package rbac

// Permission is a named bit position (0–62) representing a single capability.
//
// Applications define their own constants using this type:
//
//	const (
//	    Read   rbac.Permission = 0
//	    Write  rbac.Permission = 1
//	    Delete rbac.Permission = 2
//	)
//
// The zero value (0) is a valid permission representing the first bit.
type Permission int64

// PermissionMask is a resolved bit-mask for a user on a specific resource.
// It is returned by [PermissionProvider.ResolveMask] and checked with [PermissionMask.Has].
type PermissionMask int64

// Has reports whether the given permission bit is set in the mask.
// Returns false for out-of-range values (p < 0 or p >= 63).
func (m PermissionMask) Has(p Permission) bool {
	if p < 0 || p >= 63 {
		return false
	}
	return (int64(m) & (1 << uint(p))) != 0
}

// Grant returns a new mask with the bit for p set.
// The receiver is not modified.
// Useful for building masks in tests and in-memory [PermissionProvider] implementations:
//
//	mask := rbac.PermissionMask(0).Grant(Read).Grant(Write)
func (m PermissionMask) Grant(p Permission) PermissionMask {
	if p < 0 || p >= 63 {
		return m
	}
	return PermissionMask(int64(m) | (1 << uint(p)))
}