Resolve DA, A&C, and security spec gaps with ServerCapabilities, alarm methods, and modern profiles

Add ServerCapabilities/OperationLimits node, enable diagnostics, add OnModifyMonitoredItemsComplete
override for DA compliance. Wire shelving, enable/disable, confirm, and addcomment handlers on
alarm conditions with LocalTime/Quality event fields for Part 9 compliance. Add Aes128/Aes256
security profiles, X.509 certificate authentication, and AUDIT-prefixed auth logging. Fix flaky
probe monitor test. Update docs for all changes.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

docs/security.md

@@ -11,13 +11,17 @@ There are two distinct layers of security in OPC UA:
 
 ## Supported Security Profiles
 
-The server supports three transport security profiles in Phase 1:
+The server supports seven transport security profiles:
 
-| Profile Name                      | Security Policy     | Message Security Mode | Description                                      |
-|-----------------------------------|---------------------|-----------------------|--------------------------------------------------|
-| `None`                            | None                | None                  | No signing or encryption. Suitable for development and isolated networks only. |
-| `Basic256Sha256-Sign`             | Basic256Sha256      | Sign                  | Messages are signed but not encrypted. Protects against tampering but data is visible on the wire. |
-| `Basic256Sha256-SignAndEncrypt`   | Basic256Sha256      | SignAndEncrypt        | Messages are both signed and encrypted. Full protection against tampering and eavesdropping. |
+| Profile Name                      | Security Policy            | Message Security Mode | Description                                      |
+|-----------------------------------|----------------------------|-----------------------|--------------------------------------------------|
+| `None`                            | None                       | None                  | No signing or encryption. Suitable for development and isolated networks only. |
+| `Basic256Sha256-Sign`             | Basic256Sha256             | Sign                  | Messages are signed but not encrypted. Protects against tampering but data is visible on the wire. |
+| `Basic256Sha256-SignAndEncrypt`   | Basic256Sha256             | SignAndEncrypt        | Messages are both signed and encrypted. Full protection against tampering and eavesdropping. |
+| `Aes128_Sha256_RsaOaep-Sign`     | Aes128_Sha256_RsaOaep      | Sign                  | Modern profile with AES-128 encryption and SHA-256 signing. |
+| `Aes128_Sha256_RsaOaep-SignAndEncrypt` | Aes128_Sha256_RsaOaep | SignAndEncrypt        | Modern profile with AES-128 encryption. Recommended for production. |
+| `Aes256_Sha256_RsaPss-Sign`      | Aes256_Sha256_RsaPss       | Sign                  | Strongest profile with AES-256 and RSA-PSS signatures. |
+| `Aes256_Sha256_RsaPss-SignAndEncrypt` | Aes256_Sha256_RsaPss  | SignAndEncrypt        | Strongest profile. Recommended for high-security deployments. |
 
 Multiple profiles can be enabled simultaneously. The server exposes a separate endpoint for each configured profile, and clients select the one they prefer during connection.
 
@@ -44,7 +48,7 @@ Transport security is configured in the `Security` section of `appsettings.json`
 
 | Property                       | Type       | Default                                          | Description |
 |--------------------------------|------------|--------------------------------------------------|-------------|
-| `Profiles`                     | `string[]` | `["None"]`                                       | List of security profile names to expose as server endpoints. Valid values: `None`, `Basic256Sha256-Sign`, `Basic256Sha256-SignAndEncrypt`. Profile names are case-insensitive. Duplicates are ignored. |
+| `Profiles`                     | `string[]` | `["None"]`                                       | List of security profile names to expose as server endpoints. Valid values: `None`, `Basic256Sha256-Sign`, `Basic256Sha256-SignAndEncrypt`, `Aes128_Sha256_RsaOaep-Sign`, `Aes128_Sha256_RsaOaep-SignAndEncrypt`, `Aes256_Sha256_RsaPss-Sign`, `Aes256_Sha256_RsaPss-SignAndEncrypt`. Profile names are case-insensitive. Duplicates are ignored. |
 | `AutoAcceptClientCertificates` | `bool`     | `true`                                           | When `true`, the server automatically trusts client certificates that are not already in the trusted store. Set to `false` in production for explicit trust management. |
 | `RejectSHA1Certificates`       | `bool`     | `true`                                           | When `true`, client certificates signed with SHA-1 are rejected. SHA-1 is considered cryptographically weak. |
 | `MinimumCertificateKeySize`    | `int`      | `2048`                                           | Minimum RSA key size (in bits) required for client certificates. Certificates with shorter keys are rejected. |
@@ -142,7 +146,7 @@ Remove `None` from the `Profiles` list to prevent unencrypted connections:
 ```json
 {
   "Security": {
-    "Profiles": ["Basic256Sha256-SignAndEncrypt"]
+    "Profiles": ["Aes256_Sha256_RsaPss-SignAndEncrypt"]
   }
 }
 ```
@@ -174,6 +178,32 @@ While UserName tokens are always encrypted by the OPC UA stack (using the server
 
 Periodically inspect the `rejected/` directory. Certificates that appear here were presented by clients but were not trusted. If you recognize a legitimate client certificate, move it to the `trusted/` directory to grant access.
 
+## X.509 Certificate Authentication
+
+The server supports X.509 certificate-based user authentication in addition to Anonymous and UserName tokens. When any non-None security profile is configured, the server advertises `UserTokenType.Certificate` in its endpoint descriptions.
+
+Clients can authenticate by presenting an X.509 certificate. The server extracts the Common Name (CN) from the certificate subject and assigns the `AuthenticatedUser` and `ReadOnly` roles. The authentication is logged with the certificate's CN, subject, and thumbprint.
+
+X.509 authentication is available automatically when transport security is enabled -- no additional configuration is required.
+
+## Audit Logging
+
+The server generates audit log entries for security-relevant operations. All audit entries use the `AUDIT:` prefix and are written to the Serilog rolling file sink for compliance review.
+
+Audited events:
+- **Authentication success**: Logs username, assigned roles, and session ID
+- **Authentication failure**: Logs username and session ID
+- **X.509 authentication**: Logs certificate CN, subject, and thumbprint
+- **Certificate validation**: Logs certificate subject, thumbprint, and expiry for all validation events (accepted or rejected)
+- **Write access denial**: Logged by the role-based access control system when a user lacks the required role
+
+Example audit log entries:
+```
+AUDIT: Authentication SUCCESS for user admin with roles [ReadOnly, WriteOperate, AlarmAck] session abc123
+AUDIT: Authentication FAILED for user baduser from session def456
+X509 certificate authenticated: CN=ClientApp, Subject=CN=ClientApp,O=Acme, Thumbprint=AB12CD34
+```
+
 ## CLI Examples
 
 The Client CLI supports the `-S` (or `--security`) flag to select the transport security mode when connecting. Valid values are `none`, `sign`, `encrypt`, and `signandencrypt`.