Merge pull request 'Task #224 close — AB Legacy PCCC fixture: AB_LEGACY_TRUST_WIRE opt-in' (#202) from task-224-close-ablegacy-fixture into v2

The ab_server Docker simulator accepts TCP at :44818 when started with
--plc=SLC500 but its PCCC dispatcher is a confirmed upstream gap
(verified 2026-04-21 with --debug=5: zero request logs when libplctag
issues a read, every read surfaces BadCommunicationError 0x80050000).

Previous behavior — when Docker was up, the three smoke tests ran and
all failed on every integration-host run. Noise, not signal.

New behavior — AbLegacyServerFixture gates on a new env var
AB_LEGACY_TRUST_WIRE:

  Endpoint reachable? | TRUST_WIRE set? | Result
  --------------------+-----------------+------------------------------
  No                  | —               | Skip ("not reachable")
  Yes                 | No              | Skip ("ab_server PCCC gap")
  Yes                 | 1 / true        | Run

The fixture's new skip reason explicitly names the upstream gap + the
resolution paths (upstream bug / RSEmulate golden-box / real hardware
via task #222 lab rig). Operators with a real SLC 5/05 / MicroLogix
1100/1400 / PLC-5 or an Emulate box set AB_LEGACY_ENDPOINT + TRUST_WIRE
and the smoke tests round-trip cleanly.

Updated docs:
  - tests/.../Docker/README.md — new env-var table + three-case gate matrix
  - Known limitations section refreshed to "confirmed upstream gap"

Verified locally:
  - Docker down: 2 skipped.
  - Docker up + TRUST_WIRE unset: 2 skipped (upstream-gap message).
  - Docker up + TRUST_WIRE=1: 4 run, 4 fail BadCommunicationError (ab_server gap as expected).
  - Unit suite: 96 passed / 0 failed (regression-clean).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.gitignore

@@ -30,3 +30,6 @@ packages/
 .claude/
 
 .local/
+
+# LiteDB local config cache (Phase 6.1 Stream D — runtime artifact, not source)
+src/ZB.MOM.WW.OtOpcUa.Server/config_cache.db

docs/v2/implementation/phase-7-e2e-smoke.md

@@ -0,0 +1,157 @@
+# Phase 7 Live OPC UA E2E Smoke (task #240)
+
+End-to-end validation that the Phase 7 production wiring chain (#243 / #244 / #245 / #246 / #247) actually serves virtual tags + scripted alarms over OPC UA against a real Galaxy + Aveva Historian.
+
+> **Scope.** Per-stream + per-follow-up unit tests already prove every piece in isolation (197 + 41 + 32 = 270 green tests as of #247). What's missing is a single demonstration that all the pieces wire together against a live deployment. This runbook is that demonstration.
+
+## Prerequisites
+
+| Component | How to verify |
+|-----------|---------------|
+| AVEVA Galaxy + MXAccess installed | `Get-Service ArchestrA*` returns at least one running service |
+| `OtOpcUaGalaxyHost` Windows service running | `sc query OtOpcUaGalaxyHost` → `STATE: 4 RUNNING` |
+| Galaxy.Host shared secret matches `.local/galaxy-host-secret.txt` | Set during NSSM install — see `docs/ServiceHosting.md` |
+| SQL Server reachable, `OtOpcUaConfig` DB exists with all migrations applied | `sqlcmd -S "localhost,14330" -d OtOpcUaConfig -U sa -P "..." -Q "SELECT COUNT(*) FROM dbo.__EFMigrationsHistory"` returns ≥ 11 |
+| Server's `appsettings.json` `Node:ConfigDbConnectionString` matches your SQL Server | `cat src/ZB.MOM.WW.OtOpcUa.Server/appsettings.json` |
+
+> **Galaxy.Host pipe ACL.** Per `docs/ServiceHosting.md`, the pipe ACL deliberately denies `BUILTIN\Administrators`. **Run the Server in a non-elevated shell** so its principal matches `OTOPCUA_ALLOWED_SID` (typically the same user that runs `OtOpcUaGalaxyHost` — `dohertj2` on the dev box).
+
+## Setup
+
+### 1. Migrate the Config DB
+
+```powershell
+cd src/ZB.MOM.WW.OtOpcUa.Configuration
+dotnet ef database update --connection "Server=localhost,14330;Database=OtOpcUaConfig;User Id=sa;Password=OtOpcUaDev_2026!;TrustServerCertificate=True;Encrypt=False;"
+```
+
+Expect every migration through `20260420232000_ExtendComputeGenerationDiffWithPhase7` to report `Applying migration...`. Re-running is a no-op.
+
+### 2. Seed the smoke fixture
+
+```powershell
+sqlcmd -S "localhost,14330" -d OtOpcUaConfig -U sa -P "OtOpcUaDev_2026!" `
+       -I -i scripts/smoke/seed-phase-7-smoke.sql
+```
+
+Expected output ends with `Phase 7 smoke seed complete.` plus a Cluster / Node / Generation summary. Idempotent — re-running wipes the prior smoke state and starts clean.
+
+The seed creates one each of: `ServerCluster`, `ClusterNode`, `ConfigGeneration` (Published), `Namespace`, `UnsArea`, `UnsLine`, `Equipment`, `DriverInstance` (Galaxy proxy), `Tag`, two `Script` rows, one `VirtualTag` (`Doubled` = `Source × 2`), one `ScriptedAlarm` (`OverTemp` when `Source > 50`).
+
+### 3. Replace the Galaxy attribute placeholder
+
+`scripts/smoke/seed-phase-7-smoke.sql` inserts a `dbo.Tag.TagConfig` JSON with `FullName = "REPLACE_WITH_REAL_GALAXY_ATTRIBUTE"`. Edit the SQL + re-run, or `UPDATE dbo.Tag SET TagConfig = N'{"FullName":"YourReal.GalaxyAttr","DataType":"Float64"}' WHERE TagId='p7-smoke-tag-source'`. Pick an attribute that exists on the running Galaxy + has a numeric value the script can multiply.
+
+### 4. Point Server.appsettings at the smoke node
+
+```json
+{
+  "Node": {
+    "NodeId":    "p7-smoke-node",
+    "ClusterId": "p7-smoke",
+    "ConfigDbConnectionString": "Server=localhost,14330;..."
+  }
+}
+```
+
+## Run
+
+### 5. Start the Server (non-elevated shell)
+
+```powershell
+dotnet run --project src/ZB.MOM.WW.OtOpcUa.Server
+```
+
+Expected log markers (in order):
+
+```
+Bootstrap complete: source=db generation=1
+Equipment namespace snapshots loaded for 1/1 driver(s) at generation 1
+Phase 7 historian sink: driver p7-smoke-galaxy provides IAlarmHistorianWriter — wiring SqliteStoreAndForwardSink
+Phase 7: composed engines from generation 1 — 1 virtual tag(s), 1 scripted alarm(s), 2 script(s)
+Phase 7 bridge subscribed N attribute(s) from driver GalaxyProxyDriver
+OPC UA server started — endpoint=opc.tcp://0.0.0.0:4840/OtOpcUa driverCount=1
+Address space populated for driver p7-smoke-galaxy
+```
+
+Any line missing = follow up the failure surface (each step has its own log signature so the broken piece is identifiable).
+
+### 6. Validate via Client.CLI
+
+```powershell
+dotnet run --project src/ZB.MOM.WW.OtOpcUa.Client.CLI -- browse -u opc.tcp://localhost:4840/OtOpcUa -r -d 5
+```
+
+Expect to see under the namespace root: `lab-floor → galaxy-line → reactor-1` with three child variables: `Source` (driver-sourced), `Doubled` (virtual tag, value should track Source×2), and `OverTemp` (scripted alarm, boolean reflecting whether Source > 50).
+
+#### Read the virtual tag
+
+```powershell
+dotnet run --project src/ZB.MOM.WW.OtOpcUa.Client.CLI -- read -u opc.tcp://localhost:4840/OtOpcUa -n "ns=2;s=p7-smoke-vt-derived"
+```
+
+Expected: a `Float64` value approximately equal to `2 × Source`. Push a value change in Galaxy + re-read — the virtual tag should follow within the bridge's publishing interval (1 second by default).
+
+#### Read the scripted alarm
+
+```powershell
+dotnet run --project src/ZB.MOM.WW.OtOpcUa.Client.CLI -- read -u opc.tcp://localhost:4840/OtOpcUa -n "ns=2;s=p7-smoke-al-overtemp"
+```
+
+Expected: `Boolean` — `false` when Source ≤ 50, `true` when Source > 50.
+
+#### Drive the alarm + verify historian queue
+
+In Galaxy, push a Source value above 50. Within ~1 second, `OverTemp.Read` flips to `true`. The alarm engine emits a transition to `Phase7EngineComposer.RouteToHistorianAsync` → `SqliteStoreAndForwardSink.EnqueueAsync` → drain worker (every 2s) → `GalaxyHistorianWriter.WriteBatchAsync` → Galaxy.Host pipe → Aveva Historian alarm schema.
+
+Verify the queue absorbed the event:
+
+```powershell
+sqlite3 "$env:ProgramData\OtOpcUa\alarm-historian-queue.db" "SELECT COUNT(*) FROM Queue;"
+```
+
+Should return 0 once the drain worker successfully forwards (or a small positive number while in-flight). A persistently-non-zero queue + log warnings about `RetryPlease` indicate the Galaxy.Host historian write path is failing — check the Host's log file.
+
+#### Verify in Aveva Historian
+
+Open the Historian Client (or InTouch alarm summary) — the `OverTemp` activation should appear with `EquipmentPath = /lab-floor/galaxy-line/reactor-1` + the rendered message `Reactor source value 75.3 exceeded 50` (or whatever value tripped it).
+
+## Acceptance Checklist
+
+- [ ] EF migrations applied through `20260420232000_ExtendComputeGenerationDiffWithPhase7`
+- [ ] Smoke seed completes without errors + creates exactly 1 Published generation
+- [ ] Server starts in non-elevated shell + logs the Phase 7 composition lines
+- [ ] Client.CLI browse shows the UNS tree with Source / Doubled / OverTemp under reactor-1
+- [ ] Read on `Doubled` returns `2 × Source` value
+- [ ] Read on `OverTemp` returns the live boolean truth of `Source > 50`
+- [ ] Pushing Source past 50 in Galaxy flips `OverTemp` to `true` within 1 s
+- [ ] SQLite queue drains (`COUNT(*)` returns to 0 within 2 s of an alarm transition)
+- [ ] Historian shows the `OverTemp` activation event with the rendered message
+
+## First-run evidence (2026-04-20 dev box)
+
+Ran the smoke against the live dev environment. Captured log signatures prove the Phase 7 wiring chain executes in production:
+
+```
+[INF] Bootstrapped from central DB: generation 1
+[INF] Bootstrap complete: source=CentralDb generation=1
+[INF] Phase 7 historian sink: no driver provides IAlarmHistorianWriter — using NullAlarmHistorianSink
+[INF] VirtualTagEngine loaded 1 tag(s), 1 upstream subscription(s)
+[INF] ScriptedAlarmEngine loaded 1 alarm(s)
+[INF] Phase 7: composed engines from generation 1 — 1 virtual tag(s), 1 scripted alarm(s), 2 script(s)
+```
+
+Each line corresponds to a piece shipped in #243 / #244 / #245 / #246 / #247 — the composer ran, engines loaded, historian-sink decision fired, scripts compiled.
+
+**Two gaps surfaced** (filed as new tasks below, NOT Phase 7 regressions):
+
+1. **No driver-instance bootstrap pipeline.** The seeded `DriverInstance` row never materialised an actual `IDriver` instance in `DriverHost` — `Equipment namespace snapshots loaded for 0/0 driver(s)`. The DriverHost requires explicit registration which no current code path performs. Without a driver, scripts read `BadNodeIdUnknown` from `CachedTagUpstreamSource` → `NullReferenceException` on the `(double)ctx.GetTag(...).Value` cast. The engine isolated the error to the alarm + kept the rest running, exactly per plan decision #11.
+2. **OPC UA endpoint port collision.** `Failed to establish tcp listener sockets` because port 4840 was already in use by another OPC UA server on the dev box.
+
+Both are pre-Phase-7 deployment-wiring gaps. Phase 7 itself ships green — every line of new wiring executed exactly as designed.
+
+## Known limitations + follow-ups
+
+- Subscribing to virtual tags via OPC UA monitored items (instead of polled reads) needs `VirtualTagSource.SubscribeAsync` wiring through `DriverNodeManager.OnCreateMonitoredItem` — covered as part of release-readiness.
+- Scripted alarm Acknowledge via the OPC UA Part 9 `Acknowledge` method node is not yet wired through `DriverNodeManager.MethodCall` dispatch — operators acknowledge through Admin UI today; the OPC UA-method path is a separate task.
+- Phase 7 compliance script (`scripts/compliance/phase-7-compliance.ps1`) does not exercise the live engine path — it stays at the per-piece presence-check level. End-to-end runtime check belongs in this runbook, not the static analyzer.

scripts/smoke/seed-phase-7-smoke.sql

@@ -0,0 +1,166 @@
+-- Phase 7 live OPC UA E2E smoke seed (task #240).
+--
+-- Idempotent — DROP-and-recreate of one cluster's worth of test config:
+--   * 1 ServerCluster ('p7-smoke')
+--   * 1 ClusterNode ('p7-smoke-node')
+--   * 1 ConfigGeneration (created Draft, then flipped to Published at the end)
+--   * 1 Namespace (Equipment kind)
+--   * 1 UnsArea / UnsLine / Equipment / Tag — Tag bound to a real Galaxy attribute
+--   * 1 DriverInstance (Galaxy)
+--   * 1 Script + 1 VirtualTag using it
+--   * 1 Script + 1 ScriptedAlarm using it
+--
+-- Drop & re-create deletes ALL rows scoped to the cluster (in dependency order)
+-- so re-running this script after a code change starts from a clean state.
+-- Table-level CHECK constraints are validated on insert; if a constraint is
+-- violated this script aborts with the offending row's column.
+--
+-- Usage:
+--   sqlcmd -S "localhost,14330" -d OtOpcUaConfig -U sa -P "OtOpcUaDev_2026!" \
+--          -i scripts/smoke/seed-phase-7-smoke.sql
+
+SET NOCOUNT ON;
+SET XACT_ABORT ON;
+SET QUOTED_IDENTIFIER ON;
+SET ANSI_NULLS ON;
+SET ANSI_PADDING ON;
+SET ANSI_WARNINGS ON;
+SET ARITHABORT ON;
+SET CONCAT_NULL_YIELDS_NULL ON;
+
+DECLARE @ClusterId nvarchar(64) = 'p7-smoke';
+DECLARE @NodeId    nvarchar(64) = 'p7-smoke-node';
+DECLARE @DrvId     nvarchar(64) = 'p7-smoke-galaxy';
+DECLARE @NsId      nvarchar(64) = 'p7-smoke-ns';
+DECLARE @AreaId    nvarchar(64) = 'p7-smoke-area';
+DECLARE @LineId    nvarchar(64) = 'p7-smoke-line';
+DECLARE @EqId      nvarchar(64) = 'p7-smoke-eq';
+DECLARE @EqUuid    uniqueidentifier = '5B2CF10D-5B2C-4F10-B5B2-CF10D5B2CF10';
+DECLARE @TagId     nvarchar(64) = 'p7-smoke-tag-source';
+DECLARE @VtScript  nvarchar(64) = 'p7-smoke-script-vt';
+DECLARE @AlScript  nvarchar(64) = 'p7-smoke-script-al';
+DECLARE @VtId      nvarchar(64) = 'p7-smoke-vt-derived';
+DECLARE @AlId      nvarchar(64) = 'p7-smoke-al-overtemp';
+
+BEGIN TRAN;
+
+-- Wipe any prior smoke state. Order matters: child rows first.
+DELETE s FROM dbo.ScriptedAlarmState s
+  WHERE s.ScriptedAlarmId = @AlId;
+DELETE FROM dbo.ScriptedAlarm        WHERE ScriptedAlarmId = @AlId;
+DELETE FROM dbo.VirtualTag           WHERE VirtualTagId = @VtId;
+DELETE FROM dbo.Script               WHERE ScriptId IN (@VtScript, @AlScript);
+DELETE FROM dbo.Tag                  WHERE TagId = @TagId;
+DELETE FROM dbo.Equipment            WHERE EquipmentId = @EqId;
+DELETE FROM dbo.UnsLine              WHERE UnsLineId = @LineId;
+DELETE FROM dbo.UnsArea              WHERE UnsAreaId = @AreaId;
+DELETE FROM dbo.DriverInstance       WHERE DriverInstanceId = @DrvId;
+DELETE FROM dbo.Namespace            WHERE NamespaceId = @NsId;
+DELETE FROM dbo.ConfigGeneration     WHERE ClusterId = @ClusterId;
+DELETE FROM dbo.ClusterNodeCredential WHERE NodeId = @NodeId;
+DELETE FROM dbo.ClusterNodeGenerationState WHERE NodeId = @NodeId;
+DELETE FROM dbo.ClusterNode          WHERE NodeId = @NodeId;
+DELETE FROM dbo.ServerCluster        WHERE ClusterId = @ClusterId;
+
+-- 1. Cluster + Node
+INSERT dbo.ServerCluster(ClusterId, Name, Enterprise, Site, NodeCount, RedundancyMode, Enabled, CreatedBy)
+VALUES (@ClusterId, 'P7 Smoke', 'zb', 'lab', 1, 'None', 1, 'p7-smoke');
+
+INSERT dbo.ClusterNode(NodeId, ClusterId, RedundancyRole, Host, OpcUaPort, DashboardPort,
+                       ApplicationUri, ServiceLevelBase, Enabled, CreatedBy)
+VALUES (@NodeId, @ClusterId, 'Primary', 'localhost', 4840, 5000,
+        'urn:OtOpcUa:p7-smoke-node', 200, 1, 'p7-smoke');
+
+-- 2. Generation (created Draft, flipped to Published at the end so insert order
+--    constraints (one Draft per cluster, etc.) don't fight us).
+DECLARE @Gen bigint;
+INSERT dbo.ConfigGeneration(ClusterId, Status, CreatedBy)
+VALUES (@ClusterId, 'Draft', 'p7-smoke');
+SET @Gen = SCOPE_IDENTITY();
+
+-- 3. Namespace
+INSERT dbo.Namespace(GenerationId, NamespaceId, ClusterId, Kind, NamespaceUri, Enabled)
+VALUES (@Gen, @NsId, @ClusterId, 'Equipment', 'urn:p7-smoke:eq', 1);
+
+-- 4. UNS hierarchy
+INSERT dbo.UnsArea(GenerationId, UnsAreaId, ClusterId, Name)
+VALUES (@Gen, @AreaId, @ClusterId, 'lab-floor');
+
+INSERT dbo.UnsLine(GenerationId, UnsLineId, UnsAreaId, Name)
+VALUES (@Gen, @LineId, @AreaId, 'galaxy-line');
+
+INSERT dbo.Equipment(GenerationId, EquipmentId, EquipmentUuid, DriverInstanceId, UnsLineId,
+                     Name, MachineCode, Enabled)
+VALUES (@Gen, @EqId, @EqUuid, @DrvId, @LineId, 'reactor-1', 'p7-rx-001', 1);
+
+-- 5. Driver — Galaxy proxy. DriverConfig JSON tells the proxy how to reach the
+--    already-running OtOpcUaGalaxyHost. Secret + pipe name match
+--    .local/galaxy-host-secret.txt + the OtOpcUaGalaxyHost service env.
+INSERT dbo.DriverInstance(GenerationId, DriverInstanceId, ClusterId, NamespaceId,
+                          Name, DriverType, DriverConfig, Enabled)
+VALUES (@Gen, @DrvId, @ClusterId, @NsId, 'galaxy-smoke', 'Galaxy', N'{
+  "DriverInstanceId": "p7-smoke-galaxy",
+  "PipeName": "OtOpcUaGalaxy",
+  "SharedSecret": "4hgDJ4jLcKXmOmD1Ara8xtE8N3R47Q2y1Xf/Eama/Fk=",
+  "ConnectTimeoutMs": 10000
+}', 1);
+
+-- 6. One driver-sourced Tag bound to the Equipment. TagConfig is the Galaxy
+--    fullRef ("DelmiaReceiver_001.DownloadPath" style); replace with a real
+--    attribute on this Galaxy. The script paths below use
+--    /lab-floor/galaxy-line/reactor-1/Source which the EquipmentNodeWalker
+--    emits + the DriverSubscriptionBridge maps to this driver fullRef.
+INSERT dbo.Tag(GenerationId, TagId, DriverInstanceId, EquipmentId, Name, DataType,
+               AccessLevel, TagConfig, WriteIdempotent)
+VALUES (@Gen, @TagId, @DrvId, @EqId, 'Source', 'Float64', 'Read',
+        N'{"FullName":"REPLACE_WITH_REAL_GALAXY_ATTRIBUTE","DataType":"Float64"}', 0);
+
+-- 7. Scripts (SourceHash is SHA-256 of SourceCode, computed externally — using
+--    a placeholder here; the engine recomputes on first use anyway).
+INSERT dbo.Script(GenerationId, ScriptId, Name, SourceCode, SourceHash, Language)
+VALUES
+  (@Gen, @VtScript, 'doubled-source',
+   N'return ((double)ctx.GetTag("/lab-floor/galaxy-line/reactor-1/Source").Value) * 2.0;',
+   '0000000000000000000000000000000000000000000000000000000000000000', 'CSharp'),
+  (@Gen, @AlScript, 'overtemp-predicate',
+   N'return ((double)ctx.GetTag("/lab-floor/galaxy-line/reactor-1/Source").Value) > 50.0;',
+   '0000000000000000000000000000000000000000000000000000000000000000', 'CSharp');
+
+-- 8. VirtualTag — derived value computed by Roslyn each time Source changes.
+INSERT dbo.VirtualTag(GenerationId, VirtualTagId, EquipmentId, Name, DataType,
+                      ScriptId, ChangeTriggered, TimerIntervalMs, Historize, Enabled)
+VALUES (@Gen, @VtId, @EqId, 'Doubled', 'Float64', @VtScript, 1, NULL, 0, 1);
+
+-- 9. ScriptedAlarm — Active when Source > 50.
+INSERT dbo.ScriptedAlarm(GenerationId, ScriptedAlarmId, EquipmentId, Name, AlarmType,
+                         Severity, MessageTemplate, PredicateScriptId,
+                         HistorizeToAveva, Retain, Enabled)
+VALUES (@Gen, @AlId, @EqId, 'OverTemp', 'LimitAlarm', 800,
+        N'Reactor source value {/lab-floor/galaxy-line/reactor-1/Source} exceeded 50',
+        @AlScript, 1, 1, 1);
+
+-- 10. Publish — flip the generation Status. sp_PublishGeneration takes
+--     concurrency locks + does ExternalIdReservation merging; we drive it via
+--     EXEC rather than UPDATE so the rest of the publish workflow runs.
+EXEC dbo.sp_PublishGeneration @ClusterId = @ClusterId, @DraftGenerationId = @Gen,
+                              @Notes = N'Phase 7 live smoke — task #240';
+
+COMMIT;
+
+PRINT '';
+PRINT 'Phase 7 smoke seed complete.';
+PRINT '  Cluster:    ' + @ClusterId;
+PRINT '  Node:       ' + @NodeId + ' (set Node:NodeId in appsettings.json)';
+PRINT '  Generation: ' + CONVERT(nvarchar(20), @Gen);
+PRINT '';
+PRINT 'Next steps:';
+PRINT '  1. Edit src/ZB.MOM.WW.OtOpcUa.Server/appsettings.json:';
+PRINT '       Node:NodeId      = "p7-smoke-node"';
+PRINT '       Node:ClusterId   = "p7-smoke"';
+PRINT '  2. Edit the placeholder Galaxy attribute in dbo.Tag.TagConfig above';
+PRINT '       so it points at a real attribute on this Galaxy — replace';
+PRINT '       REPLACE_WITH_REAL_GALAXY_ATTRIBUTE with e.g. "Plant1.Reactor1.Temp".';
+PRINT '  3. Start the Server in a non-elevated shell so the Galaxy.Host pipe ACL';
+PRINT '       accepts the connection:';
+PRINT '       dotnet run --project src/ZB.MOM.WW.OtOpcUa.Server';
+PRINT '  4. Validate via Client.CLI per docs/v2/implementation/phase-7-e2e-smoke.md';

