diff --git a/SharepointToolbox/Core/Models/PermissionEntry.cs b/SharepointToolbox/Core/Models/PermissionEntry.cs
new file mode 100644
index 0000000..11043e8
--- /dev/null
+++ b/SharepointToolbox/Core/Models/PermissionEntry.cs
@@ -0,0 +1,17 @@
+namespace SharepointToolbox.Core.Models;
+
+///
+/// Flat record representing one permission assignment on a SharePoint object.
+/// Mirrors the $entry object built by the PowerShell Generate-PnPSitePermissionRpt function.
+///
+public record PermissionEntry(
+ string ObjectType, // "Site Collection" | "Site" | "List" | "Folder"
+ string Title,
+ string Url,
+ bool HasUniquePermissions,
+ string Users, // Semicolon-joined display names
+ string UserLogins, // Semicolon-joined login names
+ string PermissionLevels, // Semicolon-joined role names (Limited Access already removed)
+ string GrantedThrough, // "Direct Permissions" | "SharePoint Group: "
+ string PrincipalType // "SharePointGroup" | "User" | "External User"
+);
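Review bot: `Users`, `UserLogins` and `PermissionLevels` are carried as semicolon-joined strings, so a consumer cannot reliably split them again: a display name that itself contains `;` shifts every later position and breaks the pairing between `Users` and `UserLogins`. In a permission report that pairing is what ties a displayed name to an account. If the flat shape is kept for parity with the PowerShell `$entry`, the comment should say so, e.g. `// Semicolon-joined display names; a name may contain ';', so do not split — for display/export only`. Otherwise `IReadOnlyList<string>` for the three fields, joined only at export time, removes the ambiguity. The comments on `ObjectType` and `PrincipalType` list closed sets of values, which would be safer as enums than as free strings.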
diff --git a/SharepointToolbox/Core/Models/ScanOptions.cs b/SharepointToolbox/Core/Models/ScanOptions.cs
new file mode 100644
index 0000000..dd31f87
--- /dev/null
+++ b/SharepointToolbox/Core/Models/ScanOptions.cs
@@ -0,0 +1,12 @@
+namespace SharepointToolbox.Core.Models;
+
+///
+/// Immutable scan configuration value object.
+/// Controls which SharePoint objects are included in the permission scan.
+///
+public record ScanOptions(
+ bool IncludeInherited = false, // When false: only objects with unique permissions are returned
+ bool ScanFolders = true, // Include folder-level permission entries
+ int FolderDepth = 1, // Max folder depth to scan (999 = unlimited)
+ bool IncludeSubsites = false // Whether to recursively scan subsites
+);
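Review bot: `FolderDepth` uses the magic value 999 for "unlimited" and accepts any `int`, so zero and negative depths are representable with no defined meaning. A named constant in the record body, `public const int UnlimitedFolderDepth = 999;`, or an `int?` where `null` means unlimited, would make the sentinel explicit. A range check should reject negative values wherever the options are consumed. The summary should also state that the defaults (`IncludeInherited = false`, `FolderDepth = 1`) presumably leave uniquely permissioned folders below the first level out of the result, so a default run is not read as a complete audit.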
diff --git a/SharepointToolbox/Services/IPermissionsService.cs b/SharepointToolbox/Services/IPermissionsService.cs
new file mode 100644
index 0000000..f400632
--- /dev/null
+++ b/SharepointToolbox/Services/IPermissionsService.cs
@@ -0,0 +1,17 @@
+using Microsoft.SharePoint.Client;
+using SharepointToolbox.Core.Models;
+
+namespace SharepointToolbox.Services;
+
+///
+/// Contract for the permission scan engine.
+/// Enables ViewModel mocking in unit tests.
+///
+public interface IPermissionsService
+{
+ Task> ScanSiteAsync(
+ ClientContext ctx,
+ ScanOptions options,
+ IProgress progress,
+ CancellationToken ct);
+}
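Review bot: `ScanSiteAsync` has no XML documentation, and the contract it leaves open matters to every implementer and mock. Add a `<summary>` plus `<param>` and `<exception>` tags stating that `ctx` is an already-authenticated, caller-owned context that the service must not dispose. They should also say whether cancellation via `ct` throws `OperationCanceledException` or returns the entries collected so far, since a partial result could be mistaken for a complete audit. `progress` is declared non-nullable, so the docs should say whether callers may pass `null`. The return type and `IProgress` appear without type arguments in this view (`Task>`, `IProgress`), which looks like a rendering loss; confirm the committed file declares them.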