namespace ZB.MOM.WW.OtOpcUa.Configuration.Enums;

/// <summary>
///     Admin UI roles per <c>admin-ui.md</c> §"Admin Roles" and Phase 6.2 Stream A.
///     These govern Admin UI capabilities (cluster CRUD, draft → publish, fleet-wide admin
///     actions) — they do NOT govern OPC UA data-path authorization, which reads
///     <see cref="Entities.NodeAcl"/> joined against LDAP group memberships directly.
/// </summary>
/// <remarks>
///     Per <c>docs/v2/plan.md</c> decision #150 the two concerns share zero runtime code path:
///     the control plane (Admin UI) consumes <see cref="Entities.LdapGroupRoleMapping"/>; the
///     data plane consumes <see cref="Entities.NodeAcl"/> rows directly. Having them in one
///     table would collapse the distinction + let a user inherit tag permissions via their
///     admin-role claim path.
/// </remarks>
public enum AdminRole
{
    /// <summary>Read-only Admin UI access — can view cluster state, drafts, publish history.</summary>
    ConfigViewer,

    /// <summary>Can author drafts + submit for publish.</summary>
    ConfigEditor,

    /// <summary>Full Admin UI privileges including publish + fleet-admin actions.</summary>
    FleetAdmin,
}