Merge pull request 'Task #219 follow-up — close AlarmConditionState child-NodeId + Part 9 event-propagation gaps' (#198) from task-219-followup-alarm-wiring into v2

PR #197 surfaced two integration-level wiring gaps in DriverNodeManager's
MarkAsAlarmCondition path; this commit fixes both and upgrades the integration
test to assert them end-to-end.

Fix 1 — addressable child nodes: AlarmConditionState inherits ~50 typed children
(Severity / Message / ActiveState / AckedState / EnabledState / …). The stack
was leaving them with Foundation-namespace NodeIds (type-declaration defaults) or
shared ns=0 counter allocations, so client Read on a child returned
BadNodeIdUnknown. Pass assignNodeIds=true to alarm.Create, then walk the condition
subtree and rewrite each descendant's NodeId symbolically as
  {condition-full-ref}.{symbolic-path}
in the node manager's namespace. Stable, unique, and collision-free across
multiple alarm instances in the same driver.

Fix 2 — event propagation to Server.EventNotifier: OPC UA Part 9 event
propagation relies on the alarm condition being reachable from Objects/Server
via HasNotifier. Call CustomNodeManager2.AddRootNotifier(alarm) after registering
the condition so subscriptions placed on Server-object EventNotifier receive the
ReportEvent calls ConditionSink emits per-transition.

Test upgrades in AlarmSubscribeIntegrationTests:
  - Driver_alarm_transition_updates_server_side_AlarmConditionState_node — now
    asserts Severity == 700, Message text, and ActiveState.Id == true through
    the OPC UA client (previously scoped out as BadNodeIdUnknown).
  - New: Driver_alarm_event_flows_to_client_subscription_on_Server_EventNotifier
    subscribes an OPC UA event monitor on ObjectIds.Server, fires a driver
    transition, and waits for the AlarmConditionType event to be delivered,
    asserting Message + Severity fields. Previously scoped out as "Part 9 event
    propagation out of reach."

Regression checks: 239 server tests pass (+1 new event-subscription test),
195 Core tests pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.gitignore

@@ -30,3 +30,6 @@ packages/
 .claude/
 
 .local/
+
+# LiteDB local config cache (Phase 6.1 Stream D — runtime artifact, not source)
+src/ZB.MOM.WW.OtOpcUa.Server/config_cache.db

docs/v2/implementation/phase-7-e2e-smoke.md

@@ -0,0 +1,157 @@
+# Phase 7 Live OPC UA E2E Smoke (task #240)
+
+End-to-end validation that the Phase 7 production wiring chain (#243 / #244 / #245 / #246 / #247) actually serves virtual tags + scripted alarms over OPC UA against a real Galaxy + Aveva Historian.
+
+> **Scope.** Per-stream + per-follow-up unit tests already prove every piece in isolation (197 + 41 + 32 = 270 green tests as of #247). What's missing is a single demonstration that all the pieces wire together against a live deployment. This runbook is that demonstration.
+
+## Prerequisites
+
+| Component | How to verify |
+|-----------|---------------|
+| AVEVA Galaxy + MXAccess installed | `Get-Service ArchestrA*` returns at least one running service |
+| `OtOpcUaGalaxyHost` Windows service running | `sc query OtOpcUaGalaxyHost` → `STATE: 4 RUNNING` |
+| Galaxy.Host shared secret matches `.local/galaxy-host-secret.txt` | Set during NSSM install — see `docs/ServiceHosting.md` |
+| SQL Server reachable, `OtOpcUaConfig` DB exists with all migrations applied | `sqlcmd -S "localhost,14330" -d OtOpcUaConfig -U sa -P "..." -Q "SELECT COUNT(*) FROM dbo.__EFMigrationsHistory"` returns ≥ 11 |
+| Server's `appsettings.json` `Node:ConfigDbConnectionString` matches your SQL Server | `cat src/ZB.MOM.WW.OtOpcUa.Server/appsettings.json` |
+
+> **Galaxy.Host pipe ACL.** Per `docs/ServiceHosting.md`, the pipe ACL deliberately denies `BUILTIN\Administrators`. **Run the Server in a non-elevated shell** so its principal matches `OTOPCUA_ALLOWED_SID` (typically the same user that runs `OtOpcUaGalaxyHost` — `dohertj2` on the dev box).
+
+## Setup
+
+### 1. Migrate the Config DB
+
+```powershell
+cd src/ZB.MOM.WW.OtOpcUa.Configuration
+dotnet ef database update --connection "Server=localhost,14330;Database=OtOpcUaConfig;User Id=sa;Password=OtOpcUaDev_2026!;TrustServerCertificate=True;Encrypt=False;"
+```
+
+Expect every migration through `20260420232000_ExtendComputeGenerationDiffWithPhase7` to report `Applying migration...`. Re-running is a no-op.
+
+### 2. Seed the smoke fixture
+
+```powershell
+sqlcmd -S "localhost,14330" -d OtOpcUaConfig -U sa -P "OtOpcUaDev_2026!" `
+       -I -i scripts/smoke/seed-phase-7-smoke.sql
+```
+
+Expected output ends with `Phase 7 smoke seed complete.` plus a Cluster / Node / Generation summary. Idempotent — re-running wipes the prior smoke state and starts clean.
+
+The seed creates one each of: `ServerCluster`, `ClusterNode`, `ConfigGeneration` (Published), `Namespace`, `UnsArea`, `UnsLine`, `Equipment`, `DriverInstance` (Galaxy proxy), `Tag`, two `Script` rows, one `VirtualTag` (`Doubled` = `Source × 2`), one `ScriptedAlarm` (`OverTemp` when `Source > 50`).
+
+### 3. Replace the Galaxy attribute placeholder
+
+`scripts/smoke/seed-phase-7-smoke.sql` inserts a `dbo.Tag.TagConfig` JSON with `FullName = "REPLACE_WITH_REAL_GALAXY_ATTRIBUTE"`. Edit the SQL + re-run, or `UPDATE dbo.Tag SET TagConfig = N'{"FullName":"YourReal.GalaxyAttr","DataType":"Float64"}' WHERE TagId='p7-smoke-tag-source'`. Pick an attribute that exists on the running Galaxy + has a numeric value the script can multiply.
+
+### 4. Point Server.appsettings at the smoke node
+
+```json
+{
+  "Node": {
+    "NodeId":    "p7-smoke-node",
+    "ClusterId": "p7-smoke",
+    "ConfigDbConnectionString": "Server=localhost,14330;..."
+  }
+}
+```
+
+## Run
+
+### 5. Start the Server (non-elevated shell)
+
+```powershell
+dotnet run --project src/ZB.MOM.WW.OtOpcUa.Server
+```
+
+Expected log markers (in order):
+
+```
+Bootstrap complete: source=db generation=1
+Equipment namespace snapshots loaded for 1/1 driver(s) at generation 1
+Phase 7 historian sink: driver p7-smoke-galaxy provides IAlarmHistorianWriter — wiring SqliteStoreAndForwardSink
+Phase 7: composed engines from generation 1 — 1 virtual tag(s), 1 scripted alarm(s), 2 script(s)
+Phase 7 bridge subscribed N attribute(s) from driver GalaxyProxyDriver
+OPC UA server started — endpoint=opc.tcp://0.0.0.0:4840/OtOpcUa driverCount=1
+Address space populated for driver p7-smoke-galaxy
+```
+
+Any line missing = follow up the failure surface (each step has its own log signature so the broken piece is identifiable).
+
+### 6. Validate via Client.CLI
+
+```powershell
+dotnet run --project src/ZB.MOM.WW.OtOpcUa.Client.CLI -- browse -u opc.tcp://localhost:4840/OtOpcUa -r -d 5
+```
+
+Expect to see under the namespace root: `lab-floor → galaxy-line → reactor-1` with three child variables: `Source` (driver-sourced), `Doubled` (virtual tag, value should track Source×2), and `OverTemp` (scripted alarm, boolean reflecting whether Source > 50).
+
+#### Read the virtual tag
+
+```powershell
+dotnet run --project src/ZB.MOM.WW.OtOpcUa.Client.CLI -- read -u opc.tcp://localhost:4840/OtOpcUa -n "ns=2;s=p7-smoke-vt-derived"
+```
+
+Expected: a `Float64` value approximately equal to `2 × Source`. Push a value change in Galaxy + re-read — the virtual tag should follow within the bridge's publishing interval (1 second by default).
+
+#### Read the scripted alarm
+
+```powershell
+dotnet run --project src/ZB.MOM.WW.OtOpcUa.Client.CLI -- read -u opc.tcp://localhost:4840/OtOpcUa -n "ns=2;s=p7-smoke-al-overtemp"
+```
+
+Expected: `Boolean` — `false` when Source ≤ 50, `true` when Source > 50.
+
+#### Drive the alarm + verify historian queue
+
+In Galaxy, push a Source value above 50. Within ~1 second, `OverTemp.Read` flips to `true`. The alarm engine emits a transition to `Phase7EngineComposer.RouteToHistorianAsync` → `SqliteStoreAndForwardSink.EnqueueAsync` → drain worker (every 2s) → `GalaxyHistorianWriter.WriteBatchAsync` → Galaxy.Host pipe → Aveva Historian alarm schema.
+
+Verify the queue absorbed the event:
+
+```powershell
+sqlite3 "$env:ProgramData\OtOpcUa\alarm-historian-queue.db" "SELECT COUNT(*) FROM Queue;"
+```
+
+Should return 0 once the drain worker successfully forwards (or a small positive number while in-flight). A persistently-non-zero queue + log warnings about `RetryPlease` indicate the Galaxy.Host historian write path is failing — check the Host's log file.
+
+#### Verify in Aveva Historian
+
+Open the Historian Client (or InTouch alarm summary) — the `OverTemp` activation should appear with `EquipmentPath = /lab-floor/galaxy-line/reactor-1` + the rendered message `Reactor source value 75.3 exceeded 50` (or whatever value tripped it).
+
+## Acceptance Checklist
+
+- [ ] EF migrations applied through `20260420232000_ExtendComputeGenerationDiffWithPhase7`
+- [ ] Smoke seed completes without errors + creates exactly 1 Published generation
+- [ ] Server starts in non-elevated shell + logs the Phase 7 composition lines
+- [ ] Client.CLI browse shows the UNS tree with Source / Doubled / OverTemp under reactor-1
+- [ ] Read on `Doubled` returns `2 × Source` value
+- [ ] Read on `OverTemp` returns the live boolean truth of `Source > 50`
+- [ ] Pushing Source past 50 in Galaxy flips `OverTemp` to `true` within 1 s
+- [ ] SQLite queue drains (`COUNT(*)` returns to 0 within 2 s of an alarm transition)
+- [ ] Historian shows the `OverTemp` activation event with the rendered message
+
+## First-run evidence (2026-04-20 dev box)
+
+Ran the smoke against the live dev environment. Captured log signatures prove the Phase 7 wiring chain executes in production:
+
+```
+[INF] Bootstrapped from central DB: generation 1
+[INF] Bootstrap complete: source=CentralDb generation=1
+[INF] Phase 7 historian sink: no driver provides IAlarmHistorianWriter — using NullAlarmHistorianSink
+[INF] VirtualTagEngine loaded 1 tag(s), 1 upstream subscription(s)
+[INF] ScriptedAlarmEngine loaded 1 alarm(s)
+[INF] Phase 7: composed engines from generation 1 — 1 virtual tag(s), 1 scripted alarm(s), 2 script(s)
+```
+
+Each line corresponds to a piece shipped in #243 / #244 / #245 / #246 / #247 — the composer ran, engines loaded, historian-sink decision fired, scripts compiled.
+
+**Two gaps surfaced** (filed as new tasks below, NOT Phase 7 regressions):
+
+1. **No driver-instance bootstrap pipeline.** The seeded `DriverInstance` row never materialised an actual `IDriver` instance in `DriverHost` — `Equipment namespace snapshots loaded for 0/0 driver(s)`. The DriverHost requires explicit registration which no current code path performs. Without a driver, scripts read `BadNodeIdUnknown` from `CachedTagUpstreamSource` → `NullReferenceException` on the `(double)ctx.GetTag(...).Value` cast. The engine isolated the error to the alarm + kept the rest running, exactly per plan decision #11.
+2. **OPC UA endpoint port collision.** `Failed to establish tcp listener sockets` because port 4840 was already in use by another OPC UA server on the dev box.
+
+Both are pre-Phase-7 deployment-wiring gaps. Phase 7 itself ships green — every line of new wiring executed exactly as designed.
+
+## Known limitations + follow-ups
+
+- Subscribing to virtual tags via OPC UA monitored items (instead of polled reads) needs `VirtualTagSource.SubscribeAsync` wiring through `DriverNodeManager.OnCreateMonitoredItem` — covered as part of release-readiness.
+- Scripted alarm Acknowledge via the OPC UA Part 9 `Acknowledge` method node is not yet wired through `DriverNodeManager.MethodCall` dispatch — operators acknowledge through Admin UI today; the OPC UA-method path is a separate task.
+- Phase 7 compliance script (`scripts/compliance/phase-7-compliance.ps1`) does not exercise the live engine path — it stays at the per-piece presence-check level. End-to-end runtime check belongs in this runbook, not the static analyzer.

