BCH-1313: AuthZ Phase 1 — internal/authz (PDP, manifest, builtin driver) + single PEP

[ccf-lisa]

BCH-1313 — AuthZ Phase 1: internal/authz (PDP interface, manifest loader, builtin driver)

Implements Phase 1 of CCF Pluggable Authorization — Design Plan (BCH-1313).

Goal: centralize authorization behind one PEP + a pluggable PDP interface, with zero behavior change.

What's here

• internal/authz — engine-neutral PDP interface (Evaluate + batch Evaluations), Subject/Resource/Decision/EvalRequest types, and a driver registry (Register/Open/Drivers) that mirrors database/sql.
• Manifest loader — manifest.yaml declares the authorization vocabulary (subjects, resources, actions, default roles); embedded via go:embed and parsed/validated at startup.
• builtin driver — reproduces today's rules: admin resources require SSO admin-group membership (password users are super admins; SSO-disabled or no-required-groups → allow); every other resource is allowed once authenticated. Self-registers and is the default.
• mw.Authorize(resource, action) PEP — builds the Subject from user/agent claims + route params, calls the PDP, and enforces: allow → next; deny → 403 (reason logged, never echoed); PDP-unavailable → fail_mode; other error → 500.
• Migrations — RequireAdminGroups is now a thin PEP over the builtin driver (signature preserved; the rule's logic has a single home in authz.Builtin). The evidence create route gains Authorize("evidence","create") after its existing authn middleware.
• Config (Viper) — authz.driver (default builtin) and authz.fail_mode (default closed), via CCF_AUTHZ_DRIVER / CCF_AUTHZ_FAIL_MODE.

Zero behavior change — verified

• TestWorkflowImportRouteRequiresAdminGroup (admin-group denial) passes unchanged through the new PEP + builtin path.
• Evidence integration tests pass with the new Authorize on the create route.
• New TestBuiltinAdminDecisionMatrix (sqlite, integration) covers the full admin decision matrix of the relocated logic; new unit tests cover the PEP status mapping / fail-mode and the manifest loader.
• go build ./..., go vet (incl. -tags integration), and the full go test ./... suite are green.

Notes / scope

• fail_mode is wired but inert for builtin (in-process, never ErrUnavailable); it governs the later remote drivers. Resource/subject attributes are intentionally minimal — the authoritative attribute surface is BCH-1319. ccf authz export, audit logging, and remote/cedar/permit drivers are later phases.

🤖 Generated with Claude Code

[gusfcarvalho]

First-pass review (HEAD 7b44f85). Findings inline — non-blocking. Faithful zero-behavior-change admin migration; build/vet/gofmt and unit+integration tests pass with -race locally, CI green.

Headline: 1 Medium (admin action manage is enforced but absent from the manifest's declared admin vocabulary — inert in Phase 1 but a contract mismatch the next manifest-gating driver will hit) + 3 Low (admin path hardcodes the builtin driver and diverges from the config-selected evidence path; builtin's error→500 branch is untested; request ctx dropped on DB lookups). No blockers.

[gusfcarvalho]

LGTM — approving at HEAD 26882c5. All four findings from the review round are addressed and verified, and CI is fully green (check-diff, lint, unit-tests, integration-tests all pass).

• [Medium] admin action vocab — manage added to the admin resource's actions (granular *.manage kept for later phases), the pdp.go "mirror the vocabulary" comment corrected, and HasAction(ResourceAdmin, ActionManage) now asserted in manifest_test.go. ✅
• [Low] hardcoded builtin driver — comment documents the admin↔evidence divergence and the "route through authz.Open when a real second driver lands" plan. ✅
• [Low] untested error→500 branch — TestBuiltinAdminGenuineDBErrorReturnsError forces a non-RecordNotFound DB failure and asserts error + deny, locking in 500-not-403. ✅
• [Low/nit] dropped ctx — ctx threaded through evaluateAdmin; both admin DB lookups use .WithContext(ctx). ✅

Verified locally too: go build/vet/gofmt clean, unit + integration tests pass with -race (incl. the new DB-error case). Zero-behavior-change bar holds. Nice work.

[ccf-lisa]

PR approved. Marking ready for e2e.