via_AbCipStatusMapper()
+    {
+        var (drv, factory) = NewDriver(
+            new AbCipTagDefinition("Broken", "ab://10.0.0.5/1,0", "Broken", AbCipDataType.DInt));
+        await drv.InitializeAsync("{}", CancellationToken.None);
+        factory.Customise = p => new FakeAbCipTag(p) { Status = -5 /* timeout */ };
+
+        var results = await drv.WriteAsync(
+            [new WriteRequest("Broken", 1)], CancellationToken.None);
+
+        results.Single().StatusCode.ShouldBe(AbCipStatusMapper.BadTimeout);
+    }
+
+    [Fact]
+    public async Task Type_mismatch_surfaces_BadTypeMismatch()
+    {
+        var (drv, _) = NewDriver(
+            new AbCipTagDefinition("Speed", "ab://10.0.0.5/1,0", "Speed", AbCipDataType.DInt));
+        await drv.InitializeAsync("{}", CancellationToken.None);
+
+        // Force a FormatException inside Convert.ToInt32 via a runtime that forwards to real Convert.
+        var factory = new FakeAbCipTagFactory
+        {
+            Customise = p => new RealConvertFake(p),
+        };
+        var drv2 = new AbCipDriver(new AbCipDriverOptions
+        {
+            Devices = [new AbCipDeviceOptions("ab://10.0.0.5/1,0")],
+            Tags = [new AbCipTagDefinition("Speed", "ab://10.0.0.5/1,0", "Speed", AbCipDataType.DInt)],
+        }, "drv-2", factory);
+        await drv2.InitializeAsync("{}", CancellationToken.None);
+
+        var results = await drv2.WriteAsync(
+            [new WriteRequest("Speed", "not-a-number")], CancellationToken.None);
+
+        results.Single().StatusCode.ShouldBe(AbCipStatusMapper.BadTypeMismatch);
+    }
+
+    [Fact]
+    public async Task Overflow_surfaces_BadOutOfRange()
+    {
+        var factory = new FakeAbCipTagFactory { Customise = p => new RealConvertFake(p) };
+        var drv = new AbCipDriver(new AbCipDriverOptions
+        {
+            Devices = [new AbCipDeviceOptions("ab://10.0.0.5/1,0")],
+            Tags = [new AbCipTagDefinition("Narrow", "ab://10.0.0.5/1,0", "N", AbCipDataType.Int)],
+        }, "drv-1", factory);
+        await drv.InitializeAsync("{}", CancellationToken.None);
+
+        var results = await drv.WriteAsync(
+            [new WriteRequest("Narrow", 1_000_000)], CancellationToken.None);
+
+        results.Single().StatusCode.ShouldBe(AbCipStatusMapper.BadOutOfRange);
+    }
+
+    [Fact]
+    public async Task Exception_during_write_surfaces_BadCommunicationError()
+    {
+        var (drv, factory) = NewDriver(
+            new AbCipTagDefinition("Broken", "ab://10.0.0.5/1,0", "Broken", AbCipDataType.DInt));
+        await drv.InitializeAsync("{}", CancellationToken.None);
+        factory.Customise = p => new ThrowOnWriteFake(p);
+
+        var results = await drv.WriteAsync(
+            [new WriteRequest("Broken", 1)], CancellationToken.None);
+
+        results.Single().StatusCode.ShouldBe(AbCipStatusMapper.BadCommunicationError);
+        drv.GetHealth().State.ShouldBe(DriverState.Degraded);
+    }
+
+    [Fact]
+    public async Task Batch_preserves_order_across_success_and_failure()
+    {
+        var factory = new FakeAbCipTagFactory();
+        var drv = new AbCipDriver(new AbCipDriverOptions
+        {
+            Devices = [new AbCipDeviceOptions("ab://10.0.0.5/1,0")],
+            Tags =
+            [
+                new AbCipTagDefinition("A", "ab://10.0.0.5/1,0", "A", AbCipDataType.DInt),
+                new AbCipTagDefinition("B", "ab://10.0.0.5/1,0", "B", AbCipDataType.DInt, Writable: false),
+                new AbCipTagDefinition("C", "ab://10.0.0.5/1,0", "C", AbCipDataType.DInt),
+            ],
+        }, "drv-1", factory);
+        await drv.InitializeAsync("{}", CancellationToken.None);
+
+        var results = await drv.WriteAsync(
+        [
+            new WriteRequest("A", 1),
+            new WriteRequest("B", 2),
+            new WriteRequest("UnknownTag", 3),
+            new WriteRequest("C", 4),
+        ], CancellationToken.None);
+
+        results.Count.ShouldBe(4);
+        results[0].StatusCode.ShouldBe(AbCipStatusMapper.Good);
+        results[1].StatusCode.ShouldBe(AbCipStatusMapper.BadNotWritable);
+        results[2].StatusCode.ShouldBe(AbCipStatusMapper.BadNodeIdUnknown);
+        results[3].StatusCode.ShouldBe(AbCipStatusMapper.Good);
+    }
+
+    [Fact]
+    public async Task Cancellation_propagates_from_write()
+    {
+        var (drv, factory) = NewDriver(
+            new AbCipTagDefinition("Slow", "ab://10.0.0.5/1,0", "Slow", AbCipDataType.DInt));
+        await drv.InitializeAsync("{}", CancellationToken.None);
+        factory.Customise = p => new CancelOnWriteFake(p);
+
+        await Should.ThrowAsync<OperationCanceledException>(
+            () => drv.WriteAsync([new WriteRequest("Slow", 1)], CancellationToken.None));
+    }
+
+    // ---- test-fake variants that exercise the real type / error handling ----
+
+    private sealed class RealConvertFake(AbCipTagCreateParams p) : FakeAbCipTag(p)
+    {
+        public override void EncodeValue(AbCipDataType type, int? bitIndex, object? value)
+        {
+            switch (type)
+            {
+                case AbCipDataType.Int: _ = Convert.ToInt16(value); break;
+                case AbCipDataType.DInt: _ = Convert.ToInt32(value); break;
+                default: _ = Convert.ToInt32(value); break;
+            }
+            Value = value;
+        }
+    }
+
+    private sealed class ThrowingBoolBitFake(AbCipTagCreateParams p) : FakeAbCipTag(p)
+    {
+        public override void EncodeValue(AbCipDataType type, int? bitIndex, object? value)
+        {
+            if (type == AbCipDataType.Bool && bitIndex is not null)
+                throw new NotSupportedException("bit-in-DINT deferred");
+            Value = value;
+        }
+    }
+
+    private sealed class ThrowOnWriteFake(AbCipTagCreateParams p) : FakeAbCipTag(p)
+    {
+        public override Task WriteAsync(CancellationToken ct) =>
+            Task.FromException(new InvalidOperationException("wire dropped"));
+    }
+
+    private sealed class CancelOnWriteFake(AbCipTagCreateParams p) : FakeAbCipTag(p)
+    {
+        public override Task WriteAsync(CancellationToken ct) =>
+            Task.FromException(new OperationCanceledException());
+    }
+}
--- a/tests/ZB.MOM.WW.OtOpcUa.Driver.AbCip.Tests/AbCipHostAddressTests.cs
+++ b/tests/ZB.MOM.WW.OtOpcUa.Driver.AbCip.Tests/AbCipHostAddressTests.cs
@@ -0,0 +1,65 @@
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Driver.AbCip;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.AbCip.Tests;
+
+[Trait("Category", "Unit")]
+public sealed class AbCipHostAddressTests
+{
+    [Theory]
+    [InlineData("ab://10.0.0.5/1,0", "10.0.0.5", 44818, "1,0")]
+    [InlineData("ab://10.0.0.5/1,4", "10.0.0.5", 44818, "1,4")]
+    [InlineData("ab://10.0.0.5/1,2,2,192.168.50.20,1,0", "10.0.0.5", 44818, "1,2,2,192.168.50.20,1,0")]
+    [InlineData("ab://10.0.0.5/", "10.0.0.5", 44818, "")]
+    [InlineData("ab://plc-01.factory.internal/1,0", "plc-01.factory.internal", 44818, "1,0")]
