feat(rbac): role carries a FieldMask projection — distinct views, not depth levels

RBAC is classid :: role :: membership, where the role IS a distinct
projection of the class — not a graduated access level. PermissionSpec
already had max_depth (a scalar level: Identity < … < Full), which only
expresses more-vs-less of the same fields. It could not express that two
roles see DISJOINT views of one class — the actual HIPAA mechanism
(health-personnel sees the clinical histogram; invoice sees billing
fields; research sees de-identified aggregate — and that the research
cross-correlation would be unlawful in the invoice purpose).

- contract FieldMask: add FULL (all positions), intersect, is_disjoint —
  the ops a projection + a distinctness check need.
- rbac PermissionSpec: add `projection: FieldMask` (default FULL = no
  narrowing, depth governs), `with_projection(mask)` builder, `projects(n)`
  accessor. The projection is resolved against the class's ClassView field
  basis (lance-graph-ogar pulls OgarClassView for that basis).

The projection SLOT is reusable here; the consumer (medcare-rs) hand-rolls
the distinctness ENFORCEMENT — the three clinical roles' masks, and the
invariant that the research projection is disjoint from the identifier
fields. Test: two same-depth roles on one class with disjoint projections.
lance-graph-rbac 15 tests green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01EYvNjD8M8LMNYbRy3gq2FP

Author: claude

crates/lance-graph-contract/src/class_view.rs

@@ -123,6 +123,26 @@ impl FieldMask {
         self.0 == 0
     }
 
+    /// The full mask — every addressable field position present. The
+    /// "no projection constraint" default for an RBAC role that has not
+    /// narrowed its view (lance-graph-rbac `PermissionSpec::projection`).
+    pub const FULL: Self = Self(u64::MAX);
+
+    /// Bitwise intersection — the field positions present in BOTH masks.
+    #[inline]
+    pub const fn intersect(self, other: Self) -> Self {
+        Self(self.0 & other.0)
+    }
+
+    /// Do the two masks share NO field position? RBAC uses this to assert
+    /// two roles project **distinct** views of the same class — e.g. a
+    /// research projection must be disjoint from the identifier fields
+    /// (`classid :: role :: membership`, where the role is the projection).
+    #[inline]
+    pub const fn is_disjoint(self, other: Self) -> bool {
+        self.0 & other.0 == 0
+    }
+
     /// Inherit a parent class's presence into this mask — the **mask-inherits-as-
     /// delta** of the HHTL `subClassOf` walk (`wikidata-hhtl-load.md`). A child
     /// IS-A its parent, so its mask carries every field the parent declares

crates/lance-graph-rbac/src/permission.rs

@@ -1,15 +1,37 @@
 //! Permission specifications tied to the ontology layer.
 
+use lance_graph_contract::class_view::FieldMask;
 use lance_graph_contract::property::PrefetchDepth;
 
