feat(todo-api): add full-stack POC demonstrating micro-lib v0.9.0

Runnable REST API exercising every micro-lib tier in a containerless setup: N-layer architecture, SQLite persistence, header-based auth simulating Firebase output, and bit-mask RBAC enforcement.

What's included:
- cmd/todo-api: minimal main delegating to application.Run
- internal/application: full object graph wiring — launcher, sqlite, httpserver, httpmw stack, routes in BeforeStart
- internal/domain: User entity, ResourceTodos constant, PermReadTodo/PermWriteTodo bit positions
- internal/repository: TodoRepository, UserRepository, DBPermissionProvider (SQLite via modernc)
- internal/service: TodoService, UserService with interface-based dependencies
- internal/handler: TodoHandler, UserHandler using httputil adapters and valid for input validation
- internal/middleware: Auth (X-User-ID → rbac.Identity) and Require (bit-mask permission gate)
- logAdapter: bridges logz.Logger.With return type to httpmw.Logger interface
- SQLite schema: users, user_role (bitmask), todos; migrations run in BeforeStart
- Routes: POST /users (open), GET+POST /todos (RBAC), GET /users (RBAC)

Tested-via: todo-api POC integration
Reviewed-against: docs/adr/

internal/repository/user_repository.go

@@ -0,0 +1,91 @@
+package repository
+
+import (
+	"context"
+	"database/sql"
+	"errors"
+
+	"code.nochebuena.dev/go/rbac"
+	"code.nochebuena.dev/go/sqlite"
+	"code.nochebuena.dev/go/xerrors"
+	"code.nochebuena.dev/go/todo-api/internal/domain"
+)
+
+// UserRepository defines persistence operations for users and their role bits.
+type UserRepository interface {
+	FindAll(ctx context.Context) ([]domain.User, error)
+	FindByID(ctx context.Context, id string) (domain.User, error)
+	Create(ctx context.Context, user domain.User) (domain.User, error)
+	SetPermissions(ctx context.Context, userID, resource string, mask rbac.PermissionMask) error
+}
+
+type userRepository struct {
+	db sqlite.Client
+}
+
+// NewUserRepository returns a SQLite-backed UserRepository.
+func NewUserRepository(db sqlite.Client) UserRepository {
+	return &userRepository{db: db}
+}
+
+func (r *userRepository) FindAll(ctx context.Context) ([]domain.User, error) {
+	rows, err := r.db.GetExecutor(ctx).QueryContext(ctx,
+		`SELECT id, name, email, created_at FROM users ORDER BY created_at DESC`,
+	)
+	if err != nil {
+		return nil, r.db.HandleError(err)
+	}
+	defer rows.Close()
+
+	var users []domain.User
+	for rows.Next() {
+		var u domain.User
+		if err := rows.Scan(&u.ID, &u.Name, &u.Email, &u.CreatedAt); err != nil {
+			return nil, err
+		}
+		users = append(users, u)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	if users == nil {
+		users = []domain.User{}
+	}
+	return users, nil
+}
+
+func (r *userRepository) FindByID(ctx context.Context, id string) (domain.User, error) {
+	row := r.db.GetExecutor(ctx).QueryRowContext(ctx,
+		`SELECT id, name, email, created_at FROM users WHERE id = ?`, id,
+	)
+	var u domain.User
+	if err := row.Scan(&u.ID, &u.Name, &u.Email, &u.CreatedAt); err != nil {
+		if errors.Is(err, sql.ErrNoRows) {
+			return domain.User{}, xerrors.New(xerrors.ErrNotFound, "user not found")
+		}
+		return domain.User{}, r.db.HandleError(err)
+	}
+	return u, nil
+}
+
+func (r *userRepository) Create(ctx context.Context, user domain.User) (domain.User, error) {
+	row := r.db.GetExecutor(ctx).QueryRowContext(ctx,
+		`INSERT INTO users (id, name, email) VALUES (?, ?, ?)
+		 RETURNING id, name, email, created_at`,
+		user.ID, user.Name, user.Email,
+	)
+	var u domain.User
+	if err := row.Scan(&u.ID, &u.Name, &u.Email, &u.CreatedAt); err != nil {
+		return domain.User{}, r.db.HandleError(err)
+	}
+	return u, nil
+}
+
+func (r *userRepository) SetPermissions(ctx context.Context, userID, resource string, mask rbac.PermissionMask) error {
+	_, err := r.db.GetExecutor(ctx).ExecContext(ctx,
+		`INSERT INTO user_role (user_id, resource, permissions) VALUES (?, ?, ?)
+		 ON CONFLICT (user_id, resource) DO UPDATE SET permissions = excluded.permissions`,
+		userID, resource, int64(mask),
+	)
+	return err
+}