feat(examples/iam-roles): add IAM roles sample with critical policies and batch migrations

- Added IamRoles example project to Polygon solution
- Implemented IAM role mutations:
  - GrantUserRoleMutation (critical security mutation)
  - RevokeUserRoleMutation
- Introduced domain policies:
  - PreventLastAdminRemovalPolicy (guards against removing final Admin)
  - RequireTwoManApprovalPolicy for critical role changes
- Added execution scenarios:
  - GrantAdminScenario (single critical mutation with approval)
  - RevokeAdminScenario (policy-guarded admin revocation)
  - BatchRoleMigrationScenario (batch role grants during org restructure)
- Demonstrated:
  - Critical vs high-risk mutation classification
  - System vs user MutationContext usage
  - Metadata-driven approvals (approvedBy)
  - Policy blocking and decision reporting
  - Batch execution with partial failures
- Added immutable UserPermissionsState domain model
- Registered IamRoles project in solution structure

Author: rian-be

ModularityKit.Mutator.slnx

@@ -2,6 +2,7 @@
   <Folder Name="/Polygon/">
     <Project Path="Polygon/BillingQuotas/BillingQuotas.csproj" />
     <Project Path="Polygon/FeatureFlags/FeatureFlags.csproj" />
+    <Project Path="Polygon/IamRoles/IamRoles.csproj" />
   </Folder>
   <Project Path="ModularityKit.Mutator/ModularityKit.Mutator.csproj" />
 </Solution>

Polygon/IamRoles/IamRoles.csproj

@@ -0,0 +1,18 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+    <PropertyGroup>
+        <OutputType>Exe</OutputType>
+        <TargetFramework>net10.0</TargetFramework>
+        <ImplicitUsings>enable</ImplicitUsings>
+        <Nullable>enable</Nullable>
+    </PropertyGroup>
+
+    <ItemGroup>
+      <ProjectReference Include="..\..\ModularityKit.Mutator\ModularityKit.Mutator.csproj" />
+    </ItemGroup>
+
+    <ItemGroup>
+      <PackageReference Include="Microsoft.Extensions.DependencyInjection" Version="10.0.2" />
+    </ItemGroup>
+
+</Project>

Polygon/IamRoles/Mutations/GrantUserRoleMutation.cs

@@ -0,0 +1,68 @@
+using IamRoles.State;
+using ModularityKit.Mutator.Abstractions.Changes;
+using ModularityKit.Mutator.Abstractions.Context;
+using ModularityKit.Mutator.Abstractions.Engine;
+using ModularityKit.Mutator.Abstractions.Intent;
+using ModularityKit.Mutator.Abstractions.Results;
+
+namespace IamRoles.Mutations;
+
+/// <summary>
+/// Mutation that grants role to user in current <see cref="UserPermissionsState"/>.
+/// </summary>
+internal sealed record GrantUserRoleMutation(
+    string UserId,
+    string Role,
+    MutationContext Context
+) : IMutation<UserPermissionsState>
+{
+    public MutationIntent Intent { get; } = new()
+    {
+        OperationName = "GrantUserRole",
+        Category = "Security",
+        RiskLevel = MutationRiskLevel.Critical,
+        Description = "Grants role to a user"
+    };
+
+    public ValidationResult Validate(UserPermissionsState state)
+    {
+        var result = new ValidationResult();
+
+        if (string.IsNullOrWhiteSpace(UserId))
+            result.AddError("UserId", "UserId cannot be empty");
+
+        if (string.IsNullOrWhiteSpace(Role))
+            result.AddError("Role", "Role cannot be empty");
+
+        if (state.RolesByUser.TryGetValue(UserId, out var roles) &&
+            roles.Contains(Role))
+            result.AddError("Role", "User already has this role");
+
+        return result;
+    }
+
+    public MutationResult<UserPermissionsState> Apply(UserPermissionsState state)
+    {
+        var rolesByUser = state.RolesByUser
+            .ToDictionary(kv => kv.Key, kv => new HashSet<string>(kv.Value));
+
+        if (!rolesByUser.TryGetValue(UserId, out var roles))
+        {
+            roles = [];
+            rolesByUser[UserId] = roles;
+        }
+
+        roles.Add(Role);
+
+        var newState = state with { RolesByUser = rolesByUser };
+
+        var changes = ChangeSet.Single(
+            StateChange.Added($"RolesByUser.{UserId}", Role)
+        );
+
+        return MutationResult<UserPermissionsState>.Success(newState, changes);
+    }
+
+    public MutationResult<UserPermissionsState> Simulate(UserPermissionsState state)
+        => Apply(state);
+}

