Closes task #122 (Acknowledge + Confirm + generic Call — Shelve stays as
a follow-up pending per-instance method-NodeId resolution).
Before this commit any session with a connected channel could invoke
method nodes on driver-materialized equipment — including alarm
Acknowledge / Confirm. Combined with the Browse + CreateMonitoredItems
gates that landed earlier in Stream C, this was the last service-layer
entry point where a session could still affect state without passing
the authz trie.
Implementation on DriverNodeManager:
- `Call` override — pre-iterates methodsToCall, gates each through
AuthorizationGate with the operation kind returned by
MapCallOperation. Denied calls get errors[i] = BadUserAccessDenied
before delegating to base.Call.
- `MapCallOperation(NodeId methodId)` — maps well-known Part 9 method
NodeIds to dedicated operation kinds:
MethodIds.AcknowledgeableConditionType_Acknowledge →
OpcUaOperation.AlarmAcknowledge
MethodIds.AcknowledgeableConditionType_Confirm →
OpcUaOperation.AlarmConfirm
everything else → OpcUaOperation.Call
Lets the ACL distinguish "can acknowledge alarms" from "can invoke
arbitrary methods" without conflating the two roles.
- Shelve dispatch paths through per-instance ShelvedStateMachine methods
with dynamic NodeIds that can't be constant-matched — falls through
to generic Call. Fine-grained OpcUaOperation.AlarmShelve is a follow-
up when the method-invocation path grows a "method-role" annotation.
Extracted GateCallMethodRequests + MapCallOperation as static internal
for unit-testability. 8 new tests (MapCallOperation Acknowledge /
Confirm / generic; gate-null no-op, denied-Acknowledge, allowed-
Acknowledge, mixed-batch, pre-populated-error-preserved).
Server.Tests 269 → 277.
Known follow-ups:
- Shelve per-operation gating (see above).
- TranslateBrowsePathsToNodeIds gating (Browse follow-up from #120).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
ded292ecd7