lmxopcua/docs/v2/v2-release-readiness.md

v2 Release Readiness

Last updated: 2026-04-19 (all three release blockers CLOSED — Phase 6.3 Streams A/C core shipped) Status: RELEASE-READY (code-path) for v2 GA — all three code-path release blockers are closed. Remaining work is manual (client interop matrix, deployment checklist signoff, OPC UA CTT pass) + hardening follow-ups; see exit-criteria checklist below.

This doc is the single view of where v2 stands against its release criteria. Update it whenever a deferred follow-up closes or a new release blocker is discovered.

Release-readiness dashboard

Phase	Shipped	Status
Phase 0 — Rename + entry gate	✓	Shipped
Phase 1 — Configuration + Admin scaffold	✓	Shipped (some UI items deferred to 6.4)
Phase 2 — Galaxy driver split (Proxy/Host/Shared)	✓	Shipped
Phase 3 — OPC UA server + LDAP + security profiles	✓	Shipped
Phase 4 — Redundancy scaffold (entities + endpoints)	✓	Shipped (runtime closes in 6.3)
Phase 5 — Drivers	⚠ partial	Galaxy / Modbus / S7 / OpcUaClient shipped; AB CIP / AB Legacy / TwinCAT / FOCAS deferred (task #120)
Phase 6.1 — Resilience & Observability	✓	SHIPPED (PRs #78–83)
Phase 6.2 — Authorization runtime	◐ core	SHIPPED (core) (PRs #84–88); dispatch wiring + Admin UI deferred
Phase 6.3 — Redundancy runtime	◐ core	SHIPPED (core) (PRs #89–90); coordinator + UA-node wiring + Admin UI + interop deferred
Phase 6.4 — Admin UI completion	◐ data layer	SHIPPED (data layer) (PRs #91–92); Blazor UI + OPC 40010 address-space wiring deferred

Aggregate test counts: 906 baseline (pre-Phase-6) → 1159 passing across Phase 6. One pre-existing Client.CLI SubscribeCommandTests.Execute_PrintsSubscriptionMessage flake tracked separately.

Release blockers (must close before v2 GA)

Ordered by severity + impact on production fitness.

Security — Phase 6.2 dispatch wiring (task #143 — CLOSED 2026-04-19, PR #94)

Closed. AuthorizationGate + NodeScopeResolver now thread through OpcUaApplicationHost → OtOpcUaServer → DriverNodeManager. OnReadValue + OnWriteValue + all four HistoryRead paths call gate.IsAllowed(identity, operation, scope) before the invoker. Production deployments activate enforcement by constructing OpcUaApplicationHost with an AuthorizationGate(StrictMode: true) + populating the NodeAcl table.

Additional Stream C surfaces (not release-blocking, hardening only):

• Browse + TranslateBrowsePathsToNodeIds gating with ancestor-visibility logic per acl-design.md §Browse.
• CreateMonitoredItems + TransferSubscriptions gating with per-item (AuthGenerationId, MembershipVersion) stamp so revoked grants surface BadUserAccessDenied within one publish cycle (decision #153).
• Alarm Acknowledge / Confirm / Shelve gating.
• Call (method invocation) gating.
• Finer-grained scope resolution — current NodeScopeResolver returns a flat cluster-level scope. Joining against the live Configuration DB to populate UnsArea / UnsLine / Equipment path is tracked as Stream C.12.
• 3-user integration matrix covering every operation × allow/deny.

These are additional hardening — the three highest-value surfaces (Read / Write / HistoryRead) are now gated, which covers the base-security gap for v2 GA.

Config fallback — Phase 6.1 Stream D wiring (task #136 — CLOSED 2026-04-19, PR #96)

Closed. SealedBootstrap consumes ResilientConfigReader + GenerationSealedCache + StaleConfigFlag end-to-end: bootstrap calls go through the timeout → retry → fallback-to-sealed pipeline; every central-DB success writes a fresh sealed snapshot so the next cache-miss has a known-good fallback; StaleConfigFlag.IsStale is now consumed by HealthEndpointsHost.usingStaleConfig so /healthz body reports reality.

Production activation: Program.cs switches NodeBootstrap → SealedBootstrap + constructs OpcUaApplicationHost with the StaleConfigFlag as an optional ctor parameter.

Remaining follow-ups (hardening, not release-blocking):

• A HostedService that polls sp_GetCurrentGenerationForCluster periodically so peer-published generations land in this node's cache without a restart.
• Richer snapshot payload via sp_GetGenerationContent so fallback can serve the full generation content (DriverInstance enumeration, ACL rows, etc.) from the sealed cache alone.

Redundancy — Phase 6.3 Streams A/C core (tasks #145 + #147 — CLOSED 2026-04-19, PRs #98–99)

Closed. The runtime orchestration layer now exists end-to-end:

• RedundancyCoordinator reads ClusterNode + peer list at startup (Stream A shipped in PR #98). Invariants enforced: 1-2 nodes (decision #83), unique ApplicationUri (#86), ≤1 Primary in Warm/Hot (#84). Startup fails fast on violation; runtime refresh logs + flips IsTopologyValid=false so the calculator falls to band 2 without tearing down.
• RedundancyStatePublisher orchestrates topology + apply lease + recovery state + peer reachability through ServiceLevelCalculator + emits OnStateChanged / OnServerUriArrayChanged edge-triggered events (Stream C core shipped in PR #99). The OPC UA ServiceLevel Byte variable + ServerUriArray String[] variable subscribe to these events.

