docs(m7): reflect OPC UA / MxGateway UX (T13-T17) across component docs + CLAUDE/stillpending/completion-design

docs/requirements/Component-ManagementService.md

@@ -140,6 +140,15 @@ Both endpoints honour any site-scope rules attached to the caller's audit role b
 - **DeployArtifacts**: Deploy system-wide artifacts (shared scripts, external system definitions, DB connections, data connections) to all sites or a specific site.
 - **GetDeploymentStatus**: Query deployment status.
 
+### Secured Writes (MxGateway, two-person)
+
+The two-person authorization workflow for writes through the MxAccess Gateway. Backed by the central `PendingSecuredWrite` table; all four lifecycle events emit a best-effort Audit Log row sharing the row id as `CorrelationId` (see Component-AuditLog.md).
+
+- **SubmitSecuredWriteCommand** (`Operator` role): validates the target connection exists and uses the **MxGateway** protocol (rejected otherwise), then inserts a `Pending` row capturing site / connection / tag / typed value / operator + comment. Nothing is written yet.
+- **ApproveSecuredWriteCommand** (`Verifier` role): enforces **no self-approval** (`VerifierUser ≠ OperatorUser`, checked **before** any state change) and a **compare-and-swap** race guard (`TryMarkApprovedAsync` — exactly one concurrent approver flips `Pending → Approved`; the loser is rejected). On winning, it validates the value type, decodes the value (guarded — a bad value fails the row deterministically rather than leaving it stuck `Approved`), and relays a `WriteTagRequest` to the site MxGateway via the Communication Layer, recording the outcome as `Executed` or `Failed`.
+- **RejectSecuredWriteCommand** (`Verifier` role): marks a `Pending` row `Rejected` with the verifier's reason.
+- **List / query secured writes**: pending queue + terminal history, global or per-site.
+
 ### External Systems
 
 - **ListExternalSystems** / **GetExternalSystem**: Query external system definitions.
@@ -192,6 +201,10 @@ Both endpoints honour any site-scope rules attached to the caller's audit role b
 - **QuerySiteEventLog**: Query site event log entries from a remote site (routed via communication layer). Supports date range, keyword search, and pagination.
 - **QueryParkedMessages**: Query parked (dead-letter) messages at a remote site (routed via communication layer). Supports pagination.
 - **DebugSnapshot**: Request a one-shot snapshot of attribute values and alarm states for a running instance. Resolves the instance's site from the config DB and routes via the communication layer. Uses 30s `QueryTimeout`.
+- **BrowseNodeCommand**: Browse an OPC UA / MxGateway connection's address space one level at a time; supports a `BrowseNext` continuation token (paging) and returns per-node type-info for OPC UA Variables. (`Design` role.)
+- **SearchAddressSpaceCommand**: Bounded recursive address-space search (depth + result caps, case-insensitive substring) against an OPC UA connection. (`Design` role.)
+- **VerifyEndpointCommand**: Ask a site to probe an OPC UA endpoint (temporary client, short timeout) and report success / typed failure / a captured-but-untrusted server cert. Read-only — never trusts. (`Design` role — runs inside the Admin-gated connection editor.)
+- **TrustServerCertCommand** / **RemoveServerCertCommand** / **ListServerCertsCommand**: Manage the site's OPC UA trusted-peer PKI store; Trust/Remove broadcast to **both** site nodes (see Component-SiteRuntime.md). (`Admin` role.)
 
 ## Authorization
 
@@ -200,6 +213,9 @@ Every incoming message carries the authenticated user's identity and roles. The
 - **Admin** role required for: site management, area management, API key management, role mapping management, scope rule management, system configuration.
 - **Design** role required for: template authoring (including template member management: attributes, alarms, native alarm sources, scripts, compositions), shared scripts, external system definitions, database connection definitions, notification lists, inbound API method definitions.
 - **Deployment** role required for: instance management (including instance alarm overrides and native alarm source overrides), deployments, debug view, debug snapshot, parked message queries, site event log queries. Site scoping is enforced for site-scoped Deployment users.
+- **Operator** role required for: submitting a secured write (`SubmitSecuredWriteCommand`).
+- **Verifier** role required for: approving / rejecting a secured write (`ApproveSecuredWriteCommand` / `RejectSecuredWriteCommand`). The no-self-approval rule (`Operator ≠ Verifier`) is enforced in the handler, independent of the role check.
+- **Admin** role additionally required for: server-certificate trust/remove/list (`TrustServerCertCommand` / `RemoveServerCertCommand` / `ListServerCertsCommand`).
 - **Read-only access** (any authenticated role): health summary, health site, site event log queries, parked message queries.
 
 Unauthorized commands receive an `Unauthorized` response message. Failed authorization attempts are not audit logged (consistent with existing behavior).
@@ -216,6 +232,8 @@ The ManagementActor receives the following services and repositories via DI (inj
 - `IExternalSystemRepository` — External system definitions.
 - `INotificationRepository` — Notification lists and SMTP config.
 - `ISecurityRepository` — API keys and LDAP role mappings.
+- `ISecuredWriteRepository` — Pending/decided secured writes (the two-person MxGateway write workflow).
+- `IAuditLogRepository` — Best-effort central direct-write of secured-write lifecycle audit rows.
 - `IInboundApiRepository` — Inbound API method definitions.
 - `ISharedScriptRepository` / `SharedScriptService` — Shared script definitions.
 - `IDatabaseConnectionRepository` — Database connection definitions.