using ZB.MOM.WW.OtOpcUa.Core.Abstractions;

namespace ZB.MOM.WW.OtOpcUa.Core.Authorization;

/// <summary>
///     Evaluates whether a session is authorized to perform an OPC UA <see cref="OpcUaOperation"/>
///     on the node addressed by a <see cref="NodeScope"/>. Phase 6.2 Stream B central surface.
/// </summary>
/// <remarks>
///     Data-plane only. Reads <c>NodeAcl</c> rows joined against the session's resolved LDAP
///     groups (via <see cref="UserAuthorizationState"/>). Must not depend on the control-plane
///     admin-role mapping table per decision #150 — the two concerns share zero runtime code.
/// </remarks>
public interface IPermissionEvaluator
{
    /// <summary>
    ///     Authorize the requested operation for the session. Callers (<c>DriverNodeManager</c>
    ///     Read / Write / HistoryRead / Subscribe / Browse / Call dispatch) map their native
    ///     failure to <c>BadUserAccessDenied</c> per OPC UA Part 4 when the result is not
    ///     <see cref="AuthorizationVerdict.Allow"/>.
    /// </summary>
    AuthorizationDecision Authorize(UserAuthorizationState session, OpcUaOperation operation, NodeScope scope);
}