Add authentication and role-based write access control

Implements configurable user authentication (anonymous + username/password)
with pluggable credential provider (IUserAuthenticationProvider). Anonymous
writes can be disabled via AnonymousCanWrite setting while reads remain
open. Adds -U/-P flags to all CLI commands for authenticated sessions.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

tools/opcuacli-dotnet/Commands/ConnectCommand.cs

@@ -13,13 +13,19 @@ public class ConnectCommand : ICommand
     [CommandOption("url", 'u', Description = "OPC UA server endpoint URL", IsRequired = true)]
     public string Url { get; init; } = default!;
 
+    [CommandOption("username", 'U', Description = "Username for authentication")]
+    public string? Username { get; init; }
+
+    [CommandOption("password", 'P', Description = "Password for authentication")]
+    public string? Password { get; init; }
+
     /// <summary>
     /// Connects to the OPC UA endpoint and prints the resolved server metadata.
     /// </summary>
     /// <param name="console">The console used to report connection results.</param>
     public async ValueTask ExecuteAsync(IConsole console)
     {
-        using var session = await OpcUaHelper.ConnectAsync(Url);
+        using var session = await OpcUaHelper.ConnectAsync(Url, Username, Password);
         await console.Output.WriteLineAsync($"Connected to: {session.Endpoint.EndpointUrl}");
         await console.Output.WriteLineAsync($"Server: {session.Endpoint.Server!.ApplicationName}");
         await console.Output.WriteLineAsync($"Security Mode: {session.Endpoint.SecurityMode}");