fix(client-shared): resolve Low code-review findings (Client.Shared-003,004,009,010,011)

- Client.Shared-003: DefaultSessionAdapter.WriteValueAsync / CallMethodAsync
  guard against null/empty Results and throw ServiceResultException with
  the response's ServiceResult code instead of indexing into a missing
  list.
- Client.Shared-004: DefaultSessionAdapter.CloseAsync / HistoryReadRawAsync
  / HistoryReadAggregateAsync use the Session.*Async overloads and honour
  the caller's CancellationToken.
- Client.Shared-009: AcknowledgeAlarmAsync returns the underlying
  ServiceResultException.StatusCode on failure instead of always Good;
  IOpcUaClientService doc updated to describe the new contract.
- Client.Shared-010: ConnectionSettings.CertificateStorePath defaults to
  empty; DefaultApplicationConfigurationFactory resolves the canonical
  PKI path lazily, so per-failover ConnectionSettings copies don't hit
  the filesystem.
- Client.Shared-011: added the alarm-fallback regression test, extracted
  EndpointSelector as a pure static, and added EndpointSelectorTests
  covering security-mode match, Basic256Sha256 preference, fallback,
  diagnostics, hostname rewrite, and null/empty guards.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/Client/ZB.MOM.WW.OtOpcUa.Client.Shared/Adapters/DefaultEndpointDiscovery.cs

@@ -24,9 +24,47 @@ internal sealed class DefaultEndpointDiscovery : IEndpointDiscovery
         using var client = DiscoveryClient.Create(new Uri(endpointUrl));
         var allEndpoints = client.GetEndpoints(null);
 
+        return EndpointSelector.SelectBest(allEndpoints, endpointUrl, requestedMode);
+    }
+}
+
+/// <summary>
+///     Pure best-endpoint selection logic, extracted from <see cref="DefaultEndpointDiscovery"/>
+///     so it can be unit tested without standing up a real <see cref="DiscoveryClient"/>.
+/// </summary>
+internal static class EndpointSelector
+{
+    private static readonly ILogger Logger = Log.ForContext(typeof(EndpointSelector));
+
+    /// <summary>
+    ///     Picks the best endpoint from the discovery response that matches the requested
+    ///     security mode, preferring <c>Basic256Sha256</c>, and rewrites the endpoint URL
+    ///     host to match the user-supplied URL when the discovery response advertises a
+    ///     different hostname.
+    /// </summary>
+    /// <param name="allEndpoints">Endpoints returned by the discovery query, in any order.</param>
+    /// <param name="endpointUrl">The endpoint URL the operator supplied; supplies the hostname rewrite target.</param>
+    /// <param name="requestedMode">The requested OPC UA message security mode.</param>
+    /// <exception cref="InvalidOperationException">
+    ///     Thrown when no endpoint matches <paramref name="requestedMode"/>; the message lists the
+    ///     security mode + policy combinations the server returned so operators can diagnose mismatches.
+    /// </exception>
+    public static EndpointDescription SelectBest(
+        IEnumerable<EndpointDescription> allEndpoints,
+        string endpointUrl,
+        MessageSecurityMode requestedMode)
+    {
+        ArgumentNullException.ThrowIfNull(allEndpoints);
+        if (string.IsNullOrWhiteSpace(endpointUrl))
+            throw new ArgumentException("Endpoint URL must not be null or empty.", nameof(endpointUrl));
+
+        // Materialise once so we can both iterate and produce a diagnostic message
+        // without re-running the underlying discovery enumeration.
+        var endpoints = allEndpoints.ToList();
+
         EndpointDescription? best = null;
 
-        foreach (var ep in allEndpoints)
+        foreach (var ep in endpoints)
         {
             if (ep.SecurityMode != requestedMode)
                 continue;
@@ -37,18 +75,21 @@ internal sealed class DefaultEndpointDiscovery : IEndpointDiscovery
                 continue;
             }
 
+            // Prefer Basic256Sha256 when multiple endpoints match the requested mode.
             if (ep.SecurityPolicyUri == SecurityPolicies.Basic256Sha256)
                 best = ep;
         }
 
         if (best == null)
         {
-            var available = string.Join(", ", allEndpoints.Select(e => $"{e.SecurityMode}/{e.SecurityPolicyUri}"));
+            var available = string.Join(", ", endpoints.Select(e => $"{e.SecurityMode}/{e.SecurityPolicyUri}"));
             throw new InvalidOperationException(
                 $"No endpoint found with security mode '{requestedMode}'. Available endpoints: {available}");
         }
 
-        // Rewrite endpoint URL hostname to match user-supplied hostname
+        // Rewrite endpoint URL hostname to match user-supplied hostname. Necessary
+        // when the OPC UA server returns a discovery URL using a different hostname
+        // (e.g. internal DNS name) than the one the operator routed to.
         var serverUri = new Uri(best.EndpointUrl);
         var requestedUri = new Uri(endpointUrl);
         if (serverUri.Host != requestedUri.Host)