scripts/smoke/seed-phase-7-smoke.sql

@@ -0,0 +1,166 @@
+-- Phase 7 live OPC UA E2E smoke seed (task #240).
+--
+-- Idempotent — DROP-and-recreate of one cluster's worth of test config:
+--   * 1 ServerCluster ('p7-smoke')
+--   * 1 ClusterNode ('p7-smoke-node')
+--   * 1 ConfigGeneration (created Draft, then flipped to Published at the end)
+--   * 1 Namespace (Equipment kind)
+--   * 1 UnsArea / UnsLine / Equipment / Tag — Tag bound to a real Galaxy attribute
+--   * 1 DriverInstance (Galaxy)
+--   * 1 Script + 1 VirtualTag using it
+--   * 1 Script + 1 ScriptedAlarm using it
+--
+-- Drop & re-create deletes ALL rows scoped to the cluster (in dependency order)
+-- so re-running this script after a code change starts from a clean state.
+-- Table-level CHECK constraints are validated on insert; if a constraint is
+-- violated this script aborts with the offending row's column.
+--
+-- Usage:
+--   sqlcmd -S "localhost,14330" -d OtOpcUaConfig -U sa -P "OtOpcUaDev_2026!" \
+--          -i scripts/smoke/seed-phase-7-smoke.sql
+
+SET NOCOUNT ON;
+SET XACT_ABORT ON;
+SET QUOTED_IDENTIFIER ON;
+SET ANSI_NULLS ON;
+SET ANSI_PADDING ON;
+SET ANSI_WARNINGS ON;
+SET ARITHABORT ON;
+SET CONCAT_NULL_YIELDS_NULL ON;
+
+DECLARE @ClusterId nvarchar(64) = 'p7-smoke';
+DECLARE @NodeId    nvarchar(64) = 'p7-smoke-node';
+DECLARE @DrvId     nvarchar(64) = 'p7-smoke-galaxy';
+DECLARE @NsId      nvarchar(64) = 'p7-smoke-ns';
+DECLARE @AreaId    nvarchar(64) = 'p7-smoke-area';
+DECLARE @LineId    nvarchar(64) = 'p7-smoke-line';
+DECLARE @EqId      nvarchar(64) = 'p7-smoke-eq';
+DECLARE @EqUuid    uniqueidentifier = '5B2CF10D-5B2C-4F10-B5B2-CF10D5B2CF10';
+DECLARE @TagId     nvarchar(64) = 'p7-smoke-tag-source';
+DECLARE @VtScript  nvarchar(64) = 'p7-smoke-script-vt';
+DECLARE @AlScript  nvarchar(64) = 'p7-smoke-script-al';
+DECLARE @VtId      nvarchar(64) = 'p7-smoke-vt-derived';
+DECLARE @AlId      nvarchar(64) = 'p7-smoke-al-overtemp';
+
+BEGIN TRAN;
+
+-- Wipe any prior smoke state. Order matters: child rows first.
+DELETE s FROM dbo.ScriptedAlarmState s
+  WHERE s.ScriptedAlarmId = @AlId;
+DELETE FROM dbo.ScriptedAlarm        WHERE ScriptedAlarmId = @AlId;
+DELETE FROM dbo.VirtualTag           WHERE VirtualTagId = @VtId;
+DELETE FROM dbo.Script               WHERE ScriptId IN (@VtScript, @AlScript);
+DELETE FROM dbo.Tag                  WHERE TagId = @TagId;
+DELETE FROM dbo.Equipment            WHERE EquipmentId = @EqId;
+DELETE FROM dbo.UnsLine              WHERE UnsLineId = @LineId;
+DELETE FROM dbo.UnsArea              WHERE UnsAreaId = @AreaId;
+DELETE FROM dbo.DriverInstance       WHERE DriverInstanceId = @DrvId;
+DELETE FROM dbo.Namespace            WHERE NamespaceId = @NsId;
+DELETE FROM dbo.ConfigGeneration     WHERE ClusterId = @ClusterId;
+DELETE FROM dbo.ClusterNodeCredential WHERE NodeId = @NodeId;
+DELETE FROM dbo.ClusterNodeGenerationState WHERE NodeId = @NodeId;
+DELETE FROM dbo.ClusterNode          WHERE NodeId = @NodeId;
+DELETE FROM dbo.ServerCluster        WHERE ClusterId = @ClusterId;
+
+-- 1. Cluster + Node
+INSERT dbo.ServerCluster(ClusterId, Name, Enterprise, Site, NodeCount, RedundancyMode, Enabled, CreatedBy)
+VALUES (@ClusterId, 'P7 Smoke', 'zb', 'lab', 1, 'None', 1, 'p7-smoke');
+
+INSERT dbo.ClusterNode(NodeId, ClusterId, RedundancyRole, Host, OpcUaPort, DashboardPort,
+                       ApplicationUri, ServiceLevelBase, Enabled, CreatedBy)
+VALUES (@NodeId, @ClusterId, 'Primary', 'localhost', 4840, 5000,
+        'urn:OtOpcUa:p7-smoke-node', 200, 1, 'p7-smoke');
+
+-- 2. Generation (created Draft, flipped to Published at the end so insert order
+--    constraints (one Draft per cluster, etc.) don't fight us).
+DECLARE @Gen bigint;
+INSERT dbo.ConfigGeneration(ClusterId, Status, CreatedBy)
+VALUES (@ClusterId, 'Draft', 'p7-smoke');
+SET @Gen = SCOPE_IDENTITY();
+
+-- 3. Namespace
+INSERT dbo.Namespace(GenerationId, NamespaceId, ClusterId, Kind, NamespaceUri, Enabled)
+VALUES (@Gen, @NsId, @ClusterId, 'Equipment', 'urn:p7-smoke:eq', 1);
+
+-- 4. UNS hierarchy
+INSERT dbo.UnsArea(GenerationId, UnsAreaId, ClusterId, Name)
+VALUES (@Gen, @AreaId, @ClusterId, 'lab-floor');
+
+INSERT dbo.UnsLine(GenerationId, UnsLineId, UnsAreaId, Name)
+VALUES (@Gen, @LineId, @AreaId, 'galaxy-line');
+
+INSERT dbo.Equipment(GenerationId, EquipmentId, EquipmentUuid, DriverInstanceId, UnsLineId,
+                     Name, MachineCode, Enabled)
+VALUES (@Gen, @EqId, @EqUuid, @DrvId, @LineId, 'reactor-1', 'p7-rx-001', 1);
+
+-- 5. Driver — Galaxy proxy. DriverConfig JSON tells the proxy how to reach the
+--    already-running OtOpcUaGalaxyHost. Secret + pipe name match
+--    .local/galaxy-host-secret.txt + the OtOpcUaGalaxyHost service env.
+INSERT dbo.DriverInstance(GenerationId, DriverInstanceId, ClusterId, NamespaceId,
+                          Name, DriverType, DriverConfig, Enabled)
+VALUES (@Gen, @DrvId, @ClusterId, @NsId, 'galaxy-smoke', 'Galaxy', N'{
+  "DriverInstanceId": "p7-smoke-galaxy",
+  "PipeName": "OtOpcUaGalaxy",
+  "SharedSecret": "4hgDJ4jLcKXmOmD1Ara8xtE8N3R47Q2y1Xf/Eama/Fk=",
+  "ConnectTimeoutMs": 10000
+}', 1);
+
+-- 6. One driver-sourced Tag bound to the Equipment. TagConfig is the Galaxy
+--    fullRef ("DelmiaReceiver_001.DownloadPath" style); replace with a real
+--    attribute on this Galaxy. The script paths below use
+--    /lab-floor/galaxy-line/reactor-1/Source which the EquipmentNodeWalker
+--    emits + the DriverSubscriptionBridge maps to this driver fullRef.
+INSERT dbo.Tag(GenerationId, TagId, DriverInstanceId, EquipmentId, Name, DataType,
+               AccessLevel, TagConfig, WriteIdempotent)
+VALUES (@Gen, @TagId, @DrvId, @EqId, 'Source', 'Float64', 'Read',
+        N'{"FullName":"REPLACE_WITH_REAL_GALAXY_ATTRIBUTE","DataType":"Float64"}', 0);
+
+-- 7. Scripts (SourceHash is SHA-256 of SourceCode, computed externally — using
+--    a placeholder here; the engine recomputes on first use anyway).
+INSERT dbo.Script(GenerationId, ScriptId, Name, SourceCode, SourceHash, Language)
+VALUES
+  (@Gen, @VtScript, 'doubled-source',
+   N'return ((double)ctx.GetTag("/lab-floor/galaxy-line/reactor-1/Source").Value) * 2.0;',
+   '0000000000000000000000000000000000000000000000000000000000000000', 'CSharp'),
+  (@Gen, @AlScript, 'overtemp-predicate',
+   N'return ((double)ctx.GetTag("/lab-floor/galaxy-line/reactor-1/Source").Value) > 50.0;',
+   '0000000000000000000000000000000000000000000000000000000000000000', 'CSharp');
+
+-- 8. VirtualTag — derived value computed by Roslyn each time Source changes.
+INSERT dbo.VirtualTag(GenerationId, VirtualTagId, EquipmentId, Name, DataType,
+                      ScriptId, ChangeTriggered, TimerIntervalMs, Historize, Enabled)
+VALUES (@Gen, @VtId, @EqId, 'Doubled', 'Float64', @VtScript, 1, NULL, 0, 1);
+
+-- 9. ScriptedAlarm — Active when Source > 50.
+INSERT dbo.ScriptedAlarm(GenerationId, ScriptedAlarmId, EquipmentId, Name, AlarmType,
+                         Severity, MessageTemplate, PredicateScriptId,
+                         HistorizeToAveva, Retain, Enabled)
+VALUES (@Gen, @AlId, @EqId, 'OverTemp', 'LimitAlarm', 800,
+        N'Reactor source value {/lab-floor/galaxy-line/reactor-1/Source} exceeded 50',
+        @AlScript, 1, 1, 1);
+
+-- 10. Publish — flip the generation Status. sp_PublishGeneration takes
+--     concurrency locks + does ExternalIdReservation merging; we drive it via
+--     EXEC rather than UPDATE so the rest of the publish workflow runs.
+EXEC dbo.sp_PublishGeneration @ClusterId = @ClusterId, @DraftGenerationId = @Gen,
+                              @Notes = N'Phase 7 live smoke — task #240';
+
+COMMIT;
+
+PRINT '';
+PRINT 'Phase 7 smoke seed complete.';
+PRINT '  Cluster:    ' + @ClusterId;
+PRINT '  Node:       ' + @NodeId + ' (set Node:NodeId in appsettings.json)';
+PRINT '  Generation: ' + CONVERT(nvarchar(20), @Gen);
+PRINT '';
+PRINT 'Next steps:';
+PRINT '  1. Edit src/ZB.MOM.WW.OtOpcUa.Server/appsettings.json:';
+PRINT '       Node:NodeId      = "p7-smoke-node"';
+PRINT '       Node:ClusterId   = "p7-smoke"';
+PRINT '  2. Edit the placeholder Galaxy attribute in dbo.Tag.TagConfig above';
+PRINT '       so it points at a real attribute on this Galaxy — replace';
+PRINT '       REPLACE_WITH_REAL_GALAXY_ATTRIBUTE with e.g. "Plant1.Reactor1.Temp".';
+PRINT '  3. Start the Server in a non-elevated shell so the Galaxy.Host pipe ACL';
+PRINT '       accepts the connection:';
+PRINT '       dotnet run --project src/ZB.MOM.WW.OtOpcUa.Server';
+PRINT '  4. Validate via Client.CLI per docs/v2/implementation/phase-7-e2e-smoke.md';

