template-monorepo/internal/model/permission/domain/errors.go

package domain

import "fmt"

// Module-wide sentinel errors. They are intentionally untyped so callers
// wrap them with library/errors.Builder when surfacing to HTTP/RPC layers.
var (
	ErrPermissionNotFound = fmt.Errorf("permission: permission not found")
	ErrPermissionDup      = fmt.Errorf("permission: duplicate permission")
	ErrPermissionClosed   = fmt.Errorf("permission: permission is closed")
	ErrPermissionInTenant = fmt.Errorf("permission: permission not in catalog")

	ErrRoleNotFound        = fmt.Errorf("permission: role not found")
	ErrRoleDuplicate       = fmt.Errorf("permission: duplicate role key in tenant")
	ErrRoleSystemImmutable = fmt.Errorf("permission: system role is immutable")
	ErrRoleNotInTenant     = fmt.Errorf("permission: role does not belong to tenant")
	ErrRoleKeyReserved     = fmt.Errorf("permission: role key uses reserved prefix")
	ErrRoleKeyInvalid      = fmt.Errorf("permission: role key format invalid")

	ErrUserRoleNotFound  = fmt.Errorf("permission: user role assignment not found")
	ErrUserRoleDuplicate = fmt.Errorf("permission: duplicate user role assignment")

	ErrRoleMappingNotFound  = fmt.Errorf("permission: role mapping not found")
	ErrRoleMappingDuplicate = fmt.Errorf("permission: duplicate role mapping")

	ErrCasbinNotConfigured = fmt.Errorf("permission: casbin enforcer not configured")
	ErrInvalidCheckRequest = fmt.Errorf("permission: invalid check request")
	ErrInvalidStatus       = fmt.Errorf("permission: invalid status value")
)
feat(permission): add RBAC module with Casbin enforcement and policy reload - Multi-tenant RBAC: permission catalog, roles, role-permission mapping, user-role assignment, and external IdP role mapping (zitadel/ldap/scim). - Casbin enforcer with Redis-backed adapter and Pub/Sub reload for multi-instance policy sync; HTTP middleware enforces (tenant, role, path, method) with platform admin bypass. - /api/v1/permissions routes: catalog, me, policy/reload, roles CRUD, role permissions, user roles, role mappings. - New error scope (31) for Permission and biz code descriptions. - Wire Permission module into ServiceContext, config, mongo-index, and add cmd/permission-seed CLI plus etc/rbac.conf model. - Redis client gains lazy PubSubClient helper (go-zero wrapper lacks Subscribe). - Rewrite internal/model/member/README to cover Tenant/Member/Identity. Co-authored-by: Cursor <cursoragent@cursor.com> 2026-05-21 08:47:35 +00:00			`package domain`

			`import "fmt"`

			`// Module-wide sentinel errors. They are intentionally untyped so callers`
			`// wrap them with library/errors.Builder when surfacing to HTTP/RPC layers.`
			`var (`
			`ErrPermissionNotFound = fmt.Errorf("permission: permission not found")`
			`ErrPermissionDup = fmt.Errorf("permission: duplicate permission")`
			`ErrPermissionClosed = fmt.Errorf("permission: permission is closed")`
			`ErrPermissionInTenant = fmt.Errorf("permission: permission not in catalog")`

			`ErrRoleNotFound = fmt.Errorf("permission: role not found")`
			`ErrRoleDuplicate = fmt.Errorf("permission: duplicate role key in tenant")`
			`ErrRoleSystemImmutable = fmt.Errorf("permission: system role is immutable")`
			`ErrRoleNotInTenant = fmt.Errorf("permission: role does not belong to tenant")`
			`ErrRoleKeyReserved = fmt.Errorf("permission: role key uses reserved prefix")`
			`ErrRoleKeyInvalid = fmt.Errorf("permission: role key format invalid")`

			`ErrUserRoleNotFound = fmt.Errorf("permission: user role assignment not found")`
			`ErrUserRoleDuplicate = fmt.Errorf("permission: duplicate user role assignment")`

			`ErrRoleMappingNotFound = fmt.Errorf("permission: role mapping not found")`
			`ErrRoleMappingDuplicate = fmt.Errorf("permission: duplicate role mapping")`

			`ErrCasbinNotConfigured = fmt.Errorf("permission: casbin enforcer not configured")`
			`ErrInvalidCheckRequest = fmt.Errorf("permission: invalid check request")`
			`ErrInvalidStatus = fmt.Errorf("permission: invalid status value")`
			`)`