Polygon/IamRoles/Mutations/RevokeUserRoleMutation.cs

@@ -0,0 +1,56 @@
+using IamRoles.State;
+using ModularityKit.Mutator.Abstractions.Changes;
+using ModularityKit.Mutator.Abstractions.Context;
+using ModularityKit.Mutator.Abstractions.Engine;
+using ModularityKit.Mutator.Abstractions.Intent;
+using ModularityKit.Mutator.Abstractions.Results;
+
+namespace IamRoles.Mutations;
+
+/// <summary>
+/// Mutation that revokes role from user in the current <see cref="UserPermissionsState"/>.
+/// </summary>
+internal sealed record RevokeUserRoleMutation(
+    string UserId,
+    string Role,
+    MutationContext Context
+) : IMutation<UserPermissionsState>
+{
+    public MutationIntent Intent { get; } = new()
+    {
+        OperationName = "RevokeUserRole",
+        Category = "Security",
+        RiskLevel = MutationRiskLevel.High,
+        Description = "Revokes a role from a user"
+    };
+
+    public ValidationResult Validate(UserPermissionsState state)
+    {
+        var result = new ValidationResult();
+
+        if (!state.RolesByUser.TryGetValue(UserId, out var roles) ||
+            !roles.Contains(Role))
+            result.AddError("Role", "User does not have this role");
+
+        return result;
+    }
+
+    public MutationResult<UserPermissionsState> Apply(UserPermissionsState state)
+    {
+        var rolesByUser = state.RolesByUser
+            .ToDictionary(kv => kv.Key, kv => new HashSet<string>(kv.Value));
+
+        rolesByUser[UserId].Remove(Role);
+
+        var newState = state with { RolesByUser = rolesByUser };
+
+        var changes = ChangeSet.Single(
+            StateChange.Removed($"RolesByUser.{UserId}", Role)
+        );
+
+        return MutationResult<UserPermissionsState>.Success(newState, changes);
+    }
+
+    public MutationResult<UserPermissionsState> Simulate(UserPermissionsState state)
+        => Apply(state);
+}

Polygon/IamRoles/Policies/PreventLastAdminRemovalPolicy.cs

@@ -0,0 +1,44 @@
+using IamRoles.Mutations;
+using IamRoles.State;
+using ModularityKit.Mutator.Abstractions.Engine;
+using ModularityKit.Mutator.Abstractions.Policies;
+
+namespace IamRoles.Policies;
+
+/// <summary>
+/// Policy that prevents the removal of last user with "Admin" role.
+/// </summary>
+internal sealed class PreventLastAdminRemovalPolicy
+    : IMutationPolicy<UserPermissionsState>
+{
+    public string Name => "PreventLastAdminRemoval";
+    public int Priority => 100;
+    public string Description => "Prevents removal of the last Admin user.";
+    
+    /// <summary>
+    /// Evaluates mutation against the policy.
+    /// Only RevokeUserRoleMutation for the "Admin" role is subject to this policy.
+    /// </summary>
+    /// <param name="mutation">The mutation being evaluated.</param>
+    /// <param name="state">The current user permissions state.</param>
+    /// <returns>A <see cref="PolicyDecision"/> indicating whether the mutation is allowed or denied.</returns>
+    public PolicyDecision Evaluate(
+        IMutation<UserPermissionsState> mutation,
+        UserPermissionsState state)
+    {
+        if (mutation is not RevokeUserRoleMutation { Role: "Admin" })
+            return PolicyDecision.Allow();
+
+        var adminCount = state.RolesByUser
+            .SelectMany(kv => kv.Value)
+            .Count(r => r == "Admin");
+
+        if (adminCount <= 1)
+        {
+            return PolicyDecision.Deny(
+                "Cannot remove the last Admin user");
+        }
+
+        return PolicyDecision.Allow();
+    }
+}