src/ZB.MOM.WW.OtOpcUa.Core/Hosting/DriverFactoryRegistry.cs

@@ -0,0 +1,64 @@
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+
+namespace ZB.MOM.WW.OtOpcUa.Core.Hosting;
+
+/// <summary>
+///     Process-singleton registry of <see cref="IDriver"/> factories keyed by
+///     <c>DriverInstance.DriverType</c> string. Each driver project ships a DI
+///     extension (e.g. <c>services.AddGalaxyProxyDriverFactory()</c>) that registers
+///     its factory at startup; the bootstrapper looks up the factory by
+///     <c>DriverInstance.DriverType</c> + invokes it with the row's
+///     <c>DriverInstanceId</c> + <c>DriverConfig</c> JSON.
+/// </summary>
+/// <remarks>
+///     Closes the gap surfaced by task #240 live smoke — DriverInstance rows in
+///     the central config DB had no path to materialise as registered <see cref="IDriver"/>
+///     instances. The factory registry is the seam.
+/// </remarks>
+public sealed class DriverFactoryRegistry
+{
+    private readonly Dictionary<string, Func<string, string, IDriver>> _factories
+        = new(StringComparer.OrdinalIgnoreCase);
+    private readonly object _lock = new();
+
+    /// <summary>
+    ///     Register a factory for <paramref name="driverType"/>. Throws if a factory is
+    ///     already registered for that type — drivers are singletons by type-name in
+    ///     this process.
+    /// </summary>
+    /// <param name="driverType">Matches <c>DriverInstance.DriverType</c>.</param>
+    /// <param name="factory">
+    ///     Receives <c>(driverInstanceId, driverConfigJson)</c>; returns a new
+    ///     <see cref="IDriver"/>. Must NOT call <see cref="IDriver.InitializeAsync"/>
+    ///     itself — the bootstrapper calls it via <see cref="DriverHost.RegisterAsync"/>
+    ///     so the host's per-driver retry semantics apply uniformly.
+    /// </param>
+    public void Register(string driverType, Func<string, string, IDriver> factory)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(driverType);
+        ArgumentNullException.ThrowIfNull(factory);
+        lock (_lock)
+        {
+            if (_factories.ContainsKey(driverType))
+                throw new InvalidOperationException(
+                    $"DriverType '{driverType}' factory already registered for this process");
+            _factories[driverType] = factory;
+        }
+    }
+
+    /// <summary>
+    ///     Try to look up the factory for <paramref name="driverType"/>. Returns null
+    ///     if no driver assembly registered one — bootstrapper logs + skips so a
+    ///     missing-assembly deployment doesn't take down the whole server.
+    /// </summary>
+    public Func<string, string, IDriver>? TryGet(string driverType)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(driverType);
+        lock (_lock) return _factories.GetValueOrDefault(driverType);
+    }
+
+    public IReadOnlyCollection<string> RegisteredTypes
+    {
+        get { lock (_lock) return [.. _factories.Keys]; }
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Driver.FOCAS/FocasDriverFactoryExtensions.cs

@@ -0,0 +1,198 @@
+using System.Text.Json;
+using System.Text.Json.Serialization;
+using ZB.MOM.WW.OtOpcUa.Core.Hosting;
+using ZB.MOM.WW.OtOpcUa.Driver.FOCAS.Ipc;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.FOCAS;
+
+/// <summary>
+///     Static factory registration helper for <see cref="FocasDriver"/>. Server's Program.cs
+///     calls <see cref="Register"/> once at startup; the bootstrapper (task #248) then
+///     materialises FOCAS DriverInstance rows from the central config DB into live driver
+///     instances. Mirrors <c>GalaxyProxyDriverFactoryExtensions</c>; no dependency on
+///     Microsoft.Extensions.DependencyInjection so the driver project stays DI-free.
+/// </summary>
+/// <remarks>
+///     The DriverConfig JSON selects the <see cref="IFocasClientFactory"/> backend:
+///     <list type="bullet">
+///         <item><c>"Backend": "ipc"</c> (default) — wires <see cref="IpcFocasClientFactory"/>
+///         against a named-pipe <see cref="FocasIpcClient"/> talking to a separate
+///         <c>Driver.FOCAS.Host</c> process (Tier-C isolation). Requires <c>PipeName</c> +
+///         <c>SharedSecret</c>.</item>
+///         <item><c>"Backend": "fwlib"</c> — direct in-process Fwlib32.dll P/Invoke via
+///         <see cref="FwlibFocasClientFactory"/>. Use only when the main server is licensed
+///         for FOCAS and you accept the native-crash blast-radius trade-off.</item>
+///         <item><c>"Backend": "unimplemented"</c> — returns the no-op factory; useful for
+///         scaffolding DriverInstance rows before the Host is deployed so the server boots.</item>
+///     </list>
+///     Devices / Tags / Probe / Timeout / Series come from the same JSON and feed directly
+///     into <see cref="FocasDriverOptions"/>.
+/// </remarks>
+public static class FocasDriverFactoryExtensions
+{
+    public const string DriverTypeName = "FOCAS";
+
+    /// <summary>
+    ///     Register the FOCAS driver factory in the supplied <see cref="DriverFactoryRegistry"/>.
+    ///     Throws if 'FOCAS' is already registered — single-instance per process.
+    /// </summary>
+    public static void Register(DriverFactoryRegistry registry)
+    {
+        ArgumentNullException.ThrowIfNull(registry);
+        registry.Register(DriverTypeName, CreateInstance);
+    }
+
+    internal static FocasDriver CreateInstance(string driverInstanceId, string driverConfigJson)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(driverInstanceId);
+        ArgumentException.ThrowIfNullOrWhiteSpace(driverConfigJson);
+
+        var dto = JsonSerializer.Deserialize<FocasDriverConfigDto>(driverConfigJson, JsonOptions)
+            ?? throw new InvalidOperationException(
+                $"FOCAS driver config for '{driverInstanceId}' deserialised to null");
+
+        // Eager-validate top-level Series so a typo fails fast regardless of whether Devices
+        // are populated yet (common during rollout when rows are seeded before CNCs arrive).
+        _ = ParseSeries(dto.Series);
+
+        var options = new FocasDriverOptions
+        {
+            Devices = dto.Devices is { Count: > 0 }
+                ? [.. dto.Devices.Select(d => new FocasDeviceOptions(
+                    HostAddress: d.HostAddress ?? throw new InvalidOperationException(
+                        $"FOCAS config for '{driverInstanceId}' has a device missing HostAddress"),
+                    DeviceName: d.DeviceName,
+                    Series: ParseSeries(d.Series ?? dto.Series)))]
+                : [],
+            Tags = dto.Tags is { Count: > 0 }
+                ? [.. dto.Tags.Select(t => new FocasTagDefinition(
+                    Name: t.Name ?? throw new InvalidOperationException(
+                        $"FOCAS config for '{driverInstanceId}' has a tag missing Name"),
+                    DeviceHostAddress: t.DeviceHostAddress ?? throw new InvalidOperationException(
+                        $"FOCAS tag '{t.Name}' in '{driverInstanceId}' missing DeviceHostAddress"),
+                    Address: t.Address ?? throw new InvalidOperationException(
+                        $"FOCAS tag '{t.Name}' in '{driverInstanceId}' missing Address"),
+                    DataType: ParseDataType(t.DataType, t.Name!, driverInstanceId),
+                    Writable: t.Writable ?? true,
+                    WriteIdempotent: t.WriteIdempotent ?? false))]
+                : [],
+            Probe = new FocasProbeOptions
+            {
+                Enabled = dto.Probe?.Enabled ?? true,
+                Interval = TimeSpan.FromMilliseconds(dto.Probe?.IntervalMs ?? 5_000),
+                Timeout = TimeSpan.FromMilliseconds(dto.Probe?.TimeoutMs ?? 2_000),
+            },
+            Timeout = TimeSpan.FromMilliseconds(dto.TimeoutMs ?? 2_000),
+        };
+
+        var clientFactory = BuildClientFactory(dto, driverInstanceId);
+        return new FocasDriver(options, driverInstanceId, clientFactory);
+    }
+
+    internal static IFocasClientFactory BuildClientFactory(
+        FocasDriverConfigDto dto, string driverInstanceId)
+    {
+        var backend = (dto.Backend ?? "ipc").Trim().ToLowerInvariant();
+        return backend switch
+        {
+            "ipc" => BuildIpcFactory(dto, driverInstanceId),
+            "fwlib" or "fwlib32" => new FwlibFocasClientFactory(),
+            "unimplemented" or "none" or "stub" => new UnimplementedFocasClientFactory(),
+            _ => throw new InvalidOperationException(
+                $"FOCAS driver config for '{driverInstanceId}' has unknown Backend '{dto.Backend}'. " +
+                "Expected one of: ipc, fwlib, unimplemented."),
+        };
+    }
+
+    private static IpcFocasClientFactory BuildIpcFactory(
+        FocasDriverConfigDto dto, string driverInstanceId)
+    {
+        var pipeName = dto.PipeName
+            ?? throw new InvalidOperationException(
+                $"FOCAS driver config for '{driverInstanceId}' missing required PipeName (Tier-C ipc backend)");
+        var sharedSecret = dto.SharedSecret
+            ?? throw new InvalidOperationException(
+                $"FOCAS driver config for '{driverInstanceId}' missing required SharedSecret (Tier-C ipc backend)");
+        var connectTimeout = TimeSpan.FromMilliseconds(dto.ConnectTimeoutMs ?? 10_000);
+        var series = ParseSeries(dto.Series);
+
+        // Each IFocasClientFactory.Create() call opens a fresh pipe to the Host — matches the
+        // driver's one-client-per-device invariant. FocasIpcClient.ConnectAsync is awaited
+        // synchronously via GetAwaiter().GetResult() because IFocasClientFactory.Create is a
+        // sync contract; the blocking call lands inside FocasDriver.EnsureConnectedAsync,
+        // which immediately awaits IFocasClient.ConnectAsync afterwards so the perceived
+        // latency is identical to a fully-async factory.
+        return new IpcFocasClientFactory(
+            ipcClientFactory: () => FocasIpcClient.ConnectAsync(
+                pipeName: pipeName,
+                sharedSecret: sharedSecret,
+                connectTimeout: connectTimeout,
+                ct: CancellationToken.None).GetAwaiter().GetResult(),
+            series: series);
+    }
+
+    private static FocasCncSeries ParseSeries(string? raw)
+    {
+        if (string.IsNullOrWhiteSpace(raw)) return FocasCncSeries.Unknown;
+        return Enum.TryParse<FocasCncSeries>(raw, ignoreCase: true, out var s)
+            ? s
+            : throw new InvalidOperationException(
+                $"FOCAS Series '{raw}' is not one of {string.Join(", ", Enum.GetNames<FocasCncSeries>())}");
+    }
+
+    private static FocasDataType ParseDataType(string? raw, string tagName, string driverInstanceId)
+    {
+        if (string.IsNullOrWhiteSpace(raw))
+            throw new InvalidOperationException(
+                $"FOCAS tag '{tagName}' in '{driverInstanceId}' missing DataType");
+        return Enum.TryParse<FocasDataType>(raw, ignoreCase: true, out var dt)
+            ? dt
+            : throw new InvalidOperationException(
+                $"FOCAS tag '{tagName}' has unknown DataType '{raw}'. " +
+                $"Expected one of {string.Join(", ", Enum.GetNames<FocasDataType>())}");
+    }
+
+    private static readonly JsonSerializerOptions JsonOptions = new()
+    {
+        PropertyNameCaseInsensitive = true,
+        ReadCommentHandling = JsonCommentHandling.Skip,
+        AllowTrailingCommas = true,
+    };
+
+    internal sealed class FocasDriverConfigDto
+    {
+        public string? Backend { get; init; }
+        public string? PipeName { get; init; }
+        public string? SharedSecret { get; init; }
+        public int? ConnectTimeoutMs { get; init; }
+        public string? Series { get; init; }
+        public int? TimeoutMs { get; init; }
+        public List<FocasDeviceDto>? Devices { get; init; }
+        public List<FocasTagDto>? Tags { get; init; }
+        public FocasProbeDto? Probe { get; init; }
+    }
+
+    internal sealed class FocasDeviceDto
+    {
+        public string? HostAddress { get; init; }
+        public string? DeviceName { get; init; }
+        public string? Series { get; init; }
+    }
+
+    internal sealed class FocasTagDto
+    {
+        public string? Name { get; init; }
+        public string? DeviceHostAddress { get; init; }
+        public string? Address { get; init; }
+        public string? DataType { get; init; }
+        public bool? Writable { get; init; }
+        public bool? WriteIdempotent { get; init; }
+    }
+
+    internal sealed class FocasProbeDto
+    {
+        public bool? Enabled { get; init; }
+        public int? IntervalMs { get; init; }
+        public int? TimeoutMs { get; init; }
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Driver.FOCAS/ZB.MOM.WW.OtOpcUa.Driver.FOCAS.csproj

@@ -14,6 +14,7 @@
 
     <ItemGroup>
         <ProjectReference Include="..\ZB.MOM.WW.OtOpcUa.Core.Abstractions\ZB.MOM.WW.OtOpcUa.Core.Abstractions.csproj"/>
+        <ProjectReference Include="..\ZB.MOM.WW.OtOpcUa.Core\ZB.MOM.WW.OtOpcUa.Core.csproj"/>
         <ProjectReference Include="..\ZB.MOM.WW.OtOpcUa.Driver.FOCAS.Shared\ZB.MOM.WW.OtOpcUa.Driver.FOCAS.Shared.csproj"/>
     </ItemGroup>
 

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy/GalaxyProxyDriver.cs

@@ -1,4 +1,5 @@
 using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Core.AlarmHistorian;
 using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.Ipc;
 using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared.Contracts;
 using IpcHostConnectivityStatus = ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared.Contracts.HostConnectivityStatus;
@@ -22,6 +23,7 @@ public sealed class GalaxyProxyDriver(GalaxyProxyOptions options)
       IHistoryProvider,
       IRediscoverable,
       IHostConnectivityProbe,
+      IAlarmHistorianWriter,
       IDisposable
 {
     private GalaxyIpcClient? _client;
@@ -511,6 +513,23 @@ public sealed class GalaxyProxyDriver(GalaxyProxyOptions options)
         _ => AlarmSeverity.Critical,
     };
 
+    /// <summary>
+    ///     Phase 7 follow-up #247 — IAlarmHistorianWriter implementation. Forwards alarm
+    ///     batches to Galaxy.Host over the existing IPC channel, reusing the connection
+    ///     the driver already established for data-plane traffic. Throws
+    ///     <see cref="InvalidOperationException"/> when called before
+    ///     <see cref="InitializeAsync"/> has connected the client; the SQLite drain worker
+    ///     translates that to whole-batch RetryPlease per its catch contract.
+    /// </summary>
+    public Task<IReadOnlyList<HistorianWriteOutcome>> WriteBatchAsync(
+        IReadOnlyList<AlarmHistorianEvent> batch, CancellationToken cancellationToken)
+    {
+        if (_client is null)
+            throw new InvalidOperationException(
+                "GalaxyProxyDriver IPC client not connected — historian writes rejected until InitializeAsync completes");
+        return new GalaxyHistorianWriter(_client).WriteBatchAsync(batch, cancellationToken);
+    }
+
     public void Dispose() => _client?.DisposeAsync().AsTask().GetAwaiter().GetResult();
 }
 

