fix(client-shared): resolve Low code-review findings (Client.Shared-003,004,009,010,011)

- Client.Shared-003: DefaultSessionAdapter.WriteValueAsync / CallMethodAsync
  guard against null/empty Results and throw ServiceResultException with
  the response's ServiceResult code instead of indexing into a missing
  list.
- Client.Shared-004: DefaultSessionAdapter.CloseAsync / HistoryReadRawAsync
  / HistoryReadAggregateAsync use the Session.*Async overloads and honour
  the caller's CancellationToken.
- Client.Shared-009: AcknowledgeAlarmAsync returns the underlying
  ServiceResultException.StatusCode on failure instead of always Good;
  IOpcUaClientService doc updated to describe the new contract.
- Client.Shared-010: ConnectionSettings.CertificateStorePath defaults to
  empty; DefaultApplicationConfigurationFactory resolves the canonical
  PKI path lazily, so per-failover ConnectionSettings copies don't hit
  the filesystem.
- Client.Shared-011: added the alarm-fallback regression test, extracted
  EndpointSelector as a pure static, and added EndpointSelectorTests
  covering security-mode match, Basic256Sha256 preference, fallback,
  diagnostics, hostname rewrite, and null/empty guards.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

tests/Client/ZB.MOM.WW.OtOpcUa.Client.Shared.Tests/Models/ConnectionSettingsTests.cs

@@ -18,8 +18,10 @@ public class ConnectionSettingsTests
         settings.SecurityMode.ShouldBe(SecurityMode.None);
         settings.SessionTimeoutSeconds.ShouldBe(60);
         settings.AutoAcceptCertificates.ShouldBeTrue();
-        settings.CertificateStorePath.ShouldContain("OtOpcUaClient");
-        settings.CertificateStorePath.ShouldContain("pki");
+        // CertificateStorePath defaults to empty so constructing settings does not
+        // touch disk; DefaultApplicationConfigurationFactory resolves the canonical
+        // PKI path lazily on first connect (Client.Shared-010).
+        settings.CertificateStorePath.ShouldBe(string.Empty);
     }
 
     [Fact]