Add authentication and role-based write access control

Implements configurable user authentication (anonymous + username/password)
with pluggable credential provider (IUserAuthenticationProvider). Anonymous
writes can be disabled via AnonymousCanWrite setting while reads remain
open. Adds -U/-P flags to all CLI commands for authenticated sessions.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

tools/opcuacli-dotnet/Commands/HistoryReadCommand.cs

@@ -15,6 +15,12 @@ public class HistoryReadCommand : ICommand
     [CommandOption("url", 'u', Description = "OPC UA server endpoint URL", IsRequired = true)]
     public string Url { get; init; } = default!;
 
+    [CommandOption("username", 'U', Description = "Username for authentication")]
+    public string? Username { get; init; }
+
+    [CommandOption("password", 'P', Description = "Password for authentication")]
+    public string? Password { get; init; }
+
     /// <summary>
     /// Gets the node identifier for the historized variable to query.
     /// </summary>
@@ -57,7 +63,7 @@ public class HistoryReadCommand : ICommand
     /// <param name="console">The CLI console used for output, errors, and cancellation handling.</param>
     public async ValueTask ExecuteAsync(IConsole console)
     {
-        using var session = await OpcUaHelper.ConnectAsync(Url);
+        using var session = await OpcUaHelper.ConnectAsync(Url, Username, Password);
 
         var nodeId = new NodeId(NodeId);
         var start = string.IsNullOrEmpty(StartTime) ? DateTime.UtcNow.AddHours(-24) : DateTime.Parse(StartTime).ToUniversalTime();