feat(todo-api): add full-stack POC demonstrating micro-lib v0.9.0

Runnable REST API exercising every micro-lib tier in a containerless setup: N-layer architecture, SQLite persistence, header-based auth simulating Firebase output, and bit-mask RBAC enforcement.

What's included:
- cmd/todo-api: minimal main delegating to application.Run
- internal/application: full object graph wiring — launcher, sqlite, httpserver, httpmw stack, routes in BeforeStart
- internal/domain: User entity, ResourceTodos constant, PermReadTodo/PermWriteTodo bit positions
- internal/repository: TodoRepository, UserRepository, DBPermissionProvider (SQLite via modernc)
- internal/service: TodoService, UserService with interface-based dependencies
- internal/handler: TodoHandler, UserHandler using httputil adapters and valid for input validation
- internal/middleware: Auth (X-User-ID → rbac.Identity) and Require (bit-mask permission gate)
- logAdapter: bridges logz.Logger.With return type to httpmw.Logger interface
- SQLite schema: users, user_role (bitmask), todos; migrations run in BeforeStart
- Routes: POST /users (open), GET+POST /todos (RBAC), GET /users (RBAC)

Tested-via: todo-api POC integration
Reviewed-against: docs/adr/

internal/repository/permission_provider.go

@@ -0,0 +1,38 @@
+package repository
+
+import (
+	"context"
+	"database/sql"
+	"errors"
+
+	"code.nochebuena.dev/go/rbac"
+	"code.nochebuena.dev/go/sqlite"
+)
+
+// DBPermissionProvider implements rbac.PermissionProvider by reading the
+// user_role table. A missing row is treated as "no permissions" (mask = 0).
+type DBPermissionProvider struct {
+	db sqlite.Client
+}
+
+// NewPermissionProvider returns a DBPermissionProvider backed by the given client.
+func NewPermissionProvider(db sqlite.Client) *DBPermissionProvider {
+	return &DBPermissionProvider{db: db}
+}
+
+// ResolveMask returns the permission bit-mask for uid on resource.
+// Returns 0 (no permissions) if no row exists for the user/resource pair.
+func (p *DBPermissionProvider) ResolveMask(ctx context.Context, uid, resource string) (rbac.PermissionMask, error) {
+	row := p.db.GetExecutor(ctx).QueryRowContext(ctx,
+		`SELECT permissions FROM user_role WHERE user_id = ? AND resource = ?`,
+		uid, resource,
+	)
+	var bits int64
+	if err := row.Scan(&bits); err != nil {
+		if errors.Is(err, sql.ErrNoRows) {
+			return 0, nil
+		}
+		return 0, err
+	}
+	return rbac.PermissionMask(bits), nil
+}

internal/repository/todo_repository.go

@@ -0,0 +1,61 @@
+package repository
+
+import (
+	"context"
+
+	"code.nochebuena.dev/go/sqlite"
+	"code.nochebuena.dev/go/todo-api/internal/domain"
+)
+
+// TodoRepository defines persistence operations for todos.
+type TodoRepository interface {
+	FindAll(ctx context.Context) ([]domain.Todo, error)
+	Create(ctx context.Context, todo domain.Todo) (domain.Todo, error)
+}
+
+type todoRepository struct {
+	db sqlite.Client
+}
+
+// NewTodoRepository returns a SQLite-backed TodoRepository.
+func NewTodoRepository(db sqlite.Client) TodoRepository {
+	return &todoRepository{db: db}
+}
+
+func (r *todoRepository) FindAll(ctx context.Context) ([]domain.Todo, error) {
+	rows, err := r.db.GetExecutor(ctx).QueryContext(ctx,
+		`SELECT id, title, done, created_at FROM todos ORDER BY created_at DESC`,
+	)
+	if err != nil {
+		return nil, r.db.HandleError(err)
+	}
+	defer rows.Close()
+
+	var todos []domain.Todo
+	for rows.Next() {
+		var t domain.Todo
+		if err := rows.Scan(&t.ID, &t.Title, &t.Done, &t.CreatedAt); err != nil {
+			return nil, err
+		}
+		todos = append(todos, t)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	if todos == nil {
+		todos = []domain.Todo{} // always return a slice, never nil
+	}
+	return todos, nil
+}
+
+func (r *todoRepository) Create(ctx context.Context, todo domain.Todo) (domain.Todo, error) {
+	row := r.db.GetExecutor(ctx).QueryRowContext(ctx,
+		`INSERT INTO todos (title, done) VALUES (?, ?) RETURNING id, title, done, created_at`,
+		todo.Title, todo.Done,
+	)
+	var t domain.Todo
+	if err := row.Scan(&t.ID, &t.Title, &t.Done, &t.CreatedAt); err != nil {
+		return domain.Todo{}, r.db.HandleError(err)
+	}
+	return t, nil
+}

