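using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
using ZB.MOM.WW.OtOpcUa.Configuration.Enums;

namespace ZB.MOM.WW.OtOpcUa.Configuration.Services;

// NOTE(review): the XML doc tags and generic type arguments of this file were lost in
// extraction (e.g. "Task>" and a bare "IEnumerable ldapGroups"). The element types below
// (IEnumerable<string>, IReadOnlyList<LdapGroupRoleMapping>) are reconstructed from the
// surrounding documentation — confirm against the implementing service before relying on them.

/// <summary>
/// CRUD surface for <see cref="LdapGroupRoleMapping"/> — the control-plane mapping from
/// LDAP groups to Admin UI roles. Consumed only by Admin UI code paths; the OPC UA
/// data-path evaluator MUST NOT depend on this interface (see decision #150 and the
/// Phase 6.2 compliance check on control/data-plane separation).
/// </summary>
/// <remarks>
/// Per Phase 6.2 Stream A.2 this service is expected to run behind the Phase 6.1
/// ResilientConfigReader pipeline (timeout → retry → fallback-to-cache) so a
/// transient DB outage during sign-in falls back to the sealed snapshot rather than
/// denying every login.
/// </remarks>
public interface ILdapGroupRoleMappingService
{
    /// <summary>
    /// List every mapping whose LDAP group matches one of <paramref name="ldapGroups"/>.
    /// </summary>
    /// <remarks>
    /// Hot path — fires on every sign-in. The default EF implementation relies on the
    /// IX_LdapGroupRoleMapping_Group index. Case-insensitive per LDAP conventions.
    /// Callers are expected to pass the group set exactly as returned by the directory for the
    /// authenticated user; this interface performs no further normalisation of group names.
    /// </remarks>
    /// <param name="ldapGroups">LDAP group names of the signing-in principal; may be empty.</param>
    /// <param name="cancellationToken">Cancels the lookup.</param>
    /// <returns>The matching mappings; empty (never <c>null</c>) when no group is mapped.</returns>
    Task<IReadOnlyList<LdapGroupRoleMapping>> GetByGroupsAsync(
        IEnumerable<string> ldapGroups,
        CancellationToken cancellationToken);

    /// <summary>Enumerate every mapping; Admin UI listing only.</summary>
    /// <param name="cancellationToken">Cancels the enumeration.</param>
    /// <returns>All mappings, empty when none exist.</returns>
    Task<IReadOnlyList<LdapGroupRoleMapping>> ListAllAsync(CancellationToken cancellationToken);

    /// <summary>Create a new grant.</summary>
    /// <param name="row">The mapping row to persist.</param>
    /// <param name="cancellationToken">Cancels the write.</param>
    /// <exception cref="InvalidLdapGroupRoleMappingException">
    /// Thrown when the proposed row violates an invariant (IsSystemWide inconsistent with
    /// ClusterId, duplicate (group, cluster) pair, etc.) — ValidatedLdapGroupRoleMappingService
    /// is the write surface that enforces these; the raw service here surfaces DB-level violations.
    /// </exception>
    Task CreateAsync(LdapGroupRoleMapping row, CancellationToken cancellationToken);

    /// <summary>Delete a mapping by its surrogate key.</summary>
    /// <param name="id">Surrogate key of the mapping to remove.</param>
    /// <param name="cancellationToken">Cancels the delete.</param>
    /// <remarks>
    /// NOTE(review): behaviour for an unknown <paramref name="id"/> (no-op vs. exception) is not
    /// specified here — confirm with the implementing service before callers depend on either.
    /// </remarks>
    Task DeleteAsync(Guid id, CancellationToken cancellationToken);
}

/// <summary>Thrown when authoring violates an invariant.</summary>
public sealed class InvalidLdapGroupRoleMappingException : Exception
{
    /// <summary>Creates the exception with a human-readable description of the violated invariant.</summary>
    /// <param name="message">Description of the violated invariant.</param>
    public InvalidLdapGroupRoleMappingException(string message)
        : base(message)
    {
    }

    /// <summary>
    /// Creates the exception wrapping the underlying failure (e.g. a DB-level constraint violation
    /// surfaced by the raw service) so the original stack is preserved for diagnostics.
    /// </summary>
    /// <param name="message">Description of the violated invariant.</param>
    /// <param name="innerException">The underlying failure, or <c>null</c>.</param>
    public InvalidLdapGroupRoleMappingException(string message, Exception? innerException)
        : base(message, innerException)
    {
    }
}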