+    [InlineData("ab://10.0.0.5:44818/1,0", "10.0.0.5", 44818, "1,0")]
+    [InlineData("ab://10.0.0.5:2222/1,0", "10.0.0.5", 2222, "1,0")]
+    [InlineData("AB://10.0.0.5/1,0", "10.0.0.5", 44818, "1,0")] // case-insensitive scheme
+    public void TryParse_accepts_valid_forms(string input, string gateway, int port, string cipPath)
+    {
+        var parsed = AbCipHostAddress.TryParse(input);
+        parsed.ShouldNotBeNull();
+        parsed.Gateway.ShouldBe(gateway);
+        parsed.Port.ShouldBe(port);
+        parsed.CipPath.ShouldBe(cipPath);
+    }
+
+    [Theory]
+    [InlineData(null)]
+    [InlineData("")]
+    [InlineData("   ")]
+    [InlineData("http://10.0.0.5/1,0")]         // wrong scheme
+    [InlineData("ab:10.0.0.5/1,0")]             // missing //
+    [InlineData("ab://10.0.0.5")]               // no path slash
+    [InlineData("ab:///1,0")]                   // no gateway
+    [InlineData("ab://10.0.0.5:0/1,0")]         // invalid port
+    [InlineData("ab://10.0.0.5:65536/1,0")]     // port out of range
+    [InlineData("ab://10.0.0.5:abc/1,0")]       // non-numeric port
+    public void TryParse_rejects_invalid_forms(string? input)
+    {
+        AbCipHostAddress.TryParse(input).ShouldBeNull();
+    }
+
+    [Theory]
+    [InlineData("10.0.0.5", 44818, "1,0", "ab://10.0.0.5/1,0")]
+    [InlineData("10.0.0.5", 2222, "1,0", "ab://10.0.0.5:2222/1,0")]
+    [InlineData("10.0.0.5", 44818, "", "ab://10.0.0.5/")]
+    public void ToString_canonicalises(string gateway, int port, string path, string expected)
+    {
+        var addr = new AbCipHostAddress(gateway, port, path);
+        addr.ToString().ShouldBe(expected);
+    }
+
+    [Fact]
+    public void RoundTrip_is_stable()
+    {
+        const string input = "ab://plc-01:44818/1,2,2,10.0.0.10,1,0";
+        var parsed = AbCipHostAddress.TryParse(input)!;
+        // Default port is stripped in canonical form; explicit 44818 → becomes default form.
+        parsed.ToString().ShouldBe("ab://plc-01/1,2,2,10.0.0.10,1,0");
+
+        var parsedAgain = AbCipHostAddress.TryParse(parsed.ToString())!;
+        parsedAgain.ShouldBe(parsed);
+    }
+}
--- a/tests/ZB.MOM.WW.OtOpcUa.Driver.AbCip.Tests/AbCipStatusMapperTests.cs
+++ b/tests/ZB.MOM.WW.OtOpcUa.Driver.AbCip.Tests/AbCipStatusMapperTests.cs
@@ -0,0 +1,41 @@
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Driver.AbCip;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.AbCip.Tests;
+
+[Trait("Category", "Unit")]
+public sealed class AbCipStatusMapperTests
+{
+    [Theory]
+    [InlineData((byte)0x00, AbCipStatusMapper.Good)]
+    [InlineData((byte)0x04, AbCipStatusMapper.BadNodeIdUnknown)]
+    [InlineData((byte)0x05, AbCipStatusMapper.BadNodeIdUnknown)]
+    [InlineData((byte)0x06, AbCipStatusMapper.GoodMoreData)]
+    [InlineData((byte)0x08, AbCipStatusMapper.BadNotSupported)]
+    [InlineData((byte)0x0A, AbCipStatusMapper.BadOutOfRange)]
+    [InlineData((byte)0x13, AbCipStatusMapper.BadOutOfRange)]
+    [InlineData((byte)0x0B, AbCipStatusMapper.Good)]
+    [InlineData((byte)0x0E, AbCipStatusMapper.BadNotWritable)]
+    [InlineData((byte)0x10, AbCipStatusMapper.BadDeviceFailure)]
+    [InlineData((byte)0x16, AbCipStatusMapper.BadNodeIdUnknown)]
+    [InlineData((byte)0xFF, AbCipStatusMapper.BadInternalError)]
+    public void MapCipGeneralStatus_maps_known_codes(byte status, uint expected)
+    {
+        AbCipStatusMapper.MapCipGeneralStatus(status).ShouldBe(expected);
+    }
+
+    [Theory]
+    [InlineData(0, AbCipStatusMapper.Good)]
+    [InlineData(1, AbCipStatusMapper.GoodMoreData)] // PLCTAG_STATUS_PENDING
+    [InlineData(-5, AbCipStatusMapper.BadTimeout)]
+    [InlineData(-7, AbCipStatusMapper.BadCommunicationError)]
+    [InlineData(-14, AbCipStatusMapper.BadNodeIdUnknown)]
+    [InlineData(-16, AbCipStatusMapper.BadNotWritable)]
+    [InlineData(-17, AbCipStatusMapper.BadOutOfRange)]
+    [InlineData(-99, AbCipStatusMapper.BadCommunicationError)] // unknown negative → generic comms failure
+    public void MapLibplctagStatus_maps_known_codes(int status, uint expected)
+    {
+        AbCipStatusMapper.MapLibplctagStatus(status).ShouldBe(expected);
+    }
+}
--- a/tests/ZB.MOM.WW.OtOpcUa.Driver.AbCip.Tests/AbCipTagPathTests.cs
+++ b/tests/ZB.MOM.WW.OtOpcUa.Driver.AbCip.Tests/AbCipTagPathTests.cs
@@ -0,0 +1,146 @@
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Driver.AbCip;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.AbCip.Tests;
+
+[Trait("Category", "Unit")]
+public sealed class AbCipTagPathTests
+{
+    [Fact]
+    public void Controller_scope_single_segment()
+    {
+        var p = AbCipTagPath.TryParse("Motor1_Speed");
+        p.ShouldNotBeNull();
+        p.ProgramScope.ShouldBeNull();
+        p.Segments.Count.ShouldBe(1);
+        p.Segments[0].Name.ShouldBe("Motor1_Speed");
+        p.Segments[0].Subscripts.ShouldBeEmpty();
+        p.BitIndex.ShouldBeNull();
+        p.ToLibplctagName().ShouldBe("Motor1_Speed");
+    }
+
+    [Fact]
+    public void Program_scope_parses()
+    {
+        var p = AbCipTagPath.TryParse("Program:MainProgram.StepIndex");
+        p.ShouldNotBeNull();
+        p.ProgramScope.ShouldBe("MainProgram");
+        p.Segments.Single().Name.ShouldBe("StepIndex");
+        p.ToLibplctagName().ShouldBe("Program:MainProgram.StepIndex");
+    }
+
+    [Fact]
+    public void Structured_member_access_splits_segments()
+    {
+        var p = AbCipTagPath.TryParse("Motor1.Speed.Setpoint");
+        p.ShouldNotBeNull();
+        p.Segments.Select(s => s.Name).ShouldBe(["Motor1", "Speed", "Setpoint"]);
+        p.ToLibplctagName().ShouldBe("Motor1.Speed.Setpoint");
+    }
+
+    [Fact]
+    public void Single_dim_array_subscript()
+    {
+        var p = AbCipTagPath.TryParse("Data[7]");
+        p.ShouldNotBeNull();
+        p.Segments.Single().Name.ShouldBe("Data");
+        p.Segments.Single().Subscripts.ShouldBe([7]);
+        p.ToLibplctagName().ShouldBe("Data[7]");
+    }
+
+    [Fact]
+    public void Multi_dim_array_subscript()
+    {
+        var p = AbCipTagPath.TryParse("Matrix[1,2,3]");
+        p.ShouldNotBeNull();
+        p.Segments.Single().Subscripts.ShouldBe([1, 2, 3]);
+        p.ToLibplctagName().ShouldBe("Matrix[1,2,3]");
+    }
+
+    [Fact]
+    public void Bit_in_dint_captured_as_bit_index()
+    {
+        var p = AbCipTagPath.TryParse("Flags.3");
+        p.ShouldNotBeNull();
+        p.Segments.Single().Name.ShouldBe("Flags");
+        p.BitIndex.ShouldBe(3);
+        p.ToLibplctagName().ShouldBe("Flags.3");
+    }
+
+    [Fact]
+    public void Bit_in_dint_after_member()
+    {
+        var p = AbCipTagPath.TryParse("Motor.Status.12");
+        p.ShouldNotBeNull();
+        p.Segments.Select(s => s.Name).ShouldBe(["Motor", "Status"]);
+        p.BitIndex.ShouldBe(12);
+        p.ToLibplctagName().ShouldBe("Motor.Status.12");
+    }
+
+    [Fact]
+    public void Bit_index_32_rejected_out_of_range()
+    {
+        // 32 exceeds the DINT bit width — treated as a member name rather than bit selector,
+        // which fails ident validation and returns null.
