$node parameter of node_access() / hook_node_access() should always be a Node

yup, that's a bug.

unfortunately changing it means that a different data type will be passed to hook_access() implementations, which could cause downstream errors in contrib code that might outweigh any benefits in D6.

Hopefully everyone that this is causing a problem for has discovered this example in node_content_access().:

$type = is_string($node) ? $node : (is_array($node) ? $node['type'] : $node->type);

However, the bug technically still exists in D8:

function node_preview(EntityInterface $node) {
  if (node_access('create', $node) || node_access('update', $node)) {

That said, node_access() is now more defensive about how it handles passed in $node values:

function node_access($op, $node, $account = NULL, $langcode = NULL) {
  if (!$node instanceof EntityInterface) {
    $type = is_object($node) ? $node->type : $node;
    $node = entity_create('node', array('type' => $type));
  }

so this issue exists in D8 but is even more minor than it was in D6.

Would it be untoward to reframe the issue like so? Generally speaking, it isn't good API design for the type of one function parameter to vary based on the value of another parameter. If we call that variable $node, it should always be a node! : )

Especially since node_access() is doing the conversion anyways... which means the docs for hook_node_access() must be wrong: $node will never be a string by that time, because:

1. node_access() converts string node types to empty node entities and
2. node_access() uses EntityAccessController::access() anyways, which requires a full entity and passes it as a full entity to hook_node_access().

If we decide it's too cumbersome to require invokers of node_access() to first create an empty node object, then we should make a wrapper along the lines of node_type_create_access() (or push "entity creation by type" access up the food chain).

Patch attached moves forward with a small wrapper for create access. I wasn't sure on the parameter docs if I was specifying the type properly, though. i.e. I don't know for sure that $account always implements Drupal\Core\Session\AccountInterface, I just saw that other modules documented $account parameters as such. Additionally, in some places there's a preceding \, in other places there isn't. Is there a standard?

Also, I wasn't sure if the $account variable is actually supposed the be AccountInterface or some User related interface... went with account since that's what the access controller uses. And I saw that we specified in the .api.php an object for $langcode, but I'm pretty sure that's always a string.

Note that this fixes the OP by simply always making this a node entity. Confusion be gone.

And here's another take that just uses entity_create() inline in our calls to node_access('create', ...).

node_access() is just a deprecated wrapper that does this already internally, I think this issue is a duplicate of #1947880: Replace node_access() by $entity->access() and #1979094: Separate create access operation entity access controllers to avoid costly EntityNG instantiation.

If anything, something could be improved in 7.x/6.x but the other way round, as the initial bug report said, but I think that's unlikely to happen, as it is to be expected that the arguments differ, this can't be enforced, so doesn't seem worth the effort.

Great, didn't realize there were duplicates around. Saves me the trouble of finding out why the tests were failing. : )