…methods

Add 7 new collection/table names (Resource, Scope, Policy, PolicyTarget,
Permission, PermissionScope, PermissionPolicy) to CollectionList and
Collections var.

Add 28 new method signatures to the Provider interface covering CRUD for
resources, scopes, policies, policy targets, permissions, and join tables,
plus the optimized GetPermissionsForResourceScope evaluation query.

Add CRUD methods for resources, scopes, policies, policy targets,
permissions, permission scopes, and permission policies. Implement
GetPermissionsForResourceScope optimized JOIN query for the evaluation
engine. Add 7 new schemas to AutoMigrate.

Add CRUD methods for all 7 authorization collections using MongoDB driver.
Implement GetPermissionsForResourceScope using sequential lookups.
Create indexes for efficient name and foreign key lookups.

…ders

Add authorization CRUD methods for all remaining NoSQL providers.
Each provider follows its existing patterns for collection access,
querying, and pagination. All 6 providers now implement the full
28-method authorization storage interface.

Add principal-agnostic policy evaluation engine with:
- Role-based and user-based policy evaluators (extensible to client/agent)
- Affirmative and unanimous decision strategies
- MaxScopes delegation ceiling enforcement
- Input validation (safe characters, known resource/scope checks)
- In-memory cache with negative caching and prefix invalidation
- Three enforcement modes (disabled, permissive, enforcing)

Add SetCache, GetCache, DeleteCacheByPrefix to Redis, DB-backed,
and in-memory memory store providers. Update fakeMemoryStore in
tests to implement the new interface methods.

Add --authorization-enforcement, --authorization-cache-ttl,
--include-permissions-in-token, --authorization-log-all-checks flags.
Wire authorization provider in cmd/root.go initialization order.
Pass authorization provider to http_handlers and graphql dependencies.

Add 10 output types, 9 input types, 12 admin mutations, and 6 queries
for the authorization model. Regenerate GraphQL code. Wire resolver
stubs with placeholder implementations until Phase 10.

Add 18 GraphQL handler methods: CRUD for resources, scopes, policies,
permissions, plus check_permission and my_permissions user-facing queries.
Add AsAPI conversion methods to all authorization schemas.
Wire resolvers to graphql Provider interface.

Add POST /api/v1/check-permission endpoint for downstream services.
Extracts principal from JWT Bearer token, evaluates permission via
authorization engine, returns {allowed, matched_policy} JSON response.

Add 16 integration tests covering resource/scope/policy/permission CRUD,
permission evaluation with role-based policies, referential integrity
checks on delete, and cleanup. All tests pass with SQLite.

Add 5 authorization pages to admin dashboard: Resources, Scopes,
Policies, Permissions, and Evaluate. Include guided setup flow,
natural language permission summaries, and policy evaluation
test tool. Add Authorization nav item to sidebar.

- H-1: Make cache invalidation synchronous (remove goroutine) to prevent
  stale authorization decisions after policy changes
- H-2: Add allowlist validation for policy type, logic, and decision
  strategy in add/update handlers -- prevents silent permission escalation
  from typos
- C-2: Fix evaluateRoleTargets unanimous strategy returning true when no
  role targets exist (empty-target bypass)
- C-3: Fix DeletePolicy handler ordering -- storage provider now handles
  cascade deletion, preventing data loss on referential integrity failure
- M-3: Add name format validation (alphanumeric, hyphens, underscores,
  max 100 chars) in resource/scope/policy/permission add/update handlers

Upgrade to latest available versions to address CVE-2026-33816 and
CVE-2026-33815 in pgx. Note: both CVEs have no upstream fix yet
(Fixed in: N/A) but govulncheck confirms the affected symbols
(Backend.Receive, FunctionCall.Decode, Bind.Decode) are not called
by Authorizer code. Also upgrades gorm v1.25.5->v1.25.10.

…cks, and latency

… for unmatched checks

…ult rationale

…led' with one-time log

…ermission-probe errors

…t cache, DoS caps

…ts, test coverage

…fer cache decode, shared identifier constant

…atePermission, duplicate detection

…tribution, dashboard tab paths

- cmd: emit one-time WARN when --authorization-enforcement is unrecognized
  (legacyTypoObserved was set but never read, so typos like "enforcin"
  silently demoted to permissive with no operator signal).
- evaluator: track first deny policy through the per-permission loop and
  return it as matched_policy on Allowed=false, so audits can attribute
  explicit denies instead of seeing a bare null.
- routes: NoRoute fallback serves the SPA shell for any unmatched GET
  under /dashboard/ or /app/, fixing 404 on refresh/bookmark of
  multi-segment SPA paths (e.g. /dashboard/authorization/resources).
- routes/handlers: send Cache-Control: no-cache on the SPA shell HTML and
  the unhashed entry assets (index.js, main.css), and immutable long-cache
  on the content-hashed chunks. Prevents post-deploy users from holding a
  cached shell that points at chunks the new build no longer publishes.
- dashboard Authorization.tsx: NavLinks now use absolute paths so clicking
  a tab from /dashboard/authorization/resources doesn't compound into
  /dashboard/authorization/resources/scopes (which the inner Routes can't
  match → tab pages rendered blank).

