Description

• Derive low-level API key scope names directly frompolicy.RBACPermissions (coderd/rbac/policy/policy.go). For each resource’s allowed actions, expose<resource>:<action> scope names (e.g.,template:use,workspace:start,workspace:ssh,api_key:create).
• Introduce a collection of public low-level scope names that are exposed via an API endpoint for discovery and request by users/clients.
• Support internal-only low-level scopes that are not exposed via the public catalog and cannot be requested by users, but may be attached by the system where needed.

Key files/areas

• coderd/rbac/policy/policy.go (source of truth:RBACPermissions andpolicy.Action*).
• coderd/rbac/scopes.go (expansion logic and mapping from scope string → RBAC permissions).
• API surface to list public scope names (e.g., handler undercoderd/ and OpenAPI docs) and validation in token creation to allow only public names.

Acceptance criteria

• Table-driven tests validate that for every<resource>:<action> pair inRBACPermissions, if marked public, the corresponding scope exists and expands to the expectedrbac.Scope.Site permissions.
• No org-level permissions present in these expansions.
• Public listing endpoint returns only public low-level scopes; internal-only scopes are not listed and cannot be requested (token creation with internal-only scope is rejected).