Phase 6.2 Stream C — CreateMonitoredItems per-item gating

Closes task #121 (partial — creation-time gate; decision #153 per-item
revocation stamp is a follow-up).

Before this commit a session could subscribe to any node via
CreateMonitoredItems, even nodes where Read was denied — the
subscription would surface BadUserAccessDenied on each data-change
read, but the client saw a successful CreateMonitoredItems response
and held the subscription open, wasting resources and leaking the
address-space shape through the item metadata.

New override on DriverNodeManager.CreateMonitoredItems:
- Pre-iterates itemsToCreate, gates each through AuthorizationGate with
  OpcUaOperation.CreateMonitoredItems at the target node's scope.
- For denied slots: sets errors[i] = new ServiceResult(
  StatusCodes.BadUserAccessDenied). The OPC Foundation base stack
  honours pre-populated non-success errors and skips item creation for
  those slots — the subscription never holds a handle to a denied
  node.
- Preserves prior errors (e.g. BadNodeIdUnknown) — first diagnosis wins.
- Non-string-identifier references (stack-synthesized numeric ids)
  bypass the gate.

Extracted the pure filter logic into
GateMonitoredItemCreateRequests(items, errors, identity, gate,
scopeResolver) — static internal, unit-testable without the OPC UA
server stack.

Tests — 6 new in MonitoredItemGatingTests.cs (gate-null no-op,
denied-gets-BadUserAccessDenied, allowed-passes, mixed-batch-denies-
per-item, pre-populated-error-preserved, numeric-id-bypass). Server.Tests
263 → 269.

Known follow-ups:
- Per-item (AuthGenerationId, MembershipVersion) stamp (decision #153)
  for detecting revocation mid-subscription — needs subscription-layer
  plumbing.
- TransferSubscriptions not yet wired (same pattern, smaller scope).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