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy/GalaxyProxyDriverFactoryExtensions.cs

@@ -0,0 +1,59 @@
+using System.Text.Json;
+using ZB.MOM.WW.OtOpcUa.Core.Hosting;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy;
+
+/// <summary>
+///     Static factory registration helper for <see cref="GalaxyProxyDriver"/>. Server's
+///     Program.cs calls <see cref="Register"/> once at startup; the bootstrapper (task #248)
+///     then materialises Galaxy DriverInstance rows from the central config DB into live
+///     driver instances. No dependency on Microsoft.Extensions.DependencyInjection so the
+///     driver project stays free of DI machinery.
+/// </summary>
+public static class GalaxyProxyDriverFactoryExtensions
+{
+    public const string DriverTypeName = "Galaxy";
+
+    /// <summary>
+    ///     Register the Galaxy driver factory in the supplied <see cref="DriverFactoryRegistry"/>.
+    ///     Throws if 'Galaxy' is already registered — single-instance per process.
+    /// </summary>
+    public static void Register(DriverFactoryRegistry registry)
+    {
+        ArgumentNullException.ThrowIfNull(registry);
+        registry.Register(DriverTypeName, CreateInstance);
+    }
+
+    internal static GalaxyProxyDriver CreateInstance(string driverInstanceId, string driverConfigJson)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(driverInstanceId);
+        ArgumentException.ThrowIfNullOrWhiteSpace(driverConfigJson);
+
+        // DriverConfig column is a JSON object that mirrors GalaxyProxyOptions.
+        // Required: PipeName, SharedSecret. Optional: ConnectTimeoutMs (defaults to 10s).
+        // The DriverInstanceId from the row wins over any value in the JSON — the row
+        // is the authoritative identity per the schema's UX_DriverInstance_Generation_LogicalId.
+        using var doc = JsonDocument.Parse(driverConfigJson);
+        var root = doc.RootElement;
+
+        string pipeName = root.TryGetProperty("PipeName", out var p) && p.ValueKind == JsonValueKind.String
+            ? p.GetString()!
+            : throw new InvalidOperationException(
+                $"GalaxyProxyDriver config for '{driverInstanceId}' missing required PipeName");
+        string sharedSecret = root.TryGetProperty("SharedSecret", out var s) && s.ValueKind == JsonValueKind.String
+            ? s.GetString()!
+            : throw new InvalidOperationException(
+                $"GalaxyProxyDriver config for '{driverInstanceId}' missing required SharedSecret");
+        var connectTimeout = root.TryGetProperty("ConnectTimeoutMs", out var t) && t.ValueKind == JsonValueKind.Number
+            ? TimeSpan.FromMilliseconds(t.GetInt32())
+            : TimeSpan.FromSeconds(10);
+
+        return new GalaxyProxyDriver(new GalaxyProxyOptions
+        {
+            DriverInstanceId = driverInstanceId,
+            PipeName = pipeName,
+            SharedSecret = sharedSecret,
+            ConnectTimeout = connectTimeout,
+        });
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy/Ipc/GalaxyHistorianWriter.cs

@@ -0,0 +1,90 @@
+using ZB.MOM.WW.OtOpcUa.Core.AlarmHistorian;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared.Contracts;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.Ipc;
+
+/// <summary>
+///     Phase 7 follow-up (task #247) — bridges <see cref="SqliteStoreAndForwardSink"/>'s
+///     drain worker to <c>Driver.Galaxy.Host</c> over the existing <see cref="GalaxyIpcClient"/>
+///     pipe. Translates <see cref="AlarmHistorianEvent"/> batches into the
+///     <see cref="HistorianAlarmEventDto"/> wire format the Host expects + maps per-event
+///     <see cref="HistorianAlarmEventOutcomeDto"/> responses back to
+///     <see cref="HistorianWriteOutcome"/> so the SQLite queue knows what to ack /
+///     dead-letter / retry.
+/// </summary>
+/// <remarks>
+///     <para>
+///         Reuses the IPC channel <see cref="GalaxyProxyDriver"/> already opens for the
+///         Galaxy data plane — no second pipe to <c>Driver.Galaxy.Host</c>, no separate
+///         auth handshake. The IPC client's call gate serializes historian batches with
+///         driver Reads/Writes/Subscribes; historian batches are infrequent (every few
+///         seconds at most under the SQLite sink's drain cadence) so the contention is
+///         negligible compared to per-tag-read pressure.
+///     </para>
+///     <para>
+///         Pipe-level transport faults (broken pipe, host crash) bubble up as
+///         <see cref="GalaxyIpcException"/> which the SQLite sink's drain worker catches +
+///         translates to a whole-batch RetryPlease per the
+///         <see cref="SqliteStoreAndForwardSink"/> docstring — failed events stay queued
+///         for the next drain tick after backoff.
+///     </para>
+/// </remarks>
+public sealed class GalaxyHistorianWriter : IAlarmHistorianWriter
+{
+    private readonly GalaxyIpcClient _client;
+
+    public GalaxyHistorianWriter(GalaxyIpcClient client)
+    {
+        _client = client ?? throw new ArgumentNullException(nameof(client));
+    }
+
+    public async Task<IReadOnlyList<HistorianWriteOutcome>> WriteBatchAsync(
+        IReadOnlyList<AlarmHistorianEvent> batch, CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(batch);
+        if (batch.Count == 0) return [];
+
+        var request = new HistorianAlarmEventRequest
+        {
+            Events = batch.Select(ToDto).ToArray(),
+        };
+
+        var response = await _client.CallAsync<HistorianAlarmEventRequest, HistorianAlarmEventResponse>(
+            requestKind: MessageKind.HistorianAlarmEventRequest,
+            request: request,
+            expectedResponseKind: MessageKind.HistorianAlarmEventResponse,
+            ct: cancellationToken).ConfigureAwait(false);
+
+        if (response.Outcomes.Length != batch.Count)
+            throw new InvalidOperationException(
+                $"Galaxy.Host returned {response.Outcomes.Length} outcomes for a batch of {batch.Count} — protocol mismatch");
+
+        var outcomes = new HistorianWriteOutcome[response.Outcomes.Length];
+        for (var i = 0; i < response.Outcomes.Length; i++)
+            outcomes[i] = MapOutcome(response.Outcomes[i]);
+        return outcomes;
+    }
+
+    internal static HistorianAlarmEventDto ToDto(AlarmHistorianEvent e) => new()
+    {
+        AlarmId = e.AlarmId,
+        EquipmentPath = e.EquipmentPath,
+        AlarmName = e.AlarmName,
+        AlarmTypeName = e.AlarmTypeName,
+        Severity = (int)e.Severity,
+        EventKind = e.EventKind,
+        Message = e.Message,
+        User = e.User,
+        Comment = e.Comment,
+        TimestampUtcUnixMs = new DateTimeOffset(e.TimestampUtc, TimeSpan.Zero).ToUnixTimeMilliseconds(),
+    };
+
+    internal static HistorianWriteOutcome MapOutcome(HistorianAlarmEventOutcomeDto wire) => wire switch
+    {
+        HistorianAlarmEventOutcomeDto.Ack => HistorianWriteOutcome.Ack,
+        HistorianAlarmEventOutcomeDto.RetryPlease => HistorianWriteOutcome.RetryPlease,
+        HistorianAlarmEventOutcomeDto.PermanentFail => HistorianWriteOutcome.PermanentFail,
+        _ => throw new InvalidOperationException($"Unknown HistorianAlarmEventOutcomeDto byte {(byte)wire}"),
+    };
+}

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.csproj

@@ -13,7 +13,9 @@
 
     <ItemGroup>
         <ProjectReference Include="..\ZB.MOM.WW.OtOpcUa.Core.Abstractions\ZB.MOM.WW.OtOpcUa.Core.Abstractions.csproj"/>
+        <ProjectReference Include="..\ZB.MOM.WW.OtOpcUa.Core\ZB.MOM.WW.OtOpcUa.Core.csproj"/>
         <ProjectReference Include="..\ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared\ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared.csproj"/>
+        <ProjectReference Include="..\ZB.MOM.WW.OtOpcUa.Core.AlarmHistorian\ZB.MOM.WW.OtOpcUa.Core.AlarmHistorian.csproj"/>
     </ItemGroup>
 
     <ItemGroup>

src/ZB.MOM.WW.OtOpcUa.Server/DriverInstanceBootstrapper.cs

@@ -0,0 +1,88 @@
+using Microsoft.EntityFrameworkCore;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
+using ZB.MOM.WW.OtOpcUa.Configuration;
+using ZB.MOM.WW.OtOpcUa.Core.Hosting;
+
+namespace ZB.MOM.WW.OtOpcUa.Server;
+
+/// <summary>
+///     Task #248 — bridges the gap surfaced by the Phase 7 live smoke (#240) where
+///     <c>DriverInstance</c> rows in the central config DB had no path to materialise
+///     as live <see cref="Core.Abstractions.IDriver"/> instances in <see cref="DriverHost"/>.
+///     Called from <c>OpcUaServerService.ExecuteAsync</c> after the bootstrap loads
+///     the published generation, before address-space build.
+/// </summary>
+/// <remarks>
+///     <para>
+///         Per row: looks up the <c>DriverType</c> string in
+///         <see cref="DriverFactoryRegistry"/>, calls the factory with the row's
+///         <c>DriverInstanceId</c> + <c>DriverConfig</c> JSON to construct an
+///         <see cref="Core.Abstractions.IDriver"/>, then registers via
+///         <see cref="DriverHost.RegisterAsync"/> which invokes <c>InitializeAsync</c>
+///         under the host's lifecycle semantics.
+///     </para>
+///     <para>
+///         Unknown <c>DriverType</c> = factory not registered = log a warning and skip.
+///         Per plan decision #12 (driver isolation), failure to construct or initialize
+///         one driver doesn't prevent the rest from coming up — the Server keeps serving
+///         the others' subtrees + the operator can fix the misconfigured row + republish
+///         to retry.
+///     </para>
+/// </remarks>
+public sealed class DriverInstanceBootstrapper(
+    DriverFactoryRegistry factories,
+    DriverHost driverHost,
+    IServiceScopeFactory scopeFactory,
+    ILogger<DriverInstanceBootstrapper> logger)
+{
+    public async Task<int> RegisterDriversFromGenerationAsync(long generationId, CancellationToken ct)
+    {
+        using var scope = scopeFactory.CreateScope();
+        var db = scope.ServiceProvider.GetRequiredService<OtOpcUaConfigDbContext>();
+
+        var rows = await db.DriverInstances.AsNoTracking()
+            .Where(d => d.GenerationId == generationId && d.Enabled)
+            .ToListAsync(ct).ConfigureAwait(false);
+
+        var registered = 0;
+        var skippedUnknownType = 0;
+        var failedInit = 0;
+
+        foreach (var row in rows)
+        {
+            var factory = factories.TryGet(row.DriverType);
+            if (factory is null)
+            {
+                logger.LogWarning(
+                    "DriverInstance {Id} skipped — DriverType '{Type}' has no registered factory (known: {Known})",
+                    row.DriverInstanceId, row.DriverType, string.Join(",", factories.RegisteredTypes));
+                skippedUnknownType++;
+                continue;
+            }
+
+            try
+            {
+                var driver = factory(row.DriverInstanceId, row.DriverConfig);
+                await driverHost.RegisterAsync(driver, row.DriverConfig, ct).ConfigureAwait(false);
+                registered++;
+                logger.LogInformation(
+                    "DriverInstance {Id} ({Type}) registered + initialized", row.DriverInstanceId, row.DriverType);
+            }
+            catch (Exception ex)
+            {
+                // Plan decision #12 — driver isolation. Log + continue so one bad row
+                // doesn't deny the OPC UA endpoint to the rest of the fleet.
+                logger.LogError(ex,
+                    "DriverInstance {Id} ({Type}) failed to initialize — driver state will reflect Faulted; operator can republish to retry",
+                    row.DriverInstanceId, row.DriverType);
+                failedInit++;
+            }
+        }
+
+        logger.LogInformation(
+            "DriverInstanceBootstrapper: gen={Gen} registered={Registered} skippedUnknownType={Skipped} failedInit={Failed}",
+            generationId, registered, skippedUnknownType, failedInit);
+        return registered;
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Server/OpcUa/DriverNodeManager.cs

@@ -371,7 +371,20 @@ public sealed class DriverNodeManager : CustomNodeManager2, IAddressSpaceBuilder
                     BrowseName = new QualifiedName(_variable.BrowseName.Name + "_Condition", _owner.NamespaceIndex),
                     DisplayName = new LocalizedText(info.SourceName),
                 };
-                alarm.Create(_owner.SystemContext, alarm.NodeId, alarm.BrowseName, alarm.DisplayName, false);
+                // assignNodeIds=true makes the stack allocate NodeIds for every inherited
+                // AlarmConditionState child (Severity / Message / ActiveState / AckedState /
+                // EnabledState / …). Without this the children keep Foundation (ns=0) type-
+                // declaration NodeIds that aren't in the node manager's predefined-node index.
+                // The newly-allocated NodeIds default to ns=0 via the shared identifier
+                // counter — we remap them to the node manager's namespace below so client
+                // Read/Browse on children resolves against the predefined-node dictionary.
+                alarm.Create(_owner.SystemContext, alarm.NodeId, alarm.BrowseName, alarm.DisplayName, true);
+                // Assign every descendant a stable, collision-free NodeId in the node manager's
+                // namespace keyed on the condition path. The stack's default assignNodeIds path
+                // allocates from a shared ns=0 counter and does not update parent→child
+                // references when we remap, so we do the rename up front, symbolically:
+                //   {condition-full-ref}/{symbolic-path-under-condition}
+                AssignSymbolicDescendantIds(alarm, alarm.NodeId, _owner.NamespaceIndex);
                 alarm.SourceName.Value = info.SourceName;
                 alarm.Severity.Value = (ushort)MapSeverity(info.InitialSeverity);
                 alarm.Message.Value = new LocalizedText(info.InitialDescription ?? info.SourceName);
@@ -382,10 +395,20 @@ public sealed class DriverNodeManager : CustomNodeManager2, IAddressSpaceBuilder
                 alarm.AckedState.Id.Value = true;
                 alarm.ActiveState.Value = new LocalizedText("Inactive");
                 alarm.ActiveState.Id.Value = false;
+                // Enable ConditionRefresh support so clients that connect *after* a transition
+                // can pull the current retained-condition snapshot.
+                alarm.ClientUserId.Value = string.Empty;
+                alarm.BranchId.Value = NodeId.Null;
 
                 _variable.AddChild(alarm);
                 _owner.AddPredefinedNode(_owner.SystemContext, alarm);
 
+                // Part 9 event propagation: AddRootNotifier registers the alarm as an event
+                // source reachable from Objects/Server so subscriptions placed on Server-object
+                // EventNotifier receive the ReportEvent calls ConditionSink.OnTransition emits.
+                // Without this the Report fires but has no subscribers to deliver to.
+                _owner.AddRootNotifier(alarm);
+
                 return new ConditionSink(_owner, alarm);
             }
         }
@@ -398,6 +421,26 @@ public sealed class DriverNodeManager : CustomNodeManager2, IAddressSpaceBuilder
             AlarmSeverity.Critical => 900,
             _ => 500,
         };
+
+        // After alarm.Create(assignNodeIds=true), every descendant has *some* NodeId but
+        // they default to ns=0 via the shared identifier counter — allocations from two
+        // different alarms collide when we move them into the driver's namespace. Rewriting
+        // symbolically based on the condition path gives each descendant a unique, stable
+        // NodeId in the node manager's namespace. Browse + Read resolve against the current
+        // NodeId because the stack's CustomNodeManager2.Browse traverses NodeState.Children
+        // (NodeState references) and uses each child's current .NodeId in the response.
+        private static void AssignSymbolicDescendantIds(
+            NodeState parent, NodeId parentNodeId, ushort namespaceIndex)
+        {
+            var children = new List<BaseInstanceState>();
+            parent.GetChildren(null!, children);
+            foreach (var child in children)
+            {
+                child.NodeId = new NodeId(
+                    $"{parentNodeId.Identifier}.{child.SymbolicName}", namespaceIndex);
+                AssignSymbolicDescendantIds(child, child.NodeId, namespaceIndex);
+            }
+        }
     }
 
     private sealed class ConditionSink(DriverNodeManager owner, AlarmConditionState alarm)

src/ZB.MOM.WW.OtOpcUa.Server/OpcUa/OpcUaApplicationHost.cs

@@ -34,9 +34,11 @@ public sealed class OpcUaApplicationHost : IAsyncDisposable
     // Phase 7 Stream G follow-up (task #239). When composed with the VirtualTagEngine +
     // ScriptedAlarmEngine sources these route node reads to the engines instead of the
     // driver. Null = Phase 7 engines not enabled for this deployment (identical to pre-
-    // Phase-7 behaviour).
-    private readonly ZB.MOM.WW.OtOpcUa.Core.Abstractions.IReadable? _virtualReadable;
-    private readonly ZB.MOM.WW.OtOpcUa.Core.Abstractions.IReadable? _scriptedAlarmReadable;
+    // Phase-7 behaviour). Late-bindable via SetPhase7Sources because the engines need
+    // the bootstrapped generation id before they can compose, which is only known after
+    // the host has been DI-constructed (task #246).
+    private ZB.MOM.WW.OtOpcUa.Core.Abstractions.IReadable? _virtualReadable;
+    private ZB.MOM.WW.OtOpcUa.Core.Abstractions.IReadable? _scriptedAlarmReadable;
 
     private readonly ILoggerFactory _loggerFactory;
     private readonly ILogger<OpcUaApplicationHost> _logger;
@@ -75,6 +77,24 @@ public sealed class OpcUaApplicationHost : IAsyncDisposable
 
     public OtOpcUaServer? Server => _server;
 
+    /// <summary>
+    ///     Late-bind the Phase 7 engine-backed <c>IReadable</c> sources. Must be
+    ///     called BEFORE <see cref="StartAsync"/> — once the OPC UA server starts, the
+    ///     <see cref="OtOpcUaServer"/> ctor captures the field values + per-node
+    ///     <see cref="DriverNodeManager"/>s are constructed. Calling this after start has
+    ///     no effect on already-materialized node managers.
+    /// </summary>
+    public void SetPhase7Sources(
+        ZB.MOM.WW.OtOpcUa.Core.Abstractions.IReadable? virtualReadable,
+        ZB.MOM.WW.OtOpcUa.Core.Abstractions.IReadable? scriptedAlarmReadable)
+    {
+        if (_server is not null)
+            throw new InvalidOperationException(
+                "Phase 7 sources must be set before OpcUaApplicationHost.StartAsync; the OtOpcUaServer + DriverNodeManagers have already captured the previous values.");
+        _virtualReadable = virtualReadable;
+        _scriptedAlarmReadable = scriptedAlarmReadable;
+    }
+
     /// <summary>
     ///     Builds the <see cref="ApplicationConfiguration"/>, validates/creates the application
     ///     certificate, constructs + starts the <see cref="OtOpcUaServer"/>, then drives

src/ZB.MOM.WW.OtOpcUa.Server/OpcUaServerService.cs

@@ -3,6 +3,7 @@ using Microsoft.Extensions.Hosting;
 using Microsoft.Extensions.Logging;
 using ZB.MOM.WW.OtOpcUa.Core.Hosting;
 using ZB.MOM.WW.OtOpcUa.Server.OpcUa;
+using ZB.MOM.WW.OtOpcUa.Server.Phase7;
 
 namespace ZB.MOM.WW.OtOpcUa.Server;
 