 /// What a role can do on a specific entity type.
+///
+/// # Depth is a level; projection is a view
+///
+/// [`max_depth`](Self::max_depth) is a *scalar level* (Identity < … < Full):
+/// how far down the prefetch ladder a role may read — "more or less of the
+/// same fields". It does NOT express **distinct** role-views of one class.
+///
+/// [`projection`](Self::projection) is the orthogonal axis: a [`FieldMask`]
+/// over the class's `ClassView` field basis naming exactly which fields the
+/// role may see. Two roles at the *same* depth can carry *disjoint*
+/// projections — the mechanism behind `classid :: role :: membership`, where
+/// the role IS the projection. A consumer (e.g. medcare-rs) gives
+/// `health-personnel`, `invoice`, and `research` three distinct projections
+/// of one clinical class and enforces that they never collapse (the research
+/// projection disjoint from the identifier fields, etc.). The distinctness
+/// enforcement is the consumer's; the projection slot is here.
 #[derive(Clone, Debug)]
 pub struct PermissionSpec {
     /// Entity type this permission applies to (e.g. "Customer", "Invoice").
     pub entity_type: &'static str,
     /// Maximum property prefetch depth this role can access.
     /// Identity = Required only, Full = everything including Free + episodic.
     pub max_depth: PrefetchDepth,
+    /// The role's lawful **field projection** over this entity's `ClassView`
+    /// field basis. [`FieldMask::FULL`] = no narrowing (depth governs); a
+    /// narrowed mask is the per-role view that makes roles distinct rather
+    /// than merely graduated.
+    pub projection: FieldMask,
     /// Predicates this role can write. Empty = read-only for this entity.
     pub writable_predicates: &'static [&'static str],
     /// ActionSpec names this role can trigger. Empty = no actions.
@@ -22,6 +44,7 @@ impl PermissionSpec {
         Self {
             entity_type,
             max_depth: PrefetchDepth::Identity,
+            projection: FieldMask::FULL,
             writable_predicates: &[],
             allowed_actions: &[],
         }
@@ -36,6 +59,7 @@ impl PermissionSpec {
         Self {
             entity_type,
             max_depth: PrefetchDepth::Full,
+            projection: FieldMask::FULL,
             writable_predicates: writable,
             allowed_actions: actions,
         }
@@ -46,11 +70,27 @@ impl PermissionSpec {
         Self {
             entity_type,
             max_depth: depth,
+            projection: FieldMask::FULL,
             writable_predicates: &[],
             allowed_actions: &[],
         }
     }
 
+    /// Narrow this permission to a specific field projection — the per-role
+    /// view over the class's field basis. Builder; chains after any
+    /// constructor (`read_at(..).with_projection(mask)`).
+    pub const fn with_projection(mut self, projection: FieldMask) -> Self {
+        self.projection = projection;
+        self
+    }
+
+    /// Is field position `n` (a bit in the class's `ClassView` field basis)
+    /// within this role's projection? `false` = the role may not see it,
+    /// regardless of depth.
+    pub const fn projects(&self, n: u8) -> bool {
+        self.projection.has(n)
+    }
+
     /// Check if this permission allows reading a predicate at the given depth.
     pub fn can_read_at(&self, depth: PrefetchDepth) -> bool {
         depth <= self.max_depth
@@ -76,10 +116,40 @@ mod tests {
         let p = PermissionSpec::read_only("Customer");
         assert_eq!(p.entity_type, "Customer");
         assert_eq!(p.max_depth, PrefetchDepth::Identity);
+        // No narrowing by default — projection governs nothing until set.
+        assert_eq!(p.projection, FieldMask::FULL);
         assert!(p.writable_predicates.is_empty());
         assert!(p.allowed_actions.is_empty());
     }
 
+    #[test]
+    fn distinct_roles_carry_disjoint_projections_of_one_class() {
+        // classid :: role :: membership — two roles, SAME entity, SAME
+        // depth, but DISTINCT views. Mirrors the medcare shape: a billing
+        // role sees the coded/amount fields; a research role sees only
+        // de-identified aggregate fields. The point isn't more-vs-less
+        // depth — it's that the two field projections are disjoint.
+        //
+        // (Field positions index the entity's ClassView field basis; here
+        // 0,1 are identifier/clinical slots, 5,6 the de-identified slots.)
+        let invoice = PermissionSpec::read_at("Diagnosis", PrefetchDepth::Detail)
+            .with_projection(FieldMask::from_positions(&[0, 1]));
+        let research = PermissionSpec::read_at("Diagnosis", PrefetchDepth::Detail)
+            .with_projection(FieldMask::from_positions(&[5, 6]));
+
+        // Same level, distinct views.
+        assert_eq!(invoice.max_depth, research.max_depth);
+        assert!(
+            invoice.projection.is_disjoint(research.projection),
+            "the two roles must project distinct views of the class",
+        );
+        // The slot the invoice role sees, the research role does not.
+        assert!(invoice.projects(0));
+        assert!(!research.projects(0));
+        assert!(research.projects(5));
+        assert!(!invoice.projects(5));
+    }
+
     #[test]
     fn full_access_allows_writes() {
         let p = PermissionSpec::full("Invoice", &["status", "payment_date"], &["approve"]);