package security

import "context"

// PermissionProvider resolves the permission mask for a user on a given resource.
//
// Implementations may call FromContext to retrieve the Identity (and its TenantID)
// when multi-tenancy is required — there is no need to thread tenantID as an
// explicit parameter since it is already in the context.
//
// The resource string identifies what is being accessed (e.g. "orders",
// "invoices"). Its meaning is defined by the application domain.
type PermissionProvider interface {
	// ResolveMask returns the PermissionMask for uid on resource.
	// A zero mask means no permissions are granted. Callers check individual
	// bits with PermissionMask.Has using domain-defined Permission constants.
	ResolveMask(ctx context.Context, uid, resource string) (PermissionMask, error)
}
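
// Added example, not part of this package's source: a tenant-scoped ResolveMask
// that takes the tenant from the context and fails closed when no identity is present.
// The shapes of Identity, FromContext, WithIdentity and PermissionMask.Has, the
// PermRead/PermWrite bits, ErrNoIdentity and TenantProvider are assumptions made
// so the block runs on its own.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Assumed shapes: the package names these types, but their definitions are not shown.
type (
	Permission     uint32
	PermissionMask uint32
	Identity       struct{ UserID, TenantID string }
	ctxKey         struct{}
	grantKey       struct{ tenant, uid, resource string }
)

const PermRead, PermWrite Permission = 1, 2 // hypothetical domain-defined bits

var ErrNoIdentity = errors.New("no tenant identity in context")

func (m PermissionMask) Has(p Permission) bool { return m&PermissionMask(p) != 0 }

func WithIdentity(ctx context.Context, id Identity) context.Context {
	return context.WithValue(ctx, ctxKey{}, id)
}

func FromContext(ctx context.Context) (Identity, bool) {
	id, ok := ctx.Value(ctxKey{}).(Identity)
	return id, ok
}

// TenantProvider is a hypothetical in-memory implementation of ResolveMask.
type TenantProvider struct{ Grants map[grantKey]PermissionMask }

func (p *TenantProvider) ResolveMask(ctx context.Context, uid, resource string) (PermissionMask, error) {
	id, ok := FromContext(ctx)
	if !ok || id.TenantID == "" {
		return 0, ErrNoIdentity // fail closed: zero mask and an error
	}
	// The tenant comes from the context, so another tenant's grants are never looked up.
	return p.Grants[grantKey{id.TenantID, uid, resource}], nil
}

func main() {
	p := &TenantProvider{Grants: map[grantKey]PermissionMask{{"acme", "u1", "orders"}: PermissionMask(PermRead | PermWrite)}} // constructed grant
	m, err := p.ResolveMask(WithIdentity(context.Background(), Identity{"u1", "acme"}), "u1", "orders")
	fmt.Println(m.Has(PermWrite), err)
}
```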