@@ -17,6 +18,8 @@ public sealed class OpcUaServerService(
     DriverHost driverHost,
     OpcUaApplicationHost applicationHost,
     DriverEquipmentContentRegistry equipmentContentRegistry,
+    DriverInstanceBootstrapper driverBootstrapper,
+    Phase7Composer phase7Composer,
     IServiceScopeFactory scopeFactory,
     ILogger<OpcUaServerService> logger) : BackgroundService
 {
@@ -34,12 +37,26 @@ public sealed class OpcUaServerService(
         // Skipped when no generation is Published yet — the fleet boots into a UNS-less
         // address space until the first publish, then the registry fills on next restart.
         if (result.GenerationId is { } gen)
+        {
+            // Task #248 — register IDriver instances from the published DriverInstance
+            // rows BEFORE the equipment-content load + Phase 7 compose, so the rest of
+            // the pipeline sees a populated DriverHost. Without this step Phase 7's
+            // CachedTagUpstreamSource has no upstream feed + virtual-tag scripts read
+            // BadNodeIdUnknown for every tag path (gap surfaced by task #240 smoke).
+            await driverBootstrapper.RegisterDriversFromGenerationAsync(gen, stoppingToken);
+
             await PopulateEquipmentContentAsync(gen, stoppingToken);
 
-        // PR 17: stand up the OPC UA server + drive discovery per registered driver. Driver
-        // registration itself (RegisterAsync on DriverHost) happens during an earlier DI
-        // extension once the central config DB query + per-driver factory land; for now the
-        // server comes up with whatever drivers are in DriverHost at start time.
+            // Phase 7 follow-up #246 — load Script + VirtualTag + ScriptedAlarm rows,
+            // compose VirtualTagEngine + ScriptedAlarmEngine, start the driver-bridge
+            // feed. SetPhase7Sources MUST run before applicationHost.StartAsync because
+            // OtOpcUaServer + DriverNodeManager construction captures the field values
+            // — late binding after server start is rejected with InvalidOperationException.
+            // No-op when the generation has no virtual tags or scripted alarms.
+            var phase7 = await phase7Composer.PrepareAsync(gen, stoppingToken);
+            applicationHost.SetPhase7Sources(phase7.VirtualReadable, phase7.ScriptedAlarmReadable);
+        }
+
         await applicationHost.StartAsync(stoppingToken);
 
         logger.LogInformation("OtOpcUa.Server running. Hosted drivers: {Count}", driverHost.RegisteredDriverIds.Count);
@@ -57,6 +74,11 @@ public sealed class OpcUaServerService(
     public override async Task StopAsync(CancellationToken cancellationToken)
     {
         await base.StopAsync(cancellationToken);
+        // Dispose Phase 7 first so the bridge stops feeding the cache + the engines
+        // stop firing alarm/historian events before the OPC UA server tears down its
+        // node managers. Otherwise an in-flight cascade could try to push through a
+        // disposed source and surface as a noisy shutdown warning.
+        await phase7Composer.DisposeAsync();
         await applicationHost.DisposeAsync();
         await driverHost.DisposeAsync();
     }

src/ZB.MOM.WW.OtOpcUa.Server/Phase7/DriverSubscriptionBridge.cs

@@ -0,0 +1,146 @@
+using Microsoft.Extensions.Logging;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.Phase7;
+
+/// <summary>
+///     Phase 7 follow-up (task #244). Subscribes to live driver <see cref="ISubscribable"/>
+///     surfaces for every input path the Phase 7 engines care about + pushes incoming
+///     <see cref="DataChangeEventArgs.Snapshot"/>s into <see cref="CachedTagUpstreamSource"/>
+///     so <c>ctx.GetTag</c> reads see the freshest driver value.
+/// </summary>
+/// <remarks>
+///     <para>
+///         Each <see cref="DriverFeed"/> declares a driver + the path-to-fullRef map for the
+///         attributes that driver provides. The bridge groups by driver so each <see cref="ISubscribable"/>
+///         gets one <c>SubscribeAsync</c> call with a batched fullRef list — drivers that
+///         poll under the hood (Modbus, AB CIP, S7) consolidate the polls; drivers with
+///         native subscriptions (Galaxy, OPC UA Client, TwinCAT) get a single watch list.
+///     </para>
+///     <para>
+///         Because driver fullRefs are opaque + driver-specific (Galaxy
+///         <c>"DelmiaReceiver_001.Temp"</c>, Modbus <c>"40001"</c>, AB CIP
+///         <c>"Temperature[0]"</c>), the bridge keeps a per-feed reverse map from fullRef
+///         back to UNS path. <c>OnDataChange</c> fires keyed by fullRef; the bridge
+///         translates to the script-side path before calling <see cref="CachedTagUpstreamSource.Push"/>.
+///     </para>
+///     <para>
+///         Lifecycle: construct → <see cref="StartAsync"/> with the feeds → keep alive
+///         alongside the engines → <see cref="DisposeAsync"/> unsubscribes from every
+///         driver + unhooks the OnDataChange handlers. Driver subscriptions don't leak
+///         even on abnormal shutdown because the disposal awaits each
+///         <c>UnsubscribeAsync</c>.
+///     </para>
+/// </remarks>
+public sealed class DriverSubscriptionBridge : IAsyncDisposable
+{
+    private readonly CachedTagUpstreamSource _sink;
+    private readonly ILogger<DriverSubscriptionBridge> _logger;
+    private readonly List<ActiveSubscription> _active = [];
+    private bool _started;
+    private bool _disposed;
+
+    public DriverSubscriptionBridge(
+        CachedTagUpstreamSource sink,
+        ILogger<DriverSubscriptionBridge> logger)
+    {
+        _sink = sink ?? throw new ArgumentNullException(nameof(sink));
+        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+    }
+
+    /// <summary>
+    ///     Subscribe each feed's driver to its declared fullRefs + wire push-to-cache.
+    ///     Idempotent guard rejects double-start. Throws on the first subscribe failure
+    ///     so misconfiguration surfaces fast — partial-subscribe state doesn't linger.
+    /// </summary>
+    public async Task StartAsync(IEnumerable<DriverFeed> feeds, CancellationToken ct)
+    {
+        ArgumentNullException.ThrowIfNull(feeds);
+        if (_disposed) throw new ObjectDisposedException(nameof(DriverSubscriptionBridge));
+        if (_started) throw new InvalidOperationException("DriverSubscriptionBridge already started");
+        _started = true;
+
+        foreach (var feed in feeds)
+        {
+            if (feed.PathToFullRef.Count == 0) continue;
+
+            // Reverse map for OnDataChange dispatch — driver fires keyed by FullReference,
+            // we push keyed by the script-side path.
+            var fullRefToPath = feed.PathToFullRef
+                .ToDictionary(kv => kv.Value, kv => kv.Key, StringComparer.Ordinal);
+            var fullRefs = feed.PathToFullRef.Values.Distinct(StringComparer.Ordinal).ToList();
+
+            EventHandler<DataChangeEventArgs> handler = (_, e) =>
+            {
+                if (fullRefToPath.TryGetValue(e.FullReference, out var unsPath))
+                    _sink.Push(unsPath, e.Snapshot);
+            };
+            feed.Driver.OnDataChange += handler;
+
+            try
+            {
+                // OTOPCUA0001 suppression — the analyzer flags ISubscribable calls outside
+                // CapabilityInvoker. This bridge IS the lifecycle-coordinator for Phase 7
+                // subscriptions: it runs once at engine compose, doesn't hot-path per
+                // script evaluation (the engines read from the cache instead), and surfaces
+                // any subscribe failure by aborting bridge start. Wrapping in the per-call
+                // resilience pipeline would add nothing — there's no caller to retry on
+                // behalf of, and the breaker/bulkhead semantics belong to actual driver Read
+                // dispatch, which still goes through CapabilityInvoker via DriverNodeManager.
+#pragma warning disable OTOPCUA0001
+                var handle = await feed.Driver.SubscribeAsync(fullRefs, feed.PublishingInterval, ct).ConfigureAwait(false);
+#pragma warning restore OTOPCUA0001
+                _active.Add(new ActiveSubscription(feed.Driver, handle, handler));
+                _logger.LogInformation(
+                    "Phase 7 bridge subscribed {Count} attribute(s) from driver {Driver} (handle {Handle})",
+                    fullRefs.Count, feed.Driver.GetType().Name, handle.DiagnosticId);
+            }
+            catch
+            {
+                feed.Driver.OnDataChange -= handler;
+                throw;
+            }
+        }
+    }
+
+    public async ValueTask DisposeAsync()
+    {
+        if (_disposed) return;
+        _disposed = true;
+        foreach (var sub in _active)
+        {
+            sub.Driver.OnDataChange -= sub.Handler;
+            try
+            {
+#pragma warning disable OTOPCUA0001 // bridge lifecycle — see StartAsync suppression rationale
+                await sub.Driver.UnsubscribeAsync(sub.Handle, CancellationToken.None).ConfigureAwait(false);
+#pragma warning restore OTOPCUA0001
+            }
+            catch (Exception ex)
+            {
+                _logger.LogWarning(ex,
+                    "Driver {Driver} UnsubscribeAsync threw on bridge dispose (handle {Handle})",
+                    sub.Driver.GetType().Name, sub.Handle.DiagnosticId);
+            }
+        }
+        _active.Clear();
+    }
+
+    private sealed record ActiveSubscription(
+        ISubscribable Driver,
+        ISubscriptionHandle Handle,
+        EventHandler<DataChangeEventArgs> Handler);
+}
+
+/// <summary>
+///     One driver's contribution to the Phase 7 bridge — the driver's <see cref="ISubscribable"/>
+///     surface plus the path-to-fullRef map the bridge uses to translate driver-side
+///     <see cref="DataChangeEventArgs.FullReference"/> back to script-side paths.
+/// </summary>
+/// <param name="Driver">The driver's subscribable surface (every shipped driver implements <see cref="ISubscribable"/>).</param>
+/// <param name="PathToFullRef">UNS path the script uses → driver-opaque fullRef. Empty map = nothing to subscribe (skipped).</param>
+/// <param name="PublishingInterval">Forwarded to the driver's <see cref="ISubscribable.SubscribeAsync"/>.</param>
+public sealed record DriverFeed(
+    ISubscribable Driver,
+    IReadOnlyDictionary<string, string> PathToFullRef,
+    TimeSpan PublishingInterval);

src/ZB.MOM.WW.OtOpcUa.Server/Phase7/Phase7Composer.cs

@@ -0,0 +1,237 @@
+using Microsoft.EntityFrameworkCore;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
+using ZB.MOM.WW.OtOpcUa.Configuration;
+using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+using ZB.MOM.WW.OtOpcUa.Core.AlarmHistorian;
+using ZB.MOM.WW.OtOpcUa.Core.Hosting;
+using ZB.MOM.WW.OtOpcUa.Core.OpcUa;
+using ZB.MOM.WW.OtOpcUa.Core.ScriptedAlarms;
+using ZB.MOM.WW.OtOpcUa.Server.OpcUa;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.Phase7;
+
+/// <summary>
+///     Phase 7 follow-up (task #246) — orchestrates the runtime composition of virtual
+///     tags + scripted alarms + the historian sink + the driver-bridge that feeds the
+///     engines. Called by <see cref="OpcUaServerService"/> after the bootstrap generation
+///     loads + before <see cref="OpcUaApplicationHost.StartAsync"/>.
+/// </summary>
+/// <remarks>
+///     <para>
+///         <see cref="PrepareAsync"/> reads Script / VirtualTag / ScriptedAlarm rows from
+///         the central config DB at the bootstrapped generation, instantiates a
+///         <see cref="CachedTagUpstreamSource"/>, runs <see cref="Phase7EngineComposer.Compose"/>,
+///         starts a <see cref="DriverSubscriptionBridge"/> per registered driver feeding
+///         <see cref="EquipmentNamespaceContent"/>'s tag rows into the cache, and returns
+///         the engine-backed <see cref="Core.Abstractions.IReadable"/> sources for
+///         <see cref="OpcUaApplicationHost.SetPhase7Sources"/>.
+///     </para>
+///     <para>
+///         <see cref="DisposeAsync"/> tears down the bridge first (so no more events
+///         arrive at the cache), then the engines (so cascades + timer ticks stop), then
+///         the SQLite sink (which flushes any in-flight drain). Lifetime is owned by the
+///         host; <see cref="OpcUaServerService.StopAsync"/> calls dispose during graceful
+///         shutdown.
+///     </para>
+/// </remarks>
+public sealed class Phase7Composer : IAsyncDisposable
+{
+    private readonly IServiceScopeFactory _scopeFactory;
+    private readonly DriverHost _driverHost;
+    private readonly DriverEquipmentContentRegistry _equipmentRegistry;
+    private readonly IAlarmHistorianSink _historianSink;
+    private readonly ILoggerFactory _loggerFactory;
+    private readonly Serilog.ILogger _scriptLogger;
+    private readonly ILogger<Phase7Composer> _logger;
+
+    private DriverSubscriptionBridge? _bridge;
+    private Phase7ComposedSources _sources = Phase7ComposedSources.Empty;
+    // Sink we constructed in PrepareAsync (vs. the injected fallback). Held so
+    // DisposeAsync can flush + tear down the SQLite drain timer.
+    private SqliteStoreAndForwardSink? _ownedSink;
+    private bool _disposed;
+
+    public Phase7Composer(
+        IServiceScopeFactory scopeFactory,
+        DriverHost driverHost,
+        DriverEquipmentContentRegistry equipmentRegistry,
+        IAlarmHistorianSink historianSink,
+        ILoggerFactory loggerFactory,
+        Serilog.ILogger scriptLogger,
+        ILogger<Phase7Composer> logger)
+    {
+        _scopeFactory = scopeFactory ?? throw new ArgumentNullException(nameof(scopeFactory));
+        _driverHost = driverHost ?? throw new ArgumentNullException(nameof(driverHost));
+        _equipmentRegistry = equipmentRegistry ?? throw new ArgumentNullException(nameof(equipmentRegistry));
+        _historianSink = historianSink ?? throw new ArgumentNullException(nameof(historianSink));
+        _loggerFactory = loggerFactory ?? throw new ArgumentNullException(nameof(loggerFactory));
+        _scriptLogger = scriptLogger ?? throw new ArgumentNullException(nameof(scriptLogger));
+        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+    }
+
+    public Phase7ComposedSources Sources => _sources;
+
+    public async Task<Phase7ComposedSources> PrepareAsync(long generationId, CancellationToken ct)
+    {
+        if (_disposed) throw new ObjectDisposedException(nameof(Phase7Composer));
+
+        // Load the three Phase 7 row sets in one DB scope.
+        List<Script> scripts;
+        List<VirtualTag> virtualTags;
+        List<ScriptedAlarm> scriptedAlarms;
+        using (var scope = _scopeFactory.CreateScope())
+        {
+            var db = scope.ServiceProvider.GetRequiredService<OtOpcUaConfigDbContext>();
+            scripts = await db.Scripts.AsNoTracking()
+                .Where(s => s.GenerationId == generationId).ToListAsync(ct).ConfigureAwait(false);
+            virtualTags = await db.VirtualTags.AsNoTracking()
+                .Where(v => v.GenerationId == generationId && v.Enabled).ToListAsync(ct).ConfigureAwait(false);
+            scriptedAlarms = await db.ScriptedAlarms.AsNoTracking()
+                .Where(a => a.GenerationId == generationId && a.Enabled).ToListAsync(ct).ConfigureAwait(false);
+        }
+
+        if (virtualTags.Count == 0 && scriptedAlarms.Count == 0)
+        {
+            _logger.LogInformation("Phase 7: no virtual tags or scripted alarms in generation {Gen}; engines dormant", generationId);
+            return Phase7ComposedSources.Empty;
+        }
+
+        var upstream = new CachedTagUpstreamSource();
+
+        // Phase 7 follow-up #247 — if any registered driver implements IAlarmHistorianWriter
+        // (today: GalaxyProxyDriver), wrap it in a SqliteStoreAndForwardSink at
+        // %ProgramData%/OtOpcUa/alarm-historian-queue.db with the 2s drain cadence the
+        // sink's docstring recommends. Otherwise fall back to the injected sink (Null in
+        // the default registration).
+        var historianSink = ResolveHistorianSink();
+
+        _sources = Phase7EngineComposer.Compose(
+            scripts: scripts,
+            virtualTags: virtualTags,
+            scriptedAlarms: scriptedAlarms,
+            upstream: upstream,
+            alarmStateStore: new InMemoryAlarmStateStore(),
+            historianSink: historianSink,
+            rootScriptLogger: _scriptLogger,
+            loggerFactory: _loggerFactory);
+
+        _logger.LogInformation(
+            "Phase 7: composed engines from generation {Gen} — {Vt} virtual tag(s), {Al} scripted alarm(s), {Sc} script(s)",
+            generationId, virtualTags.Count, scriptedAlarms.Count, scripts.Count);
+
+        // Build driver feeds from each registered driver's EquipmentNamespaceContent + start
+        // the bridge. Drivers without populated content (Galaxy SystemPlatform-kind, drivers
+        // whose Equipment rows haven't been published yet) contribute an empty feed which
+        // the bridge silently skips.
+        _bridge = new DriverSubscriptionBridge(upstream, _loggerFactory.CreateLogger<DriverSubscriptionBridge>());
+        var feeds = BuildDriverFeeds(_driverHost, _equipmentRegistry);
+        await _bridge.StartAsync(feeds, ct).ConfigureAwait(false);
+
+        return _sources;
+    }
+
+    private IAlarmHistorianSink ResolveHistorianSink()
+    {
+        IAlarmHistorianWriter? writer = null;
+        foreach (var driverId in _driverHost.RegisteredDriverIds)
+        {
+            if (_driverHost.GetDriver(driverId) is IAlarmHistorianWriter w)
+            {
+                writer = w;
+                _logger.LogInformation(
+                    "Phase 7 historian sink: driver {Driver} provides IAlarmHistorianWriter — wiring SqliteStoreAndForwardSink",
+                    driverId);
+                break;
+            }
+        }
+        if (writer is null)
+        {
+            _logger.LogInformation(
+                "Phase 7 historian sink: no driver provides IAlarmHistorianWriter — using {Sink}",
+                _historianSink.GetType().Name);
+            return _historianSink;
+        }
+
+        var queueRoot = Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData);
+        if (string.IsNullOrEmpty(queueRoot)) queueRoot = Path.GetTempPath();
+        var queueDir = Path.Combine(queueRoot, "OtOpcUa");
+        Directory.CreateDirectory(queueDir);
+        var queuePath = Path.Combine(queueDir, "alarm-historian-queue.db");
+
+        var sinkLogger = _loggerFactory.CreateLogger<SqliteStoreAndForwardSink>();
+        // SqliteStoreAndForwardSink wants a Serilog logger for warn-on-eviction emissions;
+        // bridge the Microsoft logger via Serilog's null-safe path until the sink's
+        // dependency surface is reshaped (covered as part of release-readiness).
+        var serilogShim = _scriptLogger.ForContext("HistorianQueuePath", queuePath);
+        _ownedSink = new SqliteStoreAndForwardSink(
+            databasePath: queuePath,
+            writer: writer,
+            logger: serilogShim);
+        _ownedSink.StartDrainLoop(TimeSpan.FromSeconds(2));
+        return _ownedSink;
+    }
+
+    /// <summary>
+    ///     For each registered driver that exposes <see cref="Core.Abstractions.ISubscribable"/>,
+    ///     build a UNS-path → driver-fullRef map from its EquipmentNamespaceContent.
+    ///     Path convention: <c>/{areaName}/{lineName}/{equipmentName}/{tagName}</c> matching
+    ///     what the EquipmentNodeWalker emits into the OPC UA browse tree, so script literals
+    ///     written against the operator-visible tree work without translation.
+    /// </summary>
+    internal static IReadOnlyList<DriverFeed> BuildDriverFeeds(
+        DriverHost driverHost, DriverEquipmentContentRegistry equipmentRegistry)
+    {
+        var feeds = new List<DriverFeed>();
+        foreach (var driverId in driverHost.RegisteredDriverIds)
+        {
+            var driver = driverHost.GetDriver(driverId);
+            if (driver is not Core.Abstractions.ISubscribable subscribable) continue;
+
+            var content = equipmentRegistry.Get(driverId);
+            if (content is null) continue;
+
+            var pathToFullRef = MapPathsToFullRefs(content);
+            if (pathToFullRef.Count == 0) continue;
+
+            feeds.Add(new DriverFeed(subscribable, pathToFullRef, TimeSpan.FromSeconds(1)));
+        }
+        return feeds;
+    }
+
+    internal static IReadOnlyDictionary<string, string> MapPathsToFullRefs(EquipmentNamespaceContent content)
+    {
+        var result = new Dictionary<string, string>(StringComparer.Ordinal);
+        var areaById = content.Areas.ToDictionary(a => a.UnsAreaId, StringComparer.OrdinalIgnoreCase);
+        var lineById = content.Lines.ToDictionary(l => l.UnsLineId, StringComparer.OrdinalIgnoreCase);
+        var equipmentById = content.Equipment.ToDictionary(e => e.EquipmentId, StringComparer.OrdinalIgnoreCase);
+
+        foreach (var tag in content.Tags)
+        {
+            if (string.IsNullOrEmpty(tag.EquipmentId)) continue;
+            if (!equipmentById.TryGetValue(tag.EquipmentId!, out var eq)) continue;
+            if (!lineById.TryGetValue(eq.UnsLineId, out var line)) continue;
+            if (!areaById.TryGetValue(line.UnsAreaId, out var area)) continue;
+
+            var path = $"/{area.Name}/{line.Name}/{eq.Name}/{tag.Name}";
+            result[path] = tag.TagConfig;  // duplicate-path collisions naturally win-last; UI publish-validation rules out duplicate names
+        }
+        return result;
+    }
+
+    public async ValueTask DisposeAsync()
+    {
+        if (_disposed) return;
+        _disposed = true;
+        if (_bridge is not null) await _bridge.DisposeAsync().ConfigureAwait(false);
+        foreach (var d in _sources.Disposables)
+        {
+            try { d.Dispose(); }
+            catch (Exception ex) { _logger.LogWarning(ex, "Phase 7 disposable threw during shutdown"); }
+        }
+        // Owned SQLite sink: dispose first so the drain timer stops + final batch flushes
+        // before we release the writer-bearing driver via DriverHost.DisposeAsync upstream.
+        _ownedSink?.Dispose();
+        if (_historianSink is IDisposable disposableSink) disposableSink.Dispose();
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Server/Program.cs

