Consolidate LDAP roles into OPC UA session roles with granular write permissions

Map LDAP groups to custom OPC UA role NodeIds on RoleBasedIdentity.GrantedRoleIds
during authentication, replacing the username-to-role side cache. Split ReadWrite
into WriteOperate/WriteTune/WriteConfigure so write access is gated per Galaxy
security classification. AnonymousCanWrite now behaves consistently regardless
of LDAP state.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Joseph Doherty
2026-03-29 01:50:16 -04:00
parent 50b9603465
commit 50b85d41bd
21 changed files with 549 additions and 94 deletions


@@ -3,6 +3,7 @@ using System.Threading.Tasks;
using Xunit;
using ZB.MOM.WW.LmxOpcUa.Host;
using ZB.MOM.WW.LmxOpcUa.Host.Configuration;
using ZB.MOM.WW.LmxOpcUa.Host.Domain;
namespace ZB.MOM.WW.LmxOpcUa.Tests.Helpers
{
@@ -120,7 +121,9 @@ namespace ZB.MOM.WW.LmxOpcUa.Tests.Helpers
SecurityProfileConfiguration? security = null,
RedundancyConfiguration? redundancy = null,
string? applicationUri = null,
string? serverName = null)
string? serverName = null,
AuthenticationConfiguration? authConfig = null,
IUserAuthenticationProvider? authProvider = null)
{
var client = mxClient ?? new FakeMxAccessClient();
var r = repo ?? new FakeGalaxyRepository
@@ -142,6 +145,10 @@ namespace ZB.MOM.WW.LmxOpcUa.Tests.Helpers
builder.WithApplicationUri(applicationUri);
if (serverName != null)
builder.WithGalaxyName(serverName);
if (authConfig != null)
builder.WithAuthentication(authConfig);
if (authProvider != null)
builder.WithAuthProvider(authProvider);
return new OpcUaServerFixture(builder, repo: r, mxClient: client);
}