Description

• Add a build-time script that compiles the list of all available<resource>:<action> mappings frompolicy.RBACPermissions and verifies each exists in theapi_key_scope enum incoderd/database/dump.sql.
• If all are present, exit 0. If any are missing, exit 1 and print a clear message:
  • Which scopes are missing.
  • Instruct to add a DB migration to extend theapi_key_scope enum with those values.
  • Remind to decide whether each new scope is public (exposed in the catalog) or internal-only.
• Implement immediately after DB migrations are in place, so CI fails fast when RBAC evolves.

Key files/areas

• coderd/rbac/policy/policy.go (source for<resource>:<action> list viaRBACPermissions).
• coderd/database/dump.sql (authoritative enum definition used by sqlc and migrations).
• New script/tool (e.g.,tools/check-scopes/ Go cmd orscripts/check_scopes.go).
• CI/Makefile integration (e.g.,make check-scopes and include inmake lint or PR checks).

Acceptance criteria

• Running the check locally and in CI passes when enum includes all current RBAC<resource>:<action> values.
• When RBACPermissions gains a new action or resource, the check fails with actionable output until a migration adds the enum value and a decision is made regarding public catalog exposure.
• Document how to run/fix inCONTRIBUTING.md or a shortREADME in the tool directory.