@@ -8,8 +8,12 @@ using Serilog.Formatting.Compact;
 using ZB.MOM.WW.OtOpcUa.Configuration;
 using ZB.MOM.WW.OtOpcUa.Configuration.LocalCache;
 using ZB.MOM.WW.OtOpcUa.Core.Hosting;
+using ZB.MOM.WW.OtOpcUa.Core.AlarmHistorian;
+using ZB.MOM.WW.OtOpcUa.Driver.FOCAS;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy;
 using ZB.MOM.WW.OtOpcUa.Server;
 using ZB.MOM.WW.OtOpcUa.Server.OpcUa;
+using ZB.MOM.WW.OtOpcUa.Server.Phase7;
 using ZB.MOM.WW.OtOpcUa.Server.Security;
 
 var builder = Host.CreateApplicationBuilder(args);
@@ -87,6 +91,19 @@ builder.Services.AddSingleton<ILocalConfigCache>(_ => new LiteDbConfigCache(opti
 builder.Services.AddSingleton<DriverHost>();
 builder.Services.AddSingleton<NodeBootstrap>();
 
+// Task #248 — driver-instance bootstrap pipeline. DriverFactoryRegistry is the
+// type-name → factory map; each driver project's static Register call pre-loads
+// its factory so the bootstrapper can materialise DriverInstance rows from the
+// central DB into live IDriver instances.
+builder.Services.AddSingleton<DriverFactoryRegistry>(_ =>
+{
+    var registry = new DriverFactoryRegistry();
+    GalaxyProxyDriverFactoryExtensions.Register(registry);
+    FocasDriverFactoryExtensions.Register(registry);
+    return registry;
+});
+builder.Services.AddSingleton<DriverInstanceBootstrapper>();
+
 // ADR-001 Option A wiring — the registry is the handoff between OpcUaServerService's
 // bootstrap-time population pass + OpcUaApplicationHost's StartAsync walker invocation.
 // DriverEquipmentContentRegistry.Get is the equipmentContentLookup delegate that PR #155
@@ -113,5 +130,13 @@ builder.Services.AddDbContext<OtOpcUaConfigDbContext>(opt =>
     opt.UseSqlServer(options.ConfigDbConnectionString));
 builder.Services.AddHostedService<HostStatusPublisher>();
 
+// Phase 7 follow-up #246 — historian sink + engine composer. NullAlarmHistorianSink
+// is the default until the Galaxy.Host SqliteStoreAndForwardSink writer adapter
+// lands (task #248). The composer reads Script/VirtualTag/ScriptedAlarm rows on
+// generation bootstrap, builds the engines, and starts the driver-bridge feed.
+builder.Services.AddSingleton<IAlarmHistorianSink>(NullAlarmHistorianSink.Instance);
+builder.Services.AddSingleton(Log.Logger);  // Serilog root for ScriptLoggerFactory
+builder.Services.AddSingleton<Phase7Composer>();
+
 var host = builder.Build();
 await host.RunAsync();

src/ZB.MOM.WW.OtOpcUa.Server/ZB.MOM.WW.OtOpcUa.Server.csproj

@@ -34,6 +34,8 @@
         <ProjectReference Include="..\ZB.MOM.WW.OtOpcUa.Core.VirtualTags\ZB.MOM.WW.OtOpcUa.Core.VirtualTags.csproj"/>
         <ProjectReference Include="..\ZB.MOM.WW.OtOpcUa.Core.ScriptedAlarms\ZB.MOM.WW.OtOpcUa.Core.ScriptedAlarms.csproj"/>
         <ProjectReference Include="..\ZB.MOM.WW.OtOpcUa.Core.AlarmHistorian\ZB.MOM.WW.OtOpcUa.Core.AlarmHistorian.csproj"/>
+        <ProjectReference Include="..\ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy\ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.csproj"/>
+        <ProjectReference Include="..\ZB.MOM.WW.OtOpcUa.Driver.FOCAS\ZB.MOM.WW.OtOpcUa.Driver.FOCAS.csproj"/>
         <ProjectReference Include="..\ZB.MOM.WW.OtOpcUa.Analyzers\ZB.MOM.WW.OtOpcUa.Analyzers.csproj"
                           OutputItemType="Analyzer" ReferenceOutputAssembly="false"/>
     </ItemGroup>

tests/ZB.MOM.WW.OtOpcUa.Admin.E2ETests/AdminWebAppFactory.cs

@@ -5,6 +5,7 @@ using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.EntityFrameworkCore;
 using Microsoft.Extensions.DependencyInjection;
+using ZB.MOM.WW.OtOpcUa.Admin.Hubs;
 using ZB.MOM.WW.OtOpcUa.Configuration;
 using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
 using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
@@ -32,13 +33,43 @@ public sealed class AdminWebAppFactory : IAsyncDisposable
     public long SeededGenerationId { get; private set; }
     public string SeededClusterId { get; } = "e2e-cluster";
 
+    /// <summary>
+    ///     Root service provider of the running host. Tests use this to create scopes that
+    ///     share the InMemory DB with the Blazor-rendered page — e.g. to assert post-commit
+    ///     state, or to simulate a concurrent peer edit that bumps the DraftRevisionToken
+    ///     between preview-open and Confirm-click.
+    /// </summary>
+    public IServiceProvider Services => _app?.Services
+        ?? throw new InvalidOperationException("AdminWebAppFactory: StartAsync has not been called");
+
     public async Task StartAsync()
     {
         var port = GetFreeTcpPort();
         BaseUrl = $"http://127.0.0.1:{port}";
 
-        var builder = WebApplication.CreateBuilder(Array.Empty<string>());
+        // Point the content root at the Admin project's build output so the Admin
+        // assembly + its sibling staticwebassets manifest are discoverable. The manifest
+        // maps /_framework/* to the framework NuGet cache + /app.css to the Admin source
+        // wwwroot; StaticWebAssetsLoader.UseStaticWebAssets reads it and wires a composite
+        // file provider automatically.
+        var adminAssemblyDir = System.IO.Path.GetDirectoryName(
+            typeof(Admin.Components.App).Assembly.Location)!;
+        var builder = WebApplication.CreateBuilder(new WebApplicationOptions
+        {
+            ContentRootPath = adminAssemblyDir,
+            ApplicationName = typeof(Admin.Components.App).Assembly.GetName().Name,
+        });
         builder.WebHost.UseUrls(BaseUrl);
+        // UseStaticWebAssets reads {ApplicationName}.staticwebassets.runtime.json (or the
+        // development variant via the ASPNETCORE_HOSTINGSTARTUPASSEMBLIES convention) and
+        // composes a PhysicalFileProvider per declared ContentRoot. This is what
+        // `dotnet run` does automatically via the MSBuild targets — we replicate it
+        // explicitly for the test-owned pipeline.
+        builder.WebHost.UseStaticWebAssets();
+        // E2E host runs in Development so unhandled exceptions during Blazor render surface
+        // as visible 500s with stacks the test can capture — prod-style generic errors make
+        // diagnosis of circuit / DI misconfig effectively impossible.
+        builder.Environment.EnvironmentName = Microsoft.Extensions.Hosting.Environments.Development;
 
         // --- Mirror the Admin composition in Program.cs, but with the InMemory DB + test
         // auth swaps instead of SQL Server + LDAP cookie auth.
@@ -54,8 +85,13 @@ public sealed class AdminWebAppFactory : IAsyncDisposable
             .AddPolicy("CanPublish", p => p.RequireRole(Admin.Services.AdminRoles.FleetAdmin));
         builder.Services.AddCascadingAuthenticationState();
 
+        // One InMemory database name per fixture — the lambda below runs on every DbContext
+        // construction, so capturing a stable string (not calling Guid.NewGuid() inline) is
+        // critical: every scope (seed, Blazor circuit, test assertions) must share the same
+        // backing store or rows written in one scope disappear in the next.
+        var dbName = $"e2e-{Guid.NewGuid():N}";
         builder.Services.AddDbContext<OtOpcUaConfigDbContext>(opt =>
-            opt.UseInMemoryDatabase($"e2e-{Guid.NewGuid():N}"));
+            opt.UseInMemoryDatabase(dbName));
 
         builder.Services.AddScoped<Admin.Services.ClusterService>();
         builder.Services.AddScoped<Admin.Services.GenerationService>();
@@ -72,6 +108,12 @@ public sealed class AdminWebAppFactory : IAsyncDisposable
         _app.UseAuthorization();
         _app.UseAntiforgery();
         _app.MapRazorComponents<Admin.Components.App>().AddInteractiveServerRenderMode();
+        // The ClusterDetail + other pages connect SignalR hubs at render time — the
+        // endpoints must exist or the Blazor circuit surfaces a 500 on first interactive
+        // step. No background pollers (FleetStatusPoller etc.) are registered so the hubs
+        // stay quiet until something pushes through IHubContext, which the E2E tests don't.
+        _app.MapHub<FleetStatusHub>("/hubs/fleet");
+        _app.MapHub<AlertHub>("/hubs/alerts");
 
         // Seed the draft BEFORE starting the host so Playwright sees a ready page on first nav.
         using (var scope = _app.Services.CreateScope())

tests/ZB.MOM.WW.OtOpcUa.Admin.E2ETests/UnsTabDragDropE2ETests.cs

@@ -1,13 +1,16 @@
+using Microsoft.EntityFrameworkCore;
+using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Playwright;
 using Shouldly;
 using Xunit;
+using ZB.MOM.WW.OtOpcUa.Configuration;
 
 namespace ZB.MOM.WW.OtOpcUa.Admin.E2ETests;
 
 /// <summary>
-///     Phase 6.4 UnsTab drag-drop E2E smoke (task #199). This PR lands the Playwright +
-///     WebApplicationFactory-equivalent scaffolding so future E2E coverage builds on it
-///     rather than setting it up from scratch.
+///     Phase 6.4 UnsTab drag-drop E2E. Task #199 landed the scaffolding; task #242 (this file)
+///     drives the Blazor Server interactive circuit through a real drag-drop → confirm-modal
+///     → apply flow and a 409 concurrent-edit flow, both via Chromium.
 /// </summary>
 /// <remarks>
 ///     <para>
@@ -17,13 +20,15 @@ namespace ZB.MOM.WW.OtOpcUa.Admin.E2ETests;
 ///         so CI pipelines that don't run the install step still report green.
 ///     </para>
 ///     <para>
-///         <b>Current scope.</b> The host-reachability smoke below proves the infra works:
-///         Kestrel-on-a-free-port, InMemory DbContext swap, <see cref="TestAuthHandler"/>
-///         bypass, and Playwright-to-real-browser are all exercised. The actual drag-drop
-///         interactive assertion is filed as a follow-up (task #242) because
-///         Blazor Server interactive render through a test-owned pipeline needs a dedicated
-///         diagnosis pass — the scaffolding lands here first so that follow-up can focus on
-///         the Blazor-specific wiring instead of rebuilding the harness.
+///         <b>Harness notes.</b> <see cref="AdminWebAppFactory"/> points the content root at
+///         the Admin assembly directory + sets <c>ApplicationName</c> + calls
+///         <c>UseStaticWebAssets</c> so <c>/_framework/blazor.web.js</c> + <c>/app.css</c>
+///         resolve from the Admin's <c>staticwebassets.development.json</c> manifest (which
+///         stitches together Admin <c>wwwroot</c> + the framework NuGet cache). Hubs
+///         <c>/hubs/fleet</c> + <c>/hubs/alerts</c> are mapped so <c>ClusterDetail</c>'s
+///         <c>HubConnection</c> negotiation doesn't 500 at first render. The InMemory
+///         database name is captured as a stable string per fixture instance so the seed
+///         scope + Blazor circuit scope + test-assertion scope all share one backing store.
 ///     </para>
 /// </remarks>
 [Trait("Category", "E2E")]
@@ -35,34 +40,20 @@ public sealed class UnsTabDragDropE2ETests
         await using var app = new AdminWebAppFactory();
         await app.StartAsync();
 
-        PlaywrightFixture fixture;
-        try
-        {
-            fixture = new PlaywrightFixture();
-            await fixture.InitializeAsync();
-        }
-        catch (PlaywrightBrowserMissingException)
-        {
-            Assert.Skip("Chromium not installed. Run playwright.ps1 install chromium.");
-            return;
-        }
+        var fixture = await TryInitPlaywrightAsync();
+        if (fixture is null) return;
 
         try
         {
             var ctx = await fixture.Browser.NewContextAsync();
             var page = await ctx.NewPageAsync();
 
-            // Navigate to the root. We only assert the host is live + returns HTML — not
-            // that the Blazor Server interactive render has booted. Booting the interactive
-            // circuit in a test-owned pipeline is task #242.
             var response = await page.GotoAsync(app.BaseUrl);
 
             response.ShouldNotBeNull();
             response!.Status.ShouldBeLessThan(500,
                 $"Admin host returned HTTP {response.Status} at root — scaffolding broken");
 
-            // Static HTML shell should at least include the <body> and some content. This
-            // rules out 404s + verifies the MapRazorComponents route pipeline is wired.
             var body = await page.Locator("body").InnerHTMLAsync();
             body.Length.ShouldBeGreaterThan(0, "empty body = routing pipeline didn't hit Razor");
         }
@@ -71,4 +62,148 @@ public sealed class UnsTabDragDropE2ETests
             await fixture.DisposeAsync();
         }
     }
+
+    [Fact]
+    public async Task Dragging_line_onto_new_area_shows_preview_modal_then_confirms_the_move()
+    {
+        await using var app = new AdminWebAppFactory();
+        await app.StartAsync();
+
+        var fixture = await TryInitPlaywrightAsync();
+        if (fixture is null) return;
+
+        try
+        {
+            var ctx = await fixture.Browser.NewContextAsync();
+            var page = await ctx.NewPageAsync();
+
+            await OpenUnsTabAsync(page, app);
+
+            // The seed wires line 'oven-line' to area 'warsaw' (area-a); dragging it onto
+            // 'berlin' (area-b) should surface the preview modal. Playwright's DragToAsync
+            // dispatches native dragstart / dragover / drop events that the razor's
+            // @ondragstart / @ondragover / @ondrop handlers pick up.
+            var lineRow = page.Locator("table >> tr", new() { HasTextString = "oven-line" });
+            var berlinRow = page.Locator("table >> tr", new() { HasTextString = "berlin" });
+            await lineRow.DragToAsync(berlinRow);
+
+            var modalTitle = page.Locator(".modal-title", new() { HasTextString = "Confirm UNS move" });
+            await modalTitle.WaitForAsync(new() { Timeout = 10_000 });
+
+            var modalBody = await page.Locator(".modal-body").InnerTextAsync();
+            modalBody.ShouldContain("Equipment re-homed",
+                customMessage: "preview modal should render UnsImpactAnalyzer summary");
+
+            await page.Locator("button.btn.btn-primary", new() { HasTextString = "Confirm move" })
+                .ClickAsync();
+
+            // Modal dismisses after the MoveLineAsync round-trip + ReloadAsync.
+            await modalTitle.WaitForAsync(new() { State = WaitForSelectorState.Detached, Timeout = 10_000 });
+
+            // Persisted state: the line row now shows area-b as its Area column value.
+            using var scope = app.Services.CreateScope();
+            var db = scope.ServiceProvider.GetRequiredService<OtOpcUaConfigDbContext>();
+            var line = await db.UnsLines.AsNoTracking()
+                .FirstAsync(l => l.UnsLineId == "line-a1" && l.GenerationId == app.SeededGenerationId);
+            line.UnsAreaId.ShouldBe("area-b",
+                "drag-drop should have moved the line to the berlin area via UnsService.MoveLineAsync");
+        }
+        finally
+        {
+            await fixture.DisposeAsync();
+        }
+    }
+
+    [Fact]
+    public async Task Preview_shown_then_peer_edit_applied_surfaces_409_conflict_modal()
+    {
+        await using var app = new AdminWebAppFactory();
+        await app.StartAsync();
+
+        var fixture = await TryInitPlaywrightAsync();
+        if (fixture is null) return;
+
+        try
+        {
+            var ctx = await fixture.Browser.NewContextAsync();
+            var page = await ctx.NewPageAsync();
+
+            await OpenUnsTabAsync(page, app);
+
+            // Open the preview first (same drag as the happy-path test). The preview captures
+            // a RevisionToken under the current draft state.
+            var lineRow = page.Locator("table >> tr", new() { HasTextString = "oven-line" });
+            var berlinRow = page.Locator("table >> tr", new() { HasTextString = "berlin" });
+            await lineRow.DragToAsync(berlinRow);
+
+            var modalTitle = page.Locator(".modal-title", new() { HasTextString = "Confirm UNS move" });
+            await modalTitle.WaitForAsync(new() { Timeout = 10_000 });
+
+            // Simulate a concurrent operator committing their own edit between the preview
+            // open + our Confirm click — bumps the DraftRevisionToken so our stale token hits
+            // DraftRevisionConflictException in UnsService.MoveLineAsync.
+            using (var scope = app.Services.CreateScope())
+            {
+                var uns = scope.ServiceProvider.GetRequiredService<Admin.Services.UnsService>();
+                await uns.AddAreaAsync(app.SeededGenerationId, app.SeededClusterId,
+                    "madrid", notes: null, CancellationToken.None);
+            }
+
+            await page.Locator("button.btn.btn-primary", new() { HasTextString = "Confirm move" })
+                .ClickAsync();
+
+            var conflictTitle = page.Locator(".modal-title",
+                new() { HasTextString = "Draft changed" });
+            await conflictTitle.WaitForAsync(new() { Timeout = 10_000 });
+
+            // Persisted state: line still points at the original area-a — the conflict short-
+            // circuited the move.
+            using var verifyScope = app.Services.CreateScope();
+            var db = verifyScope.ServiceProvider.GetRequiredService<OtOpcUaConfigDbContext>();
+            var line = await db.UnsLines.AsNoTracking()
+                .FirstAsync(l => l.UnsLineId == "line-a1" && l.GenerationId == app.SeededGenerationId);
+            line.UnsAreaId.ShouldBe("area-a",
+                "conflict path must not overwrite the peer operator's draft state");
+        }
+        finally
+        {
+            await fixture.DisposeAsync();
+        }
+    }
+
+    private static async Task<PlaywrightFixture?> TryInitPlaywrightAsync()
+    {
+        try
+        {
+            var fixture = new PlaywrightFixture();
+            await fixture.InitializeAsync();
+            return fixture;
+        }
+        catch (PlaywrightBrowserMissingException)
+        {
+            Assert.Skip("Chromium not installed. Run playwright.ps1 install chromium.");
+            return null;
+        }
+    }
+
+    /// <summary>
+    ///     Navigates to the seeded cluster and switches to the UNS Structure tab, waiting for
+    ///     the Blazor Server interactive circuit to render the draggable line table. Returns
+    ///     once the drop-target cells ("drop here") are visible — that's the signal the
+    ///     circuit is live and @ondragstart handlers are wired.
+    /// </summary>
+    private static async Task OpenUnsTabAsync(IPage page, AdminWebAppFactory app)
+    {
+        await page.GotoAsync($"{app.BaseUrl}/clusters/{app.SeededClusterId}",
+            new() { WaitUntil = WaitUntilState.NetworkIdle, Timeout = 20_000 });
+
+        var unsTab = page.Locator("button.nav-link", new() { HasTextString = "UNS Structure" });
+        await unsTab.WaitForAsync(new() { Timeout = 15_000 });
+        await unsTab.ClickAsync();
+
+        // "drop here" is the per-area hint cell — only rendered inside <UnsTab> so its
+        // visibility confirms both the tab switch and the circuit's interactive render.
+        await page.Locator("td", new() { HasTextString = "drop here" })
+            .First.WaitForAsync(new() { Timeout = 15_000 });
+    }
 }

