tests: record AFP trustee access privileges smoke success

TODO.md

@@ -418,9 +418,11 @@ Refactor/wrapper follow-up:
   `st_atime`/`utime()` path, and Create/Backup through the existing
   `nwarchive.c` metadata helpers.
 - Normalize Get/Scan File Information so each field comes from the existing
-  mars_nwe source of truth where possible: NetWare attributes, effective rights,
-  file size, timestamps, owner information, archive date/time, FinderInfo,
-  resource-fork size, and Entry ID/CNID metadata.
+  mars_nwe source of truth where possible: NetWare attributes, file size,
+  timestamps, owner information, archive date/time, FinderInfo, resource-fork
+  size, and Entry ID/CNID metadata.  AccessPrivileges are now derived from
+  `tru_get_eff_rights()` instead of static AFP masks and have readonly smoke
+  coverage under a temporary `[RF]` trustee assignment.
 - Revisit Scan File Information after the resolver work and prefer mars_nwe's
   existing directory/search machinery over the current AFP-local directory walk
   for search attributes, namespace filtering, and multi-record replies.
@@ -550,3 +552,20 @@ bitmap `0x0800`, both for epoch `1700000000` with the returned AFP date
 `user.org.mars-nwe.netware.fileinfo=0x01036e57aab90000000000000000`, while
 Access Date/Time remained on the normal file `atime` path and did not create an
 AFP metadata xattr.
+
+AFP Get/Scan AccessPrivileges convergence:
+
+- AFP Get File Information and AFP Scan File Information now use the same
+  trustee/effective-rights source when filling the WebSDK AccessPrivileges
+  word.  The old static file/directory masks have been replaced with mapping
+  from `tru_get_eff_rights()` to Read, Write, Open, Create, Delete, Parental,
+  Search, and Modify File Status Flags.
+- File-level readonly attributes still suppress write/delete style AFP
+  privileges for file replies, while directories expose directory-appropriate
+  parental/search/status bits based on the effective trustee rights.
+- Runtime status: the AFP smoke suite verified the mapping with
+  `--readonly-user NOPASSUSER --readonly-no-password --prepare-readonly-rights`.
+  The suite granted `[RF]` on `SYS:PUBLIC/pmdflts.ini`, confirmed the readonly
+  Get File Information probe reported `rights=0x0500`, checked that Read was
+  set and Write/Modify Status were clear, then revoked the temporary trustee
+  assignment.  The same run ended with `failures=0`.

tests/linux/README.md

@@ -459,6 +459,46 @@ The server replies with the read-only AFP file information record currently
 implemented by mars_nwe: Entry ID, Parent ID, attributes, data/resource fork
 lengths, offspring count, fixed long/short names, and access rights.
 
+
+### AFP Get/Scan AccessPrivileges smoke
+
+AFP Get File Information and AFP Scan File Information now derive the
+`AccessPrivileges` word from mars_nwe trustee/effective-rights state instead
+of returning the old static compatibility masks.  The WebSDK AccessPrivileges
+bits exposed by the smoke helpers are:
+
+```text
+0x0100 Read
+0x0200 Write
+0x0400 Open
+0x0800 Create
+0x1000 Delete
+0x2000 Parental
+0x4000 Search
+0x8000 Modify File Status Flags
+```
+
+The AFP smoke suite exercises this with the same readonly trustee setup used by
+the metadata negative tests.  With `--readonly-user NOPASSUSER`,
+`--readonly-no-password`, and `--prepare-readonly-rights`, the suite grants
+`[RF]` on `SYS:PUBLIC/pmdflts.ini` and verifies that Get File Information
+reports readable/openable rights while write and modify-status rights are not
+set:
+
+```sh
+./afp_file_info_smoke \
+  --expect-rights-set 0x0100 \
+  --expect-rights-clear 0x9200 \
+  -S MARS -U NOPASSUSER -n \
+  SYS:PUBLIC/pmdflts.ini
+```
+
+Runtime status: the trustee-derived AccessPrivileges smoke run is verified
+with `failures=0`.  The report showed the Supervisor Get/Scan replies returning
+`rights=0x9f00`, while the readonly `NOPASSUSER` probe returned `rights=0x0500`
+under the temporary `[RF]` trustee assignment and satisfied the set/clear mask
+checks.
+
 Useful smoke cases for a standard MARS-NWE `SYS` volume are:
 
 ```sh