# Casbin model for the Gateway permission module.
#
# Multi-tenant RBAC with HTTP path/method matching. The 5th policy column
# (name) holds permission.name (dot notation) so audit logs can attribute
# the matched permission without re-querying the catalog.
#
#   Request: (tenant, role, path, method)
#   Policy:  (tenant, role, path, methods, name)
#   Effect:  any role/policy that matches → allow
#   Matcher: same tenant + same role + path keyMatch2 + method regexMatch
#
# Platform admin bypass is enforced before this matcher (middleware short
# circuit), so it does not appear here. See internal/model/permission/SDD.md
# §3.3 (RBAC Model).
# NOTE(review): a bypassed request never reaches this matcher, so it has no
# matched permission name to log — confirm the middleware audits the bypass
# on its own.

# One request carries a single (tenant, role) pair plus the path and method
# being accessed.
# NOTE(review): presumably tenant and role are taken from the authenticated
# session rather than from client-controlled input — verify against the caller.
[request_definition]
r = tenant, role, path, method

# No eft column is declared, so every policy row acts as an allow rule; this
# model has no way to express an explicit deny.
# name is carried for audit attribution only; the matcher never reads it.
[policy_definition]
p = tenant, role, path, methods, name

# Allow when at least one policy row matches. A request that matches no row
# is denied.
[policy_effect]
e = some(where (p.eft == allow))

# All four conditions must hold for a policy row to match.
#
# - tenant and role are compared by exact string equality. This model has no
#   [role_definition], so role inheritance is not resolved here; a principal
#   holding several roles needs one check per role.
# - keyMatch2 treats p.path as a pattern (":param" segments and "*"
#   wildcards), so a broad pattern grants every path it covers.
#   NOTE(review): r.path should be the same normalized path the router
#   dispatches on; differences in trailing-slash or percent-encoding handling
#   between the router and this check can make a request match a different
#   row than intended — confirm in the middleware.
# - regexMatch treats p.methods as a regular expression.
#   NOTE(review): assuming the Go Casbin library, the built-in regexMatch is
#   an unanchored search, so a methods value of GET would also match any
#   method string that merely contains GET. Store methods anchored, e.g.
#   ^(GET|POST)$ (constructed example), and validate the column when
#   policies are written.
[matchers]
m = r.tenant == p.tenant && r.role == p.role && keyMatch2(r.path, p.path) && regexMatch(r.method, p.methods)