+        AbCipTagPath.TryParse("Flags.32").ShouldBeNull();
+    }
+
+    [Fact]
+    public void Program_scope_with_members_and_subscript_and_bit()
+    {
+        var p = AbCipTagPath.TryParse("Program:MainProgram.Motors[0].Status.5");
+        p.ShouldNotBeNull();
+        p.ProgramScope.ShouldBe("MainProgram");
+        p.Segments.Select(s => s.Name).ShouldBe(["Motors", "Status"]);
+        p.Segments[0].Subscripts.ShouldBe([0]);
+        p.BitIndex.ShouldBe(5);
+        p.ToLibplctagName().ShouldBe("Program:MainProgram.Motors[0].Status.5");
+    }
+
+    [Theory]
+    [InlineData(null)]
+    [InlineData("")]
+    [InlineData("   ")]
+    [InlineData("Program:")]             // empty scope
+    [InlineData("Program:MP")]            // no body after scope
+    [InlineData("1InvalidStart")]         // ident starts with digit
+    [InlineData("Bad Name")]              // space in ident
+    [InlineData("Motor[]")]               // empty subscript
+    [InlineData("Motor[-1]")]             // negative subscript
+    [InlineData("Motor[a]")]              // non-numeric subscript
+    [InlineData("Motor[")]                // unbalanced bracket
+    [InlineData("Motor.")]                // trailing dot
+    [InlineData(".Motor")]                // leading dot
+    public void Invalid_shapes_return_null(string? input)
+    {
+        AbCipTagPath.TryParse(input).ShouldBeNull();
+    }
+
+    [Fact]
+    public void Ident_with_underscore_accepted()
+    {
+        AbCipTagPath.TryParse("_private_tag")!.Segments.Single().Name.ShouldBe("_private_tag");
+    }
+
+    [Fact]
+    public void ToLibplctagName_recomposes_round_trip()
+    {
+        var cases = new[]
+        {
+            "Motor1_Speed",
+            "Program:Main.Counter",
+            "Array[5]",
+            "Matrix[1,2]",
+            "Obj.Member.Sub",
+            "Flags.0",
+            "Program:P.Obj[2].Flags.15",
+        };
+        foreach (var c in cases)
+        {
+            var parsed = AbCipTagPath.TryParse(c);
+            parsed.ShouldNotBeNull(c);
+            parsed.ToLibplctagName().ShouldBe(c);
+        }
+    }
+}
--- a/tests/ZB.MOM.WW.OtOpcUa.Driver.AbCip.Tests/FakeAbCipTag.cs
+++ b/tests/ZB.MOM.WW.OtOpcUa.Driver.AbCip.Tests/FakeAbCipTag.cs
@@ -0,0 +1,67 @@
+using ZB.MOM.WW.OtOpcUa.Driver.AbCip;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.AbCip.Tests;
+
+/// <summary>
+///     Test fake for <see cref="IAbCipTagRuntime"/>. Stores the mock PLC value in
+///     <see cref="Value"/> + returns it from <see cref="DecodeValue"/>. Use
+///     <see cref="Status"/> to simulate libplctag error codes,
+///     <see cref="ThrowOnInitialize"/> / <see cref="ThrowOnRead"/> to simulate exceptions.
+/// </summary>
+internal class FakeAbCipTag : IAbCipTagRuntime
+{
+    public AbCipTagCreateParams CreationParams { get; }
+    public object? Value { get; set; }
+    public int Status { get; set; }
+    public bool ThrowOnInitialize { get; set; }
+    public bool ThrowOnRead { get; set; }
+    public Exception? Exception { get; set; }
+    public int InitializeCount { get; private set; }
+    public int ReadCount { get; private set; }
+    public int WriteCount { get; private set; }
+    public bool Disposed { get; private set; }
+
+    public FakeAbCipTag(AbCipTagCreateParams createParams) => CreationParams = createParams;
+
+    public virtual Task InitializeAsync(CancellationToken cancellationToken)
+    {
+        InitializeCount++;
+        if (ThrowOnInitialize) throw Exception ?? new InvalidOperationException("fake initialize failure");
+        return Task.CompletedTask;
+    }
+
+    public virtual Task ReadAsync(CancellationToken cancellationToken)
+    {
+        ReadCount++;
+        if (ThrowOnRead) throw Exception ?? new InvalidOperationException("fake read failure");
+        return Task.CompletedTask;
+    }
+
+    public virtual Task WriteAsync(CancellationToken cancellationToken)
+    {
+        WriteCount++;
+        return Task.CompletedTask;
+    }
+
+    public virtual int GetStatus() => Status;
+
+    public virtual object? DecodeValue(AbCipDataType type, int? bitIndex) => Value;
+
+    public virtual void EncodeValue(AbCipDataType type, int? bitIndex, object? value) => Value = value;
+
+    public virtual void Dispose() => Disposed = true;
+}
+
+/// <summary>Test factory that produces <see cref="FakeAbCipTag"/>s and indexes them for assertion.</summary>
+internal sealed class FakeAbCipTagFactory : IAbCipTagFactory
+{
+    public Dictionary<string, FakeAbCipTag> Tags { get; } = new(StringComparer.OrdinalIgnoreCase);
+    public Func<AbCipTagCreateParams, FakeAbCipTag>? Customise { get; set; }
+
+    public IAbCipTagRuntime Create(AbCipTagCreateParams createParams)
+    {
+        var fake = Customise?.Invoke(createParams) ?? new FakeAbCipTag(createParams);
+        Tags[createParams.TagName] = fake;
+        return fake;
+    }
+}
--- a/tests/ZB.MOM.WW.OtOpcUa.Driver.AbCip.Tests/ZB.MOM.WW.OtOpcUa.Driver.AbCip.Tests.csproj
+++ b/tests/ZB.MOM.WW.OtOpcUa.Driver.AbCip.Tests/ZB.MOM.WW.OtOpcUa.Driver.AbCip.Tests.csproj
@@ -0,0 +1,31 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+    <PropertyGroup>
+        <TargetFramework>net10.0</TargetFramework>
+        <Nullable>enable</Nullable>
+        <ImplicitUsings>enable</ImplicitUsings>
+        <IsPackable>false</IsPackable>
+        <IsTestProject>true</IsTestProject>
+        <RootNamespace>ZB.MOM.WW.OtOpcUa.Driver.AbCip.Tests</RootNamespace>
+    </PropertyGroup>
+
+    <ItemGroup>
+        <PackageReference Include="xunit.v3" Version="1.1.0"/>
+        <PackageReference Include="Shouldly" Version="4.3.0"/>
+        <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.12.0"/>
+        <PackageReference Include="xunit.runner.visualstudio" Version="3.0.2">
+            <PrivateAssets>all</PrivateAssets>
+            <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+        </PackageReference>
+    </ItemGroup>
+
+    <ItemGroup>
+        <ProjectReference Include="..\..\src\ZB.MOM.WW.OtOpcUa.Driver.AbCip\ZB.MOM.WW.OtOpcUa.Driver.AbCip.csproj"/>
+    </ItemGroup>
+
+    <ItemGroup>
+        <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-37gx-xxp4-5rgx"/>
+        <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-w3x6-4m5h-cxqf"/>
+    </ItemGroup>
+
+</Project>
--- a/tests/ZB.MOM.WW.OtOpcUa.Server.Tests/ClusterTopologyLoaderTests.cs
