Auth & RBAC
Every API request passes through a single authentication and authorization path. The server extracts credentials (API key or JWT), loads the associated roles, derives the requested action from the HTTP method and route, builds an IRN for the target resource, and evaluates policies. Authorization is two-layered: Layer 1 system RBAC (built-in roles + verbs) is authoritative for ALLOW; Layer 2 tenant-edit-time CEL is subtractive deny-only. See ADR 0015 and ADR 0016.