Description

• After low-level scopes exist, implement a composable scope container that satisfiesrbac.ExpandableScope, e.g.,type ComposableScope []ScopeName, whoseExpand() merges site-level permissions of each named scope into a singlerbac.Scope.
• Ensure expansions are site-level only; remove any org-level blocks from built-ins.

Key files/areas

• coderd/rbac/scopes.go (defineComposableScope and related helpers).
• coderd/rbac/ tests for expansion correctness.

Acceptance criteria

• Unit tests verify that combiningworkspace:read +workspace:ssh yields a scope allowing both actions at the Site level only.
• No negative/deny semantics implemented; expansions are strictly additive.