+++ b/tests/ZB.MOM.WW.OtOpcUa.Server.Tests/ClusterTopologyLoaderTests.cs
@@ -0,0 +1,163 @@
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+using ZB.MOM.WW.OtOpcUa.Server.Redundancy;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.Tests;
+
+[Trait("Category", "Unit")]
+public sealed class ClusterTopologyLoaderTests
+{
+    private static ServerCluster Cluster(RedundancyMode mode = RedundancyMode.Warm) => new()
+    {
+        ClusterId = "c1",
+        Name = "Warsaw-West",
+        Enterprise = "zb",
+        Site = "warsaw-west",
+        RedundancyMode = mode,
+        CreatedBy = "test",
+    };
+
+    private static ClusterNode Node(string id, RedundancyRole role, string host, int port = 4840, string? appUri = null) => new()
+    {
+        NodeId = id,
+        ClusterId = "c1",
+        RedundancyRole = role,
+        Host = host,
+        OpcUaPort = port,
+        ApplicationUri = appUri ?? $"urn:{host}:OtOpcUa",
+        CreatedBy = "test",
+    };
+
+    [Fact]
+    public void SingleNode_Standalone_Loads()
+    {
+        var cluster = Cluster(RedundancyMode.None);
+        var nodes = new[] { Node("A", RedundancyRole.Standalone, "hostA") };
+
+        var topology = ClusterTopologyLoader.Load("A", cluster, nodes);
+
+        topology.SelfNodeId.ShouldBe("A");
+        topology.SelfRole.ShouldBe(RedundancyRole.Standalone);
+        topology.Peers.ShouldBeEmpty();
+        topology.SelfApplicationUri.ShouldBe("urn:hostA:OtOpcUa");
+    }
+
+    [Fact]
+    public void TwoNode_Cluster_LoadsSelfAndPeer()
+    {
+        var cluster = Cluster();
+        var nodes = new[]
+        {
+            Node("A", RedundancyRole.Primary,   "hostA"),
+            Node("B", RedundancyRole.Secondary, "hostB"),
+        };
+
+        var topology = ClusterTopologyLoader.Load("A", cluster, nodes);
+
+        topology.SelfNodeId.ShouldBe("A");
+        topology.SelfRole.ShouldBe(RedundancyRole.Primary);
+        topology.Peers.Count.ShouldBe(1);
+        topology.Peers[0].NodeId.ShouldBe("B");
+        topology.Peers[0].Role.ShouldBe(RedundancyRole.Secondary);
+    }
+
+    [Fact]
+    public void ServerUriArray_Puts_Self_First_Peers_SortedLexicographically()
+    {
+        var cluster = Cluster();
+        var nodes = new[]
+        {
+            Node("A", RedundancyRole.Primary,   "hostA", appUri: "urn:A"),
+            Node("B", RedundancyRole.Secondary, "hostB", appUri: "urn:B"),
+        };
+
+        var topology = ClusterTopologyLoader.Load("A", cluster, nodes);
+
+        topology.ServerUriArray().ShouldBe(["urn:A", "urn:B"]);
+    }
+
+    [Fact]
+    public void EmptyNodes_Throws()
+    {
+        Should.Throw<InvalidTopologyException>(
+            () => ClusterTopologyLoader.Load("A", Cluster(), []));
+    }
+
+    [Fact]
+    public void SelfNotInCluster_Throws()
+    {
+        var nodes = new[] { Node("B", RedundancyRole.Primary, "hostB") };
+
+        Should.Throw<InvalidTopologyException>(
+            () => ClusterTopologyLoader.Load("A-missing", Cluster(), nodes));
+    }
+
+    [Fact]
+    public void ThreeNodeCluster_Rejected_Per_Decision83()
+    {
+        var nodes = new[]
+        {
+            Node("A", RedundancyRole.Primary,   "hostA"),
+            Node("B", RedundancyRole.Secondary, "hostB"),
+            Node("C", RedundancyRole.Secondary, "hostC"),
+        };
+
+        var ex = Should.Throw<InvalidTopologyException>(
+            () => ClusterTopologyLoader.Load("A", Cluster(), nodes));
+        ex.Message.ShouldContain("decision #83");
+    }
+
+    [Fact]
+    public void DuplicateApplicationUri_Rejected()
+    {
+        var nodes = new[]
+        {
+            Node("A", RedundancyRole.Primary,   "hostA", appUri: "urn:shared"),
+            Node("B", RedundancyRole.Secondary, "hostB", appUri: "urn:shared"),
+        };
+
+        var ex = Should.Throw<InvalidTopologyException>(
+            () => ClusterTopologyLoader.Load("A", Cluster(), nodes));
+        ex.Message.ShouldContain("ApplicationUri");
+    }
+
+    [Fact]
+    public void TwoPrimaries_InWarmMode_Rejected()
+    {
+        var nodes = new[]
+        {
+            Node("A", RedundancyRole.Primary, "hostA"),
+            Node("B", RedundancyRole.Primary, "hostB"),
+        };
+
+        var ex = Should.Throw<InvalidTopologyException>(
+            () => ClusterTopologyLoader.Load("A", Cluster(RedundancyMode.Warm), nodes));
+        ex.Message.ShouldContain("2 Primary");
+    }
+
+    [Fact]
+    public void CrossCluster_Node_Rejected()
+    {
+        var foreign = Node("B", RedundancyRole.Secondary, "hostB");
+        foreign.ClusterId = "c-other";
+
+        var nodes = new[] { Node("A", RedundancyRole.Primary, "hostA"), foreign };
+
+        Should.Throw<InvalidTopologyException>(
+            () => ClusterTopologyLoader.Load("A", Cluster(), nodes));
+    }
+
+    [Fact]
+    public void None_Mode_Allows_Any_Role_Mix()
+    {
+        // Standalone clusters don't enforce Primary-count; operator can pick anything.
+        var cluster = Cluster(RedundancyMode.None);
+        var nodes = new[] { Node("A", RedundancyRole.Primary, "hostA") };
+
+        var topology = ClusterTopologyLoader.Load("A", cluster, nodes);
+
+        topology.Mode.ShouldBe(RedundancyMode.None);
+    }
+}
--- a/tests/ZB.MOM.WW.OtOpcUa.Server.Tests/NodeScopeResolverTests.cs
+++ b/tests/ZB.MOM.WW.OtOpcUa.Server.Tests/NodeScopeResolverTests.cs
@@ -0,0 +1,64 @@
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Core.Authorization;
+using ZB.MOM.WW.OtOpcUa.Server.Security;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.Tests;
+
+[Trait("Category", "Unit")]
+public sealed class NodeScopeResolverTests
+{
+    [Fact]
+    public void Resolve_PopulatesClusterAndTag()
+    {
+        var resolver = new NodeScopeResolver("c-warsaw");
+
+        var scope = resolver.Resolve("TestMachine_001/Oven/SetPoint");
+
+        scope.ClusterId.ShouldBe("c-warsaw");
+        scope.TagId.ShouldBe("TestMachine_001/Oven/SetPoint");
+        scope.Kind.ShouldBe(NodeHierarchyKind.Equipment);
+    }
+
+    [Fact]
+    public void Resolve_Leaves_UnsPath_Null_For_Phase1()
+    {
+        var resolver = new NodeScopeResolver("c-1");
+
+        var scope = resolver.Resolve("tag-1");
+
+        // Phase 1 flat scope — finer resolution tracked as Stream C.12 follow-up.
