AclsTab Probe-this-permission — first of three #196 slices. New /clusters/{ClusterId}/draft/{GenerationId} ACLs-tab gains a probe card above the grant table so operators can ask the trie "if cn=X asks for permission Y on node Z, would it be granted, and which rows contributed?" without shell-ing into the DB. Service thinly wraps the same PermissionTrieBuilder + PermissionTrie.CollectMatches call path the Server's dispatch layer uses at request time, so a probe answer is by construction identical to what the live server would decide. New PermissionProbeService.ProbeAsync(generationId, ldapGroup, NodeScope, requiredFlags) — loads the target generation's NodeAcl rows filtered to the cluster (critical: without the cluster filter, cross-cluster grants leak into the probe which tested false-positive in the unit suite), builds a trie, CollectMatches against the supplied scope + [ldapGroup], ORs the matched-grant flags into Effective, compares to Required. Returns PermissionProbeResult(Granted, Required, Effective, Matches) — Matches carries LdapGroup + Scope + PermissionFlags per matched row so the UI can render the contribution chain. Zero side effects + no audit rows — a failing probe is a question, not a denial. AclsTab.razor gains the probe card at the top (before the New-grant form + grant table): six inputs for ldap group + every NodeScope level (NamespaceId → UnsAreaId → UnsLineId → EquipmentId → TagId — blank fields become null so the trie walks only as deep as the operator specified), a NodePermissions dropdown filtered to skip None, Probe button, green Granted / red Denied badge + Required/Effective bitmask display, and (when matches exist) a small table showing which LdapGroup matched at which level with which flags. Admin csproj adds ProjectReference to Core — the trie + NodeScope live there + were previously Server-only. Five new PermissionProbeServiceTests covering: cluster-level row grants a namespace-level read; no-group-match denies with empty Effective; matching group but insufficient flags (Browse+Read vs WriteOperate required) denies with correct Effective bitmask; cross-cluster grants stay isolated (c2's WriteOperate does NOT leak into c1's probe); generation isolation (gen1's Read-only does NOT let gen2's WriteOperate-requiring probe pass). Admin.Tests 92/92 passing (was 87, +5). Admin builds 0 errors. Remaining #196 slices — SignalR invalidation + draft-diff ACL section — ship in follow-up PRs so the review surface per PR stays tight.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

tests/ZB.MOM.WW.OtOpcUa.Admin.Tests/PermissionProbeServiceTests.cs

@@ -0,0 +1,128 @@
+using Microsoft.EntityFrameworkCore;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Admin.Services;
+using ZB.MOM.WW.OtOpcUa.Configuration;
+using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+using ZB.MOM.WW.OtOpcUa.Core.Authorization;
+
+namespace ZB.MOM.WW.OtOpcUa.Admin.Tests;
+
+[Trait("Category", "Unit")]
+public sealed class PermissionProbeServiceTests
+{
+    [Fact]
+    public async Task Probe_Grants_When_ClusterLevelRow_CoversRequiredFlag()
+    {
+        using var ctx = NewContext();
+        SeedAcl(ctx, gen: 1, cluster: "c1",
+            scopeKind: NodeAclScopeKind.Cluster, scopeId: null,
+            group: "cn=operators", flags: NodePermissions.Browse | NodePermissions.Read);
+        var svc = new PermissionProbeService(ctx);
+
+        var result = await svc.ProbeAsync(
+            generationId: 1,
+            ldapGroup: "cn=operators",
+            scope: new NodeScope { ClusterId = "c1", NamespaceId = "ns-1", Kind = NodeHierarchyKind.Equipment },
+            required: NodePermissions.Read,
+            CancellationToken.None);
+
+        result.Granted.ShouldBeTrue();
+        result.Matches.Count.ShouldBe(1);
+        result.Matches[0].LdapGroup.ShouldBe("cn=operators");
