From 4a6594d9e8e2281df287cffecd607ea1458e1452 Mon Sep 17 00:00:00 2001
From: Dev <dev@sharepoint-toolbox.local>
Date: Thu, 2 Apr 2026 13:51:15 +0200
Subject: [PATCH] feat(02-02): define PermissionEntry, ScanOptions, and
 IPermissionsService

- PermissionEntry record with 9 fields matching PS Generate-PnPSitePermissionRpt
- ScanOptions record with defaults: IncludeInherited=false, ScanFolders=true, FolderDepth=1, IncludeSubsites=false
- IPermissionsService interface with ScanSiteAsync method enabling ViewModel mocking
---
 .../Core/Models/PermissionEntry.cs              | 17 +++++++++++++++++
 SharepointToolbox/Core/Models/ScanOptions.cs    | 12 ++++++++++++
 .../Services/IPermissionsService.cs             | 17 +++++++++++++++++
 3 files changed, 46 insertions(+)
 create mode 100644 SharepointToolbox/Core/Models/PermissionEntry.cs
 create mode 100644 SharepointToolbox/Core/Models/ScanOptions.cs
 create mode 100644 SharepointToolbox/Services/IPermissionsService.cs

diff --git a/SharepointToolbox/Core/Models/PermissionEntry.cs b/SharepointToolbox/Core/Models/PermissionEntry.cs
new file mode 100644
index 0000000..11043e8
--- /dev/null
+++ b/SharepointToolbox/Core/Models/PermissionEntry.cs
@@ -0,0 +1,17 @@
+namespace SharepointToolbox.Core.Models;
+
+/// <summary>
+/// Flat record representing one permission assignment on a SharePoint object.
+/// Mirrors the $entry object built by the PowerShell Generate-PnPSitePermissionRpt function.
+/// </summary>
+public record PermissionEntry(
+    string ObjectType,          // "Site Collection" | "Site" | "List" | "Folder"
+    string Title,
+    string Url,
+    bool   HasUniquePermissions,
+    string Users,               // Semicolon-joined display names
+    string UserLogins,          // Semicolon-joined login names
+    string PermissionLevels,    // Semicolon-joined role names (Limited Access already removed)
+    string GrantedThrough,      // "Direct Permissions" | "SharePoint Group: <name>"
+    string PrincipalType        // "SharePointGroup" | "User" | "External User"
+);
diff --git a/SharepointToolbox/Core/Models/ScanOptions.cs b/SharepointToolbox/Core/Models/ScanOptions.cs
new file mode 100644
index 0000000..dd31f87
--- /dev/null
+++ b/SharepointToolbox/Core/Models/ScanOptions.cs
@@ -0,0 +1,12 @@
+namespace SharepointToolbox.Core.Models;
+
+/// <summary>
+/// Immutable scan configuration value object.
+/// Controls which SharePoint objects are included in the permission scan.
+/// </summary>
+public record ScanOptions(
+    bool IncludeInherited = false,  // When false: only objects with unique permissions are returned
+    bool ScanFolders      = true,   // Include folder-level permission entries
+    int  FolderDepth      = 1,      // Max folder depth to scan (999 = unlimited)
+    bool IncludeSubsites  = false   // Whether to recursively scan subsites
+);
diff --git a/SharepointToolbox/Services/IPermissionsService.cs b/SharepointToolbox/Services/IPermissionsService.cs
new file mode 100644
index 0000000..f400632
--- /dev/null
+++ b/SharepointToolbox/Services/IPermissionsService.cs
@@ -0,0 +1,17 @@
+using Microsoft.SharePoint.Client;
+using SharepointToolbox.Core.Models;
+
+namespace SharepointToolbox.Services;
+
+/// <summary>
+/// Contract for the permission scan engine.
+/// Enables ViewModel mocking in unit tests.
+/// </summary>
+public interface IPermissionsService
+{
+    Task<IReadOnlyList<PermissionEntry>> ScanSiteAsync(
+        ClientContext ctx,
+        ScanOptions options,
+        IProgress<OperationProgress> progress,
+        CancellationToken ct);
+}