+        scope.NamespaceId.ShouldBeNull();
+        scope.UnsAreaId.ShouldBeNull();
+        scope.UnsLineId.ShouldBeNull();
+        scope.EquipmentId.ShouldBeNull();
+    }
+
+    [Fact]
+    public void Resolve_Throws_OnEmptyFullReference()
+    {
+        var resolver = new NodeScopeResolver("c-1");
+
+        Should.Throw<ArgumentException>(() => resolver.Resolve(""));
+        Should.Throw<ArgumentException>(() => resolver.Resolve("   "));
+    }
+
+    [Fact]
+    public void Ctor_Throws_OnEmptyClusterId()
+    {
+        Should.Throw<ArgumentException>(() => new NodeScopeResolver(""));
+    }
+
+    [Fact]
+    public void Resolver_IsStateless_AcrossCalls()
+    {
+        var resolver = new NodeScopeResolver("c");
+        var s1 = resolver.Resolve("tag-a");
+        var s2 = resolver.Resolve("tag-b");
+
+        s1.TagId.ShouldBe("tag-a");
+        s2.TagId.ShouldBe("tag-b");
+        s1.ClusterId.ShouldBe("c");
+        s2.ClusterId.ShouldBe("c");
+    }
+}
--- a/tests/ZB.MOM.WW.OtOpcUa.Server.Tests/RedundancyStatePublisherTests.cs
+++ b/tests/ZB.MOM.WW.OtOpcUa.Server.Tests/RedundancyStatePublisherTests.cs
@@ -0,0 +1,213 @@
+using Microsoft.EntityFrameworkCore;
+using Microsoft.Extensions.Logging.Abstractions;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Configuration;
+using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+using ZB.MOM.WW.OtOpcUa.Server.Redundancy;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.Tests;
+
+[Trait("Category", "Unit")]
+public sealed class RedundancyStatePublisherTests : IDisposable
+{
+    private readonly OtOpcUaConfigDbContext _db;
+    private readonly IDbContextFactory<OtOpcUaConfigDbContext> _dbFactory;
+
+    public RedundancyStatePublisherTests()
+    {
+        var options = new DbContextOptionsBuilder<OtOpcUaConfigDbContext>()
+            .UseInMemoryDatabase($"redundancy-publisher-{Guid.NewGuid():N}")
+            .Options;
+        _db = new OtOpcUaConfigDbContext(options);
+        _dbFactory = new DbContextFactory(options);
+    }
+
+    public void Dispose() => _db.Dispose();
+
+    private sealed class DbContextFactory(DbContextOptions<OtOpcUaConfigDbContext> options)
+        : IDbContextFactory<OtOpcUaConfigDbContext>
+    {
+        public OtOpcUaConfigDbContext CreateDbContext() => new(options);
+    }
+
+    private async Task<RedundancyCoordinator> SeedAndInitialize(string selfNodeId, params (string id, RedundancyRole role, string appUri)[] nodes)
+    {
+        var cluster = new ServerCluster
+        {
+            ClusterId = "c1",
+            Name = "Warsaw-West",
+            Enterprise = "zb",
+            Site = "warsaw-west",
+            RedundancyMode = nodes.Length == 1 ? RedundancyMode.None : RedundancyMode.Warm,
+            CreatedBy = "test",
+        };
+        _db.ServerClusters.Add(cluster);
+        foreach (var (id, role, appUri) in nodes)
+        {
+            _db.ClusterNodes.Add(new ClusterNode
+            {
+                NodeId = id,
+                ClusterId = "c1",
+                RedundancyRole = role,
+                Host = id.ToLowerInvariant(),
+                ApplicationUri = appUri,
+                CreatedBy = "test",
+            });
+        }
+        await _db.SaveChangesAsync();
+
+        var coordinator = new RedundancyCoordinator(_dbFactory, NullLogger<RedundancyCoordinator>.Instance, selfNodeId, "c1");
+        await coordinator.InitializeAsync(CancellationToken.None);
+        return coordinator;
+    }
+
+    [Fact]
+    public async Task BeforeInit_Publishes_NoData()
+    {
+        // Coordinator not initialized — current topology is null.
+        var coordinator = new RedundancyCoordinator(_dbFactory, NullLogger<RedundancyCoordinator>.Instance, "A", "c1");
+        var publisher = new RedundancyStatePublisher(
+            coordinator, new ApplyLeaseRegistry(), new RecoveryStateManager(), new PeerReachabilityTracker());
+
+        var snap = publisher.ComputeAndPublish();
+
+        snap.Band.ShouldBe(ServiceLevelBand.NoData);
+        snap.Value.ShouldBe((byte)1);
+        await Task.Yield();
+    }
+
+    [Fact]
+    public async Task AuthoritativePrimary_WhenHealthyAndPeerReachable()
+    {
+        var coordinator = await SeedAndInitialize("A",
+            ("A", RedundancyRole.Primary,   "urn:A"),
+            ("B", RedundancyRole.Secondary, "urn:B"));
+        var peers = new PeerReachabilityTracker();
+        peers.Update("B", PeerReachability.FullyHealthy);
+
+        var publisher = new RedundancyStatePublisher(
+            coordinator, new ApplyLeaseRegistry(), new RecoveryStateManager(), peers);
+
+        var snap = publisher.ComputeAndPublish();
+
+        snap.Value.ShouldBe((byte)255);
+        snap.Band.ShouldBe(ServiceLevelBand.AuthoritativePrimary);
+    }
+
+    [Fact]
+    public async Task IsolatedPrimary_WhenPeerUnreachable_RetainsAuthority()
+    {
+        var coordinator = await SeedAndInitialize("A",
+            ("A", RedundancyRole.Primary,   "urn:A"),
+            ("B", RedundancyRole.Secondary, "urn:B"));
+        var peers = new PeerReachabilityTracker();
+        peers.Update("B", PeerReachability.Unknown);
+
+        var publisher = new RedundancyStatePublisher(
+            coordinator, new ApplyLeaseRegistry(), new RecoveryStateManager(), peers);
+
+        var snap = publisher.ComputeAndPublish();
+
+        snap.Value.ShouldBe((byte)230);
+    }
+
+    [Fact]
+    public async Task MidApply_WhenLeaseOpen_Dominates()
+    {
+        var coordinator = await SeedAndInitialize("A",
+            ("A", RedundancyRole.Primary,   "urn:A"),
+            ("B", RedundancyRole.Secondary, "urn:B"));
+        var leases = new ApplyLeaseRegistry();
+        var peers = new PeerReachabilityTracker();
+        peers.Update("B", PeerReachability.FullyHealthy);
+
+        await using var lease = leases.BeginApplyLease(1, Guid.NewGuid());
+        var publisher = new RedundancyStatePublisher(
+            coordinator, leases, new RecoveryStateManager(), peers);
+
+        var snap = publisher.ComputeAndPublish();
+
+        snap.Value.ShouldBe((byte)200);
+    }
+
+    [Fact]
+    public async Task SelfUnhealthy_Returns_NoData()
+    {
+        var coordinator = await SeedAndInitialize("A",
+            ("A", RedundancyRole.Primary,   "urn:A"),
+            ("B", RedundancyRole.Secondary, "urn:B"));
+        var peers = new PeerReachabilityTracker();
+        peers.Update("B", PeerReachability.FullyHealthy);
+
+        var publisher = new RedundancyStatePublisher(