Polygon/IamRoles/Policies/RequireTwoManApprovalPolicy.cs

@@ -0,0 +1,55 @@
+using IamRoles.State;
+using ModularityKit.Mutator.Abstractions.Engine;
+using ModularityKit.Mutator.Abstractions.Intent;
+using ModularityKit.Mutator.Abstractions.Policies;
+
+namespace IamRoles.Policies;
+
+/// <summary>
+/// Policy that requires second user approval for critical mutations in <see cref="UserPermissionsState"/>.
+/// </summary>
+public sealed class RequireTwoManApprovalPolicy
+    : IMutationPolicy<UserPermissionsState>
+{
+    public string Name => "RequireTwoManApproval";
+    public int Priority => 100;
+    public string Description => "Requires second user approval for critical mutations.";
+    
+    /// <summary>
+    /// Evaluates mutation against the policy.
+    /// Critical mutations must have a second approver that is different from the actor.
+    /// </summary>
+    /// <param name="mutation">The mutation being evaluated.</param>
+    /// <param name="state">The current user permissions state.</param>
+    /// <returns>A <see cref="PolicyDecision"/> indicating whether the mutation is allowed or denied.</returns>
+    public PolicyDecision Evaluate(
+        IMutation<UserPermissionsState> mutation,
+        UserPermissionsState state)
+    {
+        if (mutation.Intent.RiskLevel != MutationRiskLevel.Critical)
+            return PolicyDecision.Allow();
+
+        var context = mutation.Context;
+
+        if (!context.Metadata.TryGetValue("approvedBy", out var approvedObj))
+        {
+            return PolicyDecision.Deny(
+                "Critical mutation requires second approval (approvedBy missing)");
+        }
+
+        var approvers = approvedObj switch
+        {
+            string s => s.Split(',').Select(x => x.Trim()).Where(x => !string.IsNullOrEmpty(x)),
+            IEnumerable<string> arr => arr,
+            _ => [approvedObj?.ToString() ?? string.Empty]
+        };
+
+        if (approvers.Any(a => string.Equals(a, context.ActorId, StringComparison.OrdinalIgnoreCase)))
+        {
+            return PolicyDecision.Deny(
+                "Second approval must come from a different user");
+        }
+
+        return PolicyDecision.Allow();
+    }
+}

Polygon/IamRoles/Program.cs

@@ -0,0 +1,40 @@
+using IamRoles.Policies;
+using Microsoft.Extensions.DependencyInjection;
+using ModularityKit.Mutator.Abstractions;
+using ModularityKit.Mutator.Abstractions.Engine;
+using ModularityKit.Mutator.Runtime;
+
+namespace IamRoles;
+
+internal static class Program
+{
+    private static async Task Main()
+    {
+        var services = new ServiceCollection();
+        services.AddMutators(MutationEngineOptions.Strict, addDefaultLoggingInterceptor: true);
+       
+        var provider = services.BuildServiceProvider();
+        var engine = provider.GetRequiredService<IMutationEngine>();
+        
+        engine.RegisterPolicy(new PreventLastAdminRemovalPolicy());
+        engine.RegisterPolicy(new RequireTwoManApprovalPolicy());
+
+        Console.WriteLine("=== ModularityKit.Mutators - Complete Example ===\n");
+        
+        await Scenarios.GrantAdminScenario.Run(engine);
+        await Scenarios.RevokeAdminScenario.Run(engine);
+        await Scenarios.BatchRoleMigrationScenario.Run(engine);
+        
+        Console.WriteLine("\n METRICS & STATISTICS");
+
+        var stats = await engine.GetStatisticsAsync();
+
+        Console.WriteLine($"\n Mutation Statistics:");
+        Console.WriteLine($"  Total executed: {stats.TotalExecuted}");
+
+        Console.WriteLine($"\n Performance Metrics:");
+        Console.WriteLine($"  Average execution time: {stats.AverageExecutionTime.TotalMilliseconds:F2} ms");
+        Console.WriteLine($"  Median execution time: {stats.MedianExecutionTime.TotalMilliseconds:F2} ms");
+        Console.WriteLine($"  P95 execution time: {stats.P95ExecutionTime.TotalMilliseconds:F2} ms");
+    }
+}

