Description

• Confirm and, if necessary, adjustcoderd/rbac/policy.rego to require both role allow and scope allow. Ensure allow-list membership is enforced for reads/updates/deletes, but not for creates (no ID at creation time), matching the RFC.

Progress

• PRfeat: scope allow_list to includeresource_type #19748 updatedpolicy.rego and RBAC to a typed{type,id} allow-list, added wildcard handling ((*,*),(type,*)), and included unit tests (TestScopeAllowList).

Remaining work

• Explicitly verify and add tests that create operations bypass allow-list ID checks while read/update/delete enforce membership.
• Add deny-by-default tests when scope is missing; cover list endpoints where applicable.
• Ensure all subject construction paths now provide typed allow-lists; update docs/README for policy changes.

Key files/areas

• coderd/rbac/policy.rego and unit tests.

Acceptance criteria

• Policy tests prove deny-by-default when scope is missing and allow-list excludes the resource.
• Create operations bypass allow-list ID checks; other verbs require matching IDs.