package security

// PermissionMask is a resolved bit-mask for a user on a specific resource.
// It is returned by PermissionProvider.ResolveMask and inspected with Has.
// A zero value means no permissions are granted.
type PermissionMask int64

// Has reports whether the given permission bit is set in the mask.
// Returns false for out-of-range values (p < 0 or p > MaxPermission).
func (m PermissionMask) Has(p Permission) bool {
	if p < 0 || p >= 63 {
		return false
	}
	return (int64(m) & (1 << uint(p))) != 0
}

// Grant returns a new mask with the bit for p set.
// The receiver is not modified — safe to use in builder chains:
//
//	mask := security.PermissionMask(0).Grant(Read).Grant(Write)
func (m PermissionMask) Grant(p Permission) PermissionMask {
	if p < 0 || p >= 63 {
		return m
	}
	return PermissionMask(int64(m) | (1 << uint(p)))
}