feat(httpauth)!: promote to v1.0.0 — add ChainPermissionProvider, bump rbac to v1.0.0

Add NewChainPermissionProvider: tries each rbac.PermissionProvider in order,
returns the first non-zero mask, propagates errors immediately. Primary use case:
ClaimsPermissionProvider (JWT fast-path, no DB call) chained with
CachedPermissionProvider (DB fallback). Bump rbac dependency to v1.0.0.
API committed as stable.

chain_provider.go

@@ -0,0 +1,39 @@
+package httpauth
+
+import (
+	"context"
+
+	"code.nochebuena.dev/go/rbac"
+)
+
+type chainPermissionProvider struct {
+	providers []rbac.PermissionProvider
+}
+
+// NewChainPermissionProvider returns an rbac.PermissionProvider that tries each
+// provider in order and returns the first non-zero mask. If all providers return 0,
+// the result is 0. On error from any provider, the error is propagated immediately
+// and subsequent providers are not consulted.
+//
+// Primary use case: JWT claims fast-path with DB fallback.
+//
+//	chain := httpauth.NewChainPermissionProvider(
+//	    httpauth.NewClaimsPermissionProvider("permisos"), // JWT claims — no DB call
+//	    httpauth.NewCachedPermissionProvider(dbProvider, cache, 5*time.Minute), // fallback
+//	)
+func NewChainPermissionProvider(providers ...rbac.PermissionProvider) rbac.PermissionProvider {
+	return &chainPermissionProvider{providers: providers}
+}
+
+func (c *chainPermissionProvider) ResolveMask(ctx context.Context, uid, resource string) (rbac.PermissionMask, error) {
+	for _, p := range c.providers {
+		mask, err := p.ResolveMask(ctx, uid, resource)
+		if err != nil {
+			return 0, err
+		}
+		if mask != 0 {
+			return mask, nil
+		}
+	}
+	return 0, nil
+}