+        result.Matches[0].Scope.ShouldBe(NodeAclScopeKind.Cluster);
+    }
+
+    [Fact]
+    public async Task Probe_Denies_When_NoGroupMatches()
+    {
+        using var ctx = NewContext();
+        SeedAcl(ctx, 1, "c1", NodeAclScopeKind.Cluster, null, "cn=operators", NodePermissions.Read);
+        var svc = new PermissionProbeService(ctx);
+
+        var result = await svc.ProbeAsync(1, "cn=random-group",
+            new NodeScope { ClusterId = "c1", Kind = NodeHierarchyKind.Equipment },
+            NodePermissions.Read, CancellationToken.None);
+
+        result.Granted.ShouldBeFalse();
+        result.Matches.ShouldBeEmpty();
+        result.Effective.ShouldBe(NodePermissions.None);
+    }
+
+    [Fact]
+    public async Task Probe_Denies_When_Effective_Missing_RequiredFlag()
+    {
+        using var ctx = NewContext();
+        SeedAcl(ctx, 1, "c1", NodeAclScopeKind.Cluster, null, "cn=operators", NodePermissions.Browse | NodePermissions.Read);
+        var svc = new PermissionProbeService(ctx);
+
+        var result = await svc.ProbeAsync(1, "cn=operators",
+            new NodeScope { ClusterId = "c1", Kind = NodeHierarchyKind.Equipment },
+            required: NodePermissions.WriteOperate,
+            CancellationToken.None);
+
+        result.Granted.ShouldBeFalse();
+        result.Effective.ShouldBe(NodePermissions.Browse | NodePermissions.Read);
+    }
+
+    [Fact]
+    public async Task Probe_Ignores_Rows_From_OtherClusters()
+    {
+        using var ctx = NewContext();
+        SeedAcl(ctx, 1, "c1", NodeAclScopeKind.Cluster, null, "cn=operators", NodePermissions.Read);
+        SeedAcl(ctx, 1, "c2", NodeAclScopeKind.Cluster, null, "cn=operators", NodePermissions.WriteOperate);
+        var svc = new PermissionProbeService(ctx);
+
+        var c1Result = await svc.ProbeAsync(1, "cn=operators",
+            new NodeScope { ClusterId = "c1", Kind = NodeHierarchyKind.Equipment },
+            NodePermissions.WriteOperate, CancellationToken.None);
+
+        c1Result.Granted.ShouldBeFalse("c2's WriteOperate grant must NOT leak into c1's probe");
+    }
+
+    [Fact]
+    public async Task Probe_UsesOnlyRows_From_Specified_Generation()
+    {
+        using var ctx = NewContext();
+        SeedAcl(ctx, gen: 1, cluster: "c1", NodeAclScopeKind.Cluster, null, "cn=operators", NodePermissions.Read);
+        SeedAcl(ctx, gen: 2, cluster: "c1", NodeAclScopeKind.Cluster, null, "cn=operators", NodePermissions.WriteOperate);
+        var svc = new PermissionProbeService(ctx);
+
+        var gen1 = await svc.ProbeAsync(1, "cn=operators",
+            new NodeScope { ClusterId = "c1", Kind = NodeHierarchyKind.Equipment },
+            NodePermissions.WriteOperate, CancellationToken.None);
+        var gen2 = await svc.ProbeAsync(2, "cn=operators",
+            new NodeScope { ClusterId = "c1", Kind = NodeHierarchyKind.Equipment },
+            NodePermissions.WriteOperate, CancellationToken.None);
+
+        gen1.Granted.ShouldBeFalse();
+        gen2.Granted.ShouldBeTrue();
+    }
+
+    private static void SeedAcl(
+        OtOpcUaConfigDbContext ctx, long gen, string cluster,
+        NodeAclScopeKind scopeKind, string? scopeId, string group, NodePermissions flags)
+    {
+        ctx.NodeAcls.Add(new NodeAcl
+        {
+            NodeAclRowId = Guid.NewGuid(),
+            NodeAclId = $"acl-{Guid.NewGuid():N}"[..16],
+            GenerationId = gen,
+            ClusterId = cluster,
+            LdapGroup = group,
+            ScopeKind = scopeKind,
+            ScopeId = scopeId,
+            PermissionFlags = flags,
+        });
+        ctx.SaveChanges();
+    }
+
+    private static OtOpcUaConfigDbContext NewContext()
+    {
+        var opts = new DbContextOptionsBuilder<OtOpcUaConfigDbContext>()
+            .UseInMemoryDatabase(Guid.NewGuid().ToString())
+            .Options;
+        return new OtOpcUaConfigDbContext(opts);
+    }
+}