Compare commits

...

14 Commits

Author SHA1 Message Date
Joseph Doherty
df0d7c2d84 DiffViewer ACL section — extend sp_ComputeGenerationDiff with NodeAcl rows. Closes the final slice of task #196 (draft-diff ACL section). The DiffViewer already rendered a placeholder "NodeAcl" card from the task #156 refactor; it stayed empty because the stored proc didn't emit NodeAcl rows. This PR lights the card up by adding a fifth UNION to the proc. Logical id for NodeAcl is the composite LdapGroup + ScopeKind + ScopeId triple — format "cn=group|Cluster|scope-id" or "cn=group|Cluster|(cluster)" when ScopeId is null (Cluster-wide rows). That shape means a permission-only change (same group + same scope, PermissionFlags shifted) appears as a single Modified row with the full triple as its identifier, whereas a scope move (same group, new ScopeId) correctly surfaces as Added + Removed of two different logical ids. CHECKSUM signature covers ClusterId + PermissionFlags + Notes so both operator-visible changes (permission bitmask) and audit-tier changes (notes) round-trip through the diff. New migration 20260420000001_ExtendComputeGenerationDiffWithNodeAcl.cs ships both Up (install V2 proc) + Down (restore the exact V1 proc text shipped in 20260417215224_StoredProcedures so the migration is reversible). Row-id column widens from nvarchar(64) to nvarchar(128) in V2 since the composite key (group DN + scope + scope-id) exceeds 64 chars comfortably — narrow column would silently truncate in prod. Designer .cs cloned from the prior migration since the EF model is unchanged; DiffViewer.razor section description updated to drop the "(proc-extension pending)" note it carried since task #156 — the card will now populate live. Admin + Core full-solution build clean. No unit-test changes needed — the existing StoredProceduresTests cover the proc-exec path + would immediately catch any SQL syntax regression on next SQL Server integration run. 
Task #196 fully closed now — Probe-this-permission (slice 1, PR 144), SignalR invalidation (slice 2, PR 145), draft-diff ACL section (this PR).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-20 00:37:05 -04:00
16f4b4acad Merge pull request (#145) - ACL + role-grant SignalR invalidation 2026-04-20 00:34:24 -04:00
Joseph Doherty
ac63c2cfb2 ACL + role-grant SignalR invalidation — #196 slice 2. Adds the live-push layer so an operator editing permissions in one Admin session sees the change in peer sessions without a manual reload. Covers both axes of task #196's invalidation requirement: cluster-scoped NodeAcl mutations push NodeAclChanged to that cluster's subscribers; fleet-wide LdapGroupRoleMapping CRUD pushes RoleGrantsChanged to every Admin session on the fleet group. New AclChangeNotifier service wraps IHubContext<FleetStatusHub> with two methods: NotifyNodeAclChangedAsync(clusterId, generationId) + NotifyRoleGrantsChangedAsync(). Both are fire-and-forget — a failed hub send logs a warning + returns; the authoritative DB write already committed, so worst-case peers see stale data until their next poll (AclsTab has no polling today; on-parameter-set reload + this signal covers the practical refresh cases). Catching OperationCanceledException separately so request-teardown doesn't log a false-positive hub-failure. NodeAclService constructor gains an optional AclChangeNotifier param (defaults to null so the existing unit tests that pass only a DbContext keep compiling). GrantAsync + RevokeAsync both emit NodeAclChanged after the SaveChanges completes — the Revoke path uses the loaded row's ClusterId + GenerationId for accurate routing since the caller passes only the surrogate rowId. RoleGrants.razor consumes the notifier after every Create + Delete + opens a fleet-scoped HubConnection on first render that reloads the grant list on RoleGrantsChanged. AclsTab.razor opens a cluster-scoped connection on first render and reloads only when the incoming NodeAclChanged message matches both the current ClusterId + GenerationId (so a peer editing a different draft doesn't trigger spurious reloads). Both pages IAsyncDisposable the connection on navigation away. AclChangeNotifier is DI-registered alongside PermissionProbeService. 
Two new message records in AclChangeNotifier.cs: NodeAclChangedMessage(ClusterId, GenerationId, ObservedAtUtc) + RoleGrantsChangedMessage(ObservedAtUtc). Admin.Tests 92/92 passing (unchanged — the notifier is fire-and-forget + tested at hub level in existing FleetStatusPoller suite). Admin builds 0 errors. One slice of #196 remains: the draft-diff ACL section (extend sp_ComputeGenerationDiff to emit NodeAcl rows + wire the DiffViewer NodeAcl card from the empty placeholder it currently shows). Next PR.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-20 00:32:28 -04:00
d93dc73978 Merge pull request (#144) - AclsTab Probe-this-permission 2026-04-20 00:30:15 -04:00
Joseph Doherty
ecc2389ca8 AclsTab Probe-this-permission — first of three #196 slices. New /clusters/{ClusterId}/draft/{GenerationId} ACLs-tab gains a probe card above the grant table so operators can ask the trie "if cn=X asks for permission Y on node Z, would it be granted, and which rows contributed?" without shell-ing into the DB. Service thinly wraps the same PermissionTrieBuilder + PermissionTrie.CollectMatches call path the Server's dispatch layer uses at request time, so a probe answer is by construction identical to what the live server would decide. New PermissionProbeService.ProbeAsync(generationId, ldapGroup, NodeScope, requiredFlags) — loads the target generation's NodeAcl rows filtered to the cluster (critical: without the cluster filter, cross-cluster grants leak into the probe which tested false-positive in the unit suite), builds a trie, CollectMatches against the supplied scope + [ldapGroup], ORs the matched-grant flags into Effective, compares to Required. Returns PermissionProbeResult(Granted, Required, Effective, Matches) — Matches carries LdapGroup + Scope + PermissionFlags per matched row so the UI can render the contribution chain. Zero side effects + no audit rows — a failing probe is a question, not a denial. AclsTab.razor gains the probe card at the top (before the New-grant form + grant table): six inputs for ldap group + every NodeScope level (NamespaceId → UnsAreaId → UnsLineId → EquipmentId → TagId — blank fields become null so the trie walks only as deep as the operator specified), a NodePermissions dropdown filtered to skip None, Probe button, green Granted / red Denied badge + Required/Effective bitmask display, and (when matches exist) a small table showing which LdapGroup matched at which level with which flags. Admin csproj adds ProjectReference to Core — the trie + NodeScope live there + were previously Server-only. 
Five new PermissionProbeServiceTests covering: cluster-level row grants a namespace-level read; no-group-match denies with empty Effective; matching group but insufficient flags (Browse+Read vs WriteOperate required) denies with correct Effective bitmask; cross-cluster grants stay isolated (c2's WriteOperate does NOT leak into c1's probe); generation isolation (gen1's Read-only does NOT let gen2's WriteOperate-requiring probe pass). Admin.Tests 92/92 passing (was 87, +5). Admin builds 0 errors. Remaining #196 slices — SignalR invalidation + draft-diff ACL section — ship in follow-up PRs so the review surface per PR stays tight.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-20 00:28:17 -04:00
852c710013 Merge pull request (#143) - Pin ab_server to libplctag v2.6.16 2026-04-20 00:06:29 -04:00
Joseph Doherty
8ce5791f49 Pin libplctag ab_server to v2.6.16 — real release tag + SHA256 hashes for all three Windows arches. Closes the "pick a current version + pin" deferral left by the #180 PR docs stub. Verified the release lands ab_server.exe inside libplctag_2.6.16_windows_<arch>_tools.zip alongside plctag.dll + list_tags_* helpers by downloading each tools zip + unzip -l'ing to confirm ab_server.exe is present at 331264 bytes. New ci/ab-server.lock.json is the single source of truth — one file the CI YAML reads via ConvertFrom-Json instead of duplicating the hash across the workflow + the docs. Structure: repo (libplctag/libplctag) + tag (v2.6.16) + published date (2026-03-29) + assets keyed by platform (windows-x64 / windows-x86 / windows-arm64) each carrying filename + sha256. docs/v2/test-data-sources.md §2.CI updated — replaces the prior placeholder (ver = '<pinned libplctag release tag>', expected = '<pinned sha256>') with the real v2.6.16 + 9b78a3de... hashes pinned table, and replaces the hardcoded URL with a lockfile-driven pwsh step that picks windows-x64 by default but swaps to x86/arm64 by changing one line for non-x64 CI runners. Hash-mismatch path throws with both the expected + actual values so on the first drift the CI log tells the maintainer exactly what to update in the lockfile. Two verification notes from the release fetch: (1) libplctag v2.6.16 tools zips ship ab_server.exe + plctag.dll together — tests don't need a separate libplctag NuGet download for the integration path, the extracted tools dir covers both the simulator + the driver's native dependency; (2) the three Windows arches all carry ab_server.exe, so ARM64 Windows GitHub runners (when they arrive) can run the integration suite without changes beyond swapping the asset key. No code changes in this PR — purely docs + the new lockfile. Admin tests + Core tests unchanged + passing per the prior commit.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-20 00:04:35 -04:00
05ddea307b Merge pull request (#142) - ab_server per-family profiles 2026-04-19 23:59:20 -04:00
Joseph Doherty
32dff7f1d6 ab_server integration fixture — per-family profiles + documented CI-fetch contract. Closes task #180 (AB CIP follow-up — ab_server CI fixture). Replaces the prior hardcoded single-family fixture with a parametric AbServerProfile abstraction covering ControlLogix / CompactLogix / Micro800 / GuardLogix. Prebuilt-Windows-binary fetch is documented as a CI YAML step rather than fabricated C#-side, because SHA-pinned binary distribution is a CI workflow concern (libplctag owns releases, we pin a version + verify hash) not a test-framework concern. New AbServerProfile record + KnownProfiles static class at tests/.../AbServerProfile.cs. Four profiles: ControlLogix (widest coverage — DINT/REAL/BOOL/SINT/STRING atomic + DINT[16] array so the driver's @tags Symbol-Object decoder + array-bound path both get end-to-end coverage), CompactLogix (atomic subset — driver-side ConnectionSize quirk from PR 10 still applies since ab_server doesn't enforce the narrower limit), Micro800 (ab_server has no dedicated --plc micro800 mode — falls back to controllogix while driver-side path enforces empty routing + unconnected-only per PR 11; real Micro800 coverage requires a 2080 lab rig), GuardLogix (ab_server has no safety subsystem — profile emulates the _S-suffixed naming contract the driver's safety-ViewOnly classification reads in PR 12; real safety-lock behavior requires a 1756-L8xS physical rig). Each profile composes --plc + --tag args via BuildCliArgs(port) — pure string formatter so the composition logic is unit-testable without launching the simulator. AbServerFixture gains a ctor overload taking AbServerProfile + port (defaults back to ControlLogix on parameterless ctor so existing test suites keep compiling). Fixture's InitializeAsync hands the profile's CLI args to ProcessStartInfo.Arguments. New AbServerTheoryAttribute mirrors AbServerFactAttribute but extends TheoryAttribute so a single test can MemberData over KnownProfiles.All + cover all four families. 
AbCipReadSmokeTests converted from single-fact to theory parametrized over KnownProfiles.All — one row per family reads TestDINT + asserts Good status + Healthy driver state. Fixture lifecycle is explicit try/finally rather than await using because IAsyncLifetime.DisposeAsync returns ValueTask + xUnit's concrete IAsyncDisposable shim depends on xunit version; explicit beats implicit here. Eight new unit tests in AbServerProfileTests.cs (runs without the simulator so CI green even when the binary is absent): BuildCliArgs composes port + plc + tag flags in the documented order; empty seed-tag list still emits port + plc; SeedTag.ToCliSpec handles both 2-segment scalar + 3-segment array; KnownProfiles.ForFamily returns expected --plc arg for every family (verifies Micro800 + GuardLogix both fall back to controllogix); KnownProfiles.All covers every AbCipPlcFamily enum value (regression guard — adding a new family without a profile fails this test); ControlLogix seeds every atomic type the driver supports; GuardLogix seeds at least one _S-suffixed safety tag. Integration tests still skip cleanly when ab_server isn't on PATH. 11/11 unit tests passing in this project (8 new + 3 prior). Full Admin solution builds 0 errors. docs/v2/test-data-sources.md gets a new "CI fixture" subsection under §2.Gotchas with the exact GitHub Actions YAML step — fetch the pinned libplctag release, SHA256-verify against a pinned hash recorded in the repo's CI lockfile (drift = fail closed), extract, append to PATH. The C# harness stays PATH-driven so dev-box installs (cmake + make from source) work identically to CI.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-19 23:57:24 -04:00
42649ca7b0 Merge pull request (#141) - Redundancy OTel + SignalR 2026-04-19 23:18:04 -04:00
Joseph Doherty
1f3343e61f OpenTelemetry redundancy metrics + RoleChanged SignalR push. Closes instrumentation + live-push slices of task #198; the exporter wiring (OTLP vs Prometheus package decision) is split to new task #201 because the collector/scrape-endpoint choice is a fleet-ops decision that deserves its own PR rather than hardcoded here. New RedundancyMetrics class (Singleton-registered in DI) owning a System.Diagnostics.Metrics.Meter("ZB.MOM.WW.OtOpcUa.Redundancy", "1.0.0"). Three ObservableGauge instruments — otopcua.redundancy.primary_count / secondary_count / stale_count — all tagged by cluster.id, populated by SetClusterCounts(clusterId, primary, secondary, stale) which the poller calls at the tail of every tick; ObservableGauge callbacks snapshot the last value set under a lock so the reader (OTel collector, dotnet-counters) sees consistent tuples. One Counter — otopcua.redundancy.role_transition — tagged cluster.id, node.id, from_role, to_role; ideal for tracking "how often does Cluster-X failover" + "which node transitions most" aggregate queries. In-box Metrics API means zero NuGet dep here — the exporter PR adds OpenTelemetry.Extensions.Hosting + OpenTelemetry.Exporter.OpenTelemetryProtocol or OpenTelemetry.Exporter.Prometheus.AspNetCore to actually ship the data somewhere. FleetStatusPoller extended with role-change detection. Its PollOnceAsync now pulls ClusterNode rows alongside the existing ClusterNodeGenerationState scan, and a new PollRolesAsync walks every node comparing RedundancyRole to the _lastRole cache. On change: records the transition to RedundancyMetrics + emits a RoleChanged SignalR message to both FleetStatusHub.GroupName(cluster) + FleetStatusHub.FleetGroup so cluster-scoped + fleet-wide subscribers both see it. First observation per node is a bootstrap (cache fill) + NOT a transition — avoids spurious churn on service startup or pod restart. 
UpdateClusterGauges groups nodes by cluster + sets the three gauge values, using ClusterNodeService.StaleThreshold (shared 30s convention) for staleness so the /hosts page + the gauge agree. RoleChangedMessage record lives alongside NodeStateChangedMessage in FleetStatusPoller.cs. RedundancyTab.razor subscribes to the fleet-status hub on first parameters-set, filters RoleChanged events to the current cluster, reloads the node list + paints a blue info banner ("Role changed on node-a: Primary → Secondary at HH:mm:ss UTC") so operators see the transition without needing to poll-refresh the page. IAsyncDisposable closes the connection on tab swap-away. Two new RedundancyMetricsTests covering RecordRoleTransition tag emission (cluster.id + node.id + from_role + to_role all flow through the MeterListener callback) + ObservableGauge snapshot for two clusters (assert primary_count=1 for c1, stale_count=1 for c2). Existing FleetStatusPollerTests ctor-line updated to pass a RedundancyMetrics instance; all tests still pass. Full Admin.Tests suite 87/87 passing (was 85, +2). Admin project builds 0 errors. Task #201 captures the exporter-wiring follow-up — OpenTelemetry.Extensions.Hosting + OTLP vs Prometheus + /metrics endpoint decision, driven by fleet-ops infra direction.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-19 23:16:09 -04:00
251f567b98 Merge pull request (#140) - AlarmSurfaceInvoker 2026-04-19 23:09:35 -04:00
Joseph Doherty
404bfbe7e4 AlarmSurfaceInvoker — wraps IAlarmSource.Subscribe/Unsubscribe/Acknowledge through CapabilityInvoker with multi-host fan-out. Closes alarm-surface slice of task #161 (Phase 6.1 Stream A); the Roslyn invoker-coverage analyzer is split into new task #200 because a DiagnosticAnalyzer project is genuinely its own scaffolding PR (Microsoft.CodeAnalysis.CSharp.Workspaces dep, netstandard2.0 target, Microsoft.CodeAnalysis.Testing harness, ProjectReference OutputItemType=Analyzer wiring, and four corner-case rules I want tests for before shipping). Ship this PR as the runtime guardrail + callable API; the analyzer lands next as the compile-time guardrail. New AlarmSurfaceInvoker class in Core.Resilience. Three methods mirror IAlarmSource's three mutating surfaces: SubscribeAsync (fan-out: group sourceNodeIds by IPerCallHostResolver.ResolveHost, one CapabilityInvoker.ExecuteAsync per host with DriverCapability.AlarmSubscribe so AlarmSubscribe's retry policy kicks in + returns one IAlarmSubscriptionHandle per host); UnsubscribeAsync (single-host, defaultHost); AcknowledgeAsync (fan-out: group AlarmAcknowledgeRequests by resolver-mapped host, run each host's batch through DriverCapability.AlarmAcknowledge which does NOT retry per decision #143 — alarm-ack is a write-shaped op that's not idempotent at the plant-floor level). Drivers without IPerCallHostResolver (Galaxy single MXAccess endpoint, OpcUaClient against one remote, etc.) fall back to defaultHost = DriverInstanceId so breaker + bulkhead keying still happens; drivers with it get one-dead-PLC-doesn't-poison-siblings isolation per decision #144. Single-host single-subscribe returns [handle] with length 1; empty sourceNodeIds fast-paths to [] without a driver call. 
Five new AlarmSurfaceInvokerTests covering: (a) empty list short-circuits — driver method never called; (b) single-host sub routes via default host — one driver call with full id list; (c) multi-host sub fans out to 2 distinct hosts for 3 src ids mapping to 2 plcs — one driver call per host; (d) Acknowledge does not retry on failure — call count stays at 1 even with exception; (e) Subscribe retries transient failures — call count reaches 3 with a 2-failures-then-success fake. Core.Tests resilience-builder suite 19/19 passing (was 14, +5); Core.Tests whole suite still green. Core project builds 0 errors. Task #200 captures the compile-time guardrail: Roslyn DiagnosticAnalyzer at src/ZB.MOM.WW.OtOpcUa.Analyzers that flags direct invocations of the eleven capability-interface methods inside the Server namespace when the call is NOT inside a CapabilityInvoker.ExecuteAsync/ExecuteWriteAsync/AlarmSurfaceInvoker.*Async lambda. That analyzer is the reason we keep paying the wrapping-class overhead for every new capability.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-19 23:07:37 -04:00
006af636a0 Merge pull request (#139) - ExternalIdReservation merge in FinaliseBatch 2026-04-19 23:04:25 -04:00
24 changed files with 3001 additions and 42 deletions

20
ci/ab-server.lock.json Normal file

@@ -0,0 +1,20 @@
{
"_comment": "Pinned libplctag release used by tests/ZB.MOM.WW.OtOpcUa.Driver.AbCip.IntegrationTests/AbServerFixture. ab_server.exe ships inside the *_tools.zip asset on every GitHub release. See docs/v2/test-data-sources.md §2.CI for the GitHub Actions step that consumes this file.",
"repo": "libplctag/libplctag",
"tag": "v2.6.16",
"published": "2026-03-29",
"assets": {
"windows-x64": {
"file": "libplctag_2.6.16_windows_x64_tools.zip",
"sha256": "9b78a3dee73d9cd28ca348c090f453dbe3ad9d07ad6bf42865a9dc3a79bc2232"
},
"windows-x86": {
"file": "libplctag_2.6.16_windows_x86_tools.zip",
"sha256": "fdfefd58b266c5da9a1ded1a430985e609289c9e67be2544da7513b668761edf"
},
"windows-arm64": {
"file": "libplctag_2.6.16_windows_arm64_tools.zip",
"sha256": "d747728e4c4958bb63b4ac23e1c820c4452e4778dfd7d58f8a0aecd5402d4944"
}
}
}
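Review bot: the `_comment` value says where the pin is consumed but not how the three `sha256` values were obtained, so a later bump of `tag` has no recorded procedure to follow. Suggest stating, in `_comment` or in the referenced doc section, that the hashes were computed from the downloaded `*_tools.zip` assets and how to recompute them. The `published` field is not read by the CI step shown on this page; either note that it is informational or drop it so the file holds only values the step enforces.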


@@ -189,6 +189,43 @@ Modbus has no native String, DateTime, or Int64 — those rows are skipped on th
- **ab_server tag-type coverage is finite** (BOOL, DINT, REAL, arrays, basic strings). UDTs and `Program:` scoping are not fully implemented. Document an "ab_server-supported tag set" in the harness and exclude the rest from default CI; UDT coverage moves to the Studio 5000 Emulate golden-box tier. - **ab_server tag-type coverage is finite** (BOOL, DINT, REAL, arrays, basic strings). UDTs and `Program:` scoping are not fully implemented. Document an "ab_server-supported tag set" in the harness and exclude the rest from default CI; UDT coverage moves to the Studio 5000 Emulate golden-box tier.
- CIP has no native subscriptions, so polling behavior matches real hardware. - CIP has no native subscriptions, so polling behavior matches real hardware.
### CI fixture (task #180)
The integration harness at `tests/ZB.MOM.WW.OtOpcUa.Driver.AbCip.IntegrationTests/` exposes two test-time contracts:
- **`AbServerFixture(AbServerProfile)`** — starts the simulator with the CLI args composed from the profile's `--plc` family + seed-tag set. One fixture instance per family, one simulator process per test case (smoke tier). For larger suites that can share a simulator across several reads/writes, use a `IClassFixture<AbServerFixture>` wrapper per family.
- **`KnownProfiles.{ControlLogix, CompactLogix, Micro800, GuardLogix}`** — the four per-family profiles. Drives the simulator's `--plc` mode + the preseed `--tag name:type[:size]` set. Micro800 + GuardLogix fall back to `controllogix` under the hood because ab_server has no dedicated mode for them — the driver-side family profile still enforces the narrower connection shape / safety classification separately.
**Pinned version** (recorded in `ci/ab-server.lock.json` so drift is one-file visible):
- `libplctag` **v2.6.16** (published 2026-03-29) — `ab_server.exe` ships inside the `_tools.zip` asset alongside `plctag.dll` + two `list_tags_*` helpers.
- Windows x64: `libplctag_2.6.16_windows_x64_tools.zip` — SHA256 `9b78a3dee73d9cd28ca348c090f453dbe3ad9d07ad6bf42865a9dc3a79bc2232`
- Windows x86: `libplctag_2.6.16_windows_x86_tools.zip` — SHA256 `fdfefd58b266c5da9a1ded1a430985e609289c9e67be2544da7513b668761edf`
- Windows ARM64: `libplctag_2.6.16_windows_arm64_tools.zip` — SHA256 `d747728e4c4958bb63b4ac23e1c820c4452e4778dfd7d58f8a0aecd5402d4944`
**CI step:**
```yaml
# GitHub Actions step placed before `dotnet test`:
- name: Fetch ab_server (libplctag v2.6.16)
shell: pwsh
run: |
$pin = Get-Content ci/ab-server.lock.json | ConvertFrom-Json
$asset = $pin.assets.'windows-x64' # swap to windows-x86 / windows-arm64 on non-x64 runners
$url = "https://github.com/libplctag/libplctag/releases/download/$($pin.tag)/$($asset.file)"
$zip = Join-Path $env:RUNNER_TEMP 'libplctag-tools.zip'
Invoke-WebRequest $url -OutFile $zip
$actual = (Get-FileHash -Algorithm SHA256 $zip).Hash.ToLower()
if ($actual -ne $asset.sha256) { throw "libplctag tools SHA256 mismatch: expected $($asset.sha256), got $actual" }
$dest = Join-Path $env:RUNNER_TEMP 'libplctag-tools'
Expand-Archive $zip -DestinationPath $dest
Add-Content $env:GITHUB_PATH $dest
```
The fixture's `LocateBinary()` picks the binary up off PATH so the C# harness doesn't own the download — CI YAML is the right place for version pinning + hash verification. Developer workstations install the binary once from source (`cmake + make ab_server` under a libplctag clone) and the same fixture works identically.
Tests without ab_server on PATH are marked `Skip` via `AbServerFactAttribute` / `AbServerTheoryAttribute`, so fresh-clone runs without the simulator still pass all unit suites in this project.
--- ---
## 3. Allen-Bradley Legacy (SLC 500 / MicroLogix, PCCC) ## 3. Allen-Bradley Legacy (SLC 500 / MicroLogix, PCCC)
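Review bot: in the CI step the `$url` line hardcodes `libplctag/libplctag` although the lockfile it has just parsed carries `repo`, and the step `name` plus the three SHA256 bullets under "Pinned version" repeat the tag and hashes, so a version bump still has to touch this document as well as `ci/ab-server.lock.json`. Suggest building the URL from `$($pin.repo)`, dropping the version from the step name, and replacing the hash bullets with a pointer to the lockfile. After `Expand-Archive`, consider failing the step when `ab_server.exe` is not directly under `$dest`: `Add-Content $env:GITHUB_PATH $dest` only helps if the binary sits at the archive root, and because tests without ab_server on PATH are marked `Skip`, a wrong path would make the integration suite skip in CI instead of failing.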


@@ -1,7 +1,13 @@
@using Microsoft.AspNetCore.SignalR.Client
@using ZB.MOM.WW.OtOpcUa.Admin.Hubs
@using ZB.MOM.WW.OtOpcUa.Admin.Services @using ZB.MOM.WW.OtOpcUa.Admin.Services
@using ZB.MOM.WW.OtOpcUa.Configuration.Entities @using ZB.MOM.WW.OtOpcUa.Configuration.Entities
@using ZB.MOM.WW.OtOpcUa.Configuration.Enums @using ZB.MOM.WW.OtOpcUa.Configuration.Enums
@using ZB.MOM.WW.OtOpcUa.Core.Authorization
@inject NodeAclService AclSvc @inject NodeAclService AclSvc
@inject PermissionProbeService ProbeSvc
@inject NavigationManager Nav
@implements IAsyncDisposable
<div class="d-flex justify-content-between mb-3"> <div class="d-flex justify-content-between mb-3">
<h4>Access-control grants</h4> <h4>Access-control grants</h4>
@@ -29,6 +35,95 @@ else
</table> </table>
} }
@* Probe-this-permission — task #196 slice 1 *@
<div class="card mt-4 mb-3">
<div class="card-header">
<strong>Probe this permission</strong>
<span class="small text-muted ms-2">
Ask the trie "if LDAP group X asks for permission Y on node Z, would it be granted?" —
answers the same way the live server does at request time.
</span>
</div>
<div class="card-body">
<div class="row g-2 align-items-end">
<div class="col-md-3">
<label class="form-label small">LDAP group</label>
<input class="form-control form-control-sm" @bind="_probeGroup" placeholder="cn=fleet-admin,…"/>
</div>
<div class="col-md-2">
<label class="form-label small">Namespace</label>
<input class="form-control form-control-sm" @bind="_probeNamespaceId" placeholder="ns-1"/>
</div>
<div class="col-md-2">
<label class="form-label small">UnsArea</label>
<input class="form-control form-control-sm" @bind="_probeUnsAreaId"/>
</div>
<div class="col-md-2">
<label class="form-label small">UnsLine</label>
<input class="form-control form-control-sm" @bind="_probeUnsLineId"/>
</div>
<div class="col-md-1">
<label class="form-label small">Equipment</label>
<input class="form-control form-control-sm" @bind="_probeEquipmentId"/>
</div>
<div class="col-md-1">
<label class="form-label small">Tag</label>
<input class="form-control form-control-sm" @bind="_probeTagId"/>
</div>
<div class="col-md-1">
<label class="form-label small">Permission</label>
<select class="form-select form-select-sm" @bind="_probePermission">
@foreach (var p in Enum.GetValues<NodePermissions>())
{
if (p == NodePermissions.None) continue;
<option value="@p">@p</option>
}
</select>
</div>
</div>
<div class="mt-3">
<button class="btn btn-sm btn-outline-primary" @onclick="RunProbeAsync" disabled="@_probing">Probe</button>
@if (_probeResult is not null)
{
<span class="ms-3">
@if (_probeResult.Granted)
{
<span class="badge bg-success">Granted</span>
}
else
{
<span class="badge bg-danger">Denied</span>
}
<span class="small ms-2">
Required <code>@_probeResult.Required</code>,
Effective <code>@_probeResult.Effective</code>
</span>
</span>
}
</div>
@if (_probeResult is not null && _probeResult.Matches.Count > 0)
{
<table class="table table-sm mt-3 mb-0">
<thead><tr><th>LDAP group matched</th><th>Level</th><th>Flags contributed</th></tr></thead>
<tbody>
@foreach (var m in _probeResult.Matches)
{
<tr>
<td><code>@m.LdapGroup</code></td>
<td>@m.Scope</td>
<td><code>@m.PermissionFlags</code></td>
</tr>
}
</tbody>
</table>
}
else if (_probeResult is not null)
{
<div class="mt-2 small text-muted">No matching grants for this (group, scope) — effective permission is <code>None</code>.</div>
}
</div>
</div>
@if (_showForm) @if (_showForm)
{ {
<div class="card"> <div class="card">
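Review bot: the Granted/Denied badge and the matches table keep showing the previous `_probeResult` after any of the bound inputs change, so an operator can read a verdict that does not belong to the values currently on screen. Suggest clearing `_probeResult` when an input changes, or rendering the probed group, scope and permission next to the badge. The `<label>` elements also have no `for`/`id` pairing with their inputs.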
@@ -80,6 +175,64 @@ else
private string _preset = "Read"; private string _preset = "Read";
private string? _error; private string? _error;
// Probe-this-permission state
private string _probeGroup = string.Empty;
private string _probeNamespaceId = string.Empty;
private string _probeUnsAreaId = string.Empty;
private string _probeUnsLineId = string.Empty;
private string _probeEquipmentId = string.Empty;
private string _probeTagId = string.Empty;
private NodePermissions _probePermission = NodePermissions.Read;
private PermissionProbeResult? _probeResult;
private bool _probing;
private async Task RunProbeAsync()
{
if (string.IsNullOrWhiteSpace(_probeGroup)) { _probeResult = null; return; }
_probing = true;
try
{
var scope = new NodeScope
{
ClusterId = ClusterId,
NamespaceId = NullIfBlank(_probeNamespaceId),
UnsAreaId = NullIfBlank(_probeUnsAreaId),
UnsLineId = NullIfBlank(_probeUnsLineId),
EquipmentId = NullIfBlank(_probeEquipmentId),
TagId = NullIfBlank(_probeTagId),
Kind = NodeHierarchyKind.Equipment,
};
_probeResult = await ProbeSvc.ProbeAsync(GenerationId, _probeGroup.Trim(), scope, _probePermission, CancellationToken.None);
}
finally { _probing = false; }
}
private static string? NullIfBlank(string s) => string.IsNullOrWhiteSpace(s) ? null : s;
private HubConnection? _hub;
protected override async Task OnAfterRenderAsync(bool firstRender)
{
if (!firstRender || _hub is not null) return;
_hub = new HubConnectionBuilder()
.WithUrl(Nav.ToAbsoluteUri("/hubs/fleet-status"))
.WithAutomaticReconnect()
.Build();
_hub.On<NodeAclChangedMessage>("NodeAclChanged", async msg =>
{
if (msg.ClusterId != ClusterId || msg.GenerationId != GenerationId) return;
_acls = await AclSvc.ListAsync(GenerationId, CancellationToken.None);
await InvokeAsync(StateHasChanged);
});
await _hub.StartAsync();
await _hub.SendAsync("SubscribeCluster", ClusterId);
}
public async ValueTask DisposeAsync()
{
if (_hub is not null) { await _hub.DisposeAsync(); _hub = null; }
}
protected override async Task OnParametersSetAsync() => protected override async Task OnParametersSetAsync() =>
_acls = await AclSvc.ListAsync(GenerationId, CancellationToken.None); _acls = await AclSvc.ListAsync(GenerationId, CancellationToken.None);
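Review bot: in the `NodeAclChanged` handler only `StateHasChanged` goes through `InvokeAsync`; the `AclSvc.ListAsync` call and the `_acls` assignment run on the SignalR callback and can overlap the same call made from `OnParametersSetAsync`. Suggest moving the whole handler body inside `InvokeAsync` and catching there so a failed reload is handled. Smaller points: `RunProbeAsync` has `try`/`finally` but no `catch`, while the component already has an `_error` field it could report to; `Kind = NodeHierarchyKind.Equipment` is fixed regardless of which scope fields were filled in, which deserves a comment or a derived value; and if `StartAsync` throws, the exception escapes `OnAfterRenderAsync` and nothing retries the connection. The connection is built with no options on `WithUrl`, so please confirm how `/hubs/fleet-status` authorizes `SubscribeCluster` for the requested `ClusterId`.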


@@ -59,7 +59,7 @@ else
new SectionDef("Equipment", "Equipment", "UNS level-5 rows + identification fields"), new SectionDef("Equipment", "Equipment", "UNS level-5 rows + identification fields"),
new SectionDef("Tag", "Tags", "Per-device tag definitions + poll-group binding"), new SectionDef("Tag", "Tags", "Per-device tag definitions + poll-group binding"),
new SectionDef("UnsLine", "UNS structure", "Site / Area / Line hierarchy (proc-extension pending)"), new SectionDef("UnsLine", "UNS structure", "Site / Area / Line hierarchy (proc-extension pending)"),
new SectionDef("NodeAcl", "ACLs", "LDAP-group → node-scope permission grants (proc-extension pending)"), new SectionDef("NodeAcl", "ACLs", "LDAP-group → node-scope permission grants (logical id = LdapGroup|ScopeKind|ScopeId)"),
}; };
private List<DiffRow>? _rows; private List<DiffRow>? _rows;


@@ -1,9 +1,17 @@
@using Microsoft.AspNetCore.SignalR.Client
@using ZB.MOM.WW.OtOpcUa.Admin.Hubs
@using ZB.MOM.WW.OtOpcUa.Admin.Services @using ZB.MOM.WW.OtOpcUa.Admin.Services
@using ZB.MOM.WW.OtOpcUa.Configuration.Entities @using ZB.MOM.WW.OtOpcUa.Configuration.Entities
@using ZB.MOM.WW.OtOpcUa.Configuration.Enums @using ZB.MOM.WW.OtOpcUa.Configuration.Enums
@inject ClusterNodeService NodeSvc @inject ClusterNodeService NodeSvc
@inject NavigationManager Nav
@implements IAsyncDisposable
<h4>Redundancy topology</h4> <h4>Redundancy topology</h4>
@if (_roleChangedBanner is not null)
{
<div class="alert alert-info small mb-2">@_roleChangedBanner</div>
}
<p class="text-muted small"> <p class="text-muted small">
One row per <code>ClusterNode</code> in this cluster. Role, <code>ApplicationUri</code>, One row per <code>ClusterNode</code> in this cluster. Role, <code>ApplicationUri</code>,
and <code>ServiceLevelBase</code> are authored separately; the Admin UI shows them read-only and <code>ServiceLevelBase</code> are authored separately; the Admin UI shows them read-only
@@ -107,10 +115,41 @@ else
[Parameter] public string ClusterId { get; set; } = string.Empty; [Parameter] public string ClusterId { get; set; } = string.Empty;
private List<ClusterNode>? _nodes; private List<ClusterNode>? _nodes;
private HubConnection? _hub;
private string? _roleChangedBanner;
protected override async Task OnParametersSetAsync() protected override async Task OnParametersSetAsync()
{ {
_nodes = await NodeSvc.ListByClusterAsync(ClusterId, CancellationToken.None); _nodes = await NodeSvc.ListByClusterAsync(ClusterId, CancellationToken.None);
if (_hub is null) await ConnectHubAsync();
}
private async Task ConnectHubAsync()
{
_hub = new HubConnectionBuilder()
.WithUrl(Nav.ToAbsoluteUri("/hubs/fleet-status"))
.WithAutomaticReconnect()
.Build();
_hub.On<RoleChangedMessage>("RoleChanged", async msg =>
{
if (msg.ClusterId != ClusterId) return;
_roleChangedBanner = $"Role changed on {msg.NodeId}: {msg.FromRole} → {msg.ToRole} at {msg.ObservedAtUtc:HH:mm:ss 'UTC'}";
_nodes = await NodeSvc.ListByClusterAsync(ClusterId, CancellationToken.None);
await InvokeAsync(StateHasChanged);
});
await _hub.StartAsync();
await _hub.SendAsync("SubscribeCluster", ClusterId);
}
public async ValueTask DisposeAsync()
{
if (_hub is not null)
{
await _hub.DisposeAsync();
_hub = null;
}
} }
private static string RowClass(ClusterNode n) => private static string RowClass(ClusterNode n) =>
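Review bot: In ConnectHubAsync, SubscribeCluster is sent once after StartAsync, but the connection is built with WithAutomaticReconnect. A reconnected SignalR connection gets a new connection id and its group membership is not restored, so (assuming SubscribeCluster is what joins the cluster group) the tab stops receiving RoleChanged after the first reconnect. Register a `_hub.Reconnected` handler that re-sends SubscribeCluster with the current ClusterId. The `if (_hub is null)` guard in OnParametersSetAsync has a related gap: if the ClusterId parameter changes, the hub stays subscribed to the old cluster while the handler's `msg.ClusterId != ClusterId` filter discards everything it receives.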

View File

@@ -1,10 +1,16 @@
@page "/role-grants" @page "/role-grants"
@using Microsoft.AspNetCore.Components.Web
@using Microsoft.AspNetCore.SignalR.Client
@using ZB.MOM.WW.OtOpcUa.Admin.Hubs
@using ZB.MOM.WW.OtOpcUa.Admin.Services @using ZB.MOM.WW.OtOpcUa.Admin.Services
@using ZB.MOM.WW.OtOpcUa.Configuration.Entities @using ZB.MOM.WW.OtOpcUa.Configuration.Entities
@using ZB.MOM.WW.OtOpcUa.Configuration.Enums @using ZB.MOM.WW.OtOpcUa.Configuration.Enums
@using ZB.MOM.WW.OtOpcUa.Configuration.Services @using ZB.MOM.WW.OtOpcUa.Configuration.Services
@inject ILdapGroupRoleMappingService RoleSvc @inject ILdapGroupRoleMappingService RoleSvc
@inject ClusterService ClusterSvc @inject ClusterService ClusterSvc
@inject AclChangeNotifier Notifier
@inject NavigationManager Nav
@implements IAsyncDisposable
<h1 class="mb-4">LDAP group → Admin role grants</h1> <h1 class="mb-4">LDAP group → Admin role grants</h1>
@@ -147,6 +153,7 @@ else
Notes = string.IsNullOrWhiteSpace(_notes) ? null : _notes, Notes = string.IsNullOrWhiteSpace(_notes) ? null : _notes,
}; };
await RoleSvc.CreateAsync(row, CancellationToken.None); await RoleSvc.CreateAsync(row, CancellationToken.None);
await Notifier.NotifyRoleGrantsChangedAsync(CancellationToken.None);
_showForm = false; _showForm = false;
await ReloadAsync(); await ReloadAsync();
} }
@@ -156,6 +163,30 @@ else
private async Task DeleteAsync(Guid id) private async Task DeleteAsync(Guid id)
{ {
await RoleSvc.DeleteAsync(id, CancellationToken.None); await RoleSvc.DeleteAsync(id, CancellationToken.None);
await Notifier.NotifyRoleGrantsChangedAsync(CancellationToken.None);
await ReloadAsync(); await ReloadAsync();
} }
private HubConnection? _hub;
protected override async Task OnAfterRenderAsync(bool firstRender)
{
if (!firstRender || _hub is not null) return;
_hub = new HubConnectionBuilder()
.WithUrl(Nav.ToAbsoluteUri("/hubs/fleet-status"))
.WithAutomaticReconnect()
.Build();
_hub.On<RoleGrantsChangedMessage>("RoleGrantsChanged", async _ =>
{
await ReloadAsync();
await InvokeAsync(StateHasChanged);
});
await _hub.StartAsync();
await _hub.SendAsync("SubscribeFleet");
}
public async ValueTask DisposeAsync()
{
if (_hub is not null) { await _hub.DisposeAsync(); _hub = null; }
}
} }
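Review bot: The RoleGrantsChanged handler calls ReloadAsync outside InvokeAsync, on the hub client's callback, and this page is itself subscribed to the fleet group it notifies. After DeleteAsync (and the create path in the previous hunk) the explicit `await ReloadAsync();` and the handler's reload can therefore run at the same time against the same injected RoleSvc and the same component fields. If RoleSvc sits on a scoped DbContext, overlapping calls can fail with a concurrent-operation error. Serialize the reloads (for example a SemaphoreSlim around ReloadAsync) and run the handler's reload inside InvokeAsync so state is only mutated on the renderer's context.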

View File

@@ -1,7 +1,9 @@
using Microsoft.AspNetCore.SignalR; using Microsoft.AspNetCore.SignalR;
using Microsoft.EntityFrameworkCore; using Microsoft.EntityFrameworkCore;
using ZB.MOM.WW.OtOpcUa.Admin.Services;
using ZB.MOM.WW.OtOpcUa.Configuration; using ZB.MOM.WW.OtOpcUa.Configuration;
using ZB.MOM.WW.OtOpcUa.Configuration.Entities; using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
namespace ZB.MOM.WW.OtOpcUa.Admin.Hubs; namespace ZB.MOM.WW.OtOpcUa.Admin.Hubs;
@@ -14,11 +16,13 @@ public sealed class FleetStatusPoller(
IServiceScopeFactory scopeFactory, IServiceScopeFactory scopeFactory,
IHubContext<FleetStatusHub> fleetHub, IHubContext<FleetStatusHub> fleetHub,
IHubContext<AlertHub> alertHub, IHubContext<AlertHub> alertHub,
ILogger<FleetStatusPoller> logger) : BackgroundService ILogger<FleetStatusPoller> logger,
RedundancyMetrics redundancyMetrics) : BackgroundService
{ {
public TimeSpan PollInterval { get; init; } = TimeSpan.FromSeconds(5); public TimeSpan PollInterval { get; init; } = TimeSpan.FromSeconds(5);
private readonly Dictionary<string, NodeStateSnapshot> _last = new(); private readonly Dictionary<string, NodeStateSnapshot> _last = new();
private readonly Dictionary<string, RedundancyRole> _lastRole = new(StringComparer.Ordinal);
protected override async Task ExecuteAsync(CancellationToken stoppingToken) protected override async Task ExecuteAsync(CancellationToken stoppingToken)
{ {
@@ -42,6 +46,10 @@ public sealed class FleetStatusPoller(
using var scope = scopeFactory.CreateScope(); using var scope = scopeFactory.CreateScope();
var db = scope.ServiceProvider.GetRequiredService<OtOpcUaConfigDbContext>(); var db = scope.ServiceProvider.GetRequiredService<OtOpcUaConfigDbContext>();
var nodes = await db.ClusterNodes.AsNoTracking().ToListAsync(ct);
await PollRolesAsync(nodes, ct);
UpdateClusterGauges(nodes);
var rows = await db.ClusterNodeGenerationStates.AsNoTracking() var rows = await db.ClusterNodeGenerationStates.AsNoTracking()
.Join(db.ClusterNodes.AsNoTracking(), s => s.NodeId, n => n.NodeId, (s, n) => new { s, n.ClusterId }) .Join(db.ClusterNodes.AsNoTracking(), s => s.NodeId, n => n.NodeId, (s, n) => new { s, n.ClusterId })
.ToListAsync(ct); .ToListAsync(ct);
@@ -85,9 +93,63 @@ public sealed class FleetStatusPoller(
} }
/// <summary>Exposed for tests — forces a snapshot reset so stub data re-seeds.</summary> /// <summary>Exposed for tests — forces a snapshot reset so stub data re-seeds.</summary>
internal void ResetCache() => _last.Clear(); internal void ResetCache()
{
_last.Clear();
_lastRole.Clear();
}
private async Task PollRolesAsync(IReadOnlyList<ClusterNode> nodes, CancellationToken ct)
{
foreach (var n in nodes)
{
var hadPrior = _lastRole.TryGetValue(n.NodeId, out var priorRole);
if (hadPrior && priorRole == n.RedundancyRole) continue;
_lastRole[n.NodeId] = n.RedundancyRole;
if (!hadPrior) continue; // first-observation bootstrap — not a transition
redundancyMetrics.RecordRoleTransition(
clusterId: n.ClusterId, nodeId: n.NodeId,
fromRole: priorRole.ToString(), toRole: n.RedundancyRole.ToString());
var msg = new RoleChangedMessage(
ClusterId: n.ClusterId, NodeId: n.NodeId,
FromRole: priorRole.ToString(), ToRole: n.RedundancyRole.ToString(),
ObservedAtUtc: DateTime.UtcNow);
await fleetHub.Clients.Group(FleetStatusHub.GroupName(n.ClusterId))
.SendAsync("RoleChanged", msg, ct);
await fleetHub.Clients.Group(FleetStatusHub.FleetGroup)
.SendAsync("RoleChanged", msg, ct);
}
}
private void UpdateClusterGauges(IReadOnlyList<ClusterNode> nodes)
{
var staleCutoff = DateTime.UtcNow - Services.ClusterNodeService.StaleThreshold;
foreach (var group in nodes.GroupBy(n => n.ClusterId))
{
var primary = group.Count(n => n.RedundancyRole == RedundancyRole.Primary);
var secondary = group.Count(n => n.RedundancyRole == RedundancyRole.Secondary);
var stale = group.Count(n => n.LastSeenAt is null || n.LastSeenAt.Value < staleCutoff);
redundancyMetrics.SetClusterCounts(group.Key, primary, secondary, stale);
}
}
private readonly record struct NodeStateSnapshot( private readonly record struct NodeStateSnapshot(
string NodeId, string ClusterId, long? GenerationId, string NodeId, string ClusterId, long? GenerationId,
string? Status, string? Error, DateTime? AppliedAt, DateTime? SeenAt); string? Status, string? Error, DateTime? AppliedAt, DateTime? SeenAt);
} }
/// <summary>
/// Pushed by <see cref="FleetStatusPoller"/> when it observes a change in
/// <see cref="ClusterNode.RedundancyRole"/>. Consumed by the Admin RedundancyTab to trigger
/// an instant reload instead of waiting for the next on-parameter-set poll.
/// </summary>
public sealed record RoleChangedMessage(
string ClusterId,
string NodeId,
string FromRole,
string ToRole,
DateTime ObservedAtUtc);
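Review bot: PollRolesAsync writes `_lastRole[n.NodeId] = n.RedundancyRole;` before the two SendAsync calls and has no try/catch around them. If a hub send throws, that transition is never pushed (the next tick sees priorRole equal to the current role and skips it), and the exception ends the loop for the remaining nodes and prevents UpdateClusterGauges from running on that tick. AclChangeNotifier in this same change catches and logs send failures; wrap the two sends here the same way so one failed push cannot drop other nodes' transitions or the gauge update.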

View File

@@ -44,11 +44,14 @@ builder.Services.AddScoped<UnsService>();
builder.Services.AddScoped<NamespaceService>(); builder.Services.AddScoped<NamespaceService>();
builder.Services.AddScoped<DriverInstanceService>(); builder.Services.AddScoped<DriverInstanceService>();
builder.Services.AddScoped<NodeAclService>(); builder.Services.AddScoped<NodeAclService>();
builder.Services.AddScoped<PermissionProbeService>();
builder.Services.AddScoped<AclChangeNotifier>();
builder.Services.AddScoped<ReservationService>(); builder.Services.AddScoped<ReservationService>();
builder.Services.AddScoped<DraftValidationService>(); builder.Services.AddScoped<DraftValidationService>();
builder.Services.AddScoped<AuditLogService>(); builder.Services.AddScoped<AuditLogService>();
builder.Services.AddScoped<HostStatusService>(); builder.Services.AddScoped<HostStatusService>();
builder.Services.AddScoped<ClusterNodeService>(); builder.Services.AddScoped<ClusterNodeService>();
builder.Services.AddSingleton<RedundancyMetrics>();
builder.Services.AddScoped<EquipmentImportBatchService>(); builder.Services.AddScoped<EquipmentImportBatchService>();
builder.Services.AddScoped<ZB.MOM.WW.OtOpcUa.Configuration.Services.ILdapGroupRoleMappingService, builder.Services.AddScoped<ZB.MOM.WW.OtOpcUa.Configuration.Services.ILdapGroupRoleMappingService,
ZB.MOM.WW.OtOpcUa.Configuration.Services.LdapGroupRoleMappingService>(); ZB.MOM.WW.OtOpcUa.Configuration.Services.LdapGroupRoleMappingService>();

View File

@@ -0,0 +1,49 @@
using Microsoft.AspNetCore.SignalR;
using ZB.MOM.WW.OtOpcUa.Admin.Hubs;
namespace ZB.MOM.WW.OtOpcUa.Admin.Services;
/// <summary>
/// Thin SignalR push helper for ACL + role-grant invalidation — slice 2 of task #196.
/// Lets the Admin services + razor pages invalidate connected peers' views without each
/// one having to know the hub wiring. Two message kinds: <c>NodeAclChanged</c> (cluster-scoped)
/// and <c>RoleGrantsChanged</c> (fleet-wide — role mappings cross cluster boundaries).
/// </summary>
/// <remarks>
/// Intentionally fire-and-forget — a failed hub send doesn't rollback the DB write that
/// triggered it. Worst-case an operator sees stale data until their next poll or manual
/// refresh; better than a transient hub blip blocking the authoritative write path.
/// </remarks>
public sealed class AclChangeNotifier(IHubContext<FleetStatusHub> fleetHub, ILogger<AclChangeNotifier> logger)
{
public async Task NotifyNodeAclChangedAsync(string clusterId, long generationId, CancellationToken ct)
{
try
{
var msg = new NodeAclChangedMessage(ClusterId: clusterId, GenerationId: generationId, ObservedAtUtc: DateTime.UtcNow);
await fleetHub.Clients.Group(FleetStatusHub.GroupName(clusterId))
.SendAsync("NodeAclChanged", msg, ct).ConfigureAwait(false);
}
catch (Exception ex) when (ex is not OperationCanceledException)
{
logger.LogWarning(ex, "NodeAclChanged push failed for cluster {ClusterId} gen {GenerationId}", clusterId, generationId);
}
}
public async Task NotifyRoleGrantsChangedAsync(CancellationToken ct)
{
try
{
var msg = new RoleGrantsChangedMessage(ObservedAtUtc: DateTime.UtcNow);
await fleetHub.Clients.Group(FleetStatusHub.FleetGroup)
.SendAsync("RoleGrantsChanged", msg, ct).ConfigureAwait(false);
}
catch (Exception ex) when (ex is not OperationCanceledException)
{
logger.LogWarning(ex, "RoleGrantsChanged push failed");
}
}
}
public sealed record NodeAclChangedMessage(string ClusterId, long GenerationId, DateTime ObservedAtUtc);
public sealed record RoleGrantsChangedMessage(DateTime ObservedAtUtc);
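Review bot: The remarks describe this as fire-and-forget, but both methods await SendAsync with the caller's token, and the filter `when (ex is not OperationCanceledException)` lets cancellation escape. NodeAclService calls NotifyNodeAclChangedAsync after SaveChangesAsync, so a request cancelled at that point surfaces as a failure to the caller even though the ACL row is already committed. Either catch OperationCanceledException here as well or send with CancellationToken.None, and reword the remarks to "best-effort", since the caller does wait on the hub send.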

View File

@@ -5,7 +5,7 @@ using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
namespace ZB.MOM.WW.OtOpcUa.Admin.Services; namespace ZB.MOM.WW.OtOpcUa.Admin.Services;
public sealed class NodeAclService(OtOpcUaConfigDbContext db) public sealed class NodeAclService(OtOpcUaConfigDbContext db, AclChangeNotifier? notifier = null)
{ {
public Task<List<NodeAcl>> ListAsync(long generationId, CancellationToken ct) => public Task<List<NodeAcl>> ListAsync(long generationId, CancellationToken ct) =>
db.NodeAcls.AsNoTracking() db.NodeAcls.AsNoTracking()
@@ -31,6 +31,10 @@ public sealed class NodeAclService(OtOpcUaConfigDbContext db)
}; };
db.NodeAcls.Add(acl); db.NodeAcls.Add(acl);
await db.SaveChangesAsync(ct); await db.SaveChangesAsync(ct);
if (notifier is not null)
await notifier.NotifyNodeAclChangedAsync(clusterId, draftId, ct);
return acl; return acl;
} }
@@ -40,5 +44,8 @@ public sealed class NodeAclService(OtOpcUaConfigDbContext db)
if (row is null) return; if (row is null) return;
db.NodeAcls.Remove(row); db.NodeAcls.Remove(row);
await db.SaveChangesAsync(ct); await db.SaveChangesAsync(ct);
if (notifier is not null)
await notifier.NotifyNodeAclChangedAsync(row.ClusterId, row.GenerationId, ct);
} }
} }

View File

@@ -0,0 +1,63 @@
using Microsoft.EntityFrameworkCore;
using ZB.MOM.WW.OtOpcUa.Configuration;
using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
using ZB.MOM.WW.OtOpcUa.Core.Authorization;
namespace ZB.MOM.WW.OtOpcUa.Admin.Services;
/// <summary>
/// Runs an ad-hoc permission probe against a draft or published generation's NodeAcl rows —
/// "if LDAP group X asks for permission Y on node Z, would the trie grant it, and which
/// rows contributed?" Powers the AclsTab "Probe this permission" form per the #196 sub-slice.
/// </summary>
/// <remarks>
/// Thin wrapper over <see cref="PermissionTrieBuilder"/> + <see cref="PermissionTrie.CollectMatches"/> —
/// the same code path the Server's dispatch layer uses at request time, so a probe result
/// is guaranteed to match what the live server would decide. The probe is read-only + has
/// no side effects; failing probes do NOT generate audit log rows.
/// </remarks>
public sealed class PermissionProbeService(OtOpcUaConfigDbContext db)
{
/// <summary>
/// Evaluate <paramref name="required"/> against the NodeAcl rows of
/// <paramref name="generationId"/> for a request by <paramref name="ldapGroup"/> at
/// <paramref name="scope"/>. Returns whether the permission would be granted + the list
/// of matching grants so the UI can show *why*.
/// </summary>
public async Task<PermissionProbeResult> ProbeAsync(
long generationId,
string ldapGroup,
NodeScope scope,
NodePermissions required,
CancellationToken ct)
{
ArgumentException.ThrowIfNullOrWhiteSpace(ldapGroup);
ArgumentNullException.ThrowIfNull(scope);
var rows = await db.NodeAcls.AsNoTracking()
.Where(a => a.GenerationId == generationId && a.ClusterId == scope.ClusterId)
.ToListAsync(ct).ConfigureAwait(false);
var trie = PermissionTrieBuilder.Build(scope.ClusterId, generationId, rows);
var matches = trie.CollectMatches(scope, [ldapGroup]);
var effective = NodePermissions.None;
foreach (var m in matches)
effective |= m.PermissionFlags;
var granted = (effective & required) == required;
return new PermissionProbeResult(
Granted: granted,
Required: required,
Effective: effective,
Matches: matches);
}
}
/// <summary>Outcome of a <see cref="PermissionProbeService.ProbeAsync"/> call.</summary>
public sealed record PermissionProbeResult(
bool Granted,
NodePermissions Required,
NodePermissions Effective,
IReadOnlyList<MatchedGrant> Matches);
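Review bot: In ProbeAsync, `(effective & required) == required` is true when required is NodePermissions.None, so a probe submitted with no permission selected reports Granted even when Matches is empty; reject None up front alongside the existing argument checks. The remarks also state that a probe result "is guaranteed to match what the live server would decide", but the probe passes exactly one group (`[ldapGroup]`) to CollectMatches, which takes a group collection. A user who belongs to several groups can get a different effective mask, so the doc should say the result is for that one group in isolation.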

View File

@@ -0,0 +1,102 @@
using System.Diagnostics.Metrics;
namespace ZB.MOM.WW.OtOpcUa.Admin.Services;
/// <summary>
/// OpenTelemetry-compatible instrumentation for the redundancy surface. Uses in-box
/// <see cref="System.Diagnostics.Metrics"/> so no NuGet dependency is required to emit —
/// any MeterListener (dotnet-counters, OpenTelemetry.Extensions.Hosting OTLP exporter,
/// Prometheus exporter, etc.) picks up the instruments by the <see cref="MeterName"/>.
/// </summary>
/// <remarks>
/// Exporter configuration (OTLP, Prometheus, etc.) is intentionally NOT wired here —
/// that's a deployment-ops decision that belongs in <c>Program.cs</c> behind an
/// <c>appsettings</c> toggle. This class owns only the Meter + instruments so the
/// production data stream exists regardless of exporter availability.
///
/// Counter + gauge names follow the otel-semantic-conventions pattern:
/// <c>otopcua.redundancy.*</c> with tags for ClusterId + (for transitions) FromRole/ToRole/NodeId.
/// </remarks>
public sealed class RedundancyMetrics : IDisposable
{
public const string MeterName = "ZB.MOM.WW.OtOpcUa.Redundancy";
private readonly Meter _meter;
private readonly Counter<long> _roleTransitions;
private readonly object _gaugeLock = new();
private readonly Dictionary<string, ClusterGaugeState> _gaugeState = new();
public RedundancyMetrics()
{
_meter = new Meter(MeterName, version: "1.0.0");
_roleTransitions = _meter.CreateCounter<long>(
"otopcua.redundancy.role_transition",
unit: "{transition}",
description: "Observed RedundancyRole changes per node — tagged FromRole, ToRole, NodeId, ClusterId.");
// Observable gauges — the callback reports whatever the last Observe*Count call stashed.
_meter.CreateObservableGauge(
"otopcua.redundancy.primary_count",
ObservePrimaryCounts,
unit: "{node}",
description: "Count of Primary-role nodes per cluster (should be 1 for N+1 redundant clusters, 0 during failover).");
_meter.CreateObservableGauge(
"otopcua.redundancy.secondary_count",
ObserveSecondaryCounts,
unit: "{node}",
description: "Count of Secondary-role nodes per cluster.");
_meter.CreateObservableGauge(
"otopcua.redundancy.stale_count",
ObserveStaleCounts,
unit: "{node}",
description: "Count of cluster nodes whose LastSeenAt is older than StaleThreshold.");
}
/// <summary>
/// Update the per-cluster snapshot consumed by the ObservableGauges. Poller calls this
/// at the end of every tick so the collectors see fresh numbers on the next observation
/// window (by default 1s for dotnet-counters, configurable per exporter).
/// </summary>
public void SetClusterCounts(string clusterId, int primary, int secondary, int stale)
{
lock (_gaugeLock)
{
_gaugeState[clusterId] = new ClusterGaugeState(primary, secondary, stale);
}
}
/// <summary>
/// Increment the role_transition counter when a node's RedundancyRole changes. Tags
/// allow breakdowns by from/to roles (e.g. Primary → Secondary for planned failover vs
/// Primary → Standalone for emergency recovery) + by cluster for multi-site fleets.
/// </summary>
public void RecordRoleTransition(string clusterId, string nodeId, string fromRole, string toRole)
{
_roleTransitions.Add(1,
new KeyValuePair<string, object?>("cluster.id", clusterId),
new KeyValuePair<string, object?>("node.id", nodeId),
new KeyValuePair<string, object?>("from_role", fromRole),
new KeyValuePair<string, object?>("to_role", toRole));
}
public void Dispose() => _meter.Dispose();
private IEnumerable<Measurement<long>> ObservePrimaryCounts() => SnapshotGauge(s => s.Primary);
private IEnumerable<Measurement<long>> ObserveSecondaryCounts() => SnapshotGauge(s => s.Secondary);
private IEnumerable<Measurement<long>> ObserveStaleCounts() => SnapshotGauge(s => s.Stale);
private IEnumerable<Measurement<long>> SnapshotGauge(Func<ClusterGaugeState, int> selector)
{
List<Measurement<long>> results;
lock (_gaugeLock)
{
results = new List<Measurement<long>>(_gaugeState.Count);
foreach (var (cluster, state) in _gaugeState)
results.Add(new Measurement<long>(selector(state),
new KeyValuePair<string, object?>("cluster.id", cluster)));
}
return results;
}
private readonly record struct ClusterGaugeState(int Primary, int Secondary, int Stale);
}
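Review bot: SetClusterCounts only adds or overwrites entries in `_gaugeState`, and FleetStatusPoller.UpdateClusterGauges only visits clusters that still have rows in ClusterNodes. A cluster whose nodes are all removed therefore keeps reporting its last primary, secondary and stale counts until the process restarts, which defeats alerting on primary_count. Have the poller hand over the whole per-tick snapshot so the dictionary is replaced, or add an explicit removal method. Minor doc point: the constructor comment says the callback reports what "the last Observe*Count call stashed", but the values are stashed by SetClusterCounts.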

View File

@@ -20,6 +20,7 @@
<ItemGroup> <ItemGroup>
<ProjectReference Include="..\ZB.MOM.WW.OtOpcUa.Configuration\ZB.MOM.WW.OtOpcUa.Configuration.csproj"/> <ProjectReference Include="..\ZB.MOM.WW.OtOpcUa.Configuration\ZB.MOM.WW.OtOpcUa.Configuration.csproj"/>
<ProjectReference Include="..\ZB.MOM.WW.OtOpcUa.Core\ZB.MOM.WW.OtOpcUa.Core.csproj"/>
</ItemGroup> </ItemGroup>
<ItemGroup> <ItemGroup>

View File

@@ -0,0 +1,172 @@
using Microsoft.EntityFrameworkCore.Migrations;
#nullable disable
namespace ZB.MOM.WW.OtOpcUa.Configuration.Migrations
{
/// <summary>
/// Extends <c>dbo.sp_ComputeGenerationDiff</c> to emit <c>NodeAcl</c> rows alongside the
/// existing Namespace/DriverInstance/Equipment/Tag output — closes the final slice of
/// task #196 (DiffViewer ACL section). Logical id for NodeAcl is a composite
/// <c>LdapGroup|ScopeKind|ScopeId</c> triple so a Change row surfaces whether the grant
/// shifted permissions, moved scope, or was added/removed outright.
/// </summary>
/// <inheritdoc />
public partial class ExtendComputeGenerationDiffWithNodeAcl : Migration
{
/// <inheritdoc />
protected override void Up(MigrationBuilder migrationBuilder)
{
migrationBuilder.Sql(Procs.ComputeGenerationDiffV2);
}
/// <inheritdoc />
protected override void Down(MigrationBuilder migrationBuilder)
{
migrationBuilder.Sql(Procs.ComputeGenerationDiffV1);
}
private static class Procs
{
/// <summary>V2 — adds the NodeAcl section to the diff output.</summary>
public const string ComputeGenerationDiffV2 = @"
CREATE OR ALTER PROCEDURE dbo.sp_ComputeGenerationDiff
@FromGenerationId bigint,
@ToGenerationId bigint
AS
BEGIN
SET NOCOUNT ON;
CREATE TABLE #diff (TableName nvarchar(32), LogicalId nvarchar(128), ChangeKind nvarchar(16));
WITH f AS (SELECT NamespaceId AS LogicalId, CHECKSUM(NamespaceUri, Kind, Enabled, Notes) AS Sig FROM dbo.Namespace WHERE GenerationId = @FromGenerationId),
t AS (SELECT NamespaceId AS LogicalId, CHECKSUM(NamespaceUri, Kind, Enabled, Notes) AS Sig FROM dbo.Namespace WHERE GenerationId = @ToGenerationId)
INSERT #diff
SELECT 'Namespace', CONVERT(nvarchar(128), COALESCE(f.LogicalId, t.LogicalId)),
CASE WHEN f.LogicalId IS NULL THEN 'Added'
WHEN t.LogicalId IS NULL THEN 'Removed'
WHEN f.Sig <> t.Sig THEN 'Modified'
ELSE 'Unchanged' END
FROM f FULL OUTER JOIN t ON f.LogicalId = t.LogicalId
WHERE f.LogicalId IS NULL OR t.LogicalId IS NULL OR f.Sig <> t.Sig;
WITH f AS (SELECT DriverInstanceId AS LogicalId, CHECKSUM(ClusterId, NamespaceId, Name, DriverType, Enabled, CONVERT(varchar(max), DriverConfig)) AS Sig FROM dbo.DriverInstance WHERE GenerationId = @FromGenerationId),
t AS (SELECT DriverInstanceId AS LogicalId, CHECKSUM(ClusterId, NamespaceId, Name, DriverType, Enabled, CONVERT(varchar(max), DriverConfig)) AS Sig FROM dbo.DriverInstance WHERE GenerationId = @ToGenerationId)
INSERT #diff
SELECT 'DriverInstance', CONVERT(nvarchar(128), COALESCE(f.LogicalId, t.LogicalId)),
CASE WHEN f.LogicalId IS NULL THEN 'Added'
WHEN t.LogicalId IS NULL THEN 'Removed'
WHEN f.Sig <> t.Sig THEN 'Modified'
ELSE 'Unchanged' END
FROM f FULL OUTER JOIN t ON f.LogicalId = t.LogicalId
WHERE f.LogicalId IS NULL OR t.LogicalId IS NULL OR f.Sig <> t.Sig;
WITH f AS (SELECT EquipmentId AS LogicalId, CHECKSUM(EquipmentUuid, DriverInstanceId, UnsLineId, Name, MachineCode, ZTag, SAPID, EquipmentClassRef, Manufacturer, Model, SerialNumber) AS Sig FROM dbo.Equipment WHERE GenerationId = @FromGenerationId),
t AS (SELECT EquipmentId AS LogicalId, CHECKSUM(EquipmentUuid, DriverInstanceId, UnsLineId, Name, MachineCode, ZTag, SAPID, EquipmentClassRef, Manufacturer, Model, SerialNumber) AS Sig FROM dbo.Equipment WHERE GenerationId = @ToGenerationId)
INSERT #diff
SELECT 'Equipment', CONVERT(nvarchar(128), COALESCE(f.LogicalId, t.LogicalId)),
CASE WHEN f.LogicalId IS NULL THEN 'Added'
WHEN t.LogicalId IS NULL THEN 'Removed'
WHEN f.Sig <> t.Sig THEN 'Modified'
ELSE 'Unchanged' END
FROM f FULL OUTER JOIN t ON f.LogicalId = t.LogicalId
WHERE f.LogicalId IS NULL OR t.LogicalId IS NULL OR f.Sig <> t.Sig;
WITH f AS (SELECT TagId AS LogicalId, CHECKSUM(DriverInstanceId, DeviceId, EquipmentId, PollGroupId, FolderPath, Name, DataType, AccessLevel, WriteIdempotent, CONVERT(varchar(max), TagConfig)) AS Sig FROM dbo.Tag WHERE GenerationId = @FromGenerationId),
t AS (SELECT TagId AS LogicalId, CHECKSUM(DriverInstanceId, DeviceId, EquipmentId, PollGroupId, FolderPath, Name, DataType, AccessLevel, WriteIdempotent, CONVERT(varchar(max), TagConfig)) AS Sig FROM dbo.Tag WHERE GenerationId = @ToGenerationId)
INSERT #diff
SELECT 'Tag', CONVERT(nvarchar(128), COALESCE(f.LogicalId, t.LogicalId)),
CASE WHEN f.LogicalId IS NULL THEN 'Added'
WHEN t.LogicalId IS NULL THEN 'Removed'
WHEN f.Sig <> t.Sig THEN 'Modified'
ELSE 'Unchanged' END
FROM f FULL OUTER JOIN t ON f.LogicalId = t.LogicalId
WHERE f.LogicalId IS NULL OR t.LogicalId IS NULL OR f.Sig <> t.Sig;
-- NodeAcl section. Logical id is the (LdapGroup, ScopeKind, ScopeId) triple so the diff
-- distinguishes same row with new permissions (Modified via CHECKSUM on PermissionFlags + Notes)
-- from a scope move (which surfaces as Added + Removed of different logical ids).
WITH f AS (
SELECT CONVERT(nvarchar(128), LdapGroup + '|' + CONVERT(nvarchar(16), ScopeKind) + '|' + ISNULL(ScopeId, '(cluster)')) AS LogicalId,
CHECKSUM(ClusterId, PermissionFlags, Notes) AS Sig
FROM dbo.NodeAcl WHERE GenerationId = @FromGenerationId),
t AS (
SELECT CONVERT(nvarchar(128), LdapGroup + '|' + CONVERT(nvarchar(16), ScopeKind) + '|' + ISNULL(ScopeId, '(cluster)')) AS LogicalId,
CHECKSUM(ClusterId, PermissionFlags, Notes) AS Sig
FROM dbo.NodeAcl WHERE GenerationId = @ToGenerationId)
INSERT #diff
SELECT 'NodeAcl', COALESCE(f.LogicalId, t.LogicalId),
CASE WHEN f.LogicalId IS NULL THEN 'Added'
WHEN t.LogicalId IS NULL THEN 'Removed'
WHEN f.Sig <> t.Sig THEN 'Modified'
ELSE 'Unchanged' END
FROM f FULL OUTER JOIN t ON f.LogicalId = t.LogicalId
WHERE f.LogicalId IS NULL OR t.LogicalId IS NULL OR f.Sig <> t.Sig;
SELECT TableName, LogicalId, ChangeKind FROM #diff;
DROP TABLE #diff;
END
";
/// <summary>V1 — exact proc shipped in migration 20260417215224_StoredProcedures. Restored on Down().</summary>
public const string ComputeGenerationDiffV1 = @"
CREATE OR ALTER PROCEDURE dbo.sp_ComputeGenerationDiff
@FromGenerationId bigint,
@ToGenerationId bigint
AS
BEGIN
SET NOCOUNT ON;
CREATE TABLE #diff (TableName nvarchar(32), LogicalId nvarchar(64), ChangeKind nvarchar(16));
WITH f AS (SELECT NamespaceId AS LogicalId, CHECKSUM(NamespaceUri, Kind, Enabled, Notes) AS Sig FROM dbo.Namespace WHERE GenerationId = @FromGenerationId),
t AS (SELECT NamespaceId AS LogicalId, CHECKSUM(NamespaceUri, Kind, Enabled, Notes) AS Sig FROM dbo.Namespace WHERE GenerationId = @ToGenerationId)
INSERT #diff
SELECT 'Namespace', CONVERT(nvarchar(64), COALESCE(f.LogicalId, t.LogicalId)),
CASE WHEN f.LogicalId IS NULL THEN 'Added'
WHEN t.LogicalId IS NULL THEN 'Removed'
WHEN f.Sig <> t.Sig THEN 'Modified'
ELSE 'Unchanged' END
FROM f FULL OUTER JOIN t ON f.LogicalId = t.LogicalId
WHERE f.LogicalId IS NULL OR t.LogicalId IS NULL OR f.Sig <> t.Sig;
WITH f AS (SELECT DriverInstanceId AS LogicalId, CHECKSUM(ClusterId, NamespaceId, Name, DriverType, Enabled, CONVERT(varchar(max), DriverConfig)) AS Sig FROM dbo.DriverInstance WHERE GenerationId = @FromGenerationId),
t AS (SELECT DriverInstanceId AS LogicalId, CHECKSUM(ClusterId, NamespaceId, Name, DriverType, Enabled, CONVERT(varchar(max), DriverConfig)) AS Sig FROM dbo.DriverInstance WHERE GenerationId = @ToGenerationId)
INSERT #diff
SELECT 'DriverInstance', CONVERT(nvarchar(64), COALESCE(f.LogicalId, t.LogicalId)),
CASE WHEN f.LogicalId IS NULL THEN 'Added'
WHEN t.LogicalId IS NULL THEN 'Removed'
WHEN f.Sig <> t.Sig THEN 'Modified'
ELSE 'Unchanged' END
FROM f FULL OUTER JOIN t ON f.LogicalId = t.LogicalId
WHERE f.LogicalId IS NULL OR t.LogicalId IS NULL OR f.Sig <> t.Sig;
WITH f AS (SELECT EquipmentId AS LogicalId, CHECKSUM(EquipmentUuid, DriverInstanceId, UnsLineId, Name, MachineCode, ZTag, SAPID, EquipmentClassRef, Manufacturer, Model, SerialNumber) AS Sig FROM dbo.Equipment WHERE GenerationId = @FromGenerationId),
t AS (SELECT EquipmentId AS LogicalId, CHECKSUM(EquipmentUuid, DriverInstanceId, UnsLineId, Name, MachineCode, ZTag, SAPID, EquipmentClassRef, Manufacturer, Model, SerialNumber) AS Sig FROM dbo.Equipment WHERE GenerationId = @ToGenerationId)
INSERT #diff
SELECT 'Equipment', CONVERT(nvarchar(64), COALESCE(f.LogicalId, t.LogicalId)),
CASE WHEN f.LogicalId IS NULL THEN 'Added'
WHEN t.LogicalId IS NULL THEN 'Removed'
WHEN f.Sig <> t.Sig THEN 'Modified'
ELSE 'Unchanged' END
FROM f FULL OUTER JOIN t ON f.LogicalId = t.LogicalId
WHERE f.LogicalId IS NULL OR t.LogicalId IS NULL OR f.Sig <> t.Sig;
WITH f AS (SELECT TagId AS LogicalId, CHECKSUM(DriverInstanceId, DeviceId, EquipmentId, PollGroupId, FolderPath, Name, DataType, AccessLevel, WriteIdempotent, CONVERT(varchar(max), TagConfig)) AS Sig FROM dbo.Tag WHERE GenerationId = @FromGenerationId),
t AS (SELECT TagId AS LogicalId, CHECKSUM(DriverInstanceId, DeviceId, EquipmentId, PollGroupId, FolderPath, Name, DataType, AccessLevel, WriteIdempotent, CONVERT(varchar(max), TagConfig)) AS Sig FROM dbo.Tag WHERE GenerationId = @ToGenerationId)
INSERT #diff
SELECT 'Tag', CONVERT(nvarchar(64), COALESCE(f.LogicalId, t.LogicalId)),
CASE WHEN f.LogicalId IS NULL THEN 'Added'
WHEN t.LogicalId IS NULL THEN 'Removed'
WHEN f.Sig <> t.Sig THEN 'Modified'
ELSE 'Unchanged' END
FROM f FULL OUTER JOIN t ON f.LogicalId = t.LogicalId
WHERE f.LogicalId IS NULL OR t.LogicalId IS NULL OR f.Sig <> t.Sig;
SELECT TableName, LogicalId, ChangeKind FROM #diff;
DROP TABLE #diff;
END
";
}
}
}
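Review bot: The NodeAcl CTEs detect a change only through `CHECKSUM(ClusterId, PermissionFlags, Notes)`. CHECKSUM is a 32-bit value and can collide, so two different PermissionFlags/Notes combinations can produce the same Sig, and the WHERE clause then drops the row from the diff as unchanged. For the section operators use to see permission changes in a draft, compare PermissionFlags directly between f and t (carry the column through both CTEs) and keep a hash only for Notes, or switch to HASHBYTES. Second point on the same CTEs: `CONVERT(nvarchar(128), LdapGroup + '|' + ...)` still truncates silently when the group DN plus scope id exceeds 128 characters, and truncated ids can collide in the FULL OUTER JOIN; size LogicalId from the source column widths rather than a fixed 128.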

View File

@@ -0,0 +1,129 @@
using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
namespace ZB.MOM.WW.OtOpcUa.Core.Resilience;
/// <summary>
/// Wraps the three mutating surfaces of <see cref="IAlarmSource"/>
/// (<see cref="IAlarmSource.SubscribeAlarmsAsync"/>, <see cref="IAlarmSource.UnsubscribeAlarmsAsync"/>,
/// <see cref="IAlarmSource.AcknowledgeAsync"/>) through <see cref="CapabilityInvoker"/> so the
/// Phase 6.1 resilience pipeline runs — retry semantics match
/// <see cref="DriverCapability.AlarmSubscribe"/> (retries by default) and
/// <see cref="DriverCapability.AlarmAcknowledge"/> (does NOT retry per decision #143).
/// </summary>
/// <remarks>
/// <para>Multi-host dispatch: when the driver implements <see cref="IPerCallHostResolver"/>,
/// each source-node-id is resolved individually + grouped by host so a dead PLC inside a
/// multi-device driver doesn't poison the sibling hosts' breakers. Drivers with a single
/// host fall back to <see cref="IDriver.DriverInstanceId"/> as the single-host key.</para>
///
/// <para>Why this lives here + not on <see cref="CapabilityInvoker"/>: alarm surfaces have a
/// handle-returning shape (SubscribeAlarmsAsync returns <see cref="IAlarmSubscriptionHandle"/>)
/// + a per-call fan-out (AcknowledgeAsync gets a batch of
/// <see cref="AlarmAcknowledgeRequest"/>s that may span multiple hosts). Keeping the fan-out
/// logic here keeps the invoker's execute-overloads narrow.</para>
/// </remarks>
public sealed class AlarmSurfaceInvoker
{
private readonly CapabilityInvoker _invoker;
private readonly IAlarmSource _alarmSource;
private readonly IPerCallHostResolver? _hostResolver;
private readonly string _defaultHost;
public AlarmSurfaceInvoker(
CapabilityInvoker invoker,
IAlarmSource alarmSource,
string defaultHost,
IPerCallHostResolver? hostResolver = null)
{
ArgumentNullException.ThrowIfNull(invoker);
ArgumentNullException.ThrowIfNull(alarmSource);
ArgumentException.ThrowIfNullOrWhiteSpace(defaultHost);
_invoker = invoker;
_alarmSource = alarmSource;
_defaultHost = defaultHost;
_hostResolver = hostResolver;
}
/// <summary>
/// Subscribe to alarm events for a set of source node ids, fanning out by resolved host
/// so per-host breakers / bulkheads apply. Returns one handle per host — callers that
/// don't care about per-host separation may concatenate them.
/// </summary>
public async Task<IReadOnlyList<IAlarmSubscriptionHandle>> SubscribeAsync(
IReadOnlyList<string> sourceNodeIds,
CancellationToken cancellationToken)
{
ArgumentNullException.ThrowIfNull(sourceNodeIds);
if (sourceNodeIds.Count == 0) return [];
var byHost = GroupByHost(sourceNodeIds);
var handles = new List<IAlarmSubscriptionHandle>(byHost.Count);
foreach (var (host, ids) in byHost)
{
var handle = await _invoker.ExecuteAsync(
DriverCapability.AlarmSubscribe,
host,
async ct => await _alarmSource.SubscribeAlarmsAsync(ids, ct).ConfigureAwait(false),
cancellationToken).ConfigureAwait(false);
handles.Add(handle);
}
return handles;
}
/// <summary>Cancel an alarm subscription. Routes through the AlarmSubscribe pipeline for parity.</summary>
public ValueTask UnsubscribeAsync(IAlarmSubscriptionHandle handle, CancellationToken cancellationToken)
{
ArgumentNullException.ThrowIfNull(handle);
return _invoker.ExecuteAsync(
DriverCapability.AlarmSubscribe,
_defaultHost,
async ct => await _alarmSource.UnsubscribeAlarmsAsync(handle, ct).ConfigureAwait(false),
cancellationToken);
}
/// <summary>
/// Acknowledge alarms. Fans out by resolved host; each host's batch runs through the
/// AlarmAcknowledge pipeline (no-retry per decision #143 — an alarm-ack is not idempotent
/// at the plant-floor acknowledgement level even if the OPC UA spec permits re-issue).
/// </summary>
public async Task AcknowledgeAsync(
IReadOnlyList<AlarmAcknowledgeRequest> acknowledgements,
CancellationToken cancellationToken)
{
ArgumentNullException.ThrowIfNull(acknowledgements);
if (acknowledgements.Count == 0) return;
var byHost = _hostResolver is null
? new Dictionary<string, List<AlarmAcknowledgeRequest>> { [_defaultHost] = acknowledgements.ToList() }
: acknowledgements
.GroupBy(a => _hostResolver.ResolveHost(a.SourceNodeId))
.ToDictionary(g => g.Key, g => g.ToList());
foreach (var (host, batch) in byHost)
{
var batchSnapshot = batch; // capture for the lambda
await _invoker.ExecuteAsync(
DriverCapability.AlarmAcknowledge,
host,
async ct => await _alarmSource.AcknowledgeAsync(batchSnapshot, ct).ConfigureAwait(false),
cancellationToken).ConfigureAwait(false);
}
}
private Dictionary<string, List<string>> GroupByHost(IReadOnlyList<string> sourceNodeIds)
{
if (_hostResolver is null)
return new Dictionary<string, List<string>> { [_defaultHost] = sourceNodeIds.ToList() };
var result = new Dictionary<string, List<string>>(StringComparer.Ordinal);
foreach (var id in sourceNodeIds)
{
var host = _hostResolver.ResolveHost(id);
if (!result.TryGetValue(host, out var list))
result[host] = list = new List<string>();
list.Add(id);
}
return result;
}
}
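Review bot: In the fan-out loops of `SubscribeAsync` and `AcknowledgeAsync`, a failure on one host aborts the remaining hosts and leaves no record of what already succeeded. In `SubscribeAsync`, the handles collected from earlier hosts are dropped when a later `ExecuteAsync` throws, so those subscriptions stay open on the driver with nothing left to unsubscribe them. In `AcknowledgeAsync`, which by design does not retry, the caller gets one exception and cannot tell which hosts' batches were acknowledged. Consider unsubscribing the collected handles before rethrowing, and collecting per-host acknowledge failures into an aggregate result or exception. Separately, `UnsubscribeAsync` always passes `_defaultHost`, so for a multi-host driver the unsubscribe runs under a different host key than the one the handle was subscribed under; recording the host alongside each returned handle would fix that.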


@@ -5,6 +5,7 @@ using Microsoft.Extensions.Logging.Abstractions;
using Shouldly; using Shouldly;
using Xunit; using Xunit;
using ZB.MOM.WW.OtOpcUa.Admin.Hubs; using ZB.MOM.WW.OtOpcUa.Admin.Hubs;
using ZB.MOM.WW.OtOpcUa.Admin.Services;
using ZB.MOM.WW.OtOpcUa.Configuration; using ZB.MOM.WW.OtOpcUa.Configuration;
using ZB.MOM.WW.OtOpcUa.Configuration.Entities; using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
using ZB.MOM.WW.OtOpcUa.Configuration.Enums; using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
@@ -97,7 +98,7 @@ END";
var poller = new FleetStatusPoller( var poller = new FleetStatusPoller(
_sp.GetRequiredService<IServiceScopeFactory>(), _sp.GetRequiredService<IServiceScopeFactory>(),
fleetHub, alertHub, NullLogger<FleetStatusPoller>.Instance); fleetHub, alertHub, NullLogger<FleetStatusPoller>.Instance, new RedundancyMetrics());
await poller.PollOnceAsync(CancellationToken.None); await poller.PollOnceAsync(CancellationToken.None);
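Review bot: The `new RedundancyMetrics()` passed as the last constructor argument is never disposed, although `RedundancyMetricsTests` treats the type as disposable (`using var metrics = new RedundancyMetrics();`). An undisposed instance keeps its meter published for the rest of the test run, where a `MeterListener` filtering on `RedundancyMetrics.MeterName` can still see it. Hold it in a `using var` in the test body and pass that in; the same applies to the second call site in the following hunk.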
@@ -142,7 +143,7 @@ END";
var poller = new FleetStatusPoller( var poller = new FleetStatusPoller(
_sp.GetRequiredService<IServiceScopeFactory>(), _sp.GetRequiredService<IServiceScopeFactory>(),
fleetHub, alertHub, NullLogger<FleetStatusPoller>.Instance); fleetHub, alertHub, NullLogger<FleetStatusPoller>.Instance, new RedundancyMetrics());
await poller.PollOnceAsync(CancellationToken.None); await poller.PollOnceAsync(CancellationToken.None);


@@ -0,0 +1,128 @@
using Microsoft.EntityFrameworkCore;
using Shouldly;
using Xunit;
using ZB.MOM.WW.OtOpcUa.Admin.Services;
using ZB.MOM.WW.OtOpcUa.Configuration;
using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
using ZB.MOM.WW.OtOpcUa.Core.Authorization;
namespace ZB.MOM.WW.OtOpcUa.Admin.Tests;
[Trait("Category", "Unit")]
public sealed class PermissionProbeServiceTests
{
[Fact]
public async Task Probe_Grants_When_ClusterLevelRow_CoversRequiredFlag()
{
using var ctx = NewContext();
SeedAcl(ctx, gen: 1, cluster: "c1",
scopeKind: NodeAclScopeKind.Cluster, scopeId: null,
group: "cn=operators", flags: NodePermissions.Browse | NodePermissions.Read);
var svc = new PermissionProbeService(ctx);
var result = await svc.ProbeAsync(
generationId: 1,
ldapGroup: "cn=operators",
scope: new NodeScope { ClusterId = "c1", NamespaceId = "ns-1", Kind = NodeHierarchyKind.Equipment },
required: NodePermissions.Read,
CancellationToken.None);
result.Granted.ShouldBeTrue();
result.Matches.Count.ShouldBe(1);
result.Matches[0].LdapGroup.ShouldBe("cn=operators");
result.Matches[0].Scope.ShouldBe(NodeAclScopeKind.Cluster);
}
[Fact]
public async Task Probe_Denies_When_NoGroupMatches()
{
using var ctx = NewContext();
SeedAcl(ctx, 1, "c1", NodeAclScopeKind.Cluster, null, "cn=operators", NodePermissions.Read);
var svc = new PermissionProbeService(ctx);
var result = await svc.ProbeAsync(1, "cn=random-group",
new NodeScope { ClusterId = "c1", Kind = NodeHierarchyKind.Equipment },
NodePermissions.Read, CancellationToken.None);
result.Granted.ShouldBeFalse();
result.Matches.ShouldBeEmpty();
result.Effective.ShouldBe(NodePermissions.None);
}
[Fact]
public async Task Probe_Denies_When_Effective_Missing_RequiredFlag()
{
using var ctx = NewContext();
SeedAcl(ctx, 1, "c1", NodeAclScopeKind.Cluster, null, "cn=operators", NodePermissions.Browse | NodePermissions.Read);
var svc = new PermissionProbeService(ctx);
var result = await svc.ProbeAsync(1, "cn=operators",
new NodeScope { ClusterId = "c1", Kind = NodeHierarchyKind.Equipment },
required: NodePermissions.WriteOperate,
CancellationToken.None);
result.Granted.ShouldBeFalse();
result.Effective.ShouldBe(NodePermissions.Browse | NodePermissions.Read);
}
[Fact]
public async Task Probe_Ignores_Rows_From_OtherClusters()
{
using var ctx = NewContext();
SeedAcl(ctx, 1, "c1", NodeAclScopeKind.Cluster, null, "cn=operators", NodePermissions.Read);
SeedAcl(ctx, 1, "c2", NodeAclScopeKind.Cluster, null, "cn=operators", NodePermissions.WriteOperate);
var svc = new PermissionProbeService(ctx);
var c1Result = await svc.ProbeAsync(1, "cn=operators",
new NodeScope { ClusterId = "c1", Kind = NodeHierarchyKind.Equipment },
NodePermissions.WriteOperate, CancellationToken.None);
c1Result.Granted.ShouldBeFalse("c2's WriteOperate grant must NOT leak into c1's probe");
}
[Fact]
public async Task Probe_UsesOnlyRows_From_Specified_Generation()
{
using var ctx = NewContext();
SeedAcl(ctx, gen: 1, cluster: "c1", NodeAclScopeKind.Cluster, null, "cn=operators", NodePermissions.Read);
SeedAcl(ctx, gen: 2, cluster: "c1", NodeAclScopeKind.Cluster, null, "cn=operators", NodePermissions.WriteOperate);
var svc = new PermissionProbeService(ctx);
var gen1 = await svc.ProbeAsync(1, "cn=operators",
new NodeScope { ClusterId = "c1", Kind = NodeHierarchyKind.Equipment },
NodePermissions.WriteOperate, CancellationToken.None);
var gen2 = await svc.ProbeAsync(2, "cn=operators",
new NodeScope { ClusterId = "c1", Kind = NodeHierarchyKind.Equipment },
NodePermissions.WriteOperate, CancellationToken.None);
gen1.Granted.ShouldBeFalse();
gen2.Granted.ShouldBeTrue();
}
private static void SeedAcl(
OtOpcUaConfigDbContext ctx, long gen, string cluster,
NodeAclScopeKind scopeKind, string? scopeId, string group, NodePermissions flags)
{
ctx.NodeAcls.Add(new NodeAcl
{
NodeAclRowId = Guid.NewGuid(),
NodeAclId = $"acl-{Guid.NewGuid():N}"[..16],
GenerationId = gen,
ClusterId = cluster,
LdapGroup = group,
ScopeKind = scopeKind,
ScopeId = scopeId,
PermissionFlags = flags,
});
ctx.SaveChanges();
}
private static OtOpcUaConfigDbContext NewContext()
{
var opts = new DbContextOptionsBuilder<OtOpcUaConfigDbContext>()
.UseInMemoryDatabase(Guid.NewGuid().ToString())
.Options;
return new OtOpcUaConfigDbContext(opts);
}
}
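Review bot: Every `SeedAcl` call in this file uses `NodeAclScopeKind.Cluster` with a null `scopeId`, so the probe's scope matching is not tested at all. The cases that matter for an access-control check are missing: a row with a non-null `ScopeId` that does not cover the probed `NodeScope` must not contribute to `Effective`, and a test with two matching rows should pin how their flags combine into `Effective`. Add at least one negative test with a narrower-scoped row (the `NamespaceId = "ns-1"` in the first test is not matched by any seeded row), and assert `Effective` as well as `Granted` in `Probe_Ignores_Rows_From_OtherClusters` so a leaked flag shows up directly.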


@@ -0,0 +1,70 @@
using System.Diagnostics.Metrics;
using Shouldly;
using Xunit;
using ZB.MOM.WW.OtOpcUa.Admin.Services;
namespace ZB.MOM.WW.OtOpcUa.Admin.Tests;
[Trait("Category", "Unit")]
public sealed class RedundancyMetricsTests
{
[Fact]
public void RecordRoleTransition_Increments_Counter_WithExpectedTags()
{
using var metrics = new RedundancyMetrics();
using var listener = new MeterListener();
var observed = new List<(long Value, Dictionary<string, object?> Tags)>();
listener.InstrumentPublished = (instrument, l) =>
{
if (instrument.Meter.Name == RedundancyMetrics.MeterName &&
instrument.Name == "otopcua.redundancy.role_transition")
{
l.EnableMeasurementEvents(instrument);
}
};
listener.SetMeasurementEventCallback<long>((_, value, tags, _) =>
{
var dict = new Dictionary<string, object?>();
foreach (var tag in tags) dict[tag.Key] = tag.Value;
observed.Add((value, dict));
});
listener.Start();
metrics.RecordRoleTransition("c1", "node-a", "Primary", "Secondary");
observed.Count.ShouldBe(1);
observed[0].Value.ShouldBe(1);
observed[0].Tags["cluster.id"].ShouldBe("c1");
observed[0].Tags["node.id"].ShouldBe("node-a");
observed[0].Tags["from_role"].ShouldBe("Primary");
observed[0].Tags["to_role"].ShouldBe("Secondary");
}
[Fact]
public void SetClusterCounts_Observed_Via_ObservableGauges()
{
using var metrics = new RedundancyMetrics();
metrics.SetClusterCounts("c1", primary: 1, secondary: 2, stale: 0);
metrics.SetClusterCounts("c2", primary: 0, secondary: 1, stale: 1);
var observations = new List<(string Name, long Value, string Cluster)>();
using var listener = new MeterListener();
listener.InstrumentPublished = (instrument, l) =>
{
if (instrument.Meter.Name == RedundancyMetrics.MeterName)
l.EnableMeasurementEvents(instrument);
};
listener.SetMeasurementEventCallback<long>((instrument, value, tags, _) =>
{
string? cluster = null;
foreach (var t in tags) if (t.Key == "cluster.id") cluster = t.Value as string;
observations.Add((instrument.Name, value, cluster ?? "?"));
});
listener.Start();
listener.RecordObservableInstruments();
observations.ShouldContain(o => o.Name == "otopcua.redundancy.primary_count" && o.Cluster == "c1" && o.Value == 1);
observations.ShouldContain(o => o.Name == "otopcua.redundancy.secondary_count" && o.Cluster == "c1" && o.Value == 2);
observations.ShouldContain(o => o.Name == "otopcua.redundancy.stale_count" && o.Cluster == "c2" && o.Value == 1);
}
}
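Review bot: Both listeners select instruments by meter name only (`instrument.Meter.Name == RedundancyMetrics.MeterName`), and `MeterListener` is process-wide, so measurements from any other live `RedundancyMetrics` instance in the test process are captured too. That makes `observed.Count.ShouldBe(1)` in the first test depend on test ordering and parallelism, now that the `FleetStatusPoller` tests also construct `RedundancyMetrics`. Use cluster ids unique to each test and filter `observed` on the `cluster.id` tag before asserting the count, or place the test classes that create `RedundancyMetrics` in one non-parallel xUnit collection.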


@@ -0,0 +1,127 @@
using Shouldly;
using Xunit;
using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
using ZB.MOM.WW.OtOpcUa.Core.Resilience;
namespace ZB.MOM.WW.OtOpcUa.Core.Tests.Resilience;
[Trait("Category", "Unit")]
public sealed class AlarmSurfaceInvokerTests
{
private static readonly DriverResilienceOptions TierAOptions = new() { Tier = DriverTier.A };
[Fact]
public async Task SubscribeAsync_EmptyList_ReturnsEmpty_WithoutDriverCall()
{
var driver = new FakeAlarmSource();
var surface = NewSurface(driver, defaultHost: "h");
var handles = await surface.SubscribeAsync([], CancellationToken.None);
handles.Count.ShouldBe(0);
driver.SubscribeCallCount.ShouldBe(0);
}
[Fact]
public async Task SubscribeAsync_SingleHost_RoutesThroughDefaultHost()
{
var driver = new FakeAlarmSource();
var surface = NewSurface(driver, defaultHost: "h1");
var handles = await surface.SubscribeAsync(["src-1", "src-2"], CancellationToken.None);
handles.Count.ShouldBe(1);
driver.SubscribeCallCount.ShouldBe(1);
driver.LastSubscribedIds.ShouldBe(["src-1", "src-2"]);
}
[Fact]
public async Task SubscribeAsync_MultiHost_FansOutByResolvedHost()
{
var driver = new FakeAlarmSource();
var resolver = new StubResolver(new Dictionary<string, string>
{
["src-1"] = "plc-a",
["src-2"] = "plc-b",
["src-3"] = "plc-a",
});
var surface = NewSurface(driver, defaultHost: "default-ignored", resolver: resolver);
var handles = await surface.SubscribeAsync(["src-1", "src-2", "src-3"], CancellationToken.None);
handles.Count.ShouldBe(2); // one per distinct host
driver.SubscribeCallCount.ShouldBe(2); // one driver call per host
}
[Fact]
public async Task AcknowledgeAsync_DoesNotRetry_OnFailure()
{
var driver = new FakeAlarmSource { AcknowledgeShouldThrow = true };
var surface = NewSurface(driver, defaultHost: "h1");
await Should.ThrowAsync<InvalidOperationException>(() =>
surface.AcknowledgeAsync([new AlarmAcknowledgeRequest("s", "c", null)], CancellationToken.None));
driver.AcknowledgeCallCount.ShouldBe(1, "AlarmAcknowledge must not retry — decision #143");
}
[Fact]
public async Task SubscribeAsync_Retries_Transient_Failures()
{
var driver = new FakeAlarmSource { SubscribeFailuresBeforeSuccess = 2 };
var surface = NewSurface(driver, defaultHost: "h1");
await surface.SubscribeAsync(["src"], CancellationToken.None);
driver.SubscribeCallCount.ShouldBe(3, "AlarmSubscribe retries by default — decision #143");
}
private static AlarmSurfaceInvoker NewSurface(
IAlarmSource driver,
string defaultHost,
IPerCallHostResolver? resolver = null)
{
var builder = new DriverResiliencePipelineBuilder();
var invoker = new CapabilityInvoker(builder, "drv-1", () => TierAOptions);
return new AlarmSurfaceInvoker(invoker, driver, defaultHost, resolver);
}
private sealed class FakeAlarmSource : IAlarmSource
{
public int SubscribeCallCount { get; private set; }
public int AcknowledgeCallCount { get; private set; }
public int SubscribeFailuresBeforeSuccess { get; set; }
public bool AcknowledgeShouldThrow { get; set; }
public IReadOnlyList<string> LastSubscribedIds { get; private set; } = [];
public Task<IAlarmSubscriptionHandle> SubscribeAlarmsAsync(
IReadOnlyList<string> sourceNodeIds, CancellationToken cancellationToken)
{
SubscribeCallCount++;
LastSubscribedIds = sourceNodeIds;
if (SubscribeCallCount <= SubscribeFailuresBeforeSuccess)
throw new InvalidOperationException("transient");
return Task.FromResult<IAlarmSubscriptionHandle>(new StubHandle($"h-{SubscribeCallCount}"));
}
public Task UnsubscribeAlarmsAsync(IAlarmSubscriptionHandle handle, CancellationToken cancellationToken)
=> Task.CompletedTask;
public Task AcknowledgeAsync(
IReadOnlyList<AlarmAcknowledgeRequest> acknowledgements, CancellationToken cancellationToken)
{
AcknowledgeCallCount++;
if (AcknowledgeShouldThrow) throw new InvalidOperationException("ack boom");
return Task.CompletedTask;
}
public event EventHandler<AlarmEventArgs>? OnAlarmEvent { add { } remove { } }
}
private sealed record StubHandle(string DiagnosticId) : IAlarmSubscriptionHandle;
private sealed class StubResolver(Dictionary<string, string> map) : IPerCallHostResolver
{
public string ResolveHost(string fullReference) => map[fullReference];
}
}
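Review bot: `SubscribeAsync_MultiHost_FansOutByResolvedHost` asserts only the handle count and `SubscribeCallCount`, so a grouping bug that sent the wrong source ids to a host would still pass. `FakeAlarmSource` keeps only `LastSubscribedIds`; record the id list of every call and assert that one call received `src-1` and `src-3` and the other received `src-2`. The multi-host path of `AcknowledgeAsync` and the whole of `UnsubscribeAsync` have no test here; a two-host acknowledge case where the first host throws would pin down what happens to the second batch.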


@@ -8,30 +8,31 @@ namespace ZB.MOM.WW.OtOpcUa.Driver.AbCip.IntegrationTests;
/// <summary> /// <summary>
/// End-to-end smoke tests that exercise the real libplctag stack against a running /// End-to-end smoke tests that exercise the real libplctag stack against a running
/// <c>ab_server</c>. Skipped when the binary isn't on PATH (<see cref="AbServerFactAttribute"/>). /// <c>ab_server</c>. Skipped when the binary isn't on PATH (<see cref="AbServerFactAttribute"/>).
/// Parametrized over <see cref="KnownProfiles.All"/> so one test file covers every family
/// (ControlLogix / CompactLogix / Micro800 / GuardLogix).
/// </summary> /// </summary>
/// <remarks>
/// Intentionally minimal — per-family + per-capability coverage ships in PRs 912 once the
/// integration harness is CI-ready. This file exists at PR 3 time to prove the wire path
/// works end-to-end on developer boxes that have <c>ab_server</c>.
/// </remarks>
[Trait("Category", "Integration")] [Trait("Category", "Integration")]
[Trait("Requires", "AbServer")] [Trait("Requires", "AbServer")]
public sealed class AbCipReadSmokeTests : IAsyncLifetime public sealed class AbCipReadSmokeTests
{ {
private readonly AbServerFixture _fixture = new(); public static IEnumerable<object[]> Profiles =>
KnownProfiles.All.Select(p => new object[] { p });
public async ValueTask InitializeAsync() => await _fixture.InitializeAsync(); [AbServerTheory]
public async ValueTask DisposeAsync() => await _fixture.DisposeAsync(); [MemberData(nameof(Profiles))]
public async Task Driver_reads_seeded_DInt_from_ab_server(AbServerProfile profile)
[AbServerFact]
public async Task Driver_reads_DInt_from_ab_server()
{ {
var fixture = new AbServerFixture(profile);
await fixture.InitializeAsync();
try
{
var deviceUri = $"ab://127.0.0.1:{fixture.Port}/1,0";
var drv = new AbCipDriver(new AbCipDriverOptions var drv = new AbCipDriver(new AbCipDriverOptions
{ {
Devices = [new AbCipDeviceOptions($"ab://127.0.0.1:{_fixture.Port}/1,0", AbCipPlcFamily.ControlLogix)], Devices = [new AbCipDeviceOptions(deviceUri, profile.Family)],
Tags = [new AbCipTagDefinition("Counter", $"ab://127.0.0.1:{_fixture.Port}/1,0", "TestDINT", AbCipDataType.DInt)], Tags = [new AbCipTagDefinition("Counter", deviceUri, "TestDINT", AbCipDataType.DInt)],
Timeout = TimeSpan.FromSeconds(5), Timeout = TimeSpan.FromSeconds(5),
}, "drv-smoke"); }, $"drv-smoke-{profile.Family}");
await drv.InitializeAsync("{}", CancellationToken.None); await drv.InitializeAsync("{}", CancellationToken.None);
var snapshots = await drv.ReadAsync(["Counter"], CancellationToken.None); var snapshots = await drv.ReadAsync(["Counter"], CancellationToken.None);
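Review bot: The `Profiles` member data hands xUnit `AbServerProfile` instances, which are not serializable theory data, so runners that enumerate theories at discovery time will typically show `Driver_reads_seeded_DInt_from_ab_server` as one test instead of one row per family, and a failing family is harder to spot. Passing the `AbCipPlcFamily` enum value as the theory argument and resolving the profile with `KnownProfiles.ForFamily(family)` inside the test keeps one named row per family.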
@@ -41,4 +42,9 @@ public sealed class AbCipReadSmokeTests : IAsyncLifetime
await drv.ShutdownAsync(CancellationToken.None); await drv.ShutdownAsync(CancellationToken.None);
} }
finally
{
await fixture.DisposeAsync();
}
}
} }
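Review bot: `drv.ShutdownAsync` sits inside the `try` body, so when the read or an assertion above it throws, only the fixture is disposed in the new `finally` and the driver is never shut down. Move the `ShutdownAsync` call into the `finally` block ahead of `fixture.DisposeAsync()` so the driver is shut down before the simulator is stopped.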


@@ -6,28 +6,44 @@ namespace ZB.MOM.WW.OtOpcUa.Driver.AbCip.IntegrationTests;
/// <summary> /// <summary>
/// Shared fixture that starts libplctag's <c>ab_server</c> simulator in the background for /// Shared fixture that starts libplctag's <c>ab_server</c> simulator in the background for
/// the duration of an integration test collection. Binary is expected on PATH; the per-test /// the duration of an integration test collection. The fixture takes an
/// JSON profile is passed via <c>--config</c>. /// <see cref="AbServerProfile"/> (see <see cref="KnownProfiles"/>) so each AB family — ControlLogix,
/// CompactLogix, Micro800, GuardLogix — starts the simulator with the right <c>--plc</c>
/// mode + preseed tag set. Binary is expected on PATH; CI resolves that via a job step
/// that downloads the pinned Windows build from libplctag GitHub Releases before
/// <c>dotnet test</c> — see <c>docs/v2/test-data-sources.md §2.CI</c> for the exact step.
/// </summary> /// </summary>
/// <remarks> /// <remarks>
/// <para><c>ab_server</c> is a C binary shipped in the same repo as libplctag (see /// <para><c>ab_server</c> is a C binary shipped in libplctag's repo (MIT). On developer
/// <c>test-data-sources.md</c> §2 and plan decision #99). On a developer workstation it's /// workstations it's built once from source and placed on PATH; on CI the workflow file
/// built once from source and placed on PATH; in CI we intend to publish a prebuilt Windows /// fetches a version-pinned prebuilt + stages it. Tests skip (via
/// x64 binary as a GitHub release asset in a follow-up PR so the fixture can download + /// <see cref="AbServerFactAttribute"/>) when the binary is not on PATH so a fresh clone
/// extract it at setup time. Until then every test in this project is skipped when /// without the simulator still gets a green unit-test run.</para>
/// <c>ab_server</c> is not locatable.</para>
/// ///
/// <para>Per-family JSON profiles (ControlLogix / CompactLogix / Micro800 / GuardLogix) /// <para>Per-family profiles live in <see cref="KnownProfiles"/>. When a test wants a
/// ship under <c>Profiles/</c> and drive the simulator's tag shape — this is where the /// specific family, instantiate the fixture with that profile — either via a
/// UDT + Program-scope coverage gap will be filled by the hand-rolled stub in PR 6.</para> /// <see cref="IClassFixture{TFixture}"/> derived type or by constructing directly in a
/// parametric test (the latter is used below for the smoke suite).</para>
/// </remarks> /// </remarks>
public sealed class AbServerFixture : IAsyncLifetime public sealed class AbServerFixture : IAsyncLifetime
{ {
private Process? _proc; private Process? _proc;
public int Port { get; } = 44818;
/// <summary>The profile the simulator was started with. Same instance the driver-side options should use.</summary>
public AbServerProfile Profile { get; }
public int Port { get; }
public bool IsAvailable { get; private set; } public bool IsAvailable { get; private set; }
public AbServerFixture() : this(KnownProfiles.ControlLogix, AbServerProfile.DefaultPort) { }
public AbServerFixture(AbServerProfile profile) : this(profile, AbServerProfile.DefaultPort) { }
public AbServerFixture(AbServerProfile profile, int port)
{
Profile = profile ?? throw new ArgumentNullException(nameof(profile));
Port = port;
}
public ValueTask InitializeAsync() => InitializeAsync(default); public ValueTask InitializeAsync() => InitializeAsync(default);
public ValueTask DisposeAsync() => DisposeAsync(default); public ValueTask DisposeAsync() => DisposeAsync(default);
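Review bot: The new summary says CI downloads a version-pinned `ab_server` build from libplctag GitHub Releases and stages it on PATH, but a version pin alone does not fix the bytes that get executed. Since the fixture launches whatever `LocateBinary()` finds, the CI step referenced in `docs/v2/test-data-sources.md §2.CI` should also verify a recorded SHA-256 of the downloaded archive, and this comment should say so. Also, the new `AbServerFixture(AbServerProfile profile, int port)` constructor null-checks `profile` but accepts any `port`; a range check there would fail earlier than a simulator that cannot bind.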
@@ -45,7 +61,7 @@ public sealed class AbServerFixture : IAsyncLifetime
StartInfo = new ProcessStartInfo StartInfo = new ProcessStartInfo
{ {
FileName = binary, FileName = binary,
Arguments = $"--port {Port} --plc controllogix", Arguments = Profile.BuildCliArgs(Port),
RedirectStandardOutput = true, RedirectStandardOutput = true,
RedirectStandardError = true, RedirectStandardError = true,
UseShellExecute = false, UseShellExecute = false,
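Review bot: `Arguments = Profile.BuildCliArgs(Port)` passes one space-joined string, so a seed tag name or `AbServerPlcArg` containing a space or quote would be split or reinterpreted into extra `ab_server` arguments. With `UseShellExecute = false` already set, filling `ProcessStartInfo.ArgumentList` from a list of arguments avoids the quoting problem; `BuildCliArgs` could return the list, and the joined string could remain for logging.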
@@ -75,7 +91,7 @@ public sealed class AbServerFixture : IAsyncLifetime
/// <summary> /// <summary>
/// Locate <c>ab_server</c> on PATH. Returns <c>null</c> when missing — tests that /// Locate <c>ab_server</c> on PATH. Returns <c>null</c> when missing — tests that
/// depend on it should use <see cref="AbServerFact"/> so CI runs without the binary /// depend on it should use <see cref="AbServerFactAttribute"/> so CI runs without the binary
/// simply skip rather than fail. /// simply skip rather than fail.
/// </summary> /// </summary>
public static string? LocateBinary() public static string? LocateBinary()
@@ -107,3 +123,17 @@ public sealed class AbServerFactAttribute : FactAttribute
Skip = "ab_server not on PATH; install libplctag test binaries to run."; Skip = "ab_server not on PATH; install libplctag test binaries to run.";
} }
} }
/// <summary>
/// <c>[Theory]</c>-equivalent that skips when <c>ab_server</c> is not on PATH. Pair with
/// <c>[MemberData(nameof(KnownProfiles.All))]</c>-style providers to run one theory row per
/// profile so a single test covers all four families.
/// </summary>
public sealed class AbServerTheoryAttribute : TheoryAttribute
{
public AbServerTheoryAttribute()
{
if (AbServerFixture.LocateBinary() is null)
Skip = "ab_server not on PATH; install libplctag test binaries to run.";
}
}
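Review bot: `AbServerTheoryAttribute` repeats the `LocateBinary()` check and the skip message from `AbServerFactAttribute` verbatim. Move the message to a shared constant (or a shared helper that returns the skip reason) so the two attributes cannot drift. The summary's `[MemberData(nameof(KnownProfiles.All))]` example also does not match the smoke test, which wraps the list in its own `Profiles` member returning `object[]` rows; point the comment at that pattern.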


@@ -0,0 +1,134 @@
using ZB.MOM.WW.OtOpcUa.Driver.AbCip;
namespace ZB.MOM.WW.OtOpcUa.Driver.AbCip.IntegrationTests;
/// <summary>
/// Per-family provisioning profile for the <c>ab_server</c> simulator. Instead of hard-coding
/// one fixture shape + one set of CLI args, each integration test picks a profile matching the
/// family it wants to exercise — ControlLogix / CompactLogix / Micro800 / GuardLogix. The
/// profile composes the CLI arg list passed to <c>ab_server</c> + the tag-definition set the
/// driver uses to address the simulator's pre-provisioned tags.
/// </summary>
/// <param name="Family">OtOpcUa driver family this profile targets. Drives
/// <see cref="AbCipDeviceOptions.PlcFamily"/> + driver-side connection-parameter profile
/// (ConnectionSize, unconnected-only, etc.) per decision #9.</param>
/// <param name="AbServerPlcArg">The value passed to <c>ab_server --plc &lt;arg&gt;</c>. Some families
/// map 1:1 (ControlLogix → "controllogix"); Micro800/GuardLogix fall back to the family whose
/// CIP behavior ab_server emulates most faithfully (see per-profile Notes).</param>
/// <param name="SeedTags">Tags to preseed on the simulator via <c>--tag &lt;name&gt;:&lt;type&gt;[:&lt;size&gt;]</c>
/// flags. Each entry becomes one CLI arg; the driver-side <see cref="AbCipTagDefinition"/>
/// list references the same names so tests can read/write without walking the @tags surface
/// first.</param>
/// <param name="Notes">Operator-facing description of what the profile covers + any quirks.</param>
public sealed record AbServerProfile(
AbCipPlcFamily Family,
string AbServerPlcArg,
IReadOnlyList<AbServerSeedTag> SeedTags,
string Notes)
{
/// <summary>Default port — every profile uses the same so parallel-runs-of-different-families
/// would conflict (deliberately — one simulator per test collection is the model).</summary>
public const int DefaultPort = 44818;
/// <summary>Compose the full <c>ab_server</c> CLI arg string for
/// <see cref="System.Diagnostics.ProcessStartInfo.Arguments"/>.</summary>
public string BuildCliArgs(int port)
{
var parts = new List<string>
{
"--port", port.ToString(),
"--plc", AbServerPlcArg,
};
foreach (var tag in SeedTags)
{
parts.Add("--tag");
parts.Add(tag.ToCliSpec());
}
return string.Join(' ', parts);
}
}
/// <summary>One tag the simulator pre-creates. ab_server spec format:
/// <c>&lt;name&gt;:&lt;type&gt;[:&lt;array_size&gt;]</c>.</summary>
public sealed record AbServerSeedTag(string Name, string AbServerType, int? ArraySize = null)
{
public string ToCliSpec() => ArraySize is { } n ? $"{Name}:{AbServerType}:{n}" : $"{Name}:{AbServerType}";
}
/// <summary>Canonical profiles covering every AB CIP family shipped in PRs 912.</summary>
public static class KnownProfiles
{
/// <summary>
/// ControlLogix — the widest-coverage family: full CIP capabilities, generous connection
/// size, @tags controller-walk supported. Tag shape covers atomic types + a Program-scoped
/// tag so the Symbol-Object decoder's scope-split path is exercised.
/// </summary>
public static readonly AbServerProfile ControlLogix = new(
Family: AbCipPlcFamily.ControlLogix,
AbServerPlcArg: "controllogix",
SeedTags: new AbServerSeedTag[]
{
new("TestDINT", "DINT"),
new("TestREAL", "REAL"),
new("TestBOOL", "BOOL"),
new("TestSINT", "SINT"),
new("TestString","STRING"),
new("TestArray", "DINT", ArraySize: 16),
},
Notes: "Widest-coverage profile — PR 9 baseline. UDTs live in PR 6-shipped Template Object tests; ab_server lacks full UDT emulation.");
/// <summary>
/// CompactLogix — narrower ConnectionSize quirk exercised here. ab_server doesn't
/// enforce the narrower limit itself; the driver-side profile caps it + this simulator
/// honors whatever the client asks for. Tag set is a subset of ControlLogix.
/// </summary>
public static readonly AbServerProfile CompactLogix = new(
Family: AbCipPlcFamily.CompactLogix,
AbServerPlcArg: "compactlogix",
SeedTags: new AbServerSeedTag[]
{
new("TestDINT", "DINT"),
new("TestREAL", "REAL"),
new("TestBOOL", "BOOL"),
},
Notes: "Narrower ConnectionSize than ControlLogix — driver-side profile caps it per PR 10. Tag set mirrors the CompactLogix atomic subset.");
/// <summary>
/// Micro800 — unconnected-only family. ab_server has no explicit micro800 plc mode so
/// we fall back to the nearest CIP-compatible emulation (controllogix) + document the
/// discrepancy. Driver-side path enforcement (empty routing path, unconnected-only
/// sessions) is exercised in the unit suite; this integration profile smoke-tests that
/// reads work end-to-end against the unconnected path.
/// </summary>
public static readonly AbServerProfile Micro800 = new(
Family: AbCipPlcFamily.Micro800,
AbServerPlcArg: "controllogix", // ab_server lacks dedicated micro800 mode — see Notes
SeedTags: new AbServerSeedTag[]
{
new("TestDINT", "DINT"),
new("TestREAL", "REAL"),
},
Notes: "ab_server has no --plc micro800 — falls back to controllogix emulation. Driver side still enforces empty path + unconnected-only per PR 11. Real Micro800 coverage requires a 2080 on a lab rig.");
/// <summary>
/// GuardLogix — safety-capable ControlLogix variant with ViewOnly safety tags. ab_server
/// doesn't emulate the safety subsystem; we preseed a safety-suffixed name (<c>_S</c>) so
/// the driver's read-only classification path is exercised against a real tag.
/// </summary>
public static readonly AbServerProfile GuardLogix = new(
Family: AbCipPlcFamily.GuardLogix,
AbServerPlcArg: "controllogix",
SeedTags: new AbServerSeedTag[]
{
new("TestDINT", "DINT"),
new("SafetyDINT_S", "DINT"), // _S-suffixed → driver classifies as safety-ViewOnly per PR 12
},
Notes: "ab_server has no safety subsystem — this profile emulates the tag-naming contract. Real safety-lock behavior requires a physical GuardLogix 1756-L8xS rig.");
public static IReadOnlyList<AbServerProfile> All { get; } =
new[] { ControlLogix, CompactLogix, Micro800, GuardLogix };
public static AbServerProfile ForFamily(AbCipPlcFamily family) =>
All.FirstOrDefault(p => p.Family == family)
?? throw new ArgumentOutOfRangeException(nameof(family), family, "No integration profile for this family.");
}
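Review bot: The `KnownProfiles.ControlLogix` summary says the tag shape includes a Program-scoped tag to exercise the Symbol-Object decoder's scope-split path, but the `SeedTags` array holds only six plain tag names (`TestDINT` through `TestArray`), none of them Program-scoped. Either seed the Program-scoped tag or drop the claim from the comment, because the documented coverage does not exist as written. In `BuildCliArgs`, `port.ToString()` should pass `CultureInfo.InvariantCulture`, since the result is a command-line argument.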


@@ -0,0 +1,90 @@
using Shouldly;
using Xunit;
using ZB.MOM.WW.OtOpcUa.Driver.AbCip;
namespace ZB.MOM.WW.OtOpcUa.Driver.AbCip.IntegrationTests;
/// <summary>
/// Pure-unit tests for the profile → CLI arg composition. Runs without <c>ab_server</c>
/// on PATH so CI without the binary still exercises these contracts + catches any
/// profile-definition drift (e.g. a typo in <c>--plc</c> mapping would silently make the
/// simulator boot with the wrong family).
/// </summary>
[Trait("Category", "Unit")]
public sealed class AbServerProfileTests
{
[Fact]
public void BuildCliArgs_Emits_Port_And_Plc_And_TagFlags()
{
var profile = new AbServerProfile(
Family: AbCipPlcFamily.ControlLogix,
AbServerPlcArg: "controllogix",
SeedTags: new AbServerSeedTag[]
{
new("A", "DINT"),
new("B", "REAL"),
},
Notes: "test");
profile.BuildCliArgs(44818).ShouldBe("--port 44818 --plc controllogix --tag A:DINT --tag B:REAL");
}
[Fact]
public void BuildCliArgs_NoSeedTags_Emits_Just_Port_And_Plc()
{
var profile = new AbServerProfile(
AbCipPlcFamily.ControlLogix, "controllogix", [], "empty");
profile.BuildCliArgs(5000).ShouldBe("--port 5000 --plc controllogix");
}
[Fact]
public void AbServerSeedTag_ArraySize_FormatsAsThirdSegment()
{
new AbServerSeedTag("TestArray", "DINT", ArraySize: 16)
.ToCliSpec().ShouldBe("TestArray:DINT:16");
}
[Fact]
public void AbServerSeedTag_NoArraySize_TwoSegments()
{
new AbServerSeedTag("TestScalar", "REAL")
.ToCliSpec().ShouldBe("TestScalar:REAL");
}
[Theory]
[InlineData(AbCipPlcFamily.ControlLogix, "controllogix")]
[InlineData(AbCipPlcFamily.CompactLogix, "compactlogix")]
[InlineData(AbCipPlcFamily.Micro800, "controllogix")] // falls back — ab_server lacks dedicated mode
[InlineData(AbCipPlcFamily.GuardLogix, "controllogix")] // falls back — ab_server lacks safety subsystem
public void KnownProfiles_ForFamily_Returns_Expected_AbServerPlcArg(AbCipPlcFamily family, string expected)
{
KnownProfiles.ForFamily(family).AbServerPlcArg.ShouldBe(expected);
}
[Fact]
public void KnownProfiles_All_Covers_Every_Family()
{
var covered = KnownProfiles.All.Select(p => p.Family).ToHashSet();
foreach (var family in Enum.GetValues<AbCipPlcFamily>())
covered.ShouldContain(family, $"Family {family} is missing a KnownProfiles entry.");
}
[Fact]
public void KnownProfiles_ControlLogix_Includes_AllAtomicTypes()
{
var tags = KnownProfiles.ControlLogix.SeedTags.Select(t => t.AbServerType).ToHashSet();
tags.ShouldContain("DINT");
tags.ShouldContain("REAL");
tags.ShouldContain("BOOL");
tags.ShouldContain("SINT");
tags.ShouldContain("STRING");
}
[Fact]
public void KnownProfiles_GuardLogix_SeedsSafetySuffixedTag()
{
KnownProfiles.GuardLogix.SeedTags
.ShouldContain(t => t.Name.EndsWith("_S"), "GuardLogix profile must seed at least one _S-suffixed tag for safety-classification coverage.");
}
}
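Review bot: The smoke theory reads `TestDINT` for every profile, but nothing here asserts that each entry in `KnownProfiles.All` seeds it; removing it from one profile would only fail on machines that have `ab_server`. Add a test that every profile's `SeedTags` contains `TestDINT` with type `DINT`. In `KnownProfiles_GuardLogix_SeedsSafetySuffixedTag`, use `t.Name.EndsWith("_S", StringComparison.Ordinal)` so the suffix check is not culture-sensitive.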