namespace ZB.MOM.WW.OtOpcUa.Server.Security;

/// <summary>
///     Minimal interface an <see cref="Opc.Ua.IUserIdentity"/> exposes so the Phase 6.2
///     authorization evaluator can read the session's resolved LDAP group DNs without a
///     hard dependency on any specific identity subtype. Implemented by OtOpcUaServer's
///     role-based identity; tests stub it to drive the evaluator under different group
///     memberships.
/// </summary>
/// <remarks>
///     Control/data-plane separation (decision #150): Admin UI role routing consumes
///     <see cref="IRoleBearer.Roles"/> via <c>LdapGroupRoleMapping</c>; the OPC UA data-path
///     evaluator consumes <see cref="LdapGroups"/> directly against <c>NodeAcl</c>. The two
///     are sourced from the same directory query at sign-in but never cross.
/// </remarks>
public interface ILdapGroupsBearer
{
    /// <summary>Fully-qualified LDAP group DNs the user is a member of.</summary>
    IReadOnlyList<string> LdapGroups { get; }
}