internal/repository/user_repository.go

@@ -0,0 +1,91 @@
+package repository
+
+import (
+	"context"
+	"database/sql"
+	"errors"
+
+	"code.nochebuena.dev/go/rbac"
+	"code.nochebuena.dev/go/sqlite"
+	"code.nochebuena.dev/go/xerrors"
+	"code.nochebuena.dev/go/todo-api/internal/domain"
+)
+
+// UserRepository defines persistence operations for users and their role bits.
+type UserRepository interface {
+	FindAll(ctx context.Context) ([]domain.User, error)
+	FindByID(ctx context.Context, id string) (domain.User, error)
+	Create(ctx context.Context, user domain.User) (domain.User, error)
+	SetPermissions(ctx context.Context, userID, resource string, mask rbac.PermissionMask) error
+}
+
+type userRepository struct {
+	db sqlite.Client
+}
+
+// NewUserRepository returns a SQLite-backed UserRepository.
+func NewUserRepository(db sqlite.Client) UserRepository {
+	return &userRepository{db: db}
+}
+
+func (r *userRepository) FindAll(ctx context.Context) ([]domain.User, error) {
+	rows, err := r.db.GetExecutor(ctx).QueryContext(ctx,
+		`SELECT id, name, email, created_at FROM users ORDER BY created_at DESC`,
+	)
+	if err != nil {
+		return nil, r.db.HandleError(err)
+	}
+	defer rows.Close()
+
+	var users []domain.User
+	for rows.Next() {
+		var u domain.User
+		if err := rows.Scan(&u.ID, &u.Name, &u.Email, &u.CreatedAt); err != nil {
+			return nil, err
+		}
+		users = append(users, u)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	if users == nil {
+		users = []domain.User{}
+	}
+	return users, nil
+}
+
+func (r *userRepository) FindByID(ctx context.Context, id string) (domain.User, error) {
+	row := r.db.GetExecutor(ctx).QueryRowContext(ctx,
+		`SELECT id, name, email, created_at FROM users WHERE id = ?`, id,
+	)
+	var u domain.User
+	if err := row.Scan(&u.ID, &u.Name, &u.Email, &u.CreatedAt); err != nil {
+		if errors.Is(err, sql.ErrNoRows) {
+			return domain.User{}, xerrors.New(xerrors.ErrNotFound, "user not found")
+		}
+		return domain.User{}, r.db.HandleError(err)
+	}
+	return u, nil
+}
+
+func (r *userRepository) Create(ctx context.Context, user domain.User) (domain.User, error) {
+	row := r.db.GetExecutor(ctx).QueryRowContext(ctx,
+		`INSERT INTO users (id, name, email) VALUES (?, ?, ?)
+		 RETURNING id, name, email, created_at`,
+		user.ID, user.Name, user.Email,
+	)
+	var u domain.User
+	if err := row.Scan(&u.ID, &u.Name, &u.Email, &u.CreatedAt); err != nil {
+		return domain.User{}, r.db.HandleError(err)
+	}
+	return u, nil
+}
+
+func (r *userRepository) SetPermissions(ctx context.Context, userID, resource string, mask rbac.PermissionMask) error {
+	_, err := r.db.GetExecutor(ctx).ExecContext(ctx,
+		`INSERT INTO user_role (user_id, resource, permissions) VALUES (?, ?, ?)
+		 ON CONFLICT (user_id, resource) DO UPDATE SET permissions = excluded.permissions`,
+		userID, resource, int64(mask),
+	)
+	return err
+}