feat(rbac)!: promote to v1.0.0 — MaxPermission constant, audit logging policy

Add MaxPermission constant (62) to make the valid bit range explicit in the API. Document in PermissionProvider that audit logging belongs in the application layer. API committed as stable: Identity, PermissionMask, context helpers, and PermissionProvider interface are unchanged from v0.9.0.
2026-05-07 22:46:44 -06:00
parent 0864f031a1
commit 18fcd2bee3
5 changed files with 51 additions and 0 deletions
--- a/permission_test.go
+++ b/permission_test.go
@@ -93,3 +93,19 @@ func TestPermissionMask_Grant_DoesNotMutateReceiver(t *testing.T) {
 		t.Error("Grant mutated the receiver; PermissionMask must be a value type")
 	}
 }
+
+func TestMaxPermission(t *testing.T) {
+	if MaxPermission != 62 {
+		t.Errorf("MaxPermission = %d, want 62", MaxPermission)
+	}
+	// MaxPermission must be usable as a valid bit position.
+	mask := PermissionMask(0).Grant(MaxPermission)
+	if !mask.Has(MaxPermission) {
+		t.Error("MaxPermission bit not set after Grant")
+	}
+	// One past the limit must be rejected.
+	mask2 := PermissionMask(0).Grant(MaxPermission + 1)
+	if mask2 != 0 {
+		t.Error("Grant(MaxPermission+1) must return the original mask unchanged")
+	}
+}