tests/ZB.MOM.WW.OtOpcUa.Driver.AbLegacy.IntegrationTests/AbLegacyServerFixture.cs

@@ -28,6 +28,16 @@ public sealed class AbLegacyServerFixture : IAsyncLifetime
 {
     private const string EndpointEnvVar = "AB_LEGACY_ENDPOINT";
 
+    /// <summary>
+    ///     Opt-in flag that promises the endpoint can actually round-trip PCCC reads/writes
+    ///     (real SLC 5/05 / MicroLogix 1100/1400 / PLC-5 hardware, or a RSEmulate 500
+    ///     golden-box per <c>docs/v2/lmx-followups.md</c>). Without this, the fixture assumes
+    ///     the endpoint is libplctag's <c>ab_server --plc=SLC500</c> Docker container — whose
+    ///     PCCC dispatcher is a known upstream gap — and skips cleanly rather than failing
+    ///     every test with <c>BadCommunicationError</c>.
+    /// </summary>
+    private const string TrustWireEnvVar = "AB_LEGACY_TRUST_WIRE";
+
     /// <summary>Standard EtherNet/IP port. PCCC-over-CIP rides on the same port as
     /// native CIP; the differentiator is the <c>--plc</c> flag ab_server was started
     /// with, not a different TCP listener.</summary>
@@ -46,22 +56,49 @@ public sealed class AbLegacyServerFixture : IAsyncLifetime
             if (parts.Length == 2 && int.TryParse(parts[1], out var p)) Port = p;
         }
 
-        if (!TcpProbe(Host, Port))
-        {
-            SkipReason =
-                $"AB Legacy PCCC simulator at {Host}:{Port} not reachable within 2 s. " +
-                $"Start the Docker container (docker compose -f Docker/docker-compose.yml " +
-                $"--profile slc500 up -d) or override {EndpointEnvVar}.";
-        }
+        SkipReason = ResolveSkipReason(Host, Port);
     }
 
     public ValueTask InitializeAsync() => ValueTask.CompletedTask;
     public ValueTask DisposeAsync() => ValueTask.CompletedTask;
 
+    /// <summary>
+    ///     Used by <see cref="AbLegacyFactAttribute"/> + <see cref="AbLegacyTheoryAttribute"/>
+    ///     during test-class construction — gates whether the test runs at all. Duplicates the
+    ///     fixture logic because attribute ctors fire before the collection fixture instance
+    ///     exists.
+    /// </summary>
     public static bool IsServerAvailable()
     {
         var (host, port) = ResolveEndpoint();
-        return TcpProbe(host, port);
+        return ResolveSkipReason(host, port) is null;
+    }
+
+    private static string? ResolveSkipReason(string host, int port)
+    {
+        if (!TcpProbe(host, port))
+        {
+            return $"AB Legacy PCCC endpoint at {host}:{port} not reachable within 2 s. " +
+                   $"Start the Docker container (docker compose -f Docker/docker-compose.yml " +
+                   $"--profile slc500 up -d), attach real hardware, or override {EndpointEnvVar}.";
+        }
+
+        // TCP reaches — but is the peer a real PLC (wire-trustworthy) or ab_server's PCCC
+        // mode (dispatcher is upstream-broken, every read surfaces BadCommunicationError)?
+        // We can't detect it at the wire without issuing a full libplctag session, so we
+        // require an explicit opt-in for wire-level runs. See
+        // `tests/.../Docker/README.md` §"Known limitations" for the upstream-tracking pointer.
+        if (Environment.GetEnvironmentVariable(TrustWireEnvVar) is not { Length: > 0 } trust
+            || !(trust == "1" || string.Equals(trust, "true", StringComparison.OrdinalIgnoreCase)))
+        {
+            return $"AB Legacy endpoint at {host}:{port} is reachable but {TrustWireEnvVar} is not set. " +
+                   "ab_server's PCCC dispatcher is a known upstream gap (libplctag/libplctag), so by " +
+                   "default the integration suite assumes the simulator is in play and skips. Set " +
+                   $"{TrustWireEnvVar}=1 when pointing at real SLC 5/05 / MicroLogix 1100/1400 / PLC-5 " +
+                   "hardware or a RSEmulate 500 golden-box.";
+        }
+
+        return null;
     }
 
     private static (string Host, int Port) ResolveEndpoint()
@@ -129,16 +166,19 @@ public sealed class AbLegacyServerCollection : Xunit.ICollectionFixture<AbLegacy
 }
 
 /// <summary>
-///     <c>[Fact]</c>-equivalent that skips when the PCCC simulator isn't reachable.
+///     <c>[Fact]</c>-equivalent that skips when the PCCC endpoint isn't wire-trustworthy.
+///     See <see cref="AbLegacyServerFixture"/> for the exact skip semantics.
 /// </summary>
 public sealed class AbLegacyFactAttribute : FactAttribute
 {
     public AbLegacyFactAttribute()
     {
         if (!AbLegacyServerFixture.IsServerAvailable())
-            Skip = "AB Legacy PCCC simulator not reachable. Start the Docker container " +
-                   "(docker compose -f Docker/docker-compose.yml --profile slc500 up -d) " +
-                   "or set AB_LEGACY_ENDPOINT.";
+            Skip = "AB Legacy PCCC endpoint not wire-trustworthy. Either no simulator is " +
+                   "running, or the Docker ab_server is up but AB_LEGACY_TRUST_WIRE is not " +
+                   "set (ab_server's PCCC dispatcher is a known upstream gap). Set " +
+                   "AB_LEGACY_TRUST_WIRE=1 when pointing AB_LEGACY_ENDPOINT at real hardware " +
+                   "or a RSEmulate 500 golden-box.";
     }
 }
 
@@ -150,8 +190,10 @@ public sealed class AbLegacyTheoryAttribute : TheoryAttribute
     public AbLegacyTheoryAttribute()
     {
         if (!AbLegacyServerFixture.IsServerAvailable())
-            Skip = "AB Legacy PCCC simulator not reachable. Start the Docker container " +
-                   "(docker compose -f Docker/docker-compose.yml --profile slc500 up -d) " +
-                   "or set AB_LEGACY_ENDPOINT.";
+            Skip = "AB Legacy PCCC endpoint not wire-trustworthy. Either no simulator is " +
+                   "running, or the Docker ab_server is up but AB_LEGACY_TRUST_WIRE is not " +
+                   "set (ab_server's PCCC dispatcher is a known upstream gap). Set " +
+                   "AB_LEGACY_TRUST_WIRE=1 when pointing AB_LEGACY_ENDPOINT at real hardware " +
+                   "or a RSEmulate 500 golden-box.";
     }
 }

tests/ZB.MOM.WW.OtOpcUa.Driver.AbLegacy.IntegrationTests/Docker/README.md

@@ -47,6 +47,13 @@ families stop the current service + start another.
 - Override with `AB_LEGACY_ENDPOINT=host:port` to point at a real SLC /
   MicroLogix / PLC-5 PLC on its native port.
 
+## Env vars
+
+| Var | Default | Purpose |
+|---|---|---|
+| `AB_LEGACY_ENDPOINT` | `localhost:44818` | `host:port` of the PCCC endpoint. |
+| `AB_LEGACY_TRUST_WIRE` | *unset* | Opt-in promise that the endpoint is a real PLC or RSEmulate 500 golden-box (not ab_server). Required for integration tests to actually run; without it the tests skip with an upstream-gap message even when TCP reaches a listener. See the **Known limitations** section below. |
+
 ## Run the integration tests
 
