Auth & RBAC

Every API request passes through a single authentication and authorization path. The server extracts credentials (API key or JWT), loads the associated roles, derives the requested action from the HTTP method and route, builds an IRN for the target resource, and evaluates policies. Core uses hardcoded role-permission maps; enterprise adds CEL-based custom policies with deny-wins semantics.
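The authorization half of that path, sketched as an added example; it is not the product's own code. It starts after credentials have been verified and roles loaded. The role names, action names, `/api/<kind>/<id>` route shape and `irn:<tenant>:<kind>/<id>` layout are all assumptions, glob matching stands in for CEL expressions, and letting a custom deny override a role grant is an assumed reading of "deny-wins".

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# All names below are hypothetical: roles, actions, and the "irn:" layout
# are constructed for illustration and are not the product's real values.
ROLE_PERMISSIONS = {
    "viewer": {"read"},
    "editor": {"read", "create", "update"},
    "admin": {"read", "create", "update", "delete"},
}
METHOD_ACTIONS = {"GET": "read", "POST": "create", "PUT": "update",
                  "PATCH": "update", "DELETE": "delete"}


@dataclass(frozen=True)
class Policy:
    effect: str    # "allow" or "deny"
    action: str    # action name, or "*" for any action
    resource: str  # glob over the IRN (stand-in for a CEL expression)


def derive_action(method):
    # Unknown methods map to no action, so the request fails closed.
    return METHOD_ACTIONS.get(method.upper())


def build_irn(tenant, route):
    # Assumed layout: irn:<tenant>:<kind>/<id>, taken from /api/<kind>/<id>.
    parts = [p for p in route.split("/") if p][1:]
    return f"irn:{tenant}:{'/'.join(parts)}"


def authorize(roles, method, tenant, route, policies=()):
    action = derive_action(method)
    if action is None:
        return False
    irn = build_irn(tenant, route)
    matched = [p for p in policies
               if p.action in ("*", action) and fnmatchcase(irn, p.resource)]
    # Deny wins: one matching deny overrides every allow, role grants included.
    if any(p.effect == "deny" for p in matched):
        return False
    role_allows = any(action in ROLE_PERMISSIONS.get(r, ()) for r in roles)
    return role_allows or any(p.effect == "allow" for p in matched)
```

With an empty `policies` list the function reduces to the hardcoded role map alone, which is the core behaviour the paragraph describes.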