…leanup

TestSession was intermittently failing with "unauthorized" because subtests
picked a session_token by iterating MemoryStoreProvider.GetAllData(). Session()
rotates the cookie and deletes the old token in an async goroutine, so the map
transiently held both old and new tokens — map iteration randomness could land
on the token about to be deleted by the rollover goroutine. Replaced the racy
iteration with latestAppSessionCookie(ts), which reads the rotated cookie from
the gin response writer's Set-Cookie headers (deterministic, race-free).

Also softened the storageProvider.Close() failure path in initTestSetup's
t.Cleanup: fire-and-forget goroutines from RegisterEvent / LogEvent / AddSession
can hold pool connections past test body completion, surfacing Close errors
even though test logic succeeded. Switched t.Errorf to t.Logf so cleanup noise
no longer fails the parent test (which previously manifested as bare
"--- FAIL: TestX" with no failing subtest).

Verified with 8 consecutive `make test` runs (all pass) and `go test -count=50
-run TestSession` (50/50 pass).

Session() previously rotated the cookie+memory in two stages: a fire-and-forget
goroutine deleted the OLD session/access/refresh trio, while SetUserSession for
the new tokens ran synchronously. This left a window — bounded only by Go
scheduler latency — where a stolen pre-rotation token was still accepted
alongside the rotated one. It also made integration tests racy: any code that
inspected MemoryStoreProvider state after Session() could see either set.

Move DeleteUserSession into the synchronous path, ordered AFTER the new
session is fully established, so there is never a moment with no valid token
and never a moment with both. Delete failure remains non-fatal (log and
continue) since the new session is already live. The op is in-memory or a
single Redis DEL — sync cost is negligible.

Also migrate profile_test.go and validate_session_test.go off the racy
MemoryStoreProvider.GetAllData iteration pattern to latestAppSessionCookie —
those endpoints don't rotate today, but the pattern is fragile and these
tests now share the same race-free helper as TestSession.

Includes a pre-existing enforceRequiredPermissions hook in Session() from the
required_permissions feature on this branch.

Backend already calls validatePolicyTargets from add_policy and update_policy
(committed previously in 3d11699's audit), but the helper itself was never
added to the tree. This commit lands it and its unit tests.

Rules enforced:
- target_type must equal the policy's type (role|user) so storage and
  evaluator agree on how to match.
- target_value is non-empty after trim.
- For role policies, target_value must be one of --roles so a typo cannot
  silently produce a dead policy that never matches.

User targets are not looked up in the users table here — the lookup is
per-target and races deletes; the evaluator no-ops on missing IDs.

Adds 6 table-driven test cases covering valid role / user / mismatched
target_type / unknown role / empty value / empty targets.

… retire Evaluate tab

Three interlocking FGA UX changes that share schema regeneration.

1. Required-permissions field on session APIs
   New optional required_permissions: [PermissionInput!] on session,
   validate_session, validate_jwt_token. AND semantics — any deny or
   unmatched (resource, scope) returns "unauthorized". Helper lives in
   internal/graphql/permission_check.go; integration coverage spans the
   backward-compat (no field), granted, and denied paths for all three
   endpoints. validate_jwt_token also picks up a role-claim fallback so
   access tokens (claim "roles") work alongside id tokens (configured
   JWTRoleClaim, typically "role").

2. Drop the public check_permission surface
   The standalone check_permission GraphQL query and POST
   /api/v1/check-permission REST handler are removed. Required-permissions
   subsumes that workflow inside the authenticated session endpoints and
   avoids exposing the evaluator as an unauthenticated probe target. Schema
   types renamed accordingly: AuthzResourceScope → Permission,
   CheckPermissionInput → PermissionInput.

3. Retire the Evaluate dashboard tab
   The tab was the only consumer of check_permission. Removed the tab, the
   Evaluate.tsx page, the CheckPermissionQuery client, and the matching TS
   types. The /authorization/* catch-all now sends unknown subpaths back to
   Resources so a stale bookmark does not 404.

