feat(todo-api): add full-stack POC demonstrating micro-lib v0.9.0

Runnable REST API exercising every micro-lib tier in a containerless setup: N-layer architecture, SQLite persistence, header-based auth simulating Firebase output, and bit-mask RBAC enforcement.

What's included:
- cmd/todo-api: minimal main delegating to application.Run
- internal/application: full object graph wiring — launcher, sqlite, httpserver, httpmw stack, routes in BeforeStart
- internal/domain: User entity, ResourceTodos constant, PermReadTodo/PermWriteTodo bit positions
- internal/repository: TodoRepository, UserRepository, DBPermissionProvider (SQLite via modernc)
- internal/service: TodoService, UserService with interface-based dependencies
- internal/handler: TodoHandler, UserHandler using httputil adapters and valid for input validation
- internal/middleware: Auth (X-User-ID → rbac.Identity) and Require (bit-mask permission gate)
- logAdapter: bridges logz.Logger.With return type to httpmw.Logger interface
- SQLite schema: users, user_role (bitmask), todos; migrations run in BeforeStart
- Routes: POST /users (open), GET+POST /todos (RBAC), GET /users (RBAC)

Tested-via: todo-api POC integration
Reviewed-against: docs/adr/

internal/service/todo_service.go

@@ -0,0 +1,36 @@
+package service
+
+import (
+	"context"
+
+	"code.nochebuena.dev/go/todo-api/internal/domain"
+	"code.nochebuena.dev/go/todo-api/internal/repository"
+)
+
+// CreateTodoRequest is the input for creating a new todo.
+type CreateTodoRequest struct {
+	Title string `json:"title" validate:"required,min=1,max=255"`
+}
+
+// TodoService handles todo business logic.
+type TodoService interface {
+	FindAll(ctx context.Context) ([]domain.Todo, error)
+	Create(ctx context.Context, req CreateTodoRequest) (domain.Todo, error)
+}
+
+type todoService struct {
+	repo repository.TodoRepository
+}
+
+// NewTodoService returns a TodoService backed by the given repository.
+func NewTodoService(repo repository.TodoRepository) TodoService {
+	return &todoService{repo: repo}
+}
+
+func (s *todoService) FindAll(ctx context.Context) ([]domain.Todo, error) {
+	return s.repo.FindAll(ctx)
+}
+
+func (s *todoService) Create(ctx context.Context, req CreateTodoRequest) (domain.Todo, error) {
+	return s.repo.Create(ctx, domain.Todo{Title: req.Title})
+}

internal/service/user_service.go

@@ -0,0 +1,65 @@
+package service
+
+import (
+	"context"
+
+	"code.nochebuena.dev/go/rbac"
+	"code.nochebuena.dev/go/todo-api/internal/domain"
+	"code.nochebuena.dev/go/todo-api/internal/repository"
+)
+
+// CreateUserRequest is the input for creating a new user.
+// CanRead / CanWrite seed the permission bits for the todos resource immediately.
+type CreateUserRequest struct {
+	Name     string `json:"name"     validate:"required,min=1,max=100"`
+	Email    string `json:"email"    validate:"required,email"`
+	CanRead  bool   `json:"can_read"`
+	CanWrite bool   `json:"can_write"`
+}
+
+// UserService handles user business logic.
+type UserService interface {
+	FindAll(ctx context.Context) ([]domain.User, error)
+	Create(ctx context.Context, req CreateUserRequest) (domain.User, error)
+}
+
+type userService struct {
+	repo  repository.UserRepository
+	idGen func() string
+}
+
+// NewUserService returns a UserService. idGen is called to mint new user IDs (e.g. uuid.NewString).
+func NewUserService(repo repository.UserRepository, idGen func() string) UserService {
+	return &userService{repo: repo, idGen: idGen}
+}
+
+func (s *userService) FindAll(ctx context.Context) ([]domain.User, error) {
+	return s.repo.FindAll(ctx)
+}
+
+func (s *userService) Create(ctx context.Context, req CreateUserRequest) (domain.User, error) {
+	user, err := s.repo.Create(ctx, domain.User{
+		ID:    s.idGen(),
+		Name:  req.Name,
+		Email: req.Email,
+	})
+	if err != nil {
+		return domain.User{}, err
+	}
+
+	// Build and persist permission mask from the request flags.
+	var mask rbac.PermissionMask
+	if req.CanRead {
+		mask = mask.Grant(domain.PermReadTodo)
+	}
+	if req.CanWrite {
+		mask = mask.Grant(domain.PermWriteTodo)
+	}
+	if mask != 0 {
+		if err := s.repo.SetPermissions(ctx, user.ID, domain.ResourceTodos, mask); err != nil {
+			return domain.User{}, err
+		}
+	}
+
+	return user, nil
+}