
Build-time check: DB enum contains all RBAC scopes #19846

@ThomasK33

Description

  • Add a build-time script that compiles the list of all available <resource>:<action> mappings from policy.RBACPermissions and verifies each exists in the api_key_scope enum in coderd/database/dump.sql.
  • If all are present, exit 0. If any are missing, exit 1 and print a clear message:
    • Which scopes are missing.
    • Instruct to add a DB migration to extend the api_key_scope enum with those values.
    • Remind to decide whether each new scope is public (exposed in the catalog) or internal-only.
  • Implement immediately after DB migrations are in place, so CI fails fast when RBAC evolves.

Key files/areas

  • coderd/rbac/policy/policy.go (source for <resource>:<action> list via RBACPermissions).
  • coderd/database/dump.sql (authoritative enum definition used by sqlc and migrations).
  • New script/tool (e.g., tools/check-scopes/ Go cmd or scripts/check_scopes.go).
  • CI/Makefile integration (e.g., make check-scopes and include in make lint or PR checks).

Acceptance criteria

  • Running the check locally and in CI passes when enum includes all current RBAC <resource>:<action> values.
  • When RBACPermissions gains a new action or resource, the check fails with actionable output until a migration adds the enum value and a decision is made regarding public catalog exposure.
  • Document how to run/fix in CONTRIBUTING.md or a short README in the tool directory.
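The check the issue describes, written out as an added example (this is not code from the issue or from the coder repository). It assumes a simplified stand-in for `policy.RBACPermissions` as a `map[string][]string` of resource to action names, and a constructed fragment of `dump.sql` in which `template:use` is deliberately left out of the `api_key_scope` enum so the failure path is exercised; a real tool would import the policy package and read the file from disk instead.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"sort"
	"strings"
)

// permissions is a constructed stand-in for policy.RBACPermissions
// (assumption: resource name -> action names). Not the real table.
var permissions = map[string][]string{
	"workspace": {"create", "read", "update", "delete"},
	"template":  {"create", "read", "update", "delete", "use"},
	"api_key":   {"create", "read", "delete"},
}

// dumpSQL is a constructed fragment of dump.sql. "template:use" is
// intentionally absent so the check has something to report.
const dumpSQL = `
CREATE TYPE public.api_key_scope AS ENUM (
    'all',
    'application_connect',
    'workspace:create',
    'workspace:read',
    'workspace:update',
    'workspace:delete',
    'template:create',
    'template:read',
    'template:update',
    'template:delete',
    'api_key:create',
    'api_key:read',
    'api_key:delete'
);
`

// expectedScopes flattens the permission table into sorted
// "<resource>:<action>" strings, the values the enum must contain.
func expectedScopes(perms map[string][]string) []string {
	var out []string
	for resource, actions := range perms {
		for _, action := range actions {
			out = append(out, resource+":"+action)
		}
	}
	sort.Strings(out)
	return out
}

// enumValues extracts the quoted values of a CREATE TYPE ... AS ENUM
// statement for typeName, tolerating an optional schema prefix (public.).
func enumValues(sql, typeName string) ([]string, error) {
	stmt := regexp.MustCompile(`(?s)CREATE TYPE\s+(?:\w+\.)?` +
		regexp.QuoteMeta(typeName) + `\s+AS\s+ENUM\s*\((.*?)\);`)
	m := stmt.FindStringSubmatch(sql)
	if m == nil {
		return nil, fmt.Errorf("enum %q not found in dump", typeName)
	}
	var out []string
	for _, v := range regexp.MustCompile(`'([^']*)'`).FindAllStringSubmatch(m[1], -1) {
		out = append(out, v[1])
	}
	return out, nil
}

// missingScopes returns every expected scope that the enum lacks, in order.
func missingScopes(expected, enum []string) []string {
	have := make(map[string]bool, len(enum))
	for _, v := range enum {
		have[v] = true
	}
	var missing []string
	for _, s := range expected {
		if !have[s] {
			missing = append(missing, s)
		}
	}
	return missing
}

// report builds the actionable message: what is missing and what to do.
func report(missing []string) string {
	var b strings.Builder
	fmt.Fprintf(&b, "api_key_scope enum is missing %d RBAC scope(s):\n", len(missing))
	for _, s := range missing {
		fmt.Fprintf(&b, "  - %s\n", s)
	}
	b.WriteString("Add a DB migration extending the api_key_scope enum with these values,\n")
	b.WriteString("and decide for each whether it is public (in the scope catalog) or internal-only.\n")
	return b.String()
}

func main() {
	enum, err := enumValues(dumpSQL, "api_key_scope")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	missing := missingScopes(expectedScopes(permissions), enum)
	if len(missing) == 0 {
		fmt.Println("ok: api_key_scope enum covers all RBAC scopes")
		return
	}
	fmt.Fprint(os.Stderr, report(missing))
	os.Exit(1)
}
```

Run against the constructed input it exits 1 and names `template:use`; wired into `make lint`, the same exit code is what makes CI fail until a migration adds the value. Matching the enum by statement rather than by grepping for each scope string avoids false passes when a scope name happens to appear elsewhere in the dump.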