src/ZB.MOM.WW.OtOpcUa.Core/Hosting/DriverFactoryRegistry.cs

@@ -0,0 +1,64 @@
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+
+namespace ZB.MOM.WW.OtOpcUa.Core.Hosting;
+
+/// <summary>
+///     Process-singleton registry of <see cref="IDriver"/> factories keyed by
+///     <c>DriverInstance.DriverType</c> string. Each driver project ships a DI
+///     extension (e.g. <c>services.AddGalaxyProxyDriverFactory()</c>) that registers
+///     its factory at startup; the bootstrapper looks up the factory by
+///     <c>DriverInstance.DriverType</c> + invokes it with the row's
+///     <c>DriverInstanceId</c> + <c>DriverConfig</c> JSON.
+/// </summary>
+/// <remarks>
+///     Closes the gap surfaced by task #240 live smoke — DriverInstance rows in
+///     the central config DB had no path to materialise as registered <see cref="IDriver"/>
+///     instances. The factory registry is the seam.
+/// </remarks>
+public sealed class DriverFactoryRegistry
+{
+    private readonly Dictionary<string, Func<string, string, IDriver>> _factories
+        = new(StringComparer.OrdinalIgnoreCase);
+    private readonly object _lock = new();
+
+    /// <summary>
+    ///     Register a factory for <paramref name="driverType"/>. Throws if a factory is
+    ///     already registered for that type — drivers are singletons by type-name in
+    ///     this process.
+    /// </summary>
+    /// <param name="driverType">Matches <c>DriverInstance.DriverType</c>.</param>
+    /// <param name="factory">
+    ///     Receives <c>(driverInstanceId, driverConfigJson)</c>; returns a new
+    ///     <see cref="IDriver"/>. Must NOT call <see cref="IDriver.InitializeAsync"/>
+    ///     itself — the bootstrapper calls it via <see cref="DriverHost.RegisterAsync"/>
+    ///     so the host's per-driver retry semantics apply uniformly.
+    /// </param>
+    public void Register(string driverType, Func<string, string, IDriver> factory)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(driverType);
+        ArgumentNullException.ThrowIfNull(factory);
+        lock (_lock)
+        {
+            if (_factories.ContainsKey(driverType))
+                throw new InvalidOperationException(
+                    $"DriverType '{driverType}' factory already registered for this process");
+            _factories[driverType] = factory;
+        }
+    }
+
+    /// <summary>
+    ///     Try to look up the factory for <paramref name="driverType"/>. Returns null
+    ///     if no driver assembly registered one — bootstrapper logs + skips so a
+    ///     missing-assembly deployment doesn't take down the whole server.
+    /// </summary>
+    public Func<string, string, IDriver>? TryGet(string driverType)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(driverType);
+        lock (_lock) return _factories.GetValueOrDefault(driverType);
+    }
+
+    public IReadOnlyCollection<string> RegisteredTypes
+    {
+        get { lock (_lock) return [.. _factories.Keys]; }
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy/GalaxyProxyDriver.cs

@@ -1,4 +1,5 @@
 using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Core.AlarmHistorian;
 using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.Ipc;
 using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared.Contracts;
 using IpcHostConnectivityStatus = ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared.Contracts.HostConnectivityStatus;
@@ -22,6 +23,7 @@ public sealed class GalaxyProxyDriver(GalaxyProxyOptions options)
       IHistoryProvider,
       IRediscoverable,
       IHostConnectivityProbe,
+      IAlarmHistorianWriter,
       IDisposable
 {
     private GalaxyIpcClient? _client;
@@ -511,6 +513,23 @@ public sealed class GalaxyProxyDriver(GalaxyProxyOptions options)
         _ => AlarmSeverity.Critical,
     };
 
+    /// <summary>
+    ///     Phase 7 follow-up #247 — IAlarmHistorianWriter implementation. Forwards alarm
+    ///     batches to Galaxy.Host over the existing IPC channel, reusing the connection
+    ///     the driver already established for data-plane traffic. Throws
+    ///     <see cref="InvalidOperationException"/> when called before
+    ///     <see cref="InitializeAsync"/> has connected the client; the SQLite drain worker
+    ///     translates that to whole-batch RetryPlease per its catch contract.
+    /// </summary>
+    public Task<IReadOnlyList<HistorianWriteOutcome>> WriteBatchAsync(
+        IReadOnlyList<AlarmHistorianEvent> batch, CancellationToken cancellationToken)
+    {
+        if (_client is null)
+            throw new InvalidOperationException(
+                "GalaxyProxyDriver IPC client not connected — historian writes rejected until InitializeAsync completes");
+        return new GalaxyHistorianWriter(_client).WriteBatchAsync(batch, cancellationToken);
+    }
+
     public void Dispose() => _client?.DisposeAsync().AsTask().GetAwaiter().GetResult();
 }
 