Polish:
- Dashboard FGA forms gained inline help text under name/description/type/
  decision-strategy/targets fields explaining the validation rules and the
  user-ID-not-email expectation.
- make dev now passes --authorization-enforcement=enforcing so the local
  developer loop matches production semantics.
- Stale "check_permission" wording in the cmd/root.go startup warn line
  swapped for "authorization checks".

Regenerated GraphQL bindings via make generate-graphql.

The embedded GraphQL playground loads React + GraphiQL bundles from
cdn.jsdelivr.net at runtime. The global defaultCSP whitelists only self,
unsafe-inline, and editor.unlayer.com — so the playground page rendered
but every script and stylesheet from jsdelivr was CSP-blocked, leaving
GraphiQL undefined and the page non-functional.

Introduce a second policy constant, playgroundCSP, that swaps the unlayer
allowlist for jsdelivr on script-src, style-src, and font-src and tightens
connect-src to self (the playground only talks to /graphql, not
api.unlayer.com). The middleware picks playgroundCSP when c.Request.URL.Path
is exactly /playground and defaultCSP everywhere else, so the rest of the
app retains its stricter posture.

Wire the endpoint label through enforceRequiredPermissions so each call
site (session, validate_session, validate_jwt_token) emits
authorizer_required_permissions_checks_total with a bounded endpoint
label; add integration test asserting counters increment per outcome.

Session subtests each call login() internally (session rotates on every
successful call), so the top-level accessToken captured before those
subtests run is evicted from the memory store. The metrics subtest now
calls login() + captureTokens() at its own start to get a fresh token.

…gaps

Three small comment tweaks from code review on commit 0c6e80c:

- enforceRequiredPermissions doc now states the not_requested path still
  emits a metric (callers see no error but observability is preserved),
  and a follow-on note explains the early-return invariant so a future
  refactor that collects all failures doesn't silently double-count.
- The denied subtest's `_, _ = ...` discard line now states the intent
  (error is expected, only the counter matters) and notes that the
  outcome=error path is not exercised here because integration tests
  cannot synthesize a CheckPermission storage fault without injection
  hooks the provider doesn't expose today.

… unmatched

Code-review fallout from Tasks 3+4: a residual permissive-mode test
asserted Allowed:true under a setup that now always denies, two tests had
"Permissive"/"Enforcing" qualifiers in their names that no longer mean
anything, and testSetupWithAuthzMode wrote to a config field the
authorization provider no longer reads.

- Deleted TestCheckPermission_PermissiveDefault_NoPermissions_Allows; its
  premise ("permissive allows unmatched") is gone.
- Renamed TestCheckPermission_Enforcing_NoPermissions_Denies →
  TestCheckPermission_NoPermissions_Denies and dropped the redundant
  mode qualifier from its doc + failure message.
- Renamed TestCheckPermission_Permissive_WithExplicitDenyPolicy_StillDenies
  → TestCheckPermission_ExplicitDenyPolicy_Denies (the explicit-deny
  invariant survives the dual-mode removal; only the name needed work).
- Replaced 9 remaining testSetupWithAuthzMode(..., Enforcing) call sites
  with initTestSetup(t, getTestConfig()) and deleted the helper itself.
- Refreshed the validateResourceExists doc comment, which still narrated
  the permissive-mode fall-through reason that no longer exists.

NormalizeAuthzEnforcement tests at lines 844-873 are left intact — Task 5
will delete the function and its tests together.

Delete the AuthorizationEnforcement config field, NormalizeAuthzEnforcement
function, and all legacy permissive/disabled handling. The deprecated
--authorization-enforcement CLI flag is kept as a no-op no-parse-error
shim for one release, with a startup warning when the operator passes it.
Startup probe wording updated to drop permissive-mode references.
Deleted 5 NormalizeAuthzEnforcement unit tests from authorization_test.go.

After Task 5 removed the only Go-code consumers (NormalizeAuthzEnforcement,
the CLI flag's defaulting logic, and the runRoot mode-switch), the two
AuthorizationEnforcement* constants are orphaned. Drop both.

Full integration suite still green.

…tric

CHANGELOG.md: under [Unreleased] add a Breaking changes section noting
the always-enforcing posture and the Prometheus label collapse, and an
Added entry for authorizer_required_permissions_checks_total.

MIGRATION.md: append a stand-alone "Authorization Enforcement Removal"
section with the pre-upgrade audit (authz.unmatched signals to act on
before flipping versions), the flag-removal action item, the dashboard
relabel guidance, and a per-outcome table for the new counter. Calls
out outcome=error as the only outcome that warrants paging.