Add authentication and role-based write access control

Implements configurable user authentication (anonymous + username/password)
with pluggable credential provider (IUserAuthenticationProvider). Anonymous
writes can be disabled via AnonymousCanWrite setting while reads remain
open. Adds -U/-P flags to all CLI commands for authenticated sessions.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

tools/opcuacli-dotnet/Commands/ReadCommand.cs

@@ -15,6 +15,12 @@ public class ReadCommand : ICommand
     [CommandOption("url", 'u', Description = "OPC UA server endpoint URL", IsRequired = true)]
     public string Url { get; init; } = default!;
 
+    [CommandOption("username", 'U', Description = "Username for authentication")]
+    public string? Username { get; init; }
+
+    [CommandOption("password", 'P', Description = "Password for authentication")]
+    public string? Password { get; init; }
+
     /// <summary>
     /// Gets the node identifier whose value should be read.
     /// </summary>
@@ -27,7 +33,7 @@ public class ReadCommand : ICommand
     /// <param name="console">The console used to report the read result.</param>
     public async ValueTask ExecuteAsync(IConsole console)
     {
-        using var session = await OpcUaHelper.ConnectAsync(Url);
+        using var session = await OpcUaHelper.ConnectAsync(Url, Username, Password);
 
         var node = new NodeId(NodeId);
         var value = await session.ReadValueAsync(node);