feat(rbac)!: promote to v1.0.0 — MaxPermission constant, audit logging policy

Add MaxPermission constant (62) to make the valid bit range explicit in the API.
Document in PermissionProvider that audit logging belongs in the application layer.
API committed as stable: Identity, PermissionMask, context helpers, and
PermissionProvider interface are unchanged from v0.9.0.

CHANGELOG.md

@@ -5,6 +5,29 @@ All notable changes to this module will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this module adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.0.0] — 2026-05-08
+
+### Added
+
+- `MaxPermission Permission = 62` — exported constant that makes the valid bit range
+  explicit in the API; applications can use it in validation code and it is referenced
+  in the `Permission` type godoc
+
+### Changed
+
+- `Permission` type godoc updated to reference `MaxPermission` and document that
+  values outside `[0, MaxPermission]` are silently ignored
+- `PermissionProvider` godoc updated to document that audit logging of permission
+  checks is out of scope for this package — log denials and grants inside
+  PermissionProvider implementations or in the middleware layer
+
+### Unchanged
+
+Identity, PermissionMask (Has, Grant), context helpers (SetInContext, FromContext),
+and the PermissionProvider interface are API-compatible with v0.9.0.
+
+[1.0.0]: https://code.nochebuena.dev/go/rbac/releases/tag/v1.0.0
+
 ## [0.9.0] - 2026-03-18
 
 ### Added