+            coordinator, new ApplyLeaseRegistry(), new RecoveryStateManager(), peers,
+            selfHealthy: () => false);
+
+        var snap = publisher.ComputeAndPublish();
+
+        snap.Value.ShouldBe((byte)1);
+    }
+
+    [Fact]
+    public async Task OnStateChanged_FiresOnly_OnValueChange()
+    {
+        var coordinator = await SeedAndInitialize("A",
+            ("A", RedundancyRole.Primary,   "urn:A"),
+            ("B", RedundancyRole.Secondary, "urn:B"));
+        var peers = new PeerReachabilityTracker();
+        peers.Update("B", PeerReachability.FullyHealthy);
+
+        var publisher = new RedundancyStatePublisher(
+            coordinator, new ApplyLeaseRegistry(), new RecoveryStateManager(), peers);
+
+        var emitCount = 0;
+        byte? lastEmitted = null;
+        publisher.OnStateChanged += snap => { emitCount++; lastEmitted = snap.Value; };
+
+        publisher.ComputeAndPublish(); // first tick — emits 255 since _lastByte was seeded at 255; no change
+        peers.Update("B", PeerReachability.Unknown);
+        publisher.ComputeAndPublish(); // 255 → 230 transition — emits
+        publisher.ComputeAndPublish(); // still 230 — no emit
+
+        emitCount.ShouldBe(1);
+        lastEmitted.ShouldBe((byte)230);
+    }
+
+    [Fact]
+    public async Task OnServerUriArrayChanged_FiresOnce_PerTopology()
+    {
+        var coordinator = await SeedAndInitialize("A",
+            ("A", RedundancyRole.Primary,   "urn:A"),
+            ("B", RedundancyRole.Secondary, "urn:B"));
+        var peers = new PeerReachabilityTracker();
+        peers.Update("B", PeerReachability.FullyHealthy);
+
+        var publisher = new RedundancyStatePublisher(
+            coordinator, new ApplyLeaseRegistry(), new RecoveryStateManager(), peers);
+
+        var emits = new List<IReadOnlyList<string>>();
+        publisher.OnServerUriArrayChanged += arr => emits.Add(arr);
+
+        publisher.ComputeAndPublish();
+        publisher.ComputeAndPublish();
+        publisher.ComputeAndPublish();
+
+        emits.Count.ShouldBe(1, "ServerUriArray event is edge-triggered on topology content change");
+        emits[0].ShouldBe(["urn:A", "urn:B"]);
+    }
+
+    [Fact]
+    public async Task Standalone_Cluster_IsAuthoritative_When_Healthy()
+    {
+        var coordinator = await SeedAndInitialize("A",
+            ("A", RedundancyRole.Standalone, "urn:A"));
+        var publisher = new RedundancyStatePublisher(
+            coordinator, new ApplyLeaseRegistry(), new RecoveryStateManager(), new PeerReachabilityTracker());
+
+        var snap = publisher.ComputeAndPublish();
+
+        snap.Value.ShouldBe((byte)255);
+    }
+}
--- a/tests/ZB.MOM.WW.OtOpcUa.Server.Tests/ResilienceStatusPublisherHostedServiceTests.cs
+++ b/tests/ZB.MOM.WW.OtOpcUa.Server.Tests/ResilienceStatusPublisherHostedServiceTests.cs
@@ -0,0 +1,161 @@
+using Microsoft.EntityFrameworkCore;
+using Microsoft.Extensions.Logging.Abstractions;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Configuration;
+using ZB.MOM.WW.OtOpcUa.Core.Resilience;
+using ZB.MOM.WW.OtOpcUa.Server.Hosting;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.Tests;
+
+[Trait("Category", "Unit")]
+public sealed class ResilienceStatusPublisherHostedServiceTests : IDisposable
+{
+    private static readonly DateTime T0 = new(2026, 4, 19, 12, 0, 0, DateTimeKind.Utc);
+
+    private sealed class FakeClock : TimeProvider
+    {
+        public DateTime Utc { get; set; } = T0;
+        public override DateTimeOffset GetUtcNow() => new(Utc, TimeSpan.Zero);
+    }
+
+    private sealed class InMemoryDbContextFactory : IDbContextFactory<OtOpcUaConfigDbContext>
+    {
+        private readonly DbContextOptions<OtOpcUaConfigDbContext> _options;
+        public InMemoryDbContextFactory(string dbName)
+        {
+            _options = new DbContextOptionsBuilder<OtOpcUaConfigDbContext>()
+                .UseInMemoryDatabase(dbName)
+                .Options;
+        }
+        public OtOpcUaConfigDbContext CreateDbContext() => new(_options);
+    }
+
+    private readonly string _dbName = $"resilience-pub-{Guid.NewGuid():N}";
+    private readonly InMemoryDbContextFactory _factory;
+    private readonly OtOpcUaConfigDbContext _readCtx;
+
+    public ResilienceStatusPublisherHostedServiceTests()
+    {
+        _factory = new InMemoryDbContextFactory(_dbName);
+        _readCtx = _factory.CreateDbContext();
+    }
+
+    public void Dispose() => _readCtx.Dispose();
+
+    [Fact]
+    public async Task EmptyTracker_Tick_NoOp_NoRowsWritten()
+    {
+        var tracker = new DriverResilienceStatusTracker();
+        var host = new ResilienceStatusPublisherHostedService(
+            tracker, _factory, NullLogger<ResilienceStatusPublisherHostedService>.Instance);
+
+        await host.PersistOnceAsync(CancellationToken.None);
+
+        host.TickCount.ShouldBe(1);
+        (await _readCtx.DriverInstanceResilienceStatuses.CountAsync()).ShouldBe(0);
+    }
+
+    [Fact]
+    public async Task SingleHost_OnePairWithCounters_UpsertsNewRow()
+    {
+        var clock = new FakeClock();
+        var tracker = new DriverResilienceStatusTracker();
+        tracker.RecordFailure("drv-1", "plc-a", T0);
+        tracker.RecordFailure("drv-1", "plc-a", T0);
+        tracker.RecordBreakerOpen("drv-1", "plc-a", T0.AddSeconds(1));
+
+        var host = new ResilienceStatusPublisherHostedService(
+            tracker, _factory, NullLogger<ResilienceStatusPublisherHostedService>.Instance,
+            timeProvider: clock);
+
+        clock.Utc = T0.AddSeconds(2);
+        await host.PersistOnceAsync(CancellationToken.None);
+
+        var row = await _readCtx.DriverInstanceResilienceStatuses.SingleAsync();
+        row.DriverInstanceId.ShouldBe("drv-1");
+        row.HostName.ShouldBe("plc-a");
+        row.ConsecutiveFailures.ShouldBe(2);
+        row.LastCircuitBreakerOpenUtc.ShouldBe(T0.AddSeconds(1));
+        row.LastSampledUtc.ShouldBe(T0.AddSeconds(2));
+    }
+
+    [Fact]
+    public async Task SecondTick_UpdatesExistingRow_InPlace()
+    {
+        var clock = new FakeClock();
+        var tracker = new DriverResilienceStatusTracker();
+        tracker.RecordFailure("drv-1", "plc-a", T0);
+
+        var host = new ResilienceStatusPublisherHostedService(
+            tracker, _factory, NullLogger<ResilienceStatusPublisherHostedService>.Instance,
+            timeProvider: clock);
+
+        clock.Utc = T0.AddSeconds(5);
+        await host.PersistOnceAsync(CancellationToken.None);
+
+        // Second tick: success resets the counter.
