domain: add PermissionChecker service with additive role evaluation

crates/domain/src/services/permission_service.rs

@@ -1 +1,21 @@
-// Permission service — will be implemented in Task 5
+use std::collections::HashSet;
+use crate::entities::{Permission, PermissionAction, ResourceType, Role};
+
+pub struct PermissionChecker;
+
+impl PermissionChecker {
+    pub fn has_permission(
+        roles: &[Role],
+        action: PermissionAction,
+        resource_type: ResourceType,
+    ) -> bool {
+        roles.iter().any(|role| {
+            role.has_permission(action, resource_type)
+                || role.has_permission(action, ResourceType::Global)
+        })
+    }
+
+    pub fn effective_permissions(roles: &[Role]) -> HashSet<Permission> {
+        roles.iter().flat_map(|r| r.permissions.iter().copied()).collect()
+    }
+}