Define RBAC scope-entity combination constants

[fregataa]

Objective

Define Python constants for valid RBAC scope-entity type combinations based on BEP-1048/entity-edge-catalog.md.

This provides the single source of truth for:

• Frontend UI filtering (which entity types to show for a given scope)

• Server-side validation (reject invalid combinations)

Tasks

• Create src/ai/backend/common/data/permission/scope_entity_combinations.py

• Define VALID_SCOPE_ENTITY_COMBINATIONS: dict[RBACElementType, set[RBACElementType]]

• Map all scope types from entity-edge-catalog.md:

• Domain → ResourceGroup, ContainerRegistry, User, Project, Network

• Project → ResourceGroup, ContainerRegistry, Session, VFolder, Deployment, Network, User (ref)

• User → ResourceGroup, Session, VFolder, Deployment, KeyPair

• (and other scope types)

• Add is_valid_scope_entity_combination(scope_type, entity_type) -> bool helper function

• Add unit tests for the validation function

Files to Create/Modify

• src/ai/backend/common/data/permission/scope_entity_combinations.py (new)

• tests/common/data/permission/test_scope_entity_combinations.py (new)

Acceptance Criteria

• All auto and ref edges from entity-edge-catalog.md are accurately mapped

• Helper function correctly validates valid/invalid combinations

• Unit tests cover all scope types and edge cases

Reference

• BEP-1048/entity-edge-catalog.md (Auto Edges and Ref Edges sections)

JIRA Issue: BA-4808