+        tracker.RecordSuccess("drv-1", "plc-a", T0.AddSeconds(6));
+        clock.Utc = T0.AddSeconds(10);
+        await host.PersistOnceAsync(CancellationToken.None);
+
+        (await _readCtx.DriverInstanceResilienceStatuses.CountAsync()).ShouldBe(1, "one row, updated in place");
+        var row = await _readCtx.DriverInstanceResilienceStatuses.SingleAsync();
+        row.ConsecutiveFailures.ShouldBe(0);
+        row.LastSampledUtc.ShouldBe(T0.AddSeconds(10));
+    }
+
+    [Fact]
+    public async Task MultipleHosts_BothPersist_Independently()
+    {
+        var tracker = new DriverResilienceStatusTracker();
+        tracker.RecordFailure("drv-1", "plc-a", T0);
+        tracker.RecordFailure("drv-1", "plc-a", T0);
+        tracker.RecordFailure("drv-1", "plc-b", T0);
+
+        var host = new ResilienceStatusPublisherHostedService(
+            tracker, _factory, NullLogger<ResilienceStatusPublisherHostedService>.Instance);
+
+        await host.PersistOnceAsync(CancellationToken.None);
+
+        var rows = await _readCtx.DriverInstanceResilienceStatuses
+            .OrderBy(r => r.HostName)
+            .ToListAsync();
+        rows.Count.ShouldBe(2);
+        rows[0].HostName.ShouldBe("plc-a");
+        rows[0].ConsecutiveFailures.ShouldBe(2);
+        rows[1].HostName.ShouldBe("plc-b");
+        rows[1].ConsecutiveFailures.ShouldBe(1);
+    }
+
+    [Fact]
+    public async Task FootprintCounters_Persist()
+    {
+        var tracker = new DriverResilienceStatusTracker();
+        tracker.RecordFootprint("drv-1", "plc-a",
+            baselineBytes: 100_000_000, currentBytes: 150_000_000, T0);
+
+        var host = new ResilienceStatusPublisherHostedService(
+            tracker, _factory, NullLogger<ResilienceStatusPublisherHostedService>.Instance);
+
+        await host.PersistOnceAsync(CancellationToken.None);
+
+        var row = await _readCtx.DriverInstanceResilienceStatuses.SingleAsync();
+        row.BaselineFootprintBytes.ShouldBe(100_000_000);
+        row.CurrentFootprintBytes.ShouldBe(150_000_000);
+    }
+
+    [Fact]
+    public async Task TickCount_Advances_OnEveryCall()
+    {
+        var tracker = new DriverResilienceStatusTracker();
+        var host = new ResilienceStatusPublisherHostedService(
+            tracker, _factory, NullLogger<ResilienceStatusPublisherHostedService>.Instance);
+
+        await host.PersistOnceAsync(CancellationToken.None);
+        await host.PersistOnceAsync(CancellationToken.None);
+        await host.PersistOnceAsync(CancellationToken.None);
+
+        host.TickCount.ShouldBe(3);
+    }
+}
--- a/tests/ZB.MOM.WW.OtOpcUa.Server.Tests/ScheduledRecycleHostedServiceTests.cs
+++ b/tests/ZB.MOM.WW.OtOpcUa.Server.Tests/ScheduledRecycleHostedServiceTests.cs
@@ -0,0 +1,152 @@
+using Microsoft.Extensions.Logging.Abstractions;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Core.Stability;
+using ZB.MOM.WW.OtOpcUa.Server.Hosting;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.Tests;
+
+[Trait("Category", "Unit")]
+public sealed class ScheduledRecycleHostedServiceTests
+{
+    private static readonly DateTime T0 = new(2026, 4, 19, 0, 0, 0, DateTimeKind.Utc);
+
+    private sealed class FakeClock : TimeProvider
+    {
+        public DateTime Utc { get; set; } = T0;
+        public override DateTimeOffset GetUtcNow() => new(Utc, TimeSpan.Zero);
+    }
+
+    private sealed class FakeSupervisor : IDriverSupervisor
+    {
+        public string DriverInstanceId => "tier-c-fake";
+        public int RecycleCount { get; private set; }
+        public Task RecycleAsync(string reason, CancellationToken cancellationToken)
+        {
+            RecycleCount++;
+            return Task.CompletedTask;
+        }
+    }
+
+    private sealed class ThrowingSupervisor : IDriverSupervisor
+    {
+        public string DriverInstanceId => "tier-c-throws";
+        public Task RecycleAsync(string reason, CancellationToken cancellationToken)
+            => throw new InvalidOperationException("supervisor unavailable");
+    }
+
+    [Fact]
+    public async Task TickOnce_BeforeInterval_DoesNotFire()
+    {
+        var clock = new FakeClock();
+        var supervisor = new FakeSupervisor();
+        var scheduler = new ScheduledRecycleScheduler(
+            DriverTier.C, TimeSpan.FromMinutes(5), T0, supervisor,
+            NullLogger<ScheduledRecycleScheduler>.Instance);
+
+        var host = new ScheduledRecycleHostedService(NullLogger<ScheduledRecycleHostedService>.Instance, clock);
+        host.AddScheduler(scheduler);
+
+        clock.Utc = T0.AddMinutes(1);
+        await host.TickOnceAsync(CancellationToken.None);
+
+        supervisor.RecycleCount.ShouldBe(0);
+        host.TickCount.ShouldBe(1);
+    }
+
+    [Fact]
+    public async Task TickOnce_AfterInterval_Fires()
+    {
+        var clock = new FakeClock();
+        var supervisor = new FakeSupervisor();
+        var scheduler = new ScheduledRecycleScheduler(
+            DriverTier.C, TimeSpan.FromMinutes(5), T0, supervisor,
+            NullLogger<ScheduledRecycleScheduler>.Instance);
+
+        var host = new ScheduledRecycleHostedService(NullLogger<ScheduledRecycleHostedService>.Instance, clock);
+        host.AddScheduler(scheduler);
+
+        clock.Utc = T0.AddMinutes(6);
+        await host.TickOnceAsync(CancellationToken.None);
+
+        supervisor.RecycleCount.ShouldBe(1);
+    }
+
+    [Fact]
+    public async Task TickOnce_MultipleTicks_AccumulateCount()
+    {
+        var clock = new FakeClock();
+        var host = new ScheduledRecycleHostedService(NullLogger<ScheduledRecycleHostedService>.Instance, clock);
+
+        await host.TickOnceAsync(CancellationToken.None);
+        await host.TickOnceAsync(CancellationToken.None);
+        await host.TickOnceAsync(CancellationToken.None);
+
+        host.TickCount.ShouldBe(3);
+    }
+
+    [Fact]
+    public async Task AddScheduler_AfterStart_Throws()
+    {
+        var host = new ScheduledRecycleHostedService(NullLogger<ScheduledRecycleHostedService>.Instance);
+        using var cts = new CancellationTokenSource();
+        cts.Cancel();
+
+        await host.StartAsync(cts.Token); // flips _started true even with cancelled token
+        await host.StopAsync(CancellationToken.None);
+
+        var scheduler = new ScheduledRecycleScheduler(
+            DriverTier.C, TimeSpan.FromMinutes(5), DateTime.UtcNow, new FakeSupervisor(),
+            NullLogger<ScheduledRecycleScheduler>.Instance);
+
+        Should.Throw<InvalidOperationException>(() => host.AddScheduler(scheduler));
+    }
+
+    [Fact]
+    public async Task OneSchedulerThrowing_DoesNotStopOthers()
+    {
+        var clock = new FakeClock();
+        var good = new FakeSupervisor();
+        var bad = new ThrowingSupervisor();
+
+        var goodSch = new ScheduledRecycleScheduler(
+            DriverTier.C, TimeSpan.FromMinutes(5), T0, good,
+            NullLogger<ScheduledRecycleScheduler>.Instance);
+        var badSch = new ScheduledRecycleScheduler(
+            DriverTier.C, TimeSpan.FromMinutes(5), T0, bad,
+            NullLogger<ScheduledRecycleScheduler>.Instance);
+
+        var host = new ScheduledRecycleHostedService(NullLogger<ScheduledRecycleHostedService>.Instance, clock);
+        host.AddScheduler(badSch);
+        host.AddScheduler(goodSch);
+
+        clock.Utc = T0.AddMinutes(6);
+        await host.TickOnceAsync(CancellationToken.None);
+
+        good.RecycleCount.ShouldBe(1, "a faulting scheduler must not poison its neighbours");
+    }
+
+    [Fact]
+    public void SchedulerCount_MatchesAdded()
+    {
+        var host = new ScheduledRecycleHostedService(NullLogger<ScheduledRecycleHostedService>.Instance);
+        var sup = new FakeSupervisor();
+        host.AddScheduler(new ScheduledRecycleScheduler(DriverTier.C, TimeSpan.FromMinutes(5), DateTime.UtcNow, sup, NullLogger<ScheduledRecycleScheduler>.Instance));
+        host.AddScheduler(new ScheduledRecycleScheduler(DriverTier.C, TimeSpan.FromMinutes(10), DateTime.UtcNow, sup, NullLogger<ScheduledRecycleScheduler>.Instance));
+
+        host.SchedulerCount.ShouldBe(2);
+    }
+
+    [Fact]
+    public async Task EmptyScheduler_List_TicksCleanly()
+    {
+        var clock = new FakeClock();
+        var host = new ScheduledRecycleHostedService(NullLogger<ScheduledRecycleHostedService>.Instance, clock);
+
+        // No registered schedulers — tick is a no-op + counter still advances.