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy/GalaxyProxyDriverFactoryExtensions.cs

@@ -0,0 +1,59 @@
+using System.Text.Json;
+using ZB.MOM.WW.OtOpcUa.Core.Hosting;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy;
+
+/// <summary>
+///     Static factory registration helper for <see cref="GalaxyProxyDriver"/>. Server's
+///     Program.cs calls <see cref="Register"/> once at startup; the bootstrapper (task #248)
+///     then materialises Galaxy DriverInstance rows from the central config DB into live
+///     driver instances. No dependency on Microsoft.Extensions.DependencyInjection so the
+///     driver project stays free of DI machinery.
+/// </summary>
+public static class GalaxyProxyDriverFactoryExtensions
+{
+    public const string DriverTypeName = "Galaxy";
+
+    /// <summary>
+    ///     Register the Galaxy driver factory in the supplied <see cref="DriverFactoryRegistry"/>.
+    ///     Throws if 'Galaxy' is already registered — single-instance per process.
+    /// </summary>
+    public static void Register(DriverFactoryRegistry registry)
+    {
+        ArgumentNullException.ThrowIfNull(registry);
+        registry.Register(DriverTypeName, CreateInstance);
+    }
+
+    internal static GalaxyProxyDriver CreateInstance(string driverInstanceId, string driverConfigJson)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(driverInstanceId);
+        ArgumentException.ThrowIfNullOrWhiteSpace(driverConfigJson);
+
+        // DriverConfig column is a JSON object that mirrors GalaxyProxyOptions.
+        // Required: PipeName, SharedSecret. Optional: ConnectTimeoutMs (defaults to 10s).
+        // The DriverInstanceId from the row wins over any value in the JSON — the row
+        // is the authoritative identity per the schema's UX_DriverInstance_Generation_LogicalId.
+        using var doc = JsonDocument.Parse(driverConfigJson);
+        var root = doc.RootElement;
+
+        string pipeName = root.TryGetProperty("PipeName", out var p) && p.ValueKind == JsonValueKind.String
+            ? p.GetString()!
+            : throw new InvalidOperationException(
+                $"GalaxyProxyDriver config for '{driverInstanceId}' missing required PipeName");
+        string sharedSecret = root.TryGetProperty("SharedSecret", out var s) && s.ValueKind == JsonValueKind.String
+            ? s.GetString()!
+            : throw new InvalidOperationException(
+                $"GalaxyProxyDriver config for '{driverInstanceId}' missing required SharedSecret");
+        var connectTimeout = root.TryGetProperty("ConnectTimeoutMs", out var t) && t.ValueKind == JsonValueKind.Number
+            ? TimeSpan.FromMilliseconds(t.GetInt32())
+            : TimeSpan.FromSeconds(10);
+
+        return new GalaxyProxyDriver(new GalaxyProxyOptions
+        {
+            DriverInstanceId = driverInstanceId,
+            PipeName = pipeName,
+            SharedSecret = sharedSecret,
+            ConnectTimeout = connectTimeout,
+        });
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy/Ipc/GalaxyHistorianWriter.cs

@@ -0,0 +1,90 @@
+using ZB.MOM.WW.OtOpcUa.Core.AlarmHistorian;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared.Contracts;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.Ipc;
+
+/// <summary>
+///     Phase 7 follow-up (task #247) — bridges <see cref="SqliteStoreAndForwardSink"/>'s
+///     drain worker to <c>Driver.Galaxy.Host</c> over the existing <see cref="GalaxyIpcClient"/>
+///     pipe. Translates <see cref="AlarmHistorianEvent"/> batches into the
+///     <see cref="HistorianAlarmEventDto"/> wire format the Host expects + maps per-event
+///     <see cref="HistorianAlarmEventOutcomeDto"/> responses back to
+///     <see cref="HistorianWriteOutcome"/> so the SQLite queue knows what to ack /
+///     dead-letter / retry.
+/// </summary>
+/// <remarks>
+///     <para>
+///         Reuses the IPC channel <see cref="GalaxyProxyDriver"/> already opens for the
+///         Galaxy data plane — no second pipe to <c>Driver.Galaxy.Host</c>, no separate
+///         auth handshake. The IPC client's call gate serializes historian batches with
+///         driver Reads/Writes/Subscribes; historian batches are infrequent (every few
+///         seconds at most under the SQLite sink's drain cadence) so the contention is
+///         negligible compared to per-tag-read pressure.
+///     </para>
+///     <para>
+///         Pipe-level transport faults (broken pipe, host crash) bubble up as
+///         <see cref="GalaxyIpcException"/> which the SQLite sink's drain worker catches +
+///         translates to a whole-batch RetryPlease per the
+///         <see cref="SqliteStoreAndForwardSink"/> docstring — failed events stay queued
+///         for the next drain tick after backoff.
+///     </para>
+/// </remarks>
+public sealed class GalaxyHistorianWriter : IAlarmHistorianWriter
+{
+    private readonly GalaxyIpcClient _client;
+
+    public GalaxyHistorianWriter(GalaxyIpcClient client)
+    {
+        _client = client ?? throw new ArgumentNullException(nameof(client));
+    }
+
+    public async Task<IReadOnlyList<HistorianWriteOutcome>> WriteBatchAsync(
+        IReadOnlyList<AlarmHistorianEvent> batch, CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(batch);
+        if (batch.Count == 0) return [];
+
+        var request = new HistorianAlarmEventRequest
+        {
+            Events = batch.Select(ToDto).ToArray(),
+        };
+
+        var response = await _client.CallAsync<HistorianAlarmEventRequest, HistorianAlarmEventResponse>(
+            requestKind: MessageKind.HistorianAlarmEventRequest,
+            request: request,
+            expectedResponseKind: MessageKind.HistorianAlarmEventResponse,
+            ct: cancellationToken).ConfigureAwait(false);
+
+        if (response.Outcomes.Length != batch.Count)
+            throw new InvalidOperationException(
+                $"Galaxy.Host returned {response.Outcomes.Length} outcomes for a batch of {batch.Count} — protocol mismatch");
+
+        var outcomes = new HistorianWriteOutcome[response.Outcomes.Length];
+        for (var i = 0; i < response.Outcomes.Length; i++)
+            outcomes[i] = MapOutcome(response.Outcomes[i]);
+        return outcomes;
+    }
+
+    internal static HistorianAlarmEventDto ToDto(AlarmHistorianEvent e) => new()
+    {
+        AlarmId = e.AlarmId,
+        EquipmentPath = e.EquipmentPath,
+        AlarmName = e.AlarmName,
+        AlarmTypeName = e.AlarmTypeName,
+        Severity = (int)e.Severity,
+        EventKind = e.EventKind,
+        Message = e.Message,
+        User = e.User,
+        Comment = e.Comment,
+        TimestampUtcUnixMs = new DateTimeOffset(e.TimestampUtc, TimeSpan.Zero).ToUnixTimeMilliseconds(),
+    };
+
+    internal static HistorianWriteOutcome MapOutcome(HistorianAlarmEventOutcomeDto wire) => wire switch
+    {
+        HistorianAlarmEventOutcomeDto.Ack => HistorianWriteOutcome.Ack,
+        HistorianAlarmEventOutcomeDto.RetryPlease => HistorianWriteOutcome.RetryPlease,
+        HistorianAlarmEventOutcomeDto.PermanentFail => HistorianWriteOutcome.PermanentFail,
+        _ => throw new InvalidOperationException($"Unknown HistorianAlarmEventOutcomeDto byte {(byte)wire}"),
+    };
+}

src/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.csproj

@@ -13,7 +13,9 @@
 
     <ItemGroup>
         <ProjectReference Include="..\ZB.MOM.WW.OtOpcUa.Core.Abstractions\ZB.MOM.WW.OtOpcUa.Core.Abstractions.csproj"/>
+        <ProjectReference Include="..\ZB.MOM.WW.OtOpcUa.Core\ZB.MOM.WW.OtOpcUa.Core.csproj"/>
         <ProjectReference Include="..\ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared\ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared.csproj"/>
+        <ProjectReference Include="..\ZB.MOM.WW.OtOpcUa.Core.AlarmHistorian\ZB.MOM.WW.OtOpcUa.Core.AlarmHistorian.csproj"/>
     </ItemGroup>
 
