Add DeferredGateHardeningTests (28 unit tests) covering the Phase 6.2
compliance-checklist gaps left by the per-gate unit suites that shipped
with the gate implementations:
- Lax-mode fall-through for CreateMonitoredItems and Call gates (null
identity and identity-without-LDAP-groups both skip denial in lax mode,
consistent with BrowseGatingTests.Lax_mode_null_identity)
- Flag isolation: Subscribe-only grant does NOT imply Read; Read-only
grant does NOT imply Subscribe; HistoryRead-only grant does NOT imply
Read and vice versa (Phase 6.2 compliance: "HistoryRead uses its own flag")
- Alarm-bit isolation: AlarmAcknowledge alone does not grant AlarmConfirm
or AlarmShelve; Browse alone does not grant AlarmAcknowledge
- AlarmShelve falls through to OpcUaOperation.Call in MapCallOperation
(documents the ShelvedStateMachine per-instance NodeId limitation noted
in the implementation, with the follow-up path: MethodCall grant covers it)
- Complete OpcUaOperation→NodePermissions mapping coverage for all deferred
operations (Browse, CreateMonitoredItems, TransferSubscriptions, Call,
AlarmAcknowledge, AlarmConfirm, AlarmShelve) — both positive and
wrong-bit negative cases
- Multi-group union for deferred gates (grp-browse ∪ grp-ack gives both
Browse and AlarmAcknowledge without leaking Read or Call)
Build: 0 errors on Server.csproj (verified against main repo build which
carries the gRPC-generated Galaxy driver artifacts the isolated worktree
lacks — that pre-existing gap is unrelated to these changes).
Test count: 247 → 275 (+28 unit, 0 failures).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
70d7166a39