+        await host.TickOnceAsync(CancellationToken.None);
+
+        host.TickCount.ShouldBe(1);
+    }
+}
--- a/tests/ZB.MOM.WW.OtOpcUa.Server.Tests/SealedBootstrapIntegrationTests.cs
+++ b/tests/ZB.MOM.WW.OtOpcUa.Server.Tests/SealedBootstrapIntegrationTests.cs
@@ -0,0 +1,133 @@
+using Microsoft.Extensions.Logging.Abstractions;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Configuration.LocalCache;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.Tests;
+
+/// <summary>
+///     Integration-style tests for the Phase 6.1 Stream D consumption hook — they don't touch
+///     SQL Server (the real SealedBootstrap does, via sp_GetCurrentGenerationForCluster), but
+///     they exercise ResilientConfigReader + GenerationSealedCache + StaleConfigFlag end-to-end
+///     by simulating central-DB outcomes through a direct ReadAsync call.
+/// </summary>
+[Trait("Category", "Integration")]
+public sealed class SealedBootstrapIntegrationTests : IDisposable
+{
+    private readonly string _root = Path.Combine(Path.GetTempPath(), $"otopcua-sealed-bootstrap-{Guid.NewGuid():N}");
+
+    public void Dispose()
+    {
+        try
+        {
+            if (!Directory.Exists(_root)) return;
+            foreach (var f in Directory.EnumerateFiles(_root, "*", SearchOption.AllDirectories))
+                File.SetAttributes(f, FileAttributes.Normal);
+            Directory.Delete(_root, recursive: true);
+        }
+        catch { /* best-effort */ }
+    }
+
+    [Fact]
+    public async Task CentralDbSuccess_SealsSnapshot_And_FlagFresh()
+    {
+        var cache = new GenerationSealedCache(_root);
+        var flag = new StaleConfigFlag();
+        var reader = new ResilientConfigReader(cache, flag, NullLogger<ResilientConfigReader>.Instance,
+            timeout: TimeSpan.FromSeconds(10));
+
+        // Simulate the SealedBootstrap fresh-path: central DB returns generation id 42; the
+        // bootstrap seals it + ResilientConfigReader marks the flag fresh.
+        var result = await reader.ReadAsync(
+            "c-a",
+            centralFetch: async _ =>
+            {
+                await cache.SealAsync(new GenerationSnapshot
+                {
+                    ClusterId = "c-a",
+                    GenerationId = 42,
+                    CachedAt = DateTime.UtcNow,
+                    PayloadJson = "{\"gen\":42}",
+                }, CancellationToken.None);
+                return (long?)42;
+            },
+            fromSnapshot: snap => (long?)snap.GenerationId,
+            CancellationToken.None);
+
+        result.ShouldBe(42);
+        flag.IsStale.ShouldBeFalse();
+        cache.TryGetCurrentGenerationId("c-a").ShouldBe(42);
+    }
+
+    [Fact]
+    public async Task CentralDbFails_FallsBackToSealedSnapshot_FlagStale()
+    {
+        var cache = new GenerationSealedCache(_root);
+        var flag = new StaleConfigFlag();
+        var reader = new ResilientConfigReader(cache, flag, NullLogger<ResilientConfigReader>.Instance,
+            timeout: TimeSpan.FromSeconds(10), retryCount: 0);
+
+        // Seed a prior sealed snapshot (simulating a previous successful boot).
+        await cache.SealAsync(new GenerationSnapshot
+        {
+            ClusterId = "c-a", GenerationId = 37, CachedAt = DateTime.UtcNow,
+            PayloadJson = "{\"gen\":37}",
+        });
+
+        // Now simulate central DB down → fallback.
+        var result = await reader.ReadAsync(
+            "c-a",
+            centralFetch: _ => throw new InvalidOperationException("SQL dead"),
+            fromSnapshot: snap => (long?)snap.GenerationId,
+            CancellationToken.None);
+
+        result.ShouldBe(37);
+        flag.IsStale.ShouldBeTrue("cache fallback flips the /healthz flag");
+    }
+
+    [Fact]
+    public async Task NoSnapshot_AndCentralDown_Throws_ClearError()
+    {
+        var cache = new GenerationSealedCache(_root);
+        var flag = new StaleConfigFlag();
+        var reader = new ResilientConfigReader(cache, flag, NullLogger<ResilientConfigReader>.Instance,
+            timeout: TimeSpan.FromSeconds(10), retryCount: 0);
+
+        await Should.ThrowAsync<GenerationCacheUnavailableException>(async () =>
+        {
+            await reader.ReadAsync<long?>(
+                "c-a",
+                centralFetch: _ => throw new InvalidOperationException("SQL dead"),
+                fromSnapshot: snap => (long?)snap.GenerationId,
+                CancellationToken.None);
+        });
+    }
+
+    [Fact]
+    public async Task SuccessfulBootstrap_AfterFailure_ClearsStaleFlag()
+    {
+        var cache = new GenerationSealedCache(_root);
+        var flag = new StaleConfigFlag();
+        var reader = new ResilientConfigReader(cache, flag, NullLogger<ResilientConfigReader>.Instance,
+            timeout: TimeSpan.FromSeconds(10), retryCount: 0);
+
+        await cache.SealAsync(new GenerationSnapshot
+        {
+            ClusterId = "c-a", GenerationId = 1, CachedAt = DateTime.UtcNow, PayloadJson = "{}",
+        });
+
+        // Fallback serves snapshot → flag goes stale.
+        await reader.ReadAsync("c-a",
+            centralFetch: _ => throw new InvalidOperationException("dead"),
+            fromSnapshot: s => (long?)s.GenerationId,
+            CancellationToken.None);
+        flag.IsStale.ShouldBeTrue();
+
+        // Subsequent successful bootstrap clears it.
+        await reader.ReadAsync("c-a",
+            centralFetch: _ => ValueTask.FromResult((long?)5),
+            fromSnapshot: s => (long?)s.GenerationId,
+            CancellationToken.None);
+        flag.IsStale.ShouldBeFalse("next successful DB round-trip clears the flag");
+    }
+}
--- a/tests/ZB.MOM.WW.OtOpcUa.Server.Tests/ZB.MOM.WW.OtOpcUa.Server.Tests.csproj
+++ b/tests/ZB.MOM.WW.OtOpcUa.Server.Tests/ZB.MOM.WW.OtOpcUa.Server.Tests.csproj
@@ -14,6 +14,7 @@
        <PackageReference Include="Shouldly" Version="4.3.0"/>
        <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.12.0"/>
        <PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="10.0.0"/>
+        <PackageReference Include="Microsoft.EntityFrameworkCore.InMemory" Version="10.0.0"/>
        <PackageReference Include="OPCFoundation.NetStandard.Opc.Ua.Client" Version="1.5.374.126"/>
        <PackageReference Include="xunit.runner.visualstudio" Version="3.0.2">
            <PrivateAssets>all</PrivateAssets>