# Non-architectural follow-ups batch — Design **Date:** 2026-06-19 **Status:** Approved (planning) — for later subagent-driven execution **Base:** master `f57aa8fa` This batches every **non-architectural** open follow-up (the A/B/C survey) into one design + plan so it can be executed task-by-task later. Items are grouped by how actionable they are: - **A — actionable code now** (buildable, no infra/contract change). Do these. - **B — design-deferred** (decided not-worth-it, or out-of-scope by a prior mechanism choice). Included per request; two carry a *reconsider* flag (we previously rejected them). - **C — operational / live-verify** (code already shipped; needs a rig/fixtures/devices up). Captured as verify tasks, not code; the device-gated ones are blocked on hardware. **Excluded (architectural / infra-gated, by request):** H2 HistoryUpdate service, H5b durable `IHistoryWriter`, per-Akka-member `/hosts` nesting (needs a Commons field on `DriverHealthChanged`), driver `IHistoryProvider`→server HistoryRead bridge, modified-value history, array writes / S7 wide-type arrays, the Wonderware SDK-semantic permanent boundary, full-stack WebSocket+JWT DriverStatusHub test. **Standing guardrails (all tasks):** no EF migration, no Commons/proto/wire change, no bUnit; stage by explicit path; never stage `sql_login.txt`/`Host/pki/`/`docker-dev/docker-compose.yml`/ `pending.md`/`current.md`/`stillpending.md`; no `--no-verify`/force-push; `dangerouslyDisableSandbox` for build/test/rig. Each code task = its own commit; finish a batch = merge to master + push. --- ## A — Actionable code ### A1. OpcUaClient history session-capture-before-gate race *(strongest — real latent bug)* `OpcUaClientDriver.cs` captures `var session = RequireSession()` **before** acquiring `_gate` at lines **1134, 1299, 1413, 1618 (`ExecuteHistoryReadAsync`, the funnel for ReadRaw/Processed/AtTime), and 1788** — whereas the read/write paths deliberately re-resolve *inside* the gate (`_ = RequireSession()` guard at 624/714/829, then re-read after `await _gate.WaitAsync`; see the `:622-628` comment "a reconnect can swap Session while we wait on _gate"). So a reconnect that swaps the session while a caller waits on `_gate` leaves these methods using a **stale session**. **Approach:** for every `var session = RequireSession()` that precedes `await _gate.WaitAsync`, move the authoritative read to *inside* the gate (keep an outside `_ = RequireSession()` fast-fail guard), matching the existing read/write idiom. Add a regression test that swaps the session across the gate wait and asserts the post-gate call uses the new session. Driver-internal; no contract change. **Classification:** standard. ### A2. Client.CLI `enable` / `disable` command (H4 client-driven path) Phase 3 shipped the node-manager `OnEnableDisable` → engine Enable/DisableAsync, but there's no client verb to invoke the OPC UA ConditionType Enable/Disable methods, so H4 was never live-driven. **Approach:** mirror the existing `ack`/`shelve`/`confirm` command + service-method pattern — add `EnableAsync`/`DisableAsync` to the client-side `IOpcUaClientService` (calls the OPC UA Enable/Disable condition methods; **client app interface, NOT a Commons/wire change**) + the CLI `enable`/`disable` commands. Unit-test the VM/service call; live-drive against the rig's scripted condition. **Classification:** standard. (Unblocks the deferred H4 live `/run`.) ### A3. Cert-audit minor review nits *(from this session's final integration review)* Two cleanups in the just-shipped cert-audit code: (a) `Certificates.razor` `ConfirmAction` has two **unreachable** fallthrough arms (`"cannot delete from {Kind}"`, `"unknown action"`) that build a `CertActionResult.Fail` *inside* the razor, bypassing `CertificateStoreManager` → those (unreachable) failures aren't audited. Either route them through the manager or add an explicit "unreachable defensive guard" comment. (b) `OpcUa:PkiStoreRoot` is read in BOTH `Certificates.razor:130` and the `CertificateStoreManager` ctor — centralize on the manager (expose a `PkiRoot` property the razor reads). **Classification:** trivial (combined into one task; same two files). --- ## B — Design-deferred (included per