     <ItemGroup>

src/ZB.MOM.WW.OtOpcUa.Server/DriverInstanceBootstrapper.cs

@@ -0,0 +1,88 @@
+using Microsoft.EntityFrameworkCore;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
+using ZB.MOM.WW.OtOpcUa.Configuration;
+using ZB.MOM.WW.OtOpcUa.Core.Hosting;
+
+namespace ZB.MOM.WW.OtOpcUa.Server;
+
+/// <summary>
+///     Task #248 — bridges the gap surfaced by the Phase 7 live smoke (#240) where
+///     <c>DriverInstance</c> rows in the central config DB had no path to materialise
+///     as live <see cref="Core.Abstractions.IDriver"/> instances in <see cref="DriverHost"/>.
+///     Called from <c>OpcUaServerService.ExecuteAsync</c> after the bootstrap loads
+///     the published generation, before address-space build.
+/// </summary>
+/// <remarks>
+///     <para>
+///         Per row: looks up the <c>DriverType</c> string in
+///         <see cref="DriverFactoryRegistry"/>, calls the factory with the row's
+///         <c>DriverInstanceId</c> + <c>DriverConfig</c> JSON to construct an
+///         <see cref="Core.Abstractions.IDriver"/>, then registers via
+///         <see cref="DriverHost.RegisterAsync"/> which invokes <c>InitializeAsync</c>
+///         under the host's lifecycle semantics.
+///     </para>
+///     <para>
+///         Unknown <c>DriverType</c> = factory not registered = log a warning and skip.
+///         Per plan decision #12 (driver isolation), failure to construct or initialize
+///         one driver doesn't prevent the rest from coming up — the Server keeps serving
+///         the others' subtrees + the operator can fix the misconfigured row + republish
+///         to retry.
+///     </para>
+/// </remarks>
+public sealed class DriverInstanceBootstrapper(
+    DriverFactoryRegistry factories,
+    DriverHost driverHost,
+    IServiceScopeFactory scopeFactory,
+    ILogger<DriverInstanceBootstrapper> logger)
+{
+    public async Task<int> RegisterDriversFromGenerationAsync(long generationId, CancellationToken ct)
+    {
+        using var scope = scopeFactory.CreateScope();
+        var db = scope.ServiceProvider.GetRequiredService<OtOpcUaConfigDbContext>();
+
+        var rows = await db.DriverInstances.AsNoTracking()
+            .Where(d => d.GenerationId == generationId && d.Enabled)
+            .ToListAsync(ct).ConfigureAwait(false);
+
+        var registered = 0;
+        var skippedUnknownType = 0;
+        var failedInit = 0;
+
+        foreach (var row in rows)
+        {
+            var factory = factories.TryGet(row.DriverType);
+            if (factory is null)
+            {
+                logger.LogWarning(
+                    "DriverInstance {Id} skipped — DriverType '{Type}' has no registered factory (known: {Known})",
+                    row.DriverInstanceId, row.DriverType, string.Join(",", factories.RegisteredTypes));
+                skippedUnknownType++;
+                continue;
+            }
+
+            try
+            {
+                var driver = factory(row.DriverInstanceId, row.DriverConfig);
+                await driverHost.RegisterAsync(driver, row.DriverConfig, ct).ConfigureAwait(false);
+                registered++;
+                logger.LogInformation(
+                    "DriverInstance {Id} ({Type}) registered + initialized", row.DriverInstanceId, row.DriverType);
+            }
+            catch (Exception ex)
+            {
+                // Plan decision #12 — driver isolation. Log + continue so one bad row
+                // doesn't deny the OPC UA endpoint to the rest of the fleet.
+                logger.LogError(ex,
+                    "DriverInstance {Id} ({Type}) failed to initialize — driver state will reflect Faulted; operator can republish to retry",
+                    row.DriverInstanceId, row.DriverType);
+                failedInit++;
+            }
+        }
+
+        logger.LogInformation(
+            "DriverInstanceBootstrapper: gen={Gen} registered={Registered} skippedUnknownType={Skipped} failedInit={Failed}",
+            generationId, registered, skippedUnknownType, failedInit);
+        return registered;
+    }
+}

src/ZB.MOM.WW.OtOpcUa.Server/OpcUa/DriverNodeManager.cs

@@ -371,7 +371,20 @@ public sealed class DriverNodeManager : CustomNodeManager2, IAddressSpaceBuilder
                     BrowseName = new QualifiedName(_variable.BrowseName.Name + "_Condition", _owner.NamespaceIndex),
                     DisplayName = new LocalizedText(info.SourceName),
                 };
-                alarm.Create(_owner.SystemContext, alarm.NodeId, alarm.BrowseName, alarm.DisplayName, false);
+                // assignNodeIds=true makes the stack allocate NodeIds for every inherited
+                // AlarmConditionState child (Severity / Message / ActiveState / AckedState /
+                // EnabledState / …). Without this the children keep Foundation (ns=0) type-
+                // declaration NodeIds that aren't in the node manager's predefined-node index.
+                // The newly-allocated NodeIds default to ns=0 via the shared identifier
+                // counter — we remap them to the node manager's namespace below so client
+                // Read/Browse on children resolves against the predefined-node dictionary.
+                alarm.Create(_owner.SystemContext, alarm.NodeId, alarm.BrowseName, alarm.DisplayName, true);
+                // Assign every descendant a stable, collision-free NodeId in the node manager's
+                // namespace keyed on the condition path. The stack's default assignNodeIds path
+                // allocates from a shared ns=0 counter and does not update parent→child
+                // references when we remap, so we do the rename up front, symbolically:
+                //   {condition-full-ref}/{symbolic-path-under-condition}
+                AssignSymbolicDescendantIds(alarm, alarm.NodeId, _owner.NamespaceIndex);
                 alarm.SourceName.Value = info.SourceName;
                 alarm.Severity.Value = (ushort)MapSeverity(info.InitialSeverity);
                 alarm.Message.Value = new LocalizedText(info.InitialDescription ?? info.SourceName);
@@ -382,10 +395,20 @@ public sealed class DriverNodeManager : CustomNodeManager2, IAddressSpaceBuilder
                 alarm.AckedState.Id.Value = true;
                 alarm.ActiveState.Value = new LocalizedText("Inactive");
                 alarm.ActiveState.Id.Value = false;
+                // Enable ConditionRefresh support so clients that connect *after* a transition
+                // can pull the current retained-condition snapshot.
+                alarm.ClientUserId.Value = string.Empty;
+                alarm.BranchId.Value = NodeId.Null;
 
                 _variable.AddChild(alarm);
                 _owner.AddPredefinedNode(_owner.SystemContext, alarm);
 
+                // Part 9 event propagation: AddRootNotifier registers the alarm as an event
+                // source reachable from Objects/Server so subscriptions placed on Server-object
+                // EventNotifier receive the ReportEvent calls ConditionSink.OnTransition emits.
+                // Without this the Report fires but has no subscribers to deliver to.
+                _owner.AddRootNotifier(alarm);
+
                 return new ConditionSink(_owner, alarm);
             }
         }
@@ -398,6 +421,26 @@ public sealed class DriverNodeManager : CustomNodeManager2, IAddressSpaceBuilder
             AlarmSeverity.Critical => 900,
             _ => 500,
         };
+
+        // After alarm.Create(assignNodeIds=true), every descendant has *some* NodeId but
+        // they default to ns=0 via the shared identifier counter — allocations from two
+        // different alarms collide when we move them into the driver's namespace. Rewriting
+        // symbolically based on the condition path gives each descendant a unique, stable
+        // NodeId in the node manager's namespace. Browse + Read resolve against the current
+        // NodeId because the stack's CustomNodeManager2.Browse traverses NodeState.Children
+        // (NodeState references) and uses each child's current .NodeId in the response.
+        private static void AssignSymbolicDescendantIds(
+            NodeState parent, NodeId parentNodeId, ushort namespaceIndex)
+        {
+            var children = new List<BaseInstanceState>();
+            parent.GetChildren(null!, children);
+            foreach (var child in children)
+            {
+                child.NodeId = new NodeId(
+                    $"{parentNodeId.Identifier}.{child.SymbolicName}", namespaceIndex);
+                AssignSymbolicDescendantIds(child, child.NodeId, namespaceIndex);
+            }
+        }
     }
 
     private sealed class ConditionSink(DriverNodeManager owner, AlarmConditionState alarm)

src/ZB.MOM.WW.OtOpcUa.Server/OpcUaServerService.cs

@@ -18,6 +18,7 @@ public sealed class OpcUaServerService(
     DriverHost driverHost,
     OpcUaApplicationHost applicationHost,
     DriverEquipmentContentRegistry equipmentContentRegistry,
+    DriverInstanceBootstrapper driverBootstrapper,
     Phase7Composer phase7Composer,
     IServiceScopeFactory scopeFactory,
     ILogger<OpcUaServerService> logger) : BackgroundService
@@ -37,6 +38,13 @@ public sealed class OpcUaServerService(
         // address space until the first publish, then the registry fills on next restart.
         if (result.GenerationId is { } gen)
         {
+            // Task #248 — register IDriver instances from the published DriverInstance
+            // rows BEFORE the equipment-content load + Phase 7 compose, so the rest of
+            // the pipeline sees a populated DriverHost. Without this step Phase 7's
+            // CachedTagUpstreamSource has no upstream feed + virtual-tag scripts read
+            // BadNodeIdUnknown for every tag path (gap surfaced by task #240 smoke).
+            await driverBootstrapper.RegisterDriversFromGenerationAsync(gen, stoppingToken);
+
             await PopulateEquipmentContentAsync(gen, stoppingToken);
 
             // Phase 7 follow-up #246 — load Script + VirtualTag + ScriptedAlarm rows,

src/ZB.MOM.WW.OtOpcUa.Server/Phase7/Phase7Composer.cs

@@ -47,6 +47,9 @@ public sealed class Phase7Composer : IAsyncDisposable
 
     private DriverSubscriptionBridge? _bridge;
     private Phase7ComposedSources _sources = Phase7ComposedSources.Empty;
+    // Sink we constructed in PrepareAsync (vs. the injected fallback). Held so
+    // DisposeAsync can flush + tear down the SQLite drain timer.
+    private SqliteStoreAndForwardSink? _ownedSink;
     private bool _disposed;
 
     public Phase7Composer(
@@ -96,13 +99,20 @@ public sealed class Phase7Composer : IAsyncDisposable
 
         var upstream = new CachedTagUpstreamSource();
 
+        // Phase 7 follow-up #247 — if any registered driver implements IAlarmHistorianWriter
+        // (today: GalaxyProxyDriver), wrap it in a SqliteStoreAndForwardSink at
+        // %ProgramData%/OtOpcUa/alarm-historian-queue.db with the 2s drain cadence the
+        // sink's docstring recommends. Otherwise fall back to the injected sink (Null in
+        // the default registration).
+        var historianSink = ResolveHistorianSink();
+
         _sources = Phase7EngineComposer.Compose(
             scripts: scripts,
             virtualTags: virtualTags,
             scriptedAlarms: scriptedAlarms,
             upstream: upstream,
             alarmStateStore: new InMemoryAlarmStateStore(),
-            historianSink: _historianSink,
+            historianSink: historianSink,
             rootScriptLogger: _scriptLogger,
             loggerFactory: _loggerFactory);
 
