Pick a Galaxy attribute that actually exercises the full driver stack:
TestMachine_001.TestHistoryValue. Verified against the live dev-box ZB:
it's Int32, writable (security_classification = Operate), and historized
(HistoryExtension primitive). The query lives in
`gr/queries/attributes_extended.sql` — swap to any other writable
historized attribute via the same shape
(`WHERE is_historized = 1 AND security_classification > 0`).
Seed changes:
- Tag row: FullName = TestMachine_001.TestHistoryValue (Int32 / ReadWrite)
- VirtualTag renamed: `Doubled` → `MachineStatus` (Boolean), script returns
`Source > 0`. Historized, so the write/subscribe exercise doubles as a
historian-sink check once the alarm/write stages are enabled.
- Scripted alarm predicate reads the same Source and fires on `> 50`.
- Added ClusterNodeCredential(sa → p7-smoke-node) row so
sp_GetCurrentGenerationForCluster's caller-binding check passes. Without
this the server bootstrap fails with
`Unauthorized: caller sa is not bound to NodeId p7-smoke-node`.
E2E script:
- Path-based NodeId defaults updated to match the new MachineStatus
virtual tag.
- Added optional `-Username / -Password` parameters. Anonymous sessions
still get denied against Operate-classified attributes (PR 26 /
docs/Security.md); supplying `-Username writeop -Password writeop123`
against the dev-box GLAuth exercises the reverse-bridge stage.
- Wired those credentials into every Invoke-Cli / Start-Process CLI
invocation the script drives.
Anonymous smoke remains 3/7 pass (probe + source read + reverse-bridge
marked acl-expected INFO). A fuller run with
`-Username writeop -Password writeop123` requires also enabling LDAP +
a SecurityProfile that carries a UserName UserTokenPolicy — separate
config step tracked alongside #124 (3-user authz matrix).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
ec1a5905bf