request) ### B1. Write-outcome residuals Extend the shipped compare-and-revert write path (write-outcome self-correction, master `1d797c1c`): on a failed inbound device write, additionally (i) emit a **Bad-quality blip** on the node, (ii) raise an OPC UA **`AuditWriteUpdateEvent`**, and (iii) add **synchronous structural fail-fast** for writes that can be rejected before dispatch. These were out-of-scope by the chosen revert-only mechanism. **Approach:** locate the revert continuation (node-manager `OnWriteValue`/the `IOpcUaNodeWriteGateway` outcome handler), add the three behaviours behind the existing failure branch. Galaxy can't surface a write failure (fire-and-forget gateway), so this only exercises on protocol drivers. **Classification:** standard. *(Each of i/ii/iii could split if it balloons.)* ### B2. AdminUI — Galaxy re-pick preserves prior alarm-field edits On the equipment Tag modal, re-picking a Galaxy address currently resets manually-edited alarm fields. **Approach:** in the Galaxy-address-picked handler, merge the picked defaults *without* clobbering already-edited `alarm` fields (same preserve-unknown idiom used elsewhere). No bUnit; live-verify on docker-dev. **Classification:** small. ### B3. AdminUI — inline-create-script dropdown label drift After "New script" inline-creates + binds a script from the VirtualTagModal, the script dropdown label can drift from the selection. **Approach:** refresh the bound-script label from the created `SC-…` id after creation. **Classification:** trivial/small. ### B4. F10b surgical DataType / IsArray in-place writes *(RECONSIDER — previously rejected)* Previously **decided against**: dirty (brief value-type mismatch on the live node, no ModelChangeEvents) for rare edits → kept full rebuild. Included here only so the decision is a task, not a silent gap. To actually build: extend `ISurgicalAddressSpaceSink.UpdateTagAttributes` to also swap DataType/ValueRank in place + emit ModelChangeEvents, and widen `TagDeltaIsSurgicalEligible`. **Recommendation:** keep deferred unless a concrete need appears. **Classification:** standard. ### B5. Alarm-severity `SetSeverity` surgical update *(RECONSIDER — previously rejected)* Previously **decided against**: operationally invisible — the live alarm engine (`ScriptedAlarmHostActor`→`AlarmStateUpdate`) overwrites the authored severity on first eval, so an in-place node severity change is shadowed immediately. Included for completeness. **Recommendation:** keep deferred. **Classification:** small. --- ## C — Operational / live-verify (not code; needs a rig) ### C1. Modbus-Int64 full live authoring Code shipped (Phase 4 T1, `bd8fee61`); never live-authored because docker-dev has no seeded Modbus driver. **Verify steps:** seed a Modbus driver on docker-dev pointed at sim `10.100.0.35:5020`, author an Int64 equipment tag, deploy, confirm the OPC UA node advertises `DataTypeIds.Int64` and reads. **No code** (unless seeding surfaces a gap). **Classification:** verify-only. ### C2. S7 + AbCip Test-Connect probe happy-path live-verify Probes shipped (Phase 5); green-path skipped because the fixtures aren't on this Mac. **Verify steps:** bring up `lmxopcua-fix up s7 s7_1500` / `up abcip controllogix` from the Windows VM, run the skip-gated probe E2E green path. **Classification:** verify-only (needs the Windows-VM fixtures). ### C3. Device-gated proofs *(BLOCKED on hardware — capture only)* H6 native-ack→AVEVA round-trip, Galaxy Phase C historian T7 live HistoryRead, Phase B native-alarm T9, and AbLegacy/TwinCAT/FOCAS probe happy-paths all need real devices (Wonderware sidecar+AVEVA on `10.100.0.48`, a Galaxy native alarm, PLC5/SLC sim, ADS target, CNC+FWLIB). Recorded so they're not lost; **not executable** without the hardware. **Classification:** blocked. --- ## Execution shape Independent code tasks (A1/A2/A3, B1/B2/B3) touch disjoint projects → dispatchable concurrently in a subagent-driven run, each its own commit, per-task review by classification, final integration review, merge+push. B4/B5 are *reconsider* gates (don't build without a fresh go-ahead). C1/C2 are operator/rig verify; C3 is blocked. See `2026-06-19-followups-batch.md` for the executable task list.