Remaining Phase 6.3 surfaces (hardening, not release-blocking):

• PeerHttpProbeLoop + PeerUaProbeLoop HostedServices that poll the peer + write to PeerReachabilityTracker on each tick. Without these the publisher sees PeerReachability.Unknown for every peer → Isolated-Primary band (230) even when the peer is up. Safe default (retains authority) but not the full non-transparent-redundancy UX.
• OPC UA variable-node wiring layer: bind the ServiceLevel Byte node + ServerUriArray String[] node to the publisher's events via BaseDataVariable.OnReadValue / direct value push. Scoped follow-up on the Opc.Ua.Server stack integration.
• sp_PublishGeneration wraps its apply in await using var lease = coordinator.BeginApplyLease(...) so the PrimaryMidApply band (200) fires during actual publishes (task #148 part 2).
• Client interop matrix validation — Ignition / Kepware / Aveva OI Gateway (Stream F, task #150). Manual + doc-only work; doesn't block code ship.

Remaining drivers (task #120)

AB CIP, AB Legacy, TwinCAT ADS, FOCAS drivers are planned but unshipped. Decision pending on whether these are release-blocking for v2 GA or can slip to a v2.1 follow-up.

Nice-to-haves (not release-blocking)

• Admin UI — Phase 6.1 Stream E.2/E.3 (/hosts column refresh), Phase 6.2 Stream D (RoleGrantsTab + AclsTab Probe), Phase 6.3 Stream E (RedundancyTab), Phase 6.4 Streams A/B UI pieces, Stream C DiffViewer, Stream D IdentificationFields.razor. Tasks #134, #144, #149, #153, #155, #156, #157.
• Background services — Phase 6.1 Stream B.4 ScheduledRecycleScheduler HostedService (task #137), Phase 6.1 Stream A analyzer (task #135 — Roslyn analyzer asserting every capability surface routes through CapabilityInvoker).
• Multi-host dispatch — Phase 6.1 Stream A follow-up (task #135). Currently every driver gets a single pipeline keyed on driver.DriverInstanceId; multi-host drivers (Modbus with N PLCs) need per-PLC host resolution so failing PLCs trip per-PLC breakers without poisoning siblings. Decision #144 requires this but we haven't wired it yet.

Running the release-readiness check

pwsh ./scripts/compliance/phase-6-all.ps1

This meta-runner invokes each phase-6-N-compliance.ps1 script in sequence and reports an aggregate PASS/FAIL. It is the single-command verification that what we claim is shipped still compiles + tests pass + the plan-level invariants are still satisfied.

Exit 0 = every phase passes its compliance checks + no test-count regression.

Release-readiness exit criteria

v2 GA requires all of the following:

• All four Phase 6.N compliance scripts exit 0.
• dotnet test ZB.MOM.WW.OtOpcUa.slnx passes with ≤ 1 known-flake failure.
• Release blockers listed above all closed (or consciously deferred to v2.1 with a written decision).
• Production deployment checklist (separate doc) signed off by Fleet Admin.
• At least one end-to-end integration run against the live Galaxy on the dev box succeeds.
• OPC UA conformance test (CTT or UA Compliance Test Tool) passes against the live endpoint.
• Non-transparent redundancy cutover validated with at least one production client (Ignition 8.3 recommended — see decision #85).

Change log

• 2026-04-19 — Release blocker #3 closed (PRs #98–99). Phase 6.3 Streams A + C core shipped: ClusterTopologyLoader + RedundancyCoordinator + RedundancyStatePublisher + PeerReachabilityTracker. Code-path release blockers all closed; remaining Phase 6.3 surfaces (peer-probe HostedServices, OPC UA variable-node binding, sp_PublishGeneration lease wrap, client interop matrix) are hardening follow-ups.
• 2026-04-19 — Release blocker #2 closed (PR #96). SealedBootstrap consumes ResilientConfigReader + GenerationSealedCache + StaleConfigFlag; /healthz now surfaces the stale flag. Remaining follow-ups (periodic poller + richer snapshot payload) downgraded to hardening.
• 2026-04-19 — Release blocker #1 closed (PR #94). AuthorizationGate wired into DriverNodeManager Read / Write / HistoryRead dispatch. Remaining Stream C surfaces (Browse / Subscribe / Alarm / Call + finer-grained scope resolution) downgraded to hardening follow-ups — no longer release-blocking.
• 2026-04-19 — Phase 6.4 data layer merged (PRs #91–92). Phase 6 core complete. Capstone doc created.
• 2026-04-19 — Phase 6.3 core merged (PRs #89–90). ServiceLevelCalculator + RecoveryStateManager + ApplyLeaseRegistry land as pure logic; coordinator / UA-node wiring / Admin UI / interop deferred.
• 2026-04-19 — Phase 6.2 core merged (PRs #84–88). AuthorizationGate + TriePermissionEvaluator + LdapGroupRoleMapping land; dispatch wiring + Admin UI deferred.
• 2026-04-19 — Phase 6.1 shipped (PRs #78–83). Polly resilience + Tier A/B/C stability + health endpoints + LiteDB generation-sealed cache + Admin /hosts data layer all live.