@@ -121,6 +131,47 @@ public sealed class Phase7Composer : IAsyncDisposable
         return _sources;
     }
 
+    private IAlarmHistorianSink ResolveHistorianSink()
+    {
+        IAlarmHistorianWriter? writer = null;
+        foreach (var driverId in _driverHost.RegisteredDriverIds)
+        {
+            if (_driverHost.GetDriver(driverId) is IAlarmHistorianWriter w)
+            {
+                writer = w;
+                _logger.LogInformation(
+                    "Phase 7 historian sink: driver {Driver} provides IAlarmHistorianWriter — wiring SqliteStoreAndForwardSink",
+                    driverId);
+                break;
+            }
+        }
+        if (writer is null)
+        {
+            _logger.LogInformation(
+                "Phase 7 historian sink: no driver provides IAlarmHistorianWriter — using {Sink}",
+                _historianSink.GetType().Name);
+            return _historianSink;
+        }
+
+        var queueRoot = Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData);
+        if (string.IsNullOrEmpty(queueRoot)) queueRoot = Path.GetTempPath();
+        var queueDir = Path.Combine(queueRoot, "OtOpcUa");
+        Directory.CreateDirectory(queueDir);
+        var queuePath = Path.Combine(queueDir, "alarm-historian-queue.db");
+
+        var sinkLogger = _loggerFactory.CreateLogger<SqliteStoreAndForwardSink>();
+        // SqliteStoreAndForwardSink wants a Serilog logger for warn-on-eviction emissions;
+        // bridge the Microsoft logger via Serilog's null-safe path until the sink's
+        // dependency surface is reshaped (covered as part of release-readiness).
+        var serilogShim = _scriptLogger.ForContext("HistorianQueuePath", queuePath);
+        _ownedSink = new SqliteStoreAndForwardSink(
+            databasePath: queuePath,
+            writer: writer,
+            logger: serilogShim);
+        _ownedSink.StartDrainLoop(TimeSpan.FromSeconds(2));
+        return _ownedSink;
+    }
+
     /// <summary>
     ///     For each registered driver that exposes <see cref="Core.Abstractions.ISubscribable"/>,
     ///     build a UNS-path → driver-fullRef map from its EquipmentNamespaceContent.
@@ -178,6 +229,9 @@ public sealed class Phase7Composer : IAsyncDisposable
             try { d.Dispose(); }
             catch (Exception ex) { _logger.LogWarning(ex, "Phase 7 disposable threw during shutdown"); }
         }
+        // Owned SQLite sink: dispose first so the drain timer stops + final batch flushes
+        // before we release the writer-bearing driver via DriverHost.DisposeAsync upstream.
+        _ownedSink?.Dispose();
         if (_historianSink is IDisposable disposableSink) disposableSink.Dispose();
     }
 }

src/ZB.MOM.WW.OtOpcUa.Server/Program.cs

@@ -9,6 +9,7 @@ using ZB.MOM.WW.OtOpcUa.Configuration;
 using ZB.MOM.WW.OtOpcUa.Configuration.LocalCache;
 using ZB.MOM.WW.OtOpcUa.Core.Hosting;
 using ZB.MOM.WW.OtOpcUa.Core.AlarmHistorian;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy;
 using ZB.MOM.WW.OtOpcUa.Server;
 using ZB.MOM.WW.OtOpcUa.Server.OpcUa;
 using ZB.MOM.WW.OtOpcUa.Server.Phase7;
@@ -89,6 +90,18 @@ builder.Services.AddSingleton<ILocalConfigCache>(_ => new LiteDbConfigCache(opti
 builder.Services.AddSingleton<DriverHost>();
 builder.Services.AddSingleton<NodeBootstrap>();
 
+// Task #248 — driver-instance bootstrap pipeline. DriverFactoryRegistry is the
+// type-name → factory map; each driver project's static Register call pre-loads
+// its factory so the bootstrapper can materialise DriverInstance rows from the
+// central DB into live IDriver instances.
+builder.Services.AddSingleton<DriverFactoryRegistry>(_ =>
+{
+    var registry = new DriverFactoryRegistry();
+    GalaxyProxyDriverFactoryExtensions.Register(registry);
+    return registry;
+});
+builder.Services.AddSingleton<DriverInstanceBootstrapper>();
+
 // ADR-001 Option A wiring — the registry is the handoff between OpcUaServerService's
 // bootstrap-time population pass + OpcUaApplicationHost's StartAsync walker invocation.
 // DriverEquipmentContentRegistry.Get is the equipmentContentLookup delegate that PR #155

src/ZB.MOM.WW.OtOpcUa.Server/ZB.MOM.WW.OtOpcUa.Server.csproj

@@ -34,6 +34,7 @@
         <ProjectReference Include="..\ZB.MOM.WW.OtOpcUa.Core.VirtualTags\ZB.MOM.WW.OtOpcUa.Core.VirtualTags.csproj"/>
         <ProjectReference Include="..\ZB.MOM.WW.OtOpcUa.Core.ScriptedAlarms\ZB.MOM.WW.OtOpcUa.Core.ScriptedAlarms.csproj"/>
         <ProjectReference Include="..\ZB.MOM.WW.OtOpcUa.Core.AlarmHistorian\ZB.MOM.WW.OtOpcUa.Core.AlarmHistorian.csproj"/>
+        <ProjectReference Include="..\ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy\ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.csproj"/>
         <ProjectReference Include="..\ZB.MOM.WW.OtOpcUa.Analyzers\ZB.MOM.WW.OtOpcUa.Analyzers.csproj"
                           OutputItemType="Analyzer" ReferenceOutputAssembly="false"/>
     </ItemGroup>

tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.Tests/GalaxyHistorianWriterMappingTests.cs

@@ -0,0 +1,83 @@
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Core.AlarmHistorian;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.Ipc;
+using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Shared.Contracts;
+
+namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.Tests;
+
+/// <summary>
+///     Phase 7 follow-up #247 — covers the wire-format translation between the
+///     <see cref="AlarmHistorianEvent"/> the SQLite sink hands to the writer + the
+///     <see cref="HistorianAlarmEventDto"/> the Galaxy.Host IPC contract expects, plus
+///     the per-event outcome enum mapping. Pure functions; the round-trip over a real
+///     pipe is exercised by the live Host suite (task #240).
+/// </summary>
+[Trait("Category", "Unit")]
+public sealed class GalaxyHistorianWriterMappingTests
+{
+    [Fact]
+    public void ToDto_round_trips_every_field()
+    {
+        var ts = new DateTime(2026, 4, 20, 14, 30, 0, DateTimeKind.Utc);
+        var e = new AlarmHistorianEvent(
+            AlarmId: "al-7",
+            EquipmentPath: "/Site/Line/Cell",
+            AlarmName: "HighTemp",
+            AlarmTypeName: "LimitAlarm",
+            Severity: AlarmSeverity.High,
+            EventKind: "RaiseEvent",
+            Message: "Temp 92°C exceeded 90°C",
+            User: "operator-7",
+            Comment: "ack with reason",
+            TimestampUtc: ts);
+
+        var dto = GalaxyHistorianWriter.ToDto(e);
+
+        dto.AlarmId.ShouldBe("al-7");
+        dto.EquipmentPath.ShouldBe("/Site/Line/Cell");
+        dto.AlarmName.ShouldBe("HighTemp");
+        dto.AlarmTypeName.ShouldBe("LimitAlarm");
+        dto.Severity.ShouldBe((int)AlarmSeverity.High);
+        dto.EventKind.ShouldBe("RaiseEvent");
+        dto.Message.ShouldBe("Temp 92°C exceeded 90°C");
+        dto.User.ShouldBe("operator-7");
+        dto.Comment.ShouldBe("ack with reason");
+        dto.TimestampUtcUnixMs.ShouldBe(new DateTimeOffset(ts, TimeSpan.Zero).ToUnixTimeMilliseconds());
+    }
+
+    [Fact]
+    public void ToDto_preserves_null_Comment()
+    {
+        var e = new AlarmHistorianEvent(
+            "a", "/p", "n", "AlarmCondition", AlarmSeverity.Low, "RaiseEvent", "m",
+            User: "system", Comment: null, TimestampUtc: DateTime.UtcNow);
+
+        GalaxyHistorianWriter.ToDto(e).Comment.ShouldBeNull();
+    }
+
+    [Theory]
+    [InlineData(HistorianAlarmEventOutcomeDto.Ack, HistorianWriteOutcome.Ack)]
+    [InlineData(HistorianAlarmEventOutcomeDto.RetryPlease, HistorianWriteOutcome.RetryPlease)]
+    [InlineData(HistorianAlarmEventOutcomeDto.PermanentFail, HistorianWriteOutcome.PermanentFail)]
+    public void MapOutcome_round_trips_every_byte(
+        HistorianAlarmEventOutcomeDto wire, HistorianWriteOutcome expected)
+    {
+        GalaxyHistorianWriter.MapOutcome(wire).ShouldBe(expected);
+    }
+
+    [Fact]
+    public void MapOutcome_unknown_byte_throws()
+    {
+        Should.Throw<InvalidOperationException>(
+            () => GalaxyHistorianWriter.MapOutcome((HistorianAlarmEventOutcomeDto)0xFF));
+    }
+
+    [Fact]
+    public void Null_client_rejected()
+    {
+        Should.Throw<ArgumentNullException>(() => new GalaxyHistorianWriter(null!));
+    }
+
+}

