domain: add Identity & Access entities (User, Role, Permission, Group)

crates/domain/tests/domain_tests.rs

@@ -1,2 +1,4 @@
+mod entities;
 mod events;
+mod services;
 mod value_objects;

crates/domain/tests/entities/group.rs

@@ -0,0 +1,41 @@
+use domain::entities::Group;
+use domain::errors::DomainError;
+use domain::value_objects::SystemId;
+
+#[test]
+fn owner_auto_member() {
+    let owner = SystemId::new();
+    let g = Group::new("team", owner);
+    assert!(g.is_member(&owner));
+    assert_eq!(g.members.len(), 1);
+}
+
+#[test]
+fn add_and_remove() {
+    let owner = SystemId::new();
+    let member = SystemId::new();
+    let mut g = Group::new("team", owner);
+    g.add_member(member).unwrap();
+    assert!(g.is_member(&member));
+    assert_eq!(g.members.len(), 2);
+    g.remove_member(member).unwrap();
+    assert!(!g.is_member(&member));
+}
+
+#[test]
+fn cannot_remove_owner() {
+    let owner = SystemId::new();
+    let mut g = Group::new("team", owner);
+    let result = g.remove_member(owner);
+    assert!(matches!(result, Err(DomainError::Validation(_))));
+}
+
+#[test]
+fn cannot_add_duplicate() {
+    let owner = SystemId::new();
+    let member = SystemId::new();
+    let mut g = Group::new("team", owner);
+    g.add_member(member).unwrap();
+    let result = g.add_member(member);
+    assert!(matches!(result, Err(DomainError::Conflict(_))));
+}

crates/domain/tests/entities/mod.rs

@@ -0,0 +1,4 @@
+mod group;
+mod permission;
+mod role;
+mod user;

crates/domain/tests/entities/permission.rs

@@ -0,0 +1,19 @@
+use domain::entities::permission::{
+    admin_permissions, contributor_permissions, viewer_permissions,
+    Permission, PermissionAction, ResourceType,
+};
+
+#[test]
+fn admin_is_superset_of_contributor() {
+    let admin = admin_permissions();
+    let contrib = contributor_permissions();
+    assert!(contrib.is_subset(&admin));
+    assert!(admin.len() > contrib.len());
+}
+
+#[test]
+fn viewer_cannot_write() {
+    let viewer = viewer_permissions();
+    let write = Permission::new(PermissionAction::WriteMetadata, ResourceType::Global);
+    assert!(!viewer.contains(&write));
+}

crates/domain/tests/entities/role.rs

@@ -0,0 +1,9 @@
+use domain::entities::{Role, PermissionAction, ResourceType};
+use domain::entities::permission::viewer_permissions;
+
+#[test]
+fn role_checks_permission() {
+    let role = Role::new("viewer", viewer_permissions(), true);
+    assert!(role.has_permission(PermissionAction::ReadAsset, ResourceType::Global));
+    assert!(!role.has_permission(PermissionAction::DeleteAsset, ResourceType::Global));
+}

crates/domain/tests/entities/user.rs

@@ -0,0 +1,11 @@
+use domain::entities::User;
+use domain::value_objects::{Email, PasswordHash};
+
+#[test]
+fn creates_user_with_unique_id() {
+    let a = User::new("alice", Email::new("a@example.com").unwrap(), PasswordHash::from_hash("h".into()));
+    let b = User::new("bob", Email::new("b@example.com").unwrap(), PasswordHash::from_hash("h".into()));
+    assert_ne!(a.id, b.id);
+    assert_eq!(a.username, "alice");
+    assert_eq!(b.username, "bob");
+}