Polygon/IamRoles/Scenarios/BatchRoleMigrationScenario.cs

@@ -0,0 +1,81 @@
+using IamRoles.Mutations;
+using IamRoles.State;
+using ModularityKit.Mutator.Abstractions.Context;
+using ModularityKit.Mutator.Abstractions.Engine;
+
+namespace IamRoles.Scenarios;
+
+/// <summary>
+/// BatchRoleMigrationScenario
+/// 
+/// Demonstrates batch migration of IAM roles for multiple users using <see cref="IMutation{TState}"/> 
+/// and <see cref="GrantUserRoleMutation"/> in a single operation.
+/// 
+/// Scenario Details:
+/// - Executes multiple <see cref="IMutationEngine.ExecuteBatchAsync{TState}"/> instances in a batch via <see cref="IMutationEngine"/>.
+/// - Provides a <see cref="UserPermissionsState"/> with system metadata, including approval info for auditability.
+/// - Logs success and failure statistics for each mutation.
+/// - Handles policy decisions for each mutation, such as restrictions on role assignments.
+/// - Works with <see cref="IMutation{TState}"/> which tracks roles assigned to users.
+/// 
+/// Key Steps:
+/// 1. Initialize <see cref="IMutationEngine.ExecuteBatchAsync{TState}"/> with initial roles for each user.
+/// 2. Construct an array of <see cref="IMutationEngine"/> representing role grants.
+/// 3. Execute the batch with <see cref="IMutationEngine"/>.
+/// 4. Count successes and failures, and display any policy decisions that blocked mutations.
+/// 
+/// Example Use Case:
+/// - Performing organizational role restructuring
+/// - Batch granting of elevated permissions to multiple users
+/// - Ensuring compliance and auditability via system metadata and policy evaluation
+/// 
+/// Notes:
+/// - Individual mutations in the batch may fail if any policy denies the role change.
+/// - Correlation ID or metadata can be used to trace this batch operation in logs.
+/// </summary>
+internal static class BatchRoleMigrationScenario
+{
+    internal static async Task Run(IMutationEngine engine)
+    {
+        Console.WriteLine("\n=== Batch Role Migration Scenario ===");
+
+        var state = new UserPermissionsState
+        {
+            RolesByUser = new Dictionary<string, HashSet<string>>
+            {
+                ["alice"] = ["User"],
+                ["bob"]   = ["User"],
+                ["carol"] = ["User"]
+            }
+        };
+
+        var ctx = MutationContext.System(reason: "Org restructure")
+            with
+            {
+                Metadata = new Dictionary<string, object>
+                {
+                    ["approvedBy"] = "security-team"
+                }
+            };
+
+        var mutations = new IMutation<UserPermissionsState>[]
+        {
+            new GrantUserRoleMutation("alice", "Manager", ctx),
+            new GrantUserRoleMutation("bob", "Admin", ctx),
+            new GrantUserRoleMutation("carol", "Manager", ctx)
+        };
+
+        var result = await engine.ExecuteBatchAsync(mutations, state);
+
+        Console.WriteLine($"Executed: {result.Results.Count}");
+        Console.WriteLine($"Success: {result.Results.Count(r => r.IsSuccess)}");
+        Console.WriteLine($"Failed:  {result.Results.Count(r => !r.IsSuccess)}");
+
+        foreach (var failure in result.Results.Where(r => !r.IsSuccess))
+        {
+            Console.WriteLine("✗ Mutation failed:");
+            foreach (var decision in failure.PolicyDecisions)
+                Console.WriteLine($"  Policy: {decision.PolicyName} – {decision.Reason}");
+        }
+    }
+}