[Server] Add INodeManager3 with role permission validation. Improve MonitoredNode Datastructures & Locks

[romanett]

Proposed changes

Add INodeManager3 with role permission validation

Introduce INodeManager3 interface extending INodeManager2, adding synchronous role permission validation methods. Update all node manager interfaces and classes to use INodeManager3. Extend IAsyncNodeManager with async permission validation methods and update adapters for sync/async bridging. Deprecate FindNodeInAddressSpace in favor of new async FindNodeInAddressSpaceAsync.
Refactor MonitoredNode2 to use thread-safe collections and locking for monitored items. Enhance event reporting with security and permission checks. Update constructors and documentation to reflect new interfaces and best practices. Only Lock per MonitoredNode instead of full NodeManager.

Related Issues

• Fixes IConfigurationNodeManager and IMasterNodeManager Interfaces have dropped methods and properties #3494

Types of changes

• Bugfix (non-breaking change which fixes an issue)
• Enhancement (non-breaking change which adds functionality)
• Test enhancement (non-breaking change to increase test coverage)
• Breaking change (fix or feature that would cause existing functionality to not work as expected, requires version increase of Nuget packages)
• Documentation Update (if none of the other choices apply)

Checklist

• I have read the CONTRIBUTING doc.
• I have signed the CLA.
• I ran tests locally with my changes, all passed.
• I fixed all failing tests in the CI pipelines.
• I fixed all introduced issues with CodeQL and LGTM.
• I have added tests that prove my fix is effective or that my feature works and increased code coverage.
• I have added necessary documentation (if appropriate).
• Any dependent changes have been merged and published in downstream modules.

[Copilot]

Pull request overview

This pull request introduces INodeManager3, a new interface that extends INodeManager2 with synchronous role permission validation methods. The PR also refactors MonitoredNode2 to use thread-safe collections (ConcurrentDictionary) and per-node locks instead of global NodeManager locks, improving concurrency. Additionally, FindNodeInAddressSpace is deprecated in favor of a new async variant FindNodeInAddressSpaceAsync. The changes address issue #3494 by restoring missing methods to configuration and master node manager interfaces through the interface hierarchy.

Changes:

• Introduced INodeManager3 interface with ValidateEventRolePermissions and ValidateRolePermissions methods
• Refactored MonitoredNode2 to use ConcurrentDictionary for monitored items and per-node Lock objects for thread safety
• Updated all node manager interfaces (IConfigurationNodeManager, IDiagnosticsNodeManager) to inherit from INodeManager3
• Added async permission validation methods to IAsyncNodeManager and updated adapter classes for sync/async bridging
• Deprecated FindNodeInAddressSpace in favor of FindNodeInAddressSpaceAsync
• Enhanced event reporting with security checks for audit events and session-specific filtering

Reviewed changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
Libraries/Opc.Ua.Server/NodeManager/INodeManager.cs	Defines new INodeManager3 interface with permission validation methods and adds corresponding async methods to IAsyncNodeManager; updates documentation references
Libraries/Opc.Ua.Server/NodeManager/IMasterNodeManager.cs	Adds FindNodeInAddressSpaceAsync method declaration
Libraries/Opc.Ua.Server/NodeManager/MasterNodeManager.cs	Implements FindNodeInAddressSpaceAsync to search across all node managers
Libraries/Opc.Ua.Server/NodeManager/CustomNodeManager.cs	Updates to implement INodeManager3 and deprecates FindNodeInAddressSpace method
Libraries/Opc.Ua.Server/NodeManager/MonitoredItem/MonitoredNode.cs	Refactors to use ConcurrentDictionary for monitored items, adds per-node locks, implements role permission checks in event reporting
Libraries/Opc.Ua.Server/NodeManager/MonitoredItem/MonitoredNodeMonitoredItemManager.cs	Updates constructor to accept INodeManager3 and IServerInternal, updates MonitoredNode2 instantiation
Libraries/Opc.Ua.Server/NodeManager/MonitoredItem/SamplingGroupMonitoredItemManager.cs	Updates constructor to accept INodeManager3 and IServerInternal, updates MonitoredNode2 instantiation
Libraries/Opc.Ua.Server/NodeManager/Adapters/SyncNodeManagerAdapter.cs	Adds sync-to-async adapter methods for new permission validation methods
Libraries/Opc.Ua.Server/NodeManager/Adapters/AsyncNodeManagerAdapter.cs	Adds async-to-sync adapter methods for new permission validation methods with fallback to ServiceResult.Good
Libraries/Opc.Ua.Server/Configuration/IConfigurationNodeManager.cs	Updates to inherit from INodeManager3 instead of INodeManager2
Libraries/Opc.Ua.Server/Configuration/ConfigurationNodeManager.cs	Updates FindNodeInAddressSpace calls to use new async variant
Libraries/Opc.Ua.Server/Diagnostics/IDiagnosticsNodeManager.cs	Updates to inherit from INodeManager3 instead of INodeManager2

[marcschier]

Should we not just make this method async, too? All the way up to "start"? We could lave the sync one and deprecate it. WIth a pointer to how the behavior inside it has changed anyway.

[romanett]

Async will be done with AsyncCustomNodeManager being added soon.

[romanett]

Plese merge #3558 first