tests/ZB.MOM.WW.OtOpcUa.Server.Tests/AlarmSubscribeIntegrationTests.cs

@@ -0,0 +1,322 @@
+using Microsoft.Extensions.Logging.Abstractions;
+using Opc.Ua;
+using Opc.Ua.Client;
+using Opc.Ua.Configuration;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Core.Hosting;
+using ZB.MOM.WW.OtOpcUa.Server.OpcUa;
+using ZB.MOM.WW.OtOpcUa.Server.Security;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.Tests;
+
+/// <summary>
+///     Task #219 — end-to-end server integration coverage for the <see cref="IAlarmSource"/>
+///     dispatch path. Boots the full OPC UA stack + a fake <see cref="IAlarmSource"/> driver,
+///     opens a client session, raises a driver-side transition, and asserts it propagates
+///     through <c>GenericDriverNodeManager</c>'s alarm forwarder into
+///     <c>DriverNodeManager.ConditionSink</c>, updates the server-side
+///     <c>AlarmConditionState</c> child attributes (Severity / Message / ActiveState), and
+///     flows out to an OPC UA subscription on the Server object's EventNotifier.
+///
+///     Companion to <see cref="HistoryReadIntegrationTests"/> which covers the
+///     <see cref="IHistoryProvider"/> dispatch path; together they close the server-side
+///     integration gap for optional driver capabilities (plan decision #62).
+/// </summary>
+[Trait("Category", "Integration")]
+public sealed class AlarmSubscribeIntegrationTests : IAsyncLifetime
+{
+    private static readonly int Port = 48700 + Random.Shared.Next(0, 99);
+    private readonly string _endpoint = $"opc.tcp://localhost:{Port}/OtOpcUaAlarmTest";
+    private readonly string _pkiRoot = Path.Combine(Path.GetTempPath(), $"otopcua-alarm-test-{Guid.NewGuid():N}");
+
+    private DriverHost _driverHost = null!;
+    private OpcUaApplicationHost _server = null!;
+    private AlarmDriver _driver = null!;
+
+    public async ValueTask InitializeAsync()
+    {
+        _driverHost = new DriverHost();
+        _driver = new AlarmDriver();
+        await _driverHost.RegisterAsync(_driver, "{}", CancellationToken.None);
+
+        var options = new OpcUaServerOptions
+        {
+            EndpointUrl = _endpoint,
+            ApplicationName = "OtOpcUaAlarmTest",
+            ApplicationUri = "urn:OtOpcUa:Server:AlarmTest",
+            PkiStoreRoot = _pkiRoot,
+            AutoAcceptUntrustedClientCertificates = true,
+            HealthEndpointsEnabled = false,
+        };
+
+        _server = new OpcUaApplicationHost(options, _driverHost, new DenyAllUserAuthenticator(),
+            NullLoggerFactory.Instance, NullLogger<OpcUaApplicationHost>.Instance);
+        await _server.StartAsync(CancellationToken.None);
+    }
+
+    public async ValueTask DisposeAsync()
+    {
+        await _server.DisposeAsync();
+        await _driverHost.DisposeAsync();
+        try { Directory.Delete(_pkiRoot, recursive: true); } catch { /* best-effort */ }
+    }
+
+    [Fact]
+    public async Task Driver_alarm_transition_updates_server_side_AlarmConditionState_node()
+    {
+        using var session = await OpenSessionAsync();
+        var nsIndex = (ushort)session.NamespaceUris.GetIndex("urn:OtOpcUa:alarm-driver");
+
+        _driver.RaiseAlarm(new AlarmEventArgs(
+            SubscriptionHandle: new FakeHandle("sub"),
+            SourceNodeId: "Tank.HiHi",
+            ConditionId: "cond-1",
+            AlarmType: "Active",
+            Message: "Level exceeded upper-upper",
+            Severity: AlarmSeverity.High,
+            SourceTimestampUtc: DateTime.UtcNow));
+
+        // The alarm-condition node's identifier is the driver full-reference + ".Condition"
+        // (DriverNodeManager.VariableHandle.MarkAsAlarmCondition). Server-side state changes
+        // are applied synchronously under DriverNodeManager.Lock inside ConditionSink.OnTransition,
+        // so by the time RaiseAlarm returns the node state has been flushed.
+        var conditionNodeId = new NodeId("Tank.HiHi.Condition", nsIndex);
+
+        // Browse the condition node for the well-known Part-9 child variables. The stack
+        // materializes Severity / Message / ActiveState / AckedState as children below the
+        // AlarmConditionState; their NodeIds are allocated by the stack so we discover them
+        // by BrowseName rather than guessing.
+        var browseDescriptions = new BrowseDescriptionCollection
+        {
+            new()
+            {
+                NodeId = conditionNodeId,
+                BrowseDirection = BrowseDirection.Forward,
+                ReferenceTypeId = ReferenceTypeIds.HierarchicalReferences,
+                IncludeSubtypes = true,
+                NodeClassMask = 0,
+                ResultMask = (uint)BrowseResultMask.All,
+            },
+        };
+        session.Browse(null, null, 0, browseDescriptions, out var browseResults, out _);
+        var children = browseResults[0].References
+            .ToDictionary(r => r.BrowseName.Name,
+                r => ExpandedNodeId.ToNodeId(r.NodeId, session.NamespaceUris),
+                StringComparer.Ordinal);
+
+        children.ShouldContainKey("Severity");
+        children.ShouldContainKey("Message");
+        children.ShouldContainKey("ActiveState");
+
+        // Severity / Message / ActiveState.Id reflect the driver-fired transition — verifies
+        // the forwarder → ConditionSink.OnTransition → alarm.ClearChangeMasks pipeline
+        // landed the new values in addressable child nodes. DriverNodeManager's
+        // AssignSymbolicDescendantIds keeps each child reachable under the node manager's
+        // namespace so Read resolves against the predefined-node dictionary.
+        var severity = session.ReadValue(children["Severity"]);
+        var message = session.ReadValue(children["Message"]);
+        severity.Value.ShouldBe((ushort)700);  // AlarmSeverity.High → 700 (MapSeverity)
+        ((LocalizedText)message.Value).Text.ShouldBe("Level exceeded upper-upper");
+
+        // ActiveState exposes its boolean Id as a HasProperty child.
+        var activeBrowse = new BrowseDescriptionCollection
+        {
+            new()
+            {
+                NodeId = children["ActiveState"],
+                BrowseDirection = BrowseDirection.Forward,
+                ReferenceTypeId = ReferenceTypeIds.HasProperty,
+                IncludeSubtypes = true,
+                ResultMask = (uint)BrowseResultMask.All,
+            },
+        };
+        session.Browse(null, null, 0, activeBrowse, out var activeChildren, out _);
+        var idRef = activeChildren[0].References.Single(r => r.BrowseName.Name == "Id");
+        var activeId = session.ReadValue(ExpandedNodeId.ToNodeId(idRef.NodeId, session.NamespaceUris));
+        activeId.Value.ShouldBe(true);
+    }
+
+    [Fact]
+    public async Task Driver_alarm_event_flows_to_client_subscription_on_Server_EventNotifier()
+    {
+        // AddRootNotifier registers the AlarmConditionState as a Server-object notifier
+        // source, so a subscription with an EventFilter on Server receives the
+        // ReportEvent calls ConditionSink emits per-transition.
+        using var session = await OpenSessionAsync();
+
+        var subscription = new Subscription(session.DefaultSubscription) { PublishingInterval = 100 };
+        session.AddSubscription(subscription);
+        await subscription.CreateAsync();
+
+        var received = new List<EventFieldList>();
+        var gate = new TaskCompletionSource(TaskCreationOptions.RunContinuationsAsynchronously);
+
+        var filter = new EventFilter();
+        filter.AddSelectClause(ObjectTypeIds.BaseEventType, BrowseNames.EventId);
+        filter.AddSelectClause(ObjectTypeIds.BaseEventType, BrowseNames.SourceName);
+        filter.AddSelectClause(ObjectTypeIds.BaseEventType, BrowseNames.Message);
+        filter.AddSelectClause(ObjectTypeIds.BaseEventType, BrowseNames.Severity);
+        filter.WhereClause = new ContentFilter();
+        filter.WhereClause.Push(FilterOperator.OfType,
+            new LiteralOperand { Value = new Variant(ObjectTypeIds.AlarmConditionType) });
+
+        var item = new MonitoredItem(subscription.DefaultItem)
+        {
+            StartNodeId = ObjectIds.Server,
+            AttributeId = Attributes.EventNotifier,
+            NodeClass = NodeClass.Object,
+            SamplingInterval = 0,
+            QueueSize = 100,
+            Filter = filter,
+        };
+        item.Notification += (_, e) =>
+        {
+            if (e.NotificationValue is EventFieldList fields)
+            {
+                lock (received) { received.Add(fields); gate.TrySetResult(); }
+            }
+        };
+        subscription.AddItem(item);
+        await subscription.ApplyChangesAsync();
+
+        // Give the publish loop a tick to establish before firing.
+        await Task.Delay(200);
+
+        _driver.RaiseAlarm(new AlarmEventArgs(
+            new FakeHandle("sub"), "Tank.HiHi", "cond-x", "Active",
+            "High-high tripped", AlarmSeverity.Critical, DateTime.UtcNow));
+
+        var delivered = await Task.WhenAny(gate.Task, Task.Delay(TimeSpan.FromSeconds(10)));
+        delivered.ShouldBe(gate.Task, "alarm event must arrive at the client within 10s");
+
+        EventFieldList first;
+        lock (received) first = received[0];
+        // Filter field order: 0=EventId, 1=SourceName, 2=Message, 3=Severity.
+        ((LocalizedText)first.EventFields[2].Value).Text.ShouldBe("High-high tripped");
+        first.EventFields[3].Value.ShouldBe((ushort)900);  // Critical → 900
+    }
+
+    [Fact]
+    public async Task Each_IsAlarm_variable_registers_its_own_condition_node_in_the_driver_namespace()
+    {
+        // Tag-scoped alarm wiring: DiscoverAsync declares two IsAlarm variables and calls
+        // MarkAsAlarmCondition on each. The server-side DriverNodeManager wraps each call in
+        // a CapturingHandle that creates a sibling AlarmConditionState + registers a sink
+        // under the driver full-reference. Browse should show both condition nodes with
+        // distinct NodeIds using the FullReference + ".Condition" convention.
+        using var session = await OpenSessionAsync();
+        var nsIndex = (ushort)session.NamespaceUris.GetIndex("urn:OtOpcUa:alarm-driver");
+
+        _driver.RaiseAlarm(new AlarmEventArgs(
+            new FakeHandle("sub"), "Tank.HiHi", "c", "Active", "first", AlarmSeverity.High,
+            DateTime.UtcNow));
+
+        var attrs = new ReadValueIdCollection
+        {
+            new() { NodeId = new NodeId("Tank.HiHi.Condition", nsIndex), AttributeId = Attributes.DisplayName },
+            new() { NodeId = new NodeId("Heater.OverTemp.Condition", nsIndex), AttributeId = Attributes.DisplayName },
+        };
+        session.Read(null, 0, TimestampsToReturn.Neither, attrs, out var results, out _);
+        results[0].StatusCode.Code.ShouldBe(StatusCodes.Good);
+        results[1].StatusCode.Code.ShouldBe(StatusCodes.Good);
+        ((LocalizedText)results[0].Value).Text.ShouldBe("Tank.HiHi");
+        ((LocalizedText)results[1].Value).Text.ShouldBe("Heater.OverTemp");
+    }
+
+    private async Task<ISession> OpenSessionAsync()
+    {
+        var cfg = new ApplicationConfiguration
+        {
+            ApplicationName = "OtOpcUaAlarmTestClient",
+            ApplicationUri = "urn:OtOpcUa:AlarmTestClient",
+            ApplicationType = ApplicationType.Client,
+            SecurityConfiguration = new SecurityConfiguration
+            {
+                ApplicationCertificate = new CertificateIdentifier
+                {
+                    StoreType = CertificateStoreType.Directory,
+                    StorePath = Path.Combine(_pkiRoot, "client-own"),
+                    SubjectName = "CN=OtOpcUaAlarmTestClient",
+                },
+                TrustedIssuerCertificates = new CertificateTrustList { StoreType = CertificateStoreType.Directory, StorePath = Path.Combine(_pkiRoot, "client-issuers") },
+                TrustedPeerCertificates = new CertificateTrustList { StoreType = CertificateStoreType.Directory, StorePath = Path.Combine(_pkiRoot, "client-trusted") },
+                RejectedCertificateStore = new CertificateTrustList { StoreType = CertificateStoreType.Directory, StorePath = Path.Combine(_pkiRoot, "client-rejected") },
+                AutoAcceptUntrustedCertificates = true,
+                AddAppCertToTrustedStore = true,
+            },
+            TransportConfigurations = new TransportConfigurationCollection(),
+            TransportQuotas = new TransportQuotas { OperationTimeout = 15000 },
+            ClientConfiguration = new ClientConfiguration { DefaultSessionTimeout = 60000 },
+        };
+        await cfg.Validate(ApplicationType.Client);
+        cfg.CertificateValidator.CertificateValidation += (_, e) => e.Accept = true;
+
+        var instance = new ApplicationInstance { ApplicationConfiguration = cfg, ApplicationType = ApplicationType.Client };
+        await instance.CheckApplicationInstanceCertificate(true, CertificateFactory.DefaultKeySize);
+
+        var selected = CoreClientUtils.SelectEndpoint(cfg, _endpoint, useSecurity: false);
+        var endpointConfig = EndpointConfiguration.Create(cfg);
+        var configuredEndpoint = new ConfiguredEndpoint(null, selected, endpointConfig);
+
+        return await Session.Create(cfg, configuredEndpoint, false, "OtOpcUaAlarmTestClientSession", 60000,
+            new UserIdentity(new AnonymousIdentityToken()), null);
+    }
+
+    /// <summary>
+    ///     Stub <see cref="IAlarmSource"/> driver. <see cref="DiscoverAsync"/> emits two alarm-
+    ///     bearing variables (so tag-scoped fan-out can be asserted); <see cref="RaiseAlarm"/>
+    ///     fires <see cref="OnAlarmEvent"/> exactly like a real driver would.
+    /// </summary>
+    private sealed class AlarmDriver : IDriver, ITagDiscovery, IAlarmSource
+    {
+        public string DriverInstanceId => "alarm-driver";
+        public string DriverType => "AlarmStub";
+
+        public event EventHandler<AlarmEventArgs>? OnAlarmEvent;
+
+        public Task InitializeAsync(string driverConfigJson, CancellationToken ct) => Task.CompletedTask;
+        public Task ReinitializeAsync(string driverConfigJson, CancellationToken ct) => Task.CompletedTask;
+        public Task ShutdownAsync(CancellationToken ct) => Task.CompletedTask;
+        public DriverHealth GetHealth() => new(DriverState.Healthy, DateTime.UtcNow, null);
+        public long GetMemoryFootprint() => 0;
+        public Task FlushOptionalCachesAsync(CancellationToken ct) => Task.CompletedTask;
+
+        public Task DiscoverAsync(IAddressSpaceBuilder builder, CancellationToken ct)
+        {
+            var tank = builder.Folder("Tank", "Tank");
+            var hiHi = tank.Variable("HiHi", "HiHi", new DriverAttributeInfo(
+                "Tank.HiHi", DriverDataType.Boolean, false, null,
+                SecurityClassification.FreeAccess, false, IsAlarm: true));
+            hiHi.MarkAsAlarmCondition(new AlarmConditionInfo(
+                "Tank.HiHi", AlarmSeverity.High, "High-high alarm"));
+
+            var heater = builder.Folder("Heater", "Heater");
+            var ot = heater.Variable("OverTemp", "OverTemp", new DriverAttributeInfo(
+                "Heater.OverTemp", DriverDataType.Boolean, false, null,
+                SecurityClassification.FreeAccess, false, IsAlarm: true));
+            ot.MarkAsAlarmCondition(new AlarmConditionInfo(
+                "Heater.OverTemp", AlarmSeverity.Critical, "Over-temperature"));
+            return Task.CompletedTask;
+        }
+
+        public void RaiseAlarm(AlarmEventArgs args) => OnAlarmEvent?.Invoke(this, args);
+
+        public Task<IAlarmSubscriptionHandle> SubscribeAlarmsAsync(
+            IReadOnlyList<string> _, CancellationToken __)
+            => Task.FromResult<IAlarmSubscriptionHandle>(new FakeHandle("sub"));
+
+        public Task UnsubscribeAlarmsAsync(IAlarmSubscriptionHandle _, CancellationToken __)
+            => Task.CompletedTask;
+
+        public Task AcknowledgeAsync(
+            IReadOnlyList<AlarmAcknowledgeRequest> _, CancellationToken __)
+            => Task.CompletedTask;
+    }
+
+    private sealed class FakeHandle(string diagnosticId) : IAlarmSubscriptionHandle
+    {
+        public string DiagnosticId { get; } = diagnosticId;
+    }
+}