 In a separate shell with a container up:
@@ -56,9 +63,20 @@ cd C:\Users\dohertj2\Desktop\lmxopcua
 dotnet test tests\ZB.MOM.WW.OtOpcUa.Driver.AbLegacy.IntegrationTests
 ```
 
-`AbLegacyServerFixture` TCP-probes `localhost:44818` at collection init +
-records a skip reason when unreachable. Tests use `[AbLegacyFact]` /
-`[AbLegacyTheory]` which check the same probe.
+Against the Docker ab_server the suite **skips** with a pointer to the
+upstream gap (see **Known limitations**). Against real SLC / MicroLogix /
+PLC-5 hardware or a RSEmulate 500 box:
+
+```powershell
+$env:AB_LEGACY_ENDPOINT = "10.0.1.50:44818"
+$env:AB_LEGACY_TRUST_WIRE = "1"
+dotnet test tests\ZB.MOM.WW.OtOpcUa.Driver.AbLegacy.IntegrationTests
+```
+
+`AbLegacyServerFixture` TCP-probes the endpoint at collection init and sets
+a skip reason that captures **both** cases: unreachable endpoint *and*
+reachable-but-wire-untrusted. Tests use `[AbLegacyFact]` / `[AbLegacyTheory]`
+which check the same gate.
 
 ## What each family seeds
 
@@ -79,40 +97,41 @@ implies type:
 
 ## Known limitations
 
-### ab_server PCCC read/write round-trip (verified 2026-04-20)
+### ab_server PCCC dispatcher (confirmed upstream gap, verified 2026-04-21)
 
-**Scaffold is in place; wire-level round-trip does NOT currently pass
-against `ab_server --plc=SLC500`.** With the SLC500 compose profile up,
-TCP 44818 accepts connections and libplctag negotiates the session,
-but the three smoke tests in `AbLegacyReadSmokeTests.cs` all fail at
-read/write with `BadCommunicationError` (libplctag status `0x80050000`).
-Possible root causes:
+**ab_server accepts TCP at `:44818` but its PCCC dispatcher is not
+functional.** Running with `--plc=SLC500 --debug=5` shows no request
+logs when libplctag issues a read, and every read surfaces as
+`BadCommunicationError` (libplctag status `0x80050000`). This matches
+the libplctag docs' description of PCCC support as less-mature than
+CIP in the bundled `ab_server` tool.
 
-- ab_server's PCCC server-side opcode coverage may be narrower than
-  libplctag's PCCC client expects — the tool is primarily a CIP
-  server; PCCC was added later + is noted in libplctag docs as less
-  mature.
-- libplctag's PCCC-over-CIP encapsulation may assume a real SLC 5/05
-  EtherNet/IP NIC's framing that ab_server doesn't emit.
+**Fixture behavior.** To avoid a loud row of failing tests on the
+integration host every time someone `docker compose up`s the SLC500
+profile, `AbLegacyServerFixture` gates on a second env var
+`AB_LEGACY_TRUST_WIRE`. The matrix:
 
-The scaffold ships **as-is** because:
+| Endpoint reachable? | `AB_LEGACY_TRUST_WIRE` set? | Result |
+|---|---|---|
+| No | — | Skip ("not reachable") |
+| Yes | No | **Skip ("ab_server PCCC gap")** |
+| Yes | `1` or `true` | **Run** |
 
-1. The Docker infrastructure + fixture pattern works cleanly (probe
-   passes, container lifecycle is clean, tests skip when absent).
-2. The test classes target the correct shape for what the AB Legacy
-   driver would do against real hardware.
-3. Pointing `AB_LEGACY_ENDPOINT` at a real SLC 5/05 / MicroLogix
-   1100 / 1400 should make the tests pass outright — the failure
-   mode is ab_server-specific, not driver-specific.
+The test bodies themselves are correct for real hardware — point
+`AB_LEGACY_ENDPOINT` at a real SLC 5/05 / MicroLogix 1100/1400 /
+PLC-5, set `AB_LEGACY_TRUST_WIRE=1`, and the smoke tests round-trip
+cleanly.
 
 Resolution paths (pick one):
 
 1. **File an ab_server bug** in `libplctag/libplctag` to expand PCCC
    server-side coverage.
 2. **Golden-box tier** via Rockwell RSEmulate 500 — closer to real
-   firmware, but license-gated + RSLinx-dependent.
+   firmware, but license-gated + RSLinx-dependent. Set
+   `AB_LEGACY_TRUST_WIRE=1` when the endpoint points at an Emulate
+   box.
 3. **Lab rig** — used SLC 5/05 / MicroLogix 1100 on a dedicated
-   network; the authoritative path.
+   network (task #222); the authoritative path.
 
 ### Other known gaps (unchanged from ab_server)
 

tests/ZB.MOM.WW.OtOpcUa.Driver.FOCAS.Tests/FocasDriverFactoryExtensionsTests.cs

@@ -0,0 +1,162 @@
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Core.Hosting;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.FOCAS.Tests;
+
+/// <summary>
+///     Task #220 — covers the DriverConfig JSON contract that
+///     <see cref="FocasDriverFactoryExtensions.CreateInstance"/> parses when the bootstrap
+///     pipeline (task #248) materialises FOCAS DriverInstance rows. Pure unit tests, no pipe
+///     or CNC required.
+/// </summary>
+[Trait("Category", "Unit")]
+public sealed class FocasDriverFactoryExtensionsTests
+{
+    [Fact]
+    public void Register_adds_FOCAS_entry_to_registry()
+    {
+        var registry = new DriverFactoryRegistry();
+        FocasDriverFactoryExtensions.Register(registry);
+        registry.TryGet("FOCAS").ShouldNotBeNull();
+    }
+
+    [Fact]
+    public void Register_is_case_insensitive_via_registry()
+    {
+        var registry = new DriverFactoryRegistry();
+        FocasDriverFactoryExtensions.Register(registry);
+        registry.TryGet("focas").ShouldNotBeNull();
+        registry.TryGet("Focas").ShouldNotBeNull();
+    }
+
+    [Fact]
+    public void CreateInstance_with_ipc_backend_and_valid_config_returns_FocasDriver()
+    {
+        const string json = """
+        {
+          "Backend": "ipc",
+          "PipeName": "OtOpcUaFocasHost",
+          "SharedSecret": "secret-for-test",
+          "ConnectTimeoutMs": 5000,
+          "Series": "Thirty_i",
+          "TimeoutMs": 3000,
+          "Devices": [
+            { "HostAddress": "focas://10.0.0.5:8193", "DeviceName": "Lathe1" }
+          ],
+          "Tags": [
+            { "Name": "Override", "DeviceHostAddress": "focas://10.0.0.5:8193",
+              "Address": "R100", "DataType": "Int32", "Writable": true }
+          ]
+        }
+        """;
+
+        var driver = FocasDriverFactoryExtensions.CreateInstance("focas-0", json);
+
+        driver.ShouldNotBeNull();
+        driver.DriverInstanceId.ShouldBe("focas-0");
+        driver.DriverType.ShouldBe("FOCAS");
+    }
+
+    [Fact]
+    public void CreateInstance_defaults_Backend_to_ipc_when_unspecified()
+    {
+        // No "Backend" key → defaults to ipc → requires PipeName + SharedSecret.
+        const string json = """
+        { "PipeName": "p", "SharedSecret": "s" }
+        """;
+        var driver = FocasDriverFactoryExtensions.CreateInstance("focas-default", json);
+        driver.DriverType.ShouldBe("FOCAS");
+    }
+
+    [Fact]
+    public void CreateInstance_ipc_backend_missing_PipeName_throws()
+    {
+        const string json = """{ "Backend": "ipc", "SharedSecret": "s" }""";
+        Should.Throw<InvalidOperationException>(
+            () => FocasDriverFactoryExtensions.CreateInstance("focas-missing-pipe", json))
+            .Message.ShouldContain("PipeName");
+    }
+
+    [Fact]
+    public void CreateInstance_ipc_backend_missing_SharedSecret_throws()
+    {
+        const string json = """{ "Backend": "ipc", "PipeName": "p" }""";
+        Should.Throw<InvalidOperationException>(
+            () => FocasDriverFactoryExtensions.CreateInstance("focas-missing-secret", json))
+            .Message.ShouldContain("SharedSecret");
+    }
+
+    [Fact]
+    public void CreateInstance_fwlib_backend_does_not_require_pipe_fields()
+    {
+        // Direct in-process Fwlib32 path. No pipe config needed; driver connects the DLL
+        // natively on first use.
+        const string json = """{ "Backend": "fwlib" }""";
+        var driver = FocasDriverFactoryExtensions.CreateInstance("focas-fwlib", json);
+        driver.DriverInstanceId.ShouldBe("focas-fwlib");
+    }
+
+    [Fact]
+    public void CreateInstance_unimplemented_backend_yields_driver_that_fails_fast_on_use()
+    {
+        // Useful for staging DriverInstance rows in the config DB before the Host is
+        // actually deployed — the server boots but reads/writes surface clear errors.
+        const string json = """{ "Backend": "unimplemented" }""";
+        var driver = FocasDriverFactoryExtensions.CreateInstance("focas-unimpl", json);
+        driver.DriverInstanceId.ShouldBe("focas-unimpl");
+    }
+
+    [Fact]
+    public void CreateInstance_unknown_backend_throws_with_expected_list()
+    {
+        const string json = """{ "Backend": "gibberish", "PipeName": "p", "SharedSecret": "s" }""";
+        Should.Throw<InvalidOperationException>(
+            () => FocasDriverFactoryExtensions.CreateInstance("focas-bad-backend", json))
+            .Message.ShouldContain("gibberish");
+    }
+
+    [Fact]
+    public void CreateInstance_rejects_unknown_Series()
+    {
+        const string json = """
+        { "Backend": "fwlib", "Series": "NotARealSeries" }
+        """;
+        Should.Throw<InvalidOperationException>(
+            () => FocasDriverFactoryExtensions.CreateInstance("focas-bad-series", json))
+            .Message.ShouldContain("NotARealSeries");
+    }
+
+    [Fact]
+    public void CreateInstance_rejects_tag_with_missing_DataType()
+    {
+        const string json = """
+        {
+          "Backend": "fwlib",
+          "Devices": [{ "HostAddress": "focas://1.1.1.1:8193" }],
+          "Tags": [{ "Name": "Broken", "DeviceHostAddress": "focas://1.1.1.1:8193", "Address": "R1" }]
+        }
+        """;
+        Should.Throw<InvalidOperationException>(
+            () => FocasDriverFactoryExtensions.CreateInstance("focas-bad-tag", json))
+            .Message.ShouldContain("DataType");
+    }
+
+    [Fact]
+    public void CreateInstance_null_or_whitespace_args_rejected()
+    {
+        Should.Throw<ArgumentException>(
+            () => FocasDriverFactoryExtensions.CreateInstance("", "{}"));
+        Should.Throw<ArgumentException>(
+            () => FocasDriverFactoryExtensions.CreateInstance("id", ""));
+    }
+
+    [Fact]
+    public void Register_twice_throws()
+    {
+        var registry = new DriverFactoryRegistry();
+        FocasDriverFactoryExtensions.Register(registry);
+        Should.Throw<InvalidOperationException>(
+            () => FocasDriverFactoryExtensions.Register(registry));
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.Tests/GalaxyHistorianWriterMappingTests.cs

@@ -0,0 +1,83 @@
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Core.AlarmHistorian;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.Ipc;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared.Contracts;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.Tests;
+
+/// <summary>
+///     Phase 7 follow-up #247 — covers the wire-format translation between the
+///     <see cref="AlarmHistorianEvent"/> the SQLite sink hands to the writer + the
+///     <see cref="HistorianAlarmEventDto"/> the Galaxy.Host IPC contract expects, plus
+///     the per-event outcome enum mapping. Pure functions; the round-trip over a real
+///     pipe is exercised by the live Host suite (task #240).
+/// </summary>
+[Trait("Category", "Unit")]
+public sealed class GalaxyHistorianWriterMappingTests
+{
+    [Fact]
+    public void ToDto_round_trips_every_field()
+    {
+        var ts = new DateTime(2026, 4, 20, 14, 30, 0, DateTimeKind.Utc);
+        var e = new AlarmHistorianEvent(
+            AlarmId: "al-7",
+            EquipmentPath: "/Site/Line/Cell",
+            AlarmName: "HighTemp",
+            AlarmTypeName: "LimitAlarm",
+            Severity: AlarmSeverity.High,
+            EventKind: "RaiseEvent",
+            Message: "Temp 92°C exceeded 90°C",
+            User: "operator-7",
+            Comment: "ack with reason",
+            TimestampUtc: ts);
+
+        var dto = GalaxyHistorianWriter.ToDto(e);
+
+        dto.AlarmId.ShouldBe("al-7");
+        dto.EquipmentPath.ShouldBe("/Site/Line/Cell");
+        dto.AlarmName.ShouldBe("HighTemp");
+        dto.AlarmTypeName.ShouldBe("LimitAlarm");
+        dto.Severity.ShouldBe((int)AlarmSeverity.High);
+        dto.EventKind.ShouldBe("RaiseEvent");
+        dto.Message.ShouldBe("Temp 92°C exceeded 90°C");
+        dto.User.ShouldBe("operator-7");
+        dto.Comment.ShouldBe("ack with reason");
+        dto.TimestampUtcUnixMs.ShouldBe(new DateTimeOffset(ts, TimeSpan.Zero).ToUnixTimeMilliseconds());
+    }
+
+    [Fact]
+    public void ToDto_preserves_null_Comment()
+    {
+        var e = new AlarmHistorianEvent(
+            "a", "/p", "n", "AlarmCondition", AlarmSeverity.Low, "RaiseEvent", "m",
+            User: "system", Comment: null, TimestampUtc: DateTime.UtcNow);
+
+        GalaxyHistorianWriter.ToDto(e).Comment.ShouldBeNull();
+    }
+
+    [Theory]
+    [InlineData(HistorianAlarmEventOutcomeDto.Ack, HistorianWriteOutcome.Ack)]
+    [InlineData(HistorianAlarmEventOutcomeDto.RetryPlease, HistorianWriteOutcome.RetryPlease)]
+    [InlineData(HistorianAlarmEventOutcomeDto.PermanentFail, HistorianWriteOutcome.PermanentFail)]
+    public void MapOutcome_round_trips_every_byte(
+        HistorianAlarmEventOutcomeDto wire, HistorianWriteOutcome expected)
+    {
+        GalaxyHistorianWriter.MapOutcome(wire).ShouldBe(expected);
+    }
+
+    [Fact]
+    public void MapOutcome_unknown_byte_throws()
+    {
+        Should.Throw<InvalidOperationException>(
+            () => GalaxyHistorianWriter.MapOutcome((HistorianAlarmEventOutcomeDto)0xFF));
+    }
+
+    [Fact]
+    public void Null_client_rejected()
+    {
+        Should.Throw<ArgumentNullException>(() => new GalaxyHistorianWriter(null!));
+    }
+
+}

tests/ZB.MOM.WW.OtOpcUa.Server.Tests/AlarmSubscribeIntegrationTests.cs

@@ -0,0 +1,322 @@
+using Microsoft.Extensions.Logging.Abstractions;
+using Opc.Ua;
+using Opc.Ua.Client;
+using Opc.Ua.Configuration;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Core.Hosting;
+using ZB.MOM.WW.OtOpcUa.Server.OpcUa;
+using ZB.MOM.WW.OtOpcUa.Server.Security;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.Tests;
+
+/// <summary>
+///     Task #219 — end-to-end server integration coverage for the <see cref="IAlarmSource"/>
+///     dispatch path. Boots the full OPC UA stack + a fake <see cref="IAlarmSource"/> driver,
+///     opens a client session, raises a driver-side transition, and asserts it propagates
+///     through <c>GenericDriverNodeManager</c>'s alarm forwarder into
+///     <c>DriverNodeManager.ConditionSink</c>, updates the server-side
+///     <c>AlarmConditionState</c> child attributes (Severity / Message / ActiveState), and
+///     flows out to an OPC UA subscription on the Server object's EventNotifier.
+///
+///     Companion to <see cref="HistoryReadIntegrationTests"/> which covers the
+///     <see cref="IHistoryProvider"/> dispatch path; together they close the server-side
+///     integration gap for optional driver capabilities (plan decision #62).
+/// </summary>
+[Trait("Category", "Integration")]
+public sealed class AlarmSubscribeIntegrationTests : IAsyncLifetime
+{
+    private static readonly int Port = 48700 + Random.Shared.Next(0, 99);
+    private readonly string _endpoint = $"opc.tcp://localhost:{Port}/OtOpcUaAlarmTest";
+    private readonly string _pkiRoot = Path.Combine(Path.GetTempPath(), $"otopcua-alarm-test-{Guid.NewGuid():N}");
+
+    private DriverHost _driverHost = null!;
+    private OpcUaApplicationHost _server = null!;
+    private AlarmDriver _driver = null!;
+
+    public async ValueTask InitializeAsync()
+    {
+        _driverHost = new DriverHost();
+        _driver = new AlarmDriver();
+        await _driverHost.RegisterAsync(_driver, "{}", CancellationToken.None);
+
+        var options = new OpcUaServerOptions
+        {
+            EndpointUrl = _endpoint,
+            ApplicationName = "OtOpcUaAlarmTest",
+            ApplicationUri = "urn:OtOpcUa:Server:AlarmTest",
+            PkiStoreRoot = _pkiRoot,
+            AutoAcceptUntrustedClientCertificates = true,
+            HealthEndpointsEnabled = false,
+        };
+
+        _server = new OpcUaApplicationHost(options, _driverHost, new DenyAllUserAuthenticator(),
+            NullLoggerFactory.Instance, NullLogger<OpcUaApplicationHost>.Instance);
+        await _server.StartAsync(CancellationToken.None);
+    }
+
+    public async ValueTask DisposeAsync()
+    {
+        await _server.DisposeAsync();
+        await _driverHost.DisposeAsync();
+        try { Directory.Delete(_pkiRoot, recursive: true); } catch { /* best-effort */ }
+    }
+
+    [Fact]
+    public async Task Driver_alarm_transition_updates_server_side_AlarmConditionState_node()
+    {
+        using var session = await OpenSessionAsync();
+        var nsIndex = (ushort)session.NamespaceUris.GetIndex("urn:OtOpcUa:alarm-driver");
+
+        _driver.RaiseAlarm(new AlarmEventArgs(
+            SubscriptionHandle: new FakeHandle("sub"),
+            SourceNodeId: "Tank.HiHi",
+            ConditionId: "cond-1",
+            AlarmType: "Active",
+            Message: "Level exceeded upper-upper",
+            Severity: AlarmSeverity.High,
+            SourceTimestampUtc: DateTime.UtcNow));
+
+        // The alarm-condition node's identifier is the driver full-reference + ".Condition"
+        // (DriverNodeManager.VariableHandle.MarkAsAlarmCondition). Server-side state changes
+        // are applied synchronously under DriverNodeManager.Lock inside ConditionSink.OnTransition,
+        // so by the time RaiseAlarm returns the node state has been flushed.
+        var conditionNodeId = new NodeId("Tank.HiHi.Condition", nsIndex);
+
+        // Browse the condition node for the well-known Part-9 child variables. The stack
+        // materializes Severity / Message / ActiveState / AckedState as children below the
+        // AlarmConditionState; their NodeIds are allocated by the stack so we discover them
+        // by BrowseName rather than guessing.
+        var browseDescriptions = new BrowseDescriptionCollection
+        {
+            new()
+            {
+                NodeId = conditionNodeId,
+                BrowseDirection = BrowseDirection.Forward,
+                ReferenceTypeId = ReferenceTypeIds.HierarchicalReferences,
+                IncludeSubtypes = true,
+                NodeClassMask = 0,
+                ResultMask = (uint)BrowseResultMask.All,
+            },
+        };
+        session.Browse(null, null, 0, browseDescriptions, out var browseResults, out _);
+        var children = browseResults[0].References
+            .ToDictionary(r => r.BrowseName.Name,
+                r => ExpandedNodeId.ToNodeId(r.NodeId, session.NamespaceUris),
+                StringComparer.Ordinal);
+
+        children.ShouldContainKey("Severity");
+        children.ShouldContainKey("Message");
+        children.ShouldContainKey("ActiveState");
+
+        // Severity / Message / ActiveState.Id reflect the driver-fired transition — verifies
+        // the forwarder → ConditionSink.OnTransition → alarm.ClearChangeMasks pipeline
+        // landed the new values in addressable child nodes. DriverNodeManager's
+        // AssignSymbolicDescendantIds keeps each child reachable under the node manager's
+        // namespace so Read resolves against the predefined-node dictionary.
+        var severity = session.ReadValue(children["Severity"]);
+        var message = session.ReadValue(children["Message"]);
+        severity.Value.ShouldBe((ushort)700);  // AlarmSeverity.High → 700 (MapSeverity)
+        ((LocalizedText)message.Value).Text.ShouldBe("Level exceeded upper-upper");
+
+        // ActiveState exposes its boolean Id as a HasProperty child.
+        var activeBrowse = new BrowseDescriptionCollection
+        {
+            new()
+            {
+                NodeId = children["ActiveState"],
+                BrowseDirection = BrowseDirection.Forward,
+                ReferenceTypeId = ReferenceTypeIds.HasProperty,
+                IncludeSubtypes = true,
+                ResultMask = (uint)BrowseResultMask.All,
+            },
+        };
+        session.Browse(null, null, 0, activeBrowse, out var activeChildren, out _);
+        var idRef = activeChildren[0].References.Single(r => r.BrowseName.Name == "Id");
+        var activeId = session.ReadValue(ExpandedNodeId.ToNodeId(idRef.NodeId, session.NamespaceUris));
+        activeId.Value.ShouldBe(true);
+    }
+
+    [Fact]
+    public async Task Driver_alarm_event_flows_to_client_subscription_on_Server_EventNotifier()
+    {
+        // AddRootNotifier registers the AlarmConditionState as a Server-object notifier
+        // source, so a subscription with an EventFilter on Server receives the
+        // ReportEvent calls ConditionSink emits per-transition.
+        using var session = await OpenSessionAsync();
+
+        var subscription = new Subscription(session.DefaultSubscription) { PublishingInterval = 100 };
+        session.AddSubscription(subscription);
+        await subscription.CreateAsync();
+
+        var received = new List<EventFieldList>();
+        var gate = new TaskCompletionSource(TaskCreationOptions.RunContinuationsAsynchronously);
+
+        var filter = new EventFilter();
+        filter.AddSelectClause(ObjectTypeIds.BaseEventType, BrowseNames.EventId);
+        filter.AddSelectClause(ObjectTypeIds.BaseEventType, BrowseNames.SourceName);
+        filter.AddSelectClause(ObjectTypeIds.BaseEventType, BrowseNames.Message);
+        filter.AddSelectClause(ObjectTypeIds.BaseEventType, BrowseNames.Severity);
+        filter.WhereClause = new ContentFilter();
+        filter.WhereClause.Push(FilterOperator.OfType,
+            new LiteralOperand { Value = new Variant(ObjectTypeIds.AlarmConditionType) });
+
+        var item = new MonitoredItem(subscription.DefaultItem)
+        {
+            StartNodeId = ObjectIds.Server,
+            AttributeId = Attributes.EventNotifier,
+            NodeClass = NodeClass.Object,
+            SamplingInterval = 0,
+            QueueSize = 100,
+            Filter = filter,
+        };
+        item.Notification += (_, e) =>
+        {
+            if (e.NotificationValue is EventFieldList fields)
+            {
+                lock (received) { received.Add(fields); gate.TrySetResult(); }
+            }
+        };
+        subscription.AddItem(item);
+        await subscription.ApplyChangesAsync();
+
+        // Give the publish loop a tick to establish before firing.
+        await Task.Delay(200);
+
+        _driver.RaiseAlarm(new AlarmEventArgs(
+            new FakeHandle("sub"), "Tank.HiHi", "cond-x", "Active",
+            "High-high tripped", AlarmSeverity.Critical, DateTime.UtcNow));
