package rbac

import "context"

// PermissionProvider resolves the permission mask for a user on a given resource.
//
// Implementations may call [FromContext] to retrieve the [Identity] (and its
// TenantID) when multi-tenancy is required — there is no need to thread tenantID
// as an explicit parameter since it is already in the context.
//
// The resource string identifies what is being accessed (e.g. "orders",
// "invoices"). Its meaning is defined by the application.
//
// Example in-memory implementation for tests:
//
//	type staticProvider struct {
//	    mask rbac.PermissionMask
//	}
//
//	func (p *staticProvider) ResolveMask(_ context.Context, _, _ string) (rbac.PermissionMask, error) {
//	    return p.mask, nil
//	}
type PermissionProvider interface {
	ResolveMask(ctx context.Context, uid, resource string) (PermissionMask, error)
}