tests/ZB.MOM.WW.OtOpcUa.Server.Tests/DriverFactoryRegistryTests.cs

@@ -0,0 +1,73 @@
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Core.Hosting;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.Tests;
+
+/// <summary>
+///     Task #248 — covers the <see cref="DriverFactoryRegistry"/> contract that
+///     <see cref="DriverInstanceBootstrapper"/> consumes.
+/// </summary>
+[Trait("Category", "Unit")]
+public sealed class DriverFactoryRegistryTests
+{
+    private static IDriver FakeDriver(string id, string config) => new FakeIDriver(id);
+
+    [Fact]
+    public void Register_then_TryGet_returns_factory()
+    {
+        var r = new DriverFactoryRegistry();
+        r.Register("MyDriver", FakeDriver);
+
+        r.TryGet("MyDriver").ShouldNotBeNull();
+        r.TryGet("Nope").ShouldBeNull();
+    }
+
+    [Fact]
+    public void Register_is_case_insensitive()
+    {
+        var r = new DriverFactoryRegistry();
+        r.Register("Galaxy", FakeDriver);
+        r.TryGet("galaxy").ShouldNotBeNull();
+        r.TryGet("GALAXY").ShouldNotBeNull();
+    }
+
+    [Fact]
+    public void Register_duplicate_type_throws()
+    {
+        var r = new DriverFactoryRegistry();
+        r.Register("Galaxy", FakeDriver);
+        Should.Throw<InvalidOperationException>(() => r.Register("Galaxy", FakeDriver));
+    }
+
+    [Fact]
+    public void Register_null_args_rejected()
+    {
+        var r = new DriverFactoryRegistry();
+        Should.Throw<ArgumentException>(() => r.Register("", FakeDriver));
+        Should.Throw<ArgumentNullException>(() => r.Register("X", null!));
+    }
+
+    [Fact]
+    public void RegisteredTypes_returns_snapshot()
+    {
+        var r = new DriverFactoryRegistry();
+        r.Register("A", FakeDriver);
+        r.Register("B", FakeDriver);
+        r.RegisteredTypes.ShouldContain("A");
+        r.RegisteredTypes.ShouldContain("B");
+    }
+
+    private sealed class FakeIDriver(string id) : IDriver
+    {
+        public string DriverInstanceId => id;
+        public string DriverType => "Fake";
+        public Task InitializeAsync(string _, CancellationToken __) => Task.CompletedTask;
+        public Task ReinitializeAsync(string _, CancellationToken __) => Task.CompletedTask;
+        public Task ShutdownAsync(CancellationToken _) => Task.CompletedTask;
+        public Task FlushOptionalCachesAsync(CancellationToken _) => Task.CompletedTask;
+        public DriverHealth GetHealth() => new(DriverState.Healthy, null, null);
+        public long GetMemoryFootprint() => 0;
+    }
+}