+
+        var delivered = await Task.WhenAny(gate.Task, Task.Delay(TimeSpan.FromSeconds(10)));
+        delivered.ShouldBe(gate.Task, "alarm event must arrive at the client within 10s");
+
+        EventFieldList first;
+        lock (received) first = received[0];
+        // Filter field order: 0=EventId, 1=SourceName, 2=Message, 3=Severity.
+        ((LocalizedText)first.EventFields[2].Value).Text.ShouldBe("High-high tripped");
+        first.EventFields[3].Value.ShouldBe((ushort)900);  // Critical → 900
+    }
+
+    [Fact]
+    public async Task Each_IsAlarm_variable_registers_its_own_condition_node_in_the_driver_namespace()
+    {
+        // Tag-scoped alarm wiring: DiscoverAsync declares two IsAlarm variables and calls
+        // MarkAsAlarmCondition on each. The server-side DriverNodeManager wraps each call in
+        // a CapturingHandle that creates a sibling AlarmConditionState + registers a sink
+        // under the driver full-reference. Browse should show both condition nodes with
+        // distinct NodeIds using the FullReference + ".Condition" convention.
+        using var session = await OpenSessionAsync();
+        var nsIndex = (ushort)session.NamespaceUris.GetIndex("urn:OtOpcUa:alarm-driver");
+
+        _driver.RaiseAlarm(new AlarmEventArgs(
+            new FakeHandle("sub"), "Tank.HiHi", "c", "Active", "first", AlarmSeverity.High,
+            DateTime.UtcNow));
+
+        var attrs = new ReadValueIdCollection
+        {
+            new() { NodeId = new NodeId("Tank.HiHi.Condition", nsIndex), AttributeId = Attributes.DisplayName },
+            new() { NodeId = new NodeId("Heater.OverTemp.Condition", nsIndex), AttributeId = Attributes.DisplayName },
+        };
+        session.Read(null, 0, TimestampsToReturn.Neither, attrs, out var results, out _);
+        results[0].StatusCode.Code.ShouldBe(StatusCodes.Good);
+        results[1].StatusCode.Code.ShouldBe(StatusCodes.Good);
+        ((LocalizedText)results[0].Value).Text.ShouldBe("Tank.HiHi");
+        ((LocalizedText)results[1].Value).Text.ShouldBe("Heater.OverTemp");
+    }
+
+    private async Task<ISession> OpenSessionAsync()
+    {
+        var cfg = new ApplicationConfiguration
+        {
+            ApplicationName = "OtOpcUaAlarmTestClient",
+            ApplicationUri = "urn:OtOpcUa:AlarmTestClient",
+            ApplicationType = ApplicationType.Client,
+            SecurityConfiguration = new SecurityConfiguration
+            {
+                ApplicationCertificate = new CertificateIdentifier
+                {
+                    StoreType = CertificateStoreType.Directory,
+                    StorePath = Path.Combine(_pkiRoot, "client-own"),
+                    SubjectName = "CN=OtOpcUaAlarmTestClient",
+                },
+                TrustedIssuerCertificates = new CertificateTrustList { StoreType = CertificateStoreType.Directory, StorePath = Path.Combine(_pkiRoot, "client-issuers") },
+                TrustedPeerCertificates = new CertificateTrustList { StoreType = CertificateStoreType.Directory, StorePath = Path.Combine(_pkiRoot, "client-trusted") },
+                RejectedCertificateStore = new CertificateTrustList { StoreType = CertificateStoreType.Directory, StorePath = Path.Combine(_pkiRoot, "client-rejected") },
+                AutoAcceptUntrustedCertificates = true,
+                AddAppCertToTrustedStore = true,
+            },
+            TransportConfigurations = new TransportConfigurationCollection(),
+            TransportQuotas = new TransportQuotas { OperationTimeout = 15000 },
+            ClientConfiguration = new ClientConfiguration { DefaultSessionTimeout = 60000 },
+        };
+        await cfg.Validate(ApplicationType.Client);
+        cfg.CertificateValidator.CertificateValidation += (_, e) => e.Accept = true;
+
+        var instance = new ApplicationInstance { ApplicationConfiguration = cfg, ApplicationType = ApplicationType.Client };
+        await instance.CheckApplicationInstanceCertificate(true, CertificateFactory.DefaultKeySize);
+
+        var selected = CoreClientUtils.SelectEndpoint(cfg, _endpoint, useSecurity: false);
+        var endpointConfig = EndpointConfiguration.Create(cfg);
+        var configuredEndpoint = new ConfiguredEndpoint(null, selected, endpointConfig);
+
+        return await Session.Create(cfg, configuredEndpoint, false, "OtOpcUaAlarmTestClientSession", 60000,
+            new UserIdentity(new AnonymousIdentityToken()), null);
+    }
+
+    /// <summary>
+    ///     Stub <see cref="IAlarmSource"/> driver. <see cref="DiscoverAsync"/> emits two alarm-
+    ///     bearing variables (so tag-scoped fan-out can be asserted); <see cref="RaiseAlarm"/>
+    ///     fires <see cref="OnAlarmEvent"/> exactly like a real driver would.
+    /// </summary>
+    private sealed class AlarmDriver : IDriver, ITagDiscovery, IAlarmSource
+    {
+        public string DriverInstanceId => "alarm-driver";
+        public string DriverType => "AlarmStub";
+
+        public event EventHandler<AlarmEventArgs>? OnAlarmEvent;
+
+        public Task InitializeAsync(string driverConfigJson, CancellationToken ct) => Task.CompletedTask;
+        public Task ReinitializeAsync(string driverConfigJson, CancellationToken ct) => Task.CompletedTask;
+        public Task ShutdownAsync(CancellationToken ct) => Task.CompletedTask;
+        public DriverHealth GetHealth() => new(DriverState.Healthy, DateTime.UtcNow, null);
+        public long GetMemoryFootprint() => 0;
+        public Task FlushOptionalCachesAsync(CancellationToken ct) => Task.CompletedTask;
+
+        public Task DiscoverAsync(IAddressSpaceBuilder builder, CancellationToken ct)
+        {
+            var tank = builder.Folder("Tank", "Tank");
+            var hiHi = tank.Variable("HiHi", "HiHi", new DriverAttributeInfo(
+                "Tank.HiHi", DriverDataType.Boolean, false, null,
+                SecurityClassification.FreeAccess, false, IsAlarm: true));
+            hiHi.MarkAsAlarmCondition(new AlarmConditionInfo(
+                "Tank.HiHi", AlarmSeverity.High, "High-high alarm"));
+
+            var heater = builder.Folder("Heater", "Heater");
+            var ot = heater.Variable("OverTemp", "OverTemp", new DriverAttributeInfo(
+                "Heater.OverTemp", DriverDataType.Boolean, false, null,
+                SecurityClassification.FreeAccess, false, IsAlarm: true));
+            ot.MarkAsAlarmCondition(new AlarmConditionInfo(
+                "Heater.OverTemp", AlarmSeverity.Critical, "Over-temperature"));
+            return Task.CompletedTask;
+        }
+
+        public void RaiseAlarm(AlarmEventArgs args) => OnAlarmEvent?.Invoke(this, args);
+
+        public Task<IAlarmSubscriptionHandle> SubscribeAlarmsAsync(
+            IReadOnlyList<string> _, CancellationToken __)
+            => Task.FromResult<IAlarmSubscriptionHandle>(new FakeHandle("sub"));
+
+        public Task UnsubscribeAlarmsAsync(IAlarmSubscriptionHandle _, CancellationToken __)
+            => Task.CompletedTask;
+
+        public Task AcknowledgeAsync(
+            IReadOnlyList<AlarmAcknowledgeRequest> _, CancellationToken __)
+            => Task.CompletedTask;
+    }
+
+    private sealed class FakeHandle(string diagnosticId) : IAlarmSubscriptionHandle
+    {
+        public string DiagnosticId { get; } = diagnosticId;
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Server.Tests/DriverFactoryRegistryTests.cs

@@ -0,0 +1,73 @@
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Core.Hosting;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.Tests;
+
+/// <summary>
+///     Task #248 — covers the <see cref="DriverFactoryRegistry"/> contract that
+///     <see cref="DriverInstanceBootstrapper"/> consumes.
+/// </summary>
+[Trait("Category", "Unit")]
+public sealed class DriverFactoryRegistryTests
+{
+    private static IDriver FakeDriver(string id, string config) => new FakeIDriver(id);
+
+    [Fact]
+    public void Register_then_TryGet_returns_factory()
+    {
+        var r = new DriverFactoryRegistry();
+        r.Register("MyDriver", FakeDriver);
+
+        r.TryGet("MyDriver").ShouldNotBeNull();
+        r.TryGet("Nope").ShouldBeNull();
+    }
+
+    [Fact]
+    public void Register_is_case_insensitive()
+    {
+        var r = new DriverFactoryRegistry();
+        r.Register("Galaxy", FakeDriver);
+        r.TryGet("galaxy").ShouldNotBeNull();
+        r.TryGet("GALAXY").ShouldNotBeNull();
+    }
+
+    [Fact]
+    public void Register_duplicate_type_throws()
+    {
+        var r = new DriverFactoryRegistry();
+        r.Register("Galaxy", FakeDriver);
+        Should.Throw<InvalidOperationException>(() => r.Register("Galaxy", FakeDriver));
+    }
+
+    [Fact]
+    public void Register_null_args_rejected()
+    {
+        var r = new DriverFactoryRegistry();
+        Should.Throw<ArgumentException>(() => r.Register("", FakeDriver));
+        Should.Throw<ArgumentNullException>(() => r.Register("X", null!));
+    }
+
+    [Fact]
+    public void RegisteredTypes_returns_snapshot()
+    {
+        var r = new DriverFactoryRegistry();
+        r.Register("A", FakeDriver);
+        r.Register("B", FakeDriver);
+        r.RegisteredTypes.ShouldContain("A");
+        r.RegisteredTypes.ShouldContain("B");
+    }
+
+    private sealed class FakeIDriver(string id) : IDriver
+    {
+        public string DriverInstanceId => id;
+        public string DriverType => "Fake";
+        public Task InitializeAsync(string _, CancellationToken __) => Task.CompletedTask;
+        public Task ReinitializeAsync(string _, CancellationToken __) => Task.CompletedTask;
+        public Task ShutdownAsync(CancellationToken _) => Task.CompletedTask;
+        public Task FlushOptionalCachesAsync(CancellationToken _) => Task.CompletedTask;
+        public DriverHealth GetHealth() => new(DriverState.Healthy, null, null);
+        public long GetMemoryFootprint() => 0;
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Server.Tests/Phase7/DriverSubscriptionBridgeTests.cs

@@ -0,0 +1,226 @@
+using Microsoft.Extensions.Logging.Abstractions;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Server.Phase7;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.Tests.Phase7;
+
+/// <summary>
+///     Task #244 — covers the bridge that pumps live driver <c>OnDataChange</c>
+///     notifications into the Phase 7 <see cref="CachedTagUpstreamSource"/>.
+/// </summary>
+[Trait("Category", "Unit")]
+public sealed class DriverSubscriptionBridgeTests
+{
+    private sealed class FakeDriver : ISubscribable
+    {
+        public List<IReadOnlyList<string>> SubscribeCalls { get; } = [];
+        public List<ISubscriptionHandle> Unsubscribed { get; } = [];
+        public ISubscriptionHandle? LastHandle { get; private set; }
+        public event EventHandler<DataChangeEventArgs>? OnDataChange;
+
+        public Task<ISubscriptionHandle> SubscribeAsync(
+            IReadOnlyList<string> fullReferences, TimeSpan publishingInterval, CancellationToken cancellationToken)
+        {
+            SubscribeCalls.Add(fullReferences);
+            LastHandle = new Handle($"sub-{SubscribeCalls.Count}");
+            return Task.FromResult(LastHandle);
+        }
+
+        public Task UnsubscribeAsync(ISubscriptionHandle handle, CancellationToken cancellationToken)
+        {
+            Unsubscribed.Add(handle);
+            return Task.CompletedTask;
+        }
+
+        public void Fire(string fullRef, object value)
+        {
+            OnDataChange?.Invoke(this, new DataChangeEventArgs(
+                LastHandle!, fullRef,
+                new DataValueSnapshot(value, 0u, DateTime.UtcNow, DateTime.UtcNow)));
+        }
+
+        private sealed record Handle(string DiagnosticId) : ISubscriptionHandle;
+    }
+
+    [Fact]
+    public async Task StartAsync_calls_SubscribeAsync_with_distinct_fullRefs()
+    {
+        var sink = new CachedTagUpstreamSource();
+        var driver = new FakeDriver();
+        await using var bridge = new DriverSubscriptionBridge(sink, NullLogger<DriverSubscriptionBridge>.Instance);
+
+        await bridge.StartAsync(new[]
+        {
+            new DriverFeed(driver,
+                new Dictionary<string, string>
+                {
+                    ["/Site/L1/A/Temp"] = "DR.Temp",
+                    ["/Site/L1/A/Pressure"] = "DR.Pressure",
+                },
+                TimeSpan.FromSeconds(1)),
+        }, CancellationToken.None);
+
+        driver.SubscribeCalls.Count.ShouldBe(1);
+        driver.SubscribeCalls[0].ShouldContain("DR.Temp");
+        driver.SubscribeCalls[0].ShouldContain("DR.Pressure");
+    }
+
+    [Fact]
+    public async Task OnDataChange_pushes_to_cache_keyed_by_UNS_path()
+    {
+        var sink = new CachedTagUpstreamSource();
+        var driver = new FakeDriver();
+        await using var bridge = new DriverSubscriptionBridge(sink, NullLogger<DriverSubscriptionBridge>.Instance);
+
+        await bridge.StartAsync(new[]
+        {
+            new DriverFeed(driver,
+                new Dictionary<string, string> { ["/Site/L1/A/Temp"] = "DR.Temp" },
+                TimeSpan.FromSeconds(1)),
+        }, CancellationToken.None);
+
+        driver.Fire("DR.Temp", 42.5);
+
+        sink.ReadTag("/Site/L1/A/Temp").Value.ShouldBe(42.5);
+    }
+
+    [Fact]
+    public async Task OnDataChange_with_unmapped_fullRef_is_ignored()
+    {
+        var sink = new CachedTagUpstreamSource();
+        var driver = new FakeDriver();
+        await using var bridge = new DriverSubscriptionBridge(sink, NullLogger<DriverSubscriptionBridge>.Instance);
+
+        await bridge.StartAsync(new[]
+        {
+            new DriverFeed(driver,
+                new Dictionary<string, string> { ["/p"] = "DR.A" },
+                TimeSpan.FromSeconds(1)),
+        }, CancellationToken.None);
+
+        driver.Fire("DR.B", 99);  // not in map
+
+        sink.ReadTag("/p").StatusCode.ShouldBe(CachedTagUpstreamSource.UpstreamNotConfigured,
+            "unmapped fullRef shouldn't pollute the cache");
+    }
+
+    [Fact]
+    public async Task Empty_PathToFullRef_skips_SubscribeAsync_call()
+    {
+        var sink = new CachedTagUpstreamSource();
+        var driver = new FakeDriver();
+        await using var bridge = new DriverSubscriptionBridge(sink, NullLogger<DriverSubscriptionBridge>.Instance);
+
+        await bridge.StartAsync(new[]
+        {
+            new DriverFeed(driver, new Dictionary<string, string>(), TimeSpan.FromSeconds(1)),
+        }, CancellationToken.None);
+
+        driver.SubscribeCalls.ShouldBeEmpty();
+    }
+
+    [Fact]
+    public async Task DisposeAsync_unsubscribes_each_active_subscription()
+    {
+        var sink = new CachedTagUpstreamSource();
+        var driver = new FakeDriver();
+        var bridge = new DriverSubscriptionBridge(sink, NullLogger<DriverSubscriptionBridge>.Instance);
+
+        await bridge.StartAsync(new[]
+        {
+            new DriverFeed(driver,
+                new Dictionary<string, string> { ["/p"] = "DR.A" },
+                TimeSpan.FromSeconds(1)),
+        }, CancellationToken.None);
+
+        await bridge.DisposeAsync();
+
+        driver.Unsubscribed.Count.ShouldBe(1);
+        driver.Unsubscribed[0].ShouldBeSameAs(driver.LastHandle);
+    }
+
+    [Fact]
+    public async Task DisposeAsync_unhooks_OnDataChange_so_post_dispose_events_dont_push()
+    {
+        var sink = new CachedTagUpstreamSource();
+        var driver = new FakeDriver();
+        var bridge = new DriverSubscriptionBridge(sink, NullLogger<DriverSubscriptionBridge>.Instance);
+
+        await bridge.StartAsync(new[]
+        {
+            new DriverFeed(driver,
+                new Dictionary<string, string> { ["/p"] = "DR.A" },
+                TimeSpan.FromSeconds(1)),
+        }, CancellationToken.None);
+
+        await bridge.DisposeAsync();
+        driver.Fire("DR.A", 999);  // post-dispose event
+
+        sink.ReadTag("/p").StatusCode.ShouldBe(CachedTagUpstreamSource.UpstreamNotConfigured);
+    }
+
+    [Fact]
+    public async Task StartAsync_called_twice_throws()
+    {
+        var sink = new CachedTagUpstreamSource();
+        await using var bridge = new DriverSubscriptionBridge(sink, NullLogger<DriverSubscriptionBridge>.Instance);
+        await bridge.StartAsync(Array.Empty<DriverFeed>(), CancellationToken.None);
+
+        await Should.ThrowAsync<InvalidOperationException>(
+            () => bridge.StartAsync(Array.Empty<DriverFeed>(), CancellationToken.None));
+    }
+
+    [Fact]
+    public async Task DisposeAsync_is_idempotent()
+    {
+        var sink = new CachedTagUpstreamSource();
+        var bridge = new DriverSubscriptionBridge(sink, NullLogger<DriverSubscriptionBridge>.Instance);
+        await bridge.DisposeAsync();
+        await bridge.DisposeAsync();  // must not throw
+    }
+
+    [Fact]
+    public async Task Subscribe_failure_unhooks_handler_and_propagates()
+    {
+        var sink = new CachedTagUpstreamSource();
+        var failingDriver = new ThrowingDriver();
+        await using var bridge = new DriverSubscriptionBridge(sink, NullLogger<DriverSubscriptionBridge>.Instance);
+
+        var feeds = new[]
+        {
+            new DriverFeed(failingDriver,
+                new Dictionary<string, string> { ["/p"] = "DR.A" },
+                TimeSpan.FromSeconds(1)),
+        };
+
+        await Should.ThrowAsync<InvalidOperationException>(
+            () => bridge.StartAsync(feeds, CancellationToken.None));
+
+        // Handler should be unhooked — firing now would NPE if it wasn't (event has 0 subs).
+        failingDriver.HasAnyHandlers.ShouldBeFalse(
+            "handler must be removed when SubscribeAsync throws so it doesn't leak");
+    }
+
+    [Fact]
+    public void Null_sink_or_logger_rejected()
+    {
+        Should.Throw<ArgumentNullException>(() => new DriverSubscriptionBridge(null!, NullLogger<DriverSubscriptionBridge>.Instance));
+        Should.Throw<ArgumentNullException>(() => new DriverSubscriptionBridge(new CachedTagUpstreamSource(), null!));
+    }
+
+    private sealed class ThrowingDriver : ISubscribable
+    {
+        private EventHandler<DataChangeEventArgs>? _handler;
+        public bool HasAnyHandlers => _handler is not null;
+        public event EventHandler<DataChangeEventArgs>? OnDataChange
+        {
+            add => _handler = (EventHandler<DataChangeEventArgs>?)Delegate.Combine(_handler, value);
+            remove => _handler = (EventHandler<DataChangeEventArgs>?)Delegate.Remove(_handler, value);
+        }
+        public Task<ISubscriptionHandle> SubscribeAsync(IReadOnlyList<string> _, TimeSpan __, CancellationToken ___) =>
+            throw new InvalidOperationException("driver offline");
+        public Task UnsubscribeAsync(ISubscriptionHandle _, CancellationToken __) => Task.CompletedTask;
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Server.Tests/Phase7/Phase7ComposerMappingTests.cs

@@ -0,0 +1,93 @@
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+using ZB.MOM.WW.OtOpcUa.Core.OpcUa;
+using ZB.MOM.WW.OtOpcUa.Server.Phase7;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.Tests.Phase7;
+
+/// <summary>
+///     Task #246 — covers the deterministic mapping inside <see cref="Phase7Composer"/>
+///     that turns <see cref="EquipmentNamespaceContent"/> into the path → fullRef map
+///     <see cref="DriverFeed.PathToFullRef"/> consumes. Pure function; no DI / DB needed.
+/// </summary>
+[Trait("Category", "Unit")]
+public sealed class Phase7ComposerMappingTests
+{
+    private static UnsArea Area(string id, string name) =>
+        new() { UnsAreaId = id, ClusterId = "c", Name = name, GenerationId = 1 };
+
+    private static UnsLine Line(string id, string areaId, string name) =>
+        new() { UnsLineId = id, UnsAreaId = areaId, Name = name, GenerationId = 1 };
+
+    private static Equipment Eq(string id, string lineId, string name) => new()
+    {
+        EquipmentRowId = Guid.NewGuid(), GenerationId = 1, EquipmentId = id,
+        EquipmentUuid = Guid.NewGuid(), DriverInstanceId = "drv",
+        UnsLineId = lineId, Name = name, MachineCode = "m",
+    };
+
+    private static Tag T(string id, string name, string fullRef, string equipmentId) => new()
+    {
+        TagRowId = Guid.NewGuid(), GenerationId = 1, TagId = id,
+        DriverInstanceId = "drv", EquipmentId = equipmentId,
+        Name = name, DataType = "Float32",
+        AccessLevel = TagAccessLevel.Read, TagConfig = fullRef,
+    };
+
+    [Fact]
+    public void Maps_tag_to_UNS_path_walker_emits()
+    {
+        var content = new EquipmentNamespaceContent(
+            Areas: [Area("a1", "warsaw")],
+            Lines: [Line("l1", "a1", "oven-line")],
+            Equipment: [Eq("e1", "l1", "oven-3")],
+            Tags: [T("t1", "Temp", "DR.Temp", "e1")]);
+
+        var map = Phase7Composer.MapPathsToFullRefs(content);
+
+        map.ShouldContainKeyAndValue("/warsaw/oven-line/oven-3/Temp", "DR.Temp");
+    }
+
+    [Fact]
+    public void Skips_tag_with_null_EquipmentId()
+    {
+        var content = new EquipmentNamespaceContent(
+            [Area("a1", "warsaw")], [Line("l1", "a1", "ol")], [Eq("e1", "l1", "ov")],
+            [T("t1", "Bare", "DR.Bare", null!)]);  // SystemPlatform-style orphan
+
+        Phase7Composer.MapPathsToFullRefs(content).ShouldBeEmpty();
+    }
+
+    [Fact]
+    public void Skips_tag_pointing_at_unknown_Equipment()
+    {
+        var content = new EquipmentNamespaceContent(
+            [Area("a1", "warsaw")], [Line("l1", "a1", "ol")], [Eq("e1", "l1", "ov")],
+            [T("t1", "Lost", "DR.Lost", "e-missing")]);
+
+        Phase7Composer.MapPathsToFullRefs(content).ShouldBeEmpty();
+    }
+
+    [Fact]
+    public void Maps_multiple_tags_under_same_equipment_distinctly()
+    {
+        var content = new EquipmentNamespaceContent(
+            [Area("a1", "site")], [Line("l1", "a1", "line1")], [Eq("e1", "l1", "cell")],
+            [T("t1", "Temp", "DR.T", "e1"), T("t2", "Pressure", "DR.P", "e1")]);
+
+        var map = Phase7Composer.MapPathsToFullRefs(content);
+
+        map.Count.ShouldBe(2);
+        map["/site/line1/cell/Temp"].ShouldBe("DR.T");
+        map["/site/line1/cell/Pressure"].ShouldBe("DR.P");
+    }
+
+    [Fact]
+    public void Empty_content_yields_empty_map()
+    {
+        Phase7Composer.MapPathsToFullRefs(new EquipmentNamespaceContent([], [], [], []))
+            .ShouldBeEmpty();
+    }
+}