# Phase 7 Exit Gate — Scripting, Virtual Tags, Scripted Alarms, Historian Sink > **Status**: Open. Closed when every compliance check passes + every deferred item either ships or is filed as a post-v2-release follow-up. > > **Compliance script**: `scripts/compliance/phase-7-compliance.ps1` > **Plan doc**: `docs/v2/implementation/phase-7-scripting-and-alarming.md` ## What shipped | Stream | PR | Summary | |--------|-----|---------| | A | #177–#179 | `Core.Scripting` — Roslyn sandbox + `DependencyExtractor` + `ForbiddenTypeAnalyzer` + per-script Serilog sink + 63 tests | | B | #180 | `Core.VirtualTags` — dep graph (iterative Tarjan) + engine + timer scheduler + `VirtualTagSource` + 36 tests | | C | #181 | `Core.ScriptedAlarms` — Part 9 state machine + predicate engine + message template + `ScriptedAlarmSource` + 47 tests | | D | #182 | `Core.AlarmHistorian` — SQLite store-and-forward + backoff ladder + dead-letter retention + Galaxy.Host IPC contracts + 14 tests | | E | #183 | Config DB schema — `Script` / `VirtualTag` / `ScriptedAlarm` / `ScriptedAlarmState` entities + migration + 12 tests | | F | #185 | Admin UI — `ScriptService` / `VirtualTagService` / `ScriptedAlarmService` / `ScriptTestHarnessService` / `HistorianDiagnosticsService` + Monaco editor + `/alarms/historian` page + 13 tests | | G | #184 | Walker emits Virtual + ScriptedAlarm variables with `NodeSourceKind` discriminator + 5 tests | | G follow-up | #186 | `DriverNodeManager` dispatch routes by `NodeSourceKind` + writes rejected for non-Driver sources + 7 tests | **Phase 7 totals**: ~197 new tests across 7 projects. Plan decisions #1–#22 all realised in code. ## Compliance Checks (run at exit gate) Covered by `scripts/compliance/phase-7-compliance.ps1`: - [x] Roslyn sandbox anchored on `ScriptContext` assembly with `ForbiddenTypeAnalyzer` defense-in-depth (plan #6) - [x] `DependencyExtractor` rejects non-literal tag paths with source spans (plan #7) - [x] Per-script rolling Serilog sink + companion-forwarding Error+ to main log (plan #12) - [x] VirtualTag dep graph uses iterative SCC — no stack overflow on 10 000-deep chains - [x] `VirtualTagSource` implements `IReadable` + `ISubscribable` per ADR-002 - [x] Part 9 state machine covers every transition (Apply/Ack/Confirm/Shelve/Unshelve/Enable/Disable/Comment/ShelvingCheck) - [x] `AlarmPredicateContext` rejects `SetVirtualTag` at runtime (predicates must be pure) - [x] `MessageTemplate` substitutes `{TagPath}` tokens at event emission (plan #13); missing/bad → `{?}` - [x] SQLite sink backoff ladder 1s → 2s → 5s → 15s → 60s cap (plan #16) - [x] Default 1M-row capacity + 30-day dead-letter retention (plan #21) - [x] Per-event outcomes Ack/RetryPlease/PermanentFail on the wire - [x] Galaxy.Host IPC contracts (`HistorianAlarmEventRequest` / `Response` / `ConnectivityStatusNotification`) - [x] Config DB check constraints: trigger-required, timer-min, severity-range, alarm-type-enum, JSON comments - [x] `ScriptedAlarmState` keyed on `ScriptedAlarmId` (not generation-scoped) per plan #14 - [x] Admin services: SourceHash preserves compile-cache hit on rename; Update recomputes on source change - [x] `ScriptTestHarnessService` enforces declared-inputs-only contract (plan #22) - [x] Monaco editor via CDN + textarea fallback (plan #18) - [x] `/alarms/historian` page with Retry-dead-lettered operator action - [x] Walker emits `NodeSourceKind.Virtual` + `NodeSourceKind.ScriptedAlarm` variables - [x] `DriverNodeManager` dispatch routes Reads by source; Writes to non-Driver rejected with `BadUserAccessDenied` (plan #6) ## Deferred to Post-Gate Follow-ups Kept out of the capstone so the gate can close cleanly while the less-critical wiring lands in targeted PRs: - [ ] **SealedBootstrap composition root** (task #239) — instantiate `VirtualTagEngine` + `ScriptedAlarmEngine` + `SqliteStoreAndForwardSink` in `Program.cs`; pass `VirtualTagSource` + `ScriptedAlarmSource` as the new `IReadable` parameters on `DriverNodeManager`. Without this, the engines are dormant in production even though every piece is tested. - [ ] **Live OPC UA end-to-end smoke** (task #240) — Client.CLI browse + read a virtual tag computed by Roslyn; Client.CLI acknowledge a scripted alarm via the Part 9 method node; historian-disabled deployment returns `BadNotFound` for virtual nodes rather than silent failure. - [ ] **sp_ComputeGenerationDiff extension** (task #241) — emit Script / VirtualTag / ScriptedAlarm sections alongside the existing Namespace/DriverInstance/Equipment/Tag/NodeAcl rows so the Admin DiffViewer shows Phase 7 changes between generations. ## Completion Checklist - [x] Stream A shipped + merged - [x] Stream B shipped + merged - [x] Stream C shipped + merged - [x] Stream D shipped + merged - [x] Stream E shipped + merged - [x] Stream F shipped + merged - [x] Stream G shipped + merged - [x] Stream G follow-up (dispatch) shipped + merged - [x] `phase-7-compliance.ps1` present and passes - [x] Full solution `dotnet test` passes (no new failures beyond pre-existing tolerated CLI flake) - [x] Exit-gate doc checked in - [ ] `SealedBootstrap` composition follow-up filed + tracked - [ ] Live end-to-end smoke follow-up filed + tracked - [ ] `sp_ComputeGenerationDiff` extension follow-up filed + tracked ## How to run ```powershell pwsh ./scripts/compliance/phase-7-compliance.ps1 ``` Exit code 0 = all pass; non-zero = failures listed in the preceding `[FAIL]` lines.