docs(security,core): correct stale write-outcome doc + note benign DraftSnapshot/LeaderChanged residue (stillpending §9/§3)

docs/security.md

@@ -327,9 +327,25 @@ The rule is intentionally scoped to async surfaces — pure in-memory accessors
 
 ---
 
+## Write-Outcome Self-Correction
+
+When an OPC UA client writes a value and the driver reports a failure, the server automatically
+reverts the variable node to its prior value and surfaces the Bad-quality status code to the client.
+This prevents the node from showing a phantom Good value after a device-level write error. The
+revert is local to the node that received the write — no cluster coordination is required.
+
+Additionally, an `AuditWriteUpdateEvent` is emitted on every write attempt (success or failure),
+consistent with OPC UA Part 4 audit requirements. The event carries the source node id, the
+requested value, and the final status code so audit log consumers can trace write outcomes without
+polling the node.
+
+(Implemented in master `1d797c1c`.)
+
+---
+
 ## Audit Logging
 
-- **Server**: authentication, certificate-validation, and write-denial events are logged through the regular Serilog rolling file sink.
+- **Server**: authentication, certificate-validation, write, and write-denial events are logged through the regular Serilog rolling file sink; write outcomes also emit an `AuditWriteUpdateEvent` (see [Write-Outcome Self-Correction](#write-outcome-self-correction)).
 - **Admin**: `AuditWriterActor` (`src/Server/ZB.MOM.WW.OtOpcUa.ControlPlane/Audit/AuditWriterActor.cs`) writes `ConfigAuditLog` rows (`src/Core/ZB.MOM.WW.OtOpcUa.Configuration/Entities/ConfigAuditLog.cs`) to the Config DB for publish, rollback, cluster-node CRUD, and credential rotation. Visible on the cluster Audit page (`ClusterAudit.razor`) for operators with `Viewer` or above.
 
 ---