tests/ZB.MOM.WW.OtOpcUa.Server.Tests/MonitoredItemGatingTests.cs

@@ -0,0 +1,146 @@
+using Opc.Ua;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Core.Authorization;
+using ZB.MOM.WW.OtOpcUa.Server.OpcUa;
+using ZB.MOM.WW.OtOpcUa.Server.Security;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.Tests;
+
+/// <summary>
+///     Unit tests for <see cref="DriverNodeManager.GateMonitoredItemCreateRequests"/> —
+///     Phase 6.2 Stream C per-item subscription gating. Pre-populates the errors array
+///     with <see cref="StatusCodes.BadUserAccessDenied"/> for denied items; base stack
+///     honours the pre-set error and skips the item.
+/// </summary>
+[Trait("Category", "Unit")]
+public sealed class MonitoredItemGatingTests
+{
+    [Fact]
+    public void Gate_null_leaves_errors_untouched()
+    {
+        var items = new List<MonitoredItemCreateRequest> { NewRequest("c1/area/line/eq/tag1") };
+        var errors = new List<ServiceResult> { (ServiceResult)null! };
+
+        DriverNodeManager.GateMonitoredItemCreateRequests(items, errors, new UserIdentity(), gate: null, scopeResolver: null);
+
+        errors[0].ShouldBeNull();
+    }
+
+    [Fact]
+    public void Denied_item_gets_BadUserAccessDenied()
+    {
+        var items = new List<MonitoredItemCreateRequest> { NewRequest("c1/area/line/eq/tag1") };
+        var errors = new List<ServiceResult> { (ServiceResult)null! };
+        var gate = MakeGate(strict: true, rows: []); // no grants → deny
+
+        DriverNodeManager.GateMonitoredItemCreateRequests(items, errors, NewIdentity("alice"), gate, new NodeScopeResolver("c1"));
+
+        ServiceResult.IsBad(errors[0]).ShouldBeTrue();
+        errors[0].StatusCode.ShouldBe((StatusCode)StatusCodes.BadUserAccessDenied);
+    }
+
+    [Fact]
+    public void Allowed_item_is_not_touched()
+    {
+        var items = new List<MonitoredItemCreateRequest> { NewRequest("c1/area/line/eq/tag1") };
+        var errors = new List<ServiceResult> { (ServiceResult)null! };
+        var gate = MakeGate(strict: true, rows: [Row("grp-ops", NodePermissions.Subscribe)]);
+
+        DriverNodeManager.GateMonitoredItemCreateRequests(items, errors, NewIdentity("alice", "grp-ops"), gate, new NodeScopeResolver("c1"));
+
+        errors[0].ShouldBeNull();
+    }
+
+    [Fact]
+    public void Mixed_batch_denies_per_item()
+    {
+        var items = new List<MonitoredItemCreateRequest>
+        {
+            NewRequest("c1/area/line/eq/tagA"),
+            NewRequest("c1/area/line/eq/tagB"),
+        };
+        var errors = new List<ServiceResult> { (ServiceResult)null!, (ServiceResult)null! };
+        // Grant Browse not CreateMonitoredItems → still denied for this op
+        var gate = MakeGate(strict: true, rows: [Row("grp-ops", NodePermissions.Browse)]);
+
+        DriverNodeManager.GateMonitoredItemCreateRequests(items, errors, NewIdentity("alice", "grp-ops"), gate, new NodeScopeResolver("c1"));
+
+        ServiceResult.IsBad(errors[0]).ShouldBeTrue();
+        ServiceResult.IsBad(errors[1]).ShouldBeTrue();
+    }
+
+    [Fact]
+    public void Pre_populated_error_is_preserved()
+    {
+        // Base stack may have already flagged an item (e.g. BadNodeIdUnknown). The gate
+        // must not overwrite that with a generic BadUserAccessDenied — the first diagnosis
+        // wins.
+        var items = new List<MonitoredItemCreateRequest> { NewRequest("c1/area/line/eq/tag1") };
+        var errors = new List<ServiceResult> { new(StatusCodes.BadNodeIdUnknown) };
+        var gate = MakeGate(strict: true, rows: []);
+
+        DriverNodeManager.GateMonitoredItemCreateRequests(items, errors, NewIdentity("alice"), gate, new NodeScopeResolver("c1"));
+
+        errors[0].StatusCode.ShouldBe((StatusCode)StatusCodes.BadNodeIdUnknown);
+    }
+
+    [Fact]
+    public void Non_string_identifier_bypasses_the_gate()
+    {
+        // Numeric-id references (standard-type nodes) aren't keyed into the authz trie.
+        var items = new List<MonitoredItemCreateRequest>
+        {
+            new() { ItemToMonitor = new ReadValueId { NodeId = new NodeId(62u) } },
+        };
+        var errors = new List<ServiceResult> { (ServiceResult)null! };
+        var gate = MakeGate(strict: true, rows: []);
+
+        DriverNodeManager.GateMonitoredItemCreateRequests(items, errors, NewIdentity("alice"), gate, new NodeScopeResolver("c1"));
+
+        errors[0].ShouldBeNull("numeric-id references bypass the gate");
+    }
+
+    // ---- helpers -----------------------------------------------------------
+
+    private static MonitoredItemCreateRequest NewRequest(string fullRef) => new()
+    {
+        ItemToMonitor = new ReadValueId { NodeId = new NodeId(fullRef, 2) },
+    };
+
+    private static NodeAcl Row(string group, NodePermissions flags) => new()
+    {
+        NodeAclRowId = Guid.NewGuid(),
+        NodeAclId = Guid.NewGuid().ToString(),
+        GenerationId = 1,
+        ClusterId = "c1",
+        LdapGroup = group,
+        ScopeKind = NodeAclScopeKind.Cluster,
+        ScopeId = null,
+        PermissionFlags = flags,
+    };
+
+    private static AuthorizationGate MakeGate(bool strict, NodeAcl[] rows)
+    {
+        var cache = new PermissionTrieCache();
+        cache.Install(PermissionTrieBuilder.Build("c1", 1, rows));
+        var evaluator = new TriePermissionEvaluator(cache);
+        return new AuthorizationGate(evaluator, strictMode: strict);
+    }
+
+    private static IUserIdentity NewIdentity(string name, params string[] groups) => new FakeIdentity(name, groups);
+
+    private sealed class FakeIdentity : UserIdentity, ILdapGroupsBearer
+    {
+        public FakeIdentity(string name, IReadOnlyList<string> groups)
+        {
+            DisplayName = name;
+            LdapGroups = groups;
+        }
+        public new string DisplayName { get; }
+        public IReadOnlyList<string> LdapGroups { get; }
+    }
+}